I want to know how to find the memory addresses that HL uses (client/eng/ppmove, etc.)

yes please tuto for finding hexa adress

what program do you use for this ???

gl finding out.

You always give unuseful comments like that Cheetah, do you find it amusing or something? Ego leaking out your brain a little?

hes just saying that because he cant find it either lol

Ya, ill admit it too, I dont know how RetarT and Patrick and LanceV, blah the rest of them find those Engfunc addresses with OllyDbg / Softice :(

softice dont work with xp :(

OK well I can give a little help on say using GL functions, I use this method in my hook, don't ask why I do, I just like to.

This should tie in nicely with RetarT's tutorial.

Open up w32dasm, then open windows/system32/opengl32.dll

Scroll down to the exports, and say find glBegin for example.

On the left will be the address of that function, in this case it's 0x5ED02860

I'm sorry this isn't useful for engfuncs but its a start.

Now I do this so I can use the function in my hook:

DWORD * orig_glBegin = ( DWORD* ) ( 0x5ED02860 );

Now in my hook instead of using:


void __stdcall xglBegin(GLenum mode)
{
glBegin(mode);
}

I use:


void __stdcall xglBegin(GLenum mode)
{
__asm
{
push mode
call orig_glBegin
}
}

Now for I know this technically may make no difference or produce the same opcode, but that wasn't the purpose of the example. I hope that this is a little useful to some of you.

or of course you can use GetProcAddress and get it that way :)

typedef void(APIENTRY *tglBegin)(GLenum);
tglBegin oglBegin;

oglBegin = (tglBegin)GetProcAddress(GetModuleHandle("opengl32"), "glBegin");

or like Xen said, oglBegin = (tglBegin)0x5ED02860;


void APIENTRY my_glBegin(GLenum mode)
{
//do junk
oglBegin(mode);
}

Smart way Xen :p And Azorbix too, even though I think that's how OGC does it :D

And about Cheetah, I don't know what to say. My brother told me he came into one of his channels he idles in and begged someone for instructions on how to get these pointers. And somehow he got banned LOL but the point is, he shouldn't be making it look like he knows how to do it heh :p

I myself use mempatcher and genpatch to "fix" programs that "restrict" themselves to opperate after a period of days :o

nice thx

Xen(or anyone else that knows): With your method, if I have a function with more than one parameters would I just do like:

__asm {
push param1
push param2
push param3
...
call function
}
?

Push the arguments in reverse order, confusing I know :s .


push arg3
push arg2
push arg1
call function

say you had this in c++:

Function1(arg1,arg2,arg3);
Function2(arg1,arg2,arg3);

would look like:



push arg3
push arg2
push arg1
call Function2

push arg3
push arg2
push arg1
call Function1

For examples take whitewalls inlined.

Looks like:


if(mode != GL_TRIANGLES && mode != GL_TRIANGLE_STRIP && mode != GL_TRIANGLE_FAN && mode != GL_QUADS)
{
glTexEnvi(GL_TEXTURE_ENV,GL_TEXTURE_ENV_MODE);
}

Then using inline asm:


if(mode != GL_TRIANGLES && mode != GL_TRIANGLE_STRIP && mode != GL_TRIANGLE_FAN && mode != GL_QUADS)
{
__asm
{
push 0x00002101 // GL_DECAL
push 0x00002200 // GL_TEXTURE_ENV_MODE
push 0x00002300 // GL_TEXTURE_ENV
call orig_glTexEnvi
}
}

Hope that helps, btw the asm version seems to produce different opcode :)

you can also do:

push GL_DECAL;
push GL_TEXTURE_ENV_MODE;
push GL_TEXTURE_ENV;

because all that GL_TEXTURE_ENV_MODE and the rest are all just #defines.

This is from gl/gl.h

/* TextureEnvParameter */
#define GL_TEXTURE_ENV_MODE 0x2200
#define GL_TEXTURE_ENV_COLOR 0x2201

this is like a tutorial unto itself!

gj guys i like these methods

0BE2 = GL_BLEND

//for ***ht mode;

for nite mode;



if(mode != GL_TRIANGLES && mode != GL_TRIANGLE_STRIP && mode != GL_TRIANGLE_FAN && mode != GL_QUADS)
{
__asm
{
push 0x00000BE2 // GL_BLEND
push 0x00002200 // GL_TEXTURE_ENV_MODE
push 0x00002300 // GL_TEXTURE_ENV
call orig_glTexEnvi
}
}

Heh.. actually i know how to find them i just can't do it on win98 :(

But for those of you interested in ASM... i'll write a wrapper in asm if you could would find it useful....

I don't know how well this would work, but you can try, I'm just doing this off the top of my head

void declspec( naked ) JmpTo
{
__asm retn;
}

DWORD jmpAddress = ( DWORD ) &JmpTo
__asm
{
cmp mode, GL_TRIANGLES;
jz jmpAddress;
cmp mode, GL_TRIANGLE_STRIP;
jz jmpAddress;
cmp mode, GL_TRIANGLE_FAN;
jz jmpAddress;
cmp mode, GL_TRIANGLE_FAN;
jz jmpAddress;
cmp mode, GL_QUADS;
jz jmpAddress;

push GL_DECAL;
push GL_TEXTURE_ENV_MODE;
push GL_TEXTURE_ENV;
call orig_glTexEnvi;
}

i dont find 0x5ED02860 (or 5ED02860)

i have just find 3 adress for gl begin ... :(

look please
http://site.voila.fr/strokom/screens/hexa1.JPG

i have open mp.dll i find this (lol)
Addr:10001000 Ord: 335 (014Fh) Name: weapon_ak47
Addr:10001970 Ord: 336 (0150h) Name: weapon_aug
Addr:10002010 Ord: 337 (0151h) Name: weapon_awp
Addr:100026B0 Ord: 338 (0152h) Name: weapon_c4
Addr:100033E0 Ord: 339 (0153h) Name: weapon_deagle
Addr:10003AC0 Ord: 340 (0154h) Name: weapon_elite
Addr:100042D0 Ord: 341 (0155h) Name: weapon_famas
Addr:10004A50 Ord: 342 (0156h) Name: weapon_fiveseven
Addr:10005080 Ord: 343 (0157h) Name: weapon_flashbang
Addr:100059A0 Ord: 344 (0158h) Name: weapon_g3sg1
Addr:10005FB0 Ord: 345 (0159h) Name: weapon_galil
Addr:10006690 Ord: 346 (015Ah) Name: weapon_glock18
Addr:10007000 Ord: 347 (015Bh) Name: weapon_hegrenade
Addr:10007720 Ord: 348 (015Ch) Name: weapon_knife
Addr:10008AE0 Ord: 349 (015Dh) Name: weapon_m249
Addr:10009150 Ord: 350 (015Eh) Name: weapon_m3
Addr:100098B0 Ord: 351 (015Fh) Name: weapon_m4a1
Addr:1000A1D0 Ord: 352 (0160h) Name: weapon_mac10
Addr:1000A7B0 Ord: 353 (0161h) Name: weapon_mp5navy
Addr:1000ADA0 Ord: 354 (0162h) Name: weapon_p228
Addr:1000B4C0 Ord: 355 (0163h) Name: weapon_p90
Addr:1000BB10 Ord: 356 (0164h) Name: weapon_scout
Addr:1000C1C0 Ord: 357 (0165h) Name: weapon_sg550
Addr:1000C7F0 Ord: 358 (0166h) Name: weapon_sg552
Addr:10057750 Ord: 359 (0167h) Name: weapon_shield
Addr:1000CF40 Ord: 360 (0168h) Name: weapon_smokegrenade
Addr:1000D690 Ord: 361 (0169h) Name: weapon_tmp
Addr:1000DC40 Ord: 362 (016Ah) Name: weapon_ump45
Addr:1000E220 Ord: 363 (016Bh) Name: weapon_usp
Addr:1000EB50 Ord: 364 (016Ch) Name: weapon_xm1014
Addr:10079FD0 Ord: 365 (016Dh) Name: weaponbox
Addr:100422B0 Ord: 366 (016Eh) Name: world_items
Addr:1007C050 Ord: 367 (016Fh) Name: worldspawn

i have the name for weapon esp

ex : Addr:1000D690 Ord: 361 (0169h) Name: weapon_tmp

Originally posted by -Str0kOm-
i dont find 0x5ED02860 (or 5ED02860)

i have just find 3 adress for gl begin ... :(

look please
http://site.voila.fr/strokom/screens/hexa1.JPG
Look in the exported functions near the top.

thank man :)

i cant open sw.dll and hw.dll with win32asm.

i need hexa adress ( for decode ? )

please help me (lol i need help every time , i noob in hexa and asm )

They are encrypted.

do you can decrypt this ???

Can you please stop asking questions and do a little research for yourself.

I'm trying to make a wrapper using this but I get this error in glDrawElements() :

opengl32.cpp(40) : error C2400: inline assembler syntax error in 'first operand'; found 'newline'
here is where it points to:

void sys_glDrawElements (GLenum mode, GLsizei count, GLenum type, const GLvoid *indices)
{
__asm {
push indices
push type
push count
push mode
call orig_glDrawElements
}
}

ya still gotta put ';'s behind the opcodes

No you don't Azorbix. ( ;'s count as starting a comment i.e '//', ;'s are used for commenting like in VB with asm and inline asm)

BTW I tried that once and it makes no difference at all 5hard, it really isn't worth it.

The error is because your trying to push something that isn't known in ASM, the 'GLsizei'.

As far as I know there is no solution.

in your declairations, replace 'GLsizei count' with 'int count', im pretty sure it will work.

Thanks, I'll try it.

<EDIT>
I tried it, I still get the same error.

Well just to add this.. if you get access to the client funcs (somehow.. possible through pointers) you can actually have pEngFuncs pointer and the others passed to you.. just log those and viola.. u got them..

Originally posted by Xen
No you don't Azorbix. ( ;'s count as starting a comment i.e '//', ;'s are used for commenting like in VB with asm and inline asm)

BTW I tried that once and it makes no difference at all 5hard, it really isn't worth it.

The error is because your trying to push something that isn't known in ASM, the 'GLsizei'.

As far as I know there is no solution.
GLsizei = int
This is from gl.h:

typedef int GLsizei;
And I tried using 'int count'
So, anyone know what my problem is?

try:



void sys_glDrawElements (GLenum mode, GLsizei count, GLenum type, const GLvoid *indices)
{
__asm {
push [indices]
push type
push count
push mode
call dword ptr [orig_glDrawElements]
}
}

the call might work without dwort ptr but i suppose that might work... if it doesn't issue errors on GLenum, it's not going to issue one on GLsizei, i think it's because you were pushing a pointer as a variable

ok so how do you get the offsets for engfuncs? :)

Originally posted by Cheetah
try:



void sys_glDrawElements (GLenum mode, GLsizei count, GLenum type, const GLvoid *indices)
{
__asm {
push [indices]
push type
push count
push mode
call dword ptr [orig_glDrawElements]
}
}

the call might work without dwort ptr but i suppose that might work... if it doesn't issue errors on GLenum, it's not going to issue one on GLsizei, i think it's because you were pushing a pointer as a variable
Still no luck :mad:, the error is pointing to 'push count' and it says it found a new line so the error could also be at 'push type'

DWORD m, c, t, pi;
m=mode;
c=count;
t=type;

_asm
{
push indices
push t
push c
push m
call [orig_glDrawElements]
}

Originally posted by exrazile
ok so how do you get the offsets for engfuncs? :)

this thread got waaaaaay derailed...

however, exrazile's comment parallels my original request...

Originally posted by MrHax
DWORD m, c, t, pi;
m=mode;
c=count;
t=type;

_asm
{
push indices
push t
push c
push m
call [orig_glDrawElements]
}

Thanks MrHax :D, works perfectly.
But what is 'pi' for?

yes please... lets actually get the tutorial we asked for :(

second that

i'm bumping my own thread in a subforum with a total of 5

lol i thought i found a way to to it but guess not! :(

Here's one way... thx to billdoor :)

<table> would anyone please point me to a tutorial on how to find the offset for engfuncs? i looked everywhere, cant find one.. :(
<table> also.. anyone got the new offsets?
<%billdoor> get the half life sdk
<%billdoor> compile a new mod
<%billdoor> load it up in steam
<%billdoor> print out engfuncs
<%billdoor> its the same for all mods
<%Da_BuzZ|Gaming> billdoor: you should write a tut!! :D
<%billdoor> its kind of simple for a tut :(
<%ZOX|Azorbix> do it
<%billdoor> I think I'm going to make a new HL/HL2 mod when I get some free time
<%billdoor> it will be like HLDM but with collectable weapons, Diablo 2 style
<table> lol this is gonna sound ultra-noob
<%billdoor> table you can just do fprintf(fp, "%x", pEngfuncs) in one of the client functions to dump the offset to a file
<table> but i dunno how to make a mod... all i've done is take a base hook ect :P
<+Xen> dont say it then!
<%billdoor> get the SDK
<%billdoor> there's a project set up for cl_dll
<+Xen> do you need the full SDK or just the source?
<%billdoor> you just have to put some code to dump the engfuncs in somewhere -- doesnt really matter where, even if it dumps it 10 times a frame
<%billdoor> just the source I think
<%billdoor> but it probably has to be 2.3
<%billdoor> you dontn really have to make a new mod
<table> where can i get the sdk
<%billdoor> you can just replace the Half-Life client.dll and set it readonly so steam doesnt replace it, then load normal HL
<%billdoor> www.valve-erc.com has it for download
<%billdoor> although I think that site redirects to the new one
<%billdoor> its like 30mb for the source only, 100mb for the full sdk
<+Xen> yah i downloaded it like 20 minutes ago
<+Xen> 5mb for source only
<%billdoor> oh, cool
<+Xen> you stand corrected!!!
<%billdoor> :(
<table> ok so... i replace the original client.dll with mine
<table> which mod tho?
<%billdoor> HLDM
<table> ahh ok
<%billdoor> or DMC
<%billdoor> theyre the only ones you have source for
<table> gotcha
<%billdoor> and I think the partial SDK only has HLDM... not certain
<table> where should i print it to the file? in initialize?
<%billdoor> HUD_Init is good
<+Xen> doesn't matter at all
<+Xen> aslong as you print
<table> mmkay
<%billdoor> but the Initialize is fine as long as you do it after the funs are loaded
<table> cool! thanks man

What a simple way, effective too :p

yea lol i tried that but for some reason im getting whacked out addresses that are totally wrong.

Yea, I tried to do this the other day, but HL keeps saying my client.dll is not a valid Window's image, any ideas?

(it's in release mode)

u gotta right click on your client.dll and go to properties, then make it "read only" :)

Ahh... thanks, that fixed it. Got the correct addresses too.

edit: By the way, is there a way to make a file read only with the DOS prompt (In VC++6, under Custom Build)?

so weird... i get the wrong addresses. What function are you outputting the address in?

At the end of Initialize. (before 'return 1;')

as am I...but the addresses are wrong too 0:

Mmmm, that's messed up. ;)

oh it's because you are printing gEngfuncs...do pEnginefuncs

oh sweet. Well what about engstudio? i keep getting the wrong offsets for that too...

pEnginefuncs: 0x01EAC270
pEnginefuncs->pEfxAPI: 0x01EC7600
pEnginefuncs->pTriAPI: 0x01EC7CE8
pEnginefuncs->pNetAPI: 0x01EC1BC0
pEnginefuncs->pDemoAPI: 0x01EAD28C
pEnginefuncs->pEventAPI: 0x01EB64F8
pEnginefuncs->pVoiceTweak: 0x01ED2D80
ppmove: 0x02D4F320
pEngstudio: 0x01EC7A60


look about right?

Looks right to me, but btw what do you all use ppmove for? No recoil/nospread? I've never used it before because I've always had other methods for norecoil/nospread, but if that's not what it is for please tell me.

well pmove is used for bunnyhopping and other similair things

dont use the other ones personally

i had a problem with this:

02:59:24 - pEnginefuncs: 0x1eac270
02:59:24 - pEngstudio: 0x0
02:59:24 - ppmove: 0x0

i tried using various forms of pmove and enginestudio for logging but i can never get them to work right...

where are you finding engstudio and pmove in the source

i tried gathering the values by using externs;

extern playermove_s *ppmove;
extern engine_studio_api_t *pstudio;

and get unresolved externals

unresolved external symbol "struct playermove_s * ppmove" (?ppmove@@3PAUplayermove_s@@A)

i tried calling it directly since it's needed to initialize any way:


void DLLEXPORT HUD_PlayerMoveInit( struct playermove_s *ppmove )
{
PM_Init( ppmove );
}


but i cant seem to find the right variable and/or how to link to it->

but as you can see i had no problem with engfuncs

log_add("pEnginefuncs: 0x%x",pEnginefuncs);
log_add("pEngstudio: 0x%x",pstudio);
log_add("ppmove: 0x%x",ppmove);

eh? help?

I only know this because someone was kind enough to send me what you need to insert into the project.

Inside cdll_int.cpp look for HUD_PlayerMoveInit and grab the address for ppmove there after the call to PM_Init.

For the other one, look inside GameStudioModelRenderer.cpp for the HUD_GetStudioModelInterface function... Before it returns you can get pEngstudio.

do someone know how to get the last value ?


cl_enginefuncs_s = 0x01eac270
engine_studio_api_s = 0x01ec7A60
slots = 0x01eac478

when the addresses changed last time and nobody could find ppmove i went and found it using a hex editor and my brain
i was the first hurray for me :D

I am able to see value of pointer at 0x01eac270 How to use it ? Do you have little code about that ? not full souce code like ogc... Too complex to understand when we start !

ThX