| View previous topic :: View next topic |
| Author |
Message |
kiennguyen1101
Newbie cheater
![]() Reputation: 0
Joined: 10 Oct 2016
Posts: 10
|
 Posted: Mon Oct 10, 2016 9:32 am Post subject: Help finding player ID for Heroes 3 hota |
 |
|
Hi all,
I want to make a script for unlimited movement in Heroes 3 HoTA. So far I followed the tutorial on dissecting data structure and found that there's a fixed number near movement address that I think is playerID. So, again, following the tutorial on making script, here's what I got:
| Code: | alloc(newmem,2048)
label(returnhere)
label(originalcode)
label(exit)
newmem: //this is allocated memory, you have read,write,execute access
//This always jump to originalcode. Please help.
cmp [esi+22], 6
jne originalcode
//I've tried to compare esi, esi+4D and esi+22 and none of them work.
sub edx,ecx
cmp edx,eax
db 90 90
jmp exit
originalcode:
sub edx,ecx
cmp edx,eax
mov [esi+4D],edx
exit:
jmp returnhere
"h3hota.exe"+80AA8:
jmp newmem
nop
nop
returnhere:
|
|
|
| Back to top |
|
 |
predprey
Master Cheater
![]() Reputation: 24
Joined: 08 Oct 2015
Posts: 486
|
| Posted: Mon Oct 10, 2016 10:20 am Post subject: |
|
|
| we need more info. what are the values at esi+22 and esi+4D? the number of moves left or the player ID? |
|
| Back to top |
|
|
kiennguyen1101
Newbie cheater
![]() Reputation: 0
Joined: 10 Oct 2016
Posts: 10
|
| Posted: Mon Oct 10, 2016 7:10 pm Post subject: |
|
|
| predprey wrote: | | we need more info. what are the values at esi+22 and esi+4D? the number of moves left or the player ID? |
Thank you for your time predprey. The value of esi+4D is the number of moves for hero, while esi+22 is always equal 6 for my own heroes (it varies for heroes of computer). Actually, it's my own conclusion from dissecting data structure and I would like to know other ways to get player Id for this game as well. |
|
| Back to top |
|
|
predprey
Master Cheater
![]() Reputation: 24
Joined: 08 Oct 2015
Posts: 486
|
| Posted: Mon Oct 10, 2016 7:47 pm Post subject: |
|
|
| Code: | alloc(newmem,2048)
label(returnhere)
label(originalcode)
label(exit)
newmem:
//byte ptr to cmp only the single byte and not 4bytes at [esi+22]
cmp byte ptr [esi+22], 6
//if player char ([esi+22] == 6), skip over original code which decrement the moves left
je exit
originalcode:
sub edx,ecx
cmp edx,eax
exit:
//original code for storing moves left at [esi+4d]
mov [esi+4D],edx
jmp returnhere
"h3hota.exe"+80AA8:
jmp newmem
nop
nop
returnhere: |
| kiennguyen1101 wrote: | | predprey wrote: | | we need more info. what are the values at esi+22 and esi+4D? the number of moves left or the player ID? |
Thank you for your time predprey. The value of esi+4D is the number of moves for hero, while esi+22 is always equal 6 for my own heroes (it varies for heroes of computer). Actually, it's my own conclusion from dissecting data structure and I would like to know other ways to get player Id for this game as well. |
generally dissecting data around key variables such as the moves left is enough to get you an offset value which differentiates player from cpu |
|
| Back to top |
|
|
kiennguyen1101
Newbie cheater
![]() Reputation: 0
Joined: 10 Oct 2016
Posts: 10
|
| Posted: Tue Oct 11, 2016 6:45 am Post subject: It worked |
|
|
Hi predprey.
I've copied/pasted your code and CE said the code could not be injected. I'll try to figure out why. But your cmp worked like a charm! Thannks! |
|
| Back to top |
|
|
|
FAQ
Search
Memberlist
Usergroups
Register
Profile
Log in to check your private messages
Log in
