One, open the game and CE5.2 (nonsense, do not open the game, ce search what thing, hehe), with the CE load game
Second, let your blood return to the full state, remember the blood measure
As pictured above, my blood is 1312, OK, with the CE search "1312",. In "Exact Value" mode, 4 bytes
Search n Address, good, then back to the game, we let the characters drop some blood (play strange things, the best to drop points, so convenient to check the number of later), and then use "decreased Value" (reduced number) to search, so that a drop of blood, search once, search some blood search once, a few times down, OK, Find the address is only four (I was two times to find only four, the computer is different, may find the number of times is also different, but the method is the same, first find the maximum amount of blood, and then, then drop some blood, and then reduce the search, so a few times on the loop OK to write down the first address (why use the first address, the CE of the course said, Generally if you find a small number of addresses, the correct general in the first, if you are not sure, you can let the characters automatically gyrus, you can see that the number of the first address also in the following increase: ~)
Next, double click on the first address, add the following column, and then right-click the Address, pop-up menu select "Find out what writes to this" (who in reformulation the address), pull up the Watch window, then back to the game, drop some blood, You can see that there's an order to rewrite that address in the Watch window.
Select the command, point "Mor information", and get the following figure
mov [esi+00000254],ecx Red Highlights, (+00000254 is the amount of blood offset)
You can see that the ECX value is written to esi+ 00000254 This memory address, so, we note the following ESI address: esi=05c0b548, and then back to the CE main interface, search the number of "05c0b548" (select hex, search in hexadecimal four bytes)
010aeae4 is just equal to ESI, which can be sure, 010aeae4 a certain level two base address, well, we monitor 010aeae4, "find out what writes to this address ". Ok, once again a small retreat, and then into the game, then watch the window has dongdong, the following figure
get: mov [esi+24],0000000
Note the value of ESI, 010AEAC0, and then back to the CE main interface, Use the hexadecimal method to find 010AEACO
Get the number of N, repeatedly search several times, good, get the following figure
by CE Tutorial Said, generally the smallest address is the right, oh, a bit of that Ah, ~~~~~~~~~~~~
Choose the first 008be594, add to the following column, completely out of the game, and then into the game
Repeat, finally or get 008be594, so you can be sure, 008be594 is the first base address.
Draw the formula as follows
A primary address: 008be594
The offset of the value +24 stored in the 008be594 address = Two base address
Two-level base addresses the number +254 offset to the amount of blood Address
