DOTA Players’ Gold: Complex Address (Back Tracing Pointer)

Postby L. Spiro » Sat Feb 28, 2009 7:07 am

It is a linked list. You will have to repeat that pattern for as many objects as there are in the list, which could be thousands.

There is no other way to follow the pointer trail to the base, or from the base to the target, unless there is something very special about your target address that could cause it to be stored as another pointer set elsewhere.
Only your player and a few other types of objects would have this property. If your object is a random object, your only option is to follow the repeating pointers.


L. Spiro
Our songs remind you of songs you’ve never heard.

Postby Aspras » Sat Feb 28, 2009 4:44 pm

Does that mean that I'll reach an end if I continue this?

Postby Explicit » Sat Feb 28, 2009 6:06 pm

Yes, eventually.
Nothing is impossible, just implausible

Postby Aspras » Sat Feb 28, 2009 7:13 pm

I guess there's no point in trying to find the pointer this way. Is there any other way to find the base pointer?


Postby SpeedWing » Sat Feb 28, 2009 9:18 pm

Try other base addys. That is my only advice, and lol nice loops :p.

Postby Aspras » Sat Feb 28, 2009 10:02 pm

L. Spiro wrote: It is a linked list. You will have to repeat that pattern for as many objects as there are in the list, which could be thousands.

There is no other way to follow the pointer trail to the base, or from the base to the target, unless there is something very special about your target address that could cause it to be stored as another pointer set elsewhere.
Only your player and a few other types of objects would have this property. If your object is a random object, your only option is to follow the repeating pointers.


L. Spiro


The object is my hero's Gold, so I take it no one has found its base pointer with patch 1.22a.

Postby WhiteHat » Sun Mar 01, 2009 8:16 pm

I have to agree with this:
SpeedWing wrote: Try other base addys. That is my only advice, and lol nice loops :p.


@Aspras
Actually, the complex address used here in this tutorial is the one which works. There were actually 2 more pointer trails which led me to the same ‘looping’ complex addresses like yours. So I put the one which works in the tutorial.

And I quite believe that the complex address for GOLD in version 1.22a is quite similar...

Also, you may want to mix this back-tracing method with the one from josese’s tutorial about complex addresses. The mix of both methods has helped me obtain complex addresses for ZUMA Deluxe...
.. to boldly go where no eagle has gone before...

Postby Aspras » Sun Mar 01, 2009 10:45 pm

I have tried all base addresses; the only one that brings it back to the address of gold is this one, which continues to loop. Besides, CE's pointer search found no static base pointers, so I don't see how someone would be able to get a static one. Also, I've read Josese's tutorial, though I don't understand why someone would want to use a ranged search when you know the exact address you want your pointer to be pointing at.

Postby WhiteHat » Mon Mar 02, 2009 2:44 pm

Some say that CE’s pointer search works in some (not every) cases. However, I’ve never managed to obtain even a single working pointer trail (complex address) out of it. The trail works once, but no more in the next session...

The method in josese’s tutorial is very useful (if not the only option) to obtain complex addresses in games which restrict us from debugging them. However, like I said, the mix of the two methods allowed me to find some complex addresses in Zuma... Here’s the case (illustration):
From the back-tracing method, I got this complex address: [[[pointer]+offset3]+offset2]+offset1. That was when the back-tracing for [pointer] started to loop like you’ve encountered... So I decided to use a ranged search (like the one in josese’s tut) for [pointer], and soon after that I got the working complex address: [[[module.exe+offset4]+offset3]+offset2]+offset1. The value of offset4 is the one I couldn’t find with the back-tracing method... Thanks to josese’s method, the complex addresses now work perfectly...

When I wrote my tut about the MHS Injection Manager for ZUMA, I said that I wasn’t able to obtain its complex address. And it’s true, because I tried to stick with this back-tracing method...

Anyway, now I’m curious about WarCraft3 version 1.22... Perhaps I’ll upgrade later when I get the time...

Postby Aspras » Mon Mar 02, 2009 4:41 pm

Hmm, I'll try to get down to level 3 with back-tracing and then will try josese's method on w3. I've also tried code injection, but the game always crashes on me.

Postby WhiteHat » Tue Mar 03, 2009 8:49 am

I’ve just patched my WarCraft 3 to version 1.22.0.6328...

I used very much the same step-by-step (almost like copy and paste!) as the previous one and managed to obtain these:

Code:
Complex Addresses for GOLD:
============================================================================
Player #01 (Red)        : [[["Game.dll"+0xAA4178]+0xC]+(0x002*0x8)+0x4]+0x78
Player #02 (Blue)       : [[["Game.dll"+0xAA4178]+0xC]+(0x02A*0x8)+0x4]+0x78
Player #03 (Aquamarine) : [[["Game.dll"+0xAA4178]+0xC]+(0x052*0x8)+0x4]+0x78
Player #04 (Purple)     : [[["Game.dll"+0xAA4178]+0xC]+(0x07A*0x8)+0x4]+0x78
Player #05 (Yellow)     : [[["Game.dll"+0xAA4178]+0xC]+(0x0A2*0x8)+0x4]+0x78
Player #06 (Orange)     : [[["Game.dll"+0xAA4178]+0xC]+(0x0CA*0x8)+0x4]+0x78
Player #07 (Green)      : [[["Game.dll"+0xAA4178]+0xC]+(0x0F2*0x8)+0x4]+0x78
Player #08 (Pink)       : [[["Game.dll"+0xAA4178]+0xC]+(0x11A*0x8)+0x4]+0x78
Player #09 (Grey)       : [[["Game.dll"+0xAA4178]+0xC]+(0x142*0x8)+0x4]+0x78
Player #10 (Cyan)       : [[["Game.dll"+0xAA4178]+0xC]+(0x16A*0x8)+0x4]+0x78
Player #11 (Dark Green) : [[["Game.dll"+0xAA4178]+0xC]+(0x192*0x8)+0x4]+0x78
Player #12 (Brown)      : [[["Game.dll"+0xAA4178]+0xC]+(0x1BA*0x8)+0x4]+0x78
============================================================================

You can use these to spy on your opposing players’ gold in multiplayer mode, or to make them rich/poor in single player mode...

I’ve tested these twice and they work perfectly. Haven’t tried them on another PC yet, though...

Hope these work for you guys (and ladies, if there are any)...

:)
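As an added example (not code from this thread or from MHS), here is a small evaluator for complex addresses in the notation of the table above, run against a constructed memory snapshot laid out the way the table implies: one static pointer in Game.dll, a +0xC field pointing at an array of 8-byte slots, and gold at +0x78 in each player object. The Game.dll base, the pointer values and the gold amounts are invented; only the offsets come from the table.

```python
import re

# Evaluator for MHS-style complex addresses (added example, not MHS's own code):
# "[x]" reads the DWORD at x, "Module" is that module's load base, + and * are arithmetic.
TOKEN = re.compile(r'\s*(0x[0-9A-Fa-f]+|\d+|"[^"]+"|[\[\]()+*])')

def resolve(expr, read32, modules):
    toks, pos = TOKEN.findall(expr), [0]
    def take(expected=None):
        tok = toks[pos[0]]; pos[0] += 1
        if expected and tok != expected:
            raise ValueError("expected %s in %r" % (expected, expr))
        return tok
    def atom():
        tok = take()
        if tok == "[":                      # one pointer dereference
            inner = sum_(); take("]"); return read32(inner)
        if tok == "(":
            inner = sum_(); take(")"); return inner
        if tok.startswith('"'):             # "Game.dll" -> load base
            return modules[tok.strip('"')]
        return int(tok, 0)
    def product():
        v = atom()
        while pos[0] < len(toks) and toks[pos[0]] == "*":
            take(); v *= atom()
        return v
    def sum_():
        v = product()
        while pos[0] < len(toks) and toks[pos[0]] == "+":
            take(); v += product()
        return v & 0xFFFFFFFF
    value = sum_()
    if pos[0] != len(toks):
        raise ValueError("unparsed tail in %r" % expr)
    return value
# Constructed snapshot shaped like the table: static pointer in Game.dll, an object whose
# +0xC field points at an 8-byte-stride slot array, one player object per slot, gold at +0x78.
MODULES = {"Game.dll": 0x6F000000}                  # invented load base
MEM = {0x6FAA4178: 0x1E500000, 0x1E50000C: 0x18610000}
for player in range(1, 13):
    slot = 0x002 + 0x028 * (player - 1)             # 0x002, 0x02A, 0x052, ... 0x1BA
    obj = 0x20000000 + 0x1000 * player
    MEM[0x18610000 + slot * 8 + 4] = obj
    MEM[obj + 0x78] = 500 * player                  # that player's (invented) gold

def gold_of(player):
    # Returns (address of the gold DWORD, value stored there) for player 1..12.
    slot = 0x002 + 0x028 * (player - 1)
    addr = '[[["Game.dll"+0xAA4178]+0xC]+(0x%03X*0x8)+0x4]+0x78' % slot
    return resolve(addr, MEM.__getitem__, MODULES), resolve("[%s]" % addr, MEM.__getitem__, MODULES)
```

Reading an address the snapshot does not contain raises KeyError, which is the offline stand-in for an unreadable page in a live process.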

Postby Aspras » Tue Mar 03, 2009 12:42 pm

I recognise the address*8+4 offset; I've tried many times to get that offset to work in the past. My pointer was looking like this:

[address1 +(address*8+4)]+0x78

Using the expression evaluator, I checked whether it was pointing back to my gold's address or not, and it wasn't. I also tried adding "0x" in front of 8 and 4 (just in case it made any difference), but that wouldn't bring it back to my gold's address either :cry:
Btw, there's something I wanted to ask you, WhiteHat: at one point there are 2 addresses that pop up in the Auto Hack tab; they are both of the same type and have a register as an offset. Why do you take the first address's left register as the pointer and then the other address's second register as the offset? Why not take the first address's register on the right as part of the offset?

EDIT: I think I now do understand why you took the first address's register as the pointer and the second address's second register as the offset.


The first address will give you a correct EDX because that is the unique one in that address, though it has 2 EAXs and it would give you the first EAX's value, which is not the one we need. You saw that there's only 1 EAX in the second address, so you could be sure it would give you the correct EAX.
So, having understood why you did it that way, here is why I can't get that pointer to point back at my base pointer.



EDIT2:
Here's what I thought: since I don't know the offset but know the leftmost register and the address I want to get to (which in this case is the base pointer), I can subtract the leftmost register from the base pointer's address and get the offset. Then I could move on by finding a pointer to the leftmost register. Would this work?

EDIT3:
Woo, it worked! I found 2 different pointers for the purple slot.

[[[Game.dll+0xAA4178]+0xc]+0x3D4]+0x78
[[[Game.dll+0xAA417C]+0xc]+0x3D4]+0x78

Also found a pointer to the purple slot's damage stat.

[[Game.dll+0xA705FC]+0x1E4]+0xA0

Postby tiduswong » Wed Mar 04, 2009 9:22 pm

WhiteHat wrote:
Code:
Complex Addresses for GOLD:
============================================================================
Player #01 (Red)        : [[["Game.dll"+0xAA4178]+0xC]+(0x002*0x8)+0x4]+0x78
Player #02 (Blue)       : [[["Game.dll"+0xAA4178]+0xC]+(0x02A*0x8)+0x4]+0x78
Player #03 (Aquamarine) : [[["Game.dll"+0xAA4178]+0xC]+(0x052*0x8)+0x4]+0x78
Player #04 (Purple)     : [[["Game.dll"+0xAA4178]+0xC]+(0x07A*0x8)+0x4]+0x78
Player #05 (Yellow)     : [[["Game.dll"+0xAA4178]+0xC]+(0x0A2*0x8)+0x4]+0x78
Player #06 (Orange)     : [[["Game.dll"+0xAA4178]+0xC]+(0x0CA*0x8)+0x4]+0x78
Player #07 (Green)      : [[["Game.dll"+0xAA4178]+0xC]+(0x0F2*0x8)+0x4]+0x78
Player #08 (Pink)       : [[["Game.dll"+0xAA4178]+0xC]+(0x11A*0x8)+0x4]+0x78
Player #09 (Grey)       : [[["Game.dll"+0xAA4178]+0xC]+(0x142*0x8)+0x4]+0x78
Player #10 (Cyan)       : [[["Game.dll"+0xAA4178]+0xC]+(0x16A*0x8)+0x4]+0x78
Player #11 (Dark Green) : [[["Game.dll"+0xAA4178]+0xC]+(0x192*0x8)+0x4]+0x78
Player #12 (Brown)      : [[["Game.dll"+0xAA4178]+0xC]+(0x1BA*0x8)+0x4]+0x78
============================================================================

You can use these to spy on your opposing players’ gold in multiplayer mode, or to make them rich/poor in single player mode...



How to spy on my opposing player using these addys?

Nice? No glue or anything, normally built up using a pair of hands. vvv

I'm not a leecher and not gonna be one of them, noob!!!

Skill and Hack is the best!^^

Sorry For My Bad Memory =.=

Tidus.W

L. Spiro wrote: bummybum, stop spamming/making useless posts.



L. Spiro

Postby Aspras » Wed Mar 04, 2009 10:19 pm

Suppose you're in a 1v1 and your opponent has the Cyan colour (player no. 10); this pointer will bring you to the address that holds your opponent's gold.

Player #10 (Cyan) : [[["Game.dll"+0xAA4178]+0xC]+(0x16A*0x8)+0x4]+0x78

Postby WhiteHat » Thu Mar 05, 2009 9:55 am

Aspras wrote: Here's what I thought: since I don't know the offset but know the leftmost register and the address I want to get to (which in this case is the base pointer), I can subtract the leftmost register from the base pointer's address and get the offset. Then I could move on by finding a pointer to the leftmost register. Would this work?

Yes, it works just like you stated later...

In fact, that’s the only way you know to determine the base address (in this case, the leftmost register) if auto-hack returns only 1 code similar to that.

When you use ‘Find Out What Accesses This Address’ to address 0x18610164, and get this code:
Code:
MOV EAX, DWORD PTR [EDX+EAX*8+4]

it means that:
0x18610164 = [EDX+EAX*8+4]

then you can use the register values info (the bottom-most part of the auto-hack window) to do some calculation to determine those register values before the code executed...


Aspras wrote:Also found a pointer to the purple slot's damage stat.

What do you mean by “purple slot’s damage” here?
Sorry for asking, but I guess I use a different term for it...


tiduswong wrote:how to spy my opposing player using these addys?

Like Aspras said, you can put them into the MHS table or put them all in the Expression Evaluator in order, with one more pair of brackets added...

[[["Game.dll"+0xAA4178]+0xC]+(0x16A*0x8)+0x4]+0x78 = the address of Player 10 Gold
[[[["Game.dll"+0xAA4178]+0xC]+(0x16A*0x8)+0x4]+0x78] = the value in the address of Player 10 Gold
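The register-arithmetic step WhiteHat describes, as an added example (not MHS's own code, and not from this thread): parse the memory operand of the Auto Hack instruction, solve for the one register the instruction overwrote, and emit the offset term for that level of the complex address. The register values (EDX = 0x18610010, the loaded EAX) are constructed; only the instruction and the accessed address 0x18610164 come from the post.

```python
import re

# One back-tracing step (added example, not MHS's own code): from the memory operand
# Auto Hack shows and the register dump, recover the base register's value (the next
# address to back-trace) and the offset term for this level of the complex address.
OPERAND = re.compile(r'^([A-Z]{3})(?:\+([A-Z]{3})\*(\d+))?(?:\+(0x[0-9A-Fa-f]+|\d+))?$')

def operand_of(instruction):
    # 'MOV EAX, DWORD PTR [EDX+EAX*8+4]' -> 'EDX+EAX*8+4'
    m = re.search(r'\[([^\]]+)\]', instruction)
    if not m:
        raise ValueError("no memory operand in %r" % instruction)
    return m.group(1).replace(" ", "").upper()

def parse_operand(text):
    # 'EDX+EAX*8+4' -> ('EDX', 'EAX', 8, 4); the index*scale part is optional.
    m = OPERAND.match(text)
    if not m:
        raise ValueError("unsupported operand %r" % text)
    base, index, scale, disp = m.groups()
    return base, index, int(scale) if scale else 0, int(disp, 0) if disp else 0

def backtrace_step(operand, accessed, regs, unknown=None):
    # accessed == base + index*scale + disp. `regs` holds the dumped register values;
    # `unknown` names the register the instruction overwrote (EAX in MOV EAX,[EDX+EAX*8+4]),
    # whose pre-execution value is solved for. Returns (base_value, offset, index_value).
    base, index, scale, disp = parse_operand(operand)
    if unknown == base:                           # solve for the base register
        idx = regs[index] if index else 0
        base_val = accessed - idx * scale - disp
    elif index and unknown == index:              # solve for the index register
        base_val = regs[base]
        idx, rem = divmod(accessed - base_val - disp, scale)
        if rem or idx < 0:
            raise ValueError("accessed address is not base + n*%d + %d" % (scale, disp))
    else:
        base_val, idx = regs[base], (regs[index] if index else 0)
    if base_val + idx * scale + disp != accessed:
        raise ValueError("register values do not reproduce the accessed address")
    return base_val, accessed - base_val, idx

def offset_term(operand, idx):
    # Text to append to the complex address for this level, in the table's notation.
    _, index, scale, disp = parse_operand(operand)
    return "+(0x%03X*0x%X)+0x%X" % (idx, scale, disp) if index else "+0x%X" % disp

# Constructed values patterned on WhiteHat's post: the instruction accessed 0x18610164,
# EDX survived the instruction, EAX was overwritten by the loaded value.
INSTRUCTION = "MOV EAX, DWORD PTR [EDX+EAX*8+4]"
REGS_AFTER = {"EDX": 0x18610010, "EAX": 0x20002000}
```

With these inputs the solved index is 0x02A, so the level reads +(0x02A*0x8)+0x4 and the next address to back-trace is EDX's value, 0x18610010.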
