SC Brood War offsets 1.5.3

[zonemikel]

Sorry i put version 1.5.3 i ment to put 1.15.3, so sorry feel like a idiot now!

If you want to know why i've found these im thinking about making a mod, read here if your interested http://www.bwhacks.com/forums/revers...-who-wish.html

Otherwise these are most of the offsets for the upgrades for player zero, if you want player 1 add 0x2E from these if you want player 2 add (0x2E*2) and so on . . . All of these were in the original starcraft if your looking for brood war upgrades look in this area

Code:

00454999  MOV BYTE PTR DS:[EAX+EDX*4+58F110],BL
edx=5 eax=ecx=1b
DS:[0058F13F]=mind control
DS:[0058F143]=malee storm

this is the code that sets the upgrade

Code:

difference between player 1 and 2 = 0x2E
so we have EAX= player offset, ecx = upgrade offset
and DL is the new value of the upgrade
004CE40C MOV BYTE PTR DS:[EAX+ECX+58D298],DL

and all the locations, these could be useful for a "upgrade alert" or something of that sort.

Code:

-- player zero  upgrade offsets -- 
DS:[0058D298]= ground armor terrain(2)
DS:[0058D299]= vehicle armor terrain(2)
DS:[0058D29A]= ship plating terrain(2)
DS:[0058D29B]= zerge carapace zerg (2)
DS:[0058D29C]= zerg air def (2)
DS:[0058D29D]= ground armor toss(2)
DS:[0058D29E]= air armor toss(2)
DS:[0058D29F]= ground attack terrain(2)
DS:[0058D2A0]= vehicle wepons terrain(2)
DS:[0058D2A1]= ship wepons terrain(2)
DS:[0058D2A2]= zerg melee wepons zerg (2)
DS:[0058D2A3]= zerg missle attacks zerg (2)
DS:[0058D2A4]= zerg air attack (2)
DS:[0058D2A5]= ground wepons toss(2)
DS:[0058D2A6]= air wepons toss(2)
DS:[0058D2A7]= psi sheild toss(2)
DS:[0058D2AB]= science vessel + energy terrain (2)
DS:[0058D2AC]= ghost ocular enhance terrain (2)
DS:[0058D2AD]= ghost +50 energy terrain (2)
DS:[0058D2AE]= +50 wraith energy terrain (2)
DS:[0058D2AF]= titain reactor terrain (2)
DS:[0058D2B3]= zergling speed upgrade zerg(2)
DS:[0058D2B4]= zergling faster attack 2 (2)
DS:[0058D2B5]= zerg faster hydra move (2)
DS:[0058D2B6]= zerg hydra inc attack (2)
DS:[0058D2B7]= zerg queen +energy (2)
DS:[0058D2B8]= zerg metasync thing (2)
DS:[0058D2B9]= dragoon attack range toss(2)
DS:[0058D2BA]= zlot leg enhance toss(2)
DS:[0058D2BB]= scarab damage toss(2)
DS:[0058D2BC]= rever capacity toss(2)
DS:[0058D2BD]= gravitic drive (transport) toss(2)
DS:[0058D2BE]= sensor array (probe) toss(2)
DS:[0058D2BF]= gravitic booster (probe) toss(2)
DS:[0058D2C0]= + templar energy toss(2)
DS:[0058D2C1]= apial sensors toss(2)
DS:[0058D2C2]= gravitic thursters (scout) toss(2)
DS:[0058D2C3]= +4 max interceptors toss(2)
DS:[0058D2C4]= + 50 arbitur energy toss(2)

here is a quick class to use this easily

Code:

lass SCUpgrades{
public:
	SCUpgrades(); // just a constructor
	char getUpgrade(short, char); // return current upgrade
	bool setUpgrade(short , int, char); // set this upgrade

private:
	char *upgrades;
};
SCUpgrades::SCUpgrades()
{ 
	this->upgrades = (char*)(0x0058D298); // setup char array 
}

// usage .getUpgrade(player number, upgrade offset)
char SCUpgrades::getUpgrade(short pnum, char upgrade)
{
	return *(this->upgrades + (pnum*0x2E) + upgrade);
}

// usage .setUpgrade(player number, upgrade offset, new value)
bool SCUpgrades::setUpgrade(short pnum, int upgoffset, char newval)
{
	*(this->upgrades + upgoffset + (pnum*0x2E)) = newval;
	if (getUpgrade(pnum, upgoffset) == newval)
		return true;
	return false;
}

If anyone has more offsets please post them here so we can save some time and do more real reversing instead of finding what is already found.

Ps, it feels icky doing this in c++, when i debug my code i dont recognize it at all. But im doing this to become more familiar with c++. Eventually ill use inline asm, but not yet.

[zonemikel]

// public printing function
0048CE90
If you put player 9+ it prints without a name, so it looks more like a system message or something of that sort.

Code:

void bwPubPrint(char* textin, int pnum)
{
    static DWORD BWFXN_PubTextOut = 0x0048CE90;
    // eax player number
    __asm{
        pushad
        mov eax, pnum
        mov esi, textin
        push esi
        call dword ptr [BWFXN_PubTextOut]
        popad
    }
}

Print anywhere on the screen, i havent gotten this in c++ yet

Code:

0048CC89  |. 50             |PUSH EAX                                ; /Arg1
0048CC8A  |. 8BC2           |MOV EAX,EDX                             ; |
0048CC8C  |. C605 F8E06C00 >|MOV BYTE PTR DS:[6CE0F8],11             ; | 12 centers text
0048CC93  |. 66:8935 B0E06C>|MOV WORD PTR DS:[6CE0B0],SI             ; | save x coord
0048CC9A  |. 66:C705 B4E06C>|MOV WORD PTR DS:[6CE0B4],276            ; |
0048CCA3  |. 66:893D B2E06C>|MOV WORD PTR DS:[6CE0B2],DI             ; | save y coord
0048CCAA  |. 66:890D B6E06C>|MOV WORD PTR DS:[6CE0B6],CX             ; | change = crash
0048CCB1  |. E8 1A36F9FF    |CALL starcraf.004202D0                  ; \starcraf.004202D0

there are many other locations for this

Code:

currPNum = (short*)(0x00512678); // current player number "you"

this is once you find the unit pointer these are the offsets for several unit variables. Not sure how you would find unit pointers, im doing it when they die/kill so that might not apply to you, but the offsets will be the same so here they are

Code:

   unit ptr + 0x09 = current hp
   unit ptr + 0x64 = type
   // change this "going to" and the unit will go to that location !
   unit ptr + 16d = going to (mouse click) 
   // if you change these below werid things happen
   // including jumping across the screen, overlapping and stuffs
   unit ptr + 20d = current location (cant change manually ?)
   unit ptr + 24d = current location (cant change manually ?)
   unit ptr + 27d = current location (cant change manually ?)

[zonemikel]

here are all the unit types, you can find them if you add 0x64 to the unit pointer(beginning of obj). Also if you want to find more bldgs or anything 0x0068C134 holds the "type" of the currently selected unit. of course its also a pointer to the unit selected if you subtract 0x64.

Code:

//Terrain
    ground
        scv = 7
        marines = 0
        ghost= 1
        firebat = 20
        medic = 22
    machine
        vulture=2
        goliath=3
        tanks = 5 in seige = 1e
    air
        wraith = 8
        transport = b
        sci vessel = 9
        battleship=c
        valkyre = 3a
        nuke = e  

protoss--
    gnd
        zlot = 41
        dragoon 42
        dtemplar 3d
        probe 40
    mid
        high templar 43
        reaver 53
        dark archon 3f
        archon 44
    Air
        shuttle 45
        observer 54
        carrier 48
        arbiter 47
        scout 46
        corsiair 3c
    bldg
        nexus 9a
        pylon 9c
        gateway a0
        battery ac
        assimilator 9d
        stargate A7
        forge a6
        cybernetics core a4
        templar archives a5
        arbiter tribunal AA
        robotics support ab
        observatory 9f

zerg--
        ground stuff
            larva 23, morphing 24
            drone 29
            hydra 26
            zergling 25
        medium mid
            defiler 2e
            ultralisk 27
        air stuff
            overlord 2a    
            scourge 2f
            mutalisk 2b
            guardian 2c
            devourer 3e
        bldgs
            spawn pool 8e
            hachery 83, hive 85
            extractor 95
            sunkin 92
            hydra den 87

also player names are all in this area 0x0057EEE8 there is a offest of 36 between them.

[zonemikel]

This is actually what sends commands to units. There are two players sometimes the unit doing the action and the unit thats getting the action, like me attacking you or you repairing my rod.

This is really funny if you tell your unit to attack then change the unit he is attacking to himself he will kill himself its freaking funny. Also think of scv's that can repair themselves !! You can have your scv's repair themselves while being attacked, and that wont disc you.

NOTE: these are actions with two participants, its not stuff like move and stop.

// ebx (command)
attack 0000000A
repair 00000022
gather 0000004F , then 55 for minerals 52 for gas
return minerals: 53 gas, 56 minerals

Code:

ECX = target unit ptr (the one your atking etc);
ESI = action unit pointer (pointer to the unit doing it);
EAX = same as esi
EBX = the action eg. attack 0000000A (attack)
EDX = high (mystery) low action just like ebx eg. 0013000A (attack)
esp and ebp stack stuff 
0047556D  |. E8 7E4E0000    CALL starcraf.0047A3F0

as soon as i get it in a c++ function ill post it here

// edit, as promised in the line above

Code:

DWORD commandFXN = 0x0047A3F0; // call this to command units
void commandUnit(DWORD unit, DWORD target, BYTE command)
{
	__asm{
		CMP unit, 0x00
		JE  END
		MOV ECX, target
		MOV ESI, unit
		MOV EAX, unit
		XOR EBX, EBX
		MOV BL, command
		XOR EDX, EDX
		MOV DL, command
		CALL commandFXN
		END:
	}
}

works well so far

[poiuy_qwert]

Im currently also writing plugins for mods, and I thought you might be interested in these:
1) Offset database (not very full and mostly older versions, currently has a MySQL error)
2) Unit node reference (has a few other things)
3) BWAPI (and more specifically, their SVN

Hope you find them useful.

[zonemikel]

Im currently also writing plugins for mods, and I thought you might be interested in these:
1) Offset database (not very full and mostly older versions, currently has a MySQL error)
2) Unit node reference (has a few other things)
3) BWAPI (and more specifically, their SVN

Hope you find them useful.

wow thanks, that stuff is like gold !

[MasterOfChaos]

Forum - View topic - Notes, Offsets, Infos, Tools... - BWProgrammers

[zonemikel]

That BWAPI is awesome, must be tons of people working on that. Compared to that im pissing in the wind, so ill stop! I could look at that code for hours, beautiful!

[poiuy_qwert]

Oh also forgot to mention the "Prime Struct" page in the BWAPI wiki.

[ViperSRT3g]

Hehe that's where I got those offsets from :3

[zonemikel]

I cant get the bwapi to compile, guess ill just have to use my imagination (i have vs 2008, not 2005). Never mind i got it to compile.

Now it crashes says something about stack corrupted around 'result', wish there was more documentation for this

[ViperSRT3g]

lol how sad, over the course of a few minutes these offsets are now old XD

[zonemikel]

I was looking at a old post that the creator of bwapi made here. We treated him like a noob, oh well. That project is huge, kinda overkill for anything i would want to do. I want the ai to play for me or at least do something useful for me, i dont want to play ai.

This post has become convoluted and pretty pointless, i found this in one of the files for the bwapi. This is way more time than i could ever spend on this crap.

Code:

Terran Marine = 0x00
Terran Ghost = 0x01
Terran Vulture = 0x02
Terran Goliath = 0x03
Goliath Turret = 0x04
Terran Siege Tank = 0x05
Tank Turret = 0x06
Terran SCV = 0x07
Terran Wraith = 0x08
Terran Science Vessel = 0x09
Gui Montag = 0x0A
Terran Dropship = 0x0B
Terran Battlecruiser = 0x0C
Vulture Spider Mine = 0x0D
Nuclear Missile = 0x0E
Terran Civilian = 0x0F
Sarah Kerrigan = 0x10
Alan Schezar = 0x11
Alan Turret = 0x12
Jim Raynor = 0x13
Jim Raynor = 0x14
Tom Kazansky = 0x15
Magellan = 0x16
Edmund Duke = 0x17
Duke Turret = 0x18
Edmund Duke = 0x19
Duke Turret = 0x1A
Arcturus Mengsk = 0x1B
Hyperion = 0x1C
Norad II = 0x1D
Terran Siege Tank = 0x1E
Tank Turret = 0x1F
Terran Firebat = 0x20
Scanner Sweep = 0x21
Terran Medic = 0x22
Zerg Larva = 0x23
Zerg Egg = 0x24
Zerg Zergling = 0x25
Zerg Hydralisk = 0x26
Zerg Ultralisk = 0x27
Zerg Broodling = 0x28
Zerg Drone = 0x29
Zerg Overlord = 0x2A
Zerg Mutalisk = 0x2B
Zerg Guardian = 0x2C
Zerg Queen = 0x2D
Zerg Defiler = 0x2E
Zerg Scourge = 0x2F
Torrasque = 0x30
Matriarch = 0x31
Infested Terran = 0x32
Infested Kerrigan = 0x33
Unclean One = 0x34
Hunter Killer = 0x35
Devouring One = 0x36
Kukulza = 0x37
Kukulza = 0x38
Yggdrasill = 0x39
Terran Valkyrie = 0x3A
Cocoon = 0x3B
Protoss Corsair = 0x3C
Protoss Dark Templar = 0x3D
Zerg Devourer = 0x3E
Protoss Dark Archon = 0x3F
Protoss Probe = 0x40
Protoss Zealot = 0x41
Protoss Dragoon = 0x42
Protoss High Templar = 0x43
Protoss Archon = 0x44
Protoss Shuttle = 0x45
Protoss Scout = 0x46
Protoss Arbiter = 0x47
Protoss Carrier = 0x48
Protoss Interceptor = 0x49
Dark Templar = 0x4A
Zeratul = 0x4B
Tassadar/Zeratul = 0x4C
Fenix = 0x4D
Fenix = 0x4E
Tassadar = 0x4F
Mojo = 0x50
Warbringer = 0x51
Gantrithor = 0x52
Protoss Reaver = 0x53
Protoss Observer = 0x54
Protoss Scarab = 0x55
Danimoth = 0x56
Aldaris = 0x57
Artanis = 0x58
Rhynadon = 0x59
Bengalaas = 0x5A
Unused = 0x5B
Unused = 0x5C
Scantid = 0x5D
Kakaru = 0x5E
Ragnasaur = 0x5F
Ursadon = 0x60
Zerg Lurker Egg = 0x61
Raszagal = 0x62
Samir Duran = 0x63
Alexei Stukov = 0x64
Map Revealer = 0x65
Gerard DuGalle = 0x66
Zerg Lurker = 0x67
Infested Duran = 0x68
Disruption Field = 0x69
Terran Command Center = 0x6A
Terran Comsat Station = 0x6B
Terran Nuclear Silo = 0x6C
Terran Supply Depot = 0x6D
Terran Refinery = 0x6E
Terran Barracks = 0x6F
Terran Academy = 0x70
Terran Factory = 0x71
Terran Starport = 0x72
Terran Control Tower = 0x73
Terran Science Facility = 0x74
Terran Covert Ops = 0x75
Terran Physics Lab = 0x76
Unused Terran Bldg = 0x77
Terran Machine Shop = 0x78
Unused Terran Bldg = 0x79
Terran Engineering Bay = 0x7A
Terran Armory = 0x7B
Terran Missile Turret = 0x7C
Terran Bunker = 0x7D
Norad II = 0x7E
Ion Cannon = 0x7F
Uraj Crystal = 0x80
Khalis Crystal = 0x81
Infested Command Center = 0x82
Zerg Hatchery = 0x83
Zerg Lair = 0x84
Zerg Hive = 0x85
Zerg Nydus Canal = 0x86
Zerg Hydralisk Den = 0x87
Zerg Defiler Mound = 0x88
Zerg Greater Spire = 0x89
Zerg Queen's Nest = 0x8A
Zerg Evolution Chamber = 0x8B
Zerg Ultralisk Cavern = 0x8C
Zerg Spire = 0x8D
Zerg Spawning Pool = 0x8E
Zerg Creep Colony = 0x8F
Zerg Spore Colony = 0x90
Unused Zerg Bldg = 0x91
Zerg Sunken Colony = 0x92
Zerg Overmind = 0x93
Zerg Overmind = 0x94
Zerg Extractor = 0x95
Mature Crysalis = 0x96
Zerg Cerebrate = 0x97
Zerg Cerebrate Daggoth = 0x98
Unused Zerg Bldg 5 = 0x99
Protoss Nexus = 0x9A
Protoss Robotics Facility = 0x9B
Protoss Pylon = 0x9C
Protoss Assimilator = 0x9D
Protoss Unused = 0x9E
Protoss Observatory = 0x9F
Protoss Gateway = 0xA0
Protoss Unused = 0xA1
Protoss Photon Cannon = 0xA2
Protoss Citadel of Adun = 0xA3
Protoss Cybernetics Core = 0xA4
Protoss Templar Archives = 0xA5
Protoss Forge = 0xA6
Protoss Stargate = 0xA7
Stasis Cell/Prison = 0xA8
Protoss Fleet Beacon = 0xA9
Protoss Arbiter Tribunal = 0xAA
Protoss Robotics Support Bay = 0xAB
Protoss Shield Battery = 0xAC
Khaydarin Crystal Formation = 0xAD
Protoss Temple = 0xAE
Xel'Naga Temple = 0xAF
Mineral Field = 0xB0
Mineral Field = 0xB1
Mineral Field = 0xB2
Cave = 0xB3
Cave-in = 0xB4
Cantina = 0xB5
Mining Platform = 0xB6
Independent Command Center = 0xB7
Independent Starport = 0xB8
Jump Gate = 0xB9
Ruins = 0xBA
Kyadarin Crystal Formation = 0xBB
Vespene Geyser = 0xBC
Warp Gate = 0xBD
Psi Disrupter = 0xBE
Zerg Marker = 0xBF
Terran Marker = 0xC0
Protoss Marker = 0xC1
Zerg Beacon = 0xC2
Terran Beacon = 0xC3
Protoss Beacon = 0xC4
Zerg Flag Beacon = 0xC5
Terran Flag Beacon = 0xC6
Protoss Flag Beacon = 0xC7
Power Generator = 0xC8
Overmind Cocoon = 0xC9
Dark Swarm = 0xCA
Floor Missile Trap = 0xCB
Floor Hatch (UNUSED) = 0xCC
Left Upper Level Door = 0xCD
Right Upper Level Door = 0xCE
Left Pit Door = 0xCF
Right Pit Door = 0xD0
Floor Gun Trap = 0xD1
Left Wall Missile Trap = 0xD2
Left Wall Flame Trap = 0xD3
Right Wall Missile Trap = 0xD4
Right Wall Flame Trap = 0xD5
Start Location = 0xD6
Flag = 0xD7
Young Chrysalis = 0xD8
Psi Emitter = 0xD9
Data Disc = 0xDA
Khaydarin Crystal = 0xDB
Mineral Chunk = 0xDC
Mineral Chunk = 0xDD
Vespene Orb = 0xDE
Vespene Orb = 0xDF
Vespene Sac = 0xE0
Vespene Sac = 0xE1
Vespene Tank = 0xE2
Vespene Tank = 0xE3

and much more stuff like that, they have found tons of stuff.

[ViperSRT3g]

That sir is the Unit ID list.

[zonemikel]

That sir is the Unit ID list.

Yes, which i spent hours finding by myself and posting in this thread. I think im gonna ignore all this stuff for a while, finals are coming up soon and im running in circles finding stuff that is well known.

[poiuy_qwert]

I'm trying to use the same print anywhere offset as you, but I can't seem to get anything other then a crash. This is what im using to call it:

Code:

void drawText(int x, int y, char* text) {
	__asm {
		mov eax, text;
		mov esi, x;
		mov edi, y;
		call [BW_DrawText];
	}
}

And i'm calling this from my function which is hooked into one of starcrafts screen update functions (0x00416DB0 if you want/need to know).

Note:
1) Yes I am on 1.15.3.
2) I know my hook is working correctly, but I don't know if maybe where I've hooked is a factor.

If you need any more info I'll be glad to post it and thanks for any help.

[Suteki]

Yes, which i spent hours finding by myself and posting in this thread. I think im gonna ignore all this stuff for a while, finals are coming up soon and im running in circles finding stuff that is well known.

Why are you spending so much time trying to "reinvent the wheel" as it were. That information has been well available for years, all you had to do was google it.

I'm trying to use the same print anywhere offset as you, but I can't seem to get anything other then a crash. This is what im using to call it:

Code:

void drawText(int x, int y, char* text) {
    __asm {
        mov eax, text;
        mov esi, x;
        mov edi, y;
        call [BW_DrawText];
    }
}

And i'm calling this from my function which is hooked into one of starcrafts screen update functions (0x00416DB0 if you want/need to know).

Note:
1) Yes I am on 1.15.3.
2) I know my hook is working correctly, but I don't know if maybe where I've hooked is a factor.

If you need any more info I'll be glad to post it and thanks for any help.

#1 is your first problem, if Starcraft is now at patch 1.16.0 unless you are just too pissed to update, your hack won't be used by anyone else because it won't work. It would be better to just convert it now before you get even further into it and decide to convert later anyways. You'll be saving yourself a lot of time in the future.

[poiuy_qwert]

I'm not making a hack, i'm making a plugin for a mod (same principle as a hack pretty much). It doesn't matter that its not for the current patch, this mod is for 1.15.3 not 1.16.0.

[Suteki]

You have no jumpback address or any type of return after you call your drawtext function.

[zonemikel]

If your getting a crash you need to attach olly while you run your mod. It will tell you where it crashed, if you cant get anything from there you need to step through your function in olly in its first run, then you can see where things go wrong.

If you using vs and olly, when you look through your code it actually shows you the c++ so its not very confusing. This is the best way to figure out what is crashing. Just set it to send text on a key, then find your code with olly and set a bp on it, then send text your bp will break. Then just step through the whole thing and see where things go wrong!

ya i know i was reinventing the wheel, really dumb. I didnt know i was at the time i was doing it.

gl all