Quick Tutorial on use
[quote]To find an address across multiple patches: in Olly, starting from the address you want to find and
moving down, highlight it and the 6 or 7 lines below it (approx. 20-30 bytes). Then go Right-Click -> Binary -> Copy.
You will have something like this:
Quote:
85 C9 56 74 64 83 3D 50 C5 8F 00 00 74 5B 8B 55 08
That line relates to:
Quote:
004AC2C9 |. 85C9 TEST ECX,ECX
004AC2CB |. 56 PUSH ESI
004AC2CC |. 74 64 JE SHORT BF2.004AC332
004AC2CE |. 833D 50C58F00 >CMP DWORD PTR DS:[8FC550],0
004AC2D5 |. 74 5B JE SHORT BF2.004AC332
004AC2D7 |. 8B55 08 MOV EDX,DWORD PTR SS:[EBP+8]
To make it findable over multiple patches you need to wildcard out all the things that might change over a patch, such as conditional jump lengths, calls by address, static addresses, etc.
So the wildcard modified code of the above would be:
Quote:
85 C9 56 74 ?? 83 3D ?? ?? ?? 00 00 74 ?? 8B 55 08
64 is removed as the distance for the code to jump in the next patch will very likely be different.
50C58F is removed as it's a static pointer? and may be different in a new patch.
5B is removed as it's a jump.
Other situations:
004AC36C |. E8 AFD60C00 CALL BF2.00579A20
E8 ????????
0067A9DB |. D83D 88208200 FDIVR DWORD PTR DS:[822088]
D83D ????????
Any more situations feel free to post and ask.
Also, you don't need BF2 open while searching; it just slows things down.
Once you've launched BF2 and it has said "[Bf2.exe]Success.", it has dumped all the memory it needs for searching and you no longer need to have BF2 running. You don't need to press 'launch' again until a new patch, or until the dump files are deleted, etc.
Credits: Kosire
Copy-pasted from here
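How the wildcard signature above behaves when matched, as an added example that is not part of the original post or the tool it describes. The function names, the `base` parameter and both byte buffers are assumptions made for illustration; the "new patch" buffer is constructed by changing only the jump distances and the static address.

```python
def parse_signature(text):
    """Parse '74 ?? 8B' or 'E8 ????????' into a list; None marks a wildcard byte."""
    compact = "".join(text.split())
    if len(compact) % 2:
        raise ValueError("signature must consist of whole bytes")
    sig = []
    for i in range(0, len(compact), 2):
        pair = compact[i:i + 2]
        # int() raises ValueError on half-wildcards such as '7?'
        sig.append(None if pair == "??" else int(pair, 16))
    return sig


def find_all(image, sig):
    """Return every offset in image at which the signature matches."""
    hits = []
    for off in range(len(image) - len(sig) + 1):
        if all(b is None or image[off + i] == b for i, b in enumerate(sig)):
            hits.append(off)
    return hits


def locate(image, text, base=0):
    """Return the one matching address; refuse missing or ambiguous signatures."""
    hits = find_all(image, parse_signature(text))
    if len(hits) != 1:
        raise LookupError(f"{len(hits)} matches, expected exactly 1")
    return base + hits[0]


EXACT = "85 C9 56 74 64 83 3D 50 C5 8F 00 00 74 5B 8B 55 08"  # from the post
WILD = "85 C9 56 74 ?? 83 3D ?? ?? ?? 00 00 74 ?? 8B 55 08"   # from the post

# Constructed sample images: a few filler bytes around the routine.
OLD_BUILD = bytes.fromhex("90 90 55 8B EC") + bytes.fromhex(EXACT) + b"\xC3\xCC"
NEW_BUILD = (bytes.fromhex("CC CC CC CC 55 8B EC 51")
             + bytes.fromhex("85 C9 56 74 6A 83 3D 70 D1 90 00 00 74 61 8B 55 08")
             + b"\xC3")

if __name__ == "__main__":
    print("exact in new build:", find_all(NEW_BUILD, parse_signature(EXACT)))
    print("wildcard, old build:", hex(locate(OLD_BUILD, WILD)))
    print("wildcard, new build:", hex(locate(NEW_BUILD, WILD)))
```

`locate` raises when a signature matches zero times or more than once, which is the signal to copy more bytes or to wildcard fewer of them.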