I'd like to enhance the tutorial from Scaringmeanssharing.
In fact I want to show you how to recreate the teleport-hack, as in my opinion the tutorial from Scaring doesn't really show very well how to retrieve the memory values, nor it's explained why he uses Autohack in T-Search, as we can achieve our goal without debugging.
(which would be intermediate level imho and for teleporting you dont need it)
What is this tutorial covering?
- Finding easy values: Mana/Health/etc
- Finding X, Y coordinates
- Finding Z coordinates
This tutorial addresses newbies only (therefore it has a lot of pictures implemented)
Alright lets start.
First make sure you have WoW started and are logged into your char.
Then fire up a memory-searcher of your choice, i prefer T-Search for my malicious deeds.
As we all know WoW.exe cannot be selected, as its listed as a system process and T-Search has no priviledges to open it. This can be changed for example by using permEdit.zip, brought to us by breakpoint. (i think)
Alright now we can see and open WoW.exe.
If u ever tried to attempt a memory-search in WoW u will have noticed that it takes ages to perform a search.
As we are all aware of Blizzards programming skills, we know that they do not reserve space in the memory of the executable module ? they make use of dlls.
Therefore we goto Process/Details in the menu of T-Search, where we will find all modules loaded by WoW.
Normally (sc, wc3) you would see which dlls are the important ones from the name, but from the dll-names WoW uses, one cannot judge (at least i cant) which dll could hold the values we are looking for.
So what we do is to select a range where we perform a memory-search, for which it is at least possible that it holds those values.
I chose 0 to 4D740000, as the rest of the dlls are either windows-standard-dlls or useless for our hack.
(Oh god this will take a while...)
To let T-Search know which range we have chosen to be searched through, we open View/Options and set our range in the form.
?Freeze Game During Search? actually is not needed with our method, but it makes things easier. (be sure to have filled in a good range or else u will be disconnected when the game unfreezes again ^^)
MEM_IMAGE: Indicates that the memory pages within the region are mapped into the view of an image section.
MEM_MAPPED: Indicates that the memory pages within the region are mapped into the view of a section.
MEM_PRIVATE: Indicates that the memory pages within the region are private (that is, not shared by other processes).
Therefore we can safely only use mem_private, which saves another 1/10 of searchtime
So first to start with something simple: We look for the memory-address that holds the value of the temporary mana.
In my case I have 2751 temporary mana. So we perform a search in T-Search looking for an exact value of 2751. It would be sufficient to look for a 2 Bytes type as well, as our value wont extend 65000 and odd. (actually it would be more accurate, as you can only guess if blizzard saves the mana as unsigned int or as long)
So we get about 300 results. Alright, cast a spell and then sieve by doing a step by step ?has decreased? and 1-2 ?has increased? searches.
You will have 2 final results at the end.
The first address holds the value that we are looking for. (the other one holds the mana before the latest refresh, which we dont need..)
Congrats, you found the temporary mana.
That value (you might already have guessed) has no use for you ? as you cant change it, better said, changes will have no effect since the real variable containing that value is kept serverside and changing client-side variables makes no difference.
As we know that WoW is very well programmed we can conclude, that all the player-variables are kept in a class/structure. (as its programmed in c++ i reckon its a class)
so it might look like this:
class Player {
long Health;
long Mana;
..
};
So we can assume that our address, in my case 20229CEC, is somewhere in this class.
We can also assume that this Player class holds the coordinates of the Player.
i.e. long X, Y, Z; (we dont know that the coordinates are stored as float yet)
Anyways, write down the address that we retrieved.
Alright, now that we found out that we cannot control the mana we will check out the coordinates.
As we have no idea at what coordinates we are located atm we gonna fire up a new search with ?Unknown Value? first, then move, sieve with ?Has Changed?, then turn a little (but don't move), sieve again with ?Has Not Changed? and so on..
I did this for about 5 times and had 164 results in the ?end?.
You can sieve it more and maybe get the X and Y values after a while, but I was too lazy for that
As we have written down our address which stored the mana we can safely conclude which addresses belong to the Player-Class and which don't.
(the coordinates must be in the class and therefore in a near range of our mana-address)
Removing all bogus addresses we still have about 15 addresses, which all seem to have something to do with the X and Y coordinates.
Looking at those values we realise that they are too awkward to be coordinates ? maybe they are not from the type ?long?, but from ?float?. ?Unsigned Int? (2-Bytes) would not be reasonable, as it could not contain enough data for a sufficiant navigation through the WoW-World.
Fortunately ?long? just like ?float? has 4 Bytes so we can just transpone it to ?float?.
Change your position, and sieve again, this time with float as type.
Now you get a screen similar to this one:
You will realise that values containing crap like: 1#.QNAN or 1.345345345+E234
will very unlikely be the coordinates.
Sieve them all out manually (which means by hand and brain).
There we go, 4 values left.
So lets try changing the first value.
bam ! The screen changes ? u have teleported.
Chaning the second address? Works ? also teleported around the room.
Lets see, can we also change the last 2 values?
..hm.. no doesn't work, they just copy the values from our 2 working addresses.
Alright, delete the 2 not-working addresses and there you go with your 2 coordinates. Wait we need 3 coordinates, so how to retrieve the Z address ?
Remember that Blizzard stores the variables in a class ?
And by some strange coincidence the addresses of the X and Y coordinates are only 4 Bytes away from each other. (which happens to come as float is 4 Bytes long).. So its very likely that 4 bytes before or after there will come the Z coordinates.
Common sense tells me that it might come after, so we just add 4 bytes to our second address and see what it contains.
Remember its HEX, so add properly, at best with the windows calculator.
Voila ? You found the Z-Axis.
From that point on its all left to your own.
If you want to create a trainer or something similar u need to be aware that this game involves DMA. Therefore u will need to find a spot in memory, which can always be identified. For example you could use a string and look for it in the memory each time and add up the offsets that lead to your coordinates.
You could add up from the dll start-addresses.
Or you could inject your own code to get around with nasty DMA (my favourite).
Drop me a note if that helped you, or u liked it, whatsoever
gg
--NikEy, Germany
