To find the wc addr at least some asm knowledge is required!
The hard method / how I found it the first time:
Find your y player position (the real one, not the one in the object struct).
For the 1844 build it's: [[[[0088FF40]+680]+D4]+8C]+B4
Set a write-BP on the y-position. Find out what writes to this location while your character tries to climb a mountain.
Code:
          _
         / \   <- move against some hill you can't get up
        /   \
       /     \   0
      /  hill \ /|\
     /         \_/ \________________
After you have found the instruction, trace around until you find some static addr. It should look similar to this: movss xmm0,[0084b464]. This may take some time. I can't remember the exact way but it wasn't very hard to find.
The easy way / using search patterns
This method requires that you already know the wc addr of an older binary and that you have made some notes. So here are my notes for the old RoM version 2.0.6.1834:
Code:
0044D97B - eb 08 - jmp 0044d985
0044D97D - f3 0f 10 0d e8 5a 84 00 - movss xmm1,[00845ae8]
0044D985 - d9 44 24 14 - fld dword ptr [esp+14]
0044D989 - f3 0f 10 05 94 5c 84 00 - movss xmm0,[00845c94] // wallclimb addr
0044D991 - dc 0d 60 5a 84 00 - fmul qword ptr [00845a60]
0044D997 - f3 0f 11 4c 24 0c - movss [esp+0c],xmm1
0044D99D - d9 44 24 0c - fld dword ptr [esp+0c]
0044D9A1 - db f1 - fcomi st(0),st(1)
Now let's take a look at these instructions. Some of them contain static addresses ... like our mc addr. Other instructions contain offsets like +14 or +0C. If the binary gets updated, static addresses will probably change and offsets will not. Ofc offsets can change too ... but it's unlikely ... maybe on major updates.
Code:
0044D97B - eb 08 - jmp 0044d985 // will change
0044D97D - f3 0f 10 0d e8 5a 84 00 - movss xmm1,[00845ae8] // will change
0044D985 - d9 44 24 14 - fld dword ptr [esp+14] // will not change
0044D989 - f3 0f 10 05 94 5c 84 00 - movss xmm0,[00845c94] // wallclimb addr, will change
0044D991 - dc 0d 60 5a 84 00 - fmul qword ptr [00845a60] // will change
0044D997 - f3 0f 11 4c 24 0c - movss [esp+0c],xmm1 // will not change
0044D99D - d9 44 24 0c - fld dword ptr [esp+0c] // will not change
0044D9A1 - db f1 - fcomi st(0),st(1) // will not change
So how can this be useful? You could create a search pattern (keep the bytes that will not change, wildcard the ones that will) and scan the process for it:
Code:
EB,08,??,??,??,??,??,??,??,??,D9,44,24,14,??,??,??,??,??,??,??,??,
??,??,??,??,??,??,f3,0f,11,4c,24,0c,d9,44,24,0c,db,f1
Too bad CE does not have a pattern scanner ... but it can scan for an array of bytes! Open the memory viewer -> Search -> Find Memory -> select Array of bytes.
Search for: f30f114c240cd944240cdbf1
A good idea would be to start the search at an addr. similar to the one in the old binary to avoid wrong results. So start the search at 44D000. Now press OK.
For the 1844 build CE pops up at 44DE47 in the lower part of the window. Now in the upper part of the window go to 44DE47 and scroll up. You should see the mc addr. in the instruction (you may have to disable View->Symbols):
0044DE39 - movss xmm0,[0084b464]
If you want to update your offsets as fast as possible, write your own pattern scanner or search the net for a good one ... I will not share my scanner. Guess it would be a good idea to post a pattern scanner here ... but I'm too lazy to search now ...
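For readers who do want to write their own, here is an added example (not the author's scanner, nor anything from the post) of a wildcard pattern scanner built around the 1834 bytes and pattern quoted above. It decodes the disp32 of the `movss xmm0,[addr]` instruction (`F3 0F 10 05 disp32`) that follows `fld dword ptr [esp+14]`; the image base, padding and the operands other than 00845c94 / 0084b464 are constructed test values.

```python
"""Wildcard pattern scanner (added example, not from the post). Rebuilds the
bytes quoted for build 1834, scans a fake dump with the wildcard pattern and
decodes the static operand of 'movss xmm0,[addr]'. Layout is constructed."""
import re
import struct

# Wildcard pattern from the post: stable opcode bytes kept, address bytes as '??'.
PATTERN = ("EB 08 ?? ?? ?? ?? ?? ?? ?? ?? D9 44 24 14 ?? ?? ?? ?? ?? ?? ?? ?? "
           "?? ?? ?? ?? ?? ?? F3 0F 11 4C 24 0C D9 44 24 0C DB F1")
CE_SEARCH = "F3 0F 11 4C 24 0C D9 44 24 0C DB F1"  # exact bytes typed into CE
MOVSS_OFF = 14  # 'movss xmm0,[disp32]' starts 14 bytes into the pattern

def pattern_to_regex(pattern: str) -> re.Pattern:
    """Turn 'EB 08 ?? D9' into a bytes regex where '??' matches any one byte."""
    parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)]))
             for tok in pattern.split()]
    return re.compile(b"".join(parts), re.DOTALL)

def scan(memory: bytes, pattern: str, base: int = 0) -> list[int]:
    """Return every virtual address (base + offset) where the pattern occurs."""
    return [base + m.start() for m in pattern_to_regex(pattern).finditer(memory)]

def extract_movss_xmm0_operand(memory: bytes, hit_offset: int) -> int:
    """Decode disp32 of F3 0F 10 05 <disp32> located at pattern offset +14."""
    insn = memory[hit_offset + MOVSS_OFF: hit_offset + MOVSS_OFF + 8]
    if insn[:4] != b"\xF3\x0F\x10\x05":
        raise ValueError("unexpected encoding at pattern+14: " + insn.hex())
    return struct.unpack_from("<I", insn, 4)[0]

def build_1834_block() -> bytes:
    """Exact bytes quoted in the post for RoM 2.0.6.1834 at 0044D97B."""
    return bytes.fromhex("EB08" "F30F100DE85A8400" "D9442414" "F30F1005945C8400"
                         "DC0D605A8400" "F30F114C240C" "D944240C" "DBF1")

def demo() -> dict:
    """Fake dump with the 1834 block and a constructed '1844-like' block where
    only the static operands differ (the post reports 0084B464 for 1844)."""
    old = build_1834_block()
    new = bytearray(old)
    new[6:10] = struct.pack("<I", 0x00845BE8)   # constructed
    new[18:22] = struct.pack("<I", 0x0084B464)  # value from the post (1844)
    new[24:28] = struct.pack("<I", 0x00845A80)  # constructed
    pad, base = bytes(0x100), 0x00400000         # constructed padding and base
    image = pad + old + pad * 3 + bytes(new) + pad
    hits = scan(image, PATTERN, base)
    # CE's exact search lands 14 bytes after the movss, as in the post (44DE47 vs 44DE39).
    assert [h - MOVSS_OFF for h in scan(image, CE_SEARCH, base)] == [h + MOVSS_OFF for h in hits]
    return {"hits": hits,
            "operands": [extract_movss_xmm0_operand(image, h - base) for h in hits]}
```

The same scan logic is what signature-based memory scanners use to spot known code in a process, so it is worth knowing regardless of which side of the binary you sit on.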