Could someone explain what an offset is?

[tommypxl]

These are needed for games, jailbreaks, etc.
1) What are they?
2) Why do we need them?
3) Why do they get updated every patch/update?

[Zaczero]

These are needed for games, jailbreaks, etc.
1) What are they?
2) Why do we need them?
3) Why do they get updated every patch/update?

1)
Offset is a value delta
For example:
x1 = 2
x2 = 6
Δx = 4 <-- offset for x1 to get x2 (x1 + Δx = x2)

2)
All variables got their place in the memory
For example:
Player health is stored at 0x10A000 runtime
When we get the base address of the process (0x100000 in this example)
we can calculate the delta (aka. offset) for the health so it will work every application launch
0x10A000 - 0x100000 = 0xA000 <--- offset for health
We need them to locate that variable in memory and modify it

~Note: it's a REALLY basic example, some offsets got multiple levels and they are not that easy to find

3)
Application structures / functions can be changed so we have to find new offsets.
They CAN change but don't have to. Depends what changes are made to the app / game.

---

Example before update:

Code:

struct Player {
    int health;
    float x;
    float y;
    float z;
    int team; <-- we want this
}

To get the team variable in this structure we need a 0x4 + 0x4 * 3 = 0x10 offset

---

Example after update:

Code:

struct Player {
    int health;
    float x;
    float y;
    float z;
    int state; <-- offset points here
    int team;
}

Now the 0x10 offset points to state variable which is wrong!
We have to find the new offset which will be 0x14 now

[tommypxl]

Wow! Thank you so much for this detail!

[sgbadman]

Why do we often define an offeset as DWORD? I've never really understood why we do that I just do it haha.

[Zaczero]

Why do we often define an offeset as DWORD? I've never really understood why we do that I just do it haha.

"DWORD is not a C++ type, it's defined in <windows.h>.

The reason is that DWORD has a specific range and format Windows functions rely on, so if you require that specific range use that type. (Or as they say "When in Rome, do as the Romans do.") For you, that happens to correspond to unsigned int, but that might not always be the case. To be safe, use DWORD when a DWORD is expected, regardless of what it may actually be." ~~ GManNickG

[sgbadman]

Thanks!, That would actually explain a few things haah. Great help .

[Hell_Demon]

"DWORD is not a C++ type, it's defined in <windows.h>.

The reason is that DWORD has a specific range and format Windows functions rely on, so if you require that specific range use that type. (Or as they say "When in Rome, do as the Romans do.") For you, that happens to correspond to unsigned int, but that might not always be the case. To be safe, use DWORD when a DWORD is expected, regardless of what it may actually be." ~~ GManNickG

Just a note; DWORD is an unsigned long, not an unsigned int. There is a difference, and this is both compiler and platform dependent.

MSVC uses what is called the LLP64 model, which means both int and long are 32-bits, even in 64-bit mode.
GCC uses what is called the LP64 model, which means that int is 32-bits but long are 64-bits under 64-bit mode.