Académique Documents
Professionnel Documents
Culture Documents
by blub22
(medium)
Ok first of all there are different ways to get offsets, some are easy ,some are difficult
I will show you the way I prefer, because if your done you don't need to look for stuff like dma
(dynamic memory).
Lets start:
2.) Now open Tsearch and attach the process (if you are using Vista you need maybe admin
rights)
3.) We know that our char has currenty full hp (597) lets search.
5.) We need to change our value ,switch ingame and attack a monster ,that will decrease our HP
6.) Lets search again with the same adresses.
7.) 9 adresses, looks better but not all adresses contain the real value only this 2 are right , lets
add them to the listbox.
!! We need all the time a lower HP then the max HP ,don't pot and attack some monsters !!
8.) Now we are finish with Tsearch , open OllyDbg and attach the Sro_client process.
The process stop if you are attach , press F9 to resume.
9.) You see a window with 4 parts , on the left side the Assembler code, below the Dump (the
memory), on the right side the Register with the registers eax,ebx.. the stackpointer esp and
the flags z,c,p.. and below there is the stack window.
10.)Now we search the adresses from Tsearch , righclick in the dump>Go to> expression
11.)In my example its 1D474BF0 but its not the same at your PC.
12.)We want to know where the code gets modified , lets set a memorybreakpoint
13.)Because of the low hp of the char wich recovers itself just slowly Silkroad need to change
this value.
It breaks and paused the process.
14.)If the Game paused some minutes ,you got a disconnect, thats why we must work fast.
15.)Lets analyse the line
mov Dword Ptr DS[ECX+43C],EAX
mov destination,source
eax = contains the current hp
ecx = contains a adress
+43C = the offset
Dwort = a 4byte (DoubleWord)
Ptr = pointer to an adress
This line writes the new HP value on the adress we have found.
Our adress is the same like ecx + 43C.
=> we need to know where ecx comes from.
16.)The line is currently in a call because one line below there is a retn (return)
before we can step over to go to the point where the call is from, we remove the breakpoint
one line higher you see push ebx and left of this a smal arrow >
these is the position where three jumps land
20.)Now you can do it again and analyse where esi got his value.
This took much time and could be much difficult if we need to step in every call or set
breakpoints and check the register window.
In our case we scroll up and search for an adress who contains our adress.
It should look like
mov eax,dword prt ds:[12345678]
first found
0077949D . 8B0D 54F7F000 MOV ECX,DWORD PTR DS:[F0F754]
Look in the small window between assembler code and dump, select the line and you will
see this, you can see that its not our adress.
DS:[00F0F754]=12F92E34 <<<
ECX=1D4747B4
next found
007793F2 . 8B0D 7C09CF00 MOV ECX,DWORD PTR DS:[CF097C]
DS:[00CF097C]=1D4747B4 << this should be your adress
ECX=1D4747B4
21.)Ok , now we have all what we need, lets make program code.
We use the function ReadProcessMemory but before we need a Handle with a readright.
DelphiCode:
var
ProcessId : integer;
HandleWindow : Cardinal;
wnd : HWND;
baseAdress,HP:DWord;
BytesRead : Cardinal;
begin
wnd := FindWindow('CLIENT',nil); //search the Silkroad Window
if wnd <> 0 then //if there is a running Sro Window
begin
GetWindowThreadProcessId(wnd,@ProcessId); //we need the ProcessId for our Handle
HandleWindow := OpenProcess(PROCESS_VM_READ,False,ProcessId);
...
end;
end;
The baseAdress now contains the adress we need before we can get the HP value.
MOV Dword Ptr DS[ECX+43C],EAX
ReadProcessMemory
(HandleWindow,Pointer(baseAdress+$43C),@HP,Sizeof(DWord),BytesRead );
I hope this will help you in understanding how you can get stuff from memory :).
This was part 1 next days follow part 2.
greetz blub22