Memory Hacking Software

[slointe]

I am playing single player Warcraft 3.

I am just starting out using this tool so please bear with me. I read the help file but didn't see a walkthrough really that went start to finish on how to use this.

I can find the values for things in the game without issue but of course the addresses change whenever I restart the game, this I understand from the help file and the way memory is managed.

So I gather that I need to find the "static pointers" for these values. So now my problem. First let's say I find the health of my hero, no sweat, it's currently at 0x0DB73C30 if I lock that address he doesn't die. Now do I do a pointer search using 0x0DB73C30? If I do that, I get addresses that are way farther back than the ranges typically 0x0 to 0x500. Or am I missing a step between successfully finding and locking that value in data type search and then doing a static pointer search? I feel like I'm way off.

[mezzo]

Looks like you're doing just fine...

if hero Hp is at 0x0DB73C30, start a pointer search (eval type ranged), with target from 0xDB60000 to 0x0DB73C30... Click find only static pointers and you are off..

Generally the pointer that points to the smallest amount of bytes before the memory address is the one you need. Save that pointer (write it down or save it). Launch you game again and look ath the pointer you found+amount of bytes is was pointing before the HP address, if it's the HP addy you're in luck, if not, you have to choose a pointer at another address from the result list..

(but honestly, the bit L.Spiro wrote in the help file about pointers and pointer searches is a better explanation then I ever could, it even has drawings
Go read that again a few times and you will figure it out)

[L. Spiro]

(Reply written before seeing mezzo’s reply.)

In large games it is normal to get pointers that point to locations far before the value you found.

Find the closest few and mark their locations (add them to the list if you need).

Then reset the game, find the new health value, and see if the pointers you marked are still the same distance from the health even after it moves.

It is possible to get multiple copies. They are usually all just as useful as long as they are always synchronized.
It might take time to figure out that one of the pointers is being used for something else and might change in the future.


L. Spiro

[slointe]

Hmm...okay so I did two separate data-type searches and found that the hero's HP changed addresses, expected. Then I did two pointer searches with said address. Sorry, I took two screenies of the results as I don't know of any faster way to compare the results with each other:






So I am ideally supposed to be able to find one or more distances from one list that exactly matches one or more from the other list? I don't see it happening at all. I have done it 8 times so far.

[L. Spiro]

Copy MHS into another directoy and load them both.

In one, you do the search for the health.
In the other, search for pointers.

#1 = Health.
#2 = Pointers.

In #1, find health. In your case, 0x0DB93974.
In #2, search for the pointers to that health.

Reset the health, but do not restart the game. Find a way to move the health that does not involve restarting the game. Start a new map or something.

In #1, find the new health. In your case, 0x0DBB3974.
The difference between 0x0DBB3974 and 0x0DB93974 is 0x20000.
In #2, perform a Sub Search for the pointers that have changed by 0x20000.

Repeat if necessary.
The point is to move the player health and keep track of which pointers are moving with it.


L. Spiro

[slointe]

just a quick question before I try this. in changed by textbox, it doesn't accept hexadecimal entries? I am using the Windows Calc.exe in the hex mode to do subtraction. Do I need to do another conversion then put that value in the changed by box?

[mezzo]

convert the amount that you need to subtract from hex (if thats what you got it in) to decimal with the calculator (you can use the expression evaluator for this too) and put the decimal number into the 'changed by' box. that should do it

[slointe]

Didn't think this was going to be this much trouble.


1. I opened two instances of the MHS. One for hero HP, one for pointer searching

2. Found the first hero HP at 0x0AD73C30.

3. Did the first pointer search with the range of 0x0AD03C30 to 0AD73C30. Checked the only static pointers box. 12 results.

4. Did not restart game just ended that mission and loaded a new map.

5. Found the Hero's HP on restarted mission 0x0ABA3C30. Using the expression evaluator I got the difference of the first minus the second or

0x0AD73C30 - 0x0AD03C30 = 458752 (70000)

6. Now in the MHS instance for pointer searching. With the results from the previous search, I plug the value 458752 into a 'changed by' subsearch.

7. No results found.

8. Okay so then I just tried the Different than Before search type. No results found.

9. What did I miss?


Does Warcraft 3 have some anti-cheat magic in it? I noticed that attaching OLLYDBG to it generates an error: war3.exe is not a valid 32bit exe, or something or other.

[L. Spiro]

It probably just has a multi-layer pointer tree.
Try the debugger in MHS.


L. Spiro

[slointe]

Just got some free time again.

What do I do with the debugger?

the debugger is grayed out on my MHS

[mezzo]

download the very latest version (see the sneak peek thread in general forum).

Don't forget to 'attach' the debugger.

[slointe]

I got the newest version with the debugger activated.

Thank you guys, I think I got this wired now. It's working great!

[L. Spiro]

The latest version is MHS 4.0.0.0 on the download page.


L. Spiro

[mezzo]

woa MHS4.0.0.1 even