This post is a continuation of post on strings and char name as well as a response to a PM from OoO.
It contains detailed step by step explanation on how to find base pointer and offsets for Name in Perfect World (PW), with high amount of graphical content and in depth explanations.
As before, Cheat Engine (CE) was used as a memory scanning tool and for this particular example, hacked exe for PW International (the one in US). Exe was supplied to me by OoO and as far as I can tell, only unlimited zoom was changed from original version, but as I have never played on International version, other changes may have been done to exe as well.
I should also point out, that CE is used with all settings on default, so if you changed any, you might be getting different results.
Character name that was used is "Accessor", without " obviously.
Let us begin.
Start PW, start CE, hook CE to process elementclient.exe (OoO: I renamed hacked .exe to match original name).
Setup search parameters, click First Scan and you get something like this:
Right, 19 results. Plenty to work with, but not too much thankfully. We're going to skip whole elimination process and start working on all of them. Not that it doesn't work, but it'll take some time and probably only eliminate 1-2 matches. So, select them all and click red arrow to copy them in window below.
Now we are going to remove false positives by right clicking on first entry and selecting "Find out what accesses this address". Little window will pop up (referred to op codes window from here) and as it does, we alt tab to PW for a moment than back to CE. If the op codes window remains empty, close it and remove the entry. Else leave entry and move on to the next one. Continue doing that untill you have removed all entries that yielded no results. Series of images below depict this process:
This is the little window (op codes window) in question. Note that first time you click "Find out what accesses this address" you are presented with a question to which you answer Yes. Besides the op codes window, a smaller one will also open, which you can ignore and close if you desire. We won't be needing it.
I will not go into any detail as to what this windows do and how, as that information can be obtained from CE forums as well as many other place.
Window above remains empty after alt tabbing to PW and back, so we will remove this entry after closing window.
Below is an example of how it looks like when it doesn't remain empty:
Now we have eliminated all those that yielded no results and we are left with...
...3 entries in my case. Luck is on our side today
We know now that one of these 3 is the value we are after, but we have no other means of filtering it further, so we might as well begin searching for base address. Hints posted before, tell us that we are looking for level 3 pointer, that first offset must be 0 and third one must be 0x20. But careful now! Numeric ordering is assumed from our perspective, from how we add them. First one we add is numbered first and so on. But actual ordering should be done other way around with first one being the one "closest" to base pointer. Reason we are assuming "wrong" ordering is because our first pointer is the one we encounter first. I'm not trying to confuse you here, just warn you to be careful when reading documentation from other sources.
I'll start with first entry, despite the fact I know it's wrong. I'll do this to show how you can tell it's wrong, using information above.
Right click first entry, select what accessed this address and alt tab to PW then back to CE. Op codes window gets filled with some stuff as it did before and now we are going to take a look at it a bit closer.
First click Stop, this is to stop debugger from running. You will notice button caption changed to Close. Double click on first entry in op codes window (or select it and click button "More Information").
I picked first entry and used probable address in search. For that you want to set Value type to 4 bytes, Scan type to exact value and checking Hex check box. Enter probable address and click First Scan.
I only got 1 match, but you may get more. Either way, following process must be done for all matches, since you do not know which one is right.
Add every match as pointer by clicking on button "Add address manually" and fill window that opens like depicted here:
You can optionally change description as well, so you can track it easier later. I made my description into "name, level 1". Click OK once done and you will notice it gets added in lower window. Note P-> before address, it means it's a pointer to that address and it's what we will be working with now.
It's a level 1 pointer, now we use it to find next offset, for level 2. Right click on it and again select "Find what accesses this address" from dropdown. Since this is a pointer, you are presented with an option:
Click on first button from the top captioned "Find out what accesses this pointer" and you are once again presented with op codes window. And again, as before, you will want to alt tab PW and then back to CE.
I got this:
Look at the image carefully. None of them has expected offset (in the range of 0x5F0 as mentioned few times already). Thus, none of them is correct and as a result pointer we made is incorrect as well as the original entry we started from. Good, at least we are down one false positive.
Close op codes window and remove pointer that you added as well as first value entry we started from.
Now we move to the next entry, which just happens to be correct one. Same procedure as above is used, right click, Find out what accesses.
Both entried have 0 offset, thus both are candidates and as luck will have it, both also have same probable address. Run a search for it and add result (results) as pointer as described above.
Again, right click on pointer you just added and select Find what accesses this address. DO NOT forget to alt tab to PW and back.
Well I'll be damned! Not only is the offset in the range of 0x5F0 but it actually IS 0x5F0 on this version. We must be on the right track for sure.
With a smile on your face search for probable address.
Ouch, 21 results. Oh well, most often first one is correct so let's go with it.
We want to add it as another (2nd) offset to pointer entry. To do this, double click address column of pointer entry (it's the one we added remember, P->address ) and same window opens as before when we were adding it. Now click button Add pointer and you get another row to fill.
Click OK and optionally modify description. I made my "level 2, name", since this is now a level 2 pointer to name. You will notice that Type column became UText[0] and Value column is empty. It appears to be CE bug, but we can fix that without serious delay by double clicking on UText[0] and setting length to what it needs to be.
Only one offset left now and at the risk of repeating my self, right click on pointer entry and select Find what accesses this address. You will quickly realize that op codes window is filling fast without even alt tabing to PW. Yes sir, we are now deep in PW memory bowels and code here runs regardless of whether PW UI is active or not. Skip the alt tabbing and just click Stop.
Offsets are all 0x20, as expected. Note probable address of first entry in op codes window. It's 0x034A89A0, just a bit lower that the address for second entry in our pointer which was 0x034A89C0. This is always a good sign, base pointer should be very low in address list and if we are moving towards that direction we must be doing something right.
Run a search for probable address now and ...
.. oh yeah, I'm home honey !!! We got base address.
Add this one as the one before, double click on P->address, click Add Pointer, fill and click OK once done.
You can now modify description to "Name, base pointer", congratulate your self on a job well done, have a beer or a cup of tea and save CE table before your computer crashes
.
In order to test it fully, close CE and PW (even restart your computer if you really want to be sure, or use different computer), then run PW and CE, hook elementclient.exe process again and load saved CE table.
If your pointer still points to Name you can rest assured that it works.
Last image shows what you got in the end and it's what was written many of times on forums:
base address + offsets
0x009652E4 + 0x20 + 0x5F0 + 0 <- Name
That is also what you were looking for OoO, base address and offsets to Name on cracked exe.
For those that want to test it out on their own, I've done the same for original exe for PW International (US version) and it's:
0x0096B6E4 + 0x20 + 0x5F0 + 0
Turns out that base address + 0x20 points to a player struct that contains all info for logged in character. Knowing that, one can easily play with second offset and see what you get. Of course, first offset (0) is not needed for numeric values like hp, mp, etc,.. so you are down to 2 level pointer then.
Current HP on cracked exe for example:
Type is no longer text of course, you'll need to change that to 4 bytes for hp for example. But the rest is practically identical.
This is by far not the only way this can be done, if you know any assembler op codes widow alone offers possibilities beyond and then some.
Try, experiment, learn and don't forget to have fun.
If you lack knowledge of CE do the tutorial provided by CE and/or visit CE forums.
It may be that I missed something on some steps or commented it badly. I will answer questions and explain in more detailed if that is the case.
I will not however answer questions from people, where it's plainly visible that they didn't even read it all. I know it's a lot but seeing that someone went trough the trouble of putting it together, you might at least read it all before posting questions.
