1. Open the game and CE 5.2 (obviously: without the game running there is nothing for CE to search, haha) and attach CE to the game process.
2. Let your blood volume recover to its full level and note the blood volume value.
For example, I have 1312 blood points. In CE, search for "1312" using the "Exact value" scan type, 4 bytes.
The search returns N addresses. Go back to the game and let the character lose some blood (preferably a larger, irregular amount, so that the numbers are easy to check later), then search again with "Decreased value". Lose blood and search again, and repeat this several times. In my case only four addresses were left after two searches; the number of searches may differ on different computers, but the method is the same: first find the maximum blood volume, then lose blood, then search with "Decreased value", and repeat the cycle a few times.
Write down the first address. Why the first address? According to CE's tutorial, when only a small number of addresses are left, the correct one is generally the first. If you are not sure, let the character regenerate blood automatically and you will see that the value at the first address increases as well :)
Next, double-click the first address to add it to the address list below, right-click the address, and select "Find out what writes to this address" in the pop-up menu. This opens the monitoring window. Return to the game and you will see that the monitoring window has captured an instruction that writes to the address. Select this instruction and click "More information" to see the line highlighted in red: mov [ESI+00000254],ECX (+00000254 is the offset of the blood volume).
We can see that the value of ECX is written to the memory address ESI+00000254. Write down the ESI value, ESI = 05c0b548, return to the CE main interface, and search for "05c0b548" (tick Hex and search as a 4-byte hexadecimal value). A total of 26 addresses contain this value. Add the first three addresses to the address list at the bottom, then log back out (return to the character selection screen and enter the game again). You can see that the values at the three addresses have changed. Repeat the steps above to get the new ESI value, write it down, and compare it with the values at the three addresses you just saved.
The value in 010aeae4 is exactly the same as ESI, so we can be sure that 010aeae4 must be the second-level base address. Now monitor 010aeae4 with "Find out what writes to this address". Log back out and enter the game again. Now there is an entry in the monitoring window, for example mov [ESI+24],0000000.
Write down the ESI value 010aeac0, return to the CE main interface, and search for 010aeac0 as a hexadecimal value.
This returns N addresses; repeat the search several times.
According to the CE tutorial, the smallest address is generally the correct one.
Select the first one, 008be594, and add it to the address list below. Exit the game completely and then enter it again.
Repeat the search and you finally get 008be594 again, so you can be sure that 008be594 is the first-level base address.
The formula is as follows:
Level 1 base address: 008be594
The value stored at address 008be594 + offset 24 = the second-level base address
The value stored at the second-level base address + offset 254 = the address of the blood volume
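
The formula above, worked through as an added example (not part of the original tutorial). Memory is modelled as a dictionary, so nothing here touches a real process; session 1 uses the addresses from this walkthrough with the offsets 24 and 254 read as hexadecimal (010aeac0 + 24 = 010aeae4 only holds in hex), while sessions 2 and 3 are constructed to show that the chain survives a restart and how it fails when a pointer is not yet set.

```python
# Added illustration: process memory is modelled as a dict of 4-byte values.

BASE = 0x008BE594          # level-1 (static) base address from the tutorial
OFFSETS = (0x24, 0x254)    # offsets taken from the two mov instructions (hex)


def resolve(memory, base, offsets):
    """Follow the chain: read a pointer, add the next offset, repeat.

    Returns the final address, or None if a pointer on the way is
    null or refers to a slot that is not present in `memory`.
    """
    addr = base
    for off in offsets:
        ptr = memory.get(addr)
        if not ptr:               # missing slot or null pointer
            return None
        addr = ptr + off
    return addr


def read_hp(memory):
    """Return the blood value at the end of the chain, or None."""
    addr = resolve(memory, BASE, OFFSETS)
    return None if addr is None else memory.get(addr)


# Session 1: addresses and values as observed in the tutorial.
session1 = {
    0x008BE594: 0x010AEAC0,   # static slot holds the level-2 object
    0x010AEAE4: 0x05C0B548,   # 0x010AEAC0 + 0x24 holds the character object
    0x05C0B79C: 1312,         # 0x05C0B548 + 0x254 holds the blood value
}

# Session 2 (constructed): after a restart the dynamic objects have moved,
# but the static slot has not.
session2 = {
    0x008BE594: 0x01230000,
    0x01230024: 0x06400000,
    0x06400254: 1312,
}

# Session 3 (constructed): character not loaded yet, so the pointer is null.
session3 = {0x008BE594: 0x01230000, 0x01230024: 0}

if __name__ == "__main__":
    for name, mem in (("1", session1), ("2", session2), ("3", session3)):
        addr = resolve(mem, BASE, OFFSETS)
        print(name, hex(addr) if addr else None, read_hp(mem))
```

The direct address from session 1 (05c0b79c) is absent in session 2, which is why the walkthrough keeps tracing back until it reaches an address that stays the same after the game is fully restarted.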