Welcome to Valhalla Legends Archive.

In Game Messaging

Started by Don Cullen, June 15, 2005, 03:27 PM


tA-Kane

Try a different debugger?
Macintosh programmer and enthusiast.
Battle.net Bot Programming: http://www.bash.org/?240059
I can write programs. Can you right them?

http://www.clan-mac.com
http://www.eve-online.com

Don Cullen

Quote from: rabbit on June 19, 2005, 11:30 PM
SoftICE is being evil for me! Particularly: it will not break. Ever. It refuses to break even when I set breakpoints at the memory addresses I found for the text. Any ideas?

That means you put BPM at the wrong offset. What offset are you trying to put BPM at, and how did you get that offset?
Regards,
Don
-------

Don't wonder why people suddenly are hostile when you treat them the way they shouldn't be- it's called 'Mutual Respect'.

R.a.B.B.i.T

659EDD, (among others, my list is on my other computer), which I found by searching the memory (as the tutorial said).

I also tried the old offsets (listed in the tutorial), but they didn't work either.

Okee

Hey guys, where did everyone download SoftICE for WinXP and IDA? I've been searching, and they're all broken links, etc.

Thanks.


R.a.B.B.i.T

Yes, but I also installed the patch that Blaze(?) posted.

Don Cullen

Quote from: rabbit on June 20, 2005, 12:09 PM
659EDD, (among others, my list is on my other computer), which I found by searching the memory (as the tutorial said).

I also tried the old offsets (listed in the tutorial), but they didn't work either.

Those offsets in the tutorial are worthless. They are completely inaccurate- they might have been accurate before, but they aren't now because of the patches Blizzard released since that.

In any case, let me tell you what to do... My apologies in advance if I'm explaining this in layman's terms- I'm trying to keep it easy for anyone else who needs it to be... :-P Also, keep in mind I haven't solved the timer offset problem- so I'm just going to give you what I got. So yeah, I'm writing my own tutorial for ya guys. Heh. You'll need SoftIce, IDA, WinHack, and a calculator capable of doing HEX mathematics. You'll also need a paper and a pen. Or whatever writing implement you use... To get the software I mentioned, just google it. It's how I got my copies. Be wary though, most sites are disreputable.

Once you have obtained **AND INSTALLED** all of the software you'll need, go ahead with the tutorial. SoftIce also must be already running in the background.

Boot up starcraft, start a game on battle.net. When you're actively in the game- not just the game lobby, but IN the game-- press enter, type "TESTSTRING" and press enter again.

Now, open WinHack, select the starcraft process, then click the Edit Memory tab.

Now, in the text box to the right of the Search Now button, type: TESTSTRING, then click search now.

Now, what the tutorial failed to clarify on is, in the memory offset it takes you to-- it is **NOT** the start of that specific memory offset. Remember, in the game, when you pressed enter after typing the string, it said:

YourName: TESTSTRING

YourName being your battle.net name that you were using when you sent that string. The 'YourName: ' is also part of that string-- so we don't want the start of TESTSTRING-- we want the start of YourName. In WinHack, using the ^ button, scroll up one line. You'll see:

ourName: TESTSTRING

in my case, my battle.net name is Kyro[sK], and it showed:

yro[sK]: TESTSTRING

In any case, the first letter of the string will be missing. The reason why it's missing is because if the first letter is NULL (empty), Starcraft knows not to print the string. Now, we want the offset that the string first starts at. Look at the left side of WinHack-- you'll notice a lot of zeros (00 00 00 00). Keep that in mind. Now, in the right side of the window, you'll see your string. Click on that place (in your bnet name) where the first letter is missing (like for example, in mine, the place where there should have been a K, in Kyro, but yet K is missing).

That's the message offset. Now, look at the left side of the window- you'll notice a 00 that got selected too. Look at the far left side- the list of offsets. In my case, it was:

658D10

Okay, you've got the first part of the offset- you need a more specific offset. Now, look at the top row of buttons- the ones saying 0123456789ABCDEF... Look at the button that's in the same row as the offset that was selected. In my case, it was the C button.

Now, you replace the last character on the right of 658D10 with that letter/number.

658D10 turns into 658D1C.

That's the message offset. Now, we need to find out where the timer offset is...

Press Ctrl D to get into SoftIce. Look in the bottom right corner of SoftIce. That's the process it is looking at. Is it Starcraft? If not, close SoftIce by pressing Ctrl D again. Open it again, it'll be displaying a different process. If it's not Starcraft, close and re-open. Repeat until it is showing the Starcraft process.

Score! Now we got it showing the Starcraft process! Now, type:

BPM #######

#### being the message offset. For example, in mine, it was:

BPM 658D1C

Now the breakpoint is set. Press ctrl d to close SoftIce. SoftIce should immediately pop back up. See the line that it outlined in grey? That's where it broke at. Now, look to the left of that green line. The offset will be selected. Write it down. In mine, it was 46E63C. To the right, see the ASM line saying: TEST CL, CL? Keep that in mind. Look at the top right part of SoftIce. You'll see a part that says ESI =. Write the value of ESI. In mine, it was 00000008. Or to sum it up, 8.

Now, in SoftIce, type BC *. That clears all breakpoints. Press Ctrl D to exit SoftIce.

Now, open IDA. Disassemble the Starcraft Process. For those who don't know how, click the New button in the Welcome to IDA! window. Browse to where your Starcraft.exe is (usually in c:\program files\starcraft\). Select the Starcraft.exe file. Click open. It'll take a moment for the next window to pop up. When it does, just click OK. It'll take a moment while it disassembles the file. When it's done, in the top left menu, click Jump, then click Jump to Address. Type in that offset you found from SoftIce. Aha! See Test CL, CL on that line it selects (jumps to)? That confirms we're on the right line/offset. Now, this is the tricky part: it's **NOT** the timer offset.

!!!WARNING!!!! Up to this point, I'm completely sure the information above is correct, but past this point, I'm not sure if the information I have is correct- feel free to keep following what I explain-- but keep in mind, it may not be correct, as I am still having problems with using the Timer function. Maybe Kp will finally enlighten me on how to use the Timer function, but seeing how he's keeping his lips tightly sealed, we'll have to figure it out for ourselves... PM Kp-- maybe you'll have better luck than I did-- at least he did give some advice regarding why I shouldn't be doing this in VB.

Now, back to the tutorial. In IDA, you should be on the TEST CL, CL line. Or to be specific, the 46E63C offset (that's the offset I found in SoftIce to the left of Test CL, CL when SoftIce broke).  Look two lines below that. You should see:

.text:0046E644                 mov     edx, dword_659160[esi*4]

Now, open calculator. Microsoft Calculator. If you have a better software to use, fine. But in this, we'll use MSCalc. If you're not a windows user-- well then, use whatever calculator comes with the OS, and hope like heck it comes with advanced functions.

To open MSCalc for windows, just click start (bottom left corner of the screen...), click run, then type Calc, then press enter.

In MSCalc, if you're not already in Scientific Mode, click on View, then click on Scientific.

Now, below the text box and to the left, you'll see a couple of options; Hex, Dec, Oct, Bin. Select Hex. Multiply 4 by whatever the value of ESI you got. Since my value was 8, I got 20 (for those who're going what the-- it should be 32!, it didn't multiply decimal style, it multiplied HEX style, so it's 20).

.text:0046E644                 mov     edx, dword_659160[esi*4]

Remember this line? Look at the part between dword_ and [esi*4]. In that line, it's 659160. In MSCalc, it should still be at the number you got after multiplying ESI with 4. Click add. Then put in that number you got from between dword_ and [esi*4] (in this case, 20 + 659160).

Here's a fact: did you know HTML colors are usually in HEX? Cool.

Back to the tutorial. Now, when I added the results of ESI * 4 to the offset between dword and esi * 4, I got 659180.

(4 * ESI) + 659160 = 659180.

659180, is what I think is the timer offset. I could be wrong, but I suspect it is. Now, switch back to WinHack. See the Go To Address button? In the textbox to the immediate right of it, type the final result you got in MSCalc (in my case, 659180). Click on the Go To Address button. You're now at what I suspect is the timer offset. Click on what is selected, edit it to say:

0F

Repeat for the next three boxes to the right of that one. It should look like: 0F 0F 0F 0F. Now save changes right after you put in the 0F 0F 0F 0F, by clicking on the "Save Changes" button to the right middle of the window of WinHack.

Almost done! Now, write your message to the message offset- for example: Valhalla Legends rules!

If you scroll up, you'll see code that lets you write messages to message offsets. Or if you want to do it manually, just using WinHack, jump to the message offset (in my case, 658D1C). Then in the right side window pane, you should see your TESTSTRING part. Click at that first letter of your string (in my case, the missing letter part of Kyro[sK]: TESTSTRING, in WinHack, says yro[sK]: TESTSTRING)- IT MUST BE THAT EMPTY (NULL) FIRST LETTER PART! In my case, the C column at offset 658D10. Now, using the right side window pane, put in your message. For example, the C column would say V, D column would say a, E would say l, and so on. If you reach the end of the columns (F is the last column), just go down one row, and continue from column #1. When you finish your message, click save changes.

If you used a compiler like VB or C++ (as per Kp's recommendation, I'll pass this on: use C++, just ignore the fact I chose to stick with VB), just make code that writes the message to the offset. There's code for that if you scroll up.

Now, once you've written the message to the offset, switch back to StarCraft. You should see the message being displayed.

Only one problem: the message won't go away, unless you scroll up by entering several text messages (or you get several text messages) using StarCraft. To make it go away, just change the first letter of your message to a NULL character (in VB, the null character is obtained using CHR$(0)). In VB, you could just write a single NULL character to the message offset (in my case, 658D1C). This will result in Starcraft no longer displaying the message.

That's the end of my tutorial! Now I can start packing for the move to my apartment- I won't be online for three days (hopefully less), so if you need any help, others will assist you until then!

Take care!
Regards,
Don
-------

Don't wonder why people suddenly are hostile when you treat them the way they shouldn't be- it's called 'Mutual Respect'.
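The step in the post that trips people up is turning the IDA operand `dword_659160[esi*4]` into an address: it is just base + index*scale, done in hex. The following is an added example, not code from the thread or from any of the tools named in it; it parses that IDA-style operand syntax (the size prefix, hex base and optional `*scale` are assumptions about IDA's rendering based on the one line quoted above), computes the effective address the same way MSCalc was used in the post, and decodes the little-endian element from a constructed memory snapshot. The register value ESI = 8 and the addresses are the ones from the post; the snapshot bytes are made up for the demonstration.

```python
import re
import struct

# IDA renders a scaled-index memory operand as <size>_<hexbase>[<reg>*<scale>],
# e.g. "dword_659160[esi*4]". The effective address is base + reg*scale.
OPERAND_RE = re.compile(
    r"^(?P<size>byte|word|dword|qword)_(?P<base>[0-9A-Fa-f]+)"
    r"\[(?P<reg>[a-z]+)(?:\*(?P<scale>[1248]))?\]$"
)
SIZE_BYTES = {"byte": 1, "word": 2, "dword": 4, "qword": 8}
UNPACK_FMT = {1: "<B", 2: "<H", 4: "<I", 8: "<Q"}  # x86 is little-endian


def parse_operand(operand: str) -> dict:
    """Split an IDA-style indexed operand into base, index register, scale and element size."""
    m = OPERAND_RE.match(operand.strip())
    if not m:
        raise ValueError(f"unrecognised operand: {operand!r}")
    return {
        "base": int(m.group("base"), 16),
        "reg": m.group("reg"),
        "scale": int(m.group("scale") or 1),
        "size": SIZE_BYTES[m.group("size")],
    }


def effective_address(operand: str, regs: dict) -> int:
    """Return base + reg*scale for the given register values (plain integers)."""
    op = parse_operand(operand)
    if op["reg"] not in regs:
        raise KeyError(f"no value supplied for register {op['reg']}")
    return op["base"] + regs[op["reg"]] * op["scale"]


def explain(operand: str, regs: dict) -> str:
    """Render the calculation as the hex steps the post performs by hand in MSCalc."""
    op = parse_operand(operand)
    idx = regs[op["reg"]]
    offset = idx * op["scale"]
    return (f"{op['reg']}={idx:X}h * {op['scale']} = {offset:X}h; "
            f"{op['base']:X}h + {offset:X}h = {op['base'] + offset:X}h "
            f"(element {idx} of a {op['size']}-byte table)")


def read_element(snapshot: bytes, snapshot_base: int, operand: str, regs: dict) -> int:
    """Decode the element the operand addresses from a memory snapshot that starts at snapshot_base."""
    op = parse_operand(operand)
    start = effective_address(operand, regs) - snapshot_base
    if start < 0 or start + op["size"] > len(snapshot):
        raise IndexError(f"address {start + snapshot_base:X}h lies outside the snapshot")
    return struct.unpack_from(UNPACK_FMT[op["size"]], snapshot, start)[0]


# Constructed snapshot: 16 dwords starting at 659160h, all zero except entry 8,
# which holds the 0F 0F 0F 0F bytes the post writes at 659180h.
SNAPSHOT_BASE = 0x659160
SNAPSHOT = bytearray(16 * 4)
SNAPSHOT[8 * 4:8 * 4 + 4] = b"\x0f\x0f\x0f\x0f"
SNAPSHOT = bytes(SNAPSHOT)

if __name__ == "__main__":
    regs = {"esi": 8}  # ESI = 00000008 as read off SoftICE in the post
    print(explain("dword_659160[esi*4]", regs))
    print(f"value at that address: {read_element(SNAPSHOT, SNAPSHOT_BASE, 'dword_659160[esi*4]', regs):08X}h")
```

The `explain` call prints the same chain the post walks through: 8h * 4 = 20h, 659160h + 20h = 659180h. The decoder is the part worth keeping: a dword read through `[esi*4]` is four little-endian bytes, so 0F 0F 0F 0F in the editor corresponds to the value 0F0F0F0Fh, and an out-of-range index raises rather than silently reading a neighbouring table.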

Don Cullen

Oh, and if you manage to solve the timer problem, or manage to finish Drakken's tutorial, please let me know how you got the timer function to work! Thanks!!!

Also, there is more than one message offset-- the timer offsets are different for each message offset, so you will want to write down (or record using whatever method you use) each message offset you find, and the corresponding timer offset. Kudos for getting this far!
Regards,
Don
-------

Don't wonder why people suddenly are hostile when you treat them the way they shouldn't be- it's called 'Mutual Respect'.

hismajesty

In reference to the multiple desktops question, I'm not sure if this is what you want, but get Virtual Desktop Manager here.


R.a.B.B.i.T

O shit! I forgot about the name part! Well...that explains it :\

warz

Just update the offsets, and the old tutorial works. Don't take it literally. Read it and get the idea of what he's doing, and re-do it.

Don Cullen

Actually, warz- the message writing works-- writing to the timer function DOES NOT work... If you want my source code, I'd be happy to send it. A friend of mine who's very good at this kind of stuff tried to assist, and also got stumped. Maybe you'll have better luck. If you want to message me, just AIM me. My screen name is in my profile- be sure to PM me what your screen name is so I can verify it's you. :-)

I'm on dial up by the way- finished moving to the apartment. Won't have DSL up until wednesday. Fun, fun.
Regards,
Don
-------

Don't wonder why people suddenly are hostile when you treat them the way they shouldn't be- it's called 'Mutual Respect'.

LivedKrad

If anyone ever tried, I disassembled BWCoach. Apparently it uses a DLL that utilizes the SetWindowsHook* API to hook different functions inside of starcraft. I didn't look any further.

l)ragon

Quote from: Blaze on June 15, 2005, 09:14 PM
I thought of that too.  StarBoxViewer a program that displays ingame stats uses the api:


Public Declare Function TextOut Lib "gdi32.dll" Alias "TextOutA" (ByVal hdc As Long, ByVal x As Long, ByVal y As Long, ByVal lpString As String, ByVal nCount As Long) As Long



Here's the program I made to display ingame text and its source.

http://blazenet.servebeer.com/site/Downloads/StarcraftText.zip

' Win32 declarations the handler relies on (added so the snippet compiles as posted)
Private Type RECT
    Left As Long
    Top As Long
    Right As Long
    Bottom As Long
End Type
Private Const DT_LEFT As Long = &H0
Private Declare Function FindWindow Lib "user32" Alias "FindWindowA" (ByVal lpClassName As String, ByVal lpWindowName As String) As Long
Private Declare Function GetDC Lib "user32" (ByVal hwnd As Long) As Long
Private Declare Function ReleaseDC Lib "user32" (ByVal hwnd As Long, ByVal hdc As Long) As Long
Private Declare Function SetRect Lib "user32" (lpRect As RECT, ByVal X1 As Long, ByVal Y1 As Long, ByVal X2 As Long, ByVal Y2 As Long) As Long
Private Declare Function DrawText Lib "user32" Alias "DrawTextA" (ByVal hdc As Long, ByVal lpStr As String, ByVal nCount As Long, lpRect As RECT, ByVal wFormat As Long) As Long

Private Sub Timer1_Timer()
Dim hWnd As Long
Dim DCHdl As Long
Dim rEctR As RECT

    hWnd = FindWindow(vbNullString, "Brood War")   ' window handle by title
    DCHdl = GetDC(hWnd)                            ' device context to draw on

    SetRect rEctR, 5, 5, 256, 20                   ' bounding box for the text

    'DrawTextA "USER32" (declared above)
    DrawText DCHdl, "l)ragon was here!", Len("l)ragon was here!"), rEctR, DT_LEFT

    Call ReleaseDC(hWnd, DCHdl)                    ' always release the DC
End Sub

could do that this way to ;p
*^~·.,¸¸,.·´¯`·.,¸¸,.-·~^*ˆ¨¯¯¨ˆ*^~·.,l)ragon,.-·~^*ˆ¨¯¯¨ˆ*^~·.,¸¸,.·´¯`·.,¸¸,.-·~^*
