DOTA Players’ Gold: Complex Address (Back Tracing Pointer)

Submit Tutorials Related to Memory Hacking Software

Moderators: g3nuin3, SpeedWing, WhiteHat, mezzo

Postby WhiteHat » Thu Mar 05, 2009 5:29 pm

Aspras wrote:Also found a pointer to the purple slot's damage stat.

[[Game.dll+0xA705FC]+0x1E4]+0xA0


So sorry for double post.. I can’t edit my previous one..

I tried the complex address into expression evaluator when in-game, it was
unobtainable.. The value at address Game.dll+0xA705FC was equal to zero..
.. to boldly go where no eagle has gone before...
User avatar
WhiteHat
Elang Djawa
 
Posts: 1059
Joined: Fri Jul 21, 2006 12:49 pm
Location: Away for a while...

Postby Aspras » Fri Mar 06, 2009 12:18 am

Thats the pointer to the purple player's damage address I had found, though a day after I realised that if you edit that value all of the AI heroes' damage changes as well, treants' too. So its not really working correctly though Game.dll+0xA705FC does not give me zero even now : / .
User avatar
Aspras
NULL
 
Posts: 100
Joined: Mon Jan 05, 2009 12:42 am

Postby WhiteHat » Fri Mar 06, 2009 12:50 pm

That’s quite strange....

[Game.dll+0xA705FC] returns 0 (zero) for me all the time..
But, that perhaps we’re playing different version of WC3 ?
.. to boldly go where no eagle has gone before...
User avatar
WhiteHat
Elang Djawa
 
Posts: 1059
Joined: Fri Jul 21, 2006 12:49 pm
Location: Away for a while...

Postby Aspras » Wed Mar 11, 2009 10:38 pm

I have the same version as yours.
User avatar
Aspras
NULL
 
Posts: 100
Joined: Mon Jan 05, 2009 12:42 am

Re: DOTA Players’ Gold: Complex Address (...answering Felhea

Postby Fishy » Sun Mar 15, 2009 11:50 am

So i was just trying this out and everything is working fine.

But i do not understand what you mean about
Whitehat wrote:From those two pictures above, i got the registers values:
- EDX = 0x18610010 (got it from the 1st ASM code)
- EAX = 0x2A (got it from the 2nd ASM code)


After picture 6a and 6b
Image
Image
Fishy
Sir Hacks-A-Lot
 
Posts: 37
Joined: Mon Jun 30, 2008 8:27 pm

Postby WhiteHat » Mon Mar 16, 2009 1:16 pm

Remember that I was doing auto-hack to address 0x18610164 and got those 2 codes (pic 6a and 6b):

Image

the result in Auto-Hack window as follows:

Here is pic 6a:
Image
from the highlighted code, we can’t easily determine the value of EAX since it was written after the code executed..
But we can determine the value of EDX from Registers Window below, which was 0x18610010..

In other word, the value of EAX in the Registers Window below was not the one we were looking for (false EAX)..

Here is pic 6b:
Image
from the highlighted code, we can’t easily determine the value of EDX since it was written after the code executed..
But we can determine the value of EAX from Registers Window below, which was 0x2A..

In other word, the value of EDX in the Registers Window below was not the one we were looking for (false EDX)..

Using those two codes and their registers info, we get the correct value of EDX and EAX:
0x18610164 = EDX+(EAX*0x8)+0x4
- EDX = 0x18610010
- EAX = 0x2A

0x18610164 = 0x18610010+(0x2A*0x8)+0x4
0x18610164 = 0x18610010+0x150+0x4
0x18610164 = 0x18610164
.. to boldly go where no eagle has gone before...
User avatar
WhiteHat
Elang Djawa
 
Posts: 1059
Joined: Fri Jul 21, 2006 12:49 pm
Location: Away for a while...

Postby Fishy » Mon Mar 16, 2009 8:06 pm

Ok i understand all of that now.. Thank you

Last part im stuck on is how you came up with the equation

EDX+(EAX*0x8)+0x4
Image
Image
Fishy
Sir Hacks-A-Lot
 
Posts: 37
Joined: Mon Jun 30, 2008 8:27 pm

Postby Aspras » Fri Mar 20, 2009 3:05 am

EDX+(EAX*0x8)+0x4 is a pointer. Breaking that pointer up you notice it is made up of an address with an offset added to it, EDX holds that address and (EAX*0x8)+0x4 is the offset.
User avatar
Aspras
NULL
 
Posts: 100
Joined: Mon Jan 05, 2009 12:42 am

Postby Fishy » Fri Apr 10, 2009 9:22 am

White-Hat you know the addresses since they patched it to 1.23?
Image
Image
Fishy
Sir Hacks-A-Lot
 
Posts: 37
Joined: Mon Jun 30, 2008 8:27 pm

Postby WhiteHat » Sat Apr 11, 2009 10:18 am

Haven’t patch to version 1.23 yet, cause i’ve been busy lately...
However, i’m quite sure that we only have to change the static base address, from any available complex addresses...

Example for gold value in ver 1.22:
Code: Select all
Player #01 (Red) : [[["Game.dll"+0xAA4178]+0xC]+(0x002*0x8)+0x4]+0x78


For version 1.23, we only need to replace the offset of "Game.dll"+0xAA4178, that is 0xAA4178 into some value else, so the complex address for version 1.23 will be something like this:
Code: Select all
Player #01 (Red) : [[["Game.dll"+(OffsetForVer1.23)]+0xC]+(0x002*0x8)+0x4]+0x78


The best way to do this probably is to use MHS Expression Search to find the Static Base Address...
.. to boldly go where no eagle has gone before...
User avatar
WhiteHat
Elang Djawa
 
Posts: 1059
Joined: Fri Jul 21, 2006 12:49 pm
Location: Away for a while...

Postby tkbnj » Thu Jun 04, 2009 12:43 am

L. Spiro wrote:Fixed-point decimals != encryption. Read below.

And encrypting executables has nothing to do with how the game processes these decimals—such an obtrusive modification could not possibly be done reliably; executable encryptors guarantee run-time reliance, exceptions not owing to encryption itself.

They may, however, inject useless code that may end up multiplying values by 10 and juggling them around in various ways, but these values are never saved anywhere (you can not find them via searching) and all registers are backed up before and restored after these useless operations to guarantee once again that the packer has not in any way interfered with the executable it is packing.

Furthermore, these and some other packer-related features are macro’ed into the project when it compiles to generate special byte sequences that the packer can find to distinguish what it is allowed to do and where. That is, if the packer is allowed to modify some part of the code, the programmer has to use macros while coding the game to indicate which code it is allowed to modify and how.


Sychotix wrote:To stay on topic... It must be encrypted then. Age of conan does something similar with their mana/hp/stamina. It is behind and encryption method of x*100 and then it rounds up. For example, the value could be 123412 and your mana is 1235. It could be 123401 and your mana is still 1235. Now if it is 123400, your mana is 1234. Make sense?

This is not encryption. It is a newbie implementation of fixed-point decimals. It allows them to transparently keep track of your mana to a degree of 1/100th of a unit, which allows them to give you, for example, 0.5 mana points. This is done behind the scenes without the player knowing, but it is an important feature in many cases because it decreases rounding errors.
If they gave you 0.5 mana points twice but they only track your mana by units of one, you would have 1234 + 0.5 + 0.5 = 1234 (rounded down due to lack of precision). Whereas 123400 + 50 + 50 = 123500.

This is a newbie/simplified implementation. The correct implementation uses shifting of bits, not multiplication and division (due to speed). For example, on Nintendo DS, 1.0 equals 0x1000 (1 << 12). 1.5 equals 0x1800, etc. This gives them an accuracy of 1/4096th of a unit.


L. Spiro


thanks, i understand fix point decimals but my question is, if ive never seen this thread, how will i know that the number is being represented in this way (3500 is in fixed point decimal rather than say unsigned long)? if they had juggled around with these numbers a bit more would we still be able to find these numbers? i apologize if these are newb questions.
tkbnj
I Have A Few Questions
 
Posts: 3
Joined: Fri May 29, 2009 3:41 am

Postby L. Spiro » Thu Jun 04, 2009 6:48 am

When you start off hacking a game you are not going to have any clue how they store what.

Health may be a decimal from 0 to 100 (Doom 3). Maybe it is a float from 0.0f to 1.0f (Perfect Dark/GoldenEye 007). Maybe it is a fixed-point number from 0000.0000 to 0001.0000.

It doesn’t matter what game it is or what format they use; you always start off not knowing the format and just taking guesses until you get it right.
For each failed search you generalize your search parameters even more. And again this is something you automatically do regardless of the format of their data.


With fixed-point data, you are likely going to fail several search attempts until you end of resorting to “Unknown” followed by “Decreased” and “Increased” until you find a number that, although strangely displayed, followed your health up and down.


When you notice the number is always “health × some number”, you have just realized that the value is fixed-point.



If they juggle around with the numbers a bit more (what does that mean?) then you will just find it later rather than sooner.
But there are only 3 formats games are ever going to use: Decimal, floating-point, and fixed-point.


L. Spiro
Our songs remind you of songs you’ve never heard.
User avatar
L. Spiro
L. Spiro
 
Posts: 3129
Joined: Mon Jul 17, 2006 10:14 pm
Location: Tokyo, Japan

Postby tkbnj » Tue Jun 16, 2009 1:24 am

thanks, that last post made a lot of sense

has anyone tried this successfully in 1.23? I keep running into that linked list loop. can you guys explain how you got around that again? i have tried josse's method with not much success.
tkbnj
I Have A Few Questions
 
Posts: 3
Joined: Fri May 29, 2009 3:41 am

Postby toffey » Wed Sep 23, 2009 4:57 am

Thank you so much for this tutorial. I've read it over plenty of times, but was constantly confused by the EAX and EDX you used. After reading through the thread again and your post at the top of this page I finally understand what you did.

This should prove quite useful, thanks WhiteHat! (And L. Spiro, and everyone else who has helped out on these forums)
User avatar
toffey
Hack-Master Hex
 
Posts: 689
Joined: Fri Sep 05, 2008 5:39 pm
Location: California, USA

Postby WhiteHat » Sat Oct 03, 2009 8:59 pm

WarCraft 3 version 1.24.1.6374, that is patch 1.24b English...

Code: Select all
Complex Addreses for GOLD:
============================================================================
Player #01 (Red)        : [[[0x6FACE5E0]+0xC]+(0x002*0x8)+0x4]+0x78
Player #02 (Blue)       : [[[0x6FACE5E0]+0xC]+(0x02A*0x8)+0x4]+0x78
Player #03 (Aquamarine) : [[[0x6FACE5E0]+0xC]+(0x052*0x8)+0x4]+0x78
Player #04 (Purple)     : [[[0x6FACE5E0]+0xC]+(0x07A*0x8)+0x4]+0x78
Player #05 (Yellow)     : [[[0x6FACE5E0]+0xC]+(0x0A2*0x8)+0x4]+0x78
Player #06 (Orange)     : [[[0x6FACE5E0]+0xC]+(0x0CA*0x8)+0x4]+0x78
Player #07 (Green)      : [[[0x6FACE5E0]+0xC]+(0x0F2*0x8)+0x4]+0x78
Player #08 (Pink)       : [[[0x6FACE5E0]+0xC]+(0x11A*0x8)+0x4]+0x78
Player #09 (Grey)       : [[[0x6FACE5E0]+0xC]+(0x142*0x8)+0x4]+0x78
Player #10 (Cyan)       : [[[0x6FACE5E0]+0xC]+(0x16A*0x8)+0x4]+0x78
Player #11 (Dark Green) : [[[0x6FACE5E0]+0xC]+(0x192*0x8)+0x4]+0x78
Player #12 (Brown)      : [[[0x6FACE5E0]+0xC]+(0x1BA*0x8)+0x4]+0x78
============================================================================


Still the same, modified the static base pointer address, only this time MHS unable to read modul names in my PC...
.. to boldly go where no eagle has gone before...
User avatar
WhiteHat
Elang Djawa
 
Posts: 1059
Joined: Fri Jul 21, 2006 12:49 pm
Location: Away for a while...

PreviousNext

Return to Tutorials

Who is online

Users browsing this forum: No registered users and 0 guests

cron