
Extracting data from Dota2

We now know enough about Cheat Engine to locate the necessary data in Dota2. For our project, we need to know the IDs of the enemy heroes during the picking phase.

It is difficult to use our standard approach to isolate data, since the game allows you to change your hero ID only once after you've picked a hero (aka re-picking). Furthermore, this feature is not available in offline modes (Local lobbies/Solo Bot matches). Attaching Cheat Engine to the game while playing the game with anyone online is likely to get you banned, and is not the most optimal way to locate the data (I got around 10 Steam accounts banned while trying to go down that path).

Our alternative will involve finding other data that belongs to our hero (Hero Level, Kills, Assists, Deaths etc.). This data is easier to manipulate and observe in offline modes. The game is probably storing all of this data together as a struct, and gaining access to such a struct will lead us to the Hero ID we are looking for. Once we've located such a struct, we go one step further and check if it belongs to an array. It makes sense that the game would store all of its hero data as an array of Hero Information structs. Entries in the array are equidistant from each other, so we have access to all Hero IDs as soon as we can locate a member of this array.
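The reasoning above, worked through on a constructed byte buffer (an added example, not code from the original post): one record is found by its observable stats, then the fixed stride gives every other entry's ID. The layout, offsets, stride, sample values and function names are all hypothetical and were made up for this illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical record layout, constructed for this example only. */
enum { STRIDE = 0x40, PLAYERS = 10, OFF_ID = 0x00, OFF_LEVEL = 0x04,
       OFF_KILLS = 0x08, OFF_DEATHS = 0x0C, OFF_ASSISTS = 0x10 };

static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static void wr32(uint8_t *p, uint32_t v) { memcpy(p, &v, 4); }

/* Scan a snapshot for the record whose stat fields match values observed
   in game. Returns the record's offset, or -1 if there is no match. */
long find_record(const uint8_t *buf, size_t len, uint32_t level,
                 uint32_t kills, uint32_t deaths, uint32_t assists)
{
    for (size_t off = 0; off + OFF_ASSISTS + 4 <= len; off += 4)
        if (rd32(buf + off + OFF_LEVEL) == level && rd32(buf + off + OFF_KILLS) == kills &&
            rd32(buf + off + OFF_DEATHS) == deaths && rd32(buf + off + OFF_ASSISTS) == assists)
            return (long)off;
    return -1;
}

/* One member at member_off is known to be array slot `slot`: step back to the
   base and read every ID. Returns -1 if the array would leave the snapshot. */
int read_ids(const uint8_t *buf, size_t len, long member_off, int slot,
             uint32_t out[PLAYERS])
{
    long base = member_off - (long)slot * STRIDE;
    if (base < 0 || (size_t)base + (size_t)PLAYERS * STRIDE > len) return -1;
    for (int i = 0; i < PLAYERS; i++)
        out[i] = rd32(buf + base + i * STRIDE + OFF_ID);
    return PLAYERS;
}

/* Constructed snapshot: 0x100 bytes of padding, then ten records. */
size_t make_snapshot(uint8_t *buf, size_t cap)
{
    size_t need = 0x100 + (size_t)PLAYERS * STRIDE;
    if (cap < need) return 0;
    memset(buf, 0, need);
    for (int i = 0; i < PLAYERS; i++) {
        uint8_t *r = buf + 0x100 + i * STRIDE;
        wr32(r + OFF_ID, 100 + i);          /* constructed IDs 100..109 */
        wr32(r + OFF_LEVEL, 1 + i);         /* distinct stats per slot */
        wr32(r + OFF_KILLS, 2 * i); wr32(r + OFF_DEATHS, i + 3);
        wr32(r + OFF_ASSISTS, 7 - (i % 4));
    }
    return need;
}
```

The bounds check in `read_ids` matters because a wrong slot guess moves the computed base outside the snapshot; rejecting it is safer than reading neighbouring memory as IDs.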

Extracting Hero IDs:

Once you have access to all the hero IDs, you still need to figure out which team you are on, in order to send the appropriate data to the hero picking website. We do this by locating the address for our hero's gold. I noticed that the address would vary based on which team you were on.

Detecting your team:

The pointer chain to our hero gold will be valid when we're on the Radiant team, but the first level pointer will hold NULL when we're on the Dire team.

Pointer Chain when you're on Dire:

I also observed that the gold pointers would be initialized only when you load into a game, making them a good indicator of when to start searching for hero selections.

Here are some code snippets:

We will first need to determine the base address of the client module. We will be using a DLL wrapper for d3d9.dll (I will elaborate on that in a future blog post), so our code will be running in the same address space as "client.dll". The following code loops through all the modules in the current process and returns the base address for the desired module (HMODULE is just an alias for the starting address of a module).

Next, we want to start looking for hero IDs as soon as the match starts and the pick screen is presented. This happens when either the Radiant or the Dire gold value becomes valid.

Finally, we find the hero IDs. This works perfectly for any online game mode involving 10 heroes. Things get tricky for custom game modes and lobbies with bots. Hero ID storage order goes as follows for lobbies:

- Radiant non-bot hero IDs

- Dire non-bot hero IDs

- Radiant bot hero IDs

- Dire bot hero IDs

You could probably figure out how to detect if a match is a lobby match and adjust accordingly.

Note: All of the above addresses will change every time Valve re-builds the game for a patch. Updating these values becomes tedious when such patches are released multiple times a week :/

