- Joined
- Mar 21, 2016
- Messages
- 2,985
Can you please make it XP compatible?
-
Listen to a special audio message from Bill Roper to the Hive Workshop community (Bill is a former Vice President of Blizzard Entertainment, Producer, Designer, Musician, Voice Actor) 🔗Click here to hear his message!
-
Read Evilhog's interview with Gregory Alper, the original composer of the music for WarCraft: Orcs & Humans 🔗Click here to read the full interview.
-
🏆 HD Modeling Contest #7 POLL is live! ✅ Vote for the TOP 3 MODELS! ❗️Poll closes April 28, 2025. 🎬Watch the entries on our YouTube channel! 🔗 Click here to cast your vote!
Accessing memory from the script - it's time of the revolution
- Status
- Joined
- Mar 21, 2016
- Messages
- 2,985
Are you the developer of War3Loader?
Fyi, it would seem the widescreen fix made by @ENAleksey as a .mix file, does work with v1.26a on XP SP3 with my French version of the game. I will test his fix some other day with v1.27a and v1.27b.
Spell Reviewer
- Joined
- Jan 18, 2005
- Messages
- 27,285
No, but if it was easy then surely the developer would have made it support XP already? As a software engineer I know that Windows changed a lot of its APIs between XP and Vista to make them more future proof, and these new APIs are not supported by XP. Microsoft has dropped pretty much all support for XP by now.
- Joined
- Mar 21, 2016
- Messages
- 2,985
Well, clicking on the appropriate checkbox in Visual Studio 2015/2017 so that it produces an exe compatible with XP, would be a first step.
I notice that War3Loader.exe seems to call the debug libraries, if I understand correctly what VirusTotal says about its PE imports.
Fyi, the current version of the Microsoft Redistributable for Visual Studio 2017 is 14.10.25017, and it installs just fine on XP SP3. VS 2017 builds upon and expands VS 2015's features.
I notice that War3Loader.exe seems to call the debug libraries, if I understand correctly what VirusTotal says about its PE imports.
Fyi, the current version of the Microsoft Redistributable for Visual Studio 2017 is 14.10.25017, and it installs just fine on XP SP3. VS 2017 builds upon and expands VS 2015's features.
Spell Reviewer
- Joined
- Jan 18, 2005
- Messages
- 27,285
Which requires one to download and install the XP compatibility module of VS, something not necessarily done by default (unless installing on XP for obvious reasons). If using C++ one then needs to change the windows version define macro to be appropriate for XP so that a suitable windows header is used (defaults to Windows 10). One then needs to remove all Windows Vista and later API calls, which might reduce compatibility for Vista and later operating systems as there is a reason they were added in the first place. It can turn out to be as simple as a rebuild, but also it could turn out to be impossible.
- Joined
- Mar 21, 2016
- Messages
- 2,985
That is why the developer of War3Loader is the best qualified to tell whether or not it can be made compatible with XP.
- Joined
- Mar 29, 2011
- Messages
- 2,607
War3Loader isn't working for me, throws bunch of MSVCP140D.DLL, VCRUNTIME140D.DLL errors.
- Joined
- Mar 21, 2016
- Messages
- 2,985
War3Loader requires the Microsoft Visual Studio 2017 dll files in order to run.
Such dll files come in two flavors: the ones for the end-users, and the ones for the developers. The name of the ones for the developers end with a 'D'. They are useful for debugging purposes.
Now if you have a look at the VirusTotal report, under the tab 'File Detail', paragraph 'PE Imports', you will notice that the executable uses the developer version of the dlls, not the regular end-user ones.
The problem is, the developer version of these files are not included in any of the Visual Studio 2015/2017 Redistributables afaik.
Fyi, the latest version of the 2017 Runtime for end-users can be downloaded from here:
Téléchargements | IDE, Code et Team Foundation Server | Visual Studio
(under 'Other Tools and Frameworks')
It supersedes any of the 2015 runtimes.
Such dll files come in two flavors: the ones for the end-users, and the ones for the developers. The name of the ones for the developers end with a 'D'. They are useful for debugging purposes.
Now if you have a look at the VirusTotal report, under the tab 'File Detail', paragraph 'PE Imports', you will notice that the executable uses the developer version of the dlls, not the regular end-user ones.
The problem is, the developer version of these files are not included in any of the Visual Studio 2015/2017 Redistributables afaik.
Fyi, the latest version of the 2017 Runtime for end-users can be downloaded from here:
Téléchargements | IDE, Code et Team Foundation Server | Visual Studio
(under 'Other Tools and Frameworks')
It supersedes any of the 2015 runtimes.
- Joined
- Jun 23, 2007
- Messages
- 4,066
This build should work on Windows XP and Windows 10. You also shouldn't have to download any developer libraries.
- Joined
- Mar 21, 2016
- Messages
- 2,985
This new version now also works on XP SP3 (tested with Patch 1.26a, French version).
Thanks a lot.
For some reason, the first time I launched War3Loader, it did not load its plugin ('Checking for plugins...' / 'No plugins were found' in the debug txt file). Therefore, proper widescreen worked in the Campaign, but not the transparency effect with the UI.
So I then quit the game, launched it again and this time I loaded your demo map. The transparency stuff worked.
Since then, the plugin seems to always load as expected, and therefore the transparency effect now works always. Even where it did not the first time. Go figure... Does your loader write something in the Registry?
Should you want to develop this loader some more, then maybe you could add the possibility to launch RoC, for those who want to play its solo campaign?
** edit **
- All You Need to Know About the WannaCrypt Ransomware - MajorGeeks
"Due to the scale of the attack, to deal with the unsupported Windows systems and to contain the spread of the ransomware, Microsoft has taken the unusual step of releasing updates for all older unsupported operating systems from Windows XP onwards."
- http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598
Plus, about the POSReady 2009 updates:
- POSReady 2009 updates ported to Windows XP SP3 ENU
(unofficial, and unsupported by Microsoft)
Thanks a lot.
For some reason, the first time I launched War3Loader, it did not load its plugin ('Checking for plugins...' / 'No plugins were found' in the debug txt file). Therefore, proper widescreen worked in the Campaign, but not the transparency effect with the UI.
So I then quit the game, launched it again and this time I loaded your demo map. The transparency stuff worked.
Since then, the plugin seems to always load as expected, and therefore the transparency effect now works always. Even where it did not the first time. Go figure... Does your loader write something in the Registry?
Should you want to develop this loader some more, then maybe you could add the possibility to launch RoC, for those who want to play its solo campaign?
** edit **
@Dr Super Good:
- All You Need to Know About the WannaCrypt Ransomware - MajorGeeks
"Due to the scale of the attack, to deal with the unsupported Windows systems and to contain the spread of the ransomware, Microsoft has taken the unusual step of releasing updates for all older unsupported operating systems from Windows XP onwards."
- http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598
Plus, about the POSReady 2009 updates:
- POSReady 2009 updates ported to Windows XP SP3 ENU
(unofficial, and unsupported by Microsoft)
Last edited:
- Joined
- Jul 30, 2012
- Messages
- 156
Updated libraries Memory and Version with brand new features (automatic offset detection and new syntax for bytecode). Check the 1st post for more info and get the updated libraries.
- Joined
- Jul 30, 2012
- Messages
- 156
Yes it is, although there was a small mistake of my part (forgot to remove a "return" instruction), I have just tested it under 1.28.5 and it worked.
I have uploaded a new version of the TestMap, please take a look on my post at the other thread.
However, if you say it's crashing "only sometimes" for you, it means that the searching algorithm might be hitting some false positives. I will make a better Testmap, that outputs Debug messages to a file via Preloader native. This will help me to detect the problem.
Hosted Project: EC
- Joined
- Oct 12, 2011
- Messages
- 3,449
This is weird. I'm sure it worked quite well before, but after some hours the crash appeared much more often now. It crashed like 75% of times. :/
I hope you can find the solution soon. : )
I have tested the map btw, and I think the text is way too small to read.
I hope you can find the solution soon. : )
I have tested the map btw, and I think the text is way too small to read.
- Joined
- Jan 23, 2011
- Messages
- 351
Question: Is it possible to make a "PlayerPressesAnyKey" and detect which key is pressed?
I want to create a "quick cast" system :3
I want to create a "quick cast" system :3
- Joined
- Nov 21, 2012
- Messages
- 835
After replacing pjass.exe I imported to clean map: Typecast, Memory, Version, Bitwise, ObjectData, Utils libraries (from 1st post). Got error on saving: "Undeclared function Int2Hex()"
in library "Version". Do I need additional lib?
in library "Version". Do I need additional lib?
Hosted Project: EC
- Joined
- Oct 12, 2011
- Messages
- 3,449
Just comment out all BJDebugMsg in a function called "StackSearcher".
BTW, if you have tested this version, please let me know whether it's crashing or not. The crash only happens sometimes tho.
- Joined
- Nov 21, 2012
- Messages
- 835
Thanks, Ill report how it works on my pc
edit
tested all functions from Utils lib except
all works fine, no crashes
Im using Jass NewGen and War3 version 1.27.1.7085
edit2
it would be very nice if we have here such a functions (like in MemoryHack) for example
IsUnitStunned2
IsAbilityOnCooldown
GetUnitAttackType1
GetUnitAttackType2
GetUnitAttackSpeed
edit
tested all functions from Utils lib except
GetAbilityCurrentCooldownall works fine, no crashes
Im using Jass NewGen and War3 version 1.27.1.7085
edit2
it would be very nice if we have here such a functions (like in MemoryHack) for example
IsUnitStunned2
IsAbilityOnCooldown
GetUnitAttackType1
GetUnitAttackType2
GetUnitAttackSpeed
Last edited:
Hosted Project: EC
- Joined
- Oct 12, 2011
- Messages
- 3,449
@ZiBitheWand3r3r for me the crash only happened when map's loading. If it loads successfully, all functions gonna work fine.
This is strange, I use the same patch version as you. I tried to paste all the memory hack triggers into an empty map but the crash persists :/
EDIT:
I have found the problem. I tried to re-copy-paste all the codes and the crash seems to gone, literally. I took some times to dig in and find out what's the cause. And what I found was weirder than fiction (at least for me):
- If I do not modify anything in Version libs (other than deleting some debug messages that uses Int2Hex), it works fine.
- If I removed line:
- If I replace it with other function like
- If I add anything to that block like:
=> it also results in crash.
In short if I modify anything in that function, it will result in crash. I have re-confirmed it over and over again, and that's really what's happening here. I literally have no idea what's going on here.
This is strange, I use the same patch version as you. I tried to paste all the memory hack triggers into an empty map but the crash persists :/
EDIT:
I have found the problem. I tried to re-copy-paste all the codes and the crash seems to gone, literally. I took some times to dig in and find out what's the cause. And what I found was weirder than fiction (at least for me):
- If I do not modify anything in Version libs (other than deleting some debug messages that uses Int2Hex), it works fine.
- If I removed line:
call BJDebugMsg("Warning! Unsupported version!\nVersion-specific offsets have not been initialized!") in Init function, it results in crash.- If I replace it with other function like
DisplayTimedTextToPlayer, it also results in crash.- If I add anything to that block like:
JASS:
if i == 2894996 then
set PatchVersion = "1.28"
call Init28()
elseif i == 2889044 then
set PatchVersion = "1.27b"
call Init27b()
elseif i == 2586768 then
set PatchVersion = "1.27"
call Init27()
elseif i == 5205600 then
set PatchVersion = "1.26"
call Init26()
elseIn short if I modify anything in that function, it will result in crash. I have re-confirmed it over and over again, and that's really what's happening here. I literally have no idea what's going on here.
Last edited:
- Joined
- Nov 21, 2012
- Messages
- 835
I did the same 2 steps as you with no crash (tried few times to run war3),
do you have jass parser file as linked in first post? I do,
did you move/delete commands
//# +nosemanticerror?
Hosted Project: EC
- Joined
- Oct 12, 2011
- Messages
- 3,449
Not exactly. I use TH's JNGP.
Nope. I don't remove anything else than what I mentioned above.
Anyway the most important thing is, it's now working
- Joined
- Jul 30, 2012
- Messages
- 156
This is what's going on here:
JASS:
exitwhen pJassContext*65536/65536 == 0x88 and pJassContext>65536 and Memory[pJassContext/4+8] == f+888Basically I use VM's instruction pointer (pJassContext/4+8) to verify that the candidate address is really the Jass Context that I want. The problem is, I am comparing that address to an offset from
function Init (f+888). So, if you modify ANYTHING in function Init, that offset will change, and stack searching will fail, causing a crash.But don't worry, I've already got a better search method, wait for it in the next hours.
- Joined
- Oct 18, 2013
- Messages
- 724
If this much work was going into Memory Hack development, we'd truly have some wonderful things by now.
- Joined
- Jul 30, 2012
- Messages
- 156
Updated Version library, please test the new code. I have removed the debug messages, and I'm no longer using instruction pointer for verification, so you are free to make some edits to the code.
This is the basis of memory hack, we can do nothing without having the game offsets, and typing them manually every patch is not only tedious, but any map that uses memory hack will have to be manually updated every time. I'm in the process of migrating the whole memory hack to this method, so that manual updates will no longer be necessary, and it will most likely work in all upcoming versions of WC3.
This is the basis of memory hack, we can do nothing without having the game offsets, and typing them manually every patch is not only tedious, but any map that uses memory hack will have to be manually updated every time. I'm in the process of migrating the whole memory hack to this method, so that manual updates will no longer be necessary, and it will most likely work in all upcoming versions of WC3.
Hosted Project: EC
- Joined
- Oct 12, 2011
- Messages
- 3,449
@leandrotp I see. Looking forward for that update 
- Joined
- Jul 30, 2012
- Messages
- 156
First step of detection is ready. Jass context and main game class are automatically detected now. Please test the attached map and tell me if it works properly. Soon I will be updating the other libraries to work with this code.
Hosted Project: EC
- Joined
- Oct 12, 2011
- Messages
- 3,449
I retried several times. It works, no crash
- Joined
- Nov 21, 2012
- Messages
- 835
I can confirm AddressDetection.w3m works fine.
All values changes when I restart the map (without restarting game) except Found stack frame of VM
It prints the same value until I restart whole warcraft-then it changes.
All values changes when I restart the map (without restarting game) except Found stack frame of VM
It prints the same value until I restart whole warcraft-then it changes.
- Joined
- Jun 21, 2012
- Messages
- 431
Great job leandrotp!
- Joined
- Jul 30, 2012
- Messages
- 156
New code released. Introduced new functionality to assign bytecode arrays to a trigger, also introduced support for loading saved games.
Other libraries now work with the automatic detection method, though not all of the functions are available yet.
Other libraries now work with the automatic detection method, though not all of the functions are available yet.
- Joined
- Nov 21, 2012
- Messages
- 835
I commented:
game crashes everytime I call GetUnitArmor, GetHeroPrimaryAttribute or IsUnitStunned,
warcraft ver 1.27.1.7085.
(I had no problems with previous libraries)
library Version initializer Init requires Memory//, HexNumber because I have no HexNumber libgame crashes everytime I call GetUnitArmor, GetHeroPrimaryAttribute or IsUnitStunned,
warcraft ver 1.27.1.7085.
(I had no problems with previous libraries)
Last edited:
- Joined
- Jul 30, 2012
- Messages
- 156
Sorry, I forgot to divide GameState by 4
JASS:
function ConvertHandle takes handle h returns integer
return Memory[Memory[Memory[Memory[GameState/4]/4+7]/4+103]/4 + GetHandleId(h)*3 - 0x2FFFFF]
endfunction- Joined
- Nov 21, 2012
- Messages
- 835
must be something more to fix, it still crashes
- Joined
- Jul 30, 2012
- Messages
- 156
Indeed, there was 1 "Memory[]" read more than the necessary. Now it is working.
Thanks for reporting, I have changed the library in the OP.
JASS:
function ConvertHandle takes handle h returns integer
return Memory[Memory[Memory[GameState/4+7]/4+103]/4 + GetHandleId(h)*3 - 0x2FFFFF]
endfunction
- Joined
- Nov 7, 2014
- Messages
- 571
Library Version's 'integer GameState' variable doesn't seem to get initialized in 1.28.5 (it does in 1.26).
- Joined
- Nov 21, 2012
- Messages
- 835
yes, it works perfectly for me now, thanks, IsUnitStunned if really cool function
by the way , I tryed GetUnitFlags(u) game prints 3..4 digit integers. Can you explain what it shows?
- Joined
- Mar 29, 2011
- Messages
- 2,607
Can you please provide an older script code for mouse natives? They worked nicely and I can't find the code anymore. No need for any "mouseEnv".
- Joined
- May 9, 2014
- Messages
- 1,820
This ability to access memory is amazing! Even overkill at making the life of the coder much more comfortable. Thank you, @leandrotp for working on this library. But, ...
Is there a way to access Gameplay Constants in-game, using Memory Hack? (without having to create a global and assigning the same value of a certain data field to that global)
On another note, I found some of the offsets that may prove useful to the coder, and ported some from the Memory Hack thread:
Is there a way to access Gameplay Constants in-game, using Memory Hack? (without having to create a global and assigning the same value of a certain data field to that global)
On another note, I found some of the offsets that may prove useful to the coder, and ported some from the Memory Hack thread:
JASS:
function GetUnitAttackAbility takes unit u returns integer
return Memory[ConvertHandle(u)/4+0x1e8/4]
endfunction
function GetUnitBaseDamage takes unit u returns integer
return Memory[GetUnitAttackAbility(u)/4 + 0xA0/4]
endfunction
function GetUnitAttackSpeed takes unit u returns real
return RMemory[GetUnitAttackAbility(u)/4 + 0x1B0/4]
endfunction
function GetUnitAttackSpeedSec takes unit u returns real
local real r = GetUnitAttackSpeed(u)
return 1 / r
endfunction
function GetUnitAttackBackswing takes unit u returns real
return RMemory[GetUnitAttackAbility(u)/4 + 0x190/4]
endfunction
function GetUnitZ takes unit u returns real
return RMemory[ConvertHandle(u)/4 + 0x28C/4]
endfunction
// I made this type-safe, thanks for the 'AHer' ability field!
function GetHeroStatGain takes unit u, integer attribute returns real
if GetUnitAbilityLevel(u, 'AHer') != 0 then
return RMemory[Memory[ConvertHandle(u)/4 + 0x1F0/4]/4 + 0xCC/4 + 2*attribute]
endif
return 0.
endfunction
function CountUnitsInGroupEx takes group g returns integer
return Memory[ConvertHandle(g)/4 + 0x34/4]
endfunction
function IsUnitEthereal takes unit u returns boolean
return Memory[ConvertHandle(u)/4 + 0x1C0/4] != 0
endfunction- Joined
- Jul 30, 2012
- Messages
- 156
Code has been updated, please check the changelong and get the updated versions of all libraries.
Are you sure? I always test it in 1.28.5 before releasing and it was working just fine. Try the new code now, things changed a bit but it should be working as well, I tested here and it worked.
I don't remember exactly, that function is from the time me and Draco were messing with memory hack and discovering new stuff. That integer contains a lot of flags, things like invisibility, invulnerability and so on. I don't recall the meaning of each flag, maybe someday I will make functions like IsUnitInvisible that make use of it. Maybe you can find some info at Draco's Memory hack thread too.
The old code was using fixed memory offsets, and because of that it only worked up to 1.28.1, since I needed to manually update offsets each time a patch was released. As I said I am migrating everything to automatic detection, so the mouse functions are disabled until I write the code to detect the mouse offsets.
But don't worry, I've already got a method to find these offsets, soon I will be releasing an implementation. It won't be too long, I promise.
Of course! Any information that is used by the game can also be retrieved with memory access, it's just a matter of finding where it is. For now I am still developing the basis of memory hack (address detection and base API), but in the future things like this shall be implemented and much more! Maybe gameplay constants are stored in a place that will require me to detect another game offset, I don't know, but it shouldn't be much of a problem.
Also don't forget that you have Draco's thread as a reference, even though his code is a bit messy he made a huge progress in many areas, and you can port many functions from his code to this library if they use offsets that are already being detected.
Are you sure? I always test it in 1.28.5 before releasing and it was working just fine. Try the new code now, things changed a bit but it should be working as well, I tested here and it worked.
yes, it works perfectly for me now, thanks, IsUnitStunned if really cool function
by the way , I tryed GetUnitFlags(u) game prints 3..4 digit integers. Can you explain what it shows?
I don't remember exactly, that function is from the time me and Draco were messing with memory hack and discovering new stuff. That integer contains a lot of flags, things like invisibility, invulnerability and so on. I don't recall the meaning of each flag, maybe someday I will make functions like IsUnitInvisible that make use of it. Maybe you can find some info at Draco's Memory hack thread too.
The old code was using fixed memory offsets, and because of that it only worked up to 1.28.1, since I needed to manually update offsets each time a patch was released. As I said I am migrating everything to automatic detection, so the mouse functions are disabled until I write the code to detect the mouse offsets.
But don't worry, I've already got a method to find these offsets, soon I will be releasing an implementation. It won't be too long, I promise.
Of course! Any information that is used by the game can also be retrieved with memory access, it's just a matter of finding where it is. For now I am still developing the basis of memory hack (address detection and base API), but in the future things like this shall be implemented and much more! Maybe gameplay constants are stored in a place that will require me to detect another game offset, I don't know, but it shouldn't be much of a problem.
Also don't forget that you have Draco's thread as a reference, even though his code is a bit messy he made a huge progress in many areas, and you can port many functions from his code to this library if they use offsets that are already being detected.
- Joined
- Jun 13, 2016
- Messages
- 586
This reminds me, on a slightly tangetial note. I was meaning to ask someone this. Excuse me if you've been asked this a ton of times already.
How do you find the offsets for each version? Do you use signature scanning for it, or have you been doing it manually in disassembly or something?
Can you please give a general overview of the procedure you use to update the offsets? Just what tools you use and the general outline of the process, not asking for a detailed tutorial, haha.
I've just been recently looking into a certain, but very useful tool for WC3 called Lua Engine (I think it's on d3scene), but it's outdated and it uses fixed offsets (a few hundred of them), which have obviously broken with new versions, and I'm looking to update it for the latest version of WC3 since I can use it for my map. You'd help me immensely if you gave me some pointers in which direction I should dig.
- Joined
- Nov 7, 2014
- Messages
- 571
When compiling in debug mode (vJass) it doesn't work (the GameState variable is not initialized), but in release mode (vJass's inliner kicks in) it does work. I tend to always "stay" in debug mode =)...
- Joined
- Jul 30, 2012
- Messages
- 156
Having a ton of experience in this area, I can tell you that there isn't a standard step-by-step way that will work for every case. Actually what introduced me to the programming world many years ago was exactly this matter: I got the source code of a hack for the game Gunz: The Duel and, having never programmed anything in my life, I managed to find the updated offsets and recompile the hack for a newer version of the game client.
Obviously I didn't figure everything just by myself. Someone on those forums had posted a simple tutorial of finding some offsets in gunz.exe through signature searching. It worked on that particular case, but this method isn't guaranteed to work everywhere, especially in the case of WC3.
More important than specific byte signatures, is the ability to recognize similar code patterns across different versions. This requires some disassembly and reverse engineering skills, but it's something you'll be acquiring with time. Let's take a look at an example:
This is the disassembly of the native
GetUnitPointValueByType from patch 1.26. As you can see it hashes the rawcode, then calls GetObjectData passing the UnitData pointer as the 1st argument, in the ECX register.Now let's take a look at the same native from patch 1.27a:
Looks completely different, doesn't it? Where's the call to GetObjectData, and what is all this new code after IntegerHash? Did Blizzard change this function so drastically?
Now just take a look at GetObjectData itself, from 1.26:
Can you see the similarities? The code that comes after the IntegerHash call looks very similar to the code of GetObjectData itself. With the difference that we now have
MOV EAX,[67B1C494] in the place of MOV EAX,[ECX+24] and MOV ECX,[67B1C48C] instead of MOV EDX,[ECX+1C]The reason looks simple now: the call to GetObjectData has been inlined! And this is not something unexpected, because Blizzard changed the compiler for the 1.27 patch, migrating to a newer version of Visual Studio, which has a more aggressive optimizer. Many other function calls have been inlined like this.
So we can deduce, if [67B1C494] is [ECX+24], and [67B1C48C] is [ECX+1C], then the address of pUnitData is certainly 67B1C470. Subtract it from the base of game.dll (at this time it was 66F30000) and the result is 0xBEC470, the offset of the UnitData table for patch 1.27.
Well I suppose I did nothing but complicate the things for you until now right? As I said this job inevitably requires good disassembly skills, but I can give you some hints:
First step: Open game.dll from 1.26 and go to the offset you want. See if it's located in code or data sections, and find references to it.
As an example, I'll use the offset of MouseEnv object (game.dll+AB4F80), which gives access to mouse functions.
As you can see this object has 5 references, and 3 of them are in the same function. So the deal is, if we find this function in patch 1.27, we got our address.
Second step: now what you need to do is find something in this function that could possibly be used to search for it in the new patch. Strings and constants are always good candidates, WC3 has a lot of debug information in it's executables, like classes and source file names, and sometimes they helps us to find functions across versions.
Well, it found 42 references to the string "CGameUI.cpp". This is not so bad, in the worst case we could look at those functions one by one, and see if we find something more-or-less similar to what we are looking for. But let's try something different, the constant 1AAF:
Wow, we've got it! Only one reference, and it's exactly what we want! Just compare the two functions, and see that they are very similar. Some small changes here and there, like a conditional move (CMOVNZ) instruction in the place of a Jump, but as I said, this is just compiler optimization.
If you want more confirmation, just look at the function calls: they both are calling Storm.#401 with exactly the same parameters, and after that an object constructor (67279FA0) is called, which is also very similar to the one from 1.26 (6F2FE9F0) This is definitely the function we want.
So the address of MouseEnv in this version is 67B16350, subtract from base of game.dll and we get 0xBE6350.
If you cannot locate something noticeable that you can use to search, or if the search yields too many results, you can try looking for the callers and callees of that function. Try repeating the process above with a function that calls or is called by the function you want, and if succeed you will most likely find it too.
If the address you're looking is located in a Jass native, or a function that is called by a native, then it's bingo! All natives have well-defined addresses, and you can easily locate them through their name:
That is the initializer of the Jass natives table. The address of the native is in the MOV ECX instruction, right below the native name. In this case it is 6F3B2E20 for the native
GetUnitPointValueByType. You can easily find any native this way.Well, these are some methods that I use to find offsets myself. Other things include looking at objects' vTables and searching for generic instructions (OllyDbg allows to search for generics like "MOV R32, [R32+24]" which returns any MOV instruction that fits this pattern, independently of the used registers). As I said, every case is specific, and it all depends on your skills.
I'm pretty sure you'll learn a lot if you really dig into this subject. Reading some assembly lessons is a good starting point (it is how I started myself, learned ASM before any other language). And don't be afraid to ask for any further help, if I don't help you, certainly someone else will.
Last edited:
- Joined
- Jun 13, 2016
- Messages
- 586
Man, this is great! More than I'd ever hope for, and it certainly helps me get started. This subject always felt like somewhat arcane to me, even though I have a decent grasp on low-level concepts, and most of what you said made perfect sense to me. Although, I could never quite figure out how to even approach this, but this helped a lot. It's how they say, the hardest thing is to get started. Huge, huge, huge thanks to you!
This really inspires me to go and dig into this myself.
- Joined
- May 9, 2014
- Messages
- 1,820
Quite a nice approach to something low-level. Reading that also made me want to go about this memory thing myself, too. However, while using the debugging software, should warcraft 3 be running?
Another thing, how did you get the index of the natives? (Some arbitrary R for a native N)
Last edited:
- Joined
- Jul 29, 2007
- Messages
- 5,174
Very nice explanation.
Making hacks for Gunz was certainly a fun time. By now I don't remember anything about reverse engineering though
Making hacks for Gunz was certainly a fun time. By now I don't remember anything about reverse engineering though
- Joined
- Jul 30, 2012
- Messages
- 156
I found the reason, it's because I'm invisibly "returning" a value from function Step1, even though it returns nothing, I'm manipulating R0 to actually get a value passed back to bytecode. But when inliner is disabled, the Array sets become function calls, and every function call resets the value of R0, causing the VM crash when trying to access it. I'm gonna fix it in the next release
It doesn't need to be running, OllyDbg has the option to open a dll file directly for analysis, so you don't need to run wc3 at all, you can open game.dll directly with OllyDbg and see everything.
But it's possible to use it with the game running too! You can launch WC3 directly from OllyDbg, or launch it from WE and attach the debugger to it. But keep in mind that the game must ALWAYS be running in window mode if you're going to do that. If you're using NewGen it's better, as it can already launch WC3 in window mode.
If you forget to run in window mode, and the game gets paused by the debugger, you'll be unable to ALT-TAB out of the game screen, and you'll be forced to restart your computer! So don't make that mistake.
Also, what do you mean by "index of natives"? I didn't understand.
Very nice explanation.
Making hacks for Gunz was certainly a fun time. By now I don't remember anything about reverse engineering though
Did you make gunz hacks too? Did you release them? I'm Anônimo from GamerzPlanet (http://www.gamerzplanet.net/members/anônimo.2818941/).
Last edited:
- Joined
- Oct 3, 2017
- Messages
- 26
It's more convinient to read the code as C. Just take a look at GitHub - DracoL1ch/WC3Memory game126.c
That's way it's much easier to see constants, look for a strings, debug info, etc. IDA does this stuff, althought it's payed software, the best, with ExtraPass plugin. Converted code is much easier to compare between versions as well, if it's not that drastical jump as from 26 to 27.
Many constants are still searchable by patterns, offsets, etc. Just in case if you dont like byte-searching (like me) you can take this approach. It's not easier in common sense, it's just more human-like. Leandro the best, of course, but simple man needs simple solutions
That's way it's much easier to see constants, look for a strings, debug info, etc. IDA does this stuff, althought it's payed software, the best, with ExtraPass plugin. Converted code is much easier to compare between versions as well, if it's not that drastical jump as from 26 to 27.
Many constants are still searchable by patterns, offsets, etc. Just in case if you dont like byte-searching (like me) you can take this approach. It's not easier in common sense, it's just more human-like. Leandro the best, of course, but simple man needs simple solutions
- Status
