Gamerz Online

Step 2:

Now we must sift out unnecessary values. Change movements speed by wearing boots (+1% to speed)


At this moment we don’t know the exact value of speed (it’s float and rounded…), but we know that this value was increased. Choose in CE scan type “increased value” and click “next scan”


Now we can move around and sift out results by choosing “unchanged value” or again remove the boots and use “value decreased”.
After several sift out iteration we will get maybe 10 or less values, it’s not a big deal (even if we got 100 values it’s not a problem).

Step 3:

Ok, next step. I removed boots, got speed 5 and got one suitable value with address $015368B0


Add this value to the list; Right click -> Find out what writes to this address


We see the list of opcodes that changed the selected address ($015368B0)


Don’t close this window, ‘coz we want to see all opcodes… Return to the game and change the speed value again. After that new opcode will be added to the list: mov [ecx + 10], eax


mov [ecx + 10], eax - this instruction means, that the some value (in our case – speed value) in eax register move (really a copy) into the memory address [ecx + 10] (in our case to the founded address $015368B0)
Choose this instruction and press “More information”, we got some disassembled instruction and registers value.


Step 4:

Important register is ecx = $015368A0 – next value for searching. Press “new scan”, check “hex” and start scanning.


If several results were found, add them all to the list.
Right click -> Find out what accesses this address
Note: I renamed the first result to the “+10”, second and the 4th to the “no result” (I already checked them


Ok, now we must repeat step 3 and 4 until we get the result – base address and offsets chain.
For Requiem speed value:




And the last one:


We enter $14A90718 and we get:


At the end we got the BaseAdress [BA] = $0071AAB0 (or Requiem.exe + $0031AAB0) and offsets chain
[BA] + $3A0 + $58 + $88 + $11C + $10 (float value)