SA-MP Forums

Go Back   SA-MP Forums > SA-MP Scripting and Plugins > Plugin Development

Reply
 
Thread Tools Display Modes
Old 27/01/2016, 06:18 PM   #1
kurta999
High-roller
 
kurta999's Avatar
 
Join Date: Apr 2009
Location: Slovakia (HU)
Posts: 1,420
Reputation: 626
Default Update memory hacking plugins

This tutorial is about how to find structure addresses in samp server. I'm not really going to say why to do that, I will just say how to do. I do not have a big assembly skill, you do not need too if you just want to update structures or memory offsets. It's fucking easy, just time consuming. Use your head, and think every time.

SA-MP needs more people, who know how to update memory hacking plugins. Lot of them die because it's boring to update them after every version realease, and author just give a fuck for them and almost nobody can update, casue don't know how to do that.

First of all, you need to download IDA Pro, use ******. I recommend 6.8 version, I won't post it here since warez not allowed. Older version will be good too.

Findig memory offsets:

Open IDA, and you'll see this window:



Click on "Go - Work on your own"



Nice, if you see this then you're not retard. Click on File -> Open and open "samp-server.exe"





Click on OK, and wait a bit. Processing the .exe is done, when you see something similar to image below:



Click with Right mouse, select Text view.

If you did everything good, you'll see something similar to image below:



Nice! Now we are going to find player health variable, which memory location is used in samp server to store player health.

Press SHIFT + 12, it will show a new toolbar, called "Strings". Navigate here and press ALT + T. Search for GetPlayerHealth


Double click on GetPlayerHealth string. If you did everything well, then you will see something like image below:





Press F5. IDA now will create pseudocode from assembly code, which is SO MUCH easyer to read.



Now you have info to get these 5 things:
pNetGame
CPlayerPool *pPlayerPool pointer location inside CNetGame class
CPlayer *pPlayer pointer location inside CPlayerPool class
fHealth in CPlayer class
amx_GetAddr (sub_403100)

Click on dword_4F6CC8, press N - type pNetGame. This is the pNetGame pointer, now you renamed this "address name" to readable name, it will appear as pNetGame next time. Address of pointer is: 0x4F6CC8. You'll have DIFFERENT ADDRESS, SINCE MY TEST SERVER IS 0.3.7 R1 not R2-1.

----------------------------------------------------

(_DWORD *)pNetGame + 2) is the location of pPlayerPool pointer. (_DWORD *)pNetGame + 2) equal to (char*)pNetGame + .

Go here and figure out from answers to why: http://stackoverflow.com/questions/2...ter-and-offset
pawn Code:
(char*)pNetGame +8). // 8 is the offset of pPlayerPool pointer INSIDE CNetGame class
---------------

Now we have pPlayerPool! Nice! Wee need to find pPlayer inside pPlayerPool which is a pointer array, every index stores data about one player.

Now look at first line, where we get pNetGame address.

pawn Code:
((_DWORD *)pNetGame + 2) + 4 * playerid + 154012)

154012 - this is the address of pPlayer pointer inside CPlayerPool class.

Nice! Now we have pPlayer pointer. Now we have to find fHealth location inside CPlayer class.

pawn Code:
*(_DWORD *)a2 = *(_DWORD *)(v3 + 10529);
v3 + 10529
DONE!

pawn Code:
struct CPlayer
{
    BYTE padding[10529];
    float fHealth;

};

struct CPlayerPool
{
    BYTE padding[154012];
    CPlayer *pPlayer[MAX_PLAYERS];
};

struct CNetGame
{
    BYTE padding[8]; // offsets starts from 0
    CPlayerPool *pPlayerPool; // stars from 8, ends at 12
};

// Initializing pNetGame
CNetGame* pNetGame = NULL;

PLUGIN_EXPORT int PLUGIN_CALL AmxLoad(AMX *amx)
{
    if (pNetGame == NULL)
        pNetGame = ((CNetGame*)(*(void**)0x4F6CC8));

    return amx_Register(amx, projectNatives, -1);
}

// Or you can check YSF how to init pNetGame from ppData, since it's stored here and you not need to find it every time.

If you want to test this example, then don't forget to do the following thing in Visual Studio; You have to set struct alignment to 1 byte, insted of default 4. If you skip this option, you code won't work.

In Visual Studio: Project File -> Properties -> C/C++ -> Code Generation -> Sturct member Alignment -> 1Byte (Zp1)
In GCC: -fpack-struct=1

Now we have everything. If you want to get player health, then now you can do:

pawn Code:
pNetGame->pPlayerPool->pPlayer[playerid]->fHealth;

If you want to access every classes which are in CNetGame, check YSF: https://github.com/kurta999/YSF/blob...Structs.h#L734

Findig RPCs:

For functions

For findig SetGravity RPC:
1.) Find for "SetGravity" in strings windows, then do same what I said before how to navigate to the function
2.) Check assembly/pseudo code, there only one function call and nothing more. ( call sub_48E260 )
3.) Navigate into this function, press F5 - check the code in pseudocode how it looks - now you see that's there are more code, we are at good place - go back to assembly view.
4.) RPC can be a BYTE ( 0 - 255 ), there only one character, which is one byte.
.text:0048E2FA push offset aT ; "ĺ"

5.) Double click on aT, you'll see:
.rdata:004B592C aT db 'ĺ',0

6). Select ĺ, switch to hex view at toolbar menu, and which is selected, that's your RPC ID.
0x92 for SetGravity.

For callbacks

1.) Search for "OnPlayerSpawn" in strings menu, then do same what I said before how to navigate to the function
2.) You have to go back, where FROM this function will be called:

This is the basic function, which will call pawn callbacks when player spawn. Rename it to PAWN_OnPlayerSpawn.
.text:0046ADF0 sub_46ADF0 proc near ; CODE XREF: sub_48EA70+118p

Double click at memory address after CODE XREF. You've jumped to function, which is the function of RPC. Rename it to INTERNAL_OnPlayerSpawn This function will be called when server receives RPC with OnPlayerSpawn RPC ID and then call PAWN_OnPlayerSpawn, which will call OnPlayerSpawn in pawn scripts

So let's go back, we have function which called by RPC. Click on DATA XREF address, press F5.

You'll see something like:
(*(void (__thiscall **)(int, void *, char **(__cdecl *)(int)))(*(_DWORD *)v1 + 116))(
v1,
&unk_4B5E18,
INTERNAL_OnPlayerSpawn);

Now you went back to RakServer::RegisterAsRemoteProcedureCall-s. This function has two parameters:
pawn Code:
virtual void RegisterAsRemoteProcedureCall( int* uniqueID, void ( *functionPointer ) ( RPCParameters *rpcParms ) );

You know the last one - this is OnPlayerSpawn. You have to click on first parameter (unk_4B5E1, select it, switch to hex view and copy the rpc id. This is 0x34.

https://github.com/kurta999/YSF/blob/YSF_/src/RPCs.cpp

Exercise

I would recommend you to try to find offsets like player position, player weapon, vehicle color, etc, etc.. You can use Structs.h from YSF to check that your offset are correct, or not.
__________________
I don't play and have ANY interest in SA:MP anymore! Please do not ask for help, because I'm not going to reply.

Last edited by kurta999; 12/02/2016 at 08:15 AM.
kurta999 is offline   Reply With Quote
Old 27/01/2016, 06:32 PM   #2
SecretBoss
Gangsta
 
SecretBoss's Avatar
 
Join Date: Dec 2014
Location: Greece
Posts: 818
Reputation: 103
Default Re: Update memory hacking plugins

Incredible tutorial, great work, +REP
__________________
SecretBoss is offline   Reply With Quote
Old 27/01/2016, 07:07 PM   #3
codectile
Huge Clucker
 
codectile's Avatar
 
Join Date: Jul 2014
Posts: 306
Reputation: 116
Default Re: Update memory hacking plugins

Nice tutorial, but you missed out signature finding/obtaining.
codectile is offline   Reply With Quote
Old 27/01/2016, 07:15 PM   #4
kurta999
High-roller
 
kurta999's Avatar
 
Join Date: Apr 2009
Location: Slovakia (HU)
Posts: 1,420
Reputation: 626
Default Re: Update memory hacking plugins

I'll continue it soon. The basics are here. Try to find armour and vehicleid from CPlayer based on this.

E: Added tutorial how to find RPC. If it's not clear, then I'll make screenshots.
__________________
I don't play and have ANY interest in SA:MP anymore! Please do not ask for help, because I'm not going to reply.

Last edited by kurta999; 27/01/2016 at 08:09 PM.
kurta999 is offline   Reply With Quote
Old 27/01/2016, 08:38 PM   #5
Crystallize
Banned
 
Join Date: Aug 2013
Posts: 1,596
Reputation: 314
Default Re: Update memory hacking plugins

Amazing tutorial , shouldn't this be posted on "Tutorials" section? Thank you for this kurta
Crystallize is offline   Reply With Quote
Old 27/01/2016, 09:15 PM   #6
ExTaZZ69
Big Clucker
 
ExTaZZ69's Avatar
 
Join Date: Mar 2015
Location: Romania
Posts: 150
Reputation: 23
Default Re: Update memory hacking plugins

I think this topic should be pinned.
ExTaZZ69 is offline   Reply With Quote
Old 27/01/2016, 11:06 PM   #7
awsomedude
Big Clucker
 
awsomedude's Avatar
 
Join Date: Oct 2011
Posts: 192
Reputation: 47
Default Re: Update memory hacking plugins

Nice work, will help lots of people
awsomedude is offline   Reply With Quote
Old 27/01/2016, 11:49 PM   #8
graef
Little Clucker
 
Join Date: May 2015
Posts: 41
Reputation: 2
Default Re: Update memory hacking plugins

Thanks!, you teach me how plugin developer hack memory.
__________________
[g_raef]
graef is offline   Reply With Quote
Old 28/01/2016, 02:02 AM   #9
Su37Erich
Huge Clucker
 
Su37Erich's Avatar
 
Join Date: Dec 2013
Location: USEA Strangereal
Posts: 343
Reputation: 16
Default Re: Update memory hacking plugins

I do not know but I should make a copy of this tutorial now and keep it in a safe place!
Thank you and good job!
__________________
Neucom Inc.
Su37Erich is offline   Reply With Quote
Old 28/01/2016, 02:02 PM   #10
SeanGarnier
Big Clucker
 
Join Date: Jan 2016
Posts: 67
Reputation: 5
Default Re: Update memory hacking plugins

O.o Muito bom!
SeanGarnier is offline   Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Memory Hacking Plugin Oskaar1994 Scripting Help 1 18/02/2015 09:23 AM
Update me Plugins Azazelo Scripting Help 0 04/03/2013 07:49 PM
About memory hacking plugins (avoid them) Kalcor Plugin Development 0 17/02/2010 10:49 AM


All times are GMT. The time now is 07:10 PM.


Powered by vBulletin® Version 3.8.6
Copyright ©2000 - 2018, Jelsoft Enterprises Ltd.