Warcraft III Multiplayer player's slot information


Post by aRkker » Tue Nov 17, 2009 9:24 pm

Hey,

My problem is the following:

I need to find the LAN-lobby slot being occupied by the player. You'd think that somewhere runs a value like 01 for Sentinel first slot, 02 for Sentinel 2nd slot and so on, but if it is so, I haven't managed to find it.

I've been puzzled about this for almost half a year now and I've been trying to do this with Cheat Engine for that time. Now I found this MHS software and thought to give it a go. But I didn't manage to get it done with this either.

I have found that almost everything (if not everything?) inside the game's memory is being allocated dynamically. DLLs are always loaded to the same addresses though, and they have static allocation.

Could someone a little more experienced try this out and post their results? Or even point me to the proper way of searching for this info.

Thanks in advance.
aRkker
I Have A Few Questions
 
Posts: 4
Joined: Tue Nov 17, 2009 9:19 pm

Re: Warcraft III Multiplayer player's slot information

Post by WhiteHat » Wed Nov 18, 2009 7:19 pm

aRkker wrote: I need to find the LAN-lobby slot being occupied by the player. You'd think that somewhere runs a value like 01 for Sentinel first slot, 02 for Sentinel 2nd slot and so on, but if it is so, I haven't managed to find it.

I’ve dealt with this long ago, only it was in Single Player Mode...

Somewhere in our memory, there are addresses for each player slot whose values determine which player is using the slot.

Example:
Address    Values
------------------
0x1401000  0x00
0x1402000  0x01
0x1403000  0x02
0x1404000  0xFF


Address 0x1401000 is for the topmost player slot, while its value shows that the player using it is a Human player. The next slot is Computer EASY (0x01), followed by Computer NORMAL (0x02), and Open Slot (0xFF), etc...

If I remember it correctly, that is how WarCraft 3 stored its addresses for player slots. Please note, however, that the values are fictive ones. I forget what the correct values are. It is possible that 0xFF is a Human player instead of Open Slot. Use Unknown initial search values followed by same or different sub-search to get the real ones...

Hope you get the idea...
.. to boldly go where no eagle has gone before...
WhiteHat
Elang Djawa
 
Posts: 1059
Joined: Fri Jul 21, 2006 12:49 pm
Location: Away for a while...

Re: Warcraft III Multiplayer player's slot information

Post by aRkker » Wed Nov 18, 2009 11:33 pm

Thank you for answering, Whitehat.

I tried what you said, and I indeed found the values, but that is not the only problem.

Now as I have the value addresses, I have to find the base pointers for these. Do you remember how you went by with this? I have tried the CE base-pointer search with no working results. I am attempting with MHS soon too, hoping for better results.


Edit1: I did manage to find the base pointer for the sentinel slot 1 address after hours of work, and I will proceed to find the rest tomorrow. There were even 5 base pointers for the 1st slot, and they seemed to be 100% accurate.
war3.exe + 000661AC Offset 59C ->
02421FEC + A8 ->
02420138 + 25C ->
0051ECA4 + 460 ->
15055708 + 234 ->
1B5B0234 (on the current game I'm running, next game it will be different)


Re: Warcraft III Multiplayer player's slot information

Post by WhiteHat » Thu Nov 19, 2009 2:38 pm

aRkker wrote: Now as I have the value addresses, I have to find the base pointers for these. Do you remember how you went by with this?

I haven’t tried it yet. The values I found came out of a little experiment since I was curious about them. But I did not intend to go deeper about them... However, this topic may lead to some interesting hacks...

aRkker wrote: Edit1: I did manage to find the base pointer for the sentinel slot 1 address after hours of work, and I will proceed to find the rest tomorrow.

If I remember it correctly, the values between each slot are only several bytes away, just like the ones with gold addresses...

From your pointer trails (or Complex Address), the 1st sentinel slot address is:
[[[[war3.exe+0x661AC]+0xA8]+0x25C]+0x460]+0x234

It is possible that the 2nd slot for sentinel has this trail:
[[[[war3.exe+0x661AC]+0xA8]+0x25C]+0x460]+0x234+n offset

where ‘n offset’ shows how many bytes the other slots reside in memory...

Anyway, are you certain that the base module is war3.exe, and not game.dll?
I’m quite curious about this since all of my complex addresses for this game use game.dll as their base pointers..

aRkker wrote: There were even 5 base pointers for the 1st slot, and they seemed to be 100% accurate.

I guess that’s normal. Even the complex addresses for players gold may be based from two different base pointers. And there are about 2 or 3 working base pointers for the same pointer trails in GTA San Andreas...

Re: Warcraft III Multiplayer player's slot information

Post by aRkker » Thu Nov 19, 2009 3:40 pm

WhiteHat wrote: Anyway, are you certain that the base module is war3.exe, and not game.dll?
I’m quite curious about this since all of my complex addresses for this game use game.dll as their base pointers..


Yes, that is what my Cheat Engine said, and as the game re-allocates the memory every time you remake the game, the pointers I found worked every time. I tried restarting the game, and even the computer, and tried it on a few other computers, and it worked.

I found it rather curious too that the base wasn't 6F000000 (Game.dll always is loaded there) since everything else I have searched for has had it as the base.

What I am trying to achieve with all this is that I wanted to try if I could create a program to make myself swap slots automatically according to my needs, in case you were wondering.

Edit: I cannot manage to get the pointers for the 5th slot of Sentinel, apparently. They just don't seem to be the base pointers. :/

Edit2: Beaten. I managed to find a stable pointer for the stuff.

[Storm.dll+0x55708]+0x234


^ This pointer always points to the first slot. And by adding 0x1D8 to the address pointed by this pointer, you get to the 2nd slot.

Sentinel 1st slot - [Storm.dll+0x55708]+0x234
Sentinel 2nd slot - [[Storm.dll+0x55708]+0x234]+0x1D8
Sentinel 3rd slot - [[Storm.dll+0x55708]+0x234]+0x1D8+0x1D8
Sentinel 4th slot - [[Storm.dll+0x55708]+0x234]+0x1D8+0x1D8+0x1D8
Sentinel 5th slot - [[Storm.dll+0x55708]+0x234]+0x1D8+0x1D8+0x1D8+0x1D8

---------------------

Scourge 1st slot - [[Storm.dll+0x55708]+0x234]+0x1D8+0x1D8+0x1D8+0x1D8+0x1D8
Scourge 2nd slot - [[Storm.dll+0x55708]+0x234]+0x1D8+0x1D8+0x1D8+0x1D8+0x1D8+0x1D8
Scourge 3rd slot - [[Storm.dll+0x55708]+0x234]+0x1D8+0x1D8+0x1D8+0x1D8+0x1D8+0x1D8+0x1D8
Scourge 4th slot - [[Storm.dll+0x55708]+0x234]+0x1D8+0x1D8+0x1D8+0x1D8+0x1D8+0x1D8+0x1D8+0x1D8
Scourge 5th slot - [[Storm.dll+0x55708]+0x234]+0x1D8+0x1D8+0x1D8+0x1D8+0x1D8+0x1D8+0x1D8+0x1D8+0x1D8

---------------------

Observer 1st slot - [[Storm.dll+0x55708]+0x234]+0x1D8+0x1D8+0x1D8+0x1D8+0x1D8+0x1D8+0x1D8+0x1D8+0x1D8+0x1D8
Observer 2nd slot - [[Storm.dll+0x55708]+0x234]+0x1D8+0x1D8+0x1D8+0x1D8+0x1D8+0x1D8+0x1D8+0x1D8+0x1D8+0x1D8+0x1D8



I hope this helps everyone struggling with this problem as well.

Re: Warcraft III Multiplayer player's slot information

Post by WhiteHat » Tue Nov 24, 2009 8:54 am

A bit late reply. Been quite busy...

aRkker wrote: What I am trying to achieve with all this is that I wanted to try if I could create a program to make myself swap slots automatically according to my needs, in case you were wondering.

I’m not sure if you could do that, although it may be accomplished if you’re the one who creates the game (room) since only the game creator can kick players...

But, what would happen if you want to move to slot #5 whilst it is occupied by another human player?

aRkker wrote: Edit2: Beaten. I managed to find a stable pointer for the stuff.

Haven’t tried them yet, but congratulations...

BTW, you may want to make them shorter. I mean, instead of:
[[Storm.dll+0x55708]+0x234]+0x1D8+0x1D8+0x1D8+0x1D8+0x1D8+0x1D8+0x1D8+0x1D8+0x1D8

you can, in MHS, use the shorter one:
[[Storm.dll+0x55708]+0x234]+(9*0x1D8)

So your Complex Addresses will be something like these:
[[Storm.dll+0x55708]+0x234]+(00*0x1D8)
[[Storm.dll+0x55708]+0x234]+(01*0x1D8)
[[Storm.dll+0x55708]+0x234]+(02*0x1D8)
[[Storm.dll+0x55708]+0x234]+(03*0x1D8)
[[Storm.dll+0x55708]+0x234]+(04*0x1D8)
[[Storm.dll+0x55708]+0x234]+(05*0x1D8)
[[Storm.dll+0x55708]+0x234]+(06*0x1D8)
[[Storm.dll+0x55708]+0x234]+(07*0x1D8)
[[Storm.dll+0x55708]+0x234]+(08*0x1D8)
[[Storm.dll+0x55708]+0x234]+(09*0x1D8)
[[Storm.dll+0x55708]+0x234]+(10*0x1D8)
[[Storm.dll+0x55708]+0x234]+(11*0x1D8)


The beauty of the MHS complex address is that it can get very complex, which allows us to do some math within it...
We can even create a ‘complex address within complex address’ like this (look at stamina part):
viewtopic.php?p=38772&sid=e5666b6c44f17240bd0ed7a697a62f3c#p38772

Only in MHS...
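The complex-address form from the posts above, evaluated against a constructed memory snapshot; this is an added example, not code from the thread or from MHS. It assumes that brackets mean "read the 32-bit value stored at this address"; the Storm.dll base, the heap addresses and all function names are made up for illustration.

```python
import re

TOKEN = re.compile(r"0[xX][0-9A-Fa-f]+|\d+|[A-Za-z_][\w.]*|[\[\]()+*]")

def read_u32(memory, addr):               # sparse {address: 32-bit value} snapshot
    if addr not in memory:
        raise ValueError(f"unmapped read at {addr:#x}")
    return memory[addr]

def evaluate(expr, modules, memory):
    """Evaluate a complex address: [x] dereferences x, (x) only groups."""
    toks, pos = TOKEN.findall(expr), 0
    if "".join(toks) != "".join(expr.split()):
        raise ValueError(f"unexpected character in {expr!r}")
    def take(expected=None):
        nonlocal pos
        if pos >= len(toks) or (expected and toks[pos] != expected):
            raise ValueError(f"malformed expression {expr!r}")
        pos += 1
        return toks[pos - 1]
    def chain(op, operand):               # left-associative run of one operator
        val = operand()
        while pos < len(toks) and toks[pos] == op:
            take()
            val = val + operand() if op == "+" else val * operand()
        return val
    def atom():
        tok = take()
        if tok in ("[", "("):
            inner = chain("+", lambda: chain("*", atom))   # '*' binds tighter
            take("]" if tok == "[" else ")")
            return read_u32(memory, inner) if tok == "[" else inner
        if tok[0].isdigit():
            return int(tok, 16) if tok[:2].lower() == "0x" else int(tok)
        if tok not in modules:
            raise ValueError(f"unknown token {tok!r}")
        return modules[tok]               # module base address
    result = chain("+", lambda: chain("*", atom))
    if pos != len(toks):
        raise ValueError(f"trailing tokens in {expr!r}")
    return result & 0xFFFFFFFF

def slot_addresses(modules, memory, count=12):
    """Slot n is [[Storm.dll+0x55708]+0x234]+(n*0x1D8), the form in the post."""
    return [evaluate(f"[[Storm.dll+0x55708]+0x234]+({n:02d}*0x1D8)", modules, memory)
            for n in range(count)]

def make_session(heap_obj, table, storm=0x15000000):   # constructed data, not real
    return {"Storm.dll": storm}, {storm + 0x55708: heap_obj, heap_obj + 0x234: table}
```

Two sessions built with different heap addresses give different slot addresses from the same expression, which is why the module-relative form stays valid after the game reallocates its memory.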

Re: Warcraft III Multiplayer player's slot information

Post by aRkker » Tue Nov 24, 2009 8:05 pm

It is indeed possible. We've tracked it down pretty deep already, and I am convinced that it can be done.

And the key here is not to kick people, but just change slots to empty slots.

And you're wrong about host only being able to kick people, with my year's worth of research I've discovered all sorts of stuff about the game mechanics.

Re: Warcraft III Multiplayer player's slot information

Post by WhiteHat » Sat Nov 28, 2009 11:20 am

aRkker wrote: And the key here is not to kick people, but just change slots to empty slots.

This makes more sense... but...

aRkker wrote: And you're wrong about host only being able to kick people, with my year worth of research I've discovered all sorts of stuff about the game mechanics.

I take it as players who join a room can kick others, even the server/room creator (?).
Well if it can be done, then we don’t have to limit our hack to occupy whichever empty slots we want, but also to occupy a certain slot with force (even if it is occupied)...

