DOTA Players’ Gold: Complex Address (Back Tracing Pointer)


Postby WhiteHat » Sun Jun 29, 2008 6:26 pm

This tutorial is actually my answer to Felheart’s PM, and also a reply to his post:
viewtopic.php?p=21519&sid=516f450a9e620b4a3406584c100d11f9#21519

I have to say that my method is stupid: it takes a lot of effort, yet there is no guarantee of success. However, in the case of Warcraft 3 players’ gold (and other resources like lumber and food) this method is working, so I am going to post it anyway...

...

Here’s my step-by-step of constructing the Complex Address for Player #2’s gold address:

I started DOTA as the BLUE player, that is Player 2, and tried to find my gold address in MHS... My gold was 3500 when I found its address at 0x0F571410, which I then put in the MHS table.
For Complex Address purposes, I had to know how WarCraft 3 created the address. So the next thing to do was to apply “Find What Accesses This Address” to the gold address.

(picture 01)

The Auto-Hack window in the MHS Disassembler Helper would show nothing unless my gold was modified/accessed. To do this, I went back to the game and just waited for my gold to change...

After playing for some time, my gold had increased to 3508. About time to check the Auto-Hack window:

(picture 02)

Some codes that had just modified my gold address popped up...

In the picture above, I chose one of the codes to get the base pointer for my gold address, which then showed the register values in the field below them. From the code I chose, I could tell that the base pointer was stored in EDX and it was 0x0F571398...

I put a similar expression to [EDX+78] into the Expression Evaluator to see if the result was correct:

(picture 03)

Take a closer look at the Expression Evaluator window (lower-left part of the picture):
- Expression: 0x0F571398+0x78
- Result: 0x0F571410 --> This was equal to my gold address

So, I knew that:
- 0x0F571398 was the value of the base pointer that pointed to my gold address
- 0x78 was the offset of how far my gold address resides from the base pointer

The next step was to find out where in memory the base pointer value resided and whether the base pointer was a static one. To do that I had to search for addresses whose values were exactly the same as the previous base pointer (0x0F571398), so I utilized Pointer Search with Exact Value...

(picture 04)

MHS found 6 addresses whose values matched the base pointer of my gold address...

(picture 05)

I chose the last one and put it into my table so I could apply “Find What Accesses This Address” to it (the reason I chose the last address was because further experiments on the other addresses failed. I was lucky that there were only 6 addresses found instead of hundreds. That’s why I called this method stupid...)

Back to DOTA, I got my gold increased to 3524. Something had to have come up in the Auto-Hack window by then...

(picture 06a)

(picture 06b)

An ‘unusual’ ASM code came up... There were two registers within the brackets instead of the usual one: [Register+(Register*constant)+offset]

Which was the base pointer then?
A friend of mine told me that in almost any case, the base pointer value is the left-most register, while the other register has something to do with an array, e.g. reg value = 1 for player one, reg value = 2 for player two, etc... (well... I didn’t quite understand it, but it was working anyway. So I just accepted it...)

From those two pictures above, I got the register values:
- EDX = 0x18610010 (got it from the 1st ASM code)
- EAX = 0x2A (got it from the 2nd ASM code)

Then I tried the code in the Expression Evaluator, whose result was still my gold address:

(picture 07)

Allow me to give a simple explanation of the Complex Address so far:
- 0x18610010+(0x2A*8)+4 = 0x18610164 ---> This was the address whose value equals the base pointer to my gold address.
- [0x18610010+(0x2A*8)+4] = 0x0F571398 ---> This was the 1st layer base pointer to my gold address.

That means:
[0x18610010+(0x2A*8)+4]+0x78 = 0x0F571398+0x78 = 0x0F571410 ---> My gold address.

I just had my complex address for my gold address, but it was not over yet. Not until I found the static base pointer. So, the next thing to do was to repeat the above steps until I got the static base pointer and built the complex address out of it...

Moving on, I searched for any addresses whose value equals the last base pointer (0x18610010).

Like before, I used the Exact Value option of Pointer Search:

(picture 08)

and the result:

(picture 09)

Lucky me, there were only 3 addresses. That would narrow down my search... (luck is one of the best friends of beginners) :p

I chose the 2nd address for Auto-Hack, 0x094C00A4 (yes, the 2nd one was the only address which gave a good result later on). And this is the Auto-Hack window for it after my gold increased to 3532 in DOTA:

(picture 10)

I don’t think that I need to explain anything more, since it is a similar step to the steps before...

Next, I modified my complex address from the last one: changing the value of the base pointer to the address that contained it. That is, I changed 0x18610010 to [0x094C00A4], or more precisely from 0x18610010 to [0x094C0098+0x0C] (based on the ASM code in the Auto-Hack window).

(picture 11)

Apparently, I had not got the static pointer yet (the innermost base pointer was still in [register+offset] format), so I had to repeat the step...

I searched for addresses whose values equal the last base pointer (=0x094C0098) via pointer search.

(picture 12)

MHS found 2 addresses...

(picture 13)

I chose the 2nd one and applied “Find What Accesses This Address” to it.

(At this point, I didn’t have to switch to DOTA since some codes came up when I highlighted the address in the Auto-Hack window. Apparently, WarCraft 3 kept accessing this address even while it ran in the background)...

(picture 14)

There! The static base pointer address!
When we get an ASM code similar to MOV ESI, DWORD PTR [6F87D7BC], it means that the address within the brackets is a static address.

Next, the last step, was to modify the Complex Address in the Expression Evaluator...
The result was still intact: my gold address!

(picture 15)

The Complex Address for my gold address, starting with the static base pointer, was: [[[0x6F87D7BC]+0x0C]+0x2A*8+4]+0x78
That is a 3-layer pointer...

By the time I got to the step shown in picture 13, the found addresses should have been in green text, which means they are static addresses. However, when I redid the process to write this tutorial, that didn’t happen. So I just proceeded with the same steps as before... I dunno what’s wrong, but that does not really matter anyway...

Summary of finding the Complex Address of my gold address:

- 0x0F571410
- 0x0F571398+0x78 --> 0x0F571410
- [0x18610164]+0x78 --> 0x0F571410
- [0x18610010+(0x2A*8)+4]+0x78 --> 0x0F571410
- [[0x94C00A4]+(0x2A*8)+4]+0x78 --> 0x0F571410
- [[0x94C0098+0x0C]+(0x2A*8)+4]+0x78 --> 0x0F571410
- [[[0x6F87D7BC]+0x0C]+(0x2A*8)+4]+0x78 --> 0x0F571410

...

Through some experiments, I got Complex Addresses for each player’s gold:

Player 01: [[[0x6F87D7BC]+0x0C]+0x02*8+4]+0x78
Player 02: [[[0x6F87D7BC]+0x0C]+0x2A*8+4]+0x78
Player 03: [[[0x6F87D7BC]+0x0C]+0x52*8+4]+0x78
Player 04: [[[0x6F87D7BC]+0x0C]+0x7A*8+4]+0x78
Player 05: [[[0x6F87D7BC]+0x0C]+0xA2*8+4]+0x78
Player 06: [[[0x6F87D7BC]+0x0C]+0xCA*8+4]+0x78
Player 07: [[[0x6F87D7BC]+0x0C]+0xF2*8+4]+0x78
Player 08: [[[0x6F87D7BC]+0x0C]+0x11A*8+4]+0x78
Player 09: [[[0x6F87D7BC]+0x0C]+0x142*8+4]+0x78
Player 10: [[[0x6F87D7BC]+0x0C]+0x16A*8+4]+0x78
Player 11: [[[0x6F87D7BC]+0x0C]+0x192*8+4]+0x78
Player 12: [[[0x6F87D7BC]+0x0C]+0x1BA*8+4]+0x78

To make it easier to read, I modified the offsets of the 3rd layer pointer so that they correspond to player numbers:

Player 01: 0x02*8+4 -----> ((1-1)*0x140)+0x14
Player 02: 0x2A*8+4 -----> ((2-1)*0x140)+0x14
Player 03: 0x52*8+4 -----> ((3-1)*0x140)+0x14
Player 04: 0x7A*8+4 -----> ((4-1)*0x140)+0x14
Player 05: 0xA2*8+4 -----> ((5-1)*0x140)+0x14
Player 06: 0xCA*8+4 -----> ((6-1)*0x140)+0x14
Player 07: 0xF2*8+4 -----> ((7-1)*0x140)+0x14
Player 08: 0x11A*8+4 ----> ((8-1)*0x140)+0x14
Player 09: 0x142*8+4 ----> ((9-1)*0x140)+0x14
Player 10: 0x16A*8+4 ----> ((10-1)*0x140)+0x14
Player 11: 0x192*8+4 ----> ((11-1)*0x140)+0x14
Player 12: 0x1BA*8+4 ----> ((12-1)*0x140)+0x14

@Felheart: this is how there is a +0x14 in my complex address. It was just my own modification to make them easier to read, corresponding to the player’s number...
Example: 0x02*8+4 = ((1-1)*0x140)+0x14 = 0x14

So, my final Complex Addresses for each player’s gold in DOTA WarCraft 3 are:

Player 01: [[[0x6F87D7BC]+0xC]+((1-1)*0x140)+0x14]+0x78
Player 02: [[[0x6F87D7BC]+0xC]+((2-1)*0x140)+0x14]+0x78
Player 03: [[[0x6F87D7BC]+0xC]+((3-1)*0x140)+0x14]+0x78
Player 04: [[[0x6F87D7BC]+0xC]+((4-1)*0x140)+0x14]+0x78
Player 05: [[[0x6F87D7BC]+0xC]+((5-1)*0x140)+0x14]+0x78
Player 06: [[[0x6F87D7BC]+0xC]+((6-1)*0x140)+0x14]+0x78
Player 07: [[[0x6F87D7BC]+0xC]+((7-1)*0x140)+0x14]+0x78
Player 08: [[[0x6F87D7BC]+0xC]+((8-1)*0x140)+0x14]+0x78
Player 09: [[[0x6F87D7BC]+0xC]+((9-1)*0x140)+0x14]+0x78
Player 10: [[[0x6F87D7BC]+0xC]+((10-1)*0x140)+0x14]+0x78
Player 11: [[[0x6F87D7BC]+0xC]+((11-1)*0x140)+0x14]+0x78
Player 12: [[[0x6F87D7BC]+0xC]+((12-1)*0x140)+0x14]+0x78

Note: In my previous post, the static address changed to [module+offset] format (0x6F87D7BC = game.dll+0x87D7BC). But it didn’t happen that way when I wrote this tutorial (and I don’t know why. Perhaps because of a different version of WC3), so I just leave the static address as is...

This concludes my tutorial, which I hope answers Felheart’s PM...

I have to say that the method I used here is not good enough, since it does not always succeed. For example, I haven’t succeeded in finding the complex address for heroes’ health and mana in Warcraft 3 using this method (although I can say that they are very similar to the complex address for players’ gold!)...

I’m sure there are many better methods to find complex addresses, so I hope some would kindly share their methods...

Hope this tutorial helps at least a little. Any corrections are welcome... And I’m sorry for my English and late reply. Can’t go online much these days...
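The chain WhiteHat traces above, worked as an added example (not code from the post or from MHS): a small evaluator for MHS-style complex address expressions, run against a constructed memory snapshot that holds only the four dwords the chain walks through, using the addresses and values the post reports. The snapshot itself and the player_gold_expr helper are assumptions; evaluating the Player 1 form against the same snapshot shows how a broken layer surfaces as an unmapped read rather than as a plausible-looking address.

```python
import re
TOKEN = r"0x[0-9A-Fa-f]+|\d+|[\[\]()+\-*]"   # hex/decimal literals and operators

# Constructed snapshot: only the dwords the tutorial's chain touches, holding the
# values the post reports; 3500 is the author's gold when the address was found.
SNAPSHOT = {
    0x6F87D7BC: 0x094C0098,  # static pointer (game.dll+0x87D7BC in the post)
    0x094C00A4: 0x18610010,  # [0x094C0098 + 0x0C]
    0x18610164: 0x0F571398,  # [0x18610010 + 0x2A*8 + 4], Player 2's slot
    0x0F571410: 3500,        # [0x0F571398 + 0x78], the gold itself
}

def read_dword(addr):
    """Snapshot read; an unmapped address means the chain broke at that layer."""
    if addr not in SNAPSHOT:
        raise ValueError(f"unmapped read at 0x{addr:08X}")
    return SNAPSHOT[addr]

def resolve(expr, read=read_dword):
    """MHS-style complex address: [x] reads the dword at x, * binds before + and -."""
    if re.sub(TOKEN, "", expr).strip():
        raise ValueError(f"unexpected characters in {expr!r}")
    toks, pos = re.findall(TOKEN, expr) + [None], 0    # None marks end of input
    def take(expected=None):
        nonlocal pos
        tok = toks[pos]
        if tok is None or (expected and tok != expected):
            raise ValueError(f"expected {expected!r}, got {tok!r}")
        pos += 1
        return tok
    def total():                                # products joined by + / -
        value = product()
        while toks[pos] in ("+", "-"):
            op, rhs = take(), product()
            value = value + rhs if op == "+" else value - rhs
        return value
    def product():                              # atoms joined by *
        value = atom()
        while toks[pos] == "*":
            take()
            value *= atom()
        return value
    def atom():                                 # literal, (group) or [deref]
        tok = take()
        if tok == "[":
            addr = total() & 0xFFFFFFFF
            take("]")
            return read(addr)                   # one pointer layer
        if tok == "(":
            value = total()
            take(")")
            return value
        return int(tok, 0)
    value = total()
    if toks[pos] is not None:
        raise ValueError("unexpected trailing tokens")
    return value & 0xFFFFFFFF

def player_gold_expr(n):
    return f"[[[0x6F87D7BC]+0x0C]+(({n}-1)*0x140)+0x14]+0x78"  # the post's per-player form
```

Every line of the post's summary list evaluates to 0x0F571410 against this snapshot, and the same evaluator can be pointed at a real process by swapping read_dword for a live memory read.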

Re: DOTA Players’ Gold: Complex Address (...answering Felhea

Postby Turtle » Tue Jul 01, 2008 11:04 am

Amazing!! Looks like a lot of work.

Postby L. Spiro » Tue Jul 01, 2008 12:42 pm

This was the method I was going to tutorialize long ago when you were asking me to do that, Turtle.
So now you know, and now you have a tutorial.



Postby SunBeam » Tue Jul 08, 2008 6:37 pm

That's called back-tracing and the 'complex addresses' are multi-level pointers :) Before Cheat Engine could do it, we used to apply these manual methods. Nifty tutorial for beginners ;)

Postby Sychotix » Tue Jul 08, 2008 9:54 pm

Wow, SunBeam actually visits these forums? You should go download Wolfteam and unpack it (it's packed with Themida) so that I can bypass xtrap =P

Postby Explicit » Wed Jul 09, 2008 6:34 am

Hahaha.
Is that really SunBeam? :)

Postby Steiner » Thu Jul 10, 2008 7:21 pm

Hi Whitehat,
Good tutorial, but one question :) If I search for my gold address with MHS, I select "unsigned long", so far so good, but my gold count is 3500. Why can I only find the gold address when I search for 35000? Why 35000 and not 3500? Please tell me :)

Greetz Tobi.

Postby SunBeam » Thu Jul 10, 2008 10:38 pm

No offense, but every poorly-coded copy-cat MMORPG out there uses Themida to cover their noob coding up. Themida is a simple protector once you know how its INNER works. Most get scared by the amount of virtualization and emulated APIs..

No need to get off-topic :P Keep it on track..

Postby Sychotix » Thu Jul 10, 2008 10:58 pm

SunBeam wrote:No offense, but every poorly-coded copy-cat MMORPG out there uses Themida to cover their noob coding up. Themida is a simple protector once you know how its INNER works. Most get scared by the amount of virtualization and emulated APIs..

No need to get off-topic :P Keep it on track..


Offtopic: Wolfteam is an MMOFPS =P I have heard that Themida is a bitch to unpack and even my friend Juggalo/Jewbacca can't unpack it... not to mention me, who has no experience manually unpacking anything.

Steiner wrote:Hi Whitehat,
Good tutorial, but one question :) If I search for my gold address with MHS, I select "unsigned long", so far so good, but my gold count is 3500. Why can I only find the gold address when I search for 35000? Why 35000 and not 3500? Please tell me :)

Greetz Tobi.


To stay on topic... It must be encrypted then. Age of Conan does something similar with their mana/hp/stamina. It is behind an encryption method of x*100 and then it rounds up. For example, the value could be 123412 and your mana is 1235. It could be 123401 and your mana is still 1235. Now if it is 123400, your mana is 1234. Make sense?

Postby L. Spiro » Fri Jul 11, 2008 12:42 am

Fixed-point decimals != encryption. Read below.

And encrypting executables has nothing to do with how the game processes these decimals—such an obtrusive modification could not possibly be done reliably; executable encryptors guarantee run-time reliance, exceptions not owing to encryption itself.

They may, however, inject useless code that may end up multiplying values by 10 and juggling them around in various ways, but these values are never saved anywhere (you can not find them via searching) and all registers are backed up before and restored after these useless operations to guarantee once again that the packer has not in any way interfered with the executable it is packing.

Furthermore, these and some other packer-related features are macro’ed into the project when it compiles to generate special byte sequences that the packer can find to distinguish what it is allowed to do and where. That is, if the packer is allowed to modify some part of the code, the programmer has to use macros while coding the game to indicate which code it is allowed to modify and how.


Sychotix wrote:To stay on topic... It must be encrypted then. Age of conan does something similar with their mana/hp/stamina. It is behind and encryption method of x*100 and then it rounds up. For example, the value could be 123412 and your mana is 1235. It could be 123401 and your mana is still 1235. Now if it is 123400, your mana is 1234. Make sense?

This is not encryption. It is a newbie implementation of fixed-point decimals. It allows them to transparently keep track of your mana to a degree of 1/100th of a unit, which allows them to give you, for example, 0.5 mana points. This is done behind the scenes without the player knowing, but it is an important feature in many cases because it decreases rounding errors.
If they gave you 0.5 mana points twice but they only track your mana by units of one, you would have 1234 + 0.5 + 0.5 = 1234 (rounded down due to lack of precision). Whereas 123400 + 50 + 50 = 123500.

This is a newbie/simplified implementation. The correct implementation uses shifting of bits, not multiplication and division (due to speed). For example, on Nintendo DS, 1.0 equals 0x1000 (1 << 12). 1.5 equals 0x1800, etc. This gives them an accuracy of 1/4096th of a unit.


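The fixed-point scheme discussed in the two posts above, as an added example (not code from the thread or from any of the games mentioned): the hundredths scheme Sychotix saw, with the round-up display rule he reports, beside the Q12 shift scheme L. Spiro describes. The mana and regen values are constructed, and the function names are assumptions.

```python
SCALE = 100       # the "x*100" scheme Sychotix saw: mana tracked in hundredths
Q = 12            # the DS-style binary scheme L. Spiro describes: 1.0 == 1 << 12
ONE = 1 << Q      # 0x1000

def units_only_regen(mana, regen, ticks):
    """Naive tracking in whole units: a 0.5 regen tick truncates to 0 every time."""
    for _ in range(ticks):
        mana += int(regen)
    return mana

def hundredths_regen(mana, regen, ticks):
    """Tracking in hundredths, as the game does: 123400 + 50 + 50 == 123500."""
    stored = mana * SCALE
    for _ in range(ticks):
        stored += int(round(regen * SCALE))
    return stored

def displayed(stored):
    """HUD value for a hundredths figure with the round-up rule from the thread:
    123412 -> 1235, 123401 -> 1235, 123400 -> 1234 (ceiling division)."""
    return -(-stored // SCALE)

def to_q12(x):
    """Encode a real value as Q12 (1.0 -> 0x1000, 1.5 -> 0x1800)."""
    return int(round(x * ONE))

def from_q12(v):
    return v / ONE

def q12_mul(a, b):
    """Product of two Q12 numbers: the raw product has 2*Q fraction bits, so
    shift Q of them back out (a 64-bit intermediate in C; Python ints widen)."""
    return (a * b) >> Q

def q12_div(a, b):
    """Quotient of two Q12 numbers: pre-shift the dividend to keep Q fraction bits."""
    return (a << Q) // b
```

A scanner searching for the displayed value 1235 finds nothing because memory holds 123500; searching for the scaled value is what makes the address show up, which is the effect Steiner ran into with 3500 versus 35000.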

Postby Sychotix » Fri Jul 11, 2008 1:05 am

L. Spiro wrote:And encrypting executables has nothing to do with how the game processes these decimals—such an obtrusive modification could not possibly be done reliably; executable encryptors guarantee run-time reliance, exceptions not owing to encryption itself.

If you were talking about what we were saying about Themida, we were just talking off-topic. I know that SunBeam can unpack Themida, so I asked if he/she would unpack Wolfteam.exe (was almost sure that he/she wouldn't =P).

L. Spiro wrote:This is not encryption. It is a newbie implementation of fixed-point decimals.

Yeah, that sounds about like FunCom (creators of Age of Conan). Thanks for clearing that up! =D

Postby Steiner » Fri Jul 11, 2008 4:10 pm

Thank you for all this information.
But I have something to add, at Whitehat: your "stupid method" does not work ;)
I never got a success, so please, people, post some other methods of how to search for a complex address.


Greetz Tobi.

Postby Josese » Sat Jul 12, 2008 2:50 am

Steiner wrote:Thank you for all this information.
But I have something to add, at Whitehat: your "stupid method" does not work ;)
I never got a success, so please, people, post some other methods of how to search for a complex address.


Greetz Tobi.


If you are a "stupid kid", yes, this method never works, so please use the help file and find your own method.

Postby Steiner » Sat Jul 12, 2008 7:50 pm

Relax :) we are on the same team, hack0r xD
I tried your method again, Whitehat, and I was able to find the full complex address *YES!*

But one question... again, I know :)
Finally I have found two static addresses; here are the complete addresses
Code:
# First     - Player Red
[[[[[[0x6FAA4178]+0x0C]+0x2A*0x08+0x04]+0x64]+0x08]+0x40]+0x78

# Second - Player Blue
[[[[[[0x6FAA417C]+0x0C]+0x2A*0x08+0x04]+0x64]+0x08]+0x40]+0x78


Am I right when I say that the first static address (0x6FAA4178) is Player Red and the second (0x6FAA417C) is my gold address?
So am I right that 0x6FAA4178 is the head of all gold addresses, and when I want to read the next one I only need to add 0x04?

EDIT:
Okay, now I have the complex address, but how can I use it???
Greetz Tobi.

Postby Explicit » Sat Jul 12, 2008 9:04 pm

Modify Address -> Normal Address -> Complex
Write your Complex Address inside the open dialog and after you have completed that, tick "Use Complex Address (Overrides Simple)". Click "OK"!