Toast's tutorial to binary string reading.

06/27/2008 04:09 bluetoast#1
Quote:
Originally Posted by coolninja
Dear Toast

I suddenly figured out how you made the hacks for Rohan: you extracted the whole of Rohan back to programs!

Till now, all I do is randomly search values in CE in Rohan.
That's why I can't find much.
Would you mind teaching me how to map out the source code of Rohan? Because I really want to read the code myself.

thanks for any help!

Yours,
Nutimash
We usually use CE and trace the address back to a larger control structure, but I'll show you how anyway.


Note: "This is all based off memory, since i do not have rohan anymore but the concept is always the same FOR MOST GAMES."

Mapping out the strings is pretty easy:
1) First go over to [Only registered and activated users can see links. Click Here To Register...] and download the latest version of OLLYDBG; either Olly 1 or 2 will achieve the same thing.
2) Run the Rohan bypass through the bot.
3) Attach Olly to the bot.
4) You'll find yourself in ntdll; this is not what you want. Usually your games are located in the 0x04000000 region, so let's jump to that expression, shall we?
5) CTRL-G, and enter any value you searched with any cheat engine to jump to the game (remember it should be somewhere in the 04000000 region).
6) Right click the main window and go to Find ---> All text strings.
7) Copy to clipboard ---> Whole table.

This is the easiest way to go around things, but I'd suggest you read up on ASM, pointers, memory types, code caves, structures, stack overflows and how memory is mapped out in a Windows system. I also recommend learning a computer language such as C++.
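Step 6 above ("Find ---> All text strings") is a string sweep over the loaded image. The C program below is an added example, not code from the original post or from OllyDbg, showing the underlying rule as the classic `strings` utility applies it: any run of at least N printable ASCII bytes is reported with its offset. It runs over a small constructed byte blob (made up for this example, not a real game image), so it works offline; the `SAMPLE` array and all function names are this example's own.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample blob: code-like bytes mixed with three printable
   strings and one two-byte run that is too short to count. */
static const unsigned char SAMPLE[] = {
    0x55, 0x8b, 0xec, 0x83, 0xec, 0x10,                 /* prologue-like bytes */
    'H','e','l','l','o',' ','P','l','a','y','e','r', 0x00,
    0x01, 0x02, 0xff, 'o','k', 0x00,                    /* "ok" is too short */
    'L','o','g','i','n',' ','f','a','i','l','e','d', 0x00,
    0xc3, 0x90, 0x90,
    '/','c','o','n','f','i','g','.','i','n','i', 0x00
};

#define MAX_STRINGS 32
#define MAX_LEN 64

struct found_string {
    size_t offset;        /* offset of the first byte inside the buffer */
    char   text[MAX_LEN]; /* NUL-terminated copy, truncated at MAX_LEN-1 */
};

static int is_printable_ascii(unsigned char c) {
    return c >= 0x20 && c <= 0x7e;
}

/* Scan buf for runs of at least min_len printable ASCII bytes and store each
   run with its offset. Returns the number of strings written to out. */
size_t extract_strings(const unsigned char *buf, size_t len, size_t min_len,
                       struct found_string *out, size_t max_out) {
    size_t count = 0, start = 0, run = 0;
    /* i == len acts as a virtual terminator so a trailing run is flushed */
    for (size_t i = 0; i <= len; i++) {
        if (i < len && is_printable_ascii(buf[i])) {
            if (run == 0) start = i;
            run++;
            continue;
        }
        if (run >= min_len && count < max_out) {
            size_t n = run < MAX_LEN - 1 ? run : MAX_LEN - 1;
            out[count].offset = start;
            memcpy(out[count].text, buf + start, n);
            out[count].text[n] = '\0';
            count++;
        }
        run = 0;
    }
    return count;
}

/* Results over the constructed sample, kept in a static table so they can be
   inspected one entry at a time. */
static struct found_string g_table[MAX_STRINGS];
static size_t g_count;

size_t sample_count(void) {
    g_count = extract_strings(SAMPLE, sizeof SAMPLE, 4, g_table, MAX_STRINGS);
    return g_count;
}

const char *sample_text(size_t i) { return i < g_count ? g_table[i].text : ""; }
size_t sample_offset(size_t i) { return i < g_count ? g_table[i].offset : (size_t)-1; }

int main(void) {
    size_t n = sample_count();
    for (size_t i = 0; i < n; i++)
        printf("%08zx  %s\n", sample_offset(i), sample_text(i));
    return 0;
}
```

Note the difference from OllyDbg: its text-string search lists strings that code actually references, whereas this sweep reports every printable run, so on a real image it also turns up false positives (runs of opcode bytes that happen to be printable, like the lone `0x55` above, are filtered only by the minimum length).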
06/27/2008 11:54 coolninja#2
I don't quite understand this line...

5)ALT-G, and enter any value you searched with any cheat engine to jump to the game. (remember it should be somewhere in the 04000000 region

An easier explanation, please?
06/27/2008 13:21 tux-penguin#3
you should put this in the tutorial section of the forum
06/27/2008 23:21 bluetoast#4
Copied right out of the text book

0x00400000 is where your game is almost always loaded. Kernel32.dll, USER32.dll, and SHELL32.dll are other common modules.

All data in all games have addresses and values. An integer can have an address of 0x00443C0C and have a value of 100 (0x64), and this value is used for mathematical purposes. Likewise, a pointer can have an address of 0x0042104C and a value of 0x004AE804, but this value isn’t used for math. This value is yet another address.

It is important to be very clear on what a static address is. In our above example, address 0x00340000 would be static. Some people define static addresses as addresses that never move. But quite clearly that would mean every address is static. Address 0x00340000 is always address 0x00340000, address 0x00300000 is always 0x00300000, 3 is always 3, etc. So it isn’t the address that never moves, since addresses never move anyway. It’s the data that never moves. The data for my player may be at address 0x00340000. Address 0x00340000 will always be there, but the data for my player may later move off to address 0x0234C000.

EXTRA :
The accessible range (as shown) is from 0x00000000 to 0x7FFFE000, which covers two gigabytes. But wait. What if you don’t have two gigabytes of RAM? And, wait a minute. How can both of your games be loaded at 0x004000000 at the same time? Most of the processes on your computer are running at either 0x00400000 or 0x01000000, so that must mean they each have their own 2 gigabytes of RAM, right? But then, that means every time you load a process, you suddenly gain 2 gigabytes of RAM, right?

In my left hand is a red pill. If you take it I will show you the truth. I lost my right hand in the war, so I’m afraid you’re stuck with the red pill.

Every address you see here is a lie. You always see 0x00400000 as the base address of your game, but that is not its real address. Windows® hides its real address, and uses a virtual mapping system to give each process its own “set of RAM”. These addresses are virtual. But luckily for us, we don’t need to know this at all! All that is important to know is that when working in any given process, we are working within a virtual space with addresses that have meaning only to that process. For the sake of simplicity we always treat them as literal real addresses.
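The three ideas in the passage above (an integer's value is a number, a pointer's value is another address, and a "static" address is one whose data does not move while heap data can) can be shown in a few lines of C. The program below is an added example, not code from the quoted book or from any game: `player_hp`, `hp_ptr`, `struct player` and the function names are all constructed for it. It also illustrates the last point of the passage: the addresses it prints are the process's own virtual addresses and will differ from run to run and from machine to machine.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* A plain integer: its value (100, 0x64) is used for arithmetic. As a global
   it lives in the module's data section, so its address is fixed for the life
   of the process: a "static address" in the passage's sense. */
static int player_hp = 100;

/* A pointer: its value is itself an address (the address of player_hp),
   not a number meant for math. */
static int *hp_ptr = &player_hp;

/* A constructed player record kept on the heap. The record can move; the
   global slot that points at it cannot. */
struct player { int hp; int mp; };
static struct player *g_player = NULL;

/* Read the integer through the pointer. */
int read_hp_via_pointer(void) { return *hp_ptr; }

/* The pointer's value compares equal to the address of the integer. */
int pointer_holds_hp_address(void) {
    return (uintptr_t)hp_ptr == (uintptr_t)&player_hp;
}

/* Create the heap record on first use. */
static struct player *ensure_player(void) {
    if (g_player == NULL) {
        g_player = malloc(sizeof *g_player);
        if (g_player == NULL) exit(1);
        g_player->hp = 100;
        g_player->mp = 50;
    }
    return g_player;
}

/* Simulate the game rebuilding its player structure: the new block is
   allocated before the old one is freed, so the two addresses must differ.
   Returns 1 if the data moved, 0 otherwise. */
int relocate_player(void) {
    struct player *old = ensure_player();
    struct player *fresh = malloc(sizeof *fresh);
    if (fresh == NULL) exit(1);
    *fresh = *old;                 /* copy the data to its new home */
    g_player = fresh;              /* the static slot now points at the new block */
    int moved = (uintptr_t)fresh != (uintptr_t)old;
    free(old);                     /* the old address is no longer valid */
    return moved;
}

/* Following the chain "static slot -> current record" still yields the live
   value after relocation; a cached copy of the old address would not. */
int current_hp(void) { return ensure_player()->hp; }

int main(void) {
    printf("player_hp lives at %p and holds %d\n", (void *)&player_hp, player_hp);
    printf("hp_ptr    lives at %p and holds %p\n", (void *)&hp_ptr, (void *)hp_ptr);
    printf("record at %p (hp=%d)\n", (void *)ensure_player(), current_hp());
    int moved = relocate_player();
    printf("after relocation: record at %p (hp=%d), moved=%d\n",
           (void *)g_player, current_hp(), moved);
    return 0;
}
```

The static slot `g_player` is the analogue of the passage's address 0x00340000: the slot itself never moves, while the record it refers to may end up somewhere else entirely, which is why a stable reference has to go through the slot rather than remember the record's last address.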
06/28/2008 03:43 coolninja#5
Quote:
Originally Posted by bluetoast View Post
Copied right out of the text book

0x00400000 is where your game is almost always loaded. Kernel32.dll, USER32.dll, and SHELL32.dll are other common modules.

All data in all games have addresses and values. An integer can have an address of 0x00443C0C and have a value of 100 (0x64), and this value is used for mathematical purposes. Likewise, a pointer can have an address of 0x0042104C and a value of 0x004AE804, but this value isn’t used for math. This value is yet another address.

It is important to be very clear on what a static address is. In our above example, address 0x00340000 would be static. Some people define static addresses as addresses that never move. But quite clearly that would mean every address is static. Address 0x00340000 is always address 0x00340000, address 0x00300000 is always 0x00300000, 3 is always 3, etc. So it isn’t the address that never moves, since addresses never move anyway. It’s the data that never moves. The data for my player may be at address 0x00340000. Address 0x00340000 will always be there, but the data for my player may later move off to address 0x0234C000.

EXTRA :
The accessible range (as shown) is from 0x00000000 to 0x7FFFE000, which covers two gigabytes. But wait. What if you don’t have two gigabytes of RAM? And, wait a minute. How can both of your games be loaded at 0x004000000 at the same time? Most of the processes on your computer are running at either 0x00400000 or 0x01000000, so that must mean they each have their own 2 gigabytes of RAM, right? But then, that means every time you load a process, you suddenly gain 2 gigabytes of RAM, right?

In my left hand is a red pill. If you take it I will show you the truth. I lost my right hand in the war, so I’m afraid you’re stuck with the red pill.

Every address you see here is a lie. You always see 0x00400000 as the base address of your game, but that is not its real address. Windows® hides its real address, and uses a virtual mapping system to give each process its own “set of RAM”. These addresses are virtual. But luckily for us, we don’t need to know this at all! All that is important to know is that when working in any given process, we are working within a virtual space with addresses that have meaning only to that process. For the sake of simplicity we always treat them as literal real addresses.


Whoa, that taught me another big thing I never noticed: virtual addresses allocated by the OS over the real memory operation code.

But my question is simply that I don't understand what this line means...
5)ALT-G, and enter any value you searched with any cheat engine to jump to the game. (remember it should be somewhere in the 04000000 region
Does it mean I can't search the value from CE because the values are encrypted or so, but I can with OllyDbg? And what do you mean by "to jump to the game"? Why do I have to search so that I can jump to the game address? And what do I have to search for?
06/28/2008 07:10 magisbladius#6
Quote:
Originally Posted by bluetoast View Post
Copied right out of the text book

0x00400000 is where your game is almost always loaded. Kernel32.dll, USER32.dll, and SHELL32.dll are other common modules.

All data in all games have addresses and values. An integer can have an address of 0x00443C0C and have a value of 100 (0x64), and this value is used for mathematical purposes. Likewise, a pointer can have an address of 0x0042104C and a value of 0x004AE804, but this value isn’t used for math. This value is yet another address.

It is important to be very clear on what a static address is. In our above example, address 0x00340000 would be static. Some people define static addresses as addresses that never move. But quite clearly that would mean every address is static. Address 0x00340000 is always address 0x00340000, address 0x00300000 is always 0x00300000, 3 is always 3, etc. So it isn’t the address that never moves, since addresses never move anyway. It’s the data that never moves. The data for my player may be at address 0x00340000. Address 0x00340000 will always be there, but the data for my player may later move off to address 0x0234C000.

EXTRA :
The accessible range (as shown) is from 0x00000000 to 0x7FFFE000, which covers two gigabytes. But wait. What if you don’t have two gigabytes of RAM? And, wait a minute. How can both of your games be loaded at 0x004000000 at the same time? Most of the processes on your computer are running at either 0x00400000 or 0x01000000, so that must mean they each have their own 2 gigabytes of RAM, right? But then, that means every time you load a process, you suddenly gain 2 gigabytes of RAM, right?

In my left hand is a red pill. If you take it I will show you the truth. I lost my right hand in the war, so I’m afraid you’re stuck with the red pill.

Every address you see here is a lie. You always see 0x00400000 as the base address of your game, but that is not its real address. Windows® hides its real address, and uses a virtual mapping system to give each process its own “set of RAM”. These addresses are virtual. But luckily for us, we don’t need to know this at all! All that is important to know is that when working in any given process, we are working within a virtual space with addresses that have meaning only to that process. For the sake of simplicity we always treat them as literal real addresses.
Do you mind telling me the name of that book?
06/29/2008 05:25 SellSellSell#7
Quote:
Originally Posted by magisbladius View Post
Do you mind telling me the name of that book?
+1 (& where we can find it if not a problem)
06/29/2008 06:50 bluetoast#8
It can be found in almost EVERY reverse engineering book, under Windows memory management. The little guide I use is the MHS tutorial.
07/15/2009 09:59 lae0821#9
What do you mean by "bot" ----- the multiclient or the RohanBotEn1.0.9?
I really don't understand this part.... pls help.....>.<
07/15/2009 10:38 FebeSexy#10
Quote:
Originally Posted by lae0821 View Post
What do you mean by "bot" ----- the multiclient or the RohanBotEn1.0.9?
I really don't understand this part.... pls help.....>.<
Don't bother hoping if your brain cells are depleted (stupid).
07/17/2009 10:49 lae0821#11
I was just asking...... you're too harsh.... just teach me, I know you guys here are good at this....