
Finding memory addresses in RoM, a How to Guide.

Posted: Tue Jun 14, 2011 7:33 am
by lisa
Ok, welcome to the step-by-step guide to memory stuff in RoM =)
Hopefully this will be kind of easy to follow, I added lots of images.

First thing to do is have a good read of the stickies in this section of the site on memory.
http://www.solarstrike.net/phpBB3/viewforum.php?f=5

You also need to download Cheat Engine.
It is a good idea to also get OllyDbg.

For the rest of this How to Guide I will assume you have read those stickies and understand the information in them.

Re: Finding memory addresses in RoM, a How to Guide.

Posted: Tue Jun 14, 2011 6:04 pm
by Administrator
This is definitely a good idea. I never did quite get some of the instructions posted by other users to work for me once the client had some major updates, so that is also something we need to keep in mind: things change. This could very well help us keep the information updated as well, I suppose.

Re: Finding memory addresses in RoM, a How to Guide.

Posted: Tue Jun 14, 2011 9:41 pm
by lisa
We'll start with something very simple: gold, cash, money, coins.
Whatever you want to call it, this stuff is the currency of the game.
In addresses.lua it is referred to as moneyPtr

client 3.0.11 address is 0x9CDC6C
client 3.0.4 address is 0x9C6B04

This is a good place to start as it is probably the easiest to find.

Have a look in game at how much gold you have, for this example I will use 2,933,805
Go to CE and do a new search for that value
2933805
If there are a few results, alter how much gold your character has by selling or buying items at a vendor. Then do a next scan for the new amount of gold you have. It shouldn't take too long and you will see on the left side of CE a green address with the value of how much gold you have.
That is the address with no alterations or offsets and can be added to the addresses.lua with only a minor change.
The address in CE will say
009CDC6C
but in the addresses.lua we use the format
0x9CDC6C
Job done you have found your first usable address.

Re: Finding memory addresses in RoM, a How to Guide.

Posted: Tue Jun 14, 2011 10:24 pm
by lisa
Ok, let's jump right into something more complicated.
inventoryBagIds
client 3.0.11 = 0x9D18FC
client 3.0.4 = 0x9CA794

For this one it is a good idea to have access to a hex calculator and a dec to hex converter.

First thing is the game randomizes the bags so that the slot numbers don't just go from 61-90 in order. So we need to get some slot numbers to be able to search for.
Use this in game to post some results you will need


/script SendSystemChat(GetBagItemInfo(1)..GetBagItemInfo(2)..GetBagItemInfo(3)..GetBagItemInfo(4))
bagid2.jpg
Results will vary every time you log into the game. For this example I have
67667564
-- separate them into groups of 2
67 66 75 64
-- convert to hex
43 42 4B 40
-- subtract 1
42 41 4A 3F

In CE open the memory view, make sure display type is set to 4 byte hex.
Then do a search.
bagid1.jpg
Tick (array of) byte and add in the bytes you have from before,
42 41 4A 3F
First and probably only result in client 3.0.11 will be address 009D1938
When looking at the address you will notice that it has a value of 3F4A4142 which is those values we found but written in reverse.

Ok, so now we have an address of 009D1938 to work with. Because of how the bot is designed to work we will need to subtract the decimal value 60 from that address. Converted to hex that is 3C, so
009D1938 - 3C = 009D18FC
that is the address we want, change format to 0x9D18FC and add it into addresses.lua
inventoryBagIds = 0x9D18FC,

--=== Ok now the easier Lisa version of finding it ===--
First is an observation that makes this easier. The slot Id of unrented bags isn't random. So we can do a search for them in order. I personally like to search for array of byte
ec ed ee ef
these are the very last slots of the last bag.
Easy way.
Now scroll up from this spot until you reach the
00 00 00 00 00 00 00 00 00 00 00 00 00
The address at the first spot after the 0's is what you want.
In this case
9DCED8
You then subtract 3C as before and you have your address =)
Took all of 30 seconds instead of 5 minutes.

Re: Finding memory addresses in RoM, a How to Guide.

Posted: Wed Jul 27, 2011 10:44 am
by lisa
Ok, now let's look at making patch transition easier. So let's make up a database of sections of memory that give us the addresses we want. The easiest way to do this is with OllyDbg. The great thing about Olly is you don't need to actually start the client (game) in order to use Olly. So if you have an old version of the game you can search its memory without starting it, as starting the client will no doubt make it patch to the latest version.

Ok, so what you can do is try this on the existing client 4.0.1.
Start Olly, then click Open and find the client.exe file in the Runes of Magic folder, click Open.
The only window I care about is the top left, it looks like this; if not, then get the newer version of Olly.
olly1.jpg
Now the next step is to look up an address we already know for the current client. For this example let's use
actionBarPtr = 0xA1BAFC,
not for any other reason except it's top of the list lol

Right click in the only window I care about (top left) and go to "search for" and then click "Constant..."

Ok, add in the address, A1BAFC is enough, you don't need the 0x.
Click "Entire block" and then click OK.
olly2.jpg
Now you want to save the screen, so click print screen and paste it into an image editor and save the image.
That is all you need to do to make a database of already known addresses.
--=== NOTE ===--
Not all addresses can be found this way. In fact you aren't actually looking at the address, you are looking at a pointer to the address, but for our purpose that's what we want. For some addresses you will actually need to take an image of the actual address. The way to know which is which is the address itself.
If you scroll that window all the way to the bottom you see the last address is 008D8FFF. Any address you are looking for that is less than that, like for example
staticpattern_char = 0x5E32F7,
you would just go to the actual address without doing the search for constant and take a screen shot of that area, make sure to highlight the address, makes it easier later.

Ok, so now we have a folder filled with images of memory spots.
How do we use this to find new addresses after a patch?
Ok, well first you have a look at the image. I'll use the same example from above, actionBarPtr = 0xA1BAFC.
olly3.jpg
The highlighted section is what we are looking at.
You will see lots of stuff, you don't need to understand it but you do need to know a few things.
1. Any number with either 7 or 8 digits that starts with 0 is referring to an address and would have changed in the patch as well.
2. You want to get a few lines that don't have addresses to reduce the number of results you get from your search.

Ok, so let's look closer.
olly4.jpg
In this example I have highlighted
pop esi
pop edi
pop ebx
retn 14
push 4
5 lines in a row and not one mention of an address, chances are you will only get 1 result from the search.
Ok, so now we know what we are looking for, let's do the search.
Right click, then go to "Search for" and then click "Sequence of Commands..." and enter in that section we want to look for.
olly5.jpg
Click search.

--=== Continued next post ===--

Re: Finding memory addresses in RoM, a How to Guide.

Posted: Wed Jul 27, 2011 10:53 am
by lisa
Ok, so the search result will look like this
olly6.jpg
Now you compare this spot with your image from your database. You will see that the writing on the right side column is exactly the same.
olly7.jpg
If they aren't the same, the shortcut to find the next one is Ctrl + L and it will go to the next spot with the same code in your search. So look for the exact same spot where the address was referenced in your previous image and you will see the new address you want.

This is an image from a previous version of the game.
olly8.jpg
Well, that may have been a long explanation, but once you have done that a few times and get used to it you will be able to find updated addresses in less than a minute. Just like me =)
Just make sure you have a database of images of the sections of memory.

Re: Finding memory addresses in RoM, a How to Guide.

Posted: Wed Jul 27, 2011 11:07 am
by lisa
Ok, I am going to add in some sections of memory from an old client. See if you can find the current addresses using that method with OllyDbg.

The names of the images refer to the client, 311, and the address the image refers to.
Edit: actually they are from client 3.0.4, but I'm not going to change all the file names, no need.

Re: Finding memory addresses in RoM, a How to Guide.

Posted: Wed Jul 27, 2011 11:09 am
by lisa
--=== tableBase ===--
Finding tableBase is a little more complicated than most addresses to find. This is the post that teaches how to do it, by VoidMain.
VoidMain wrote: The process to find the address for the "table of tables" is quite simple (it's simple now that I know what I'm looking for...):
Open CE and do a text search for "ImageObjectDB", memory browse to the first result (there might be 1, 2 or more depending on game version, but the important one is always the first one so far), set the view to 8 columns (just expand the window horizontally until you see 8).
Here comes a tricky part: you have to align the result by moving left or right depending on how you see it, to align the result until you get the version of the database on one line and the name on the next one (version is something like "v0.20 min 0730" and a date). Align the view so the "v" is the first char on the line and then you can see the first address we need is the address that points to the 4 bytes previous to that char.
Here is a picture of the result aligned to get the first address needed
Ok, now we do another search in CE, this time we search for 4 bytes in hex, and the term is the address we just found (in this case 016449C0). The result we need is the first one; after all these patches it has always been the 1st one, but that's easy to check: go memory browse the first result, and if that points to a list of addresses close to each other, then it is the one we are looking for. Once we are sure this is the address we are looking for, in the memory browse window press CTRL+P (or go to Tools->Pointer scan) and do a pointer scan search for this address, put the address in "Address to find" and leave all by default except for "Max level", set it at 2.
When the pointer scan finishes look for a pointer in Client.exe whose offsets are 540 for the first one and 78 for the last one. You probably get more than one of those results, go for the first again and we're set. The result will be a 2 pointer address, the only one we need is the first one (Client.exe+XXXXX). Client.exe starts at 004XXX so if the result is Client.exe+005D7914 the address we need is 009D7914, and that's all, that's the address we need to put in addresses.lua in tablesBase like this: tablesBase = 0x9D7914,
I hope this makes any sense because I'm really tired, didn't sleep the last 2 nights because of work... But more than that, I hope it helps to get someone else that can do this besides me...
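The address arithmetic in the two posts above is easy to get wrong by hand (endianness of the 4-byte view, the -3C offset, and the Client.exe+offset rebasing), so here is the same arithmetic as an added Python example. This is not code from the thread or from the bot; it reuses the thread's own numbers (bag ids 67667564, hit 009D1938, Client.exe+005D7914) but the 0x400000 image base is an assumption taken from VoidMain's remark that Client.exe "starts at 004XXX", and the memory buffer used for the "easy way" zero-run walk is constructed for the example.

```python
"""Worked address arithmetic for the bag-id and tablesBase posts (added example)."""
import struct

CLIENT_IMAGE_BASE = 0x400000  # assumption: typical Win32 EXE base, per "starts at 004XXX"
BAG_TABLE_OFFSET = 0x3C       # the thread's "subtract decimal 60" step


def bag_ids_to_pattern(ids_text: str) -> list:
    """Split the concatenated GetBagItemInfo output into 2-digit decimal slot ids
    and subtract 1 from each, giving the bytes Cheat Engine should search for."""
    if len(ids_text) % 2 or not ids_text.isdigit():
        raise ValueError("expected an even number of decimal digits")
    slots = [int(ids_text[i:i + 2]) for i in range(0, len(ids_text), 2)]
    return [s - 1 for s in slots]


def pattern_to_ce_string(pattern: list) -> str:
    """Format as the space-separated hex bytes typed into CE's array-of-byte search."""
    return " ".join(f"{b:02X}" for b in pattern)


def pattern_as_le_dword(pattern: list) -> int:
    """The first 4 bytes as the 4-byte hex view shows them: x86 is little-endian,
    so bytes 42 41 4A 3F display as the value 3F4A4142."""
    return struct.unpack("<I", bytes(pattern[:4]))[0]


def inventory_bag_ids_base(hit_address: int) -> int:
    """Apply the fixed offset the bot expects: first hit minus 0x3C."""
    return hit_address - BAG_TABLE_OFFSET


def find_table_start(mem: bytes, mem_base: int) -> int:
    """The 'easy way': locate EC ED EE EF (last slots of the last bag), then walk back
    to the first non-zero byte after the run of zeros and return its address."""
    idx = mem.find(bytes([0xEC, 0xED, 0xEE, 0xEF]))
    if idx < 0:
        raise LookupError("slot pattern not present")
    while idx > 0 and mem[idx - 1] != 0:
        idx -= 1
    return mem_base + idx


def rebase(module_relative: str, image_base: int = CLIENT_IMAGE_BASE) -> int:
    """'Client.exe+005D7914' -> absolute address, assuming the given image base."""
    module, _, offset = module_relative.partition("+")
    if module.lower() != "client.exe" or not offset:
        raise ValueError("expected Client.exe+<hex offset>")
    return image_base + int(offset, 16)


def lua_format(address: int) -> str:
    """addresses.lua style: 0x prefix, no leading zeros."""
    return f"0x{address:X}"


# Constructed sample memory for the easy way: 13 zero bytes, then a table whose
# final four bytes are EC ED EE EF, placed so the table starts at 0x9DCED8.
SAMPLE_TABLE = bytes(range(0x20, 0xF0))
SAMPLE_MEM = bytes(13) + SAMPLE_TABLE
SAMPLE_MEM_BASE = 0x9DCED8 - 13


if __name__ == "__main__":
    pat = bag_ids_to_pattern("67667564")
    print("CE search bytes:", pattern_to_ce_string(pat))
    print("shown in 4-byte view as:", f"{pattern_as_le_dword(pat):08X}")
    print("inventoryBagIds =", lua_format(inventory_bag_ids_base(0x9D1938)))
    start = find_table_start(SAMPLE_MEM, SAMPLE_MEM_BASE)
    print("easy way start:", f"{start:X}", "->", lua_format(inventory_bag_ids_base(start)))
    print("tablesBase =", lua_format(rebase("Client.exe+005D7914")))
```

Running it reproduces the thread's values: search bytes 42 41 4A 3F, displayed as 3F4A4142, inventoryBagIds 0x9D18FC, and tablesBase 0x9D7914. The `find_table_start` walk is the part worth checking against a real dump, since it assumes the zero run immediately precedes the table as the screenshot shows.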

Re: Finding memory addresses in RoM, a How to Guide.

Posted: Wed Jul 27, 2011 11:10 am
by lisa
--=== RESERVED ===--

Re: Finding memory addresses in RoM, a How to Guide.

Posted: Wed Jul 27, 2011 9:44 pm
by rock5
I followed those instructions. They work.

I don't know if it will work for all addresses though. Also I think you would still need CE to test the values. I have a bunch of pre-setup pointers that, once I've updated the address, I can see if they point to values that I expect. That way I know they are correct and work. Still... I might have to go ahead and make a database of images.

Re: Finding memory addresses in RoM, a How to Guide.

Posted: Wed Jul 27, 2011 10:06 pm
by lisa
Using Olly like that definitely won't work for all addresses, it does get about 90% though.

Re: Finding memory addresses in RoM, a How to Guide.

Posted: Thu Jul 28, 2011 4:16 am
by lisa
--=== Reserved ===--

Re: Finding memory addresses in RoM, a How to Guide.

Posted: Thu Jul 28, 2011 11:49 pm
by lisa
Anyone want to try finding the address for daily quest status, it looks like this in 400

Re: Finding memory addresses in RoM, a How to Guide.

Posted: Fri Jul 29, 2011 1:07 am
by rock5

Re: Finding memory addresses in RoM, a How to Guide.

Posted: Sun Aug 21, 2011 11:38 am
by rock5
I'll add it to my next commit.

Re: Finding memory addresses in RoM, a How to Guide.

Posted: Sun Oct 23, 2011 7:45 am
by mmorpgplayer
thanks again

Re: Finding memory addresses in RoM, a How to Guide.

Posted: Tue Oct 25, 2011 6:29 am
by OneofMany
Ok, I thought I'd give it a try

actionBarPtr was in last patch 4.0.3
pop esi
pop edi
pop ebx
retn 14
push 4

I did a search in 4.0.4 but no results were returned?

What am i missing?

edit: found the way to do it :)

2 clients, 1 old, 1 new. Check the old address in addresses.lua (old one), then find that same string in the old client, find the new strings in the new client and you've got the new address too :)
But some addresses don't seem to be in the client.exe (egg addresses). Where can I find those? Or does the client need to be open?

And how to find offsets?

Learning keeps the mind young ;-)

OneofMany

Re: Finding memory addresses in RoM, a How to Guide.

Posted: Tue Oct 25, 2011 9:18 pm
by kanta
OneofMany wrote: Ok, I thought I'd give it a try

actionBarPtr was in last patch 4.0.3
pop esi
pop edi
pop ebx
retn 14
push 4

I did a search in 4.0.4 but no results were returned?
Trying to learn this myself now. Figured out that any time you do a search you always want the search "Entire block" whether it's for the address or the sequence of commands.

Re: Finding memory addresses in RoM, a How to Guide.

Posted: Tue Oct 25, 2011 9:32 pm
by lisa
lisa wrote: Right click in the only window I care about (top left) and go to "search for" and then click "Constant..."

Ok, add in the address, A1BAFC is enough, you don't need the 0x.
Click "Entire block" and then click OK.
I guess I should have mentioned that setting search to entire block will always get the first occurrence of what you are looking for.

At the moment, when I search for a sequence what I do is scroll to before the previous address, so if the old address was at 55EE67 in the image I would scroll to 550000 and then just do search forward. It makes it much faster and you can do searches with fewer lines in the sequence and not have to worry about sifting through 100 occurrences.

Re: Finding memory addresses in RoM, a How to Guide.

Posted: Wed Oct 26, 2011 7:10 am
by OneofMany
Figured that out too :) Also, I think having an old client AND a new client loaded in 2 separate Ollys is the fastest for me.

Some addresses I couldn't find though, not in the old client (old address from old addresses.lua). But I think/hope it will be explained soon where to find those :)