Example of a trainer program (game hacking)
#################################################################
#################################################################
##                                                             ##
##              Creating a Game Trainer in Delphi              ##
##                                                             ##
##  In this tutorial, I'm going to outline all the basic API   ##
##  and code necessary to create a trainer in Delphi 4. A basic##
##  knowledge of Delphi is preferred, but Delphi's a damn easy ##
##  language to learn anyway.                                  ##
##                                                             ##
#################################################################
#################################################################
###############
# The Concept #
###############
Okay, this is what we want the trainer to do. We run the
game, and then [alt][tab] out to Windows. We run the
trainer, and press a button. This action will poke a
value into a certain memory address of the game. So
if we know the memory address of the money in a game,
we can hack the money using this trainer.
To make a trainer, here are the basic things we need.
The Game's Window Title:
Run the game, and then alt-tab out to Windows. Look at
the taskbar for your game, and write down the exact
window title.
The Memory Address (in hex):
Using a program like GameHack [www.gamehack.com] or
MTC, we can do a search for any value and find the
memory address. An example address in hex form is
41D090. Write the address down somewhere.
A Value To Poke (in hex):
So we have the memory address. What value do we want
to poke into it? Let's say I want 50 gold, so first,
I must convert 50 into hex form using a hex converter.
The converter says 32, so write this number down also.
Number Of Bytes:
In the value to poke that you wrote down above, you
must also know how many bytes this will take up in
memory. For example, 32 will take up only 1 byte, but
FF07 will take up two bytes. In general, two digits
take up one byte.
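The tutorial's rule "two hex digits take up one byte" tells you the width of the value, but not how a value wider than one byte is laid out in memory, and that is where beginner trainers usually go wrong. As an added example (not part of the original tutorial), the Python helper below turns the numbers you wrote down (value in hex, number of bytes) into the exact byte buffer that WriteProcessMemory would be handed: x86 stores integers little-endian, so a two-byte value $FF07 sits in memory as the bytes 07 FF, and a value that needs more bytes than NumberOfBytes is rejected instead of silently spilling into the neighbouring field. All sample values are constructed from the tutorial's own numbers.

```python
# Added example, not part of the original tutorial. Prepares the value a
# trainer pokes: width check plus little-endian encoding for x86.


def parse_hex(text: str) -> int:
    """Parse a hex value in the forms the tutorial uses: '41D090', '$32', '0xFF07'."""
    t = text.strip()
    if t.startswith("$"):
        t = t[1:]
    elif t[:2].lower() == "0x":
        t = t[2:]
    return int(t, 16)


def bytes_needed(value: int) -> int:
    """Smallest number of bytes that can hold an unsigned value (at least 1).

    This is the tutorial's "two hex digits take up one byte" rule.
    """
    if value < 0:
        raise ValueError("poke values are unsigned")
    return max(1, (value.bit_length() + 7) // 8)


def fits(value: int, number_of_bytes: int) -> bool:
    """True if the value can be written in exactly number_of_bytes bytes."""
    return number_of_bytes >= 1 and bytes_needed(value) <= number_of_bytes


def encode_poke(value: int, number_of_bytes: int) -> bytes:
    """Little-endian buffer of exactly number_of_bytes bytes for the value.

    Refuses values that do not fit instead of truncating them or writing
    past the NumberOfBytes the trainer was configured with.
    """
    if not fits(value, number_of_bytes):
        raise ValueError(
            f"value {value:#x} needs {bytes_needed(value)} byte(s), "
            f"but NumberOfBytes is {number_of_bytes}"
        )
    return value.to_bytes(number_of_bytes, "little")


def decode_poke(buf: bytes) -> int:
    """Inverse of encode_poke: what ReadProcessMemory of the same width gives back."""
    return int.from_bytes(buf, "little")


if __name__ == "__main__":
    # Constructed sample values taken from the tutorial's own numbers.
    gold = parse_hex("$32")                    # 50 gold
    print(encode_poke(gold, 1).hex())          # 32
    print(encode_poke(gold, 2).hex())          # 3200  (low byte first)
    two_byte = parse_hex("FF07")
    print(bytes_needed(two_byte))              # 2
    print(encode_poke(two_byte, 2).hex())      # 07ff
    print(fits(two_byte, 1))                   # False
```

The Delphi code later on the page fills its buffer with `buf^ := Chr(PokeValue)`, which only ever stores one byte; `encode_poke` shows what the buffer has to contain once NumberOfBytes is larger than 1, and `decode_poke` is the check you would run on a ReadProcessMemory of the same address to confirm the poke landed.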
##########################
# Let's Start The Coding #
##########################
We are going to use the Win32 API to poke values
into the memory of another process. Here are the
functions we'll be using, in the correct order:
FindWindow
GetWindowThreadProcessId
OpenProcess
ReadProcessMemory
WriteProcessMemory
CloseHandle
[Read up on these API functions in the Win32.hlp file for full
details. I will only go through the basics, so that
beginners can just copy and paste the code in this tutorial.]
The coding begins. First we declare our variables.
Copy and paste these into your code:
Var
  WindowName   : Integer;
  ProcessId    : Integer;
  ThreadId     : Integer;
  buf          : PChar;
  HandleWindow : Integer;
  write        : Cardinal;
Time to declare all the important stuff. Copy and paste
the following into the same area of the code. Set up the
following variables to what you have written down earlier.
Const
  WindowTitle   = 'prog test';
  Address       = $41D090;
  PokeValue     = $32;
  NumberOfBytes = 1;
Now to poke a value, you must get the handle of the
memory of the game. There is no direct way to do this,
so here's what we do.
1) Get the main window's handle.
2) With the handle, get the process identifier.
3) With the pID, get the handle of the memory area.
4) With this handle, we can start hacking!
First, we need to get the handle of the main window of
the game. Use the FindWindow function like this:
WindowName := FindWindow(nil, WindowTitle);
If WindowName = 0 then
begin
  MessageDlg('The game must be running in the background. ' +
             'Run it now, and then try again.', mtWarning, [mbOK], 0);
  Exit;  { nothing to poke into, so leave the button handler here }
end;
Notice that the code checks whether WindowName is zero.
If it is, it means the game is not running, so we warn
the user and tell him to run the damn game now! Without
the Exit, the code would carry on and call OpenProcess with
a process identifier that was never filled in.
Next, we need the window's process identifier. We use the
GetWindowThreadProcessId function for this. Then we get
the handle of the memory area using OpenProcess. The code
asks for PROCESS_ALL_ACCESS, which is more than it needs:
WriteProcessMemory only requires PROCESS_VM_WRITE and
PROCESS_VM_OPERATION, so a trainer that wants to ask for
the least it can use those two instead. Copy the code below.
ThreadId := GetWindowThreadProcessId(WindowName, @ProcessId);
HandleWindow := OpenProcess(PROCESS_ALL_ACCESS, False, ProcessId);
If HandleWindow = 0 then Exit;  { OpenProcess failed, e.g. access denied }
That's it! Now we can use WriteProcessMemory through the handle.
The buffer is filled low byte first, because x86 stores values
little-endian, and the return value is checked so a failed write
does not go unnoticed. Once we're done, we close the handle, just
to be safe. Copy the code below.
GetMem(buf, NumberOfBytes);
FillChar(buf^, NumberOfBytes, 0);  { clear the high bytes first }
buf^ := Chr(PokeValue);            { low byte; PokeValue must fit in one byte here }
If not WriteProcessMemory(HandleWindow, Ptr(Address), buf, NumberOfBytes, write) then
  MessageDlg('WriteProcessMemory failed.', mtError, [mbOK], 0);
FreeMem(buf);
CloseHandle(HandleWindow);
Below is the source code for the entire trainer. For beginner
programmers, to make a fast trainer, all you have to do is change
the constants declared in the beginning of the code.
############################################################
############################################################
####                                                    ####
####           Trainer +1 For MTC's Prog Test           ####
####               Source Code (Delphi 4)               ####
####            Copyright 1999 By CheatMagic            ####
####                                                    ####
############################################################
############################################################
Var
  WindowName   : Integer;
  ProcessId    : Integer;
  ThreadId     : Integer;
  buf          : PChar;
  HandleWindow : Integer;
  write        : Cardinal;

Const
  WindowTitle   = 'prog test';
  Address       = $41D090;
  PokeValue     = $32;
  NumberOfBytes = 1;
###########################################################
# (Put the following code inside a command button routine)#
###########################################################
begin
  WindowName := FindWindow(nil, WindowTitle);
  If WindowName = 0 then
  begin
    MessageDlg('The game must be running in the background. ' +
               'Run it now, and then try again.', mtWarning, [mbOK], 0);
    Exit;  { nothing to poke into, so leave the button handler here }
  end;
  ThreadId := GetWindowThreadProcessId(WindowName, @ProcessId);
  HandleWindow := OpenProcess(PROCESS_ALL_ACCESS, False, ProcessId);
  If HandleWindow = 0 then Exit;  { OpenProcess failed, e.g. access denied }
  GetMem(buf, NumberOfBytes);
  FillChar(buf^, NumberOfBytes, 0);  { clear the high bytes first }
  buf^ := Chr(PokeValue);            { low byte; PokeValue must fit in one byte here }
  If not WriteProcessMemory(HandleWindow, Ptr(Address), buf, NumberOfBytes, write) then
    MessageDlg('WriteProcessMemory failed.', mtError, [mbOK], 0);
  FreeMem(buf);
  CloseHandle(HandleWindow);
end;