Page 4 of 6

PostPosted: Sat Feb 28, 2009 7:07 am
by L. Spiro
It is a linked list. You will have to repeat that pattern for as many objects as there are in the list, which could be thousands.

There is no other way to follow the pointer trail to the base, or from the base to the target, unless there is something very special about your target address that could cause it to be stored as another pointer set elsewhere.
Only your player and a few other types of objects would have this property. If your object is a random object, your only option is to follow the repeating pointers.


L. Spiro

PostPosted: Sat Feb 28, 2009 4:44 pm
by Aspras
Does that mean that I'll reach an end if I continue this?

PostPosted: Sat Feb 28, 2009 6:06 pm
by Explicit
Yes, eventually.

PostPosted: Sat Feb 28, 2009 7:13 pm
by Aspras
I guess there's no point in trying to find the pointer this way. Is there any other way to find the base pointer?

Image

PostPosted: Sat Feb 28, 2009 9:18 pm
by SpeedWing
try other base addys. that is my only advice, and lol nice loops :p.

PostPosted: Sat Feb 28, 2009 10:02 pm
by Aspras
L. Spiro wrote:It is a linked list. You will have to repeat that pattern for as many objects as there are in the list, which could be thousands.

There is no other way to follow the pointer trail to the base, or from the base to the target, unless there is something very special about your target address that could cause it to be stored as another pointer set elsewhere.
Only your player and a few other types of objects would have this property. If your object is a random object, your only option is to follow the repeating pointers.


L. Spiro


The object is my hero's Gold, so I take it no one has found its base pointer with patch 1.22a

PostPosted: Sun Mar 01, 2009 8:16 pm
by WhiteHat
I have to agree with this:
SpeedWing wrote:try other base addys. that is my only advice, and lol nice loops :p.


@Aspras
Actually, the complex address used here in this tutorial is the one which works. There were actually 2 more pointer trails which led me to the same ‘looping’ complex addresses like yours. So I put the one which works in the tutorial.

And I quite believe that the complex address for GOLD in version 1.22a is quite similar...

Also, you may want to mix this back-tracing method with the one from josese’s tutorial about complex addresses. The mix of both methods has helped me obtain complex addresses for ZUMA Deluxe..

PostPosted: Sun Mar 01, 2009 10:45 pm
by Aspras
I have tried all base addresses; the only one that brings it back to the address of gold is this one which continues to loop. Besides, CE's pointer search found no static base pointers, so I don't see how someone would be able to get a static one. Also, I've read Josese's tutorial, though I don't understand why someone would want to use a ranged search when u know the exact address you want your pointer to be pointing at.

PostPosted: Mon Mar 02, 2009 2:44 pm
by WhiteHat
Some say that CE’s pointer search works in some (not every) cases. However, I’ve never managed to obtain even a single working pointer trail (complex address) out of it. The trail works once, but no more in the other session..

The method in josese’s tutorial is very useful (if not the only option) to obtain complex addresses in games which restrict us from debugging them. However, like I said, the mix of the two methods allowed me to find some complex addresses in zuma.. Here’s the case (illustration):
From the backtracing method, I got this complex address: [[[pointer]+offset3]+offset2]+offset1, that was when the back-tracing for [pointer] started to loop like you’ve encountered.. So I decided to use a ranged search (like the one in josese’s tut) for [pointer], and soon after that I got the working complex address: [[[module.exe+offset4]+offset3]+offset2]+offset1. The value of offset4 is the one I couldn’t find with the back-tracing method... Thanks to josese’s method, the complex addresses are now working perfectly..

When I wrote my tut about MHS Injection Manager for ZUMA, I said that I wasn’t able to obtain its complex address. And it’s true because I tried to stick with this back-tracing method..

Anyway, now I’m curious about WarCraft3 version 1.22... Perhaps I’ll upgrade later when I get the time..

PostPosted: Mon Mar 02, 2009 4:41 pm
by Aspras
Hmm I'll try to get down to level 3 with backtracing and then will try josese's method on w3. I've also tried code injection but the game always crashes on me.

PostPosted: Tue Mar 03, 2009 8:49 am
by WhiteHat
I’ve just patched my WarCraft 3 to version 1.22.0.6328...

I used the very much similar step-by-step (almost like copy and paste !) as previous one and managed to obtain these:

Complex Addresses for GOLD:
============================================================================
Player #01 (Red)        : [[["Game.dll"+0xAA4178]+0xC]+(0x002*0x8)+0x4]+0x78
Player #02 (Blue)       : [[["Game.dll"+0xAA4178]+0xC]+(0x02A*0x8)+0x4]+0x78
Player #03 (Aquamarine) : [[["Game.dll"+0xAA4178]+0xC]+(0x052*0x8)+0x4]+0x78
Player #04 (Purple)     : [[["Game.dll"+0xAA4178]+0xC]+(0x07A*0x8)+0x4]+0x78
Player #05 (Yellow)     : [[["Game.dll"+0xAA4178]+0xC]+(0x0A2*0x8)+0x4]+0x78
Player #06 (Orange)     : [[["Game.dll"+0xAA4178]+0xC]+(0x0CA*0x8)+0x4]+0x78
Player #07 (Green)      : [[["Game.dll"+0xAA4178]+0xC]+(0x0F2*0x8)+0x4]+0x78
Player #08 (Pink)       : [[["Game.dll"+0xAA4178]+0xC]+(0x11A*0x8)+0x4]+0x78
Player #09 (Grey)       : [[["Game.dll"+0xAA4178]+0xC]+(0x142*0x8)+0x4]+0x78
Player #10 (Cyan)       : [[["Game.dll"+0xAA4178]+0xC]+(0x16A*0x8)+0x4]+0x78
Player #11 (Dark Green) : [[["Game.dll"+0xAA4178]+0xC]+(0x192*0x8)+0x4]+0x78
Player #12 (Brown)      : [[["Game.dll"+0xAA4178]+0xC]+(0x1BA*0x8)+0x4]+0x78
============================================================================

You can use these to spy your opposing players’ gold in multiplayer mode , or to make them rich/poor in single player mode..

I’ve tested these twice and they work perfectly. Haven’t tried them on another PC yet though...

Hope these work for you guys (and ladies, if there are any)...

:)

PostPosted: Tue Mar 03, 2009 12:42 pm
by Aspras
I recognise the address*8+4 offset, I've tried many times to get that offset to work in the past, my pointer was looking like this :

[address1 +(address*8+4)]+0x78

, using the expression evaluator I checked whether it was pointing back to my gold's address or not and it wasn't. Also tried adding "0x" in front of 8 and 4 (just in case it made any difference) but that wouldn't bring it back to my gold's address either :cry:
Btw there's something I wanted to ask you Whitehat, at a point there's 2 addresses that pop up in the Auto Hack tab, they both are of the same type and have a register as an offset, why do you take the first address's left register as the pointer and then the other address's second register as the offset? Why not take the first address's register at the right as part of the offset?

EDIT: I think I now do understand why you got the first address's register as the pointer and the second address's second register as the offset.

Image

The first address will give you a correct EDX because that is the unique one in that actual address, though it has 2 EAXs and it would give u the first EAX's value which is not the one we need. You saw that there's only 1 EAX in the second address and you could be sure it would give u the correct EAX.
So having understood why you did it that way, here is why I can't get that pointer to point back at my base pointer.

Image


EDIT2:
Here's what I thought, since I don't know the offset but know the leftmost register and the address I want to get it to (which in this case is the base pointer) I can subtract the leftmost register from the base pointer's address and get the offset. Then I could move on by finding a pointer to the leftmost register. Would this work?

EDIT3:
Woo it worked! I found 2 different pointers for the purple slot.

[[[Game.dll+0xAA4178]+0xc]+0x3D4]+0x78
[[[Game.dll+0xAA417C]+0xc]+0x3D4]+0x78

Also found a pointer to the purple slot's damage stat.

[[Game.dll+0xA705FC]+0x1E4]+0xA0

PostPosted: Wed Mar 04, 2009 9:22 pm
by tiduswong
Whitehat wrote:
Complex Addresses for GOLD:
============================================================================
Player #01 (Red)        : [[["Game.dll"+0xAA4178]+0xC]+(0x002*0x8)+0x4]+0x78
Player #02 (Blue)       : [[["Game.dll"+0xAA4178]+0xC]+(0x02A*0x8)+0x4]+0x78
Player #03 (Aquamarine) : [[["Game.dll"+0xAA4178]+0xC]+(0x052*0x8)+0x4]+0x78
Player #04 (Purple)     : [[["Game.dll"+0xAA4178]+0xC]+(0x07A*0x8)+0x4]+0x78
Player #05 (Yellow)     : [[["Game.dll"+0xAA4178]+0xC]+(0x0A2*0x8)+0x4]+0x78
Player #06 (Orange)     : [[["Game.dll"+0xAA4178]+0xC]+(0x0CA*0x8)+0x4]+0x78
Player #07 (Green)      : [[["Game.dll"+0xAA4178]+0xC]+(0x0F2*0x8)+0x4]+0x78
Player #08 (Pink)       : [[["Game.dll"+0xAA4178]+0xC]+(0x11A*0x8)+0x4]+0x78
Player #09 (Grey)       : [[["Game.dll"+0xAA4178]+0xC]+(0x142*0x8)+0x4]+0x78
Player #10 (Cyan)       : [[["Game.dll"+0xAA4178]+0xC]+(0x16A*0x8)+0x4]+0x78
Player #11 (Dark Green) : [[["Game.dll"+0xAA4178]+0xC]+(0x192*0x8)+0x4]+0x78
Player #12 (Brown)      : [[["Game.dll"+0xAA4178]+0xC]+(0x1BA*0x8)+0x4]+0x78
============================================================================

You can use these to spy your opposing players’ gold in multiplayer mode , or to make them rich/poor in single player mode..



how to spy my opposing player using these addys?

PostPosted: Wed Mar 04, 2009 10:19 pm
by Aspras
Suppose you're in a 1v1 and your opponent has the Cyan colour (player no.10), this pointer will bring u to the address that holds your opponent's gold.

Player #10 (Cyan) : [[["Game.dll"+0xAA4178]+0xC]+(0x16A*0x8)+0x4]+0x78

PostPosted: Thu Mar 05, 2009 9:55 am
by WhiteHat
Aspras wrote:Here's what I thought, since I don't know the offset but know the leftmost register and the address I want to get it to (which in this case is the base pointer) I can subtract the leftmost register from the base pointer's address and get the offset. Then I could move on by finding a pointer to the leftmost register. Would this work?

Yes, it works just like you stated later...

In fact, that’s the only way u know to determine the base address (in this case, the leftmost register) if auto-hack returns only 1 code similar to that.

When you use ‘Find Out What Accesses This Address’ to address 0x18610164, and get this code:
MOV EAX, DWORD PTR [EDX+EAX*8+4]

it means that:
0x18610164 = [EDX+EAX*8+4]

then you can use the registers values info (the bottom-most part of auto-hack window) to do some calculation to determine those register values before the code executed..


Aspras wrote:Also found a pointer to the purple slot's damage stat.

What do you mean by “purple slot’s damage” here ?
Sorry for asking but I guess I use a different term for it...


tiduswong wrote:how to spy my opposing player using these addys?

Like Aspras said, you can put them into an MHS table or put them all in the Expression Evaluator in order, with one more bracket added..

[[["Game.dll"+0xAA4178]+0xC]+(0x16A*0x8)+0x4]+0x78 = the address of Player 10 Gold
[[[["Game.dll"+0xAA4178]+0xC]+(0x16A*0x8)+0x4]+0x78] = the value in the address of Player 10 Gold
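The two calculations in this post (recovering EDX from `0x18610164 = [EDX+EAX*8+4]`, and the "one more bracket" rule that turns an address into the value stored there), together with Aspras' EDIT2 trick of subtracting the leftmost register from the target to get the unknown offset, can be checked against a small memory snapshot. The following is an added example written for this thread; it is not MHS code and not code from any poster. Everything in `MODULES` and `MEMORY` (the Game.dll load base, every intermediate pointer, the gold values) is constructed so that the chains quoted on this page resolve; only the chain notation, the offsets `0xAA4178`, `0xC`, `0x4`, `0x78`, the slot indices and the accessed address `0x18610164` come from the page. The `slot_index` helper goes slightly beyond the 12-row table by using the stride of `0x28` that the table's indices (`0x002`, `0x02A`, `0x052`, ...) show, so the chain for any slot number can be generated and resolved.

```python
import re

# Constructed memory snapshot for this example: address -> 32-bit value.
# The module base and every pointer value below are assumptions chosen so
# that the page's chains resolve; they are not real Warcraft 3 memory.
MODULES = {"Game.dll": 0x6F000000}           # assumed load base of Game.dll
MEMORY = {
    0x6F000000 + 0xAA4178: 0x0A001000,       # static pointer inside Game.dll
    0x0A001000 + 0xC: 0x1860F610,            # player-slot table (the EDX in the MOV)
    0x1860F610 + 0x002 * 8 + 4: 0x1C100000,  # slot entry, player #01 (assumed)
    0x1C100000 + 0x78: 500,                  # player #01 gold (assumed)
    0x1860F610 + 0x07A * 8 + 4: 0x1C180000,  # slot entry, player #04 purple (assumed)
    0x1C180000 + 0x78: 800,                  # player #04 gold (assumed)
    0x1860F610 + 0x16A * 8 + 4: 0x1C200000,  # slot entry, player #10 cyan (assumed)
    0x1C200000 + 0x78: 1250,                 # player #10 gold (assumed)
}

TOKEN_RE = re.compile(r'0x[0-9A-Fa-f]+|\d+|"[^"]+"|[A-Za-z_][\w.]*|[\[\]()+*\-]')


class ComplexAddress:
    """Recursive-descent evaluator for MHS-style complex addresses.

    Grammar: sum     := product (('+' | '-') product)*
             product := atom ('*' atom)*
             atom    := '[' sum ']' | '(' sum ')' | module | number
    '[x]' reads the dword stored at address x from the snapshot, so each
    extra pair of brackets is one more pointer dereference.
    """

    def __init__(self, memory, modules):
        self.memory = memory
        self.modules = modules

    def read_dword(self, addr):
        if addr not in self.memory:
            raise ValueError(f"unmapped read at 0x{addr:08X}")
        return self.memory[addr]

    def evaluate(self, expr):
        self.tokens = TOKEN_RE.findall(expr)
        if "".join(self.tokens) != re.sub(r"\s+", "", expr):
            raise ValueError("unrecognised characters in expression")
        self.pos = 0
        value = self._sum()
        if self.pos != len(self.tokens):
            raise ValueError("unbalanced brackets")
        return value

    def _peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def _next(self):
        tok = self._peek()
        if tok is None:
            raise ValueError("unexpected end of expression")
        self.pos += 1
        return tok

    def _expect(self, want):
        if self._next() != want:
            raise ValueError(f"expected {want!r}")

    def _sum(self):
        value = self._product()
        while self._peek() in ("+", "-"):
            op = self._next()
            rhs = self._product()
            value = value + rhs if op == "+" else value - rhs
        return value

    def _product(self):
        value = self._atom()
        while self._peek() == "*":
            self._next()
            value *= self._atom()
        return value

    def _atom(self):
        tok = self._next()
        if tok == "[":                      # dereference
            addr = self._sum()
            self._expect("]")
            return self.read_dword(addr)
        if tok == "(":                      # plain grouping, e.g. (0x16A*0x8)
            value = self._sum()
            self._expect(")")
            return value
        name = tok.strip('"')               # "Game.dll" and bare Game.dll both work
        if name in self.modules:
            return self.modules[name]
        if tok[0].isdigit():
            return int(tok, 0)              # accepts 0x.. hex and decimal
        raise ValueError(f"unknown symbol {tok!r}")


def slot_index(player_no):
    """Index from the page's table: 0x002 for player 1, stepping by 0x28 per slot."""
    return 0x002 + 0x28 * (player_no - 1)


def gold_address_expr(player_no):
    """Build the gold chain for any player slot in the page's notation."""
    return f'[[["Game.dll"+0xAA4178]+0xC]+(0x{slot_index(player_no):03X}*0x8)+0x4]+0x78'


def solve_base_register(accessed_addr, index_reg, scale, disp):
    """For MOV EAX,[EDX+EAX*8+4] hitting accessed_addr, recover EDX from EAX."""
    return accessed_addr - index_reg * scale - disp


def offset_from_base(target_addr, base_reg):
    """Aspras' EDIT2 trick: the unknown offset is the target minus the leftmost register."""
    return target_addr - base_reg


resolver = ComplexAddress(MEMORY, MODULES)

if __name__ == "__main__":
    expr = gold_address_expr(10)
    print(expr, "->", hex(resolver.evaluate(expr)))            # address of player 10 gold
    print("[" + expr + "]", "->", resolver.evaluate("[" + expr + "]"))  # the gold value
    print("EDX =", hex(solve_base_register(0x18610164, 0x16A, 8, 4)))
```

Running it resolves the cyan chain to the address of that slot's gold and, with the extra bracket, to the gold value itself; Aspras' purple chain with the precomputed `0x3D4` and WhiteHat's `(0x07A*0x8)+0x4` form resolve to the same address, since `0x07A*8+4 = 0x3D4`. A read of an address that the snapshot does not contain raises instead of returning garbage, which is the behaviour you want when a chain stops working between sessions.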