Post by WhiteHat » Fri May 02, 2008 10:48 am
Obtaining the attack range address is easy: use any hero with an ability that alters its attack range.

The first time I did this, I used Dwarven Sniper. His Take Aim ability was very helpful since it changes Kardel’s attack range gradually...

But, again, we can’t use the standard Data-Type Search and Sub-Search for Attack Range since most heroes have a static attack range. So, we’re gonna use Group Search.

Before we begin, we have to know how to obtain the value of our attack range. There are two ways in DotA:
- Hover your mouse pointer over the Attack Icon, below your EXP bar.
- Read the Attack Range value in the hero's brief description before you choose them.
Please note that you can only use the 2nd option to obtain attack range for Melee Heroes...

Now that I have found the address of Kardel’s Attack Range, the next thing to do is ALWAYS to study the values around it...

After several trials with various heroes, I managed to make the Group Search pattern based on this hex editor:

So the Group Search would be like this:

The hero’s Attack Speed and Attack Damage addresses are just a few hundred bytes before the Attack Range address, as shown in this Hex Editor:
In the above picture:
- Attack Range = 605.00 float (0x44174000)
- Awareness Range = 800.00 float (0x44480000)
- Attack Speed = 1.21 float (0x3F9AE147)
- Attack Damage = 34 Unsigned Long (0x00000022)
I got those values by clicking each address and checking the value in the Conversions Tab of the Helper Window...

Note that for Attack Damage, the value shown in game differs slightly from the one in the Hex Editor. However, it is the right address...

Finally, we can make the table regarding these attacking things:

I used the above method to hack Elazor's Attack Range and Attack Damage, enabling him to destroy a Scourge tower from outside the range of the tower itself...
Pay attention to the range from which Elazor destroys the tower (the gold he gained confirms that he is the one who destroyed the tower)...

This concludes my tutorial series on Hacking DotA Heroes. There are still a lot of things to hack though, so we can’t just stop here...

Feel free to ask anything related to this tutorial. I’ll do my best to answer... Also, feel free to make any corrections should there be any...

I have to apologize for using a lot of pictures due to my bad English... I humbly hope that these tutorials will be useful...

Have fun... Peace... :)


Post by WhiteHat » Fri May 02, 2008 10:46 am

Hacking movement speed is a bit tricky... I’ve tried various ways to get its address and failed for about a week. That was until I decided to use Nerubian Weaver’s skill Shukuchi.

Using Unknown Data-type search followed by Difference From Before and Same as Original Sub-Search, I managed to find that when Anub'seran is in Shukuchi mode there is exactly one address that has a value of 11.00 float. And the same address changes to 01.00 float when the Shukuchi mode wears off...

When I studied the values around the address, I found the base movement speed (original speed of Anub'seran without any speed booster item) address just 8 bytes before. The value at this address is static, which means that it is not affected by whatever speed booster item is put on. So, if you want to know your hero's original movement speed, you have to take off all speed booster items before typing the "-ms" command in DotA...

Based on the Hex Editor view, the inputs for Group Search would be something like this:

Now, in a similar way, I maxed out Rhasta's movement. And here’s the screenshot result:

Since Rhasta's original movement speed is 275, the values input for group search were: 0 0 275 1 0 0. Then I simply changed the value 275.00 at that address to 1000.00.
But, no matter how high you set the speed value, the max speed is limited to 522.

Heroes' Base Movement Speed in DotA is a static value. No matter what speed boosting equipment you have, the value remains the same. Thanks to Group Search, we can find the value's address in a single step...

Can you imagine having to search for the value 275.00 float and sub-search for the same value just to obtain your movement speed address? It’s more likely that the game is over before you find the address...


Post by WhiteHat » Fri May 02, 2008 10:45 am

Health and Mana values are stored in a similar way. You’ll find them in the following pattern within memory:
Current Health/Mana - Health/Mana Regeneration Rate - NULL - Max Health/Mana
They are all float data-type... NULL (0x00000000) equals 0.00 float.

All values but Regeneration Rate can be found with group search. Regeneration Rate is very hard to memorize and hard to calculate (actually, it is not hard if you’re not lazy...). So we’re just gonna put Current Health/Mana, NULL, Max Health/Mana in the Group Search find values.

However, before you begin performing Group Search, you have to be very, very sure that your hero is at full health/mana. There are times when you read her current health (or mana) as full (same value as max health), but in fact it is not the same value within memory.

So, the best time to apply the following Group Search is very, very early in the game, that is, right after you choose your hero...

For this tutorial session, we’ll be using Drow Ranger...

Health and Mana for Traxex:
- Max Health = 473
- Max Mana = 195

The group search would be something like this:

As usual, the search found only 1 address, unless other heroes have the same health or mana...

And this is the Hex Editor for Health (the Hex Editor for Mana is very similar):

Now you can make an MHS table by manually adding the addresses from the Hex Editor:

Once you have the table, you can make your hero invincible by increasing both Current Health and Max Health as high as you want and freezing them...

Personally, I prefer to modify Regeneration Rate. If you put 10000.00 in both Regeneration Rates, you have virtually frozen your Health and Mana...
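
The group search from this post, run over a constructed byte buffer instead of a live process (an added illustration, not part of the original posts and not MHS's own implementation). The buffer contents, regeneration values, base address, the 472.6 reading and all function names are assumptions; it shows why a lone 473.0 matches in several places while the Current/NULL/Max group matches once, and why a not-quite-full current value makes the exact search miss.

```python
import struct

def f32(x):
    """Little-endian IEEE-754 single: the 'float' data type used in the posts."""
    return struct.pack("<f", x)

def group_search(mem, pattern, base=0):
    """Return addresses where consecutive 4-byte floats match `pattern`.
    None is a wildcard slot (here: the regeneration rate, which is skipped)."""
    want = [None if v is None else f32(v) for v in pattern]
    hits = []
    for off in range(0, len(mem) - 4 * len(want) + 1, 4):  # 4-byte aligned scan
        if all(w is None or mem[off + 4 * i: off + 4 * i + 4] == w
               for i, w in enumerate(want)):
            hits.append(base + off)
    return hits

def build_snapshot(current_health):
    """Constructed sample buffer (not a real dump): unrelated floats, then a
    health block and a mana block in the layout the post describes."""
    filler = f32(473.0) + f32(1.0) + f32(275.0) + f32(0.0)  # lone 473.0 decoy
    health = f32(current_health) + f32(0.75) + f32(0.0) + f32(473.0)
    mana = f32(195.0) + f32(0.5) + f32(0.0) + f32(195.0)
    return filler + health + b"\x00" * 8 + mana

BASE = 0x1000                        # hypothetical base address, display only
HEALTH = [473.0, None, 0.0, 473.0]   # Current, (regen skipped), NULL, Max
MANA = [195.0, None, 0.0, 195.0]

full = build_snapshot(473.0)         # hero at exactly full health
hurt = build_snapshot(472.6)         # assumed to display as 473, differs in memory

def summary():
    """Hit lists for each search, as hex strings."""
    return {
        "single 473.0": [hex(a) for a in group_search(full, [473.0], BASE)],
        "health group": [hex(a) for a in group_search(full, HEALTH, BASE)],
        "mana group": [hex(a) for a in group_search(full, MANA, BASE)],
        "health group, not quite full": [hex(a) for a in group_search(hurt, HEALTH, BASE)],
    }

if __name__ == "__main__":
    for name, hits in summary().items():
        print(f"{name}: {hits}")
```
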
