DOTA Players’ Gold: Complex Address (Back Tracing Pointer)
Posted: Sun Jun 29, 2008 6:26 pm
This tutorial is actually my answer for Felheart’s PM, and also a reply for his post:
viewtopic.php?p=21519&sid=516f450a9e620b4a3406584c100d11f9#21519
I have to say that my method is stupid: it takes a lot of effort, yet there is no guarantee of success. However, in the case of Warcraft 3 Players' Gold (and other resources like lumber and food) this method is working, so I am going to post it anyway...
...
Here's my step-by-step of constructing a Complex Address for Player #2's gold address:
I started DOTA as the BLUE Player, that is Player 2, and tried to find my gold address in MHS... My gold was 3500 when I found its address at 0x0F571410, which I then put in the MHS table.
For the Complex Address I had to know how WarCraft 3 created the address. So the next thing to do was to apply "Find What Accesses This Address" to the gold address.
(picture 01)
The Auto-Hack window in the MHS Disassembler Helper would show nothing unless my gold was modified/accessed. To do this, I got back to the game and just waited for my gold to change...
After playing some time, my gold had increased to 3508. About time to check the Auto-Hack window:
(picture 02)
Some code that had just modified my gold address popped up...
In the picture above, I chose one of the code lines to get the base pointer for my gold address, which then showed the register values in the fields below. From the code I chose, I could tell that the base pointer was stored in EDX and it was 0x0F571398...
I put a similar expression to [EDX+78] into the Expression Evaluator to see if the result was correct:
(picture 03)
Take a closer look at the Expression Evaluator window (lower-left part of the picture):
- Expression: 0x0F571398+0x78
- Result: 0x0F571410 --> This was equal to my gold address
So, I knew that:
- 0x0F571398 was the value of the base pointer that pointed to my gold address
- 0x78 was the offset of how far my gold address resides from the base pointer
The next step was to find out where in memory the base pointer value resided and whether the base pointer was a static one. To do that I had to search for addresses whose values were exactly the same as the previous base pointer (0x0F571398), so I used Pointer Search with Exact Value...
(picture 04)
MHS found 6 addresses whose values matched the base pointer of my gold address...
(picture 05)
I chose the last one and put it into my table so I could apply "Find What Accesses This Address" to it (the reason I chose the last address was that further experiments with the other addresses failed. I was lucky that there were only 6 addresses found instead of hundreds. That's why I called this method stupid...)
Back in DOTA, my gold increased to 3524. Something had to have come up in the Auto-Hack window by then...
(picture 06a)
(picture 06b)
An 'unusual' ASM code came up... There were two registers within the brackets instead of the usual one: [Register+(Register*constant)+offset]
Which one was the base pointer then?
A friend of mine told me that in almost any case, the base pointer value is the left-most register, while the other register has something to do with an array, e.g. reg value = 1 for player one, reg value = 2 for player two, etc... (well... I didn't quite understand it, but it was working anyway. So I just accepted it...)
From those two pictures above, I got the register values:
- EDX = 0x18610010 (got it from the 1st ASM code)
- EAX = 0x2A (got it from the 2nd ASM code)
Then I tried the code in the Expression Evaluator, and the result was still my gold address:
(picture 07)
Allow me to give a simple explanation of the Complex Address so far:
- 0x18610010+(0x2A*8)+4 = 0x18610164 ---> This was the address whose value equals the base pointer to my gold address.
- [0x18610010+(0x2A*8)+4] = 0x0F571398 ---> This was the 1st-layer base pointer to my gold address.
That means:
[0x18610010+(0x2A*8)+4]+0x78 = 0x0F571398+0x78 = 0x0F571410 ---> My gold address.
I had just got my complex address for my gold address, but it was not over yet. Not until I found the static base pointer. So, the next thing to do was to repeat the above steps until I got the static base pointer and built the complex address out of it...
Moving on, I searched for any addresses whose value equals the last base pointer (0x18610010).
Like before, I used Exact Value in Pointer Search:
(picture 08)
and the result:
(picture 09)
Lucky me, there were only 3 addresses. That narrowed down my search... (luck is one of the best friends of beginners) :p
I chose the 2nd address for Auto-Hack, 0x094C00A4 (yes, the 2nd one was the only address which gave a good result later on). And this is the Auto-Hack window for it after my gold increased to 3532 in DOTA:
(picture 10)
I don't think I need to explain anything more, since it is a similar step to the ones before...
Next, I modified my complex address from the last one: changing the value of the base pointer to the address that contained it. That is, I changed 0x18610010 to [0x094C00A4], or more precisely from 0x18610010 to [0x094C0098+0x0C] (based on the ASM code in the Auto-Hack window).
(picture 11)
Apparently, I had not got the static pointer yet (the innermost base pointer was still in [register+offset] format), so I had to repeat the step...
I searched for addresses whose values equal the last base pointer (=0x094C0098) via pointer search.
(picture 12)
MHS found 2 addresses...
(picture 13)
I chose the 2nd one and applied "Find What Accesses This Address" to it.
(At this point, I didn't have to switch to DOTA, since some code came up when I highlighted the address in the Auto-Hack window. Apparently, WarCraft 3 keeps accessing this address even while it runs in the background)...
(picture 14)
There! The static base pointer address!
When we get ASM code similar to MOV ESI, DWORD PTR [6F87D7BC], it means that the address within the brackets is a static address.
Next, the last step, was to modify the Complex Address in the Expression Evaluator...
The result was still intact: my gold address!
(picture 15)
The Complex Address for my gold address, starting from the Static Base Pointer, was: [[[0x6F87D7BC]+0x0C]+0x2A*8+4]+0x78
That is a 3-layer pointer...
By the time I got to the step shown in picture 13, the found addresses should have been green text, which means they are static addresses. However, when I redid the process to write this tutorial, that didn't happen. So I just proceeded with the same steps as before... I dunno what's wrong, but that does not really matter anyway...
Summary of finding the Complex Address of my gold address:
- 0x0F571410
- 0x0F571398+0x78 --> 0x0F571410
- [0x18610164]+0x78 --> 0x0F571410
- [0x18610010+(0x2A*8)+4]+0x78 --> 0x0F571410
- [[0x94C00A4]+(0x2A*8)+4]+0x78 --> 0x0F571410
- [[0x94C0098+0x0C]+(0x2A*8)+4]+0x78 --> 0x0F571410
- [[[0x6F87D7BC]+0x0C]+(0x2A*8)+4]+0x78 --> 0x0F571410
...
Through some experiments, I got Complex Addresses for each player's gold:
Player 01: [[[0x6F87D7BC]+0x0C]+0x02*8+4]+0x78
Player 02: [[[0x6F87D7BC]+0x0C]+0x2A*8+4]+0x78
Player 03: [[[0x6F87D7BC]+0x0C]+0x52*8+4]+0x78
Player 04: [[[0x6F87D7BC]+0x0C]+0x7A*8+4]+0x78
Player 05: [[[0x6F87D7BC]+0x0C]+0xA2*8+4]+0x78
Player 06: [[[0x6F87D7BC]+0x0C]+0xCA*8+4]+0x78
Player 07: [[[0x6F87D7BC]+0x0C]+0xF2*8+4]+0x78
Player 08: [[[0x6F87D7BC]+0x0C]+0x11A*8+4]+0x78
Player 09: [[[0x6F87D7BC]+0x0C]+0x142*8+4]+0x78
Player 10: [[[0x6F87D7BC]+0x0C]+0x16A*8+4]+0x78
Player 11: [[[0x6F87D7BC]+0x0C]+0x192*8+4]+0x78
Player 12: [[[0x6F87D7BC]+0x0C]+0x1BA*8+4]+0x78
To make them easier to read, I rewrote the offsets of the 3rd-layer pointer so that they correspond to the player numbers:
Player 01: 0x02*8+4 -----> ((1-1)*0x140)+0x14
Player 02: 0x2A*8+4 -----> ((2-1)*0x140)+0x14
Player 03: 0x52*8+4 -----> ((3-1)*0x140)+0x14
Player 04: 0x7A*8+4 -----> ((4-1)*0x140)+0x14
Player 05: 0xA2*8+4 -----> ((5-1)*0x140)+0x14
Player 06: 0xCA*8+4 -----> ((6-1)*0x140)+0x14
Player 07: 0xF2*8+4 -----> ((7-1)*0x140)+0x14
Player 08: 0x11A*8+4 ----> ((8-1)*0x140)+0x14
Player 09: 0x142*8+4 ----> ((9-1)*0x140)+0x14
Player 10: 0x16A*8+4 ----> ((10-1)*0x140)+0x14
Player 11: 0x192*8+4 ----> ((11-1)*0x140)+0x14
Player 12: 0x1BA*8+4 ----> ((12-1)*0x140)+0x14
@Felheart: this is where the +0x14 in my complex address comes from. It was just my own modification to make them easier to read, corresponding to the Player's Number...
Example: 0x02*8+4 = ((1-1)*0x140)+0x14 = 0x14
So, my final Complex Addresses for each Player's Gold in DOTA WarCraft 3 are:
Player 01: [[[0x6F87D7BC]+0xC]+((1-1)*0x140)+0x14]+0x78
Player 02: [[[0x6F87D7BC]+0xC]+((2-1)*0x140)+0x14]+0x78
Player 03: [[[0x6F87D7BC]+0xC]+((3-1)*0x140)+0x14]+0x78
Player 04: [[[0x6F87D7BC]+0xC]+((4-1)*0x140)+0x14]+0x78
Player 05: [[[0x6F87D7BC]+0xC]+((5-1)*0x140)+0x14]+0x78
Player 06: [[[0x6F87D7BC]+0xC]+((6-1)*0x140)+0x14]+0x78
Player 07: [[[0x6F87D7BC]+0xC]+((7-1)*0x140)+0x14]+0x78
Player 08: [[[0x6F87D7BC]+0xC]+((8-1)*0x140)+0x14]+0x78
Player 09: [[[0x6F87D7BC]+0xC]+((9-1)*0x140)+0x14]+0x78
Player 10: [[[0x6F87D7BC]+0xC]+((10-1)*0x140)+0x14]+0x78
Player 11: [[[0x6F87D7BC]+0xC]+((11-1)*0x140)+0x14]+0x78
Player 12: [[[0x6F87D7BC]+0xC]+((12-1)*0x140)+0x14]+0x78
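As an added example (not code from the post, from MHS, or from Warcraft 3), here is a small evaluator for the bracket notation used above, where [x] means "the 32-bit value stored at address x", run against a memory image constructed from the values the post reports for Player 2. The recursive-descent grammar, the helper names, the `read32` callback (which stands in for a process-memory or dump reader) and the memory image are all assumptions made for this illustration. It also checks that the post's two forms of the per-player offset, reg*8+4 and ((n-1)*0x140)+0x14, agree for all twelve slots, and it stops with an error when a pointer layer is not mapped, which is what a chain does when the game is not in a match or the build differs.

```python
"""Resolve bracket-notation pointer chains against a memory image.

Added example: the [addr] notation is the post's; the parser, the memory
image and the helper names are assumptions, not MHS or Warcraft 3 code.
"""
import re
from typing import Callable, Dict, Tuple

# One token per number, bracket, parenthesis or operator.
_TOKEN = re.compile(r"\s*(0[xX][0-9A-Fa-f]+|\d+|[\[\]()+\-*])")


class ChainResolver:
    """Recursive-descent evaluator for expressions such as
    [[[0x6F87D7BC]+0x0C]+((2-1)*0x140)+0x14]+0x78.
    sum := product (('+'|'-') product)*; product := atom ('*' atom)*;
    atom := number | '(' sum ')' | '[' sum ']'  (one pointer layer)."""

    def __init__(self, read32: Callable[[int], int]):
        self.read32 = read32  # stands in for a process-memory or dump read
        self.tokens, self.pos = [], 0

    def resolve(self, expr: str) -> int:
        self.tokens = _TOKEN.findall(expr)
        if "".join(self.tokens) != re.sub(r"\s+", "", expr):
            raise ValueError(f"unparseable expression: {expr!r}")
        self.pos = 0
        value = self._sum()
        if self.pos != len(self.tokens):
            raise ValueError(f"trailing tokens in {expr!r}")
        return value

    def _peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def _take(self, expected: str = None) -> str:
        tok = self._peek()
        if tok is None or (expected is not None and tok != expected):
            raise ValueError(f"expected {expected or 'a token'}, got {tok!r}")
        self.pos += 1
        return tok

    def _sum(self) -> int:
        value = self._product()
        while self._peek() in ("+", "-"):
            op = self._take()
            rhs = self._product()
            value = value + rhs if op == "+" else value - rhs
        return value

    def _product(self) -> int:
        value = self._atom()
        while self._peek() == "*":
            self._take()
            value *= self._atom()
        return value

    def _atom(self) -> int:
        tok = self._take()
        if tok == "(":
            value = self._sum()
            self._take(")")
            return value
        if tok == "[":
            addr = self._sum()
            self._take("]")
            return self.read32(addr)  # dereference: one more pointer layer
        return int(tok, 16) if tok.lower().startswith("0x") else int(tok, 10)


def scaled_index_offset(reg: int) -> int:
    """The reg*8+4 displacement MHS showed in the [EDX+EAX*8+4] form."""
    return reg * 8 + 4


def player_offset(player: int) -> int:
    """The post's rewrite of the same offset as ((n-1)*0x140)+0x14."""
    if not 1 <= player <= 12:
        raise ValueError("player slot must be 1..12")
    return (player - 1) * 0x140 + 0x14


def player_gold_expr(player: int) -> str:
    """Complex Address for one player's gold, as written in the post."""
    player_offset(player)  # validates the slot number
    return f"[[[0x6F87D7BC]+0x0C]+(({player}-1)*0x140)+0x14]+0x78"


# Constructed memory image: each address holds the pointer the post reports
# finding at the next layer; the final address holds the gold value (3532,
# the last value quoted in the post). Nothing else is mapped.
MEMORY: Dict[int, int] = {
    0x6F87D7BC: 0x094C0098,  # static base pointer
    0x094C00A4: 0x18610010,  # [0x094C0098+0x0C]
    0x18610164: 0x0F571398,  # [0x18610010+0x2A*8+4]
    0x0F571410: 3532,        # Player 2's gold
}


def reader_for(image: Dict[int, int]) -> Callable[[int], int]:
    """read32 that refuses unmapped addresses: a chain whose layer is not
    live must stop rather than return whatever bytes happen to be there."""
    def read32(addr: int) -> int:
        if addr not in image:
            raise KeyError(f"unmapped address 0x{addr:08X}: pointer layer not live")
        return image[addr] & 0xFFFFFFFF
    return read32


def resolve_player_gold(image: Dict[int, int], player: int) -> Tuple[int, int]:
    """Return (gold address, gold value) for a player slot."""
    read32 = reader_for(image)
    addr = ChainResolver(read32).resolve(player_gold_expr(player))
    return addr, read32(addr)


if __name__ == "__main__":
    addr, gold = resolve_player_gold(MEMORY, 2)
    print(f"Player 2 gold at 0x{addr:08X} = {gold}")
```

Only Player 2's layers exist in the constructed image, so resolving any other slot raises KeyError at the third layer instead of producing a bogus address; with a real reader, the same check is what separates "the chain is stale" from "the chain is wrong".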
Note: In my previous post, the static address changed to [module+offset] format (0x6F87D7BC = game.dll+0x87D7BC). But it didn't happen that way when I wrote this tutorial (and I don't know why. Perhaps because of a different version of WC3), so I just left the static address as is...
This concludes my tutorial, which I hope answers Felheart's PM...
I have to say that the method I used here is not good enough, since it does not always succeed. For example, I haven't succeeded in finding the complex address for Heroes' health and mana in Warcraft 3 using this method (although I can say that they are very similar to the complex address for a player's gold!)...
I'm sure there are many better methods to find a complex address, so I hope some would kindly share their methods...
Hope this tutorial helps at least a little. Any corrections are welcome... And I'm sorry for my English and the late reply. Can't go online much these days...