Blequi
01-15-2014, 05:47 AM
Addresses: Automatic Updates
Abstract
After a few months programming my cheats for Tibia, I knew how to find the several addresses I was using,
and with each update it was just a repetitive task of searching for specific things in Cheat Engine (http://www.cheatengine.org) to find those addresses.
Moreover, whenever an update comes, Blackd releases a list of addresses (http://www.blackdtools.com/forum/showthread.php?61387-10-31-Blackd-Tibia-addresses-10-31) which he is currently using, and since my first days of Tibia cheating I have been wondering:
Why does every list begin with:
; [[[[[[[[[[[[[[[[[[[[[[[[[[[
; BEGIN AUTOMATIC UPDATE ZONE
and end with:
; ]]]]]]]]]]]]]]]]]]]]]]]]]]]
; END - AUTOMATIC UPDATE ZONE
?
Back when I was starting out, I didn't know it was possible to update addresses just by scanning Tibia's memory the way CE (Cheat Engine) does.
So this is our goal by the end of this tutorial: learn how to search for the addresses we want and update them automatically.
By scanning the memory of Tibia.exe for a byte (or bit) array, we can find our desired address.
Requirements
As with any programming task, we have to assume a few constraints:
You understand basic programming concepts, like what an array is.
To follow the examples, you need to know something in advance about the address you are trying to find "automatically" and about the memory region around it (discussed in detail in the main portion of the tutorial).
Introduction
Common data types
What is a bit?
Basically, an option: 0 or 1.
What is a byte?
An array of 8 bits, i.e., { (0 or 1), (0 or 1), ..., (0 or 1) }, read left to right (assume this order from now on). It represents any number n in the range 0 <= n <= 255 = (2^8 - 1).
What is an unsigned short (or word)?
An array of 16 bits (consequently, an array of 2 bytes). Ex: any number n in the range 0 <= n <= 65535 = (2^16 - 1)
What is an unsigned int (or dword)?
An array of 32 bits (consequently, an array of 4 bytes or an array of 2 words). Ex: any number n in the range 0 <= n <= 4294967295 = (2^32 - 1)
What is an unsigned long long (or qword)?
An array of 64 bits (consequently, an array of 8 bytes or an array of 2 dwords). Ex: any number n in the range 0 <= n <= 18446744073709551615 = (2^64 - 1). Note that on 32-bit Windows a plain unsigned long is only 4 bytes (the same size as an unsigned int), so the 8-byte type is unsigned long long.
What is a string? (raw data)
An arbitrary array of bits (its raw form depends on the character encoding, but each character of Tibia's strings translates uniquely to (and from) one byte, so for our purposes a string is simply an array of bytes).
Example:
"hello" <-> { 'h' <-> 104, 'e' <-> 101, 'l' <-> 108, 'l' <-> 108, 'o' <-> 111, 0 }
<-> { 104, 101, 108, 108, 111, 0 }
The 0 at the end of the array marks the end of the string (a NUL terminator).
How does a memory scanner work?
As we have seen, all data comes down to an array of bits or bytes. In most cases the scanner converts the input (word, dword, qword, string, whatever) to a byte array and searches for that byte array. Keep in mind that x86 stores multi-byte integers little-endian (least significant byte first), so the dword 100 is searched for as the bytes 64 00 00 00, not 00 00 00 64.
So a memory scanner works by searching for a byte array in memory. In rare cases, such as data stored as flags [e.g. player status (Is Poisoned, Is Electrified, Is Burning, etc.)] or any other way of storing data directly in bits, the scanner can only find the byte that holds the flags, and we still have to pick out the correct bit (not byte) ourselves.
Our problem is often to find an int (dword), a boolean, a byte, or a flag-like value. From our previous experience with CE, we know that searching for an int in memory
often yields several addresses rather than the single address we want. The reason is that two (or more) variables hold the same value at some point:
int shielding = 100;
int hp = 100;
.
.
.
int mana = 100;
and if we search for 100 to get the shielding address, we get a ton of addresses and have to guess the right one.
Have you ever tried to find your character's name in the battle list? It was pretty easy to find, wasn't it? I guess your answer was "Yes, it was like taking candy from a kid!".
But did you think about why it was so easy? If not, the answer is pretty simple. In general, it's an array of bytes whose size is something other than 4 (probably larger), so far fewer places in memory happen to contain the same sequence.
you: Hmm, but why the heck is this 4 so special?
me: Well, in our case study, int is the most used data type in Tibia, and in other games as well, I guess. Also, Tibia is an x86 process. I don't cheat in x64 processes, but they probably have the same "problem" when you are trying to find 8-byte values, due to the pointer length.
you: Hmm, so the solution is to search for something larger than 4 bytes to avoid getting several addresses. But hey, my data is 4 bytes long, what do I do?
me: Don't search for your data. Instead, look at the region around your address, find something you are confident will be there and that is longer than 4 bytes (strings are lovely candidates, as are sequences of ints), and search for it. Then just offset your result to the data you want.
The procedure described above is the key to settling on the correct address. What matters most is not the data itself but the region around it, because most of the time things are kept (or grouped) together in structs.
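The following is an added example written for this tutorial; it is not Blequi's or Blackd's code. It puts the two ideas above into working Python: the scanner converts a value (int or string) into the little-endian byte array it really searches for, and the address is then recovered by anchoring on something long and unique nearby (the name string, or a sequence of ints with the changing dword wildcarded) and offsetting from the hit instead of searching for the 4-byte value itself. The memory image built by build_snapshot is constructed inline, and its struct layout (32-byte name, then shielding, hp, level, mana, then a status byte), the offsets, and BASE are assumptions, not Tibia's real layout. On a live process you would replace the snapshot with bytes read out of the target (for example with ReadProcessMemory) and the functions run unchanged.

```python
"""Byte-array (signature) scan over a snapshot of process memory.

Added example for this tutorial, not the author's code. `build_snapshot` is a
constructed memory image imitating a player struct; its layout and BASE are
assumptions, not Tibia's real layout. On a live process, replace `mem` with
bytes read out of the target (e.g. via ReadProcessMemory on Windows) and the
scanning functions run unchanged.
"""
import struct

BASE = 0x00400000  # assumed module base so offsets print like real addresses

# The sizes listed in the tutorial as struct codes; '<' = little-endian, as on x86.
FORMATS = {"byte": "<B", "word": "<H", "dword": "<I", "qword": "<Q"}


def build_snapshot():
    """Constructed memory image (assumed layout):

    offset  0: three unrelated dwords, two of which happen to equal 100
    offset 12: character name, 32 bytes, NUL-padded
    offset 44: shielding, hp, level, mana as dwords
    offset 60: status flags byte (bit 0 poisoned, bit 1 electrified, bit 2 burning)
    """
    unrelated = struct.pack("<III", 100, 3, 100)
    name = b"Blequi".ljust(32, b"\0")
    stats = struct.pack("<IIII", 100, 100, 25, 100)
    status = bytes([0b101])                  # poisoned + burning
    return unrelated + name + stats + status + b"\xff" * 16


def encode(value, kind="dword"):
    """Turn a search value into the byte array the scanner actually looks for."""
    if isinstance(value, str):
        return value.encode("latin-1") + b"\0"   # one byte per char, NUL-terminated
    return struct.pack(FORMATS[kind], value)


def scan(snapshot, needle, base=BASE):
    """Every address at which the exact byte array `needle` occurs (overlaps included)."""
    hits, pos = [], snapshot.find(needle)
    while pos != -1:
        hits.append(base + pos)
        pos = snapshot.find(needle, pos + 1)
    return hits


def scan_signature(snapshot, signature, base=BASE):
    """CE-style array-of-bytes scan, e.g. "64 00 ?? 00": ?? matches any byte."""
    tokens = [None if t == "??" else int(t, 16) for t in signature.split()]
    hits = []
    for off in range(len(snapshot) - len(tokens) + 1):
        if all(t is None or snapshot[off + i] == t for i, t in enumerate(tokens)):
            hits.append(base + off)
    return hits


def read_dword(snapshot, addr, base=BASE):
    return struct.unpack_from("<I", snapshot, addr - base)[0]


def flag_is_set(snapshot, addr, bit, base=BASE):
    """Flag-style data: the scan finds the byte; the cheat still has to pick the bit."""
    return bool((snapshot[addr - base] >> bit) & 1)


def find_hp_address(snapshot, name):
    """The tutorial's recipe: anchor on the long, unique name string, then offset.

    The +32 skips the name field and the +4 skips shielding (assumed layout).
    """
    anchors = scan(snapshot, encode(name))
    if len(anchors) != 1:
        raise LookupError(f"expected exactly one anchor, found {len(anchors)}")
    return anchors[0] + 32 + 4


if __name__ == "__main__":
    mem = build_snapshot()
    # Searching for the value itself: five hits, and no way to tell which is hp.
    print("dword 100 at:", [hex(a) for a in scan(mem, encode(100))])
    # Anchoring on the name gives one hit; hp is a fixed offset away.
    hp = find_hp_address(mem, "Blequi")
    print("hp at:", hex(hp), "value:", read_dword(mem, hp))
    # A sequence of ints works as an anchor too; the changing level is wildcarded.
    print("stats block at:", [hex(a) for a in
                              scan_signature(mem, "64 00 00 00 64 00 00 00 ?? ?? ?? ?? 64 00 00 00")])
    print("poisoned:", flag_is_set(mem, BASE + 60, 0), "electrified:", flag_is_set(mem, BASE + 60, 1))
```

The point to check on a real client is the anchor's hit count: find_hp_address refuses to guess when the anchor matches zero or several times, which is exactly the situation the tutorial warns about when you search for the 4-byte value directly. After an update, the absolute address moves, but as long as the struct layout is unchanged the anchor string and the offset stay valid, so the same scan re-derives the address automatically.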