Hello everyone,
I've been on MPGH for forever now, though not active in the past couple years. This is an alternate account I had to create as my other account was falsely banned for scamming and I'm too lazy to appeal for it.
Anyway, in this tutorial I'll be explaining how to find offsets to make your own zoom hack. I've noticed there was a tutorial to find the value in memory of the current zoom amount but, that alone isn't enough to create a (proper) zoom hack. For future reference we'll call this value mCurrZoom. Setting mCurrZoom to a new zoom value does yield the desired result however, it gets reset when you try to zoom in/out in game using the scroll-wheel or whatever binds you have to zoom in and out.
I'll explain how you can find the required addresses to create your very own zoom hack. The process is quite simple, though it'd be a little difficult to understand for less experienced hackers--but, fear not, you'd still be able to do it by following the instructions.
As for prerequisites: A basic knowledge of Cheat Engine will do you a solid. Other than that, to really understand what's being done, you'd have to know a little about computer memory and the assembly language--though, knowledge of these is not necessary to achieve the results following the tutorial.
I won't be posting any pictures as I'm too lazy to do that.
So, without further ado I'll explain the process of creating your own zoom hack step-by-step.
STEP 1: Finding mCurrZoom
-Firstly we'll need to find mCurrZoom
-Go into the practice tool or any other game mode and attach Cheat Engine to League of Legends
-Do an unknown initial value scan of type float
-Zoom in and out and do increased/decreased value scans respectively until you've filtered the address list down to 2 addresses
-Add both the addresses to your address list
-Test both addresses by changing the value to find the writable one--it should change the in-game zoom
-The writable address is mCurrZoom
Hint: 2250 is the maximum zoom amount
You can change the mCurrZoom value to the new, desired zoom value and it'll be done. Though, trying to zoom in game will clamp the zoom value if it's out of bounds. We're trying to create a professional hack so this is not what we want.
STEP 2: Analyzing how mCurrZoom is being used
-Now that you have mCurrZoom, we wan't to find out how it's being used by the game code to try and figure out what logic incurs the zoom clamp
-Right click on the address in your address list and select 'Find out what writes to this address'. We're only interested in what writes to the address because the address gets written to with the minimum and maximum zoom values when we try to exceed the bounds
-Go in game and zoom the camera with your mouse or whatever binding you have set up
-You'll notice that only one instructions writes to the address, which is good. Try to reach the lower and higher extremes and you'll see that this instruction only gets executed when zooming in bounds
Here's the portion of code you'll have end up to:
Code:
00CBF8A1 . /75 0D JNZ SHORT League_o.00CBF8B0
00CBF8A3 . |8B86 28020000 MOV EAX,DWORD PTR DS:[ESI+228]
00CBF8A9 . |F3:0F1040 28 MOVSS XMM0,DWORD PTR DS:[EAX+28]
00CBF8AE . |EB 08 JMP SHORT League_o.00CBF8B8
00CBF8B0 > \F3:0F1005 C0D8AE01 MOVSS XMM0,DWORD PTR DS:[1AED8C0]
00CBF8B8 > 0F2FC8 COMISS XMM1,XMM0
00CBF8BB . 77 0F JA SHORT League_o.00CBF8CC
00CBF8BD . 8B86 28020000 MOV EAX,DWORD PTR DS:[ESI+228]
00CBF8C3 . F3:0F1040 24 MOVSS XMM0,DWORD PTR DS:[EAX+24] // mZoomMinDistance moved into XMM0
00CBF8C8 . F3:0F5FC1 MAXSS XMM0,XMM1
00CBF8CC > 0F2E86 38020000 UCOMISS XMM0,DWORD PTR DS:[ESI+238]
00CBF8D3 . 9F LAHF
00CBF8D4 . F6C4 44 TEST AH,44
00CBF8D7 . 7B 08 JPO SHORT League_o.00CBF8E1
00CBF8D9 . F3:0F1186 38020000 MOVSS DWORD PTR DS:[ESI+238],XMM0 // mCurrZoom set here
00CBF8E1 > 8B4D F4 MOV ECX,DWORD PTR SS:[EBP-C]
00CBF8E4 . 64:890D 00000000 MOV DWORD PTR FS:[0],ECX
00CBF8EB . 59 POP ECX
00CBF8EC . 5E POP ESI
00CBF8ED . 8BE5 MOV ESP,EBP
00CBF8EF . 5D POP EBP
00CBF8F0 . C2 0400 RETN 4
-We can see that mCurrZoom ([ESI+238]) is being set to the value of the XMM0 register by the following instruction:
Code:
MOVSS DWORD PTR DS:[ESI+238],XMM0
STEP 3: Finding the address of mMaxZoomDistance
-There is only one instruction writing to the address from which we can assume that the value of XMM0 is being modified before it is being set--boundary checking and clamping is being done. So we look at some of the preceding instructions and see all instructions that write the value of XMM0 (using the MOV instruction). We're interested in anything that might seem like the minimum or maximum zoom value.
-You can infer the different values referenced by the instructions by debugging to see where the minimum and maximum zoom values are being. Anyway, I found that the following instruction was moving the minimum zoom value into XMM0:
Code:
MOVSS XMM0,DWORD PTR DS:[EAX+24]
-This means that XMM0 is being set to the mMinZoomDistance, so we assume that mCurrZoom is checked to be less than mMinZoomDistance and if it is, the instruction is executed and the zoom value is set the minimum value (clamped). The main thing we can 'harvest' from this instruction is the fact that mCurrZoomDistance is stored in the structure pointed to by ESI, 24 being the offset to get the value. Since mMaxZoomDistance is related to mMinZoomDistance, we can assume they're in the same structure--and we can also assume there'll be other useful, related data in the same structure.
-So, to get the actual address of the structure toggle a breakpoint on the instruction above where the minimum zoom value is being set and in the memory view, on the right-hand side, copy the value of EAX and add it to your address list. This is the address of the CameraController structure. Now, right click on it and click on 'Browse this memory region' and then do a Dissect data/structures. For the size of the structure, 64 bytes should be enough.
-The mMaxZoomDistance value is just 4 bytes below mMinZoomDistance, at offset 0x28. Setting this to a higher value will result in a higher zoom cap. I'd tell you to experiment and find out what the other values do as well but, I've already deciphered the structure and it's as follows:
Code:
0x00 mPositionSemiLockMaxZDown
0x04 mPositionSemiLockMaxZUp
0x08 mPositionSemiLockMaxXTop
0x0C mPositionSemiLockMaxXBottom
0x10 mAccelerationTimeMouse
0x14 mDecelerationTimeMouse
0x18 mAccelerationTimeKeyboard
0x1C mDecelerationTimeKeyboard
0x20 mTopdownZoom
0x24 mZoomMinDistance
0x28 mZoomMaxDistance
0x2C mZoomEaseTime
0x30 mZoomMinSpeed
0x34 mDragScale
0x38 mDragMomentumDecay
0x3C mDragMomentumRecencyWeight
And there you have it, all you need to create your zoom hack. You can modify the values within Cheat Engine itself or create an external trainer. The structure address you found is also dynamic, so doing a pointer scan on it would be a good idea.
Closing notes:
I hope I've sated the curiosity of everyone who's been wanting to do a zoom hack themselves and how things are done. You'll notice that it's actually quite simple. Hopefully everyone understood what I wrote as I have tried my best to convey this information. If it helped you out leave a thanks or something, or don't I don't care. This is still considered pretty basic and it is in fact aimed at the beginner hackers out there so they can pick up a thing or two.
I'm quite bored tonight and I also love to type away, thus the lengthy post. So, apologies for that if you hate reading and also if this topic wasn't worth this many words.
Finally, if you have any questions don't be afraid to ask.
Regards