- Alright, so there are a few different ways you can hunt down offsets. This tutorial will cover using a debugger to locate static or dynamic offsets, as well as floats.
- Dynamic Offsets
- These offsets move either when you leave a given area or complete a specific action. Regardless, Dynamic Offsets are usually kept in a small range and are often based off of 'Pointers', which are offsets that 'point' to other offsets. Pointers are difficult and I'm still trying to find a good way to grab them in CEX; once I do I'll let you all know!
- Currently I'm not very good at finding Dynamic offsets, so I will typically use a search function that locates the offsets, write what I need and be done with it. Most games operate this way, case in point Grand Theft Auto 5. You may notice most tools say "Find Offsets"; that is because the offsets are Dynamic and change every time you reload the game (or the session).
- Static Offsets
- These are typically the best offsets to work with because they are always in the same place every time you load the game. These are the offsets you find with just a few simple searches.
- An example of this: as with most tools, you find an offset, shut off the game, reset your PS3 and load the game back up, and the offset still has the same value and function it did when you initially found it.
- Finding Ranges to search from
- Ok, so after all this talk about offsets, you must want to start searching, yes? WRONG. You need to know what ranges you are going to search from. Ranges are areas within the memory that yield results. They are divided up to reduce the load on the search tool you are using. On NetCheat, once you have connected and attached to your game (either CCAPI or TMAPI), go to the search tab and simply click "Find Ranges". Depending on which API you are on and how big the eboot.bin of the given game is, this could take a minimum of about 6-8 minutes, or it could take about 15-20 minutes.
- Figure out a search method
- Ok, so now we need to figure out what we are going to search for. This part takes some time to figure out and each game is different. As a general example, you can search for ammunition for a specific weapon. Typically when you have an ammo offset, there are 2 things to search for: the Clip (how many rounds you can shoot) and the ammunition. You can search for either one. To do this, click the Range Tab after it has finished locating them all. Double click on one of the ranges and it'll bring up a small box. Next go to the search tab and, where it says "Start Address" and "Finish Address", paste the ranges; then look at your game, now look at your computer, then look at your game, now back at the computer. Sadly there's no magic here, you'll have to do some work. For this example let's look at the clip: if you have 8 rounds in your clip, start the search with 8. Hit search and wait for all the results to come in. Once they do, shoot your gun once, change the search to 7 and hit Next Scan. Keep doing this until you have found the offset!
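The search / Next Scan narrowing described above, as an added example that is not part of the original paste and not NetCheat's own code. The base address, the snapshot layout and the function names are constructed for illustration, and the values are assumed to be aligned 4-byte big-endian integers.

```python
import struct

BASE = 0x30000000  # constructed start address of the range being searched


def make_snapshot(clip: int, decoy: int) -> bytes:
    """Build a constructed 64-byte memory range holding a few 4-byte values."""
    buf = bytearray(64)
    struct.pack_into(">I", buf, 0x04, 8)      # unrelated constant that is always 8
    struct.pack_into(">I", buf, 0x10, clip)   # the clip counter we want to find
    struct.pack_into(">I", buf, 0x20, 8)      # another unrelated 8
    struct.pack_into(">I", buf, 0x30, decoy)  # value that happens to change once
    return bytes(buf)


def first_scan(snapshot: bytes, value: int) -> set:
    """Every aligned address in the range whose 4-byte value equals `value`."""
    return {
        BASE + off
        for off in range(0, len(snapshot) - 3, 4)
        if struct.unpack_from(">I", snapshot, off)[0] == value
    }


def next_scan(candidates: set, snapshot: bytes, value: int) -> set:
    """Keep only the earlier hits that now hold the new expected value."""
    return {
        addr for addr in candidates
        if struct.unpack_from(">I", snapshot, addr - BASE)[0] == value
    }


def find_clip_address() -> list:
    # Snapshots taken with 8, 7 and 6 rounds in the clip (constructed data).
    full, one_shot, two_shots = (
        make_snapshot(8, 8), make_snapshot(7, 7), make_snapshot(6, 7)
    )
    hits = first_scan(full, 8)             # four addresses hold 8
    hits = next_scan(hits, one_shot, 7)    # two of them dropped to 7
    hits = next_scan(hits, two_shots, 6)   # only the real counter reaches 6
    return sorted(hits)


if __name__ == "__main__":
    print([hex(a) for a in find_clip_address()])
```

The decoy value shows why one Next Scan is often not enough: an unrelated value can change in step once, so you keep scanning until a single candidate remains.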
- Big thanks to GamePwnzer for teaching me about floats!!!
- Finding Floats!
- Floats are amazing fun. Typically floats are used in game as either multipliers or some sort of movement function. Either way, there are usually A LOT of them per game; in Metal Gear Solid 3 I found over 30,000 floats!
- Finding them is quite simple. Go to NetCheat, choose a range and paste it into the search box as before. Now go to the plugins tab and click on the "Conversion" plugin. Once it is open, change the top drop down menu on the left to "Float" and the one on the right to "Hexadecimal", then type in a whole number; in this case we will be using 1. A float value of 1 is equal to 3F800000 in hex, so that is what we will be searching for. Back on the search tab, change the "type" to "X Bytes" or 4 bytes, then type in 3F800000. Hit search and wait for the results; there will be thousands... Once it finishes, right click in the search results box and hit "Select All", then right click again and hit "Copy". NetCheat MAY freeze up on you, but don't touch it!!! Depending on how many you've found, it may take a minute or two. Now open up Notepad++ (or Notepad, either works, ++ is preferable) and paste all your floats.
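What the Conversion plugin and the 4-byte search are doing, as an added example that is not part of the original paste and not NetCheat's own code. The dump contents, base address and function names are constructed; it assumes IEEE-754 single-precision floats stored big-endian, which is the byte order in which 3F800000 is typed above.

```python
import struct

BASE = 0x31000000  # constructed start address of the dumped range

# Constructed 24-byte dump: four aligned floats (1.0, 2.0, 0.5, 1.0), then the
# bytes 3F 80 00 00 sitting at an unaligned offset inside other data.
DUMP = (
    struct.pack(">4f", 1.0, 2.0, 0.5, 1.0)
    + b"\x00" + bytes.fromhex("3F800000") + b"\x00\x00\x00"
)


def float_to_hex(value: float) -> str:
    """Encode a float as the 8 hex digits of its big-endian 32-bit form."""
    return struct.pack(">f", value).hex().upper()


def hex_to_float(hex_word: str) -> float:
    """Decode 8 hex digits back into the float they represent."""
    return struct.unpack(">f", bytes.fromhex(hex_word))[0]


def scan_for_float(dump: bytes, value: float, step: int = 4) -> list:
    """Addresses where the 4-byte pattern for `value` occurs.

    step=4 checks aligned positions only; step=1 checks every byte offset
    and so also reports patterns that merely straddle other data.
    """
    needle = struct.pack(">f", value)
    return [
        BASE + off
        for off in range(0, len(dump) - 3, step)
        if dump[off:off + 4] == needle
    ]


if __name__ == "__main__":
    print(float_to_hex(1.0), float_to_hex(2.0))
    print([hex(a) for a in scan_for_float(DUMP, 1.0)])
    print([hex(a) for a in scan_for_float(DUMP, 1.0, step=1)])
```

A byte-by-byte search returns one extra hit in this dump, which is one reason a raw pattern search returns so many candidates that do not behave like floats when tested.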
- Using Floats!
- Now that we have found all these floats (Valued at 1) we can start poking around with them! Each game is different, so this method might not work for you, just play around with it and find what works for your game.
- It would take far too long to test each float individually, so we are going to take chunks of floats and test them all at once. To do this, select a large number of floats (typically I choose about 100 or so), create a new page in Notepad++ (or a new document if you are on Notepad) and paste those 100 floats. Now press "Control + H" to bring up the replace menu. In the first box type 3F800000; for the second box, go back to the Conversion plugin to find the value. Let's do a float value of 2, which is 40000000. Hit Replace All, and you will see all those float values changed from 1 to 2 (3F800000 to 40000000). Select about 50 of those floats and paste them into the codes tab on NetCheat. You can either hit Write Now or check the Constant Write box. This is where it gets tricky: after you write it, if the change wasn't obvious, try various in game functions to see if anything changed. If there was no change, grab the next 50 floats we changed earlier and paste them into the box. If there was a change, however, you will need to go to each individual float and change it back to "default", in this case 3F800000. So in NetCheat, change the value of each float back to 3F800000, one at a time! (I'd check Constant Write for this one, it makes it easier.) Keep going down the line until you find something "change" back. This is why we do chunks, for 2 reasons really: one, so we don't overload the game or change too many things at once, and two, because when you do find something, it's easier to go back through 50 or 100 floats than it is to go back through 500 or 1,000 floats.