To search for WarRock addresses ("addys"), you need a dumped WarRock.exe and IDA Pro.
You can dump your WarRock.exe with Kernel Detective v1.4.1.
IdaPro :
Download :
Kernel Detective v1.4.1 :
Download : Will be added soon!
How to Dump your WarRock.exe
Will be added Soon!
Open IDA Pro and load your dumped WarRock.exe.
- Now just search for the strings below -
Some examples of what to search for, for each address. Please also try to find some on your own!
NoFallDamage:
OFS_X/Y/Z:
Weapon 1/3:
BasePointer:
HealthPointer:
ClassBase:
MaxPlayers:
PlayerPointer:
ServerPointer:
FastAmmo:
NoRecoil 2/3:
NoBounds (1/2):
PLAYERSIZE:
FastRepair:
Slots
FullBright:
NearFog:
FarFog:
FogColor:
WaterHeight:
Premium (1/2):
RoomMaster:
SuperMaster:
NoFallDamage:
Search: "DestoryMission Success" (bottom)
Table: mov [esi+103A4h], eax
= 0x00103A4
OFS_X/Y/Z:
Search: "DA02"
Table:
___:004CC96D mov ecx, [esi+102D4h] -->OFS_X
___:004CC973 mov eax, 0C6h
___:004CC978 xor ecx, eax
___:004CC97A mov [ebp-30h], ecx
___:004CC97D mov ecx, [esi+102A8h]
___:004CC983 mov edx, [ebp-30h]
___:004CC986 mov [ecx+34h], edx
___:004CC989 mov ecx, [esi+102D8h] -->OFS_Z
___:004CC98F xor ecx, eax
___:004CC991 mov [ebp-30h], ecx
___:004CC994 mov ecx, [esi+102A8h]
___:004CC99A mov edx, [ebp-30h]
___:004CC99D mov [ecx+38h], edx
___:004CC9A0 mov ecx, [esi+102DCh] -->OFS_Y
___:004CC9A6 xor ecx, eax
___:004CC9A8 mov eax, [esi+102A8h]
___:004CC9AE mov [eax+3Ch], ecx
___:004CC9B1 mov [ebp-30h], ecx
___:004CC9B4 mov ecx, [esi+102A8h]
=
OFS_X 0x000102D4
OFS_Y 0x000102DC
OFS_Z 0x000102D8
Weapon 1/3:
Search: "You cannot enter a vehicle in prone pos"
Table:
___:00455F65 mov ax, [edi+101D0h] --> Weapon 3
___:00455F6C mov [edi+10100h], ax --> Weapon1
=
OFS_WEAPON1 0x00010100
OFS_WEAPON3 0x000101D0
BasePointer:
Search: "NULL" (bottom)
Table:
mov edi, offset dword_9A6250
or
cmp edi, offset dword_9A6250
= 0x009A6250
HealthPointer:
Search: "DamageFly0" (far up)
Table: cmp dword_9A7DE4[esi], 12Ch
= 0x009A7DE4
ClassBase:
Search: "Lower" (bottom)
Table: mov esi, dword_9A7DF0[eax]
= 0x009A7DF0
MaxPlayers:
Search: "m891" (bottom)
Table: mov eax, [eax+0CBFF0h]
=0x000CBFF0
PlayerPointer:
Search: "DX01" (top)
Table: "cmp dword_A91820"
= 0x00A91820
ServerPointer:
Search: "CF01" (top)
Table: "mov ecx, dword_9394A2"
= 0x009394A2
FastAmmo:
Search: "ammo_base" (bottom)
Table:
___:0042B2A6 mov eax, [esi+8]
___:0042B2A9 cmp dword ptr [eax+18h], 0
___:0042B2AD jnz loc_42B368
___:0042B2B3 mov eax, [eax+1Ch]
___:0042B2B6 mov eax, [eax+0E8h]
___:0042B2BC add eax, 8
___:0042B2BF push offset aAmmo_base ; "ammo_base"
___:0042B2C4 push eax
___:0042B2C5 call sub_68DAED
___:0042B2CA test eax, eax
___:0042B2CC pop ecx
___:0042B2CD pop ecx
___:0042B2CE jnz short loc_42B316
___:0042B2D0 fld [ebp+var_4]
___:0042B2D3 fcomp flt_76BE84
___:0042B2D9 fnstsw ax
___:0042B2DB test ah, 5
___:0042B2DE jp loc_42B368
___:0042B2E4 cmp dword_7BFE10, 1Bh
___:0042B2EB jz short loc_42B30A
___:0042B2ED fld flt_89B048
___:0042B2F3 lea eax, [ebp+var_10]
___:0042B2F6 fmul flt_7615C0
___:0042B2FC push eax
___:0042B2FD mov ecx, offset dword_89E53C <--- FastAmmo
___:0042B302 fstp [ebp+var_10]
___:0042B305 call sub_42A28A
= 0x0089E53C
NoRecoil 2/3:
Search (1/2): "DU04" (top)
Table:
___:00445C34 call sub_70F500
___:00445C39 mov eax, [esi]
___:00445C3B mov ecx, [ebp+20h] --> No Recoil 2
___:00445C3E mov edx, [ebp+24h] --> No Recoil 3
___:00445C41 mov [ebp+15Ch], eax
___:00445C47 mov [ebp+160h], ecx
___:00445C4D mov edi, offset aDu04 ; "DU04"
=0x20/0x24
NoBounds (1/2):
Search: "m408_1"
Table: FSTP DWORD PTR DS:[E29KD]
= 0x00E29KD
Search: "m408_1"
Table: MOV DWORD PTR DS:[EO399],EAX
= 0x00EO399
PLAYERSIZE:
Search: "CLS_DAMAGEFLY" (bottom)
Table:
imul eax, 1CE8h
or
imul ecx, 1CE8h
= 0x001CE8
FastRepair:
Search: "repair_base"
Table:
___:0042B316 mov eax, [esi+8]
___:0042B319 mov eax, [eax+1Ch]
___:0042B31C mov eax, [eax+0E8h]
___:0042B322 add eax, 8
___:0042B325 push offset aRepair_base ; "repair_base"
___:0042B32A push eax
___:0042B32B call sub_68DAED
___:0042B330 test eax, eax
___:0042B332 pop ecx
___:0042B333 pop ecx
___:0042B334 jnz short loc_42B368
___:0042B336 fld [ebp+var_14]
___:0042B339 fcomp flt_76BE84
___:0042B33F fnstsw ax
___:0042B341 test ah, 5
___:0042B344 jp short loc_42B368
___:0042B346 cmp dword_7BFE14, 1Bh
___:0042B34D jz short loc_42B35E
___:0042B34F push offset flt_89B048
___:0042B354 mov ecx, offset dword_89E540 --> FastRepair
___:0042B359 call sub_42A28A
=0x0089E540
Slots
Search: "CC02" (top)
Table: mov byte ptr [ebp+0D147Ch], 1
= 0x00D147C
OFS_5SLOT ....C
OFS_6SLOT ....D
OFS_7SLOT ....E
OFS_8SLOT ....F
FullBright:
Search: "Light.Ambient" (bottom)
Table:
push offset flt_8B131C
push offset flt_8B1318
push offset flt_8B1314
=
ADR_FULLBRIGHT1 0x008B131C
ADR_FULLBRIGHT2 0x008B1318
ADR_FULLBRIGHT3 0x008B1314
NearFog:
Search: "Fog.NearDistance" (bottom)
Table: push offset dword_8B13AC
=0x008B13AC
FarFog:
Search: "Fog.FarDistance" (bottom)
Table: push offset dword_8B13B0
=0x008B13B0
FogColor:
Search: "Fog.Color" (bottom)
Table:
push _warrock.008B1364
push _warrock.008B13A2
push _warrock.008B14D7
=
0x008B1364
0x008B13A2
0x008B14D7
WaterHeight:
Search: "Water.HeightRatio" (bottom)
Table: PUSH _warrock.004A6AIE2
=0x004A6AIE2
WaterColor (Shallow/Deep)
Shallow>
Search: "Water.ShallowColor" (bottom)
Table:
PUSH _warrock.008B1364
PUSH _warrock.008B13A2
PUSH _warrock.008B14D7
=
0x008B1364
0x008B13A2
0x008B14D7
Deep>
Search: "Water.DeepColor" (bottom)
Table:
PUSH _warrock.008B1364
PUSH _warrock.008B13A2
PUSH _warrock.008B14D7
=
0x008B1364
0x008B13A2
0x008B14D7
Premium (1/2):
>PremiumPointer1<
Search: " EventGiftNotice_2" (far up)
Table: LEA EDI,DWORD PTR DS:[ESI+57J]
= 0x0057
>PremiumPointer2<
Search: " EventGiftNotice_2" (far up)
Table: LEA EBX,DWORD PTR DS:[ESI+580]
= 0x00580
RoomMaster:
Search: "list too long"
Table: cmp ecx, [eax+0CC420h]
= 0x000CC420
SuperMaster:
Search: "NULL" (bottom)
Table: and dword ptr [ecx+0CC004h], 0
= 0x000CC004
I can't explain it very well, because I am not a pro at searching for addys...
I started to learn C++ and so on in the past 5 days, but I learn extremely fast...
I will maybe write a better tutorial if I understand it a bit better...
If you are not a beginner, you should understand that... I hope...