Hacking DotA Heroes: Utilizing Group Search... (pictures)

Submit Tutorials Related to Memory Hacking Software

Moderators: g3nuin3, SpeedWing, WhiteHat, mezzo

Hacking DotA Heroes: Utilizing Group Search... (pictures)

Postby WhiteHat » Fri May 02, 2008 10:42 am

We’re gonna learn to utilize Hex Editor and Group Search for hacking WarCraft 3 DotA.

Though this tutorial series are for beginners audience, I assume that you already familiar with basic data-type searching and sub-search. I also recommend you to use MHS Help File as reference along with tutorial, especially in Hex Editor and Group Search chapters.

Before we start, allow me to emphasize that studying values around your found addresses is very very important. It is never been a secret that important values often stored in the same region of memory... In my understanding, this caused by something about Data-Structure or Data-Class (please correct me if i’m wrong). The bottom line: Always be suspicious to values around your found addresses !

The version of Warcraft used here is 1.21a (i believe so)... But this should be no problem at all since i’ve been using 2 or 3 different versions... Also, i’m sure that you don’t have to worry about the DotA map version. The hacks should be working on all DotA maps (only slight differences)...


Now, on to the first tutorial...




Hacking EXP

Hacking EXP of DotA heroes is easy. Use a basic Data-Type Search / Sub-Search and Unsigned Long data-type.

Here’s the picture of DotA screen-shot merged with MHS.
Image

Address for Shendelzare’s EXP is 0x0D1C0120. Yours would be different and that’s normal (... google this: DMA, if you wanna know why your address should be different).

The next step is ALWAYS be suspicious for values around found address. The only way to do this is using Hex Editor...
Since EXP value is in Unsigned Long data-type, i changed the Base Option into the same data-type... And as i suspected, there ARE other important values around EXP address, which i’ll show you in the next picture.

Here’s the merged picture of DotA screen-shot and Hex Editor:
Image

You can see that EXP, Ability Points, and Base Strength are stored respectively.. This means we have another option to search EXP: Group Search.

To quote what L. Spiro say in MHS Help file:
Group Searches are used when you know that several values are in the same region of memory, but you don’t know their order, or if you know their order but don’t know their values.

In this case, we know their values, we know their order, and certainly they are in the same region of memory... Again, please refer to MHS help file for more details about Group Search, so you won’t get lost in the next steps of this tutorial...

The next picture shows how to input values in Group Search based on the Hex Editor:
Image
Be sure to check the summary at the bottom part to get a preview of how MHS will perform Group Search...

With those inputs, Group Search found only 1 result. This is very common since there are not many specific values match to the search target which are 3E 00 00 00 01 00 00 00 10 00 00 00 hex ( or 62, 1, 16 unsigned long).

From Group Search result, we can add those each element separately to the MHS table (we have to do it manually via hex editor). Now we have the table for EXP, Ability Points, and Base Strength (at level 1)...
Image

Now those values are free to modify:
- Boost your exp to get instant max level
- Boost your STR to get a huge Max Health, and more damage for Strength Heroes...
- Boost your Ability Points to get more skills (the level limitation still applied tho.)

The table seems enough for most cases. But in fact, there are more important values around EXP address which i’ll show you in the next tutorial...
Last edited by WhiteHat on Fri May 02, 2008 10:55 am, edited 1 time in total.
.. to boldly go where no eagle has gone before...
User avatar
WhiteHat
Elang Djawa
 
Posts: 1059
Joined: Fri Jul 21, 2006 12:49 pm
Location: Away for a while...

Postby WhiteHat » Fri May 02, 2008 10:44 am

Hacking BASE STATS

Base Stats for Heroes in Warcraft 3 consist of Strength, Agility and Intelligence. They are then affect other stats such as Attack Damage, Attack Speed, Max HP & Manna, HP & Manna regeneration rate, etc. Everytime a hero gains a level, these Base Stats increased by certain constants...

For example:

Hero X has 16 Base STR and 1 STR constant. This means:
- At level 1, Hero X will have 16+(0*1) = 16 STR
- At level 2, Hero X will have 16+(1*1) = 17 STR
- At level 3, Hero X will have 16+(2*1) = 18 STR
- ...
- At level 25, Hero X will have 16+(24*1) = 40 STR

In this tutorial part, we’re going to hack this constants. I’ll just call them Base Stats Addition to make things easier (...please forgive my English).

The first thing we have to do is to know how to obtain these values. This is very easy: Just hover your mouse pointer to the hero icon before you choose her.
Image

In fact, these Base Stats Addition values are stored in the same memory region of EXP address, so i used the same Hex Editor window from previous tutorial. However, since they are floating number, i had changed the Base Option into Float data-type.

Here’s the pic of the address merged with Base Stats Addition info form DotA:
Image

We can see that the addresses of Base Stats Additions are actually only a few bytes after EXP address:
- STR Addition address = EXP address + 0x48
- INT Addition address = EXP address + 0x50
- AGI Addition address = EXP address + 0x58
(don’t swap between INT and AGI tho. Cause in WC3 screen AGI is typed before INT...)

At this point, you can just add these Base Stats Addition addresses into the table. But we’re gonna try to search for Base Stats Additions utilizing Group Search...
Image

There are 2 values which will be ignored, since they keep changing for each DotA session. Please understand that the Red background color of these values has nothing to do with our decision to ignore them. Instead, it shows that MHS suspected these values as Pointers since they are divisible by 4 (modulus operation to these values by 4 will result in 0)... Just, refer to MHS help file about Hex Editor and Pointer...

However, we’re NOT ignoring these 2 values for elements count. Please be careful...

Now, when the Group search executed, there is 99.9999% chance that there would be only 1 result. Those 5 ordered elements of float data-type are pretty much unique (unless there are other heroes with same Base Stats Addition, of course).

The next thing you can do is to add Base Stats Addition values addresses into MHS table (manually through Hex Editor).
Image

Following picture shows you when Shendelzare’s attain some levels after i modified all values of Base Stats Addition to 100.00, without any equipments and without any Hero abilities:
Image

Just focus on Shendelzare’s Base Stats. She’s now definitely far far beyond of Beyond Godlike...
(in case you’re curious, Shendelzare’s max health is 46,054 at level 25)

:D


...

I really hope you’re now have a slight better knowledge of Group Search, for next tutorials i will discuss it in fast speed (still some pictures tho)...

Coming up next:
- Health & Manna Hacks
- Movement Speed Hacks
- Attack Speed, Attack Range, Attack Damage Hacks
.. to boldly go where no eagle has gone before...
User avatar
WhiteHat
Elang Djawa
 
Posts: 1059
Joined: Fri Jul 21, 2006 12:49 pm
Location: Away for a while...

Postby WhiteHat » Fri May 02, 2008 10:45 am

HEALTH and MANNA Hacks

Health and Manna values stored in similar way. You’ll find them like following pattern within memory:
Current Health/Manna - Health/Manna Regeneration Rate - NULL - Max Health/Manna
They are all float data-type... NULL (0x00000000) equals 0.00 float.

All values but Regeneration Rate can be found with group search. Regeneration Rate is very hard to memorized nor it is hard to calculate (actually, it is not hard if you’re not lazy...). So we’re just gonna put Current Health/Manna, NULL, Max Health/Manna in Group Search find values.

However, before you begin performing Group Search, you have to be very very sure that your hero is at full health/manna. There are times when you read her current health is full (same value as max health), or manna, but in fact it is not the same value within the memory.

So, the best time to apply following Group Search is at very-very early of the game, that is right after you choose your hero...

For this tutorial session, we’ll be using Drow Ranger...

Health and Manna for Traxex:
- Max Health = 473
- Max Manna = 195

The group search would be something like this:
Image

As usual, the search found only 1 address, unless there are other heroes have the same health or manna...

And this is the Hex Editor for Health (Hex Editor for Manna is very similar):
Image

Now you can make MHS table by manually add the addresses from Hex Editor:
Image

Once you have the table, you can make your hero invincible by increasing both Current Health and Max Health as high as you want and freeze them...

Personally, i prefer to modify Regeneration Rate. If you put 10000.00 to both Regeneration Rate, you are virtually frozen your Health and Manna...
.. to boldly go where no eagle has gone before...
User avatar
WhiteHat
Elang Djawa
 
Posts: 1059
Joined: Fri Jul 21, 2006 12:49 pm
Location: Away for a while...

Postby WhiteHat » Fri May 02, 2008 10:46 am

Hacking MOVEMENT SPEED

Hacking movement speed is a bit tricky... I’ve tried various way to get its address and failed for about a week. That was until i decided to use Nerubian Waver’s skill Shukuchi.

Using Unknown Data-type search followed by Difference From Before and Same as Original Sub-Search, i managed to get a fact when Anub'seran is in Shukuchi mode there would be exactly one address had a value of 11.00 float. And the same address changed to 01.00 float when the Shukuchi mode worn off...

When i studied values arround the address, i found the base movement speed (original speed of Anub'seran without any speed booster item) address just 8 bytes before. The value of this address is static, means that it is not affected by whatever speed booster item put on. So, if you want to know your hero original movement speed, you have to put off all speed booster item before type "-ms" command in DotA...

Based on the Hex Editor view, the inputs for Group Search would be something like this:
Image

Now, with simillar way i maxed out Rhasta movement. And here’s the screen-shot result:
Image

Since Rhasta original movement speed is 275, the values input for group search was: 0 0 275 1 0 0. Then i simply changed the address of value 275.00 with 1000.00.
But, no matter how high you change the speed value, the max speed is limited to 522.

Heroes Base Movement Speed in DotA is a static value. No matter what speed boosting equipment you have, the value remains the same. Thanks to Group Search so we can search the value address in single step...

Can you imagine that you have to search value 275.00 float and sub-search for the same value just to obtain your movement speed address ?.. It’s more likely that the game is over before you find the address...
.. to boldly go where no eagle has gone before...
User avatar
WhiteHat
Elang Djawa
 
Posts: 1059
Joined: Fri Jul 21, 2006 12:49 pm
Location: Away for a while...

Postby WhiteHat » Fri May 02, 2008 10:48 am

Hacking ATTACK RANGE, ATTACK SPEED and ATTACK DAMAGE

Obtaining attack range address is easy: Use any heroes with ability to alter their attack range.

First time i did this, i used Dwarven Sniper. His Take Aim ability was very helpful since it change Kardel’s attack range gradually..

But, again, we can’t use standard Data-Type Search and Sub-Search for Attack Range since most heroes have static attack range. So, we’re gonna use Group Search.

Before we begin, we have to know how to obtain the value of our attack range. There are two ways in DotA:
- Hovering your mouse pointer to the Attack Icon, below your EXP bar.
- Read the Attack Range value in Heroes brief description before you choose them.
Please note that you can only use the 2nd option to obtain attack range for Melee Heroes...

Now that i found the address of Kardel’s Attack Range. Next thing to do is ALWAYS study the values arround it...

After several trial with various heroes, i managed to make the Group Search pattern base on this hex-editor:
Image

So the Group Search would be like this:
Image

Hero’s Attack Speed and Attack Damage addresses are just a few hundreds bytes before Attack Range address like shown in this Hex Editor:
Image
In above picture:
- Attack Range = 605.00 float (0x44174000)
- Awareness Range = 800.00 float (0x44480000)
- Attack Speed = 1.21 float (0x3F9AE147)
- Attack Damage = 34 Unsigned Long (0x00000022)
I got that values by clicking each address and check the value in Conversions Tab of Helper Window...

Note that for Attack Damage, the value shown in game slightly differ in Hex Editor. However, it is the right address...

Finally, we can make the table regards these attacking things:
Image

I used above method to hack Elazor's Attack Range and Attack Damage, enabled him to destroy scourge tower out-range of the tower itself...
Image
Pay attention to the range from where Elazor destroy the tower (the gold he gained confirm that he is the one who destroy the tower)...


This conclude my tutorial series of Hacking DotA Heroes. There are still lot things to hack though, so we can’t just stop here...

Feel free to ask anything related to this tutorial. I’ll do my best to answer them... Also, feel free to make any corrections should there are any..

I have to apologize for using a lot of pictures due my bad English... I humbly hope that these tutorial would be useful..

Have fun... Peace... :)

-WhiteHat-
.. to boldly go where no eagle has gone before...
User avatar
WhiteHat
Elang Djawa
 
Posts: 1059
Joined: Fri Jul 21, 2006 12:49 pm
Location: Away for a while...

Awesome!

Postby GlowSplint » Fri May 02, 2008 4:32 pm

Awesome man! Whitehat you rock! The screenshots and length of these tutorials shows how much effort you have put into these tutorials! Awesome!

*Applause for Whitehat*

<Gets cracking>

Yes I know I am a noob...but I have a few noobie questions to clarify.

Do these addresses change every time you restart Dota but choose the same hero?

How do you know that the value of Anub'seran with Shukuchi mode on be 11.00 float and with it off 01.00 float? I thought that the value for maximum speed in dota would be 522, so logically I should search for 522?

Is it plausible to search for armor : Invulnerable?

<Lots more questions but no time to type it out (Exam are, well on 6th May to 9th May)>

Ok. Thanks WhiteHat for the tutorial. Indeed, it was USEFUL. --> Dota will never be the same again...

EDIT: I'm such a noob that I play more often offline than online. So, in my case, yes, DotA will never be the same again.
Last edited by GlowSplint on Fri May 02, 2008 7:44 pm, edited 1 time in total.
Image

I tend to capitalise my words towards the end. LoL.
GlowSplint
NULL
 
Posts: 158
Joined: Sat Mar 29, 2008 6:33 pm
Location: Singapore

Postby Sychotix » Fri May 02, 2008 5:04 pm

ill post some static pointers when i get home... apparently you guys dunno how to do searches =P
Sychotix
Been Around
 
Posts: 239
Joined: Wed Mar 05, 2008 4:28 am

Re: Awesome!

Postby WhiteHat » Fri May 02, 2008 5:59 pm

GlowSplint wrote:... Dota will never be the same again...

I have a feeling that you’re gonna try them On-Line...

In case you are, then i am very sorry to say that these hacks are for single
player only. Yes, you’re the only human among bots... I only hope that i can
share my enthusiasm of utilizing Group Search since it is a unique feature
of MHS and i’ve been using it for quite a while...

I haven’t try these hacks in multiplayer/online. But i have a strong feeling
that they won’t work in those modes... You can try them yourself if you want.
But please be careful of the risk...

Sorry again...


GlowSplint wrote:Do these addresses change every time you restart Dota but choose the same hero?

Most likely... But that would be not much a problem if we know the pattern
of how values are stored in memory. We can use Group Search to get any
address in (mostly) single step searching.


GlowSplint wrote:How do you know that the value of Anub'seran with Shukuchi mode on be 11.00 float and with it off 01.00 float? I thought that the value for maximum speed in dota would be 522, so logically I should search for 522?

It was a basic Data-Type Search and Sub-search, with Same as Original
option checked.

When Anub’seran does Shukuchi, i searched for unknown Unsigned Long.
When Shukuchi worn out, i Sub-Searched for different from before.
Another Shukuchi, i sub-searched for Same as Original...
...
Repeated these steps until i get the result that conclude:
- Shukuchi ON = 11.00 float
- Shukuchi OFF = 01.00 float


GlowSplint wrote:Is it plausible to search for armor : Invulnerable?

Yes it is...

In fact, there are unlimited ways to make your Hero invincible. To name a
few of them:
- Boost up hero’s health regeneration rate
- Boost up hero’s max manna
- Boost up hero’s armor
- Nullifies enemy’s attack damage
- etc...


GlowSplint wrote:<Lots more questions but no time to type it out (Exam are, well on 6th May to 9th May)>

Good luck with your exam... ;)


Sychotix wrote:ill post some static pointers when i get home... apparently you guys dunno how to do searches =P

Please do so... I’ll gladly learn it from you.
I’ve failed searching on those values static pointer but resources values...
Players Gold Complex Addresses

However, i believe that i said in the early part of my tutorial here that we’ll
focus on Group Search..
.. to boldly go where no eagle has gone before...
User avatar
WhiteHat
Elang Djawa
 
Posts: 1059
Joined: Fri Jul 21, 2006 12:49 pm
Location: Away for a while...

Postby Lobbie » Fri May 02, 2008 7:18 pm

Whitehat,

No no no, your english is not bad at all. Your explanations and pics spoke a million words. Although I dont plan DotA, I certainly learn't some important concepts and techniques here. Good stuff mate. Great job done!

Cheers,
Lobbie
Lobster in Szechuan sauce, Baked Lobster in Cheese, Lobster in Ginger and Shallot....YUM!

ImageImage
By JB Gzn & emocore

Muahahaha...I am the LobsterMaster...Muahahaha
Image
User avatar
Lobbie
Been Around
 
Posts: 286
Joined: Fri Mar 07, 2008 7:56 pm
Location: Australia

Re: Awesome!

Postby Sychotix » Sat May 03, 2008 7:22 am

Whitehat wrote:
Sychotix wrote:ill post some static pointers when i get home... apparently you guys dunno how to do searches =P

Please do so... I’ll gladly learn it from you.
I’ve failed searching on those values static pointer but resources values...
Players Gold Complex Addresses

However, i believe that i said in the early part of my tutorial here that we’ll
focus on Group Search..


http://www.sendspace.com/file/0fnyhk

There. I only posted purple to stop leechers from abusing this. Have fun =P
Sychotix
Been Around
 
Posts: 239
Joined: Wed Mar 05, 2008 4:28 am

Re: Awesome!

Postby WhiteHat » Sat May 03, 2008 9:38 am

Sychotix wrote:http://www.sendspace.com/file/0fnyhk

There. I only posted purple to stop leechers from abusing this. Have fun =P


Thanks for sharing... =)

There’s something unmatched with my pointer finding though:
For EXP address:
- your offset for 1st layer pointer is 0x120
- my offset for 1st layer pointer is 0x8C

I used MHS “Find What Accesses this Address” on EXP address, ran the game for about 1 hour and the Auto-Hack found these:
MOV EAX, DWORD PTR [EAX+8C]
ADD DWORD PTR [ESI+8C], EAX
MOV EBX, DWORD PTR [ESI+8C]
... etc


Those were the code which accessed my EXP address, and none of them has a [(register)+120] in it...

However, i’ve tried your offset (+0x120) anyway:
- My EXP address was 0x0ACD0120. So, if the offset is 0x120, then the pointer should be at 0x0ACD0000 right ?
- I put address 0x0ACD0000 into the table and apply “Find What Accesses this Address” to it...
- Got back to DotA and tried to gain some EXP
- The result of AutoHack for address 0x0ACD0000 was still empty...
That time i assume that your complex address is not working for me (but i believe there is some reason for that such as different WC3 version..)

I have to admit that my knowledge of finding static pointer is very limited. Only few static pointers i made are working for many games...
None of my reply here intended to offend you. I’m just trying to share my thought and hope to learn something from you...

So, if you would share on how you find that static pointer / complex address, that would be much appreciated...

Thanks..


Lobbie wrote:Whitehat,

... Although I dont plan DotA, I certainly learn't some important concepts and techniques here...

Thanks... that’s my true intention.

It’s true that the game in this tutorial is Warcraft 3 but i believe, for
more or less, Group Search is very very useful for finding addresses
(and it does much more than that, for sure) for all PC games...
Last edited by WhiteHat on Sat May 03, 2008 9:53 am, edited 1 time in total.
.. to boldly go where no eagle has gone before...
User avatar
WhiteHat
Elang Djawa
 
Posts: 1059
Joined: Fri Jul 21, 2006 12:49 pm
Location: Away for a while...

Postby Sychotix » Sat May 03, 2008 9:43 am

the offset is not 0x120. It is a multi-layer pointer which means there would be MANY offsets. It should also be the same since it goes all the way down to a wc3.exe address as the base.

try using the "pointer scan" option in order to find your pointers =P
Sychotix
Been Around
 
Posts: 239
Joined: Wed Mar 05, 2008 4:28 am

Postby WhiteHat » Sat May 03, 2008 10:37 am

I’ve managed to build a list of Players Gold here. (please take a look for it)..
And as far as i know the base address is not within war3.exe but game.dll
module. So, at the first place, i pre-assumed that other base pointers lies
within that module...

And you mentioned about “pointer scan”. Sounds great... I’ve tried searching
that feature within MHS app or help file, but i didn’t find it. I must have missed
something obviously...
.. to boldly go where no eagle has gone before...
User avatar
WhiteHat
Elang Djawa
 
Posts: 1059
Joined: Fri Jul 21, 2006 12:49 pm
Location: Away for a while...

Postby emocore » Sat May 03, 2008 4:22 pm

good job this is real great tutorial on how we can maximizing the group search. im impressed with the ss and edited pic! and also the explanation. perfect 10.
User avatar
emocore
Been Around More
 
Posts: 380
Joined: Tue Feb 12, 2008 10:55 am
Location: Taman Kencana

Postby Sychotix » Sun May 04, 2008 2:50 am

there is a game.dll pointer to there but i figured it would not work with the pointer. I just traced it all the way to a static address.
Sychotix
Been Around
 
Posts: 239
Joined: Wed Mar 05, 2008 4:28 am

Next

Return to Tutorials

Who is online

Users browsing this forum: No registered users and 0 guests

cron