Reading HP

Discussion on Reading HP within the CO2 Programming forum part of the Conquer Online 2 category.

Old   #1
 
elite*gold: 20
Join Date: Aug 2005
Posts: 1,734
Received Thanks: 1,001
Reading HP

NOTE: Addresses change at almost every update of Conquer.exe, so these addresses might not work on the new patch. This code is written for the 5068 patch.

I know some people have had trouble reading HP from Conquer's memory, so here's a little "tutorial" on how to save the real HP value to a static location. I'm not going into much depth on how I found the places I'm using in this tutorial.

First of all, you need OllyDBG. (Well, that's what this tutorial is written for.) The next thing we do is open Conquer in OllyDBG and let it analyze the code. Now we need to find a place where Conquer processes the current HP value. You don't have to worry about this, I've already got it for you. :P

Code:
004ECEF1     FF75 0C       PUSH DWORD PTR SS:[EBP+0C]
004ECEF4     52            PUSH EDX
004ECEF5     E8 2EDF0000   CALL <JMP.&MSVCRT._rotl>              
004ECEFA     59            POP ECX
004ECEFB     8906          MOV DWORD PTR DS:[ESI],EAX
In that piece of ASM, EDX contains the current HP. (It's updated or accessed all the time.) The next thing we need to do is find a place that has about 20 free bytes. Usually this is at the end of the .exe file. We also need two bytes free somewhere in Conquer.exe so we can save the HP value there for easier access.

Anyway, I found the 20 free bytes at the end of the exe, so -> (Ctrl + G) -> 5302D1. That is the address where we shall start re-generating the old code that is going to be replaced in the original place. So the next thing we need to do is replace the code that is going to get overwritten by our JMP to this codecave.


Code:
005302D1      FF75 0C               PUSH DWORD PTR SS:[EBP+0C]
005302D4      8915 70905600         MOV DWORD PTR DS:[569070],EDX
005302DA      52                    PUSH EDX
005302DB      E8 48ABFCFF           CALL <JMP.&MSVCRT._rotl>  ; CALL 004FAE28
005302E0    ^ E9 15CCFBFF           JMP 004ECEFA
What this code does is save the value of EDX to a static location (569070, hex). So now we can later read the HP value from that address.

So what do we need to do now? We need to make the original code jump to this little piece of code of ours :P Let's go back to the code block:

Code:
004ECEF1     FF75 0C       PUSH DWORD PTR SS:[EBP+0C]
004ECEF4     52            PUSH EDX
004ECEF5     E8 2EDF0000   CALL <JMP.&MSVCRT._rotl>              
004ECEFA     59            POP ECX
004ECEFB     8906          MOV DWORD PTR DS:[ESI],EAX
Remember what code we did manually? That's right, we did these:
Code:
004ECEF1     FF75 0C       PUSH DWORD PTR SS:[EBP+0C]
004ECEF4     52            PUSH EDX
004ECEF5     E8 2EDF0000   CALL <JMP.&MSVCRT._rotl>
So now we need to replace the following:
Code:
004ECEF1     FF75 0C       PUSH DWORD PTR SS:[EBP+0C]
with the JMP to our codecave. So now the code should look like this:

Code:
004ECEF1     E9 DB330400   JMP 005302D1
So now the original code:
Code:
004ECEF1     FF75 0C       PUSH DWORD PTR SS:[EBP+0C]
004ECEF4     52            PUSH EDX
004ECEF5     E8 2EDF0000   CALL <JMP.&MSVCRT._rotl>                 ; Jump to msvcrt._rotl
should look like this:


Code:
004ECEF1      E9 DB330400   JMP 005302D1
004ECEF6      90            NOP
004ECEF7      90            NOP
004ECEF8      90            NOP
004ECEF9      90            NOP
If you did everything correctly, you can now read the HP from address 569070h and Conquer shouldn't crash.


If you have any comments or questions, please ask.
tanelipe is offline  
Thanks
4 Users
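
The detour in the post above, seen from the integrity-checking side, as an added example that is not part of the original post: it diffs the known-good bytes against the patched bytes, decodes the rel32 JMP/CALL displacements, and confirms where control goes. The byte strings are copied from the listings; the function names and the cave offsets (10 and 15) are assumptions derived from those listings.

```python
import struct

# Bytes copied from the post's listings (patch 5068); all names are hypothetical.
SITE = 0x004ECEF1
ORIGINAL = bytes.fromhex("FF750C 52 E82EDF0000 59 8906")
PATCHED = bytes.fromhex("E9DB330400 90909090 59 8906")
CAVE = 0x005302D1
CAVE_BYTES = bytes.fromhex("FF750C 891570905600 52 E848ABFCFF E915CCFBFF")

def rel32_target(addr, insn):
    """Destination of a 5-byte CALL (E8) or JMP (E9) located at addr."""
    if len(insn) < 5 or insn[0] not in (0xE8, 0xE9):
        raise ValueError("not a rel32 CALL/JMP")
    (disp,) = struct.unpack_from("<i", insn, 1)  # signed little-endian
    return (addr + 5 + disp) & 0xFFFFFFFF

def find_detours(base, good, live):
    """Diff live code against a known-good copy and report every modified
    run that starts with JMP rel32 (the classic inline-hook signature)."""
    findings, i = [], 0
    while i < min(len(good), len(live)):
        if good[i] == live[i]:
            i += 1
            continue
        j = i
        while j < min(len(good), len(live)) and good[j] != live[j]:
            j += 1
        run = live[i:j]
        if len(run) >= 5 and run[0] == 0xE9:
            findings.append({"at": base + i,
                             "target": rel32_target(base + i, run),
                             "nop_pad": run[5:].count(0x90),
                             "resume": base + j})
        i = j
    return findings

def audit_cave(hook):
    """Check that the cave replays the displaced CALL, returns to the first
    untouched byte, and report the global it writes (MOV [imm32],EDX)."""
    call = rel32_target(CAVE + 10, CAVE_BYTES[10:15])
    back = rel32_target(CAVE + 15, CAVE_BYTES[15:20])
    (store,) = struct.unpack_from("<I", CAVE_BYTES, 5)
    same_call = call == rel32_target(SITE + 4, ORIGINAL[4:9])
    return {"call_preserved": same_call, "returns_ok": back == hook["resume"],
            "writes": store}

if __name__ == "__main__":
    for h in find_detours(SITE, ORIGINAL, PATCHED):
        print({k: hex(v) for k, v in h.items()}, audit_cave(h))
```

A code-integrity check that keeps a hash or copy of the clean bytes at 004ECEF1 will see the same nine-byte difference this diff reports.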
Old 10/02/2008, 10:52   #2
 
elite*gold: 0
Join Date: Sep 2008
Posts: 490
Received Thanks: 595
Nicely done, couldn't have put it down better.

A little off topic: think this would work with reading a monster name instead,
as the addresses for those keep changing as well? Think it would be possible to put them into a static location which you can then use with ReadProcessMemory?

(I'm asking this for something I'm working on myself at the moment, too slow to go through all addresses to find a match. Either way I'll look into it, though I'd like to hear your thoughts about it.)
_fobos_ is offline  
Old 10/02/2008, 14:17   #3
 
elite*gold: 20
Join Date: Aug 2005
Posts: 1,734
Received Thanks: 1,001
If you find a place that updates the "Base address" for monsters, then it's possible. I haven't really looked (asm side of this) at how the "base address" for monsters changes. (I did work on a similar thing before, however I had limited knowledge back then, less than now at least.)

I can try to look into this
tanelipe is offline  
Old 10/02/2008, 17:14   #4
 
elite*gold: 0
Join Date: May 2007
Posts: 171
Received Thanks: 41
Quote:
Originally Posted by tanelipe
If you find a place that updates the "Base address" for monsters, then it's possible. I haven't really looked (asm side of this) at how the "base address" for monsters changes. (I did work on a similar thing before, however I had limited knowledge back then, less than now at least.)

I can try to look into this
Yes, monsters have a nice static address and offsets and everything xD
The HP value can be found in an easier way too.
The MP value can't be found. Try to check that, tanelipe (I've been searching for it for a few months but I found nothing related to it)
warriorchamp is offline  
Old 10/03/2008, 04:38   #5
 
elite*gold: 0
Join Date: Sep 2008
Posts: 490
Received Thanks: 595
Quote:
Originally Posted by tanelipe
If you find a place that updates the "Base address" for monsters, then it's possible. I haven't really looked (asm side of this) at how the "base address" for monsters changes. (I did work on a similar thing before, however I had limited knowledge back then, less than now at least.)

I can try to look into this
If you could look into it, that would be really appreciated.
When I can find this out, all that's needed is, if a match is found, to call the attack function.
Then a nice pretty bot can be made in asm
_fobos_ is offline  
Old 10/04/2008, 16:56   #6
 
elite*gold: 20
Join Date: Aug 2005
Posts: 1,734
Received Thanks: 1,001
Haven't had any luck so far at least, I'll probably try it again over this weekend.
tanelipe is offline  
Old 10/12/2008, 07:37   #7
 
elite*gold: 0
Join Date: Nov 2006
Posts: 805
Received Thanks: 464
Quote:
Originally Posted by _fobos_
If you could look into it, that would be really appreciated.
When I can find this out, all that's needed is, if a match is found, to call the attack function.
Then a nice pretty bot can be made in asm
You'd also need to be able to have it figure out when the monster is dead (probably by checking HP and when it's dead (or probably at 1, since if it's at 0 there would be no monster lol)) and have the attack function disabled until the monster is dead so it won't just keep sending it to everything it reads. After doing that you'd probably be in pretty good shape.
Ian* is offline  
Old 12/27/2008, 16:43   #8
 
elite*gold: 0
Join Date: May 2006
Posts: 2,168
Received Thanks: 8,592
Hey tane, have you attempted this for the new conquer.exe with 5089 still running with 5090? I've tried it a few times and a few different methods. Seems to either crash or freeze the exe.
leavemealone is offline  