League of Legends Data & Offset
League of Legends v1.0.0.141 2012/07/11
Base Address
"League of Legends.exe"+009E5568
"League of Legends.exe"+ 009E5568 +68
"League of Legends.exe"+ 009E5568 +14C
"League of Legends.exe"+ 009E5568 +168
Mouse Select Target Info (Base Address+F0)
Data Type: 4 bytes (with no target selected the default value is 0)
+E4 = Current HP
+E8 = Max HP
+EC = Current MP
+F0 = Max MP
+F4 = Level
Example:"League of Legends.exe"+009E5568+F0+E4=Mosue Select Target Current HP
Data Type: float (with no target selected the default value is -100)
+548 = Ability Power
+54C = Armor
+550 = Attack Damage
+554 = Attack Speed
+55C = Magic Resist
+560 = Movement Speed
Example:"League of Legends.exe"+009E5568+F0+548=Mosue Select Target Ability Power
Personal Info(Base Address+E0)
Data Type:float
+1C = Ability Power
+24 = Attack Damage
+28 = Attack Speed
+34 = Movement Speed
Example:"League of Legends.exe"+009E5568+E0+1C = Personal Ability Power
Personal Info(Base Address+E4)
Data Type:4bytes
+58 = Current HP
+5C = Max HP
+60 = HP Regen
+64 = Current MP
+68 = Max MP
+6C = MP Regen
+70 = Level
Example:"League of Legends.exe"+009E5568+E4+58 = Personal Current HP
Position Base
"League of Legends.exe"+02B19A18
Data Type:float
+10 = Camera X (Min 300 Max 14000)
+18 = Camera Y (Min 300 Max 14200)
+1F4 = Player X
+1F8 = Player Z
+1FC = Player Y
+200 = Mouse Pos X
+204 = Mouse Pos Z
+208 = Mouse Pos Y
Example:"League of Legends.exe"+02B19A18+10 = Camera X
Game Time
Data Type:4bytes
"League of Legends.exe"+00DFE568+00414004=Game Time Second
"League of Legends.exe"+001212580+00414004=Game Time Second
//----------------------------------------------------------------------
Make simple last hit bot
Minion Move Speed = 325
Minion Level = 1
Minion Attack Damage = 12 + 1*(Game Time/180)
#include <windows.h>
// Helpers and globals used by AutoHit() but not shown in the post:
// read/write wrappers over the offsets listed above.
extern DWORD InfoBase, PositionOffset;
extern float ReadPointer(LPDWORD base, DWORD offset);
extern void  WritePointer(DWORD base, DWORD offset, float value);
extern float GetMouseTargetMoveSpeed(void);
extern float GetMouseTargetArmor(void);
extern float GetMyStateAttackDamage(void);
extern DWORD GetMouseTargetCurrentHP(void);
extern DWORD GetGameTime(void);
static DWORD MouseClickTime, CameraMoveTime;
static float Mouse_POS_X, Mouse_POS_Y;

void AutoHit()
{
    // Left button held (high bit of GetKeyState) and the hovered unit moves at minion speed.
    if ((GetKeyState(VK_LBUTTON) & 0x8000) && GetMouseTargetMoveSpeed() == 325) {
        MouseClickTime = GetTickCount();
        // Only re-read the mouse world position once the camera has settled.
        if ((MouseClickTime - CameraMoveTime) > 400) {
            Mouse_POS_X = ReadPointer(LPDWORD(InfoBase + PositionOffset), 0x200);
            Mouse_POS_Y = ReadPointer(LPDWORD(InfoBase + PositionOffset), 0x208);
        }
        // Kill check: our AD after armor, plus the minion damage (12 + 1 per 180 s) the target also takes.
        if ((float)GetMouseTargetCurrentHP() <
            ((GetMyStateAttackDamage() * 100) / (100 + GetMouseTargetArmor())) + 12 + (GetGameTime() / 180)) {
            CameraMoveTime = GetTickCount();
            WritePointer(InfoBase + PositionOffset, 0x10, Mouse_POS_X); // Camera X
            WritePointer(InfoBase + PositionOffset, 0x18, Mouse_POS_Y); // Camera Y
            SetCursorPos(GetSystemMetrics(SM_CXSCREEN) / 2, GetSystemMetrics(SM_CYSCREEN) / 2);
            mouse_event(MOUSEEVENTF_RIGHTDOWN, 0, 0, 0, 0);
            mouse_event(MOUSEEVENTF_RIGHTUP, 0, 0, 0, 0);
        }
    }
}
Module info:
LoL.exe = 00400000
Player:
LoL+009ECF64 (00DECF64) offset E4
Player Offsets:
0 = header 4bytes = 10964540 (you can easily find that player struct by just searching this instead of using pointers)
+148 = current hp
+14A = max hp
+14C = current mana
+14E = max mana
Selected Target (right click mouse anything):
LoL+009ECF64, offset F0
Offsets:
0 = header 4bytes = 10967060
I don't remember the rest, but if you browse the memory region you can easily find HP and mana, so not much.
Other:
Static Camera Position (lookAt):
Start (X): 02E9BB38 (+4 z +4 y +4 rotation)
Static Player Move Point:
Start (X): 02E9BBE0 (+4 z +4 y +4 rotation)
Static Player Model Position:
Start (X): 02EA9238 (+4 z +4 y +4 rotation)
find that health is at 0x1234 and it's storing the value of 1350 (your health);
then set the scan to hex and scan for 0x1234 and find it's at something like 0x2544
static address --> pointer --> health
ADDRESS: static address --> Address you found
VALUE@ADDRESS: pointer location --> health value
The static address is the "pointer" that points to the dynamic memory location at which the health value is stored.
Sometimes there can be a whole chain of pointers that keep pointing to another pointer. A green address in CE means it's static, but it never hurts to find out whether a non-green one also stays the same between game launches.
So, for example, when I did that to playerX's memory location I would see something like:
mov [register + 200], newVal
(Trivial ASM)
So we know that the register it is using is the base address, and 200 is the offset from the base address into the data structure.
Currently I haven't invested much, if any, time into this stuff aside from the zoom hack stuff I keep updating, or the little time I spent here. But if I were going to keep using such data, I do highly recommend pattern/signature scanning as you've talked about, so for something like this you would probably want to see if you could make a signature around the base address.
Edit:
For example, I just found the PlayerX Dest; we know how their coordinate system works, with X, Z, Y.
EAX=044708C8
EBX=00000000
ECX=0018DA9C
EDX=000001D5
ESI=04470BFB
EDI=2A4D5870
EBP=0018DAAC
ESP=0018DA20
EIP=00A316BE
Probable base pointer =044708C8
00A316AB - movss xmm0,[League of Legends.exe+406C574]
00A316B3 - mov eax,[ebp+08]
00A316B6 - movss [eax+000002BC],xmm0
00A316BE - movss xmm0,[League of Legends.exe+406C578]
00A316C6 - movss [eax+000002C0],xmm0
It tells you the "Probable base pointer" but it is very easy to see what the base pointer is without looking at that,
although as the CE tut teaches you these can get much more complex, in which a powerful knowledge of ASM can assist you.
I also ran across a few weird ones which is probably because I'm in the training map and have the cam locked to my character so I would expect to see player dest, player location, and player cam from the search I was doing since they all correspond.
If you got this down to a science, you could just know what the specific start locations are for the training map, and simply when there is a patch you could load up the training map and search for the specific start locations and you'd have your new memory address that you could easily find the main pointer to.
PS:
Sorry if I rambled or it doesn't make sense in some places; I'm running on little sleep and am now seeking to find more, but felt like I wanted to respond to keep the flow of this topic going.
Edit2:
From that small snippet of code the window gave us we can see that it moves the value stored at [ebp+08] into eax before using eax as a base pointer and adding 2BC to find the location of the 'playerX destination'. It could very well be that the value in ebp is also a higher-up base pointer in which the pointer we've been looking at is stored. There's a possibility that ebp is some kind of master pointer and the player data pointer is at +08 off of it; who knows, maybe there's some awesome pointer stored at ebp+04.
Finally I figured out how to get the EBP value and then the address of my Unit Class.
Here is how I did it:
Attach CE, find the mana or health value address, "Find out what accesses this address".
You should get something like this:
00AAF6CA - 3B 45 58 - cmp eax,[ebp+58]
00AAF6CD - 74 03 - je League of Legends.exe+6AF6D2
00AAF6CF - 89 45 58 - mov [ebp+58],eax << ;Here we refill the health which is stored at ebp+58
00AAF6D2 - F3 0F10 44 24 28 - movss xmm0,[esp+28]
00AAF6D8 - 0F2E 45 60 - ucomiss xmm0,[ebp+60]
So to get 0x00AAF6CF I made a SigScan:
\x89\x45\x58\xF3\x0F\x10\x44\x24\x28
xxxxxxxxx
So, we have health @ ebp+58 and probably the health regen addition @ eax.
I decided to make a codecave to grab the EBP value. A codecave needs at least 5 bytes to work, and @ 0x00AAF6CF we only have 3 available.
So I moved to 0x00AAF6D2 where we have 6 bytes to inject my codecave.
To do this:
g_pSigManager->Add("test1", "League of Legends.exe", "\x89\x45\x58\xF3\x0F\x10\x44\x24\x28", "xxxxxxxxx", 0x03);
// We add 0x03 to 00AAF6CF so it becomes 00AAF6D2 and we are ready to write the codecave :)
The codecave is simple: move ebp to a variable and execute the command we overwrote, which is this one:
00AAF6D2 - F3 0F10 44 24 28 - movss xmm0,[esp+28]
So here is the codecave:

// Globals the cave writes to. The hook at 0x00AAF6D2 is a 5-byte CALL
// (E8 rel32) plus one NOP, so the return address popped below is
// 0x00AAF6D7 and execution resumes at the instruction after the stolen one.
DWORD RetAddr;   // return address pushed by the CALL hook
DWORD EBPAddy;   // EBP = pointer to the unit structure (health at +0x58)

__declspec(naked) void GetUnitAdd(void)
{
    __asm
    {
        pop RetAddr         // take the CALL's return address off so ESP matches the original frame
        // Here we grab the EBP value and put it in DWORD EBPAddy
        mov EBPAddy, ebp
        pushad
        pushfd
    }
    // Do whatever you want; I just log the EBPAddy value here
    __asm
    {
        popfd
        popad
        // We execute the code we erased to write the codecave.
        // CE prints the displacement in hex: it is 0x28 here, not decimal 28.
        movss xmm0, [esp+0x28]
        push RetAddr
        ret
    }
}
That's all!
Just don't forget one thing: when you inject a codecave it must be 5 bytes, so if you have 6 bytes like in this case, NOP the remaining byte so the game doesn't crash because of an incorrect byte sequence; it's important.
There are some more things to do to use it, but all the necessary parts are here.
There isn't much source code about League of Legends, so I hope this will help some people, and I want to thank UserNamex32 and Vallz again for your help.
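Worked example of the signature scan and the 5-byte/NOP rule from the post above (and the pattern/signature scanning recommended earlier in the thread), added here and not part of anyone's post. It scans a byte image for the post's signature `\x89\x45\x58\xF3\x0F\x10\x44\x24\x28` with mask `xxxxxxxxx`, adds the +3 to reach 0x00AAF6D2, verifies that the six bytes there really are the `movss xmm0,[esp+28]` that the cave re-executes before writing anything, and then builds the `E8 rel32` + `90` patch, with rel32 measured from the end of the CALL. The image is constructed from the 18 code bytes CE listed starting at 0x00AAF6CA; the cave address 0x10000000 and all function names are assumptions, and a real tool would scan the live process's .text section and write the patch with WriteProcessMemory or by changing page protection in-process.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Masked signature scan: 'x' in mask = byte must match, '?' = wildcard.
 * Returns the index of the first hit in buf, or -1. */
long sig_scan(const uint8_t *buf, size_t len, const uint8_t *pat, const char *mask)
{
    size_t plen = strlen(mask);
    if (plen == 0 || len < plen) return -1;
    for (size_t i = 0; i + plen <= len; i++) {
        size_t j = 0;
        while (j < plen && (mask[j] == '?' || buf[i + j] == pat[j])) j++;
        if (j == plen) return (long)i;
    }
    return -1;
}

/* 6-byte patch for a CALL-based cave over a 6-byte instruction:
 * E8 rel32 (5 bytes) + NOP.  rel32 is measured from the end of the CALL
 * (hook_va + 5), so the cave's "push RetAddr; ret" lands on the NOP at
 * hook_va + 5 and falls through to the next original instruction.
 * Returns rel32 so callers can check it. */
uint32_t build_call_patch(uint32_t hook_va, uint32_t cave_va, uint8_t out[6])
{
    uint32_t rel = cave_va - (hook_va + 5);
    out[0] = 0xE8;
    for (int i = 0; i < 4; i++) out[1 + i] = (uint8_t)(rel >> (8 * i));
    out[5] = 0x90;
    return rel;
}

/* Constructed image: the 18 code bytes CE listed from 0x00AAF6CA in the
 * post above (a real tool reads the live process's .text instead). */
#define IMG_VA 0x00AAF6CAu
static const uint8_t IMG[] = {
    0x3B,0x45,0x58,                   /* 00AAF6CA cmp     eax,[ebp+58]  */
    0x74,0x03,                        /* 00AAF6CD je      +3            */
    0x89,0x45,0x58,                   /* 00AAF6CF mov     [ebp+58],eax  */
    0xF3,0x0F,0x10,0x44,0x24,0x28,    /* 00AAF6D2 movss   xmm0,[esp+28] */
    0x0F,0x2E,0x45,0x60               /* 00AAF6D8 ucomiss xmm0,[ebp+60] */
};

/* The post's signature and mask, the +3 to reach the hook site, and the
 * instruction that will be stolen there. */
static const uint8_t SIG[]    = {0x89,0x45,0x58,0xF3,0x0F,0x10,0x44,0x24,0x28};
static const char    MASK[]   = "xxxxxxxxx";
#define SIG_TO_HOOK 3
static const uint8_t STOLEN[] = {0xF3,0x0F,0x10,0x44,0x24,0x28};

/* Returns the hook VA (signature hit + 3), or 0 if the signature is absent
 * or the bytes at the hook site are not the expected 6-byte movss.
 * Refusing to patch is better than writing a CALL over an instruction of
 * another length, or over a hook that is already installed. */
uint32_t find_hook_site(const uint8_t *img, size_t len, uint32_t img_va)
{
    long hit = sig_scan(img, len, SIG, MASK);
    if (hit < 0) return 0;
    size_t off = (size_t)hit + SIG_TO_HOOK;
    if (off + sizeof STOLEN > len || memcmp(img + off, STOLEN, sizeof STOLEN) != 0)
        return 0;
    return img_va + (uint32_t)off;
}

/* Convenience: rel32 of the CALL that would be written for 'cave_va', or
 * 0xFFFFFFFF if the constructed image has no safe hook site. */
uint32_t hook_rel32(uint32_t cave_va)
{
    uint8_t patch[6];
    uint32_t hook = find_hook_site(IMG, sizeof IMG, IMG_VA);
    if (hook == 0) return 0xFFFFFFFFu;
    return build_call_patch(hook, cave_va, patch);
}
```

The byte check before patching is the part worth keeping: a signature that still matches after a patch does not guarantee the instruction at signature+3 is still six bytes long, and a cave that re-executes the wrong stolen bytes crashes the game in a way that is painful to debug.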
AutoIt Lasthit bot