Ill show you how to find FastAmmo with Pictures
For Memory Signatures:
Step1 : Open Ida Pro, Open the newest WarRock.exe
Step2 : Do Jump > Just to address : Enter the newest address B183F0 (Without 0x00/0x!!)
Next step's (3 till 7)
Text must be : Save these *Always save 10-20 bytes!!*
Step8 : Now do the same thing for the OLD address (Do this in the unpacked warrock from that patch)
Step9 : Now you got a OLD pattern and a NEW pattern how to get it to the Signature?
Lets say we got
New: D8 D9 D0 D1 D2 D3 D4
Old: D9 D9 D0 D1 D3 D3 D4
For every CHANGED byte u get a ? if its not changed u get a x
So the mask will be :
Code:
?xxx?xx
In our example that would be :
Code:
/xD8/xD9/xD0/xD1/xD2/xD3/xD4
THIS IS JUST AN EXAMPLE!!!
Step10: Now u need to tell C++ that it is a memory hack, most addy logger sources uses:
Code:
DWORD(PBYTE)" ", " ", 0 , true);
The 0 respresents the one WE need to change. It depends on the addy you are logging, normally its between 1-4 (For Memory hacks, If its wrong your logger logs something like: 0x0089384918)
For ASM Signatures:
Step1 : Open Ida Pro, Open the newest WarRock.exe
Step2 : Do Jump > Jump to address > Newest OPK1 Addres (68570C) (WITHOUT 0X/0X00!!)
Step3/4:
Step5: Now do the same thing for the OLD address (Do this in the unpacked warrock from that patch)
Step6(Same as Memory Step9) : Now you got a OLD pattern and a NEW pattern how to get it to the Signature?
Lets say we got
New: D8 D9 D0 D1 D2 D3 D4
Old: D9 D9 D0 D1 D3 D3 D4
For every CHANGED byte u get a ? if its not changed u get a x
So the mask will be :
Code:
?xxx?xx
In our ex that would be :
Code:
/xD8/xD9/xD0/xD1/xD2/xD3/xD4
THIS IS JUST AN EXAMPLE!!!
Step10:
Code:
DWORD(PBYTE)" ", " ", 0 , 0);
Code:
DWORD(PBYTE)" ", " ", 0 , true);
Important : Why the byte length must be 10-20?
Sometimes bytes change so you have to reference with line of codes near the original address to find new address in updated warrock.exe.(quote from Vince')
This tut is for people who are just starting with finding addies!
Havefun
