DOTA Players’ Gold: Complex Address (Back Tracing Pointer)


Postby Steiner » Sat Jul 12, 2008 11:20 pm

Can I use this complex address to write a trainer or something like it, to spy on a player's gold? If yes, how can I use it?

I code in C++. Is there any trick to using this with ReadProcessMemory()?


Greetz Tobi.
Steiner
I Ask A Lot Of Questions
 
Posts: 19
Joined: Thu Jul 10, 2008 7:17 pm

Postby Sychotix » Sat Jul 12, 2008 11:25 pm

If you can code, shouldn't you already know?
Sychotix
Been Around
 
Posts: 239
Joined: Wed Mar 05, 2008 4:28 am

Postby Steiner » Sun Jul 13, 2008 12:12 am

Hm, not really. I'm not sure how to use this complex address:
[[[[[[0x6FAA4178]+0x0C]+0x2A*0x08+0x04]+0x64]+0x08]+0x40]+0x78

Maybe you can tell me how to do it?


Greetz Tobi.

Postby Sychotix » Sun Jul 13, 2008 12:30 am

It's a pointer. It takes the value that is inside of 0x6FAA4178 and then adds 0x0C. Then it takes the value of whatever the address inside of there is and adds 0x2A*0x08+0x04 to it. It continues down the list until it gets to the end.

Postby Steiner » Sun Jul 13, 2008 12:59 am

I have tried it this way:

```cpp
DWORD dwPlayerRed_Gold = 0;
ReadProcessMemory( hProcess, (LPCVOID)(0x6FAA417C+((0x0C+(0x2A*0x08)+0x04+0x64+0x08+0x40+0x78))),(LPVOID)&dwPlayerRed_Gold, sizeof( DWORD ), 0 );
```

But it does not work. dwPlayerRed_Gold is always zero.
What is wrong?

EDIT:
Why does this complex address work only for DotA? So do I need to search for a complex address for each map?


Greetz Tobi.

Postby Sychotix » Sun Jul 13, 2008 1:16 am

I don't know anything about that. Also, I am pretty sure that the code you have is COMPLETELY wrong.

Pointers are a bit harder to define than a basic address =P... not to mention you removed all the "[" and "]" (probably because you were like "ZOMG IT WONT COMPILE!"). I am not even sure you defined the base address correctly... don't you have to add an "h" after it? -.-

From what I see in your code, you have no clue how a pointer works (even though I explained it clearly in my post above). You are just trying to add a bunch of things to the base address, which is completely wrong.

Postby Steiner » Sun Jul 13, 2008 2:27 am

Okay I got it!

I use the German version of Warcraft III - TFT ( v. 1.22 ), and here are all the Gold addresses for players 1 to 12:

```text
[[[[[[0x6FAA4178]+0x0C]+0x0002*0x08+0x04]+0x64]+0x08]+0x40]+0x78 //  1st Player
[[[[[[0x6FAA4178]+0x0C]+0x002A*0x08+0x04]+0x64]+0x08]+0x40]+0x78 //  2nd Player
[[[[[[0x6FAA4178]+0x0C]+0x0052*0x08+0x04]+0x64]+0x08]+0x40]+0x78 //  3rd Player
[[[[[[0x6FAA4178]+0x0C]+0x007A*0x08+0x04]+0x64]+0x08]+0x40]+0x78 //  4th Player
[[[[[[0x6FAA4178]+0x0C]+0x00A2*0x08+0x04]+0x64]+0x08]+0x40]+0x78 //  5th Player
[[[[[[0x6FAA4178]+0x0C]+0x00CA*0x08+0x04]+0x64]+0x08]+0x40]+0x78 //  6th Player
[[[[[[0x6FAA4178]+0x0C]+0x00F2*0x08+0x04]+0x64]+0x08]+0x40]+0x78 //  7th Player
[[[[[[0x6FAA4178]+0x0C]+0x011A*0x08+0x04]+0x64]+0x08]+0x40]+0x78 //  8th Player
[[[[[[0x6FAA4178]+0x0C]+0x0142*0x08+0x04]+0x64]+0x08]+0x40]+0x78 //  9th Player
[[[[[[0x6FAA4178]+0x0C]+0x016A*0x08+0x04]+0x64]+0x08]+0x40]+0x78 // 10th Player
[[[[[[0x6FAA4178]+0x0C]+0x0192*0x08+0x04]+0x64]+0x08]+0x40]+0x78 // 11th Player
[[[[[[0x6FAA4178]+0x0C]+0x01BA*0x08+0x04]+0x64]+0x08]+0x40]+0x78 // 12th Player
```


And so you can use the complex address in your trainer (coded in C++):

```cpp
#include <windows.h>
#include <cstdio>
#include <iostream>
using namespace std;

void EnableDebugPrivilege( ); // Enables SeDebugPrivilege so OpenProcess succeeds on more processes

// Reads one DWORD from the target process. Returns false when the address is unreadable,
// so a broken pointer chain is reported instead of silently continuing from a zero buffer.
bool ReadDword( HANDLE hProcess, DWORD dwAddress, DWORD &dwOut ) {
    SIZE_T bytesRead = 0;
    return ReadProcessMemory( hProcess, (LPCVOID)dwAddress, &dwOut, sizeof( DWORD ), &bytesRead )
        && bytesRead == sizeof( DWORD );
}

int main( int argc, char* argv[ ] ) {

    DWORD dwProcessID = 0;
    HANDLE hProcess = 0;

    printf( "Enter Warcraft III PID :  " );
    cin >> dwProcessID;
    cin.sync( );

    EnableDebugPrivilege( );

    // Only read access is needed; PROCESS_ALL_ACCESS grants far more than a reader requires.
    hProcess = OpenProcess( PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, 0, dwProcessID );
    if( !hProcess ) {

        printf( "\n\nUnable to open process handle! (error %lu)", GetLastError( ) );
        getchar( );
        return 0;
    }

    // [[[[[[0x6FAA4178]+0x0C]+0x0002*0x08+0x04]+0x64]+0x08]+0x40]+0x78
    // Each step reads the pointer stored at the current address, then adds the next offset.
    const DWORD dwOffsets[ ] = { 0x0C, ( 0x0002 * 0x08 ) + 0x04, 0x64, 0x08, 0x40, 0x78 };
    DWORD dwPlayerRed_Gold = 0;
    DWORD dwBuffer         = 0;
    DWORD dwCurrentAddress = 0x6FAA4178;
    bool  bChainOk         = true;

    for( int i = 0; i < 6 && bChainOk; ++i ) {
        bChainOk = ReadDword( hProcess, dwCurrentAddress, dwBuffer );
        dwCurrentAddress = dwBuffer + dwOffsets[ i ];
    }

    // The last address holds the value itself, not another pointer.
    if( !bChainOk || !ReadDword( hProcess, dwCurrentAddress, dwPlayerRed_Gold ) ) {
        printf( "\n\nReadProcessMemory failed (error %lu): the pointer chain could not be followed.", GetLastError( ) );
    } else {
        printf( "\n\nPlayer Red Gold : %lu", dwPlayerRed_Gold / 10 );
    }

    CloseHandle( hProcess );
    getchar( );
    return 0;
}

void EnableDebugPrivilege( ) {

    TOKEN_PRIVILEGES priv;
    HANDLE hToken = 0;
    LUID luid;

    // GetCurrentProcess( ) returns a pseudo-handle, which must not be passed to CloseHandle.
    if( !OpenProcessToken( GetCurrentProcess( ), TOKEN_ADJUST_PRIVILEGES, &hToken ) )
        return;

    // SE_DEBUG_NAME is the documented constant for "SeDebugPrivilege" and also builds with UNICODE defined.
    if( LookupPrivilegeValue( 0, SE_DEBUG_NAME, &luid ) ) {
        priv.PrivilegeCount = 1;
        priv.Privileges[0].Luid = luid;
        priv.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
        AdjustTokenPrivileges( hToken, FALSE, &priv, 0, 0, 0 );
    }
    CloseHandle( hToken );
}
```


Cheers Tobi.

Postby L. Spiro » Sun Jul 13, 2008 9:49 am

You really should just do this:

```cpp
#include <windows.h>

class CMemReader {
public :
    HANDLE m_hProc;
    // Reads one pointer-sized value. dwRet stays 0 if the read fails, so a broken
    // chain collapses to address 0 rather than to leftover stack contents.
    UINT_PTR GetExtDword( UINT_PTR dwAddress ) {
        UINT_PTR dwRet = 0;
        ReadProcessMemory( m_hProc, (LPCVOID)dwAddress, &dwRet, sizeof( UINT_PTR ), NULL );
        return dwRet;
    }
};


    // Read in Complex-Address format.
    // [[[[[[0x6FAA4178]+0x0C]+0x0002*0x08+0x04]+0x64]+0x08]+0x40]+0x78
    CMemReader mrRdr;
    mrRdr.m_hProc = hProcess;
    UINT_PTR dwVal = mrRdr.GetExtDword( mrRdr.GetExtDword( mrRdr.GetExtDword( mrRdr.GetExtDword( mrRdr.GetExtDword( mrRdr.GetExtDword( 0x6FAA4178 )+0x0C )+0x0002*0x08+0x04 )+0x64 )+0x08 )+0x40 )+0x78;
    // One more to get the value there.
    dwVal = mrRdr.GetExtDword( dwVal );
```


Although the line of code that processes the complex address looks long and complex, it can be made simply by replacing “[” with “mrRdr.GetExtDword( ” and “]” with “)”, so the conversion is reliable and easy to make.


Sychotix wrote:I am not even sure you defined the base address correctly... don't you have to add an "h" after it?

No. My parser is magic. You can use 0x OR h to define a hexadecimal number, plus it recognizes hex-formatted numbers even if they have neither.


L. Spiro
Our songs remind you of songs you’ve never heard.
 
Posts: 3129
Joined: Mon Jul 17, 2006 10:14 pm
Location: Tokyo, Japan
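
Sychotix's step-by-step description of the pointer chain and L. Spiro's bracket-to-GetExtDword substitution are the same mechanical evaluation. As an added example (not code from this thread or from MHS), here is a small C++ evaluator for the `[ ]`, `+`, `*` and hex-literal subset of the notation used in this thread, run against a constructed memory image instead of a live process. The read callback, every mapped address and the stored value 12340 are invented for the demonstration.

```cpp
#include <cstdint>
#include <cstdlib>
#include <map>
#include <stdexcept>
#include <string>

// Reads the DWORD at addr; false if unreadable. A live tool would wrap ReadProcessMemory here.
typedef bool (*ReadFn)(uint32_t addr, uint32_t &out);

// Evaluates MHS "complex address" notation, e.g. [[[0x6FAA4178]+0x0C]+0x2A*0x08+0x04]+0x64:
// every [...] is one dereference through the read callback, '+' and '*' work as in C, and a
// failed read anywhere in the chain throws instead of silently continuing from address 0.
class ComplexAddress {
public:
    ComplexAddress(const std::string &s, ReadFn r) : s_(s), read_(r) {}
    uint32_t Resolve() {  // returns the final address, not the value stored there
        pos_ = 0; uint32_t v = Expr();
        if (Peek() != '\0') throw std::runtime_error("trailing input"); return v;
    }
private:
    char Peek() const { return pos_ < s_.size() ? s_[pos_] : '\0'; }
    uint32_t Expr() { uint32_t v = Term(); while (Peek() == '+') { ++pos_; v += Term(); } return v; }
    uint32_t Term() { uint32_t v = Factor(); while (Peek() == '*') { ++pos_; v *= Factor(); } return v; }
    uint32_t Factor() {
        if (Peek() == '[') {  // bracketed sub-expression: evaluate it, then dereference it
            ++pos_; uint32_t inner = Expr(), out = 0;
            if (Peek() != ']') throw std::runtime_error("unbalanced bracket"); ++pos_;
            if (!read_(inner, out)) throw std::runtime_error("pointer chain broken: unreadable address");
            return out;
        }
        char *end = nullptr;  // hex literal; strtoul takes "0x2A" and bare "2A" (no 'h' suffix form)
        unsigned long v = std::strtoul(s_.c_str() + pos_, &end, 16);
        if (end == s_.c_str() + pos_) throw std::runtime_error("expected hex number");
        pos_ = end - s_.c_str(); return (uint32_t)v;
    }
    std::string s_; ReadFn read_; size_t pos_ = 0;
};

// Constructed memory image (not a game dump): every hop of the Red-player gold chain is mapped.
static const std::map<uint32_t, uint32_t> kMem = {
    {0x6FAA4178, 0x00400000}, {0x0040000C, 0x00500000}, {0x00500014, 0x00600000}, {0x00600064, 0x00700000},
    {0x00700008, 0x00800000}, {0x00800040, 0x00900000}, {0x00900078, 12340}};  // gold*10, hence the /10
static bool FakeRead(uint32_t a, uint32_t &out) { auto it = kMem.find(a);
    if (it == kMem.end()) return false; out = it->second; return true; }
// Resolves a chain against the image, then reads the DWORD at the final address.
uint32_t ReadValue(const std::string &chain) {
    uint32_t addr = ComplexAddress(chain, FakeRead).Resolve(), val = 0;
    if (!FakeRead(addr, val)) throw std::runtime_error("final address unreadable");
    return val;
}
```

Swapping FakeRead for a ReadProcessMemory wrapper is the only change needed for a live process; the exceptions are the point, since a failed hop surfaces as an error instead of the silent zero reported earlier in the thread.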

Postby Sychotix » Sun Jul 13, 2008 11:34 am

Yeah, but I think he's creating a trainer on his own =P And yeah, I noticed that your program recognizes when it's hex. It's pretty nifty =D I can't stand using Cheat Engine anymore since I found your program =D

EDIT: Also, is that C++? I may use it in the DLL I am creating (I am a noob coder, but thanks to a friend of mine I have a DLL skeleton, so I am good for now... I mainly used the __asm{ } function, but I heard it uses more CPU than your using that function and another function like it).

Postby L. Spiro » Sun Jul 13, 2008 4:17 pm

Yes it is ASM and no it does not use more CPU time whether you are using C, C++, or ASM.


L. Spiro
Our songs remind you of songs you’ve never heard.

Postby Steiner » Sun Jul 13, 2008 5:56 pm

L. Spiro, could you tell me some good methods to search for in-game functions and static addresses? I have tried this back tracing method to search for the player's current health, but about 100 addresses pop up; there must be a better way?

I hope you can tell me some of your methods for hacking games ( like Warcraft III ;) )


Greetz Tobi.

Postby WhiteHat » Sun Jul 13, 2008 11:13 pm

Steiner wrote:Why this complex address works only for dota? So I need to search for each map a complex address ?


Not really... they work for Warcraft 3 TFT:

Red Player’s gold:
[[[0x6F87D7BC]+0xC]+((1-1)*0x140)+0x14]+0x78

Red Player’s lumber:
[[[0x6F87D7BC]+0xC]+((1-1)*0x140)+0x14]+0x78+0x80

Red Player’s Max Food:
[[[0x6F87D7BC]+0xC]+((1-1)*0x140)+0x14]+0x78+0x180

Which means that the addresses for Lumber and Max Food are several bytes away from the one for gold.
.. to boldly go where no eagle has gone before...
WhiteHat
Elang Djawa
 
Posts: 1059
Joined: Fri Jul 21, 2006 12:49 pm
Location: Away for a while...

Postby Steiner » Mon Jul 14, 2008 11:43 pm

Spirooooooo tell me please your secrets :)

Postby L. Spiro » Thu Jul 17, 2008 8:59 am

I have no secrets.
I use this method in conjunction with regular debugging and Auto-Hack.
By stepping through the code, no matter how complex, you can eventually trace back to the start and figure out the pointer trail. If searching gives you too many results, debug.


L. Spiro
Our songs remind you of songs you’ve never heard.

Postby Steiner » Fri Jul 18, 2008 2:40 am

L. Spiro wrote:I use this method in conjunction with regular debugging and Auto-Hack.


Hm, but you can't attach a debugger ( e.g. Olly ) when you already use the Auto-Hack in MHS. How should they work together?


Greetz Tobi.
