  1. #1
    barcoder

    How To Find WarRock Addies - Up2Date

    !How to find addresses for WarRock!

    -[Intro]-
    - In this tutorial we will learn how to find addresses using their searches.
    - I've seen a lot of tutorials, but most of them aren't completely working (updated) anymore.

    -[Required materials]-
    - Dumped/Unpacked WarRock.exe
    - IDA Pro

    Open your dumped WarRock.exe and wait until it says "idle" at the bottom left-hand corner. Now we are ready to start searching.

    -[GlassWalls]-


    Now we are going to find the addie for Glasswalls so search "Frustum.FarDistance". You will see:

    ___:004960D0 push offset flt_9E23F4
    So it's #define Glasswalls 0x9E23F4

    -[NearFog]-


    Now we are getting the nearfog addie so search "Fog.NearDistance". You will see:
    ___:004960F1 push offset dword_9E9954
    So it's #define NearFog 0x9E9954

    -[FarFog]-

    Now FarFog, so search "Fog.FarDistance". You will see:

    ___:00496158 push offset dword_9E995C
    So it's #define FarFog 0x9E995C

    -[FogColor]-


    Now search "Fog.Color". You will see:

    ___:004961DF push offset flt_9E3484
    ___:004961E4 push offset flt_9E3480
    ___:004961E9 push offset flt_9E347C
    So...
    #define FogColor1 0x9E3484
    #define FogColor2 0x9E3480
    #define FogColor3 0x9E347C

    -[WaterShallowColor]-


    Now search "Water.ShallowColor". You will see:

    ___:00496393 push offset flt_8A8D08
    ___:00496398 push offset flt_8A8D04
    ___:0049639D push offset flt_8A8D00
    So...
    #define WaterShallow1 0x8A8D08
    #define WaterShallow2 0x8A8D04
    #define WaterShallow3 0x8A8D00

    -[WaterDeepColor]-


    Now search "Water.DeepColor". You will see:

    ___:004963BB push offset flt_8A8D14
    ___:004963C0 push offset flt_8A8D10
    ___:004963C5 push offset flt_8A8D0C
    So...
    #define WaterDeep1 0x8A8D14
    #define WaterDeep2 0x8A8D10
    #define WaterDeep3 0x8A8D0C

    -[FastAmmo]-


    Now search "ammo_base". You will see:

    ___:0048FCC3 mov eax, offset dword_9E9A2C
    So it's #define FastAmmo 0x9E9A2C

    -[FastRepair]-

    Now search "repair_base". You will see:

    ___:0048FCEC mov eax, offset dword_9E9A44
    So it's #define FastRepair 0x9E9A44

    -[Speed]-

    BTW the function is: *(double*)(addiehere) = 250;

    Now search "Upper". You may need to search several times until you see this.

    ___:004D8954 push offset aUpper ; "Upper"
    ___:004D8959 push esi
    ___:004D895A mov [ebp+arg_0], eax
    Now, once there search "fmul dbl_" but remove the "" until you see:

    ___:004DC256 fmul dbl_84AC98
    ___:004DC25C pop ecx
    ___:004DC25D pop ecx
    ___:004DC25E fstp dword ptr [ebp+8]
    KEEP SEARCHING IF YOU DON'T SEE WHAT'S UNDER fmul!

    So it's #define SPEED 0x84AC98

    -[Unlim.Ammo Memory]-


    Now search "ReadLevelData done". You should see:

    ___:0048DB08 push offset aReadleveldataD ; "ReadLevelData done"
    ___:0048DB0D push ecx
    ___:0048DB0E call dword_8125C8
    ___:0048DB14 pop ecx
    ___:0048DB15 pop ecx
    ___:0048DB16 mov ecx, dword_9E2730
    ___:0048DB1C mov eax, [ecx]
    ___:0048DB1E call dword ptr [eax+1Ch]
    ___:0048DB21 cmp dword_9E23DC, 0
    ___:0048DB28 jz short locret_48DB2F
    ___:0048DB2A jmp sub_4A3E1C
    The addie would be 9E2730, so it's #define UnlimammoMem 0x9E2730

    -[NoFallDamage]-


    Now search "S2_COM06". You will see:

    ___:004B9124 push offset aS2_com06 ; "S2_COM06"
    ___:004B9129 push eax
    ___:004B912A call ebx
    ___:004B912C pop ecx
    ___:004B912D pop ecx
    ___:004B912E test eax, eax
    Now from there search "lea esi, [edi+" but remove the "". You may have to search several times until you see:

    ___:004B957B fstp [ebp+var_4]
    ___:004B957E push ecx
    ___:004B957F fld [ebp+var_4]
    ___:004B9582 lea esi, [edi+102C8h]
    ___:004B9588 fstp [esp+2Ch+var_2C]
    ___:004B958B call sub_41164F
    ___:004B9590 mov eax, dword_9E27D8
    ___:004B9595 call sub_4D6C2F
    ___:004B959A xor ebx, ebx
    ___:004B959C mov esi, eax
    ___:004B959E cmp byte_9E23E6, bl
    ___:004B95A4 jnz short loc_4B95D3
    ___:004B95A6 cmp byte_9E23E7, bl
    ___:004B95AC jz short loc_4B95B5
    ___:004B95AE push offset aBackwardmove ; "Backwardmove"
    Or just search "Backwardmove" and look above it. The offset is 102C8h, so it would be #define OFS_NFD 0x102C8. Just remove the h.

    -[OffsetZ]-


    Now search "Bip01 R ForeArm" and you will see this:

    ___:004C1519 push offset aBip01RForearm ; "Bip01 R ForeArm"
    ___:004C151E lea eax, [esp+0F0h+var_B0]
    If you don't, search again. Now search "lea eax, [ebx+" but remove the "". You may have to search twice but you should see something like this:

    ___:004C1937 fld [esp+264h+var_250]
    ___:004C193B fstp dword ptr [eax+34h]
    ___:004C193E lea eax, [ebx+102E8h]
    ___:004C1944 mov ecx, [eax+4]
    ___:004C1947 xor ecx, [eax]
    102E8h is the ofs_z addie so it's #define OFS_Z 0x102E8

    -[PlayerPointer]-

    Now search "ChangeDisplaySettings Error". Always search more than once until you see something like this:

    ___:00409D0D push ebx
    ___:00409D0E push offset aChangedisplays ; "ChangeDisplaySettings Error"
    ___:00409D13 lea eax, [ebp+var_108]
    ___:00409D19 push eax
    ___:00409D1A push ebx
    Now search "mov eax, dword_" (remove the "") until you see this:

    ___:0040A0A8 loc_40A0A8: ; CODE XREF: sub_409FE8+89j
    ___:0040A0A8 call sub_427E6C
    ___:0040A0AD or eax, 0FFFFFFFFh
    ___:0040A0B0 mov word_8A3D7C, ax
    ___:0040A0B6 mov eax, dword_9E27B0
    ___:0040A0BB cmp eax, ebx
    ___:0040A0BD jz short loc_40A0D5
    ___:0040A0BF xor ecx, ecx
    ___:0040A0C1 inc ecx
    ___:0040A0C2 mov [eax+102A8h], ebx
    ___:0040A0C8 mov [eax+1018Ch], cx
    ___:0040A0CF mov [eax+1018Eh], cl
    9E27B0 is the addie so it's #define Playerptr 0x9E27B0

    ==== [ ADDED MORE! ] ====


    -[ServerPointer]-


    Now search "Claymore bounding box %s!". You should see this, if not search again:

    ___:00408BB1 push offset aClaymoreBoundi ; "Claymore bounding box %s!"
    ___:00408BB6 push eax
    ___:00408BB7 call dword ptr [edx+8]
    Now from there search "cmp dword_" but remove the "". Search until you see something like this:

    ___:00408F3C test ah, 41h
    ___:00408F3F jz short loc_408F60
    ___:00408F41 cmp dword_9E274C, 0
    ___:00408F48 jz short loc_408F51
    ___:00408F4A call sub_40919F
    ___:00408F4F jmp short loc_408F53
    The serverptr addie is 9E274C, so look for something with the ,0 next to it. So it's #define Serverptr 0x9E274C

    -[Fifth Slot]-

    This one is much easier, just search "CA01" until you see this:
    ___:004B5589 loc_4B5589: ; CODE XREF: sub_4B5280+298j
    ___:004B5589 push offset aCa01 ; "CA01"
    ___:004B558E push eax
    ___:004B558F call sub_797F96
    ___:004B5594 pop ecx
    ___:004B5595 pop ecx
    ___:004B5596 test eax, eax
    ___:004B5598 jnz short loc_4B55A9
    ___:004B559A push 50h
    ___:004B559C mov byte ptr [ebx+1021B4h], 1
    ___:004B55A3 pop edi
    ___:004B55A4 jmp loc_4B56A2
    The offset for 5th slot is 1021B4h but just remove the h. So it's #define OFS_SLOT5 0x1021B4. To get the other slots just add 1 to the last number (4) and that would be slot 6 or just subtract the last number from slot5 and 1021B3 is slot4. And if you subtract another from slot4 it would be 1021B2 and that's slot3. Hopefully you get the point. So it's...

    #define slot1 0x1021B0
    #define slot2 0x1021B1
    #define slot3 0x1021B2
    #define slot4 0x1021B3
    #define slot5 0x1021B4
    #define slot6 0x1021B5
    #define slot7 0x1021B6
    #define slot8 0x1021B7
    CREDITS:


    @Shunnai - Best minion EVER!!! <3
    @barcoder - Writing tut
    @TheCamels8 - Help with offsets
    @Alex_Agnew - Help with addies

    ADDING MORE SOON!
    Last edited by barcoder; 09-11-2011 at 03:36 PM.

  3. #2
    Terell.

    Finally, an updated tut on finding addies. Good job.
    Removed Pagns outdated tut and stuck yours.

    Warrock Minion 8-13-2011 - N/A
    A.V.A Minion since 11-1-11 - 11-12-11

  5. #3
    barcoder

    @Shunnai Thx and will be adding Serverptr, slots, and ofs invisible. Also, think I messed up on 1 so gonna confirm. Should be fixed soon and have more. Whenever the searches update, I will update this with updated searches. Thx for sticky.

  6. #4
    vanerv10

    much better to add server pointer... and slot etc.. ehehehe

  7. #5
    AeroMan

    Good job bro
    Keep it up!

  8. #6
    matthy

    good job thanks for posting

  9. #7
    akonsi

    how to code Unlim.Ammo Memory ????

  10. #8
    TheCamels8

    Good job!

  11. #9
    SK1LL0R.

    STW & WTW MEM SEARCHSTRINGS:

    STW Search:"Claymore bounding box %s!"

    WTW Search:"AIMode_Repair_Icon"

    Addys:

    #define MEM_STW 0x819D24
    #define MEM_WTW 0x81CA14

    Source:

    if (CH_STW)
    {
        *(float*)(MEM_STW) = 999;
    }
    else
    {
        *(float*)(MEM_STW) = 0;
    }
    if (CH_WTW)
    {
        *(float*)(MEM_WTW) = -999;
    }
    else
    {
        *(float*)(MEM_WTW) = 6;
    }
    Last edited by SK1LL0R.; 09-11-2011 at 08:43 AM.

  13. #10
    nielshetschaap

    nice tut

  14. #11
    barcoder

    thx skillor, will add to tut with u in credits

  15. #12
    Terell.

    Thank barcoder or you're all banned.


  16. #13
    AeroMan

    Quote Originally Posted by Shunnai
    Thank barcoder or you're all banned.
    try me /

  17. #14
    barcoder

    And that's why shunnai is my bmf (best minion forever)

  18. #15
    barcoder

    @Alex_Agnew @makis5 @matthy @n4n033 @nielshetschaap @Shunnai @TheCamels8

    Added more

    EDIT: If you want me to find any searches, just tell me the current address and the name of the function and I will add to thread.
    Last edited by barcoder; 09-11-2011 at 03:47 PM.
