Finding memory addresses in RoM, a How to Guide.

Runes of Magic/Radiant Arcana (http://www.runesofmagic.com)

#1 Post by lisa » Tue Jun 14, 2011 7:33 am

Ok, welcome to the step by step guide to memory stuff in RoM =)
Hopefully this will be kind of easy to follow, I added lots of images.

First thing to do is have a good read of the stickies in this section of the site on memory.
http://www.solarstrike.net/phpBB3/viewforum.php?f=5

Also need to download Cheat Engine
A good idea to also get Olly DBG

For the rest of this How to Guide I will assume you have read those stickies and understand the information in them.
Remember no matter what you do in life to always have a little fun while you are at it ;)

wiki here http://www.solarstrike.net/wiki/index.php?title=Manual


#2 Post by Administrator » Tue Jun 14, 2011 6:04 pm

This is definitely a good idea. I never did quite get some of the instructions posted by other users to work for me once the client had some major updates, so that is also something we need to keep in mind: things change. This could very well help us keep the information updated as well, I suppose.


#3 Post by lisa » Tue Jun 14, 2011 9:41 pm

We'll start with something very simple, gold, cash, money, coins.
Whatever you want to call it, this stuff is the currency of the game.
In addresses.lua it is referred to as moneyPtr

client 3.0.11 address is 0x9CDC6C
client 3.0.4 address is 0x9C6B04

This is a good place to start as it is probably the easiest to find.

Have a look in game at how much gold you have, for this example I will use 2,933,805
Go to CE and do a new search for that value
2933805
If there are a few results, alter how much gold your character has by selling or buying items at a vendor. Then do a next scan for the new amount of gold you have. It shouldn't take too long and you will see on the left side of CE a green address with the value of how much gold you have.
That is the address with no alterations or offsets and can be added to the addresses.lua with only a minor change.
The address in CE will say
009CDC6C
but in the addresses.lua we use the format
0x9CDC6C
Job done you have found your first usable address.

#4 Post by lisa » Tue Jun 14, 2011 10:24 pm

Ok let's jump right into something more complicated.
inventoryBagIds
client 3.0.11 = 0x9D18FC
client 3.0.4 = 0x9CA794

For this 1 it is a good idea to have access to a hex calculator and dec - hex converter

First thing is the game randomizes the bags so that the slot numbers don't just go from 61-90 in order. So we need to get some slot numbers to be able to search for.
Use this in game to post some results you will need

/script SendSystemChat(GetBagItemInfo(1)..GetBagItemInfo(2)..GetBagItemInfo(3)..GetBagItemInfo(4))
bagid2.jpg
Results will vary every time you log into game. For this example I have
67667564
-- separate them in groups of 2
67 66 75 64
-- convert to hex
43 42 4B 40
-- subtract 1
42 41 4A 3F

In CE open the memory view, make sure display type is set to 4 byte hex.
Then do a search.
bagid1.jpg
Tick (array of) byte and add in the bytes you have from before,
42 41 4A 3F
First and probably only result in client 3.0.11 will be address 009D1938
When looking at the address you will notice that it has a value of 3F4A4142 which is those values we found but written in reverse.

Ok so now we have an address of 009D1938 to work with. Because of how the bot is designed to work we will need to subtract decimal value 60 from that address. Converted to hex that is 3C, so
009D1938 - 3C = 009D18FC
that is the address we want, change format to 0x9D18FC and add it into addresses.lua
inventoryBagIds = 0x9D18FC,

--=== Ok now the easier Lisa version of finding it ===--
First is an observation that makes this easier. The slot Id of unrented bags isn't random. So we can do a search for them in order. I personally like to search for array of byte
ec ed ee ef
These are the very last slots of the last bag.
Easy way.
Now scroll up from this spot until you reach the
00 00 00 00 00 00 00 00 00 00 00 00 00
The address at the first spot after the 0's is what you want.
In this case
9DCED8
You then subtract 3C as before and you have your address =)
Took all of 30 seconds instead of 5 minutes.
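The arithmetic from post #4, carried through in code as an added example (not part of the original posts and not the bot's own code). The function names and the zero-filled sample buffer are constructed for illustration, and the chat parser assumes every slot number has exactly two digits, as in the post's example.

```python
import struct

BOT_OFFSET = 60  # decimal 60 (0x3C), the amount the post subtracts from the hit


def chat_to_slots(chat_output: str) -> list[int]:
    """Split the concatenated chat output into slot numbers.

    Assumes every value has exactly two digits, as in the post's example.
    """
    if not chat_output.isdigit() or len(chat_output) % 2:
        raise ValueError("expected an even number of decimal digits")
    return [int(chat_output[i:i + 2]) for i in range(0, len(chat_output), 2)]


def slots_to_pattern(slots: list[int]) -> bytes:
    """Subtract 1 from each slot number and store it as one byte."""
    return bytes(s - 1 for s in slots)  # bytes() raises if a value leaves 0..255


def scan(memory: bytes, pattern: bytes, base: int) -> list[int]:
    """Absolute addresses of every occurrence of pattern in the dump."""
    hits, pos = [], memory.find(pattern)
    while pos != -1:
        hits.append(base + pos)
        pos = memory.find(pattern, pos + 1)
    return hits


def dword_at(memory: bytes, base: int, address: int) -> int:
    """Read 4 bytes as one little-endian value, the way a 4 byte hex view shows them."""
    return struct.unpack_from("<I", memory, address - base)[0]


def to_lua(address: int) -> str:
    """009D18FC as shown in CE becomes 0x9D18FC for addresses.lua."""
    return f"0x{address:X}"


# Constructed sample: 128 zero bytes standing in for memory at 0x9D1900,
# with the pattern placed where the post reports the hit (0x9D1938).
SAMPLE_BASE = 0x9D1900
PATTERN = slots_to_pattern(chat_to_slots("67667564"))
_buf = bytearray(128)
_buf[0x38:0x38 + len(PATTERN)] = PATTERN
SAMPLE = bytes(_buf)

if __name__ == "__main__":
    hit = scan(SAMPLE, PATTERN, SAMPLE_BASE)[0]
    print(PATTERN.hex(" "))                              # bytes in memory order
    print(f"{dword_at(SAMPLE, SAMPLE_BASE, hit):08X}")   # same bytes read as a dword
    print("inventoryBagIds =", to_lua(hit - BOT_OFFSET))
```

The dword prints in the opposite order to the byte pattern because x86 stores multi-byte values little-endian, which is why the post sees the values "written in reverse".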


#5 Post by lisa » Wed Jul 27, 2011 10:44 am

Ok now let's look at making patch transition easier. So let's make up a database of sections of memory that give us the addresses we want. Easiest way to do this is with Ollydbg. The great thing about Olly is you don't need to actually start the client (game) in order to use Olly. So if you have an old version of the game you can search its memory without starting it, as starting client will no doubt make it patch to latest version.

Ok so what you can do is try this on the existing client 4.0.1
Start Olly then click open and find the client.exe file in runes of magic folder, click Open.
Only window I care about is top left, looks like this, if not then get the newer version of Olly.
olly1.jpg
Now next step is to look up an address we already know for the current client. For this example let's use
actionBarPtr = 0xA1BAFC,
not for any other reason except it's top of the list lol

Right click in the only window I care about (top left) and go to "search for" and then click "Constant..."

Ok add in the address, A1BAFC is enough, don't need the 0x
click entire block and then click ok.
olly2.jpg
Now you want to save the screen, so click print screen and paste it into an image editor and save the image.
That is all you need to do to make a database of already known addresses.
--=== NOTE ===--
Not all addresses can be found this way, in fact you aren't actually looking at the address, you are looking at a pointer to the address, but for our purpose that's what we want. Some addresses you will actually need to take an image of the actual address. The way to know which is which is the address itself.
If you scroll that window all the way to the bottom you see the last address is 008D8FFF. Any address you are looking for that is less than that, like for example
staticpattern_char = 0x5E32F7,
you would just go to the actual address without doing the search for constant and take a screen shot of that area, make sure to highlight the address, makes it easier later.

Ok so now we have a folder filled with images of memory spots.
How do we use this to find new addresses after a patch?
Ok well first you have a look at the image, I'll use the same example from above. actionBarPtr = 0xA1BAFC.
olly3.jpg
The highlighted section is what we are looking at.
You will see lots of stuff, you don't need to understand it but you do need to know a few things.
1. Any number with either 7 or 8 digits and starts with 0 is referring to an address and would have changed in the patch as well.
2. You want to get a few lines that don't have addresses to reduce the number of results you get from your search.

Ok so let's look closer.
olly4.jpg
In this example I have highlighted
pop esi
pop edi
pop ebx
retn 14
push 4
5 lines in a row and not one mention of an address, chances are you will only get 1 result from the search.
Ok so now we know what we are looking for, let's do the search.
Right click, then go to "Search for" and then click "Sequence of Commands.." and enter in that section we want to look for.
olly5.jpg
Click search.

--=== Continued next post ===--

#6 Post by lisa » Wed Jul 27, 2011 10:53 am

Ok so search result will look like this
olly6.jpg
Now you compare this spot with your image from your database. You will see that the writing on the right side column is exactly the same.
olly7.jpg
If they aren't the same the short cut to find next is ctrl + L and it will go to the next spot with the same code in your search. So look for the exact same spot where the address was referenced in your previous image and you will see the new address you want.

This is an image from a previous version of the game.
olly8.jpg
Well that may have been a long explanation but once you have done that a few times and get used to it you will be able to find updated addresses in less than a minute. Just like me =)
Just make sure you have a database of images of the sections of memory.
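The idea behind posts #5 and #6, as an added example that is not part of the original posts: code bytes that contain no address survive a patch unchanged, so they can anchor a search while the 4-byte address operand is treated as a wildcard. The two code buffers are constructed, the `mov ecx, [addr]` instruction after the five highlighted instructions and the address 0xA2C4B0 are assumptions made for the sample, and all function names are hypothetical.

```python
import struct

WILD = None  # a signature byte that may hold any value


def make_signature(code: bytes, ref_off: int, before: int) -> list:
    """Take `before` bytes of context plus the 4-byte operand at ref_off,
    with the operand replaced by wildcards because it changes between patches."""
    if ref_off - before < 0 or ref_off + 4 > len(code):
        raise ValueError("not enough bytes around the reference")
    return list(code[ref_off - before:ref_off]) + [WILD] * 4


def find_signature(code: bytes, sig: list) -> list[int]:
    """Offsets of every place where all non-wildcard bytes match."""
    n = len(sig)
    return [i for i in range(len(code) - n + 1)
            if all(b is WILD or code[i + j] == b for j, b in enumerate(sig))]


def relocate(old_code: bytes, old_addr: int, new_code: bytes, before: int) -> list[int]:
    """Candidate new values for old_addr, one per signature match in new_code."""
    ref_off = old_code.find(struct.pack("<I", old_addr))  # first occurrence only
    if ref_off == -1:
        raise LookupError("old address is not referenced as a constant")
    sig = make_signature(old_code, ref_off, before)
    return [struct.unpack_from("<I", new_code, hit + before)[0]
            for hit in find_signature(new_code, sig)]


# --- constructed sample data -------------------------------------------------
SEQ = bytes.fromhex("5E 5F 5B C2 14 00 6A 04")  # pop esi/pop edi/pop ebx/retn 14/push 4


def _ref(addr: int) -> bytes:
    """mov ecx, dword ptr [addr]; assumed here, the screenshots are not on the page."""
    return bytes.fromhex("8B 0D") + struct.pack("<I", addr)


OLD_ADDR = 0xA1BAFC   # actionBarPtr from the post
NEW_ADDR = 0xA2C4B0   # constructed value for the "patched" sample
OLD_CODE = b"\x90" * 16 + SEQ + _ref(OLD_ADDR) + b"\xC3"
NEW_CODE = (b"\x90" * 5 + b"\x33\xC0" + _ref(0xA30010)   # unrelated reference
            + b"\x90" * 20 + SEQ + _ref(NEW_ADDR) + b"\xC3")

if __name__ == "__main__":
    # Short context (just the opcode) is ambiguous: two candidates.
    print([hex(a) for a in relocate(OLD_CODE, OLD_ADDR, NEW_CODE, before=2)])
    # Including the five address-free instructions leaves a single match.
    print([hex(a) for a in relocate(OLD_CODE, OLD_ADDR, NEW_CODE, before=10)])
```

More than one candidate means the signature is too short, which is the case post #6 handles by stepping through matches and comparing each against the saved image.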


#7 Post by lisa » Wed Jul 27, 2011 11:07 am

Ok I am going to add in some sections of memory from an old client. See if you can find the current addresses using that method with Ollydbg

The names of the images refer to the client, 311 and the address the image refers to.
Edit, actually they are from client 3.0.4 but I'm not going to change all the file names, no need.
Attachments
311staticEquipBase.jpg
311partyIconList_base.jpg
311loadingScreenPtr.jpg
311hotkeysPtr.jpg
311actionBarPtr.jpg

#8 Post by lisa » Wed Jul 27, 2011 11:09 am

--=== tableBase ===--
Finding tableBase is a little more complicated than most addresses to find, this is the post that teaches how to do it by VoidMain.
VoidMain wrote: The process to find the address for the "table of tables" is quite simple (it's simple now that I know what I'm looking for...):
Open CE and do a text search for: "ImageObjectDB", memory browse to the first result (might be 1, 2 or more depending on game version but the important one is always first one so far), set the view to 8 columns (just expand the window horizontally until you see 8).
Here comes a tricky part: you have to align the result by moving left or right depending on how you see it, to align the result until you get the version of the database on one line and the name on the next one (version is something like: "v0.20 min 0730" and a date) align the view so the "v" is the first char on the line and then you can see the first address we need is the address that points to the previous 4 bytes to that char.
Here is a picture of the result aligned to get the first address needed
Ok, now we do another search in CE, this time we search for 4 bytes in hex, and the term is the address we just found (in this case: 016449C0), the result we need is the first one, after all these patches it always has been the 1st one, but that's easy to check, go memory browse the first result, and if that points to a list of addresses close to each other, then it is the one we are looking for, once we are sure this is the address we are looking for, in memory browse window press CTRL+P (or go to Tools->Pointer scan) and do a pointer scan search for this address, put the address in "Address to find" and leave all by default except for "Max level", set it at 2.
When pointer scan finishes look for a pointer in Client.exe whose offsets are: 540 the first one and 78 the last one, you probably get more than one of those results, go for the first again and we're set. The result will be a 2 pointer address, the only one we need is the first one (Client.exe+XXXXX) Client.exe starts at 004XXX so if the result is: Client.Exe+005D7914 the address we need is: 009D7914 and that's all, that's the address we need to put in addresses.lua in tablesBase like this: tablesBase = 0x9D7914,
I hope this makes any sense because I'm really tired, didn't sleep the last 2 nights because of work... But more than that, I hope it helps to get someone else that can do this besides me...

#9 Post by lisa » Wed Jul 27, 2011 11:10 am

--=== RESERVED ===--

#10 Post by rock5 » Wed Jul 27, 2011 9:44 pm

I followed those instructions. They work.

I don't know if it will work for all addresses though. Also I think you would still need CE to test the values. I have a bunch of pre-setup pointers that, once I've updated the address, I can see if they point to values that I expect. That way I know they are correct and work. Still... I might have to go ahead and make a database of images.

#11 Post by lisa » Wed Jul 27, 2011 10:06 pm

Using Olly like that definitely won't work for all addresses, it does get about 90% though.

#12 Post by lisa » Thu Jul 28, 2011 4:16 am

--=== Reserved ===--

#13 Post by lisa » Thu Jul 28, 2011 11:49 pm

Anyone want to try finding the address for daily quest status, it looks like this in 400
Attachments
400dailyquest.jpg

#14 Post by rock5 » Fri Jul 29, 2011 1:07 am


#15 Post by rock5 » Sun Aug 21, 2011 11:38 am

I'll add it to my next commit.

#16 Post by mmorpgplayer » Sun Oct 23, 2011 7:45 am

thanks again


#17 Post by OneofMany » Tue Oct 25, 2011 6:29 am

Ok, I thought I'd give it a try

actionBarPtr was in last patch 4.0.3
pop esi
pop edi
pop ebx
retn 14
push 4

I did a search in 4.0.4 but no results returned?

What am I missing?

Edit: found the way to do it :)

2 clients, 1 old, 1 new. Check old address in addresses.lua (old one) then find that same string in old client, find new strings in new client and you got the new address too :)
But some addresses don't seem to be in the client.exe (egg addresses). Where can I find those? Or does the client need to be open?

And how to find offsets?

Learning keeps the mind young ;-)

OneofMany
It's not about cheating. It's about being smarter than the game...

#18 Post by kanta » Tue Oct 25, 2011 9:18 pm

OneofMany wrote: Ok, I thought I'd give it a try

actionBarPtr was in last patch 4.0.3
pop esi
pop edi
pop ebx
retn 14
push 4

I did a search in 4.0.4 but no results returned?

Trying to learn this myself now. Figured out that any time you do a search you always want the search "Entire block" whether it's for the address or the sequence of commands.
Scout/Knight/Rogue 70/66/66


#19 Post by lisa » Tue Oct 25, 2011 9:32 pm

lisa wrote: Right click in the only window I care about (top left) and go to "search for" and then click "Constant..."

Ok add in the address, A1BAFC is enough, don't need the 0x
click entire block and then click ok.
I guess I should have mentioned setting search to entire block will always get the first occurrence of what you are looking for.

At the moment when I search for a sequence what I do is scroll to before the previous address, so if old address was at 55EE67 in the image I would scroll to 550000 and then just do search forward, makes it much faster and you can do searches with less lines in the sequence and not have to worry about sifting through 100 occurrences.

#20 Post by OneofMany » Wed Oct 26, 2011 7:10 am

Figured that out too :) Also, I think having an old client AND a new client loaded in 2 separate Olly's is the fastest for me.

Some addresses I couldn't find tho. Not in the old client (old address from old addresses.lua). But I think/hope that will be explained soon where to find those :)