Blizzhackers

Hi everyone,

I'm trying to develop an applet for the Logitech G19 Keyboard. My goal is, that the display shows the current supply and the current supply cap and warns you, if you are getting close to a supply block.
The programm is written in Visual Basic and is currently taking screenshots from the upper right corner and an OCR-Software detects the current supply and supply cap. This takes minimum 2 seconds, because the screenshot has to be stored so that it can be analysed.
After finally getting the keyboards display to work, i want to change this. So that the supply is shown in real time. This brought me to the idea of accessing the memory data of Starcraft 2. I've seen many tutorials and HowTos but none of them worked for me. What I found is the current amount of minerals, gas and workers and the collected amount of minerals and gas. Now I tasted blood and I want to include this in the applet too, but before this, I want to get the supply block warner work.
I cheat engined me through the memory but with no success.

But before we go on, let me tell you something about me:
I'm not a top programmer. The last programm in C I wrote is more than 10 years ago. I have no idea of C++, C#, Assembler or anything of this hardware near languages. I try to consider what I want, and what I need for my programm and try to make it happened. If my knowledge is at the end, I try to puzzle with google and forums. I have no idea of pointers or something, but I try to understand as much as possible.
My goal is not, that you guys tell me: "take address 0x0293209, this is what you want" and after the next patch I have to ask again. I want to understand how to get these addresses so i can do it on my own. Currently I even have no idea what to do with it in Visual Basic , but a few weeks ago, I even had no idea how to show something on the keyboards display.

So when you say, it's hopeless, I have to get more knowledge because this can't be explained, then tell me this and I will try to live with that

Can we go on?

So, how can I find the data I need in the memory of SC2? Is Cheat Engine the way to go or something else? I searched for current supply und the current supply cap, but i didn't found static addresses or the base addresses. Then I thought, maybe Blizzard is counting the pylons,depos etc. but even now luck with this. I only found dynamic addresses and when I searched with cheat engine what writes these addresses I ended up in an dead-end street. So what I'm doing wrong?

best thing you can hope for is to get addresses from somebody who will explain you how to use them and then make signatures and hope they won't break in next patch(es)(they dont most of the time)

CE is okay. Use it. Easy to use, powerful and free.

If you want to get the Supply on your own (without knowledge about it) you can do it like that:
(Lets assume you are in a game with no AI, you are Terran and start with 10 Supply):
1.) Search for an unknown value.
2.) Go in the game and build a supply. You have 18 Supply now.
3.) Search for an increased value
You repead those steps untill you have a few results left.

Lets assume you have found 6 results.
Some are green and black.
You put all results into the lower box where you can edit stuff.
Before changing them to some value, you know that they are not equal to the supply.
You could safe the current value and build another supply.
Or you divide the result by the ingame supply.
In both cases you get 4096.

Now you change the value of the results.
Because you know, that the values have anything to do with 4096, you simply add 4096.

If the value doesn't change by itself, it's a changeable value.
That means you could change it to 0 and make a lot units.

But that's not all. If you changed the value, it has to be changed ingame too.
If it did change, you are fine. If it didn't it's probably write- protected or the game copies stuff to that address.
So it' not the golden one.


But lets assume you've got the value that changes the ingame supply.
If this value is colored green (by CE) you are done.
Just implement the Baseaddress of SC2 and the address given by CE (when you double- click on the address).

Now you have the information about the supply.
But this is kinda static. It is only valid if you are on the first position (That changed with every new game you join, sometimes you are left, sometimes you are right).
You need to find out how many players are in that game and which player are you.


Another thing is to look at is the way Blizzard stores that information.
They did something weird with 1.5.3.
But I already screw you enough.


However, to use the stuff I just told you, you need functions.
Mostly, you use the WinAPI.
Functions like "ReadProcessMemory", "OpenProcess" and "CloseHandle" are essential for this task.


I actually don't know how to code in VB. I just think it's disgusting as hell.
Isn't there another way to put information to your display?

Btw. There are OpenSource- Hacks for the current version of SC2.
The first one is a mix of C# and C/C++.
https://github.com/MrNukealizer/SCII-External-Maphack

This one is completely in C#
https://github.com/bellaPatricia/AnotherSc2Hack


I'm posting C# sources because you can convert them kinda easily.


Hope this helps.

Thanks a lot. I have found the values for the supply und supply cap.
Now i try to figure out, how I can use them.

My problem is, that I have no idea of C# or C/C++ and my existing programm is already written in VB. I think that VB Code is a little bit easier to understand.
I used a wrapper (dll) for the display. The examples in the wrapper is written in C# and VB. VB was the one I understand the most so I used it and it worked.

I will look at the links, maybe I can build dlls und use them in my VB project.

Nearly a month later…..

My program is done and does more, then I could ever imagine.
The link (especially to the external maphack) helped me much to understand, what to do and how to find the addresses on my own.

I don’t know how easy it would have been with C# or C++. But everything was possible in Visual Basic. I read in many forums, that you have to get lower for tasks like reading the memory, but even getting the address to which a pointer points to (units lost sum for example), was possible.

At the beginning I faced the problem you told me. I tested vs. AI and was happy about the data on my display and then in my first match on ladder, I was player 2 and the data I saw was not mine. But StarCraft has a value which says, what player number the local player has and so I can display only this data.

Thank you so much for your informations. The links and the fact, that the supply is multiplied with 4096 helped me a lot.

How are the chances of being detected? I’m not hooking or injecting StarCraft or writing to it’s memory. Is it still possible to get detected by Blizzard? Is there an easy way to prevent it?
What are signatures DefNotACop is talking about in the first reply? Are they necessary?

Glad it worked out well for you.
Actually, you made me interested in your program.

Would you mind to upload some pictures?


About detection:
Currently, Blizzard is not allowed to scan your PC for hacks and such.
Since you only read memory, they can't detect this directly.
So you are safe.

If the law- situation changes, you have to get other mechanisms to get your tool working.


These signatures help to find addresses.
Think about the following situation:
There is a new patch that changed your addresses. So you have to search them again.
Really annoying.

However, it is possible to signature scan your addresses and be able to "restore" your invalid addresses.
This allows you to make quicker updates or even let the tool update itself.

There are tools that help creating signatures (Ollydbg + SignatureScanner.dll).

I don't understand the thing with the signatures. I think there is no problem to find the addresses again. I thought anyways, that there is no other way after a patch.

Here is a picture of the start screen. Everything you see in the picture box is also shown on the keyboards display.




If the programm detects a running match it displays either a 1 player screen or a 2 player screen. In 2 player screen the values that are whorse compared to the opponents values, are marked red. The two player screen shows only, if I play or allow the program to show it, otherwise it only shows the local player. If you play in 2 player screen, the local player column is marked with a white rectangle (not shown in the picure because none of the palyers are me).



You can load any background picture for "eye candy". At the moment it is only black.
In the future my girlfriend is making background pictures for 1 player screen with the symbols of supply, gas and minerals to make it look more fancy.

Those pictures are basically displayed on the keyboard? If so, cool.

Signature updating method. Basically it's using opcodes/bytes. You scan through a process memory looking for your buffer of opcodes, if found, that's your offset.

Yes, those picture are displayed on the keyboard und beeing updated nearly in real time. The interval of the timer are only a few ms.

Yesterday I tried to understand what signatures are and how to make them. I watched a video on Youtube and read something, but I still have no idea what to do.
If I'm not mistaken, than a signature is some kind of fingerprint of a process that writes the memory, right? And if the address has changed in a future patch, you can search for this fingerprint without using cheat engine again, to determ the new address, also right? If so, this is absolutely cool.
At the moment I use the address for current minerals, gas, supply etc. Do I have to make a signature for every address I use? Are there any easy to understand howtos? Or can this be explained here with the supply for example?

A signature isn't required but really a time-saver when Blizzard updates.

http://www.youtube.com/watch?v=OOFvxtJPulg

That video should help you better understand it. It's not a fingerprint of a process that writes the memory. Example:

Opcodes, Signature, Bytes, whatever you wanna call them. In my example I'll call it opcodes.

SC2: V2.0.7

SC2: V2.0.8


See how the only thing that changed was the offset? You can easily search for the offset by coding a signature scanner. In your signature scanner, you would scan for these bytes/opcodes "0B 01 00 00 00" which converts to mov eax, 1. Then you have your address. If your signature scanner finds those bytes, you save the address, and done. How would you do this to SC2? Get the module base, search for the pattern/signature of the offset you want, once a match is found 100%, save it in a variable.

This was the video I already watched. I rewatched it but I'm still not sure what to do.

I downloaded ollydgb but plugins are disabled. Where can I get the signature scanner and how do I install it?

I read another tutorial which should explain how to use ollydbg, but this guy is searching for some text, but still give me some information.

What I learned is: Start Starcraft than click attach in ollydbg press F9 till the games runs on it's own again. And now? I changed the addressing in the lower left to "relative to modul base". I've found my addresses but have no idea what to do. This brought me back to Cheat Engine. If you right click an a address, you can select "find out what writes this address". This gave me the following:



The upper block looks like your opcodes. Right? If yes, than what is the next step?

http://tuts4you.com/download.php?view.3079

Just download that and place the plugin in the same directory as OllyDBG and it should auto-load it (I think). Your not trying to make a auto-update offsets feature? I thought you were.

SC2 uses ASLR which basically means you gotta do base + relative (if thats the correct terminology). Here is what I do in masm to achieve this easily:

SC2 v2.0.7


EAX returns the offset I originally wanted then I save it in a variable. If you need one for C#, which can be converted to VB, I have a function for it in that I think.



Those are registers. For a simple mem read/write hack, you shouldn't really be focusing on those unless your setting a breakpoint on something. If you still didn't learn anything after these, read some tutorials . You can look through here http://www.d3scene.com/forum/starcraft-2-coding/ . You can look at my old hack source code for 1.3.2 http://bhfiles.com/files/StarCraft%20II ... e_code.zip .

http://forum.cheatengine.org/viewtopic.php?t=514168
http://bot-area.net/FileArchive/tutorials/sc2cht.pdf (highly recommended read)

After your post I thought it would be nice with an auto updater. But I think this to difficult for me. Then I thought, I can make signatures with ollydbg and search for them after the next patch to get the new addresses, but I don't know how to do it or if it works. I read through the stuff in your links, but this is to much for me.

After patch 2.0.8 it was easy to get the new addresses. So I'm fine at the moment. The only thing I'm concerned about is: what happens, if Blizzard changes the players record. In patch 2.0.8 the size is still 0xCE0 and all data is at the same offset as before. MrNukealizer did a great job in discovering the offsets in the players record. But he hasn't updated his tool yet, so I think he is never updating it again. The same is with BellaPatricias Hack.

@bellaPatricia
are you the same BellaPatricia, who developed "AnotherSC2Hack"? Are you a German guy? Some variables like ZuInfestedTerran, ZuBanelingCocoon, ZuBaneling sound german.

Sure it is easy to find the minerals, gas etc. but playerstatus which only changes at the end of a game is hard to find. Are there any easy ways to analyze the players record? I think it is easy to determ the players record size. Now the programm has to analyze within this range and say that at the beginning is a 4 byte variable, followed by 1 byte variable ....
Is this possible? Sure, with ollydbg and signatures you can find this immediately, but not me, I don't understand what to do.

Yes.
How come that ZergunitInfestedTerran sounds German?

There is a signature or a location that tells you the explicit size of the player and unitstruct.
I asked the posters of these locations how they got them (as it is really nice). They didn't knew either.[/quote]

Ahhh it means ZergunitInfestedTerran. First my brain was hiding Terran, so I read ZuInfested which meant to me larva morph to infestor, zergling morph to baneling cocoon etc.

Zu is the german word for to, so I thought you maybe a german guy.

The size of the playerstruct is not the problem, if they change it, I think. But if they change the struct itself, so that the status is no more 0x1E from the beginning of the playerstruct, because they added something before it. Hope that don't happened or somebody analyze it again.