You are on page 1of 9

getting the offsets for the ingame HP

by blub22

(medium)

Ok first of all there are different ways to get offsets, some are easy ,some are difficult
I will show you the way I prefer, because if your done you don't need to look for stuff like dma
(dynamic memory).

At first we need some Tools.


-(a debugger) OllyDBG www.ollydbg.de/
-(a search tool) Tsearch (no homepage) (better for getting Values)
or MSH www.memoryhacking.com (better for getting Strings,Chars,Unicode)

In this tutorial I will work with Tsearch and OllyDBG only,

Lets start:

1.) Login any Char on any Server

2.) Now open Tsearch and attach the process (if you are using Vista you need maybe admin
rights)
3.) We know that our char has currenty full hp (597) lets search.

4.) 1153 adress with the value 597 , we need only 1

5.) We need to change our value ,switch ingame and attack a monster ,that will decrease our HP
6.) Lets search again with the same adresses.

7.) 9 adresses, looks better but not all adresses contain the real value only this 2 are right , lets
add them to the listbox.
!! We need all the time a lower HP then the max HP ,don't pot and attack some monsters !!

8.) Now we are finish with Tsearch , open OllyDbg and attach the Sro_client process.
The process stop if you are attach , press F9 to resume.
9.) You see a window with 4 parts , on the left side the Assembler code, below the Dump (the
memory), on the right side the Register with the registers eax,ebx.. the stackpointer esp and
the flags z,c,p.. and below there is the stack window.

10.)Now we search the adresses from Tsearch , righclick in the dump>Go to> expression
11.)In my example its 1D474BF0 but its not the same at your PC.

12.)We want to know where the code gets modified , lets set a memorybreakpoint

13.)Because of the low hp of the char wich recovers itself just slowly Silkroad need to change
this value.
It breaks and paused the process.

14.)If the Game paused some minutes ,you got a disconnect, thats why we must work fast.
15.)Lets analyse the line
mov Dword Ptr DS[ECX+43C],EAX

mov destination,source
eax = contains the current hp
ecx = contains a adress
+43C = the offset
Dwort = a 4byte (DoubleWord)
Ptr = pointer to an adress

This line writes the new HP value on the adress we have found.
Our adress is the same like ecx + 43C.
=> we need to know where ecx comes from.

16.)The line is currently in a call because one line below there is a retn (return)
before we can step over to go to the point where the call is from, we remove the breakpoint

17.) press F8 and step over (2 times) we land here


18.)lets analyse again , press right click > analysis > Analyse code (needs 1-2min)

Call sro_clie.00857770 < this was the call


in the call we had the adress stored in ecx lets look for ecx

one line before the call


mov ecx,esi < the adress was stored in esi before

one line higher you see push ebx and left of this a smal arrow >
these is the position where three jumps land

19.)press F9 and look if the Game isn't disconnected.


now lets set three breakpoints on je,jnz and jnz( mark the lines and press F2)
The Game paused on the first line.

20.)Now you can do it again and analyse where esi got his value.
This took much time and could be much difficult if we need to step in every call or set
breakpoints and check the register window.
In our case we scroll up and search for an adress who contains our adress.
It should look like
mov eax,dword prt ds:[12345678]

first found
0077949D . 8B0D 54F7F000 MOV ECX,DWORD PTR DS:[F0F754]

Look in the small window between assembler code and dump, select the line and you will
see this, you can see that its not our adress.

DS:[00F0F754]=12F92E34 <<<
ECX=1D4747B4

next found
007793F2 . 8B0D 7C09CF00 MOV ECX,DWORD PTR DS:[CF097C]
DS:[00CF097C]=1D4747B4 << this should be your adress
ECX=1D4747B4

21.)Ok , now we have all what we need, lets make program code.
We use the function ReadProcessMemory but before we need a Handle with a readright.

DelphiCode:

var
ProcessId : integer;
HandleWindow : Cardinal;
wnd : HWND;
baseAdress,HP:DWord;
BytesRead : Cardinal;
begin
wnd := FindWindow('CLIENT',nil); //search the Silkroad Window
if wnd <> 0 then //if there is a running Sro Window
begin
GetWindowThreadProcessId(wnd,@ProcessId); //we need the ProcessId for our Handle
HandleWindow := OpenProcess(PROCESS_VM_READ,False,ProcessId);
...
end;
end;

This is the preparation before we can get the adresses.


MOV ECX,DWORD PTR DS:[CF097C]

Translated in Delphi it looks like:


ReadProcessMemory(HandleWindow,Pointer($CF097C),@baseAdress,Sizeof(DWord),BytesRead);

The baseAdress now contains the adress we need before we can get the HP value.
MOV Dword Ptr DS[ECX+43C],EAX

ReadProcessMemory
(HandleWindow,Pointer(baseAdress+$43C),@HP,Sizeof(DWord),BytesRead );
I hope this will help you in understanding how you can get stuff from memory :).
This was part 1 next days follow part 2.

greetz blub22

You might also like