Article How to find addresses with ROE

JayCoder

Veteran
Staff member
Quick search:
[0001] - how to dump the game
[0002] - opening the dump in IDA
[0003] - updating addresses
[0004] - downloads



First, let's get our tools together. I'm not going to go over doing anything in C++ or C# yet (that will be covered in another topic), just how to dump, find a test address, and get started finding and testing things.

I want to go ahead and say this for any game developers reading this: I only intended this for educational use.

Tools:
IDA Pro x86 (Hex-Rays edition),
an undetected version of Cheat Engine or a different memory viewer (I suggest a memory viewer or another tool),
last update dump (bottom of page),
current update dump (bottom of page),
previous update dump (bottom of page),
last update addresses collection (bottom of page),
current update addresses collection (bottom of page)

Cheat Engine doesn't seem to be detected, so you could use it; you could also use a plugin for Cheat Engine.
I don't know, I never got banned using Cheat Engine, no idea why, so I mean....

Scylla for dumping the memory

When I want to know everything about a register or operation in x86, I look it up in an x86 instruction reference.

I usually NOP it or change it to a different register or operation, depending on what I'm changing.

A common one for ROE is movss (move scalar single-precision float).

Another common one is divss (divide scalar single-precision float).

I usually find more addresses when I mess with scalar single-precision floating-point instructions ("operation + ss").
You can find a lot of stuff before and after the SEH macros in the game.

Reading up on the SEH macros may help; not sure if it will, but it does address the problem at hand.

How to dump the game [0001]

Step 1:
Open the x86 version of Scylla and run it as admin.

Step 2:
Attach to the game's process.

Step 3:
Press the Dump button and choose where to save the dump.
Then wait for the confirmation message.
For the static searching done below a plain dump is enough; you do not need to rebuild the IAT just to read and patch code bytes in IDA.

Opening in IDA Pro [0002]

Step 1:
Open the dump file in the x86 IDA (Hex-Rays) edition
< File, location >
Just click OK.
Click Cancel.

Step 2, once open:
You can tell loading has finished from the bottom-left corner of the application: the number stops changing and the status reads "AU: idle".
Click the x on Structures
Click the x on Enumeration types
Click the x on Imports
Click the x on Exports
Press Shift+F12 for the Strings view; it will take a minute or two.

Addresses [0003]

Remove trees: search for this as text, with "all occurrences" checked:
Code:
divss   xmm0, dword ptr [ebp+0B94h]
Going down from it, it's the 2nd movss. We want to NOP that instruction: highlight it, look at its bytes in the hex view, and change them to
Code:
90 90 90 90 90 90 90 90
That is eight NOPs, which is exactly the length of movss xmm0, dword ptr [ebp+disp32] (F3 0F 10 85 plus a 4-byte displacement). Check that the bytes you are about to overwrite start with F3 0F 10 85 so you replace exactly one instruction and not part of the next one.

Remove water: search for this as text, with "all occurrences" checked:
Code:
movss   xmm0, dword ptr [ebp+1C9Ch]
Going up from it, it's the first movss. We want to NOP that instruction: highlight it, look at its bytes in the hex view, and change them to
Code:
90 90 90 90 90 90 90 90

Remove grass: search for this as text, with "all occurrences" checked:
Code:
mov     esi, [ebp-0A8h]
Going up from it, it's the first movss. We want to NOP that instruction: highlight it, look at its bytes in the hex view, and change them to
Code:
90 90 90 90 90 90 90 90


I usually use a version of Cheat Engine to test addresses.

Using this method, it takes 2 or 3 minutes to update addresses, if that.
I tested both the old addresses and the new ones myself.
If anything isn't working, comment below.

Here are videos of some of the addresses:

Downloads [0004]
Old update dump (don't remember the date)

Old update addresses (don't remember the date)

Dump, release date 2.23.2019

Addresses, release date 2.23.2019

Addresses 2.28.2019 (current update)

ROE dump 2.28.2019 (current update)


I write the address list out like this:
Address | Description | some instruction to find the address

Scylla

Cheat Engine


Will update soon: fix errors and grab more and newer addresses.
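The three recipes in the Addresses [0003] section all have the same shape: search the dump for one anchor instruction, walk up or down the listing to the n-th movss, and overwrite that one instruction with eight NOPs. The script below is an added example (not code from the original post, and not anything the game ships) that automates exactly that over the raw bytes of a Scylla dump, with the two checks a practitioner wants: it refuses when the anchor is not unique (the post's "all occurrences" step needs a human to pick the right hit), and it refuses to patch unless the target bytes really are F3 0F 10 85, so you never NOP across an instruction boundary. It is a byte-pattern walk, not a disassembler, so it can count a false movss if those four bytes occur inside another instruction's operand; confirm the hit in IDA before you ship an address. The offsets it reports are file offsets into the dump, while IDA shows virtual addresses; converting between them goes through the dump's PE section table (VA = image base + section VA + (file offset - section raw pointer)). The sample byte buffer and the helper names (`patch_by_recipe`, `nth_movss`, `build_sample`) are constructed for the example.

```python
import re
from typing import List, Optional, Tuple

# Added example, not code from the original post. It automates the recipe
# from the Addresses [0003] section: search the dump for an anchor
# instruction's bytes, walk up or down to the n-th movss, and NOP it.
#
# 32-bit x86 encodings used (ModRM byte 0x85 = [ebp+disp32], xmm0 as dest):
#   F3 0F 5E 85 disp32   divss xmm0, dword ptr [ebp+disp32]   8 bytes
#   F3 0F 10 85 disp32   movss xmm0, dword ptr [ebp+disp32]   8 bytes
#   8B B5 disp32         mov   esi,  [ebp+disp32]             6 bytes
# The eight 0x90 bytes in the post are exactly the length of that movss.

MOVSS_PREFIX = b"\xF3\x0F\x10\x85"
MOVSS_LEN = 8
NOP = b"\x90"


def _disp32(d: int) -> bytes:
    return d.to_bytes(4, "little", signed=True)


def divss_xmm0_ebp(d: int) -> bytes:
    return b"\xF3\x0F\x5E\x85" + _disp32(d)


def movss_xmm0_ebp(d: int) -> bytes:
    return MOVSS_PREFIX + _disp32(d)


def mov_esi_ebp(d: int) -> bytes:
    return b"\x8B\xB5" + _disp32(d)


def find_anchors(data: bytes, sig: bytes) -> List[int]:
    """File offsets of every occurrence of the anchor bytes (IDA's 'all occurrences')."""
    return [m.start() for m in re.finditer(re.escape(sig), data)]


def nth_movss(data: bytes, anchor: int, n: int, direction: str) -> Optional[int]:
    """Offset of the n-th movss xmm0,[ebp+disp32] after ('down') or before ('up') anchor.

    Byte-pattern walk, not a disassembly: F3 0F 10 85 buried in another
    instruction's operand would also count, so confirm the result in IDA.
    """
    hits = [m.start() for m in re.finditer(re.escape(MOVSS_PREFIX), data)]
    if direction == "down":
        cands = [h for h in hits if h > anchor]
    elif direction == "up":
        cands = [h for h in reversed(hits) if h < anchor]
    else:
        raise ValueError("direction must be 'up' or 'down'")
    return cands[n - 1] if len(cands) >= n else None


def nop_out(data: bytes, offset: int) -> bytearray:
    """Overwrite exactly one movss with NOPs; refuse if the bytes there are not that movss."""
    if data[offset:offset + len(MOVSS_PREFIX)] != MOVSS_PREFIX:
        raise ValueError(f"no movss xmm0,[ebp+disp32] at offset 0x{offset:X}, refusing to patch")
    out = bytearray(data)
    out[offset:offset + MOVSS_LEN] = NOP * MOVSS_LEN
    return out


def patch_by_recipe(data: bytes, anchor_sig: bytes, n: int, direction: str) -> Tuple[int, bytearray]:
    """Apply one 'search anchor, go up/down to the n-th movss, NOP it' recipe.

    Refuses when the anchor is not unique: with several occurrences the
    post's method needs a human to pick the right one in IDA.
    """
    anchors = find_anchors(data, anchor_sig)
    if len(anchors) != 1:
        raise ValueError(f"expected one anchor, found {len(anchors)}")
    target = nth_movss(data, anchors[0], n, direction)
    if target is None:
        raise ValueError("not enough movss in that direction")
    return target, nop_out(data, target)


def build_sample() -> bytes:
    """Constructed stand-in for a slice of the dump's code section (not real ROE bytes)."""
    return (b"\x55\x8B\xEC"                # push ebp; mov ebp, esp        offset 0
            + movss_xmm0_ebp(0x10)         # a movss above the anchors     offset 3
            + divss_xmm0_ebp(0x0B94)       # 'remove trees' anchor         offset 11
            + b"\x0F\x2F\xC1"              # comiss xmm0, xmm1             offset 19
            + movss_xmm0_ebp(0x1C9C)       # 'remove water' anchor         offset 22
            + mov_esi_ebp(-0xA8)           # 'remove grass' anchor         offset 30
            + movss_xmm0_ebp(0x0BA0)       # 2nd movss below the divss     offset 36
            + b"\xC3")                     # ret                           offset 44


if __name__ == "__main__":
    sample = build_sample()
    # Trees: divss anchor, 2nd movss going down.
    off, patched = patch_by_recipe(sample, divss_xmm0_ebp(0x0B94), 2, "down")
    print(f"trees: NOPed movss at file offset 0x{off:X}: {patched[off:off + MOVSS_LEN].hex(' ')}")
    # Grass: mov esi anchor, first movss going up.
    off, _ = patch_by_recipe(sample, mov_esi_ebp(-0xA8), 1, "up")
    print(f"grass: would NOP movss at file offset 0x{off:X}")
```

To run it against a real dump, replace `build_sample()` with `open("roe.dump", "rb").read()`, and write `patched` back out to a copy of the file; keep the original so the next game update can be re-searched the same way.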

AssumingAgate

Reverse Engineer
Is it me or do I see DirectX involved?
Holy **** I'm just seeing this thread, but also I can tell you there was no DirectX from what I know of, as most of the stuff Jay found was through CE.

Edit: just seen the video and saw there was D3D :expressionless: