1.15.1 Offsets / Functions / Notes

**LCSBSSRHXXX** · 08-21-2007 02:32 PM

I made this list right after the patch yesterday in about 10 min but then the site went down so I couldn't post it up.

Post 1.15.1 offsets, functions and notes here, please moderate this thread heavily, spam is not tolerated in this thread what so ever.

*If you use offsets from this thread give the person who found them full credit for what they did.

Code:

005122C8 - ver #
19044EA8 - spoofer
00596870 - HH

Public text printing function:

Code:

004F2EC0  /$ 56             PUSH ESI
004F2EC1  |. 8BF0           MOV ESI,EAX
004F2EC3  |. 0FB605 2CC1680>MOVZX EAX,BYTE PTR DS:[68C12C]
004F2ECA  |. 83E8 02        SUB EAX,2                                ;  Switch (cases 2..3)
004F2ECD  |. 57             PUSH EDI
004F2ECE  |. 66:8B3D C2F157>MOV DI,WORD PTR DS:[57F1C2]
004F2ED5  |. 74 17          JE SHORT StarCraf.004F2EEE
004F2ED7  |. 48             DEC EAX
004F2ED8  |. 75 1D          JNZ SHORT StarCraf.004F2EF7
004F2EDA  |. E8 71CBF9FF    CALL StarCraf.0048FA50                   ;  Case 3 of switch 004F2ECA
004F2EDF  |. E8 9CF1FCFF    CALL StarCraf.004C2080
004F2EE4  |. 66:893D C2F157>MOV WORD PTR DS:[57F1C2],DI
004F2EEB  |. 5F             POP EDI
004F2EEC  |. 5E             POP ESI
004F2EED  |. C3             RETN
004F2EEE  |> 66:C705 C2F157>MOV WORD PTR DS:[57F1C2],0FFFF           ;  Case 2 of switch 004F2ECA
004F2EF7  |> E8 84F1FCFF    CALL StarCraf.004C2080                   ;  Default case of switch 004F2ECA
004F2EFC  |. 66:893D C2F157>MOV WORD PTR DS:[57F1C2],DI
004F2F03  |. 5F             POP EDI
004F2F04  |. 5E             POP ESI
004F2F05  \. C3             RETN

Client-sided text printing function:

Code:

0048CD60  /$ 85FF           TEST EDI,EDI
0048CD62  |. 56             PUSH ESI
0048CD63  |. 8BF0           MOV ESI,EAX
0048CD65  |. 74 71          JE SHORT StarCraf.0048CDD8
0048CD67  |. 85F6           TEST ESI,ESI
0048CD69  |. 75 05          JNZ SHORT StarCraf.0048CD70
0048CD6B  |. BE 581B0000    MOV ESI,1B58
0048CD70  |> 6A 00          PUSH 0                                   ; /Arg3 = 00000000
0048CD72  |. FF15 C4E04F00  CALL DWORD PTR DS:[<&KERNEL32.GetTickCou>; |[GetTickCount
0048CD78  |. 03C6           ADD EAX,ESI                              ; |
0048CD7A  |. 50             PUSH EAX                                 ; |Arg2
0048CD7B  |. 6A 03          PUSH 3                                   ; |Arg1 = 00000003
0048CD7D  |. 8BC7           MOV EAX,EDI                              ; |
0048CD7F  |. E8 4CFCFFFF    CALL StarCraf.0048C9D0                   ; \StarCraf.0048C9D0
0048CD84  |. A1 CCDF6C00    MOV EAX,DWORD PTR DS:[6CDFCC]
0048CD89  |. 85C0           TEST EAX,EAX
0048CD8B  |. 74 4B          JE SHORT StarCraf.0048CDD8
0048CD8D  |. 0FB605 47C4680>MOVZX EAX,BYTE PTR DS:[68C447]
0048CD94  |. B9 63000000    MOV ECX,63
0048CD99  |. 3BC1           CMP EAX,ECX
0048CD9B  |. 7C 0F          JL SHORT StarCraf.0048CDAC
0048CD9D  |. 85C0           TEST EAX,EAX
0048CD9F  |. 7D 04          JGE SHORT StarCraf.0048CDA5
0048CDA1  |. 33C9           XOR ECX,ECX
0048CDA3  |. EB 07          JMP SHORT StarCraf.0048CDAC
0048CDA5  |> 83F8 63        CMP EAX,63
0048CDA8  |. 7C 02          JL SHORT StarCraf.0048CDAC
0048CDAA  |. 8BC8           MOV ECX,EAX
0048CDAC  |> A1 54086400    MOV EAX,DWORD PTR DS:[640854]
0048CDB1  |. 85C0           TEST EAX,EAX
0048CDB3  |. 74 12          JE SHORT StarCraf.0048CDC7
0048CDB5  |. B8 67666666    MOV EAX,66666667
0048CDBA  |. F7E9           IMUL ECX
0048CDBC  |. D1FA           SAR EDX,1
0048CDBE  |. 8BC2           MOV EAX,EDX
0048CDC0  |. C1E8 1F        SHR EAX,1F
0048CDC3  |. 03C2           ADD EAX,EDX
0048CDC5  |. 8BC8           MOV ECX,EAX
0048CDC7  |> 83F9 0A        CMP ECX,0A
0048CDCA  |. 7E 0C          JLE SHORT StarCraf.0048CDD8
0048CDCC  |. 6A 00          PUSH 0                                   ; /Arg4 = 00000000
0048CDCE  |. 6A 00          PUSH 0                                   ; |Arg3 = 00000000
0048CDD0  |. 51             PUSH ECX                                 ; |Arg2
0048CDD1  |. 6A 17          PUSH 17                                  ; |Arg1 = 00000017
0048CDD3  |. E8 18F10200    CALL StarCraf.004BBEF0                   ; \StarCraf.004BBEF0
0048CDD8  |> 5E             POP ESI
0048CDD9  \. C3             RETN

Starcraft's screen drawing function:

Code:

0048CC00  /$ 55             PUSH EBP
0048CC01  |. 8BEC           MOV EBP,ESP
0048CC03  |. 51             PUSH ECX
0048CC04  |. 8B0D E0E06C00  MOV ECX,DWORD PTR DS:[6CE0E0]
0048CC0A  |. 53             PUSH EBX
0048CC0B  |. 56             PUSH ESI
0048CC0C  |. 57             PUSH EDI
0048CC0D  |. E8 0E2FF9FF    CALL StarCraf.0041FB20
0048CC12  |. 0FB61D 400B640>MOVZX EBX,BYTE PTR DS:[640B40]
0048CC19  |. BF 70000000    MOV EDI,70
0048CC1E  |. C745 FC 0B0000>MOV DWORD PTR SS:[EBP-4],0B
0048CC25  |. BE 0A000000    MOV ESI,0A
0048CC2A  |. 8D9B 00000000  LEA EBX,DWORD PTR DS:[EBX]
0048CC30  |> 8BC3           /MOV EAX,EBX
0048CC32  |. 69C0 DA000000  |IMUL EAX,EAX,0DA
0048CC38  |. 8D90 480B6400  |LEA EDX,DWORD PTR DS:[EAX+640B48]
0048CC3E  |. 803A 00        |CMP BYTE PTR DS:[EDX],0
0048CC41  |. 74 43          |JE SHORT StarCraf.0048CC86
0048CC43  |. 8A83 5C166400  |MOV AL,BYTE PTR DS:[EBX+64165C]
0048CC49  |. E8 B229F9FF    |CALL StarCraf.0041F600
0048CC4E  |. 8B0D 54096400  |MOV ECX,DWORD PTR DS:[640954]
0048CC54  |. 0FB7C7         |MOVZX EAX,DI
0048CC57  |. 03CF           |ADD ECX,EDI
0048CC59  |. 50             |PUSH EAX                                ; /Arg1
0048CC5A  |. 8BC2           |MOV EAX,EDX                             ; |
0048CC5C  |. C605 F8E06C00 >|MOV BYTE PTR DS:[6CE0F8],11             ; |
0048CC63  |. 66:8935 B0E06C>|MOV WORD PTR DS:[6CE0B0],SI             ; |
0048CC6A  |. 66:C705 B4E06C>|MOV WORD PTR DS:[6CE0B4],276            ; |
0048CC73  |. 66:893D B2E06C>|MOV WORD PTR DS:[6CE0B2],DI             ; |
0048CC7A  |. 66:890D B6E06C>|MOV WORD PTR DS:[6CE0B6],CX             ; |
0048CC81  |. E8 1A36F9FF    |CALL StarCraf.004202A0                  ; \StarCraf.004202A0
0048CC86  |> 8B0D 080B6400  |MOV ECX,DWORD PTR DS:[640B08]
0048CC8C  |. 8D43 01        |LEA EAX,DWORD PTR DS:[EBX+1]
0048CC8F  |. 99             |CDQ
0048CC90  |. 03F9           |ADD EDI,ECX
0048CC92  |. B9 0B000000    |MOV ECX,0B
0048CC97  |. F7F9           |IDIV ECX
0048CC99  |. FF4D FC        |DEC DWORD PTR SS:[EBP-4]
0048CC9C  |. 8BDA           |MOV EBX,EDX
0048CC9E  |.^75 90          \JNZ SHORT StarCraf.0048CC30
0048CCA0  |. A0 80156400    MOV AL,BYTE PTR DS:[641580]
0048CCA5  |. 84C0           TEST AL,AL
0048CCA7  |. 74 4C          JE SHORT StarCraf.0048CCF5
0048CCA9  |. A0 68166400    MOV AL,BYTE PTR DS:[641668]
0048CCAE  |. E8 4D29F9FF    CALL StarCraf.0041F600
0048CCB3  |. 8B15 54096400  MOV EDX,DWORD PTR DS:[640954]
0048CCB9  |. 81C2 27010000  ADD EDX,127
0048CCBF  |. 68 27010000    PUSH 127                                 ; /Arg1 = 00000127
0048CCC4  |. B8 80156400    MOV EAX,StarCraf.00641580                ; |
0048CCC9  |. C605 F8E06C00 >MOV BYTE PTR DS:[6CE0F8],12              ; |
0048CCD0  |. 66:8935 B0E06C>MOV WORD PTR DS:[6CE0B0],SI              ; |
0048CCD7  |. 66:C705 B4E06C>MOV WORD PTR DS:[6CE0B4],276             ; |
0048CCE0  |. 66:C705 B2E06C>MOV WORD PTR DS:[6CE0B2],127             ; |
0048CCE9  |. 66:8915 B6E06C>MOV WORD PTR DS:[6CE0B6],DX              ; |
0048CCF0  |. E8 AB35F9FF    CALL StarCraf.004202A0                   ; \StarCraf.004202A0
0048CCF5  |> A0 A6146400    MOV AL,BYTE PTR DS:[6414A6]
0048CCFA  |. 84C0           TEST AL,AL
0048CCFC  |. 74 49          JE SHORT StarCraf.0048CD47
0048CCFE  |. A0 67166400    MOV AL,BYTE PTR DS:[641667]
0048CD03  |. E8 F828F9FF    CALL StarCraf.0041F600
0048CD08  |. A1 54096400    MOV EAX,DWORD PTR DS:[640954]
0048CD0D  |. 83C0 18        ADD EAX,18
0048CD10  |. BE A4010000    MOV ESI,1A4
0048CD15  |. 66:A3 B6E06C00 MOV WORD PTR DS:[6CE0B6],AX
0048CD1B  |. 6A 18          PUSH 18                                  ; /Arg1 = 00000018
0048CD1D  |. B8 A6146400    MOV EAX,StarCraf.006414A6                ; |
0048CD22  |. C605 F8E06C00 >MOV BYTE PTR DS:[6CE0F8],14              ; |
0048CD29  |. 66:8935 B0E06C>MOV WORD PTR DS:[6CE0B0],SI              ; |
0048CD30  |. 66:C705 B4E06C>MOV WORD PTR DS:[6CE0B4],26C             ; |
0048CD39  |. 66:C705 B2E06C>MOV WORD PTR DS:[6CE0B2],18              ; |
0048CD42  |. E8 5935F9FF    CALL StarCraf.004202A0                   ; \StarCraf.004202A0
0048CD47  |> 33C9           XOR ECX,ECX
0048CD49  |. E8 D22DF9FF    CALL StarCraf.0041FB20
0048CD4E  |. 5F             POP EDI
0048CD4F  |. 5E             POP ESI
0048CD50  |. 5B             POP EBX
0048CD51  |. 8BE5           MOV ESP,EBP
0048CD53  |. 5D             POP EBP
0048CD54  \. C3             RETN

Campaign Editor Link:

Code:

004DB0A1  |. 52             PUSH EDX                                 ; /pProcessInfo
004DB0A2  |. 8D45 AC        LEA EAX,DWORD PTR SS:[EBP-54]            ; |
004DB0A5  |. 50             PUSH EAX                                 ; |pStartupInfo
004DB0A6  |. 8D8D A8FEFFFF  LEA ECX,DWORD PTR SS:[EBP-158]           ; |
004DB0AC  |. 51             PUSH ECX                                 ; |CurrentDir
004DB0AD  |. 6A 00          PUSH 0                                   ; |pEnvironment = NULL
004DB0AF  |. 6A 20          PUSH 20                                  ; |CreationFlags = NORMAL_PRIORITY_CLASS
004DB0B1  |. 6A 00          PUSH 0                                   ; |InheritHandles = FALSE
004DB0B3  |. 6A 00          PUSH 0                                   ; |pThreadSecurity = NULL
004DB0B5  |. 6A 00          PUSH 0                                   ; |pProcessSecurity = NULL
004DB0B7  |. 8D95 A4FDFFFF  LEA EDX,DWORD PTR SS:[EBP-25C]           ; |
004DB0BD  |. 52             PUSH EDX                                 ; |CommandLine
004DB0BE  |. 6A 00          PUSH 0                                   ; |ModuleFileName = NULL
004DB0C0  |. C745 AC 440000>MOV DWORD PTR SS:[EBP-54],44             ; |
004DB0C7  |. FF15 34E14F00  CALL DWORD PTR DS:[<&KERNEL32.CreateProc>; \CreateProcessA

**LCSBSSRHXXX** · 08-21-2007 02:34 PM

Battle.net /commands:

Code:

0047FC7D  |. 6A 00          PUSH 0                                   ; /Arg2 = 00000000
0047FC7F  |. 8D45 FC        LEA EAX,DWORD PTR SS:[EBP-4]             ; |
0047FC82  |. 8D77 01        LEA ESI,DWORD PTR DS:[EDI+1]             ; |
0047FC85  |. 50             PUSH EAX                                 ; |Arg1
0047FC86  |. B9 08000000    MOV ECX,8                                ; |
0047FC8B  |. B8 50455000    MOV EAX,StarCraf.00504550                ; |ASCII "squelch "
0047FC90  |. 8BD6           MOV EDX,ESI                              ; |
0047FC92  |. E8 A9FBFFFF    CALL StarCraf.0047F840                   ; \StarCraf.0047F840
0047FC97  |. 85C0           TEST EAX,EAX
0047FC99  |. 0F85 8E010000  JNZ StarCraf.0047FE2D
0047FC9F  |. 50             PUSH EAX                                 ; /Arg2
0047FCA0  |. 8D4D FC        LEA ECX,DWORD PTR SS:[EBP-4]             ; |
0047FCA3  |. 51             PUSH ECX                                 ; |Arg1
0047FCA4  |. B9 07000000    MOV ECX,7                                ; |
0047FCA9  |. B8 48455000    MOV EAX,StarCraf.00504548                ; |ASCII "ignore "
0047FCAE  |. 8BD6           MOV EDX,ESI                              ; |
0047FCB0  |. E8 8BFBFFFF    CALL StarCraf.0047F840                   ; \StarCraf.0047F840
0047FCB5  |. 85C0           TEST EAX,EAX
0047FCB7  |. 0F85 70010000  JNZ StarCraf.0047FE2D
0047FCBD  |. 50             PUSH EAX                                 ; /Arg2
0047FCBE  |. 8D55 FC        LEA EDX,DWORD PTR SS:[EBP-4]             ; |
0047FCC1  |. 52             PUSH EDX                                 ; |Arg1
0047FCC2  |. B9 0A000000    MOV ECX,0A                               ; |
0047FCC7  |. B8 3C455000    MOV EAX,StarCraf.0050453C                ; |ASCII "unsquelch "
0047FCCC  |. 8BD6           MOV EDX,ESI                              ; |
0047FCCE  |. E8 6DFBFFFF    CALL StarCraf.0047F840                   ; \StarCraf.0047F840
0047FCD3  |. 85C0           TEST EAX,EAX
0047FCD5  |. 0F85 CC000000  JNZ StarCraf.0047FDA7
0047FCDB  |. 50             PUSH EAX                                 ; /Arg2
0047FCDC  |. 8D45 FC        LEA EAX,DWORD PTR SS:[EBP-4]             ; |
0047FCDF  |. 50             PUSH EAX                                 ; |Arg1
0047FCE0  |. B9 09000000    MOV ECX,9                                ; |
0047FCE5  |. B8 30455000    MOV EAX,StarCraf.00504530                ; |ASCII "unignore "
0047FCEA  |. 8BD6           MOV EDX,ESI                              ; |
0047FCEC  |. E8 4FFBFFFF    CALL StarCraf.0047F840                   ; \StarCraf.0047F840
0047FCF1  |. 85C0           TEST EAX,EAX
0047FCF3  |. 0F85 AE000000  JNZ StarCraf.0047FDA7
0047FCF9  |. E8 52410400    CALL StarCraf.004C3E50
0047FCFE  |. 85C0           TEST EAX,EAX
0047FD00  |. 74 14          JE SHORT StarCraf.0047FD16
0047FD02  |. 57             PUSH EDI                                 ; /Arg1
0047FD03  |. E8 D8FCFFFF    CALL StarCraf.0047F9E0                   ; \StarCraf.0047F9E0
0047FD08  |. 5E             POP ESI
0047FD09  |. 5B             POP EBX
0047FD0A  |. B8 01000000    MOV EAX,1
0047FD0F  |. 5F             POP EDI
0047FD10  |. 8BE5           MOV ESP,EBP
0047FD12  |. 5D             POP EBP
0047FD13  |. C2 0400        RETN 4
0047FD16  |> 6A 01          PUSH 1                                   ; /Arg2 = 00000001
0047FD18  |. 8D4D FC        LEA ECX,DWORD PTR SS:[EBP-4]             ; |
0047FD1B  |. 51             PUSH ECX                                 ; |Arg1
0047FD1C  |. B9 08000000    MOV ECX,8                                ; |
0047FD21  |. B8 24455000    MOV EAX,StarCraf.00504524                ; |ASCII "whisper "
0047FD26  |. 8BD6           MOV EDX,ESI                              ; |
0047FD28  |. E8 13FBFFFF    CALL StarCraf.0047F840                   ; \StarCraf.0047F840
0047FD2D  |. 85C0           TEST EAX,EAX
0047FD2F  |. 75 55          JNZ SHORT StarCraf.0047FD86
0047FD31  |. 6A 01          PUSH 1                                   ; /Arg2 = 00000001
0047FD33  |. 8D55 FC        LEA EDX,DWORD PTR SS:[EBP-4]             ; |
0047FD36  |. 52             PUSH EDX                                 ; |Arg1
0047FD37  |. B9 04000000    MOV ECX,4                                ; |
0047FD3C  |. B8 1C455000    MOV EAX,StarCraf.0050451C                ; |ASCII "msg "
0047FD41  |. 8BD6           MOV EDX,ESI                              ; |
0047FD43  |. E8 F8FAFFFF    CALL StarCraf.0047F840                   ; \StarCraf.0047F840
0047FD48  |. 85C0           TEST EAX,EAX
0047FD4A  |. 75 3A          JNZ SHORT StarCraf.0047FD86
0047FD4C  |. 6A 01          PUSH 1                                   ; /Arg2 = 00000001
0047FD4E  |. 8D45 FC        LEA EAX,DWORD PTR SS:[EBP-4]             ; |
0047FD51  |. 50             PUSH EAX                                 ; |Arg1
0047FD52  |. B9 02000000    MOV ECX,2                                ; |
0047FD57  |. B8 18455000    MOV EAX,StarCraf.00504518                ; |ASCII "w "
0047FD5C  |. 8BD6           MOV EDX,ESI                              ; |
0047FD5E  |. E8 DDFAFFFF    CALL StarCraf.0047F840                   ; \StarCraf.0047F840
0047FD63  |. 85C0           TEST EAX,EAX
0047FD65  |. 75 1F          JNZ SHORT StarCraf.0047FD86
0047FD67  |. 6A 01          PUSH 1                                   ; /Arg2 = 00000001
0047FD69  |. 8D4D FC        LEA ECX,DWORD PTR SS:[EBP-4]             ; |
0047FD6C  |. 51             PUSH ECX                                 ; |Arg1
0047FD6D  |. B9 02000000    MOV ECX,2                                ; |
0047FD72  |. B8 14455000    MOV EAX,StarCraf.00504514                ; |ASCII "m "
0047FD77  |. 8BD6           MOV EDX,ESI                              ; |
0047FD79  |. E8 C2FAFFFF    CALL StarCraf.0047F840                   ; \StarCraf.0047F840
0047FD7E  |. 85C0           TEST EAX,EAX
0047FD80  |. 0F84 7D010000  JE StarCraf.0047FF03
0047FD86  |> 8B4D FC        MOV ECX,DWORD PTR SS:[EBP-4]
0047FD89  |. 8D14C9         LEA EDX,DWORD PTR DS:[ECX+ECX*8]
0047FD8C  |. 50             PUSH EAX                                 ; /Arg1
0047FD8D  |. 8B0495 E4EE570>MOV EAX,DWORD PTR DS:[EDX*4+57EEE4]      ; |
0047FD94  |. E8 77FDFFFF    CALL StarCraf.0047FB10                   ; \StarCraf.0047FB10

Protection:

Code:

004DFDF0  /$ 55             PUSH EBP
004DFDF1  |. 8BEC           MOV EBP,ESP
004DFDF3  |. 81EC 1C020000  SUB ESP,21C
004DFDF9  |. 53             PUSH EBX
004DFDFA  |. 33DB           XOR EBX,EBX
004DFDFC  |. 56             PUSH ESI
004DFDFD  |. 57             PUSH EDI
004DFDFE  |. 885D F4        MOV BYTE PTR SS:[EBP-C],BL
004DFE01  |. 885D F5        MOV BYTE PTR SS:[EBP-B],BL
004DFE04  |. 885D F6        MOV BYTE PTR SS:[EBP-A],BL
004DFE07  |. 885D F7        MOV BYTE PTR SS:[EBP-9],BL
004DFE0A  |. 885D F8        MOV BYTE PTR SS:[EBP-8],BL
004DFE0D  |. C645 F9 01     MOV BYTE PTR SS:[EBP-7],1
004DFE11  |. FF15 3CE24F00  CALL DWORD PTR DS:[<&KERNEL32.GetCurrent>; [GetCurrentProcess
004DFE17  |. 8BF0           MOV ESI,EAX
004DFE19  |. 8D45 EC        LEA EAX,DWORD PTR SS:[EBP-14]
004DFE1C  |. 50             PUSH EAX
004DFE1D  |. 53             PUSH EBX
004DFE1E  |. 53             PUSH EBX
004DFE1F  |. 53             PUSH EBX
004DFE20  |. 53             PUSH EBX
004DFE21  |. 53             PUSH EBX
004DFE22  |. 53             PUSH EBX
004DFE23  |. 53             PUSH EBX
004DFE24  |. 53             PUSH EBX
004DFE25  |. 6A 01          PUSH 1
004DFE27  |. 8D4D F4        LEA ECX,DWORD PTR SS:[EBP-C]
004DFE2A  |. 51             PUSH ECX
004DFE2B  |. 8975 E4        MOV DWORD PTR SS:[EBP-1C],ESI
004DFE2E  |. 895D EC        MOV DWORD PTR SS:[EBP-14],EBX
004DFE31  |. 895D FC        MOV DWORD PTR SS:[EBP-4],EBX
004DFE34  |. 895D E8        MOV DWORD PTR SS:[EBP-18],EBX
004DFE37  |. 895D F0        MOV DWORD PTR SS:[EBP-10],EBX
004DFE3A  |. FF15 14E04F00  CALL DWORD PTR DS:[<&ADVAPI32.AllocateAn>;  ADVAPI32.AllocateAndInitializeSid
004DFE40  |. 85C0           TEST EAX,EAX
004DFE42  |. 0F84 EF000000  JE StarCraf.004DFF37
004DFE48  |. 8D55 FC        LEA EDX,DWORD PTR SS:[EBP-4]
004DFE4B  |. 52             PUSH EDX                                 ; /phToken
004DFE4C  |. 6A 08          PUSH 8                                   ; |DesiredAccess = TOKEN_QUERY
004DFE4E  |. 56             PUSH ESI                                 ; |hProcess
004DFE4F  |. FF15 24E04F00  CALL DWORD PTR DS:[<&ADVAPI32.OpenProces>; \OpenProcessToken
004DFE55  |. 85C0           TEST EAX,EAX
004DFE57  |. 0F84 DA000000  JE StarCraf.004DFF37
004DFE5D  |. 8B4D FC        MOV ECX,DWORD PTR SS:[EBP-4]
004DFE60  |. 8D45 E8        LEA EAX,DWORD PTR SS:[EBP-18]
004DFE63  |. 50             PUSH EAX                                 ; /pRetLen
004DFE64  |. 53             PUSH EBX                                 ; |BufSize
004DFE65  |. 53             PUSH EBX                                 ; |Buffer
004DFE66  |. 6A 01          PUSH 1                                   ; |InfoClass = TokenUser
004DFE68  |. 51             PUSH ECX                                 ; |hToken
004DFE69  |. FF15 20E04F00  CALL DWORD PTR DS:[<&ADVAPI32.GetTokenIn>; \GetTokenInformation
004DFE6F  |. 8B75 E8        MOV ESI,DWORD PTR SS:[EBP-18]
004DFE72  |. 81FE 00040000  CMP ESI,400
004DFE78  |. 0F87 B9000000  JA StarCraf.004DFF37
004DFE7E  |. 8BC6           MOV EAX,ESI
004DFE80  |. 83C0 03        ADD EAX,3
004DFE83  |. 83E0 FC        AND EAX,FFFFFFFC
004DFE86  |. E8 F55FF2FF    CALL StarCraf.00405E80
004DFE8B  |. 8B45 FC        MOV EAX,DWORD PTR SS:[EBP-4]
004DFE8E  |. 8BFC           MOV EDI,ESP
004DFE90  |. 8D55 E8        LEA EDX,DWORD PTR SS:[EBP-18]
004DFE93  |. 52             PUSH EDX                                 ; /pRetLen
004DFE94  |. 56             PUSH ESI                                 ; |BufSize
004DFE95  |. 57             PUSH EDI                                 ; |Buffer
004DFE96  |. 6A 01          PUSH 1                                   ; |InfoClass = TokenUser
004DFE98  |. 50             PUSH EAX                                 ; |hToken
004DFE99  |. FF15 20E04F00  CALL DWORD PTR DS:[<&ADVAPI32.GetTokenIn>; \GetTokenInformation
004DFE9F  |. 85C0           TEST EAX,EAX
004DFEA1  |. 0F84 90000000  JE StarCraf.004DFF37
004DFEA7  |. 6A 02          PUSH 2
004DFEA9  |. 68 00020000    PUSH 200
004DFEAE  |. 8D8D E4FDFFFF  LEA ECX,DWORD PTR SS:[EBP-21C]
004DFEB4  |. 51             PUSH ECX
004DFEB5  |. FF15 18E04F00  CALL DWORD PTR DS:[<&ADVAPI32.Initialize>;  ADVAPI32.InitializeAcl
004DFEBB  |. 85C0           TEST EAX,EAX
004DFEBD  |. 74 78          JE SHORT StarCraf.004DFF37
004DFEBF  |. 8B55 EC        MOV EDX,DWORD PTR SS:[EBP-14]
004DFEC2  |. 52             PUSH EDX
004DFEC3  |. 68 FA000000    PUSH 0FA
004DFEC8  |. 6A 02          PUSH 2
004DFECA  |. 8D85 E4FDFFFF  LEA EAX,DWORD PTR SS:[EBP-21C]
004DFED0  |. 50             PUSH EAX
004DFED1  |. FF15 1CE04F00  CALL DWORD PTR DS:[<&ADVAPI32.AddAccessD>;  ADVAPI32.AddAccessDeniedAce
004DFED7  |. 85C0           TEST EAX,EAX
004DFED9  |. 74 5C          JE SHORT StarCraf.004DFF37
004DFEDB  |. 8B0F           MOV ECX,DWORD PTR DS:[EDI]
004DFEDD  |. 51             PUSH ECX
004DFEDE  |. 68 01071000    PUSH 100701
004DFEE3  |. 6A 02          PUSH 2
004DFEE5  |. 8D95 E4FDFFFF  LEA EDX,DWORD PTR SS:[EBP-21C]
004DFEEB  |. 52             PUSH EDX
004DFEEC  |. FF15 10E04F00  CALL DWORD PTR DS:[<&ADVAPI32.AddAccessA>;  ADVAPI32.AddAccessAllowedAce
004DFEF2  |. 85C0           TEST EAX,EAX
004DFEF4  |. 74 41          JE SHORT StarCraf.004DFF37
004DFEF6  |. 68 54F84F00    PUSH StarCraf.004FF854                   ; /pModule = "advapi32.dll"
004DFEFB  |. FF15 38E24F00  CALL DWORD PTR DS:[<&KERNEL32.GetModuleH>; \GetModuleHandleA
004DFF01  |. 3BC3           CMP EAX,EBX
004DFF03  |. 74 32          JE SHORT StarCraf.004DFF37
004DFF05  |. 68 44F84F00    PUSH StarCraf.004FF844                   ; /ProcNameOrOrdinal = "SetSecurityInfo"
004DFF0A  |. 50             PUSH EAX                                 ; |hModule
004DFF0B  |. FF15 44E24F00  CALL DWORD PTR DS:[<&KERNEL32.GetProcAdd>; \GetProcAddress
004DFF11  |. 3BC3           CMP EAX,EBX
004DFF13  |. 74 22          JE SHORT StarCraf.004DFF37
004DFF15  |. 8B55 E4        MOV EDX,DWORD PTR SS:[EBP-1C]
004DFF18  |. 53             PUSH EBX
004DFF19  |. 8D8D E4FDFFFF  LEA ECX,DWORD PTR SS:[EBP-21C]
004DFF1F  |. 51             PUSH ECX
004DFF20  |. 53             PUSH EBX
004DFF21  |. 53             PUSH EBX
004DFF22  |. 68 04000080    PUSH 80000004
004DFF27  |. 6A 06          PUSH 6
004DFF29  |. 52             PUSH EDX
004DFF2A  |. FFD0           CALL EAX
004DFF2C  |. 85C0           TEST EAX,EAX
004DFF2E  |. 75 07          JNZ SHORT StarCraf.004DFF37
004DFF30  |. C745 F0 010000>MOV DWORD PTR SS:[EBP-10],1
004DFF37  |> 8B45 FC        MOV EAX,DWORD PTR SS:[EBP-4]
004DFF3A  |. 3BC3           CMP EAX,EBX
004DFF3C  |. 74 07          JE SHORT StarCraf.004DFF45
004DFF3E  |. 50             PUSH EAX                                 ; /hObject
004DFF3F  |. FF15 18E14F00  CALL DWORD PTR DS:[<&KERNEL32.CloseHandl>; \CloseHandle
004DFF45  |> 8B45 EC        MOV EAX,DWORD PTR SS:[EBP-14]
004DFF48  |. 3BC3           CMP EAX,EBX
004DFF4A  |. 74 07          JE SHORT StarCraf.004DFF53
004DFF4C  |. 50             PUSH EAX                                 ; /pSID
004DFF4D  |. FF15 0CE04F00  CALL DWORD PTR DS:[<&ADVAPI32.FreeSid>]  ; \FreeSid
004DFF53  |> 8B45 F0        MOV EAX,DWORD PTR SS:[EBP-10]
004DFF56  |. 8DA5 D8FDFFFF  LEA ESP,DWORD PTR SS:[EBP-228]
004DFF5C  |. 5F             POP EDI
004DFF5D  |. 5E             POP ESI
004DFF5E  |. 5B             POP EBX
004DFF5F  |. 8BE5           MOV ESP,EBP
004DFF61  |. 5D             POP EBP
004DFF62  \. C3             RETN

Set Text Color Channel Names / Game Names:

Code:

00449F66  |. 68 FFFFFF00    PUSH 0FFFFFF                             ; /Color = <WHITE>
00449F6B  |. 50             PUSH EAX                                 ; |hDC
00449F6C  |. 83E7 01        AND EDI,1                                ; |
00449F6F  |. FFD3           CALL EBX                                 ; \SetTextColor

Check For Mult Instances:

Code:

004DFF74  |. 68 C8F84F00    PUSH StarCraf.004FF8C8                   ; /EventName = "Starcraft Check For Other Instances"
004DFF79  |. 6A 00          PUSH 0                                   ; |InitiallySignaled = FALSE
004DFF7B  |. 6A 00          PUSH 0                                   ; |ManualReset = FALSE
004DFF7D  |. 6A 00          PUSH 0                                   ; |pSecurity = NULL
004DFF7F  |. FF15 10E14F00  CALL DWORD PTR DS:[<&KERNEL32.CreateEven>; \CreateEventA

**-187-** · 08-22-2007 03:39 AM

Heres what i found...

0048CE60 - Starcrafts Text Function
19044EA8 - Holds in-game user name (spoofer :P)
004D9010 - Removes chat from screen function.
00596870 - 1 = Host 0 = Not Host
004512D8 - Host Hack
00596814 - Holds host name

**ulliklliwi** · 08-22-2007 02:16 PM

57EEEB - In pre-game lobby Player name Array ( just add 0x24 for next player)
57EEE4 - In pre-game lobby Player ID (Add 0x24 for next ID)
48CE60 - In Game Client-side print TEXT
4F2EC0 - In Game Sends Text
4512D8 - Host Hack (NOP 2 Bytes)
4B8BB0 - In pre-game lobby Client-side text display
470BD0 - In pre game lobby Text send Function
48A0F7 - Stay alive (NOP 5 Bytes)- if u loss
48A0F2- Stay alive (NOP 5 Bytes) - if u won/draw
4B95F4 - Start game without ppl
45022D - Download Stats (NOP 9 Bytes)
4A2FF7 - NULL Drop Timer
66FE10 - Whos host of the game in pre-game lobby

**-187-** · 08-30-2007 01:45 AM

Code:

void CreateUnit(DWORD Y, DWORD X, DWORD UNITID)
{
	const int BWFXN_CreateUnit = 0x4A0770;

	__asm
	{
		mov eax,Y
		push eax
		mov ecx,X
		push ecx
		mov edi,UNITID
		push edi
		call dword ptr ds:[BWFXN_CreateUnit]
	}
}

This code IS VERY UNSTABLE, it creates units. The problem is the only units is does create are black units that you cant control! But o well i thought i'd release this anyway I guess its not mine but here :D (its not mine but i did go through the work of finding this.

use decimal for the parameters, NOT HEX. (12,12,12) will work

**-187-** · 08-30-2007 11:04 PM

0057F0D8 = Player 1 Minerals
0057F0DC = Player 2 Minerals
0057F0E0 = Player 3 Minerals
0057F0E4 = Player 4 Minerals
0057F0E8 = Player 5 Minerals
0057F0EC = Player 6 Minerals
0057F0F0 = Player 7 Minerals
0057F0F4 = Player 8 Minerals

Edit: Yes it does :P

**bLueStar** · 08-31-2007 05:30 AM

Units block in memory are 336 bytes containing all info(X position , y position, direction, landing point, action, unit type, unit player id.........)

0x00628443

You must read backward, 336 bytes of distance between each unit

Units include ressource, neutral unit, player unit, player building, Special object like mineral chunk and crystaline

From what i remember, the 0xE4 0x00 0xE4 0x00 0xE4 0x00 0xE4 0x00 0xE4
are the 5 spot in a building for unit building. Even units such as a scv have those(would that be possible to make units from units ?). well i have made a Fenix out of a gateway using this function(single player of course)

Have fun exploring those chunk of huge information about the heart of the game.

Edit : Simple reason why you need to read backward : When a chunk is added, the whole stuff is expanding by its begining. The pointer at the very end is never moving.

**Chaoschild91** · 09-11-2007 08:41 PM

0058DC28=Switch 1(0=clear, 1=set)

Will edit post and post other switches.

EDIT: =( doesn't work online sadly, just checked. Thought it would desync and it did....though it can work as a game disconnect.

**Jiggie=#1** · 09-11-2007 10:47 PM

Code:

IssueCommand 4858F0
CancelUnit 423480
PrintXY 4202A0 
SetFont 41FB20
 Small  6CE0DC
 Normal 6CE0E0
 Large  6CE0E4
 Huge   6CE0E8

**pnaimoli** · 09-18-2007 03:53 AM

Originally Posted by bLueStar

Units block in memory are 336 bytes containing all info(X position , y position, direction, landing point, action, unit type, unit player id.........)

0x00628443

You must read backward, 336 bytes of distance between each unit

I'm getting 0x00628280 as the location of the first unit... where are you getting 0x00628443 from??

**ulliklliwi** · 09-18-2007 07:03 AM

Originally Posted by bLueStar

Units block in memory are 336 bytes containing all info(X position , y position, direction, landing point, action, unit type, unit player id.........)

sry to say buddy, but unit blocks are from 336 bytes and or 672 bytes

**nilphase** · 09-19-2007 01:25 AM

The title of this thread includes Notes. So here is my notes about what I dug up from the unit info block.

Quick Facts:

I belive the highest address of the beginning of a unit info block is 628280.
Sometimes the first unit can be located at 59CC90 (instead of 628280)
I also believe the length of each unit info block is 336 bytes. (But I can be wrong.)

!! Hit points is actually 9 bytes off the beginning of the block.
But I find it easier to first locate the HP of a unit and then calculate the offsets. (In other words, the address of HP - 9 is the actual beginning of a unit info block).

!! Question marks indicate... questions.

, and uncertainty, too.

PHP Code:


0000  signed?    WORD    hit points

0007  unsigned?  WORD    destination - x

0009  unsigned?  WORD    destination - y

000F  unsigned?  WORD    next path node? - x (?1)

0011  unsigned?  WORD    next path node? - y (?1)

0013  unsigned?  WORD    next path node? - x (?1)

0015  unsigned?  WORD    next path node? - y (?1)

001F  unsigned?  WORD    current position? - x (?1)

0021  unsigned?  WORD    current position? - y (?1)

0024  unsigned?  WORD    current position? - x (?1) (?3)

0026  ?          WORD    ? (?3)

0028  unsigned?  WORD    current position? - y (?1) (?3)

0043  unsigned?  BYTE    owner ID (?5)

0044  unsigned?  BYTE?   current command?

0047  ?          WORD    ? sometimes constants 0xE4 is written here

004B  ?          BYTE    ? (constantly changing, looks like counting down)

004F  ?          WORD    command destination - x

0051  ?          WORD    command destination - y

0058  signed?    WORD    shield points

005B  unsigned?  WORD    unit type ID (?7)

005F  ?          BYTE    (?6)

0060  ?          BYTE    (?6)

0061  ?          BYTE    (?6)

0064  ?          BYTE    (?6)

0065  ?          BYTE    (?6)

006B  ?          DWORD   (?8)

006F  ?          DWORD   (?8)

0073  ?          DWORD   ? seems related to command destination

007B  ?          BYTE    ?

007C  ?          BYTE    ? (constantly changing, looks like counting down)

008A  ?          BYTE    ? used by IssueCommand

008B  unsigned?  BYTE    unit type ID (?7)

008F  unsigned?  WORD    building queue slot

0091  unsigned?  WORD    building queue slot

0093  unsigned?  WORD    building queue slot

0095  unsigned?  WORD    building queue slot

0097  unsigned?  WORD    building queue slot

009A  signed?    WORD    mana points

00B7  unsigned   BYTE    spider mine count for vulture (?4)

00D3  ?          DWORD   ? seems related to command destination

00DA  ?          BYTE    ? seems related to command destination

00F7  ?          DWORD   ? seems related to command destination

012B  ?          DWORD   ? seems related to command destination

* Current Command (incomplete)
0x02 stopped
0x03 idling
0x06 moving
0x0A attacking (?2)
0x0E attack-moving
0x6B holding

* Coordinate (0,0) is at top-left.

?1 Why are there two pairs of coordinates that seem to always show the same
value?

?2 Is this only 'attacking', or is it 'moving until specified target is in
range' ?

?3 What is this gap?

?4 This may be used by carriers or reavers, too.

?5 Apparently player X's ID is (X-1). However, if a unit had been initialized
as rescueable and has been rescued, setting this value back to the
rescueable player's ID will not make this unit rescueable again.

?6 In a testing scenario, player 1 (P1) is human player, player 2 (P2) is
rescueable computer player. While P1 rescues a P2 Kerrigan (ghost), the
following memory address are modified (assuming 0x00 is HP).

Address Old Value -> New Value
0x43 0x01 -> 0x00 ; Owner is changed from P2 to P1.
0x5F 0xB0 -> 0x00
0x60 0x76 -> 0x00
0x61 0x62 -> 0x00
0x64 0x00 -> 0x78
0x65 0x00 -> 0x62

Manually changing 0x5F, 0x60, 0x61, 0x64, 0x65 from New Value to Old Value
from New Value to Old Value (without changing 0x43) results the unit killed
and SC crashed.

?7 Why is unit ID recorded in two places?

?8 These bytes are normally 0; only set to certain values when a command is
issued.

**Doobers** · 09-19-2007 02:31 AM

The health is @ offset 8 because the first 2 DWORDS are the pointers *pBlink and *pFlink - All the unit buffers are linked together through a doubly linked list:

Code:

struct UnitBuffer {
     UnitBuffer *pBlink;
     UnitBuffer *pFlink;
     DWORD dwHealth;
     ...
     ...
};

You should start a new thread that lists all the members in struct format so it's easier to visualize.

**nilphase** · 09-19-2007 02:38 PM

Unit Type Id list (incomplete, yet)

I guess this list has not changed since Brood War came out and almost everyone already has his own copy, but just in case you do not have your own copy, here it is. I will edit and add Protoss and Zerg units to the list when I have time. (You are welcome to contribute to the list too.

)

Edit: incomplete list removed. Thanks to Pinnah who pointed out there is already a list available.

**gamepin126** · 09-19-2007 03:14 PM

Originally Posted by nilphase

Unit Type Id list (incomplete, yet)

I guess this list has not changed since Brood War came out and almost everyone already has his own copy, but just in case you do not have your own copy, here it is. I will edit and add Protoss and Zerg units to the list when I have time. (You are welcome to contribute to the list too.

)

http://www.bwhacks.com/forums/showthread.php?t=27282

**bLueStar** · 09-19-2007 05:39 PM

thanks everyone for clarifying and correcting my info about Units block.
nilphase thanks for exploiting it

keep those info somewhere cause the position of information in a unit block never change patch to patch... just the starting address.

I used to make a DLL that read every info about starcraft and i was ready to make a AI Bot when it patched..... However i will look back in my archive and add as many pointer your missing in the block. Btw theres like 3 address saying the current position of the unit, 2 of them lag about 10-20 ms before showing up in memory.

0044 unsigned? BYTE? current command?

Yes it is. Send a worker gather mineral(i cant remember the value) and it will change until he return cargo etc.. What is messed up is gathering and attacking got the same ID. Maybe you have to realise yourself in programming that when the destination is a ressource he is gathering and else he is attacking. I will post more about this. (Sorry for my poor english, im french)

Before i go, i forgot to mention there is the unit elevation in this block. Shouldnt be that hard to find even tho i never spent time trying to play with it.

Btw thanks for everyones help and free service, im pretty sure everyone appreciate even if they are not telling

Have a good hacking day.

**Suteki** · 09-19-2007 10:23 PM

BWFXN_Unsiege--dd 423440h
BWFXN_Siege--dd 4232B3h
BWFXN_CancelNuke-dd 4231C0h
BWFXN_CancelResearch-dd 4231C0h

Is it possible to exploit a low ground unit and give it the properties of a unit that is on higher ground without a desynch?

Thanks for the notes.

**bLueStar** · 09-28-2007 04:48 PM

Originally Posted by Suteki

BWFXN_Unsiege--dd 423440h
BWFXN_Siege--dd 4232B3h
BWFXN_CancelNuke-dd 4231C0h
BWFXN_CancelResearch-dd 4231C0h

Is it possible to exploit a low ground unit and give it the properties of a unit that is on higher ground without a desynch?

Thanks for the notes.

I am actually working to know what is considered in the anti-cheat hashing function. When itll be done, i will post in the Notes and Offsets sticky what is considered.

We still have to take care about the desynch
Ex: You can change a scv path node without dropping but when he will start going in the wrong direction, people will drop you for bad position.

Good Luck

**ProMasser** · 10-21-2007 07:56 PM

PubTxt 4F2EC0h

**LCSBSSRHXXX** · 10-21-2007 08:38 PM

Originally Posted by LCSBSSRHXXX

Public text printing function:

Code:

004F2EC0  /$ 56             PUSH ESI
004F2EC1  |. 8BF0           MOV ESI,EAX
004F2EC3  |. 0FB605 2CC1680>MOVZX EAX,BYTE PTR DS:[68C12C]
004F2ECA  |. 83E8 02        SUB EAX,2                                ;  Switch (cases 2..3)
004F2ECD  |. 57             PUSH EDI
004F2ECE  |. 66:8B3D C2F157>MOV DI,WORD PTR DS:[57F1C2]
004F2ED5  |. 74 17          JE SHORT StarCraf.004F2EEE
004F2ED7  |. 48             DEC EAX
004F2ED8  |. 75 1D          JNZ SHORT StarCraf.004F2EF7
004F2EDA  |. E8 71CBF9FF    CALL StarCraf.0048FA50                   ;  Case 3 of switch 004F2ECA
004F2EDF  |. E8 9CF1FCFF    CALL StarCraf.004C2080
004F2EE4  |. 66:893D C2F157>MOV WORD PTR DS:[57F1C2],DI
004F2EEB  |. 5F             POP EDI
004F2EEC  |. 5E             POP ESI
004F2EED  |. C3             RETN
004F2EEE  |> 66:C705 C2F157>MOV WORD PTR DS:[57F1C2],0FFFF           ;  Case 2 of switch 004F2ECA
004F2EF7  |> E8 84F1FCFF    CALL StarCraf.004C2080                   ;  Default case of switch 004F2ECA
004F2EFC  |. 66:893D C2F157>MOV WORD PTR DS:[57F1C2],DI
004F2F03  |. 5F             POP EDI
004F2F04  |. 5E             POP ESI
004F2F05  \. C3             RETN

Originally Posted by ulliklliwi

4F2EC0 - In Game Sends Text

Thread: 1.15.1 Offsets / Functions / Notes

LinkBack

Thread Tools

1.15.1 Offsets / Functions / Notes

Thanks

Thread Information

Users Browsing this Thread

Similar Threads

Tackling those offsets that change game-to-game?

1.15 Offsets / Functions / Notes

Text offsets

Diablo 2 - 1.11b Offsets / Functions / Notes

Posting Rules