Finding Off Sets

8/14/2019 Finding Off Sets

1/9

getting the offsets for the ingame HPby blub22

(medium)

Ok first of all there are different ways to get offsets, some are easy ,some are difficult

I will show you the way I prefer, because if your done you don't need to look for stuff like dma(dynamic memory).

At first we need some Tools.-(a debugger) OllyDBG www.ollydbg.de/-(a search tool) Tsearch (no homepage) (better for getting Values)

or MSH www.memoryhacking.com (better for getting Strings,Chars,Unicode)

In this tutorial I will work with Tsearch and OllyDBG only,

Lets start:

1.) Login any Char on any Server

2.) Now open Tsearch and attach the process (if you are using Vista you need maybe adminrights)
http://www.memoryhacking.co/http://www.memoryhacking.co/


2/9

3.) We know that our char has currenty full hp (597) lets search.

4.) 1153 adress with the value 597 , we need only 1

5.) We need to change our value ,switch ingame and attack a monster ,that will decrease our HP


3/9

6.) Lets search again with the same adresses.

7.) 9 adresses, looks better but not all adresses contain the real value only this 2 are right , letsadd them to the listbox.

!! We need all the time a lower HP then the max HP ,don't pot and attack some monsters !!

8.) Now we are finish with Tsearch , open OllyDbg and attach the Sro_client process.

The process stop if you are attach , press F9 to resume.


4/9

9.) You see a window with 4 parts , on the left side the Assembler code, below the Dump (thememory), on the right side the Register with the registers eax,ebx.. the stackpointer esp andthe flags z,c,p.. and below there is the stack window.

10.)Now we search the adresses from Tsearch , righclick in the dump>Go to> expression


5/9

11.)In my example its 1D474BF0 but its not the same at your PC.

12.)We want to know where the code gets modified , lets set a memorybreakpoint

13.)Because of the low hp of the char wich recovers itself just slowly Silkroad need to changethis value.It breaks and paused the process.

14.)If the Game paused some minutes ,you got a disconnect, thats why we must work fast.


6/9

15.)Lets analyse the linemov Dword Ptr DS[ECX+43C],EAX

mov destination,sourceeax = contains the current hpecx = contains a adress

+43C = the offsetDwort = a 4byte (DoubleWord)Ptr = pointer to an adress

This line writes the new HP value on the adress we have found.Our adress is the same like ecx + 43C.=> we need to know where ecx comes from.

16.)The line is currently in a call because one line below there is a retn (return)before we can step over to go to the point where the call is from, we remove the breakpoint

17.) press F8 and step over (2 times) we land here


7/9

18.)lets analyse again , press right click > analysis > Analyse code (needs 1-2min)

Call sro_clie.00857770 < this was the callin the call we had the adress stored in ecx lets look for ecx

one line before the call

mov ecx,esi < the adress was stored in esi before

one line higher you see push ebx and left of this a smal arrow >these is the position where three jumps land

19.)press F9 and look if the Game isn't disconnected.now lets set three breakpoints on je,jnz and jnz( mark the lines and press F2)The Game paused on the first line.

20.)Now you can do it again and analyse where esi got his value.This took much time and could be much difficult if we need to step in every call or set

breakpoints and check the register window.In our case we scroll up and search for an adress who contains our adress.It should look like

mov eax,dword prt ds:[12345678]

first found0077949D . 8B0D 54F7F000 MOV ECX,DWORD PTR DS:[F0F754]

Look in the small window between assembler code and dump, select the line and you willsee this, you can see that its not our adress.

DS:[00F0F754]=12F92E34


8/9

DS:[00CF097C]=1D4747B4


9/9

I hope this will help you in understanding how you can get stuff from memory :).This was part 1 next days follow part 2.

greetz blub22

Finding Off Sets

Documents