Game Trainer 2.01



"Beware the dawn of the Trainer Age."
- from The Book of Trainers.


History
[v2.01, 11 Jun 1999]
Made target unfreeze if its type is changed.
Made Ascii and Asciiz searches case-insensitive.
A +1.0 and -1.0 exclusive range is now used in floating point matching for float and double searches.

[v2.0, 24 May 1999]
Major changes.

[v1.0, 21 Apr 1999]
First release.

Purpose
Allows you to cheat in games.

Platform
Win95. Game Trainer should also work on Win98, though this is not tested.

Distribution
Freeware.

Disclaimer
Game Trainer is distributed with NO WARRANTY OF ANY KIND. The author is not responsible for any losses or damages suffered directly or indirectly from the use of Game Trainer. Use Game Trainer at your own risk.

Features
- Search for BYTE, WORD, DWORD, FLOAT, DOUBLE, ASCII and ASCIIZ.
- Up to 65536 addresses can be tracked at any one time.
- Up to 500 addresses are shown in the Address List.
- View the Address Map of processes.
- Choose from different memory regions and access protection.
- Edit, write, freeze and auto-read up to a maximum of 100 targets in the Target List.
- Load and save the Target List for saving your work or distributing to your friends.
- View values as hex, signed or unsigned decimal.
- Configurable freeze and read rate.
- Smart auto-off read function when Game Trainer's window is inactive for faster operation.
- Read or freeze error feedback.
- Built-in address calculator. Set, copy, add and subtract addresses easily.
- Brute-force memory dump and comparisons (same, different, decreased or increased), limited only by harddisk space.
- Dump memory to a debug-like text file.
- And many other handy features.

System Requirements
Large free harddisk space is needed if you are using the memory dump feature. Recommended: 500MB. A screen resolution of at least 800x600 is recommended.

Installation
Installation is manual. Unzip the zip file to any directory of your choice. You should create a shortcut to the executable file on the desktop for convenience. Game Trainer does not modify the registry or the Start menu. It will only create and access its own files in the installed directory.

Game Trainer Save Files (.gt) from version 1.0 are incompatible with the current version.

Uninstallation
Simply delete all the unzipped files and any files created by Game Trainer in the installed directory.


Brief Training Tutorial
Let's train Minesweeper to stop its time. Run Minesweeper and click on a square to start its time running. Run Game Trainer and select the process that contains "WINMINE.EXE". We can guess from the name that this is Minesweeper's process. Notice that Game Trainer automatically selects the Shared region, indicating that Minesweeper is a Win16 application. Leave this selection unchanged. Also ensure that the RW protection is selected (the default). This limits Game Trainer to read-writeable memory blocks. There are 2 methods to find the address of the time.

Method 1: Find and Sieve
Just when the time in Minesweeper increases, remember the time and press Escape to minimize Minesweeper. The time is stopped when Minesweeper is minimized, so you know the current value of the time. Enter this value into Value in Game Trainer. For integer numbers, the data type Dword is commonly used, but since Minesweeper is Win16, change the Type to Word instead. Click on Find. Game Trainer will report that a few hundred or a few thousand addresses were found. This is too many, since usually only 1 or a few addresses point to the location we want to change, in this case the time. Restore the Minesweeper window. Let the time increase and minimize the game. Enter the new time into Value in Game Trainer and click on Sieve. You will notice that fewer addresses now remain. They will be shown in the Address List only if there are no more than 500 addresses. Let the time in Minesweeper increase and sieve again. Repeat the sieve until you end up with 1 address in the Address List. Double-click on it to transfer it to the Target List. Click on the "[ ]" of the target so that an "X" appears. This means that the target is frozen. Click on the value of the target to edit it. Enter, for example, zero and press Enter. Switch back to Minesweeper and you will see that the time is fixed at 1. This means that Minesweeper adds 1 to the time. If you like, you can enter "-1" into the value of the target so that the time appears as zero.

Method 2: Memory Dump
This brute-force method is slower and uses a large amount of harddisk space. Use this method only when you do not know the value in the game (e.g. when the game displays the value as a graphical bar instead of a number) or when Method 1 fails. Let's pretend that we do not know the time in Minesweeper but know that it is increasing. Run Minesweeper and let the time run. Click on Dump in Game Trainer. Game Trainer will take a while to save the selected memory blocks of Minesweeper into a dump file. Let the time increase by at least 1 and then click on Inc. Game Trainer will compare the dump file and the current memory of Minesweeper. Only addresses whose values have increased are kept in the dump file. Repeat this until 1 address remains.


Description of Functions

Process List
Select the process of the game that you are going to train, e.g. "FFFD2335:WINMINE.EXE". The first 8 characters are the process ID in hex, followed by the name of the executable file that created the process. From the name, you can decide which is the process of the game you are going to train.


Value
Enter the current value of the health, ammo, gold, etc. in the game that you want to find. If you do not know the value, you have to use the memory dump functions instead. The value you enter must correspond to the data type selected in Type.

For Byte, Word and Dword:
To enter a hex number, type in for example "0xff" which is equal to 255 in decimal. That is, you must precede a hex number by "0x". To enter an octal number, precede the number by a "0" (zero). Otherwise, decimal is assumed by default.

For Float and Double:
Type in for example "100", "100.123" or "1e10". Game Trainer will consider a floating point number to match if it is within +1.0 or -1.0 exclusive of the user-specified value. For example if the user keys in "100", any floating point number between 99.0 and 101.0 exclusive is considered as matching. This is because not all floating point numbers can be represented exactly in binary format, hence a small range is used for matching. Furthermore, games that use floating point numbers usually round or truncate the numbers before showing them on screen.

For Ascii and Asciiz
Type in a text string such as "Player". Ascii and Asciiz searches are case-insensitive. For Ascii, Game Trainer will not include a terminating null character at the end of the string and will not search for it. For Asciiz, it will include one automatically in the search.


Type
The data type of the value you are searching for. If you are searching for an integer number, select Dword to start with. Most Win32 games use Dword for integers. If you cannot find the address, then switch to Word (commonly used by Win16 applications and DOS programs) and finally Byte. If you are searching for real numbers, start with Float and then Double if necessary. If you are searching for a text string, start with Ascii followed by Asciiz.

Data Type   Size (in bytes)                           Range in Unsigned View     Range in Signed View
Byte        1                                         0 to 255                   -128 to 127
Word        2                                         0 to 65,535                -32,768 to 32,767
Dword       4                                         0 to 4,294,967,295         -2,147,483,648 to 2,147,483,647
Float       4                                         3.4E +/- 38 (7 digits)     same as unsigned
Double      8                                         1.7E +/- 308 (15 digits)   same as unsigned
Ascii       length of text                            NA                         NA
Asciiz      length of text + 1 for terminating null   NA                         NA


Find
Search for Value of the data Type and store matching addresses in Game Trainer's memory array. This array can only hold up to 65536 addresses. Typically, you have to Find once for the current value in the game first. Then change the value in the game to a different one. Enter this new value into Value and click on Sieve. Sieve will only search the addresses stored in the array by Find. Repeat the Sieve until 1 or a few memory addresses have been sieved.

One or a few of the sieved addresses are very likely to be the location of the value you are searching for. If only 1 address is sieved, you can be sure that is the correct address.

If it is reported that 65536 addresses are found or sieved, then you have searched for a value that is too common, e.g. zero. You should change the value in the game to a less common value and search again.


Sieve
Search the addresses stored in Game Trainer's memory array by Find for Value. You have to Find once first before sieving.
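The Find and Sieve passes described above, together with the +1.0/-1.0 exclusive float rule from the Value section, as an added example (not Game Trainer's own code). It runs over constructed byte buffers instead of a live process; all function names and the sample snapshots are assumptions made for illustration.

```python
import struct

MAX_TRACKED = 65536  # capacity of the tracking array given on this page
# Little-endian struct formats; integers are read unsigned here.
TYPES = {"byte": "<B", "word": "<H", "dword": "<I", "float": "<f", "double": "<d"}


def matches(type_name, stored, wanted):
    """Integers must be equal; floats match within +/-1.0, exclusive."""
    if type_name in ("float", "double"):
        return wanted - 1.0 < stored < wanted + 1.0  # NaN never matches
    return stored == wanted


def read_at(memory, offset, type_name):
    """Decode one value, or return None if it would run past the buffer."""
    fmt = TYPES[type_name]
    if offset < 0 or offset + struct.calcsize(fmt) > len(memory):
        return None
    return struct.unpack_from(fmt, memory, offset)[0]


def find(memory, type_name, wanted):
    """First pass: test every byte offset, keep at most MAX_TRACKED hits."""
    hits = []
    size = struct.calcsize(TYPES[type_name])
    for offset in range(len(memory) - size + 1):
        if matches(type_name, read_at(memory, offset, type_name), wanted):
            hits.append(offset)
            if len(hits) == MAX_TRACKED:
                break  # value too common (e.g. zero): search a rarer one
    return hits


def sieve(memory, type_name, wanted, candidates):
    """Later passes: re-read only the offsets that find() kept."""
    kept = []
    for offset in candidates:
        stored = read_at(memory, offset, type_name)
        if stored is not None and matches(type_name, stored, wanted):
            kept.append(offset)
    return kept


def make_snapshot(timer, other):
    """Constructed 64-byte stand-in for process memory (not real game data)."""
    mem = bytearray(64)
    struct.pack_into("<H", mem, 0x10, timer)  # the Word we are looking for
    struct.pack_into("<H", mem, 0x20, other)  # unrelated Word, equal at first
    struct.pack_into("<f", mem, 0x30, 99.6)   # a Float that displays as "100"
    return bytes(mem)


def demo():
    first, second = make_snapshot(37, 37), make_snapshot(42, 37)
    found = find(first, "word", 37)              # two candidates
    sieved = sieve(second, "word", 42, found)    # timer moved on, one left
    floats = find(first, "float", 100)           # 99.6 is inside (99, 101)
    return found, sieved, floats
```
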


Address List
Show the addresses in hex e.g. "00405004", that are found or sieved only if there are no more than 500 addresses. Double-clicking on an address will transfer it to the Target List.

The Address List is also used to show matching addresses returned from the memory dump functions: Same, Diff, Dec and Inc. In this case, the address is shown for example as "80B4D5DA:26 38". "26" is the value stored at the address in hex and "38" is the decimal equivalent.


>
Transfer selected addresses in the Address List to the Target List. You can select more than 1 address in the Address List by holding down the CTRL or SHIFT keys.


>>
Transfer all the addresses in the Address List to the Target List.


Del
Delete selected targets in the Target List.

Tip: When the Target List has the keyboard focus, you can press Delete on the keyboard.


Clr
Clear, or delete all the targets in the Target List.


Target List
Can hold up to 100 targets. A target consists of Description, Address, Freeze ("[ ]"), Value, Type and Error ("!").

Description
For you to key in your comments, such as the "Health", "Ammo" or "Gold". To enter a description, double-click on the description.

A single click will select the target. More than 1 target can be selected at any one time by holding down the CTRL or SHIFT keys. Selected targets are shown in a highlight. Even though more than 1 target can be selected, only 1 target can be focused at any one time. The focused target has a bounding rectangle around the description.

Address
The address of the target. This is usually transferred from the Address List. Click to change the address. Addresses are always shown and entered as hex in Game Trainer. To abort editing, press Escape. To end editing, press Enter or click anywhere outside the edit box. Note that an address of zero is not allowed in Game Trainer.

Tip: Press the Up or Down arrow keys when editing to increase or decrease the address by 1.

Freeze [ ]
Click on it to toggle freezing. An "X" means freeze. When frozen, the value of the target will be written to the address at the Freeze rate. Any unfrozen targets are read, that is, the value is read from the address and updated on screen at the Read rate.

Value
If the target is frozen, this value is written to the address. Otherwise, this value is read from the address.

To change the value, simply click on it. This new value will be written to the address. The value you enter must correspond to the Value View, that is, either as hex or decimal.

Type
The data type of the target. Click on it to change. When editing, you can only press "1", "2", ... or "7". They correspond to Byte, Word, Dword, Float, Double, Ascii and Asciiz respectively.

Error !
A "!" is shown if the address is invalid. This means that the target could not be frozen or read. You cannot edit the error.


Value View
Change the view of the targets' values to hex, signed or unsigned decimal. The value you enter into a target must correspond to the view chosen, that is, either as hex or decimal. Note that when hex view is chosen, signed or unsigned view is not applicable.

The signed or unsigned view is also applicable in the memory dump functions: Dec and Inc.


Operand
This is the edit box sandwiched between the "-" and "+" buttons. It is used to hold an address or an address offset in hex.


Set
Set the address of selected targets to the Operand.

Tip: When the Target List has the keyboard focus, you can press "/" on the numeric pad.


Cpy
Copy the address of the focused target to the Operand.

Tip: When the Target List has the keyboard focus, you can press "*" on the numeric pad.


-
Decrement the address of selected targets by the Operand.

Tip: When the Target List has the keyboard focus, you can press "-" on the numeric pad.


+
Increment the address of selected targets by the Operand.

Tip: When the Target List has the keyboard focus, you can press "+" on the numeric pad.


New
Create a new target with a dummy address of "FFFFFFFF".

Tip: When the Target List has the keyboard focus, you can press Insert on the keyboard.


New-
Create a new target with an address that is immediately before the focused target's address, with its data type's size taken into account. The focus is also transferred to the new target, thus you can repeat the same action. This is useful for examining nearby addresses of a certain target.

Tip: When the Target List has the keyboard focus, you can press F3 on the keyboard.


New+
Create a new target with an address that is immediately after the focused target's address, with its data type's size taken into account. The focus is also transferred to the new target, thus you can repeat the same action. This is useful for examining nearby addresses of a certain target.

Tip: When the Target List has the keyboard focus, you can press F4 on the keyboard.


Freeze
The rate of freezing targets in milliseconds. You can select "Off" to override all the frozen targets without having to unfreeze them one by one.


Read
The rate of reading targets in milliseconds. Unfrozen targets are automatically read and updated on screen.


Auto
Smart auto-off function for reading of unfrozen targets. When checked, Game Trainer will not read and update unfrozen targets if the Game Trainer window is inactive. This allows for faster running of the system.

However, if you are training a windowed game and have the Game Trainer window in view, you can uncheck the option to see the values of the targets change in real time.


Open, Save and Save As
Load or save the Target List into a Game Trainer Save File (.gt). A beep signals success.

Save files from version 1.0 are incompatible with the current version.

Note: The addresses that you found earlier may no longer point to the health, ammo, gold, etc. after you start a new game, mission, scenario, etc. or when you quit and restart the game the next time. This is because some games allocate memory dynamically. Hence you will need to search for the new addresses every time for such games. To ease this task, you should make use of the Copy, - and + functions.

For example, you have found the following addresses and frozen them in the Target List: health at the address 400000, ammo at 400014 and gold at 400050.

After you start a new mission, you find that the addresses do not work anymore. You should select one of the targets, for example, health, and Copy its address to the Operand. Select the other 2 targets and click on "-". This will calculate their relative address offsets from health. Their new addresses will be 14 and 50. Search for the new address for health, for example 500000, and Copy it to the Operand. Select the other 2 targets and click on "+". Their new addresses will now be 500014 and 500050.

However, this easy way of getting the new addresses only works if the relative address offsets of the targets always remain the same. This is a good bet if the addresses of the targets are in the same memory block. To see if they are, simply click on the target. Game Trainer will select the memory block which contains the target's address in the Address Map. Game Trainer will also do the same if you click on an address in the Address List.
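The Cpy, - and + steps above with the page's health, ammo and gold addresses, as an added example (not Game Trainer's code). The same-block check is done against constructed address maps given as sorted (base, size) pairs; the function names and both maps are assumptions.

```python
from bisect import bisect_right


def block_of(address_map, addr):
    """Return the (base, size) block that contains addr, or None."""
    bases = [base for base, _ in address_map]
    i = bisect_right(bases, addr) - 1
    if i >= 0 and addr < address_map[i][0] + address_map[i][1]:
        return address_map[i]
    return None


def same_block(address_map, addrs):
    """True only if every address lies in one and the same mapped block."""
    blocks = {block_of(address_map, a) for a in addrs}
    return len(blocks) == 1 and None not in blocks


def to_offsets(targets, anchor):
    """Cpy the anchor's address to the Operand, then '-' on the others."""
    operand = targets[anchor]
    return {n: a - operand for n, a in targets.items() if n != anchor}


def rebase(offsets, anchor, new_anchor_addr):
    """Cpy the anchor's new address to the Operand, then '+' on the others."""
    rebased = {anchor: new_anchor_addr}
    rebased.update({n: new_anchor_addr + off for n, off in offsets.items()})
    return rebased


# Addresses from the example above; the address maps are constructed.
OLD_TARGETS = {"health": 0x400000, "ammo": 0x400014, "gold": 0x400050}
OLD_MAP = [(0x400000, 0x1000)]
NEW_MAP_ONE_BLOCK = [(0x500000, 0x1000)]
NEW_MAP_SPLIT = [(0x500000, 0x40), (0x500040, 0x1000)]  # gold lands in block 2


def demo():
    offsets = to_offsets(OLD_TARGETS, "health")
    new = rebase(offsets, "health", 0x500000)
    one_block = same_block(NEW_MAP_ONE_BLOCK, new.values())
    split = same_block(NEW_MAP_SPLIT, new.values())
    return offsets, new, one_block, split
```

When the rebased targets straddle two blocks, as in the split map, the old offsets are no longer a safe guess and each target should be searched for again.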


Address Map
Show the address map of the selected process. The Size just above the address map shows the size of the selected Private, Shared and Both memory regions in that order. In the address map, Addr is the base address of the memory block. The State of a memory block can be FREE, COMMIT or RESERVE. Only COMMIT blocks are of interest and dealt with in Game Trainer. Protect is the access protection of the memory block. "R" is readable, "W" is writeable and all dashes mean no access. The type of access protection that Game Trainer should limit itself to is chosen by the RW and All radio buttons.

The name and path of the module loaded at the address is also shown at the end if present.

Double-clicking on an address will copy it to the Operand.


Private, Shared and Both
Limit Game Trainer to the Private, Shared or Both memory regions. When you select a process, Game Trainer will select the most suitable region. The Private region is typically from the address 0x400000 to 0x7FFFFFFF. This is the region used by Win32 applications. Since most games are Win32, this is the most common selection. The Shared region is from 0x80000000 to 0xBFFFFFFF. This region is used by Win16 applications and DOS programs. Both selects both the private and shared regions. This is never selected automatically by Game Trainer. You have to select this yourself if you do not want Game Trainer to limit itself to either the private or shared region.


RW and All
RW limits Game Trainer to read-writeable memory blocks. This is the default since in most applications, data values are stored in data segments which are read-writeable. All does not limit Game Trainer by the access protection of memory blocks.


Refresh
Refresh the Process List and the Address Map. Note that an application can alter its memory allocation any time. Thus it is best to refresh whenever you switch from the game to Game Trainer and need to refer to the Address Map.


Dump
Dump the memory of the process to a binary file called "dump.bin". You need to dump once first before using the Same, Diff, Dec and Inc functions. The size of the dump file is 5 times the selected memory size of the process. The memory size is shown just above the Address Map.


Text
Dump the memory of the process to a debug-like text file called "dump.txt". A beep signals completion. This text file is not used by Game Trainer. It is only for you to examine the memory of a process by using your text editor. The size of the dump file is 5 times the selected memory size of the process.


Same, Diff, Dec, Inc
Compare the dump file with the current memory of the process. Only matching addresses are kept in the dump file. If 500 or fewer addresses remain, they will be listed in the Address List. The Byte data type is used for comparison.

Same: Keep addresses whose values have not changed.

Diff: Keep addresses whose values have changed.

Dec: Keep addresses whose values have decreased. The Byte value is taken as signed or unsigned depending on the Value View.

Inc: Keep addresses whose values have increased. The Byte value is taken as signed or unsigned depending on the Value View.

For example, in unsigned view, if a byte value changes from 127 to 128, it is considered to have increased. But in signed view, 128 is actually -1, hence the value is considered to have decreased from 127 to -1. If you are unsure about signed and unsigned integers, just stick to the default unsigned view.
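The Same, Diff, Dec and Inc comparisons and the effect of the Value View on the 127 to 128 case, as an added example (not Game Trainer's code). The snapshots and base address are constructed; function names are hypothetical, and two details are assumptions: survivors are re-recorded with their current byte, and the decimal column is printed unsigned.

```python
COMPARE = {
    "same": lambda old, new: new == old,
    "diff": lambda old, new: new != old,
    "dec": lambda old, new: new < old,
    "inc": lambda old, new: new > old,
}


def as_view(byte, signed):
    """Interpret a raw byte (0..255) in the unsigned or signed Value View."""
    return byte - 256 if signed and byte >= 128 else byte


def dump(memory, base):
    """Record every address of the block together with its byte value."""
    return {base + i: value for i, value in enumerate(memory)}


def compare(kept, memory, base, mode, signed=False):
    """Keep addresses whose byte satisfies `mode` against the stored value.

    Assumption: survivors store the current byte for the next round.
    """
    test = COMPARE[mode]
    result = {}
    for addr, old in kept.items():
        new = memory[addr - base]
        if test(as_view(old, signed), as_view(new, signed)):
            result[addr] = new
    return result


def address_list(kept, limit=500):
    """Format survivors as 'ADDRESS:hex decimal', only if within the limit."""
    if len(kept) > limit:
        return []
    return ["%08X:%02X %d" % (a, v, v) for a, v in sorted(kept.items())]


BASE = 0x80B4D000                  # constructed base address
BEFORE = bytes([10, 127, 200, 5])  # constructed snapshots
AFTER = bytes([10, 128, 201, 4])   # 128 (0x80) reads as -128 when signed


def demo():
    first = dump(BEFORE, BASE)
    inc_unsigned = compare(first, AFTER, BASE, "inc", signed=False)
    inc_signed = compare(first, AFTER, BASE, "inc", signed=True)
    dec_signed = compare(first, AFTER, BASE, "dec", signed=True)
    return (address_list(inc_unsigned), address_list(inc_signed),
            address_list(dec_signed))
```
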


Known Problems
None at present.


Contact
Please email any bugs or suggestions to the author.

Email: poisonpunk@geocities.com
Homepage: http://www.geocities.com/SiliconValley/Heights/5287/


Copyright © 1999 PKK.