!How to find addresses for WarRock!
In this tutorial we will learn how to find addresses using string searches in IDA Pro.
-[Intro]-
- I've seen a lot of tutorials but most of them aren't completely working (updated) anymore.
-[Required materials]-
- Dumped/Unpacked WarRock.exe
- IDA Pro
Open your dumped WarRock.exe in IDA Pro and wait until the status bar in the bottom left hand corner says "idle" (the auto-analysis is finished). Now we are ready to start searching.
-[GlassWalls]-
Now we are going to find the addie (address) for Glasswalls, so search "Frustum.FarDistance". You will see:
  004960D0 push offset flt_9E23F4
So it's #define Glasswalls 0x9E23F4
-[NearFog]-
Now we are getting the NearFog addie, so search "Fog.NearDistance". You will see:
  004960F1 push offset dword_9E9954
So it's #define NearFog 0x9E9954
-[FarFog]-
Now FarFog, so search "Fog.FarDistance". You will see:
  00496158 push offset dword_9E995C
So it's #define FarFog 0x9E995C
-[FogColor]-
Now search "Fog.Color". You will see:
  004961DF push offset flt_9E3484
  004961E4 push offset flt_9E3480
  004961E9 push offset flt_9E347C
So...
#define FogColor1 0x9E3484
#define FogColor2 0x9E3480
#define FogColor3 0x9E347C
-[WaterShallowColor]-
Now search "Water.ShallowColor". You will see:
  00496393 push offset flt_8A8D08
  00496398 push offset flt_8A8D04
  0049639D push offset flt_8A8D00
So...
#define WaterShallow1 0x8A8D08
#define WaterShallow2 0x8A8D04
#define WaterShallow3 0x8A8D00
-[WaterDeepColor]-
Now search "Water.DeepColor". You will see:
  004963BB push offset flt_8A8D14
  004963C0 push offset flt_8A8D10
  004963C5 push offset flt_8A8D0C
So...
#define WaterDeep1 0x8A8D14
#define WaterDeep2 0x8A8D10
#define WaterDeep3 0x8A8D0C
-[FastAmmo]-
Now search "ammo_base". You will see:
  0048FCC3 mov eax, offset dword_9E9A2C
So it's #define FastAmmo 0x9E9A2C
-[FastRepair]-
Now search "repair_base". You will see:
  0048FCEC mov eax, offset dword_9E9A44
So it's #define FastRepair 0x9E9A44
-[Speed]-
BTW the function is: *(double*)(addiehere) = 250;
Now search "Upper". You may need to search several times until you see this:
  004D8954 push offset aUpper ; "Upper"
  004D8959 push esi
  004D895A mov [ebp+arg_0], eax
Now, once there, search "fmul dbl_" (without the quotes) until you see the lines below. KEEP SEARCHING IF YOU DON'T SEE WHAT'S UNDER fmul!
  004DC256 fmul dbl_84AC98
  004DC25C pop ecx
  004DC25D pop ecx
  004DC25E fstp dword ptr [ebp+8]
So it's #define SPEED 0x84AC98
-[Unlim.Ammo Memory]-
Now search "ReadLevelData done". You should see:
  0048DB08 push offset aReadleveldataD ; "ReadLevelData done"
  0048DB0D push ecx
  0048DB0E call dword_8125C8
  0048DB14 pop ecx
  0048DB15 pop ecx
  0048DB16 mov ecx, dword_9E2730
  0048DB1C mov eax, [ecx]
  0048DB1E call dword ptr [eax+1Ch]
  0048DB21 cmp dword_9E23DC, 0
  0048DB28 jz short locret_48DB2F
  0048DB2A jmp sub_4A3E1C
The addie is 9E2730 (from the mov ecx, dword_9E2730 line), so it's #define UnlimammoMem 0x9E2730
-[NoFallDamage]-
Now search "S2_COM06". You will see:
  004B9124 push offset aS2_com06 ; "S2_COM06"
  004B9129 push eax
  004B912A call ebx
  004B912C pop ecx
  004B912D pop ecx
  004B912E test eax, eax
Now from there search "lea esi, [edi+" (without the quotes). You may have to search several times until you see the lines below. Or just search "Backwardmove" and look above it.
  004B957B fstp [ebp+var_4]
  004B957E push ecx
  004B957F fld [ebp+var_4]
  004B9582 lea esi, [edi+102C8h]
  004B9588 fstp [esp+2Ch+var_2C]
  004B958B call sub_41164F
  004B9590 mov eax, dword_9E27D8
  004B9595 call sub_4D6C2F
  004B959A xor ebx, ebx
  004B959C mov esi, eax
  004B959E cmp byte_9E23E6, bl
  004B95A4 jnz short loc_4B95D3
  004B95A6 cmp byte_9E23E7, bl
  004B95AC jz short loc_4B95B5
  004B95AE push offset aBackwardmove ; "Backwardmove"
The offset is 102C8h, so it would be #define OFS_NFD 0x102C8. Just remove the h (IDA's hex suffix) and put 0x in front.
-[OffsetZ]-
Now search "Bip01 R ForeArm" and you will see this:
  004C1519 push offset aBip01RForearm ; "Bip01 R ForeArm"
  004C151E lea eax, [esp+0F0h+var_B0]
If you don't, search again. Now search "lea eax, [ebx+" (without the quotes). You may have to search twice, but you should see something like this:
  004C1937 fld [esp+264h+var_250]
  004C193B fstp dword ptr [eax+34h]
  004C193E lea eax, [ebx+102E8h]
  004C1944 mov ecx, [eax+4]
  004C1947 xor ecx, [eax]
102E8h is the OffsetZ value, so it's #define OFS_Z 0x102E8
-[PlayerPointer]-
Now search "ChangeDisplaySettings Error". Always search more than once until you see something like this:
  00409D0D push ebx
  00409D0E push offset aChangedisplays ; "ChangeDisplaySettings Error"
  00409D13 lea eax, [ebp+var_108]
  00409D19 push eax
  00409D1A push ebx
Now search "mov eax, dword_" (without the quotes) until you see this:
  0040A0A8 loc_40A0A8: ; CODE XREF: sub_409FE8+89j
  0040A0A8 call sub_427E6C
  0040A0AD or eax, 0FFFFFFFFh
  0040A0B0 mov word_8A3D7C, ax
  0040A0B6 mov eax, dword_9E27B0
  0040A0BB cmp eax, ebx
  0040A0BD jz short loc_40A0D5
  0040A0BF xor ecx, ecx
  0040A0C1 inc ecx
  0040A0C2 mov [eax+102A8h], ebx
  0040A0C8 mov [eax+1018Ch], cx
  0040A0CF mov [eax+1018Eh], cl
9E27B0 is the addie, so it's #define Playerptr 0x9E27B0
==== [ ADDED MORE! ] ====
-[ServerPointer]-
Now search "Claymore bounding box %s!". You should see this; if not, search again:
  00408BB1 push offset aClaymoreBoundi ; "Claymore bounding box %s!"
  00408BB6 push eax
  00408BB7 call dword ptr [edx+8]
Now from there search "cmp dword_" (without the quotes). Search until you see something like this:
  00408F3C test ah, 41h
  00408F3F jz short loc_408F60
  00408F41 cmp dword_9E274C, 0
  00408F48 jz short loc_408F51
  00408F4A call sub_40919F
  00408F4F jmp short loc_408F53
The Serverptr addie is 9E274C: look for the cmp dword_ with ", 0" next to it. So it's #define Serverptr 0x9E274C
-[Fifth Slot]-
This one is much easier, just search "CA01" until you see this:
  004B5589 loc_4B5589: ; CODE XREF: sub_4B5280+298j
  004B5589 push offset aCa01 ; "CA01"
  004B558E push eax
  004B558F call sub_797F96
  004B5594 pop ecx
  004B5595 pop ecx
  004B5596 test eax, eax
  004B5598 jnz short loc_4B55A9
  004B559A push 50h
  004B559C mov byte ptr [ebx+1021B4h], 1
  004B55A3 pop edi
  004B55A4 jmp loc_4B56A2
The offset for the 5th slot is 1021B4h, but just remove the h. So it's #define OFS_SLOT5 0x1021B4. To get the other slots just add 1 to the last digit (4): 1021B5 would be slot 6. Or subtract 1 from slot 5: 1021B3 is slot 4, and subtracting another from slot 4 gives 1021B2, which is slot 3. Hopefully you get the point. So it's...
#define slot1 0x1021B0
#define slot2 0x1021B1
#define slot3 0x1021B2
#define slot4 0x1021B3
#define slot5 0x1021B4
#define slot6 0x1021B5
#define slot7 0x1021B6
#define slot8 0x1021B7

CREDITS:
@Shunnai - Best minion EVER!!! <3
@barcoder - Writing tut
@TheCamels8 - Help with offsets
@Alex_Agnew - Help with addies
ADDING MORE SOON!
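As an added example (not part of the original tutorial or the author's code), here is a small Python parser for the kind of IDA listing lines quoted in the sections above. It shows the two notation rules every section applies by hand: an auto-named item such as dword_9E9954 or flt_9E23F4 carries its address in hex after the underscore, and an IDA immediate such as 102C8h is hex with a trailing h, which becomes 0x102C8 in a C #define. The name prefix also tells you the item's width, which is why the Speed section casts to double* for a dbl_ item. The regular expressions, the DataRef type and the C_TYPE mapping are my own; the sample lines are copied from the listings in this post.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Listing lines copied from this post (IDA output with the segment prefix dropped).
LISTING = """
004960D0 push offset flt_9E23F4
004DC256 fmul dbl_84AC98
0048DB16 mov ecx, dword_9E2730
004B957B fstp [ebp+var_4]
004B9582 lea esi, [edi+102C8h]
004B9588 fstp [esp+2Ch+var_2C]
0040A0A8 loc_40A0A8: ; CODE XREF: sub_409FE8+89j
0040A0AD or eax, 0FFFFFFFFh
0040A0B0 mov word_8A3D7C, ax
004B959E cmp byte_9E23E6, bl
00408F41 cmp dword_9E274C, 0
004B559C mov byte ptr [ebx+1021B4h], 1
"""

# One listing line: optional "seg:" prefix, 8-digit instruction address, lowercase
# mnemonic, operands, optional "; comment". Label lines such as "loc_40A0A8:" carry
# no instruction and deliberately do not match.
LINE_RE = re.compile(
    r"^\s*(?:\.\w+:)?(?P<insn>[0-9A-Fa-f]{8})\s+(?P<mnem>[a-z]+)"
    r"(?:\s+(?P<ops>[^;]*?))?\s*(?:;.*)?$"
)

# IDA auto-names a data item by width prefix plus its hex address:
# flt_9E23F4 is a float at 0x9E23F4, dword_9E9954 a 4-byte item at 0x9E9954.
GLOBAL_RE = re.compile(r"\b(dword|flt|dbl|byte|word)_([0-9A-Fa-f]+)\b")

# A field displacement off a register, e.g. [edi+102C8h]. Stack locals such as
# [esp+2Ch+var_2C] do not match because the hex immediate is not followed by "]".
DISP_RE = re.compile(r"\[(e[a-z]{2})\+([0-9A-Fa-f]+)h\]")

# Width implied by the IDA name prefix, i.e. the C type that reads the item whole.
C_TYPE = {"byte": "unsigned char", "word": "unsigned short",
          "dword": "unsigned int", "flt": "float", "dbl": "double"}


@dataclass(frozen=True)
class DataRef:
    insn_addr: int        # address of the referencing instruction
    mnemonic: str
    kind: str             # "global" (absolute address) or "offset" (displacement)
    value: int            # the address or the displacement
    size: Optional[str]   # IDA width prefix for globals, None for offsets


def ida_hex(token: str) -> int:
    """Convert an IDA hex literal ('102C8h', '0FFFFFFFFh') to an int."""
    if not token.endswith("h"):
        raise ValueError(f"not an IDA hex literal: {token!r}")
    return int(token[:-1], 16)


def parse_listing(text: str) -> List[DataRef]:
    """Pull every named global reference and field displacement out of listing text."""
    refs: List[DataRef] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["ops"] is None:
            continue  # blank line, label, or an instruction without operands
        insn = int(m["insn"], 16)
        for prefix, addr in GLOBAL_RE.findall(m["ops"]):
            refs.append(DataRef(insn, m["mnem"], "global", int(addr, 16), prefix))
        for _reg, disp in DISP_RE.findall(m["ops"]):
            refs.append(DataRef(insn, m["mnem"], "offset", int(disp, 16), None))
    return refs


def c_type(ref: DataRef) -> str:
    """C type matching the width IDA inferred for a named global."""
    if ref.kind != "global" or ref.size is None:
        raise ValueError("a displacement has no width of its own; the operand size decides")
    return C_TYPE[ref.size]


def define_line(name: str, value: int) -> str:
    """Write a value the way the post does: a C #define with a 0x literal."""
    return f"#define {name} 0x{value:X}"


if __name__ == "__main__":
    for ref in parse_listing(LISTING):
        width = f"  ({c_type(ref)})" if ref.kind == "global" else ""
        print(f"{ref.insn_addr:08X} {ref.mnemonic:<5} {ref.kind:<6} 0x{ref.value:X}{width}")
    print(define_line("OFS_NFD", ida_hex("102C8h")))
```

The parser only does the mechanical half: it turns IDA's notation into numbers and C literals. Deciding which of the references near a string is the one a section is after still takes the reading of the surrounding instructions that each section describes.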