I'm going to show you how to find offsets by searching for strings. The same method works in any Call of Duty game; these examples are based on CoD4 (iw3mp.exe) patch 1.7.
The same concepts can be applied and used in MW2.
RegisterTag:
Search for the string "j_helmet" or "j_head"; the PUSH of that string is the third of three pushes before the call.
The first push is the length of the string plus one (int): for "j_helmet", strlen("j_helmet")+1 == 9.
The second push is also an int, the entity type; type 1 is human/player.
The third push is the bone name (char*). The pushes are in reverse argument order (cdecl), and the ADD ESP,0C after the CALL cleans up three dword arguments; the E8 CALL between that push and the ADD is RegisterTag.
#define OFFSET_REGISTERTAG 0x518290
GetPlayerTagPos:
Search for the string "AimTarget_GetTagPos" (the error message "AimTarget_GetTagPos: Cannot find tag [%s] on entity").
That string belongs to a short function ending in RETN; scroll down past the RETN/INT3 into the next function and take the CALL there (E8 at 0x40253D, target 0x4024B0).
#define OFFSET_GETTAGPOS 0x4024B0
RegisterShader:
Search for the string "black", "white", "compassping_grenade", "compassping_enemy", "nightvision_overlay_goggles", "killiconheadshot" or "voice_on".
The function is used with many more shader names than these; they are just a few to look for. Note that the callers load the address into EAX (MOV EAX,5F2A00) and use CALL EAX, so look for the MOV before the PUSH rather than for a direct CALL.
#define OFFSET_REGISTERSHADER 0x5F2A00
DrawText:
Search for the string "fonts/consoleFont" or "GLOW" (uppercase in the binary). The font string is consumed by an earlier CALL EAX; DrawText is the direct CALL right after PUSH "GLOW" at 0x5F9303, with ADD ESP,24 after it (nine dword arguments).
#define OFFSET_DRAWTEXT 0x5F6B00
RenderScene:
Search for the string "====== R_RenderScene ======". The reference sits inside the function body (at 0x5FAF38), so scroll up to the prologue (PUSH EBP / MOV EBP,ESP at 0x5FAF00); that is the function start.
#define OFFSET_RENDERSCENE 0x5FAF00
Unlock Cheat/Write protected console commands:
Search for the string "write protected" or "cheat protected".
A few lines above each string is the conditional jump that skips the error message: JE at 0x56B358 (74 19) for write protected and JNZ at 0x56B386 (75 19) for cheat protected. Reversing them (74 <-> 75) is the usual patch. Note that a reversed jump also errors on the case that used to pass, so cvars that were never protected now refuse writes; changing the opcode to EB (unconditional JMP, same displacement) skips the check in every case.
#define OFFSET_WRITEPROTECTED 0x56B358
#define OFFSET_CHEATPROTECTED 0x56B386
NoRecoil:
Search for the string "CG_FireWeapon: weapon".
There are several ways/offsets to remove weapon recoil; here are a few. The defines point at instruction starts: 0x457CC7 is TEST BYTE PTR [EAX+20],6, whose mask byte (change 6 to 0) is at +3; 0x457CCF and 0x457CDA are the JE/JNZ to reverse; 0x457CDC is MOV EAX,1, whose immediate (change to 0) is at +1. Pick one.
#define OFFSET_NORECOIL1 0x457CC7
#define OFFSET_NORECOIL2 0x457CCF
#define OFFSET_NORECOIL3 0x457CDA
#define OFFSET_NORECOIL4 0x457CDC
SendCommandToConsole:
Search for the string "stoprecord", "screenshot silent", "quit" or "pb_sv_guidrelax". In the listing the string is pushed, then two zeros, then the CALL with ADD ESP,0C after it, so this is a three-argument cdecl call made as f(0, 0, "screenshot silent").
#define OFFSET_SENDCOMMAND 0x4F9AB0
CG_Init:
CG_Init is the function that sets up the client game state: it clears the cg, cgs, entity and client structures, so its body gives you the address and size of each.
Search for the string "Setting state to CA_LOADING in CL_InitCGame", scroll down a few lines and take the CALL (E8 at 0x45C008).
#define OFFSET_CG_INIT 0x43FAD0
Entity, CG, CGs classes:
Now that you have CG_Init, step into it. Each structure is cleared with a memset-style call (PUSH size, PUSH 0, PUSH address, CALL, ADD ESP,0C), which gives you the base address and the size in one place: cgs at 0x74A908 (0x3A24 bytes), cg at 0x74E338 (0xFE7F0 bytes) and the entity array at 0x84F2D8 (0x77000 bytes per local client, EBX*0x77000 added to the base).
#define OFFSET_CENTITY 0x84F2D8
#define OFFSET_CG 0x74E338
#define OFFSET_CGS 0x74A908
ClientInfo class:
Search for the string "g_TeamColor" and look a few lines up: the IMUL ECX,ECX,4CC gives the size of one ClientInfo and the ADD ...,839270 the array base, so client i is at 0x839270 + i*0x4CC.
#define OFFSET_CLIENTINFO 0x839270
Minimap/Compass:
Search for the string "g_compassShowEnemies" and look for the CALL below it (E8 at 0x42A0B4). NOP it and enemies stay visible on the compass; a CALL rel32 is five bytes, so write five 0x90 bytes, not one.
#define OFFSET_COMPASS 0x42A0B4
IsInGame:
Search for strings like "+speed", "+melee" or "+melee_breath"; a few lines below them the code reads DWORD PTR [74E35C].
0x74E35C is cg + 0x24 and holds a pointer (the NoRecoil code reads it with MOV EAX,[74E35C] and then tests [EAX+20]), so the define is the address of that pointer, not of the structure it points to.
#define OFFSET_ISINGAME 0x74E35C
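The whole procedure above (find the string, find the PUSH that references it, take the CALL that follows) can be automated once you have the image bytes. The C below is an added example, not part of Vossy's tutorial: it runs over small constructed segments holding the bytes and addresses copied from the listings on this page (SendCommandToConsole, RegisterShader, RegisterTag), resolves direct E8 calls as next-instruction + rel32, handles the MOV EAX,imm32 / CALL EAX form, and returns 0 when the string is absent. The segment layout and the function names are mine.

```c
/* Added example (not from the tutorial): automating "search for the string,
 * then look for the call". Bytes and addresses are copied from the listings on
 * this page; the segment layout and function names are constructed for it. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

typedef struct {
    uint32_t va;            /* virtual address of bytes[0] in iw3mp.exe */
    const uint8_t *bytes;
    size_t len;
    int is_code;            /* 1 = scan for PUSH/CALL, 0 = strings only */
} segment_t;

static uint32_t rd32(const uint8_t *p) {            /* little-endian dword */
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* VA of the NUL-terminated string s, or 0 if it is in no segment. */
uint32_t find_string(const segment_t *segs, size_t n, const char *s) {
    size_t slen = strlen(s) + 1;
    for (size_t k = 0; k < n; k++)
        for (size_t i = 0; i + slen <= segs[k].len; i++)
            if (memcmp(segs[k].bytes + i, s, slen) == 0)
                return segs[k].va + (uint32_t)i;
    return 0;
}

/* Find the PUSH imm32 (68 xx xx xx xx) that references str_va and return the
 * target of the call that consumes it: a direct CALL rel32 (E8) within `window`
 * bytes after the push, or for CALL EAX (FF D0) the nearest MOV EAX,imm32 (B8)
 * before the push. This byte-scans instead of disassembling, so an E8/B8 inside
 * an operand can fool it: confirm every hit in the disassembler. */
uint32_t resolve_callee(const segment_t *segs, size_t n, uint32_t str_va, size_t window) {
    for (size_t k = 0; k < n; k++) {
        const uint8_t *b = segs[k].bytes;
        size_t len = segs[k].len;
        if (!segs[k].is_code) continue;
        for (size_t i = 0; i + 5 <= len; i++) {
            if (b[i] != 0x68 || rd32(b + i + 1) != str_va) continue;
            for (size_t j = i + 5; j + 1 < len && j < i + 5 + window; j++) {
                if (b[j] == 0xE8 && j + 5 <= len) {
                    uint32_t next_ip = segs[k].va + (uint32_t)j + 5;
                    return next_ip + rd32(b + j + 1);  /* wraps mod 2^32 for backward calls */
                }
                if (b[j] == 0xFF && b[j + 1] == 0xD0) {  /* CALL EAX */
                    size_t lo = i > window ? i - window : 0;
                    for (size_t m = i; m-- > lo; )       /* nearest MOV EAX,imm32 */
                        if (b[m] == 0xB8 && m + 5 <= i) return rd32(b + m + 1);
                    return 0;
                }
            }
            return 0;
        }
    }
    return 0;
}

uint32_t find_function(const segment_t *segs, size_t n, const char *s, size_t window) {
    uint32_t va = find_string(segs, n, s);
    return va ? resolve_callee(segs, n, va, window) : 0;
}

/* Bytes from the page's listings, placed at the VAs shown there. */
static const uint8_t kSendCmd[] = {                                   /* 0046C90F */
    0x68,0x40,0x0E,0x6D,0x00, 0x6A,0x00, 0x6A,0x00,
    0xE8,0x93,0xD1,0x08,0x00, 0x83,0xC4,0x0C };
static const uint8_t kRegShader[] = {                                 /* 0043EAFA */
    0xB8,0x00,0x2A,0x5F,0x00, 0x6A,0x07, 0x68,0xF4,0xBC,0x6C,0x00, 0xFF,0xD0,
    0x8B,0x0D,0x78,0x5D,0x43,0x01, 0xA3,0x48,0xF2,0x84,0x00, 0x83,0xC4,0x08 };
static const uint8_t kRegTag[] = {                                    /* 004EB7C0 */
    0x6A,0x09, 0x6A,0x01, 0x68,0xD0,0xF8,0x6D,0x00, 0x66,0xA3,0x94,0x6E,0x40,0x01,
    0xE8,0xBC,0xCA,0x02,0x00, 0x83,0xC4,0x0C };

const segment_t kSegments[] = {
    { 0x0046C90F, kSendCmd,   sizeof kSendCmd,   1 },
    { 0x0043EAFA, kRegShader, sizeof kRegShader, 1 },
    { 0x004EB7C0, kRegTag,    sizeof kRegTag,    1 },
    { 0x006D0E40, (const uint8_t *)"screenshot silent", 18, 0 },
    { 0x006CBCF4, (const uint8_t *)"compassping_enemy", 18, 0 },
    { 0x006DF8D0, (const uint8_t *)"j_helmet",           9, 0 },
};
const size_t kNumSegments = sizeof kSegments / sizeof kSegments[0];

int main(void) {
    const char *names[] = { "screenshot silent", "compassping_enemy", "j_helmet" };
    for (size_t i = 0; i < 3; i++)
        printf("%-18s -> 0x%08X\n", names[i],
               find_function(kSegments, kNumSegments, names[i], 32));
    return 0;
}
```

On a real binary you would load the .text and .rdata sections into the segment list with their section VAs; treat every hit as a candidate to confirm in the debugger, since the scan does not decode instruction boundaries.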
Disassembly listings (iw3mp.exe, patch 1.7) for each section above; the '<<<---' marks show where each offset comes from:
RegisterTag:
Code:
004EB7C0 6A 09 PUSH 9
004EB7C2 6A 01 PUSH 1
004EB7C4 68 D0F86D00 PUSH iw3mp.006DF8D0 ; ASCII "j_helmet"
004EB7C9 66:A3 946E4001 MOV WORD PTR DS:[1406E94],AX
004EB7CF E8 BCCA0200 CALL iw3mp.00518290 '<<<--- Offset of RegisterTag function'
004EB7D4 83C4 0C ADD ESP,0C '<<<--- Caller cleans 0xC bytes: three dword arguments (cdecl), not the size of the function.'
GetPlayerTagPos:
Code:
00402508 68 FCD16900 PUSH iw3mp.0069D1FC ; ASCII "AimTarget_GetTagPos: Cannot find tag [%s] on entity\n"
0040250D 6A 01 PUSH 1
0040250F E8 1CAE0F00 CALL iw3mp.004FD330
00402514 83C4 0C ADD ESP,0C
00402517 B8 01000000 MOV EAX,1
0040251C 5F POP EDI
0040251D 59 POP ECX
0040251E C3 RETN
0040251F CC INT3
00402520 8B4C24 08 MOV ECX,DWORD PTR SS:[ESP+8]
00402524 83EC 10 SUB ESP,10
00402527 83B9 D0000000 01 CMP DWORD PTR DS:[ECX+D0],1
0040252E 56 PUSH ESI
0040252F 75 19 JNZ SHORT iw3mp.0040254A
00402531 0FB735 946E4001 MOVZX ESI,WORD PTR DS:[1406E94]
00402538 8B4424 18 MOV EAX,DWORD PTR SS:[ESP+18]
0040253C 52 PUSH EDX
0040253D E8 6EFFFFFF CALL iw3mp.004024B0 '<<<--- GetTagPos function offset'
RegisterShader:
Code:
0043EAFA B8 002A5F00 MOV EAX,iw3mp.005F2A00 '<<<<---RegisterShader function offset'
0043EAFF 6A 07 PUSH 7
0043EB01 68 F4BC6C00 PUSH iw3mp.006CBCF4 ; ASCII "compassping_enemy"
0043EB06 FFD0 CALL EAX
0043EB08 8B0D 785D4301 MOV ECX,DWORD PTR DS:[1435D78] ; iw3mp.0CBAB8EC
0043EB0E A3 48F28400 MOV DWORD PTR DS:[84F248],EAX
0043EB13 83C4 08 ADD ESP,8
DrawText:
Code:
005F92BD 68 5C0E6D00 PUSH iw3mp.006D0E5C ; ASCII "fonts/consoleFont"
005F92C2 FFD0 CALL EAX
005F92C4 D9EE FLDZ
005F92C6 83C4 08 ADD ESP,8
005F92C9 6A 00 PUSH 0
005F92CB 83EC 14 SUB ESP,14
005F92CE D95424 10 FST DWORD PTR SS:[ESP+10]
005F92D2 B9 98456B00 MOV ECX,iw3mp.006B4598
005F92D7 D905 0C0C7000 FLD DWORD PTR DS:[700C0C]
005F92DD D95C24 0C FSTP DWORD PTR SS:[ESP+C]
005F92E1 D905 E0B47000 FLD DWORD PTR DS:[70B4E0]
005F92E7 D95C24 08 FSTP DWORD PTR SS:[ESP+8]
005F92EB D905 20BE7000 FLD DWORD PTR DS:[70BE20]
005F92F1 D95C24 04 FSTP DWORD PTR SS:[ESP+4]
005F92F5 D91C24 FSTP DWORD PTR SS:[ESP]
005F92F8 50 PUSH EAX
005F92F9 68 FFFFFF7F PUSH 7FFFFFFF
005F92FE 68 6CFB6F00 PUSH iw3mp.006FFB6C ; ASCII "GLOW"
005F9303 E8 F8D7FFFF CALL iw3mp.005F6B00 '<<<--- DrawText offset'
005F9308 83C4 24 ADD ESP,24
RenderScene:
Code:
005FAF00 55 PUSH EBP '<<<---RenderScene offset'
005FAF01 8BEC MOV EBP,ESP
005FAF03 83E4 F8 AND ESP,FFFFFFF8
005FAF06 81EC A0000000 SUB ESP,0A0
005FAF0C 803D 90D2C90C 00 CMP BYTE PTR DS:[CC9D290],0
005FAF13 56 PUSH ESI
005FAF14 57 PUSH EDI
005FAF15 8BF0 MOV ESI,EAX
005FAF17 0F84 D8000000 JE iw3mp.005FAFF5
005FAF1D A1 8495560D MOV EAX,DWORD PTR DS:[D569584]
005FAF22 8078 0C 00 CMP BYTE PTR DS:[EAX+C],0
005FAF26 0F85 C9000000 JNZ iw3mp.005FAFF5
005FAF2C 8B0D F897560D MOV ECX,DWORD PTR DS:[D5697F8] ; iw3mp.0CBBDA14
005FAF32 8379 0C 00 CMP DWORD PTR DS:[ECX+C],0
005FAF36 74 0A JE SHORT iw3mp.005FAF42
005FAF38 BA E8FB6F00 MOV EDX,iw3mp.006FFBE8 ; ASCII "====== R_RenderScene ======\n"
005FAF3D E8 FE1F0400 CALL iw3mp.0063CF40
005FAF42 833D 20A3C90C 00 CMP DWORD PTR DS:[CC9A320],0
005FAF49 75 0F JNZ SHORT iw3mp.005FAF5A
005FAF4B 68 08FC6F00 PUSH iw3mp.006FFC08 ; ASCII 15,"R_RenderScene: NULL w"
Unlock Cheat/Write protected console commands:
Code:
0056B358 74 19 JE SHORT iw3mp.0056B373 '<<<--Reverse this asm command, changing JE to JNZ'
0056B35A 8B0F MOV ECX,DWORD PTR DS:[EDI]
0056B35C 51 PUSH ECX
0056B35D 68 683E6F00 PUSH iw3mp.006F3E68 ; ASCII "%s is write protected.\n"
0056B362 6A 10 PUSH 10
0056B364 E8 5718F9FF CALL iw3mp.004FCBC0
0056B369 83C4 0C ADD ESP,0C
0056B36C 5F POP EDI
0056B36D 5E POP ESI
0056B36E 5B POP EBX
0056B36F 8BE5 MOV ESP,EBP
0056B371 5D POP EBP
0056B372 C3 RETN
0056B373 83F9 01 CMP ECX,1
0056B376 75 29 JNZ SHORT iw3mp.0056B3A1
0056B378 84C0 TEST AL,AL
0056B37A 79 25 JNS SHORT iw3mp.0056B3A1
0056B37C 8B0D 0474BA0C MOV ECX,DWORD PTR DS:[CBA7404] ; iw3mp.0CBAB808
0056B382 8079 0C 00 CMP BYTE PTR DS:[ECX+C],0
0056B386 75 19 JNZ SHORT iw3mp.0056B3A1' <<<--Reverse this asm command, changing JNZ to JE'
0056B388 8B17 MOV EDX,DWORD PTR DS:[EDI]
0056B38A 52 PUSH EDX
0056B38B 68 803E6F00 PUSH iw3mp.006F3E80 ; ASCII "%s is cheat protected.\n"
NoRecoil:
Code:
00457C8B 68 2CEA6C00 PUSH iw3mp.006CEA2C ; ASCII 15,"CG_FireWeapon: weapon"
00457C90 6A 01 PUSH 1
00457C92 E8 99560A00 CALL iw3mp.004FD330
00457C97 83C4 08 ADD ESP,8
00457C9A 5F POP EDI
00457C9B 5E POP ESI
00457C9C 5D POP EBP
00457C9D 5B POP EBX
00457C9E 83C4 18 ADD ESP,18
00457CA1 C3 RETN
00457CA2 8BD3 MOV EDX,EBX
00457CA4 C1E2 04 SHL EDX,4
00457CA7 03D3 ADD EDX,EBX
00457CA9 8D0495 58867400 LEA EAX,DWORD PTR DS:[EDX*4+748658]
00457CB0 8B149D B86D7300 MOV EDX,DWORD PTR DS:[EBX*4+736DB8]
00457CB7 C681 C1010000 01 MOV BYTE PTR DS:[ECX+1C1],1
00457CBE 894424 18 MOV DWORD PTR SS:[ESP+18],EAX
00457CC2 A1 5CE37400 MOV EAX,DWORD PTR DS:[74E35C]
00457CC7 F640 20 06 TEST BYTE PTR DS:[EAX+20],6 '<<<--- Change this value (6) to 0 to remove recoil.'
00457CCB 895424 10 MOV DWORD PTR SS:[ESP+10],EDX
00457CCF 74 12 JE SHORT iw3mp.00457CE3 '<<<<--Reverse this ( Change JE to JNZ )'
00457CD1 8B75 00 MOV ESI,DWORD PTR SS:[EBP]
00457CD4 3BB0 E8000000 CMP ESI,DWORD PTR DS:[EAX+E8]
00457CDA 75 07 JNZ SHORT iw3mp.00457CE3 '<<<<--Reverse this ( Change JNZ to JE )'
00457CDC B8 01000000 MOV EAX,1 ' <<<<---Change this value (1) to 0 to remove recoil.'
SendCommandToConsole:
Code:
0046C90F 68 400E6D00 PUSH iw3mp.006D0E40 ; ASCII "screenshot silent"
0046C914 6A 00 PUSH 0
0046C916 6A 00 PUSH 0
0046C918 E8 93D10800 CALL iw3mp.004F9AB0 '<<<--- SendCommandToConsole function offset'
0046C91D 83C4 0C ADD ESP,0C
CG_Init:
Code:
0045BFD3 68 E4EE6C00 PUSH iw3mp.006CEEE4 ; ASCII "Setting state to CA_LOADING in CL_InitCGame\n"
0045BFD8 6A 0E PUSH 0E
0045BFDA C706 07000000 MOV DWORD PTR DS:[ESI],7
0045BFE0 E8 DB0B0A00 CALL iw3mp.004FCBC0
0045BFE5 A1 E44C8F00 MOV EAX,DWORD PTR DS:[8F4CE4]
0045BFEA 8B0D 244E9100 MOV ECX,DWORD PTR DS:[914E24]
0045BFF0 8B15 1C4E9100 MOV EDX,DWORD PTR DS:[914E1C]
0045BFF6 50 PUSH EAX
0045BFF7 51 PUSH ECX
0045BFF8 52 PUSH EDX
0045BFF9 53 PUSH EBX
0045BFFA C605 F7F8C500 01 MOV BYTE PTR DS:[C5F8F7],1
0045C001 C605 DE4C8F00 00 MOV BYTE PTR DS:[8F4CDE],0
0045C008 E8 C33AFEFF CALL iw3mp.0043FAD0 '<<<--- CG_Init class offset'
Entity, CG, CGs classes:
Code:
0043FADD 56 PUSH ESI
0043FADE 57 PUSH EDI
0043FADF 68 243A0000 PUSH 3A24
0043FAE4 33FF XOR EDI,EDI
0043FAE6 57 PUSH EDI
0043FAE7 68 08A97400 PUSH iw3mp.0074A908 '<<<--- CGS class offset'
0043FAEC E8 AFC92300 CALL iw3mp.0067C4A0
0043FAF1 83C4 0C ADD ESP,0C
0043FAF4 68 F0E70F00 PUSH 0FE7F0
0043FAF9 57 PUSH EDI
0043FAFA 68 38E37400 PUSH iw3mp.0074E338 '<<<--- CG class offset'
0043FAFF E8 9CC92300 CALL iw3mp.0067C4A0
0043FB04 8BC3 MOV EAX,EBX
0043FB06 69C0 78160000 IMUL EAX,EAX,1678
0043FB0C 83C4 0C ADD ESP,0C
0043FB0F 68 78160000 PUSH 1678
0043FB14 8DB0 A86F7400 LEA ESI,DWORD PTR DS:[EAX+746FA8]
0043FB1A 57 PUSH EDI
0043FB1B 56 PUSH ESI
0043FB1C 897424 18 MOV DWORD PTR SS:[ESP+18],ESI
0043FB20 E8 7BC92300 CALL iw3mp.0067C4A0
0043FB25 8BCB MOV ECX,EBX
0043FB27 69C9 00700700 IMUL ECX,ECX,77000
0043FB2D 83C4 0C ADD ESP,0C
0043FB30 68 00700700 PUSH 77000
0043FB35 81C1 D8F28400 ADD ECX,iw3mp.0084F2D8 '<<<--- Entity class offset'
0043FB3B 57 PUSH EDI
0043FB3C 51 PUSH ECX
0043FB3D E8 5EC92300 CALL iw3mp.0067C4A0
0043FB42 8BD3 MOV EDX,EBX
0043FB44 69D2 00220000 IMUL EDX,EDX,2200
0043FB4A 83C4 0C ADD ESP,0C
0043FB4D 68 00220000 PUSH 2200
ClientInfo class:
Code:
00431F60 69C9 CC040000 IMUL ECX,ECX,4CC '<<<--- Size of the ClientInfo class'
00431F66 05 70928300 ADD EAX,iw3mp.00839270 '<<<---ClientInfo class offset'
00431F6B 8B40 1C MOV EAX,DWORD PTR DS:[EAX+1C]
00431F6E 81C1 70928300 ADD ECX,iw3mp.00839270'<<<---ClientInfo class offset'
00431F74 83F8 03 CMP EAX,3
00431F77 57 PUSH EDI
00431F78 75 0C JNZ SHORT iw3mp.00431F86
00431F7A 68 887D6C00 PUSH iw3mp.006C7D88 ; ASCII "g_TeamColor"
00431F7F 68 A87F6C00 PUSH iw3mp.006C7FA8 ; ASCII "%s_Spectator"
Minimap/Compass:
Code:
0042A080 BF 0C796C00 MOV EDI,iw3mp.006C790C; "g_compassShowEnemies"
0042A085 894424 28 MOV DWORD PTR SS:[ESP+28],EAX
0042A089 D95C24 30 FSTP DWORD PTR SS:[ESP+30]
0042A08D D84C24 64 FMUL DWORD PTR SS:[ESP+64]
0042A091 D84424 5C FADD DWORD PTR SS:[ESP+5C]
0042A095 D95C24 34 FSTP DWORD PTR SS:[ESP+34]
0042A099 D903 FLD DWORD PTR DS:[EBX]
0042A09B D95C24 48 FSTP DWORD PTR SS:[ESP+48]
0042A09F D943 04 FLD DWORD PTR DS:[EBX+4]
0042A0A2 D95C24 4C FSTP DWORD PTR SS:[ESP+4C]
0042A0A6 D943 08 FLD DWORD PTR DS:[EBX+8]
0042A0A9 D95C24 50 FSTP DWORD PTR SS:[ESP+50]
0042A0AD D943 0C FLD DWORD PTR DS:[EBX+C]
0042A0B0 D95C24 54 FSTP DWORD PTR SS:[ESP+54]
0042A0B4 E8 97151400 CALL iw3mp.0056B650 '<<<---- NOP it and enemies are visible on compass at all times.'
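The patches from the cheat/write protected, NoRecoil and Minimap/Compass sections, as an added example that is not from the tutorial. It applies them to constructed regions holding the listing bytes and refuses to write unless the bytes still match the listing, which is the check you want before poking a live process (a different patch level, or a patch applied twice, fails closed). Region layout, patch table and function names are my own.

```c
/* Added example (not from the tutorial): applying the byte patches this page
 * describes, verifying first that the bytes at the address match the listing.
 * The regions are constructed from the listing bytes; in a running game the
 * same writes go to the live image (VirtualProtect + memcpy) at the same VAs. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

typedef struct {
    uint32_t va;          /* address of the first byte to change */
    uint8_t  expect[8];   /* bytes the listing shows there */
    uint8_t  patch[8];    /* replacement bytes */
    size_t   len;
    const char *what;
} patch_t;

typedef struct { uint32_t va; uint8_t *buf; size_t len; } region_t;

/* The #define offsets on this page name the instruction start; the byte you
 * change may sit inside it: the imm8 of TEST BYTE PTR [EAX+20],6 (F6 40 20 06)
 * is at +3, the imm32 of MOV EAX,1 (B8 01 00 00 00) at +1, a Jcc rel8 opcode at
 * +0, and a 5-byte CALL rel32 needs five NOPs, not one. */
const patch_t kPatches[] = {
    { 0x0056B358, {0x74,0x19}, {0x75,0x19}, 2, "write protected: JE -> JNZ" },
    { 0x0056B386, {0x75,0x19}, {0x74,0x19}, 2, "cheat protected: JNZ -> JE" },
    { 0x00457CCA, {0x06}, {0x00}, 1, "NoRecoil1: TEST mask 6 -> 0 (ZF always set)" },
    { 0x00457CDD, {0x01,0x00,0x00,0x00}, {0x00,0x00,0x00,0x00}, 4, "NoRecoil4: MOV EAX,1 -> 0" },
    { 0x0042A0B4, {0xE8,0x97,0x15,0x14,0x00}, {0x90,0x90,0x90,0x90,0x90}, 5, "compass: NOP the CALL" },
};
const size_t kNumPatches = sizeof kPatches / sizeof kPatches[0];

/* Image regions, bytes copied from the listings at the addresses shown there. */
static uint8_t kProt[] = { 0x74,0x19, 0x8B,0x0F, 0x51, 0x68,0x68,0x3E,0x6F,0x00, 0x6A,0x10,
    0xE8,0x57,0x18,0xF9,0xFF, 0x83,0xC4,0x0C, 0x5F,0x5E,0x5B, 0x8B,0xE5, 0x5D, 0xC3,
    0x83,0xF9,0x01, 0x75,0x29, 0x84,0xC0, 0x79,0x25, 0x8B,0x0D,0x04,0x74,0xBA,0x0C,
    0x80,0x79,0x0C,0x00, 0x75,0x19, 0x8B,0x17, 0x52, 0x68,0x80,0x3E,0x6F,0x00 };  /* 0056B358 */
static uint8_t kRecoil[] = { 0xA1,0x5C,0xE3,0x74,0x00, 0xF6,0x40,0x20,0x06, 0x89,0x54,0x24,0x10,
    0x74,0x12, 0x8B,0x75,0x00, 0x3B,0xB0,0xE8,0x00,0x00,0x00, 0x75,0x07,
    0xB8,0x01,0x00,0x00,0x00 };                                                  /* 00457CC2 */
static uint8_t kCompass[] = { 0xD9,0x5C,0x24,0x54, 0xE8,0x97,0x15,0x14,0x00 };  /* 0042A0B0 */

region_t kRegions[] = {
    { 0x0056B358, kProt,    sizeof kProt    },
    { 0x00457CC2, kRecoil,  sizeof kRecoil  },
    { 0x0042A0B0, kCompass, sizeof kCompass },
};
const size_t kNumRegions = sizeof kRegions / sizeof kRegions[0];

/* Pointer to va inside one of the regions, or NULL if [va, va+len) is unmapped. */
static uint8_t *map_va(region_t *regs, size_t n, uint32_t va, size_t len) {
    for (size_t k = 0; k < n; k++)
        if (va >= regs[k].va && (size_t)(va - regs[k].va) + len <= regs[k].len)
            return regs[k].buf + (va - regs[k].va);
    return NULL;
}

/* Apply one patch. Returns 1 on success, 0 if the address is unmapped or the
 * bytes there differ from the listing (never write blind into another build). */
int apply_patch(region_t *regs, size_t n, const patch_t *p) {
    uint8_t *dst = map_va(regs, n, p->va, p->len);
    if (!dst || memcmp(dst, p->expect, p->len) != 0) return 0;
    memcpy(dst, p->patch, p->len);
    return 1;
}

/* Apply a list of patches; returns how many were applied. */
int apply_all(region_t *regs, size_t n, const patch_t *ps, size_t np) {
    int applied = 0;
    for (size_t i = 0; i < np; i++) applied += apply_patch(regs, n, &ps[i]);
    return applied;
}

/* Read one byte back for verification; -1 if unmapped. */
int read_byte(region_t *regs, size_t n, uint32_t va) {
    uint8_t *p = map_va(regs, n, va, 1);
    return p ? *p : -1;
}

int main(void) {
    for (size_t i = 0; i < kNumPatches; i++)
        printf("%-44s %s\n", kPatches[i].what,
               apply_patch(kRegions, kNumRegions, &kPatches[i]) ? "applied" : "SKIPPED (bytes differ)");
    return 0;
}
```

The four NoRecoil offsets are alternatives; the table applies two of them only to show where the byte sits inside each instruction. To always skip a protection check rather than invert it, write EB instead of 75/74 at the same address.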
IsInGame:
Code:
0042F193 C74424 28 647E6C>MOV DWORD PTR SS:[ESP+28],iw3mp.006C7E64 ; ASCII "+toggleads_throw"
0042F19B C74424 2C 787E6C>MOV DWORD PTR SS:[ESP+2C],iw3mp.006C7E78 ; ASCII "+speed_throw"
0042F1A3 C74424 30 887E6C>MOV DWORD PTR SS:[ESP+30],iw3mp.006C7E88 ; ASCII "+speed"
0042F1AB C74424 34 907E6C>MOV DWORD PTR SS:[ESP+34],iw3mp.006C7E90 ; ASCII "toggleads"
0042F1B3 C74424 20 9C7E6C>MOV DWORD PTR SS:[ESP+20],iw3mp.006C7E9C ; ASCII "+melee"
0042F1BB C74424 24 A47E6C>MOV DWORD PTR SS:[ESP+24],iw3mp.006C7EA4 ; ASCII "+melee_breath"
0042F1C3 0F84 05020000 JE iw3mp.0042F3CE
0042F1C9 8B0D F8F8C500 MOV ECX,DWORD PTR DS:[C5F8F8]
0042F1CF C1E9 04 SHR ECX,4
0042F1D2 F6C1 01 TEST CL,1
0042F1D5 0F85 F3010000 JNZ iw3mp.0042F3CE
0042F1DB 8B3D 5CE37400 MOV EDI,DWORD PTR DS:[74E35C] '<<<---IsInGame offset '
Credits:
All credit goes to Vossy for this tutorial.