Release How to Find Offsets


Gentle

Guest
I DIDN'T MAKE THIS!
There is a lot of information about offsets all over the forum, but not much info on how to actually find them. I'm gonna show how to find offsets by searching for strings. The same methods of finding offsets can be used in any Call of Duty game. These examples are based on CoD4 patch 1.7.

RegisterTag:
Search for string "j_helmet" or "j_head".
First push is the length of the string + 1 (int value); in this case "j_helmet" is (strlen("j_helmet")+1)==9
Second push is also int, representing the entity type. Type 1 is human/player.
Third push is the name of the bone, string type variable.
PHP:
004EB7C0   6A 09            PUSH 9
004EB7C2   6A 01            PUSH 1
004EB7C4   68 D0F86D00      PUSH iw3mp.006DF8D0    ; ASCII "j_helmet"
004EB7C9   66:A3 946E4001   MOV WORD PTR DS:[1406E94],AX
004EB7CF   E8 BCCA0200      CALL iw3mp.00518290 '<<<--- Offset of RegisterTag function'
004EB7D4   83C4 0C          ADD ESP,0C '<<<--- Size of the func.'
#define OFFSET_REGISTERTAG 0x518290

//--------------------------------------------------------------------------------------------------------------------------------------------------------
GetPlayerTagPos:
Search for string "AimTarget_GetTagPos".
Scroll down and look for a call.
PHP:
00402508   68 FCD16900      PUSH iw3mp.0069D1FC    ; ASCII "AimTarget_GetTagPos: Cannot find tag [%s] on entity\n"
0040250D   6A 01               PUSH 1
0040250F   E8 1CAE0F00    CALL iw3mp.004FD330
00402514   83C4 0C           ADD ESP,0C
00402517   B8 01000000    MOV EAX,1
0040251C   5F                     POP EDI
0040251D   59                     POP ECX
0040251E   C3                     RETN
0040251F   CC                     INT3
00402520   8B4C24 08        MOV ECX,DWORD PTR SS:[ESP+8]
00402524   83EC 10          SUB ESP,10
00402527   83B9 D0000000 01 CMP DWORD PTR DS:[ECX+D0],1
0040252E   56                      PUSH ESI
0040252F   75 19                 JNZ SHORT iw3mp.0040254A
00402531   0FB735 946E4001  MOVZX ESI,WORD PTR DS:[1406E94]
00402538   8B4424 18        MOV EAX,DWORD PTR SS:[ESP+18]
0040253C   52                      PUSH EDX
0040253D   E8 6EFFFFFF      CALL iw3mp.004024B0 '<<<--- GetTagPos function offset'
#define OFFSET_GETTAGPOS 0x4024B0
//--------------------------------------------------------------------------------------------------------------------------------------------------------

RegisterShader:
Search for string "black" or "white" or "compassping_grenade" or "nightvision_overlay_goggles" or "killiconheadshot" or "voice_on".
There are a lot more strings you could look for, which this function is using, but I just list a few as reference.
PHP:
0043EAFA   B8 002A5F00        MOV EAX,iw3mp.005F2A00 '<<<<---RegisterShader function offset'
0043EAFF   6A 07               PUSH 7
0043EB01   68 F4BC6C00        PUSH iw3mp.006CBCF4  ; ASCII "compassping_enemy"
0043EB06   FFD0                 CALL EAX
0043EB08   8B0D 785D4301    MOV ECX,DWORD PTR DS:[1435D78]    ; iw3mp.0CBAB8EC
0043EB0E   A3 48F28400         MOV DWORD PTR DS:[84F248],EAX
0043EB13   83C4 08             ADD ESP,8
#define OFFSET_REGISTERSHADER 0x5F2A00
//--------------------------------------------------------------------------------------------------------------------------------------------------------

RegisterFont:
Search for string "fonts/smalldevFont" or "fonts/bigFont".
PHP:
005F4F17   B8 C01E5F00      MOV EAX,iw3mp.005F1EC0 '<<<---RegisterFont offset'
005F4F1C   75 05            JNZ SHORT iw3mp.005F4F23
005F4F1E   B8 201E5F00      MOV EAX,iw3mp.005F1E20
005F4F23   6A 01            PUSH 1
005F4F25   68 280D7000      PUSH iw3mp.00700D28 ; ASCII "fonts/smalldevfont"
005F4F2A   FFD0             CALL EAX
005F4F2C   83C4 08          ADD ESP,8
#define OFFSET_REGISTERFONT 0x5F1EC0
//--------------------------------------------------------------------------------------------------------------------------------------------------------

DrawText:
Search for string "fonts/consoleFont" or "Glow".
PHP:
005F92BD   68 5C0E6D00      PUSH iw3mp.006D0E5C   ; ASCII "fonts/consoleFont"
005F92C2   FFD0             CALL EAX
005F92C4   D9EE             FLDZ
005F92C6   83C4 08          ADD ESP,8
005F92C9   6A 00            PUSH 0
005F92CB   83EC 14          SUB ESP,14
005F92CE   D95424 10        FST DWORD PTR SS:[ESP+10]
005F92D2   B9 98456B00      MOV ECX,iw3mp.006B4598
005F92D7   D905 0C0C7000    FLD DWORD PTR DS:[700C0C]
005F92DD   D95C24 0C        FSTP DWORD PTR SS:[ESP+C]
005F92E1   D905 E0B47000    FLD DWORD PTR DS:[70B4E0]
005F92E7   D95C24 08        FSTP DWORD PTR SS:[ESP+8]
005F92EB   D905 20BE7000    FLD DWORD PTR DS:[70BE20]
005F92F1   D95C24 04        FSTP DWORD PTR SS:[ESP+4]
005F92F5   D91C24           FSTP DWORD PTR SS:[ESP]
005F92F8   50               PUSH EAX
005F92F9   68 FFFFFF7F      PUSH 7FFFFFFF
005F92FE   68 6CFB6F00      PUSH iw3mp.006FFB6C ; ASCII "GLOW"
005F9303   E8 F8D7FFFF      CALL iw3mp.005F6B00 '<<<--- DrawText offset'
005F9308   83C4 24          ADD ESP,24
#define OFFSET_DRAWTEXT 0x5F6B00
//--------------------------------------------------------------------------------------------------------------------------------------------------------

RenderScene:
Search for string "R_RenderScene".
PHP:
005FAF00   55               PUSH EBP '<<<---RenderScene offset'
005FAF01   8BEC             MOV EBP,ESP
005FAF03   83E4 F8          AND ESP,FFFFFFF8
005FAF06   81EC A0000000    SUB ESP,0A0
005FAF0C   803D 90D2C90C 00 CMP BYTE PTR DS:[CC9D290],0
005FAF13   56               PUSH ESI
005FAF14   57               PUSH EDI
005FAF15   8BF0             MOV ESI,EAX
005FAF17   0F84 D8000000    JE iw3mp.005FAFF5
005FAF1D   A1 8495560D      MOV EAX,DWORD PTR DS:[D569584]
005FAF22   8078 0C 00       CMP BYTE PTR DS:[EAX+C],0
005FAF26   0F85 C9000000    JNZ iw3mp.005FAFF5
005FAF2C   8B0D F897560D    MOV ECX,DWORD PTR DS:[D5697F8]           ; iw3mp.0CBBDA14
005FAF32   8379 0C 00       CMP DWORD PTR DS:[ECX+C],0
005FAF36   74 0A            JE SHORT iw3mp.005FAF42
005FAF38   BA E8FB6F00      MOV EDX,iw3mp.006FFBE8                   ; ASCII "====== R_RenderScene ======\n"
005FAF3D   E8 FE1F0400      CALL iw3mp.0063CF40
005FAF42   833D 20A3C90C 00 CMP DWORD PTR DS:[CC9A320],0
005FAF49   75 0F            JNZ SHORT iw3mp.005FAF5A
005FAF4B   68 08FC6F00      PUSH iw3mp.006FFC08                      ; ASCII 15,"R_RenderScene: NULL w"
#define OFFSET_RENDERSCENE 0x5FAF00
//--------------------------------------------------------------------------------------------------------------------------------------------------------

Unlock Cheat/Write protected console commands:
Search for string "cheat protected" or "write protected".
Scroll a few lines up, look for JNZ/JE and simply reverse them.
PHP:
0056B358   74 19               JE SHORT iw3mp.0056B373 '<<<--Reverse this asm command, changing JE to JNZ'
0056B35A   8B0F                MOV ECX,DWORD PTR DS:[EDI]
0056B35C   51                    PUSH ECX
0056B35D   68 683E6F00   PUSH iw3mp.006F3E68  ; ASCII "%s is write protected.\n"
0056B362   6A 10                   PUSH 10
0056B364   E8 5718F9FF        CALL iw3mp.004FCBC0
0056B369   83C4 0C              ADD ESP,0C
0056B36C   5F                        POP EDI
0056B36D   5E                        POP ESI
0056B36E   5B                        POP EBX
0056B36F   8BE5                     MOV ESP,EBP
0056B371   5D                        POP EBP
0056B372   C3                        RETN
0056B373   83F9 01               CMP ECX,1
0056B376   75 29                   JNZ SHORT iw3mp.0056B3A1
0056B378   84C0                   TEST AL,AL
0056B37A   79 25                   JNS SHORT iw3mp.0056B3A1
0056B37C   8B0D 0474BA0C  MOV ECX,DWORD PTR DS:[CBA7404]           ; iw3mp.0CBAB808
0056B382   8079 0C 00         CMP BYTE PTR DS:[ECX+C],0
0056B386   75 19                  JNZ SHORT iw3mp.0056B3A1 '<<<--Reverse this asm command, changing JNZ to JE'
0056B388   8B17                   MOV EDX,DWORD PTR DS:[EDI]
0056B38A   52                       PUSH EDX
0056B38B   68 803E6F00      PUSH iw3mp.006F3E80  ; ASCII "%s is cheat protected.\n"
#define OFFSET_WRITEPROTECTED 0x56B358
#define OFFSET_CHEATPROTECTED 0x56B386
//--------------------------------------------------------------------------------------------------------------------------------------------------------

NoRecoil:
Search for string "CG_FireWeapon: weapon".
There are several ways/offsets to remove weapon recoil. I'm gonna show a few.
PHP:
00457C8B   68 2CEA6C00       PUSH iw3mp.006CEA2C ; ASCII 15,"CG_FireWeapon: weapon"
00457C90   6A 01               PUSH 1
00457C92   E8 99560A00    CALL iw3mp.004FD330
00457C97   83C4 08             ADD ESP,8
00457C9A   5F                   POP EDI
00457C9B   5E                   POP ESI
00457C9C   5D                 POP EBP
00457C9D   5B                   POP EBX
00457C9E   83C4 18             ADD ESP,18
00457CA1   C3                   RETN
00457CA2   8BD3             MOV EDX,EBX
00457CA4   C1E2 04             SHL EDX,4
00457CA7   03D3                 ADD EDX,EBX
00457CA9   8D0495 58867400  LEA EAX,DWORD PTR DS:[EDX*4+748658]
00457CB0   8B149D B86D7300  MOV EDX,DWORD PTR DS:[EBX*4+736DB8]
00457CB7   C681 C1010000 01 MOV BYTE PTR DS:[ECX+1C1],1
00457CBE   894424 18           MOV DWORD PTR SS:[ESP+18],EAX
00457CC2   A1 5CE37400       MOV EAX,DWORD PTR DS:[74E35C]
00457CC7   F640 20 06           TEST BYTE PTR DS:[EAX+20],6  '<<<--- Change this value (6) to 0 to remove recoil.'
00457CCB   895424 10         MOV DWORD PTR SS:[ESP+10],EDX
00457CCF   74 12               JE SHORT iw3mp.00457CE3 '<<<<--Reverse this ( Change JE to JNZ )'
00457CD1   8B75 00             MOV ESI,DWORD PTR SS:[EBP]
00457CD4   3BB0 E8000000   CMP ESI,DWORD PTR DS:[EAX+E8]
00457CDA   75 07               JNZ SHORT iw3mp.00457CE3 '<<<<--Reverse this ( Change JNZ to JE )'
00457CDC   B8 01000000       MOV EAX,1  ' <<<<---Change this value (1) to 0 to remove recoil.'
#define OFFSET_NORECOIL1 0x457CC7
#define OFFSET_NORECOIL2 0x457CCF
#define OFFSET_NORECOIL3 0x457CDA
#define OFFSET_NORECOIL4 0x457CDC
//--------------------------------------------------------------------------------------------------------------------------------------------------------

SendCommandToConsole:
Search for string "stoprecord" or "screenshot silent" or "quit" or "pb_sv_guidrelax".
PHP:
0046C90F   68 400E6D00    PUSH iw3mp.006D0E40  ; ASCII "screenshot silent"
0046C914   6A 00               PUSH 0
0046C916   6A 00               PUSH 0
0046C918   E8 93D10800    CALL iw3mp.004F9AB0 '<<<--- SendCommandToConsole function offset'
0046C91D   83C4 0C               ADD ESP,0C
#define OFFSET_SENDCOMMAND 0x4F9AB0
//--------------------------------------------------------------------------------------------------------------------------------------------------------

CG_Init:
CG_Init is the struct that holds offsets to all other important classes.
Search for string "CL_InitCGame", scroll down a few lines and look for a call.
PHP:
0045BFD3   68 E4EE6C00      PUSH iw3mp.006CEEE4  ; ASCII "Setting state to CA_LOADING in CL_InitCGame\n"
0045BFD8   6A 0E                    PUSH 0E
0045BFDA   C706 07000000    MOV DWORD PTR DS:[ESI],7
0045BFE0   E8 DB0B0A00        CALL iw3mp.004FCBC0
0045BFE5   A1 E44C8F00        MOV EAX,DWORD PTR DS:[8F4CE4]
0045BFEA   8B0D 244E9100    MOV ECX,DWORD PTR DS:[914E24]
0045BFF0   8B15 1C4E9100    MOV EDX,DWORD PTR DS:[914E1C]
0045BFF6   50                         PUSH EAX
0045BFF7   51                         PUSH ECX
0045BFF8   52                         PUSH EDX
0045BFF9   53                         PUSH EBX
0045BFFA   C605 F7F8C500 01 MOV BYTE PTR DS:[C5F8F7],1
0045C001   C605 DE4C8F00 00 MOV BYTE PTR DS:[8F4CDE],0
0045C008   E8 C33AFEFF      CALL iw3mp.0043FAD0    '<<<--- CG_Init class offset'
#define OFFSET_CG_INIT 0x43FAD0
//--------------------------------------------------------------------------------------------------------------------------------------------------------

Entity, CG, CGs classes:
Now that you have found the CG_Init class offset, let's take a look at the other classes inside it.
PHP:
0043FAD0   55                     PUSH EBP
0043FAD1   8BEC                     MOV EBP,ESP
0043FAD3   83E4 F8                 AND ESP,FFFFFFF8
0043FAD6   83EC 44                 SUB ESP,44
0043FAD9   53                       PUSH EBX
0043FADA   8B5D 08                MOV EBX,DWORD PTR SS:[EBP+8]
0043FADD   56                       PUSH ESI
0043FADE   57                      PUSH EDI
0043FADF   68 243A0000             PUSH 3A24
0043FAE4   33FF                   XOR EDI,EDI
0043FAE6   57                     PUSH EDI
0043FAE7   68 08A97400             PUSH iw3mp.0074A908 '<<<--- CGS class offset'
0043FAEC   E8 AFC92300             CALL iw3mp.0067C4A0
0043FAF1   83C4 0C                 ADD ESP,0C
0043FAF4   68 F0E70F00             PUSH 0FE7F0
0043FAF9   57                     PUSH EDI
0043FAFA   68 38E37400             PUSH iw3mp.0074E338 '<<<--- CG class offset'
0043FAFF   E8 9CC92300            CALL iw3mp.0067C4A0
0043FB04   8BC3                   MOV EAX,EBX
0043FB06   69C0 78160000           IMUL EAX,EAX,1678
0043FB0C   83C4 0C                 ADD ESP,0C
0043FB0F   68 78160000             PUSH 1678
0043FB14   8DB0 A86F7400         LEA ESI,DWORD PTR DS:[EAX+746FA8]
0043FB1A   57                     PUSH EDI
0043FB1B   56                       PUSH ESI
0043FB1C   897424 18               MOV DWORD PTR SS:[ESP+18],ESI
0043FB20   E8 7BC92300             CALL iw3mp.0067C4A0
0043FB25   8BCB                     MOV ECX,EBX
0043FB27   69C9 00700700           IMUL ECX,ECX,77000
0043FB2D   83C4 0C                 ADD ESP,0C
0043FB30   68 00700700             PUSH 77000
0043FB35   81C1 D8F28400       ADD ECX,iw3mp.0084F2D8 '<<<--- Entity class offset'
0043FB3B   57                     PUSH EDI
0043FB3C   51                     PUSH ECX
0043FB3D   E8 5EC92300             CALL iw3mp.0067C4A0
0043FB42   8BD3                     MOV EDX,EBX
0043FB44   69D2 00220000           IMUL EDX,EDX,2200
0043FB4A   83C4 0C                 ADD ESP,0C
0043FB4D   68 00220000             PUSH 2200
#define OFFSET_CENTITY 0x84F2D8
#define OFFSET_CG 0x74E338
#define OFFSET_CGS 0x74A908
//--------------------------------------------------------------------------------------------------------------------------------------------------------

ClientInfo class:
Search for string "g_TeamColor" and look up a few lines.
PHP:
00431F60   69C9 CC040000    IMUL ECX,ECX,4CC '<<<--- Size of the ClientInfo class'
00431F66   05 70928300         ADD EAX,iw3mp.00839270 '<<<---ClientInfo class offset'
00431F6B   8B40 1C             MOV EAX,DWORD PTR DS:[EAX+1C]
00431F6E   81C1 70928300    ADD ECX,iw3mp.00839270 '<<<---ClientInfo class offset'
00431F74   83F8 03             CMP EAX,3
00431F77   57                   PUSH EDI
00431F78   75 0C               JNZ SHORT iw3mp.00431F86
00431F7A   68 887D6C00        PUSH iw3mp.006C7D88        ; ASCII "g_TeamColor"
00431F7F   68 A87F6C00       PUSH iw3mp.006C7FA8          ; ASCII "%s_Spectator"
#define OFFSET_CLIENTINFO 0x839270
//--------------------------------------------------------------------------------------------------------------------------------------------------------

Minimap/Compass:
Search for string "g_compassShowEnemies" and look for a call under it.
PHP:
0042A080   BF 0C796C00      MOV EDI,iw3mp.006C790C    ; ASCII "g_compassShowEnemies"
0042A085   894424 28        MOV DWORD PTR SS:[ESP+28],EAX
0042A089   D95C24 30        FSTP DWORD PTR SS:[ESP+30]
0042A08D   D84C24 64        FMUL DWORD PTR SS:[ESP+64]
0042A091   D84424 5C        FADD DWORD PTR SS:[ESP+5C]
0042A095   D95C24 34        FSTP DWORD PTR SS:[ESP+34]
0042A099   D903             FLD DWORD PTR DS:[EBX]
0042A09B   D95C24 48        FSTP DWORD PTR SS:[ESP+48]
0042A09F   D943 04          FLD DWORD PTR DS:[EBX+4]
0042A0A2   D95C24 4C        FSTP DWORD PTR SS:[ESP+4C]
0042A0A6   D943 08          FLD DWORD PTR DS:[EBX+8]
0042A0A9   D95C24 50        FSTP DWORD PTR SS:[ESP+50]
0042A0AD   D943 0C          FLD DWORD PTR DS:[EBX+C]
0042A0B0   D95C24 54        FSTP DWORD PTR SS:[ESP+54]
0042A0B4   E8 97151400      CALL iw3mp.0056B650 '<<<---- NOP it and enemies are visible on compass at all times.'
#define OFFSET_COMPASS 0x42A0B4
//--------------------------------------------------------------------------------------------------------------------------------------------------------


IsInGame:
Search for strings like "+speed" or "+melee".
PHP:
0042F193   C74424 28 647E6C>MOV DWORD PTR SS:[ESP+28],iw3mp.006C7E64 ; ASCII "+toggleads_throw"
0042F19B   C74424 2C 787E6C>MOV DWORD PTR SS:[ESP+2C],iw3mp.006C7E78 ; ASCII "+speed_throw"
0042F1A3   C74424 30 887E6C>MOV DWORD PTR SS:[ESP+30],iw3mp.006C7E88 ; ASCII "+speed"
0042F1AB   C74424 34 907E6C>MOV DWORD PTR SS:[ESP+34],iw3mp.006C7E90 ; ASCII "toggleads"
0042F1B3   C74424 20 9C7E6C>MOV DWORD PTR SS:[ESP+20],iw3mp.006C7E9C ; ASCII "+melee"
0042F1BB   C74424 24 A47E6C>MOV DWORD PTR SS:[ESP+24],iw3mp.006C7EA4 ; ASCII "+melee_breath"
0042F1C3   0F84 05020000    JE iw3mp.0042F3CE
0042F1C9   8B0D F8F8C500    MOV ECX,DWORD PTR DS:[C5F8F8]
0042F1CF   C1E9 04          SHR ECX,4
0042F1D2   F6C1 01          TEST CL,1
0042F1D5   0F85 F3010000    JNZ iw3mp.0042F3CE
0042F1DB   8B3D 5CE37400    MOV EDI,DWORD PTR DS:[74E35C]  '<<<---IsInGame offset '
#define OFFSET_ISINGAME 0x74E35C
//--------------------------------------------------------------------------------------------------------------------------------------------------------

I wanna point out that these methods might not be universal in Quake3-engine-based games, and for every func/offset there is always more than one way to find it. Be creative and you should be able to find any other offset based on these examples.
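The offsets above are all read by eye from the listing: the CALL target comes from the E8 rel32 encoding (target = address + 5 + rel32) and the class/string addresses from 68/B8 imm32 operands. The following Python is an added example, not code from the post or the game, that decodes those operands from the raw byte column of OllyDbg-style lines and checks the #define values against them; the sample lines are copied from the listings above and `iw3mp` is the module name OllyDbg shows there.

```python
"""Decode the operands the post reads by eye from OllyDbg listing lines.

Added example (not from the post or the game): it parses lines in the
ADDRESS  BYTES  MNEMONIC layout shown above, recovers CALL targets from the
E8 rel32 encoding (target = address + 5 + rel32) and PUSH/MOV EAX imm32
values, and checks them against the post's #define lines.
"""
import re
import struct

# Constructed sample: lines copied from the post's listings, annotation quotes
# removed. 'iw3mp' is the module name OllyDbg shows in those listings.
SAMPLE_LISTING = """\
004EB7C0   6A 09            PUSH 9
004EB7C2   6A 01            PUSH 1
004EB7C4   68 D0F86D00      PUSH iw3mp.006DF8D0    ; ASCII "j_helmet"
004EB7C9   66:A3 946E4001   MOV WORD PTR DS:[1406E94],AX
004EB7CF   E8 BCCA0200      CALL iw3mp.00518290
004EB7D4   83C4 0C          ADD ESP,0C
0040253D   E8 6EFFFFFF      CALL iw3mp.004024B0
0043EAFA   B8 002A5F00      MOV EAX,iw3mp.005F2A00
"""

SAMPLE_DEFINES = """\
#define OFFSET_REGISTERTAG 0x518290
#define OFFSET_GETTAGPOS 0x4024B0
#define OFFSET_REGISTERSHADER 0x5F2A00
"""

ADDR_RE = re.compile(r'^[0-9A-Fa-f]{8}$')
HEX_GROUP_RE = re.compile(r'^[0-9A-Fa-f:]+$')
SYMBOL_RE = re.compile(r'iw3mp\.([0-9A-Fa-f]{8})')


def _is_byte_group(tok):
    """Byte-column tokens are hex (a ':' separates a prefix, e.g. 66:A3) with an
    even digit count; hex-looking mnemonics such as ADD have an odd length."""
    digits = tok.replace(':', '')
    return bool(HEX_GROUP_RE.match(tok)) and digits != '' and len(digits) % 2 == 0


def parse_listing(text):
    """Return (address, raw bytes, asm text without the ; comment) per line."""
    rows = []
    for line in text.splitlines():
        toks = line.split()
        if len(toks) < 3 or not ADDR_RE.match(toks[0]):
            continue
        raw = bytearray()
        i = 1
        while i < len(toks) and _is_byte_group(toks[i]):
            raw += bytes.fromhex(toks[i].replace(':', ''))
            i += 1
        asm = ' '.join(toks[i:]).split(';')[0].strip()
        rows.append((int(toks[0], 16), bytes(raw), asm))
    return rows


def decode_operand(addr, raw):
    """Decode the three 5-byte encodings the post relies on:
    E8 rel32 (CALL), 68 imm32 (PUSH), B8 imm32 (MOV EAX). Otherwise None."""
    if len(raw) != 5:
        return None
    if raw[0] == 0xE8:
        rel = struct.unpack('<i', raw[1:5])[0]          # signed displacement
        return ('call', (addr + 5 + rel) & 0xFFFFFFFF)  # relative to next IP
    if raw[0] == 0x68:
        return ('push', struct.unpack('<I', raw[1:5])[0])
    if raw[0] == 0xB8:
        return ('mov_eax', struct.unpack('<I', raw[1:5])[0])
    return None


def resolve_targets(text):
    """Map instruction address -> (kind, value) decoded from the raw bytes."""
    out = {}
    for addr, raw, _asm in parse_listing(text):
        dec = decode_operand(addr, raw)
        if dec:
            out[addr] = dec
    return out


def verify_symbolic(text):
    """Compare OllyDbg's symbolic operand (iw3mp.XXXXXXXX) with the value
    decoded from the bytes; a mismatch means a mistyped listing line."""
    mismatches = []
    for addr, raw, asm in parse_listing(text):
        dec = decode_operand(addr, raw)
        sym = SYMBOL_RE.search(asm)
        if dec and sym and dec[1] != int(sym.group(1), 16):
            mismatches.append((addr, int(sym.group(1), 16), dec[1]))
    return mismatches


def check_defines(listing, defines):
    """True for each '#define NAME 0xVALUE' whose VALUE is a decoded target."""
    decoded = {value for _kind, value in resolve_targets(listing).values()}
    return {m.group(1): int(m.group(2), 16) in decoded
            for m in re.finditer(r'#define\s+(\w+)\s+0x([0-9A-Fa-f]+)', defines)}


if __name__ == '__main__':
    for addr, (kind, value) in sorted(resolve_targets(SAMPLE_LISTING).items()):
        print(f'{addr:08X}  {kind:8s} -> {value:08X}')
    print(check_defines(SAMPLE_LISTING, SAMPLE_DEFINES))
    print('mismatches:', verify_symbolic(SAMPLE_LISTING))
```

Only the 5-byte E8/68/B8 forms are decoded; other instructions in the listing are parsed but yield no operand, which is enough to cross-check every #define on this page.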
 

Lucifer

Veteran
DON'T BITCH AT ME I DIDN'T MAKE THIS
There is a lot of information about offsets all over the forum, but not much info on how to actually find them. I'm gonna show how to find offsets searching them by strings. The same methods of finding offsets can be used in any call of duty game. These examples are based on CoD4 patch 1.7.

RegisterTag:
Search for string "j_helmet" or "j_head".
First push is length of the string + 1(int value), in this case "j_helmet" is (strlen("j_helmet")+1)==9
Second push is also int, representing the entity type. Type 1 is human/player.
Third push is the name of the bone, string type variable.
PHP:
004EB7C0   6A 09            PUSH 9
004EB7C2   6A 01            PUSH 1
004EB7C4   68 D0F86D00      PUSH iw3mp.006DF8D0    ; ASCII "j_helmet"
004EB7C9   66:A3 946E4001   MOV WORD PTR DS:[1406E94],AX
004EB7CF   E8 BCCA0200      CALL iw3mp.00518290 '<<<--- Offset of RegisterTag function'
004EB7D4   83C4 0C          ADD ESP,0C '<<<--- Size of the func.'
#define OFFSET_REGISTERTAG 0x518290

//--------------------------------------------------------------------------------------------------------------------------------------------------------
GetPlayerTagPos:
Search for string "AimTarget_GetTagPos".
Scroll down and look for a call.
PHP:
00402508   68 FCD16900      PUSH iw3mp.0069D1FC    ; ASCII "AimTarget_GetTagPos: Cannot find tag [%s] on entity
"
0040250D   6A 01               PUSH 1
0040250F   E8 1CAE0F00    CALL iw3mp.004FD330
00402514   83C4 0C           ADD ESP,0C
00402517   B8 01000000    MOV EAX,1
0040251C   5F                     POP EDI
0040251D   59                     POP ECX
0040251E   C3                     RETN
0040251F   CC                     INT3
00402520   8B4C24 08        MOV ECX,DWORD PTR SS:[ESP+8]
00402524   83EC 10          SUB ESP,10
00402527   83B9 D0000000 01 CMP DWORD PTR DS:[ECX+D0],1
0040252E   56                      PUSH ESI
0040252F   75 19                 JNZ SHORT iw3mp.0040254A
00402531   0FB735 946E4001  MOVZX ESI,WORD PTR DS:[1406E94]
00402538   8B4424 18        MOV EAX,DWORD PTR SS:[ESP+18]
0040253C   52                      PUSH EDX
0040253D   E8 6EFFFFFF      CALL iw3mp.004024B0 '<<<--- GetTagPosPos function offset'
#define OFFSET_GETTAGPOS 0x4024B0
//--------------------------------------------------------------------------------------------------------------------------------------------------------

RegisterShader:
Search for string "black" or "white" or "compassping_grenade" or "nightvision_overlay_goggles" or "killiconheadshot" or "voice_on".
There is a lot more strings you could look for, which this function is using, but I just list a few as reference.
PHP:
0043EAFA   B8 002A5F00        MOV EAX,iw3mp.005F2A00 '<<<<---RegisterShader function offset'
0043EAFF   6A 07               PUSH 7
0043EB01   68 F4BC6C00        PUSH iw3mp.006CBCF4  ; ASCII "compassping_enemy"
0043EB06   FFD0                 CALL EAX
0043EB08   8B0D 785D4301    MOV ECX,DWORD PTR DS:[1435D78]    ; iw3mp.0CBAB8EC
0043EB0E   A3 48F28400         MOV DWORD PTR DS:[84F248],EAX
0043EB13   83C4 08             ADD ESP,8
#define OFFSET_REGISTERSHADER 0x5F2A00
//--------------------------------------------------------------------------------------------------------------------------------------------------------

RegisterFont:
Search for string "fonts/smalldevFont" or "fonts/bigFont".
PHP:
005F4F17   B8 C01E5F00      MOV EAX,iw3mp.005F1EC0 '<<<---RegisterFont offset'
005F4F1C   75 05            JNZ SHORT iw3mp.005F4F23
005F4F1E   B8 201E5F00      MOV EAX,iw3mp.005F1E20
005F4F23   6A 01            PUSH 1
005F4F25   68 280D7000      PUSH iw3mp.00700D28 ; ASCII "fonts/smalldevfont"
005F4F2A   FFD0             CALL EAX
005F4F2C   83C4 08          ADD ESP,8
#define OFFSET_REGISTERFONT 0x5F1EC0
//--------------------------------------------------------------------------------------------------------------------------------------------------------

DrawText:
Search for string "fonts/consoleFont" or "Glow".
PHP:
005F92BD   68 5C0E6D00      PUSH iw3mp.006D0E5C   ; ASCII "fonts/consoleFont"
005F92C2   FFD0             CALL EAX
005F92C4   D9EE             FLDZ
005F92C6   83C4 08          ADD ESP,8
005F92C9   6A 00            PUSH 0
005F92CB   83EC 14          SUB ESP,14
005F92CE   D95424 10        FST DWORD PTR SS:[ESP+10]
005F92D2   B9 98456B00      MOV ECX,iw3mp.006B4598
005F92D7   D905 0C0C7000    FLD DWORD PTR DS:[700C0C]
005F92DD   D95C24 0C        FSTP DWORD PTR SS:[ESP+C]
005F92E1   D905 E0B47000    FLD DWORD PTR DS:[70B4E0]
005F92E7   D95C24 08        FSTP DWORD PTR SS:[ESP+8]
005F92EB   D905 20BE7000    FLD DWORD PTR DS:[70BE20]
005F92F1   D95C24 04        FSTP DWORD PTR SS:[ESP+4]
005F92F5   D91C24           FSTP DWORD PTR SS:[ESP]
005F92F8   50               PUSH EAX
005F92F9   68 FFFFFF7F      PUSH 7FFFFFFF
005F92FE   68 6CFB6F00      PUSH iw3mp.006FFB6C ; ASCII "GLOW"
005F9303   E8 F8D7FFFF      CALL iw3mp.005F6B00 '<<<--- DrawText offset'
005F9308   83C4 24          ADD ESP,24
#define OFFSET_DRAWTEXT 0x5F6B00
//--------------------------------------------------------------------------------------------------------------------------------------------------------

RenderScene:
Search for string "R_RenderScene".
PHP:
005FAF00   55               PUSH EBP '<<<---RenderScene offset'
005FAF01   8BEC             MOV EBP,ESP
005FAF03   83E4 F8          AND ESP,FFFFFFF8
005FAF06   81EC A0000000    SUB ESP,0A0
005FAF0C   803D 90D2C90C 00 CMP BYTE PTR DS:[CC9D290],0
005FAF13   56               PUSH ESI
005FAF14   57               PUSH EDI
005FAF15   8BF0             MOV ESI,EAX
005FAF17   0F84 D8000000    JE iw3mp.005FAFF5
005FAF1D   A1 8495560D      MOV EAX,DWORD PTR DS:[D569584]
005FAF22   8078 0C 00       CMP BYTE PTR DS:[EAX+C],0
005FAF26   0F85 C9000000    JNZ iw3mp.005FAFF5
005FAF2C   8B0D F897560D    MOV ECX,DWORD PTR DS:[D5697F8]           ; iw3mp.0CBBDA14
005FAF32   8379 0C 00       CMP DWORD PTR DS:[ECX+C],0
005FAF36   74 0A            JE SHORT iw3mp.005FAF42
005FAF38   BA E8FB6F00      MOV EDX,iw3mp.006FFBE8                   ; ASCII "====== R_RenderScene ======
"
005FAF3D   E8 FE1F0400      CALL iw3mp.0063CF40
005FAF42   833D 20A3C90C 00 CMP DWORD PTR DS:[CC9A320],0
005FAF49   75 0F            JNZ SHORT iw3mp.005FAF5A
005FAF4B   68 08FC6F00      PUSH iw3mp.006FFC08                      ; ASCII 15,"R_RenderScene: NULL w"
#define OFFSET_RENDERSCENE 0x5FAF00
//--------------------------------------------------------------------------------------------------------------------------------------------------------

Unlock Cheat/Write protected console commands:
Search for string "cheat protected" or "write protected".
Scroll few lines up and look for JNZ/JE and simply reverse them.
PHP:
0056B358   74 19               JE SHORT iw3mp.0056B373 '<<<--Reverse this asm command, changing JE to JNZ'
0056B35A   8B0F                MOV ECX,DWORD PTR DS:[EDI]
0056B35C   51                    PUSH ECX
0056B35D   68 683E6F00   PUSH iw3mp.006F3E68  ; ASCII "%s is write protected.
"
0056B362   6A 10                   PUSH 10
0056B364   E8 5718F9FF        CALL iw3mp.004FCBC0
0056B369   83C4 0C              ADD ESP,0C
0056B36C   5F                        POP EDI
0056B36D   5E                        POP ESI
0056B36E   5B                        POP EBX
0056B36F   8BE5                     MOV ESP,EBP
0056B371   5D                        POP EBP
0056B372   C3                        RETN
0056B373   83F9 01               CMP ECX,1
0056B376   75 29                   JNZ SHORT iw3mp.0056B3A1
0056B378   84C0                   TEST AL,AL
0056B37A   79 25                   JNS SHORT iw3mp.0056B3A1
0056B37C   8B0D 0474BA0C  MOV ECX,DWORD PTR DS:[CBA7404]           ; iw3mp.0CBAB808
0056B382   8079 0C 00         CMP BYTE PTR DS:[ECX+C],0
0056B386   75 19                  JNZ SHORT iw3mp.0056B3A1' <<<--Reverse this asm command, changing JNZ to JE'
0056B388   8B17                   MOV EDX,DWORD PTR DS:[EDI]
0056B38A   52                       PUSH EDX
0056B38B   68 803E6F00      PUSH iw3mp.006F3E80  ; ASCII "%s is cheat protected.
"
#define OFFSET_WRITEPROTECTED 0x56B358
#define OFFSET_CHEATPROTECTED 0x56B386
//--------------------------------------------------------------------------------------------------------------------------------------------------------

NoRecoil:
Seach for string "CG_FireWeapon: weapon".
There is several ways/offsets to remove weapon recoil. I'm gonna show a few.
PHP:
00457C8B   68 2CEA6C00       PUSH iw3mp.006CEA2C ; ASCII 15,"CG_FireWeapon: weapon"
00457C90   6A 01               PUSH 1
00457C92   E8 99560A00    CALL iw3mp.004FD330
00457C97   83C4 08             ADD ESP,8
00457C9A   5F                   POP EDI
00457C9B   5E                   POP ESI
00457C9C   5D                 POP EBP
00457C9D   5B                   POP EBX
00457C9E   83C4 18             ADD ESP,18
00457CA1   C3                   RETN
00457CA2   8BD3             MOV EDX,EBX
00457CA4   C1E2 04             SHL EDX,4
00457CA7   03D3                 ADD EDX,EBX
00457CA9   8D0495 58867400  LEA EAX,DWORD PTR DS:[EDX*4+748658]
00457CB0   8B149D B86D7300  MOV EDX,DWORD PTR DS:[EBX*4+736DB8]
00457CB7   C681 C1010000 01 MOV BYTE PTR DS:[ECX+1C1],1
00457CBE   894424 18           MOV DWORD PTR SS:[ESP+18],EAX
00457CC2   A1 5CE37400       MOV EAX,DWORD PTR DS:[74E35C]
00457CC7   F640 20 06           TEST BYTE PTR DS:[EAX+20],6  '<<<--- Change this value (6) to 0 to remove recoil.'
00457CCB   895424 10         MOV DWORD PTR SS:[ESP+10],EDX
00457CCF   74 12               JE SHORT iw3mp.00457CE3 '<<<<--Reverse this ( Change JE to JNZ )'
00457CD1   8B75 00             MOV ESI,DWORD PTR SS:[EBP]
00457CD4   3BB0 E8000000   CMP ESI,DWORD PTR DS:[EAX+E8]
00457CDA   75 07               JNZ SHORT iw3mp.00457CE3 '<<<<--Reverse this ( Change JNZ to JE )'
00457CDC   B8 01000000       MOV EAX,1  ' <<<<---Change this value (1) to 0 to remove recoil.'
#define OFFSET_NORECOIL1 0x457CC7
#define OFFSET_NORECOIL2 0x457CCF
#define OFFSET_NORECOIL3 0x457CDA
#define OFFSET_NORECOIL4 0x457CDC
//--------------------------------------------------------------------------------------------------------------------------------------------------------

SendCommandToConsole:
Search for string "stoprecord" or "screenshot silent" or "quit" or "pb_sv_guidrelax".
PHP:
0046C90F   68 400E6D00    PUSH iw3mp.006D0E40  ; ASCII "screenshot silent"
0046C914   6A 00               PUSH 0
0046C916   6A 00               PUSH 0
0046C918   E8 93D10800    CALL iw3mp.004F9AB0 '<<<--- SendCommandToConsole function offset'
0046C91D   83C4 0C               ADD ESP,0C
#define OFFSET_SENDCOMMAND 0x4F9AB0
//--------------------------------------------------------------------------------------------------------------------------------------------------------

CG_Init:
CG_Init is the struct that holds offsets to all other important classes.
Search for string "CL_InitCGame", scroll down a few lines and look for a call.
PHP:
0045BFD3   68 E4EE6C00      PUSH iw3mp.006CEEE4  ; ASCII "Setting state to CA_LOADING in CL_InitCGame
"
0045BFD8   6A 0E                    PUSH 0E
0045BFDA   C706 07000000    MOV DWORD PTR DS:[ESI],7
0045BFE0   E8 DB0B0A00        CALL iw3mp.004FCBC0
0045BFE5   A1 E44C8F00        MOV EAX,DWORD PTR DS:[8F4CE4]
0045BFEA   8B0D 244E9100    MOV ECX,DWORD PTR DS:[914E24]
0045BFF0   8B15 1C4E9100    MOV EDX,DWORD PTR DS:[914E1C]
0045BFF6   50                         PUSH EAX
0045BFF7   51                         PUSH ECX
0045BFF8   52                         PUSH EDX
0045BFF9   53                         PUSH EBX
0045BFFA   C605 F7F8C500 01 MOV BYTE PTR DS:[C5F8F7],1
0045C001   C605 DE4C8F00 00 MOV BYTE PTR DS:[8F4CDE],0
0045C008   E8 C33AFEFF      CALL iw3mp.0043FAD0    '<<<--- CG_Init class offset'
#define OFFSET_CG_INIT 0x43FAD0
//--------------------------------------------------------------------------------------------------------------------------------------------------------

Entity, CG, CGs classes:
Now, that you have found CG_Init class offset, lets take a look for other classes inside it.
PHP:
0043FAD0   55                     PUSH EBP
0043FAD1   8BEC                     MOV EBP,ESP
0043FAD3   83E4 F8                 AND ESP,FFFFFFF8
0043FAD6   83EC 44                 SUB ESP,44
0043FAD9   53                       PUSH EBX
0043FADA   8B5D 08                MOV EBX,DWORD PTR SS:[EBP+8]
0043FADD   56                       PUSH ESI
0043FADE   57                      PUSH EDI
0043FADF   68 243A0000             PUSH 3A24
0043FAE4   33FF                   XOR EDI,EDI
0043FAE6   57                     PUSH EDI
0043FAE7   68 08A97400             PUSH iw3mp.0074A908 '<<<--- CGS class offset'
0043FAEC   E8 AFC92300             CALL iw3mp.0067C4A0
0043FAF1   83C4 0C                 ADD ESP,0C
0043FAF4   68 F0E70F00             PUSH 0FE7F0
0043FAF9   57                     PUSH EDI
0043FAFA   68 38E37400             PUSH iw3mp.0074E338 '<<<--- CG class offset'
0043FAFF   E8 9CC92300            CALL iw3mp.0067C4A0
0043FB04   8BC3                   MOV EAX,EBX
0043FB06   69C0 78160000           IMUL EAX,EAX,1678
0043FB0C   83C4 0C          A        DD ESP,0C
0043FB0F   68 78160000             PUSH 1678
0043FB14   8DB0 A86F7400         LEA ESI,DWORD PTR DS:[EAX+746FA8]
0043FB1A   57                     PUSH EDI
0043FB1B   56                       PUSH ESI
0043FB1C   897424 18               MOV DWORD PTR SS:[ESP+18],ESI
0043FB20   E8 7BC92300             CALL iw3mp.0067C4A0
0043FB25   8BCB                     MOV ECX,EBX
0043FB27   69C9 00700700           IMUL ECX,ECX,77000
0043FB2D   83C4 0C                 ADD ESP,0C
0043FB30   68 00700700             PUSH 77000
0043FB35   81C1 D8F28400       ADD ECX,iw3mp.0084F2D8 '<<<--- Entity class offset'
0043FB3B   57                     PUSH EDI
0043FB3C   51                     PUSH ECX
0043FB3D   E8 5EC92300             CALL iw3mp.0067C4A0
0043FB42   8BD3                     MOV EDX,EBX
0043FB44   69D2 00220000           IMUL EDX,EDX,2200
0043FB4A   83C4 0C                 ADD ESP,0C
0043FB4D   68 00220000             PUSH 2200
#define OFFSET_CENTITY 0x84F2D8
#define OFFSET_CG 0x74E338
#define OFFSET_CGS 0x74A908
//--------------------------------------------------------------------------------------------------------------------------------------------------------

ClientInfo class:
Search for string "g_TeamColor" and look up a few lines.
PHP:
00431F60   69C9 CC040000    IMUL ECX,ECX,4CC '<<<--- Size of the ClientInfo class'
00431F66   05 70928300         ADD EAX,iw3mp.00839270 '<<<---ClientInfo class offset'
00431F6B   8B40 1C             MOV EAX,DWORD PTR DS:[EAX+1C]
00431F6E   81C1 70928300    ADD ECX,iw3mp.00839270 '<<<---ClientInfo class offset'
00431F74   83F8 03             CMP EAX,3
00431F77   57                   PUSH EDI
00431F78   75 0C               JNZ SHORT iw3mp.00431F86
00431F7A   68 887D6C00        PUSH iw3mp.006C7D88        ; ASCII "g_TeamColor"
00431F7F   68 A87F6C00       PUSH iw3mp.006C7FA8          ; ASCII "%s_Spectator"
#define OFFSET_CLIENTINFO 0x839270
//--------------------------------------------------------------------------------------------------------------------------------------------------------

Minimap/Compass:
Search for string "g_compassShowEnemies" and look for a call under it.
PHP:
0042A080   BF 0C796C00      MOV EDI,iw3mp.006C790C         ; ASCII "g_compassShowEnemies"
0042A085   894424 28        MOV DWORD PTR SS:[ESP+28],EAX
0042A089   D95C24 30        FSTP DWORD PTR SS:[ESP+30]
0042A08D   D84C24 64        FMUL DWORD PTR SS:[ESP+64]
0042A091   D84424 5C        FADD DWORD PTR SS:[ESP+5C]
0042A095   D95C24 34        FSTP DWORD PTR SS:[ESP+34]
0042A099   D903             FLD DWORD PTR DS:[EBX]
0042A09B   D95C24 48        FSTP DWORD PTR SS:[ESP+48]
0042A09F   D943 04          FLD DWORD PTR DS:[EBX+4]
0042A0A2   D95C24 4C        FSTP DWORD PTR SS:[ESP+4C]
0042A0A6   D943 08          FLD DWORD PTR DS:[EBX+8]
0042A0A9   D95C24 50        FSTP DWORD PTR SS:[ESP+50]
0042A0AD   D943 0C          FLD DWORD PTR DS:[EBX+C]
0042A0B0   D95C24 54        FSTP DWORD PTR SS:[ESP+54]
0042A0B4   E8 97151400      CALL iw3mp.0056B650 '<<<---- NOP it and enemies are visible on compass at all times.'
#define OFFSET_COMPASS 0x42A0B4
//--------------------------------------------------------------------------------------------------------------------------------------------------------


IsInGame:
Search for strings like "+speed" or "+melee".
PHP:
0042F193   C74424 28 647E6C>MOV DWORD PTR SS:[ESP+28],iw3mp.006C7E64 ; ASCII "+toggleads_throw"
0042F19B   C74424 2C 787E6C>MOV DWORD PTR SS:[ESP+2C],iw3mp.006C7E78 ; ASCII "+speed_throw"
0042F1A3   C74424 30 887E6C>MOV DWORD PTR SS:[ESP+30],iw3mp.006C7E88 ; ASCII "+speed"
0042F1AB   C74424 34 907E6C>MOV DWORD PTR SS:[ESP+34],iw3mp.006C7E90 ; ASCII "toggleads"
0042F1B3   C74424 20 9C7E6C>MOV DWORD PTR SS:[ESP+20],iw3mp.006C7E9C ; ASCII "+melee"
0042F1BB   C74424 24 A47E6C>MOV DWORD PTR SS:[ESP+24],iw3mp.006C7EA4 ; ASCII "+melee_breath"
0042F1C3   0F84 05020000    JE iw3mp.0042F3CE
0042F1C9   8B0D F8F8C500    MOV ECX,DWORD PTR DS:[C5F8F8]
0042F1CF   C1E9 04          SHR ECX,4
0042F1D2   F6C1 01          TEST CL,1
0042F1D5   0F85 F3010000    JNZ iw3mp.0042F3CE
0042F1DB   8B3D 5CE37400    MOV EDI,DWORD PTR DS:[74E35C]  '<<<---IsInGame offset '
#define OFFSET_ISINGAME 0x74E35C
//--------------------------------------------------------------------------------------------------------------------------------------------------------

I wanna point out that these methods might not be universal in quake3-engine based games and for finding every func/offset there is always more than 1 way. Be creative and you should be able to find any other offset based on these examples.
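Every listing above ends the same way: a PUSH of the address you searched for, then an E8 CALL whose target is the function you want, then an ADD ESP,imm8 whose immediate (divided by 4) is the argument count. OllyDbg resolves the CALL target for you, but if you are checking these offsets from raw bytes (a dump, a diff between two patches, or an anti-cheat signature), you have to do the rel32 arithmetic yourself. The script below is an added example and is not code from the post or from the game; it decodes only the handful of x86-32 opcodes these listings use, and its sample bytes are constructed from the CGS listing above (0043FADF..0043FAF3). The function names are my own.

```python
"""Added example: resolve the CALL target and argument count that follow a
PUSH of a known address, from raw x86-32 bytes. Not part of the original
post; sample bytes are constructed from the post's CGS listing."""
import struct


def decode(code, i):
    """Decode one instruction at code[i:]. Returns (mnemonic, length, operand).
    Only the opcodes seen in the listings are supported; anything else raises."""
    op = code[i]
    if op == 0x68:                                   # PUSH imm32
        return "push_imm", 5, struct.unpack_from("<I", code, i + 1)[0]
    if op == 0x6A:                                   # PUSH imm8
        return "push_imm", 2, code[i + 1]
    if 0x50 <= op <= 0x57:                           # PUSH r32 (EAX..EDI)
        return "push_reg", 1, op - 0x50
    if op == 0xE8:                                   # CALL rel32 (signed)
        return "call", 5, struct.unpack_from("<i", code, i + 1)[0]
    if op == 0x33 and (code[i + 1] & 0xC0) == 0xC0:  # XOR r32,r32 (register form)
        return "xor", 2, code[i + 1]
    if op == 0x83 and code[i + 1] == 0xC4:           # ADD ESP,imm8
        return "add_esp", 3, code[i + 2]
    raise ValueError(f"unsupported opcode {op:#04x} at offset {i:#x}")


def linear_sweep(code, base):
    """Yield (address, mnemonic, operand) for every instruction in the buffer."""
    i = 0
    while i < len(code):
        mnemonic, length, operand = decode(code, i)
        yield base + i, mnemonic, operand
        i += length


def call_target(call_addr, rel32):
    """E8 rel32 is relative to the address of the NEXT instruction (call + 5)."""
    return (call_addr + 5 + rel32) & 0xFFFFFFFF


def resolve_call_after_push(code, base, pushed_value):
    """Find the first PUSH of `pushed_value`, then the first CALL after it.
    Returns (target address, dword argument count from ADD ESP,imm8), with
    the count as None if no stack cleanup follows; None if no CALL is found."""
    seen_push = False
    target = None
    for addr, mnemonic, operand in linear_sweep(code, base):
        if mnemonic == "push_imm" and operand == pushed_value:
            seen_push = True
        elif seen_push and mnemonic == "call" and target is None:
            target = call_target(addr, operand)
        elif target is not None and mnemonic == "add_esp":
            return target, operand // 4
    return (target, None) if target is not None else None


# Constructed from the post's CGS listing: the bytes at 0043FADF .. 0043FAF3.
CGS_BASE = 0x0043FADF
CGS_CODE = bytes.fromhex(
    "68243A0000"   # 0043FADF  PUSH 3A24         (third argument, size)
    "33FF"         # 0043FAE4  XOR EDI,EDI
    "57"           # 0043FAE6  PUSH EDI          (second argument, 0)
    "6808A97400"   # 0043FAE7  PUSH 0074A908     (first argument, CGS address)
    "E8AFC92300"   # 0043FAEC  CALL 0067C4A0
    "83C40C"       # 0043FAF1  ADD ESP,0C        (3 dword arguments cleaned up)
)
OFFSET_CGS = 0x74A908


if __name__ == "__main__":
    target, argc = resolve_call_after_push(CGS_CODE, CGS_BASE, OFFSET_CGS)
    print(f"PUSH {OFFSET_CGS:#x} is followed by CALL {target:#x} taking {argc} args")
    # The same arithmetic applies to the compass listing above:
    # E8 97151400 at 0042A0B4 resolves to 0056B650.
    print(f"#define OFFSET_COMPASS_CALLEE {call_target(0x0042A0B4, 0x00141597):#x}")
```

The decoder is a linear sweep, so it assumes the buffer starts on an instruction boundary and contains no data; feed it the exact byte range shown in a listing rather than an arbitrary slice of the image. The signed unpack of rel32 matters for functions located below the call site, which the page's forward-only examples never show.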
Nice thread, too much scrolling though, maybe put screenshots in spoilers lol, but good thread.
swoon
These are very good ways to find Call of duties ****. Very useful if you want to create a CoD cheat.
swoon
And that means?
They're programs: Sigma and Cheat Engine. So what you do is download it and connect to your game. So let's say you want to find an unlimited ammo offset: you would shoot a couple of bullets, then search for how many bullets you have left in the value. Then you will see the black ones, then the green ones. The green ones are the value you want to change, and then you can see which offset it is for unlimited ammo. You can narrow it down with find next too. Also I tried to make this as friendly as possible without bigger words and their actual definitions lol. Hope it helps.
swoon
I know I'm the stupidest human in the world
If you know German, we understand German well... Google Translate isn't for everyone, or just for people who aren't familiar with English. Which is ok.
 