CheatEngine : Speedhack & Mountain Climb
Hello, as you are probably aware, cheatengine will give you almost an automatic ban following you logging in and enabling it. Well, I am here to show you how to bypass Warden's signature detection.
NOTE: I ADVISE YOU TO ONLY USE THIS ON A TRIAL ACCOUNT OR ACCOUNT THAT YOU DO NOT CARE IF IT GETS BANNED NO MATTER HOW UNDETECTABLE THIS IS. I AM NOT RESPONSIBLE FOR ANY BANS.
First of all, download the two programs that will be necessary here :
- Cheat engine 5.6 (Latest Version)
- WinHex v12.9
Now let me explain : It would be way too easy for me to just give you the download links and tell you to go to town. We cannot forget about World of Warcraft's anti-cheat detection Warden. So, knowing that the Warden is based on signature detection (which stands for public file detection), we'll use WinHex (Hexadecimal editor) to change CheatEngine's signature (CRC32).
Step 1
Now that you have both programs downloaded, unzip WinHex where you want on your computer, and run "CheatEngine56.exe" in order to install CE.
Step 2
Run WinHex.exe, located in the folder in which you unzipped the archive.
File => Open : a dialog box will appear, navigate to the folder in which you have installed CheatEngine, and select "Cheat Engine.exe". Then, Search => Replace text. In Search for box, put Cheat Engine.
In Replace with box, put anything you want, as long as it is made of 12 characters (Be sure it is personal, unique). For instance, let's take here "MMOwnedOwned". Now, click OK. Click OK when the message box appears.
Now let's do basically the same thing : Search => Replace Hex values. In Search for, put "6300680065006100740065006E00670069006E0065" in the box. Now, open up your internet, and go to the Text/Hex/Dec Converter.
Ok, now you need to convert the word you are changing CheatEngine to, into hex. For this example, I typed in "MMOwnedOwned" into the String box. !!!DON'T FORGET, IT NEEDS TO BE 12 CHARACTERS LONG EXACTLY!!! When you are done typing it in, a series of letters and numbers with spaces should appear in "Equivelant Hex Value" !!You need to remove the spaces from this series, and add "00" (without the "") in its place!!
This is what I got for MMOwnedOwned = 4D004D004F0077006E00650064004F0077006E00650064 In the "Replace" box, put the finished code with all of the zeroes. Once finished, click OK. Click OK once again when another box appears.
Now, File => Save. Click Yes on the message that appears.
Step 3
Congrats, that was the hardest part. Now, go to the CheatEngine folder, and find the "Cheat Engine" executable (the one you just modified). Right click => rename. Now, put whatever you want.
Step 4
That's it, you're done ! Now run WoW.exe (not Launcher.exe). Connect to your account, and enter the game with the character of your choice. Return then to Windows, and run CheatEngine, via the executable you modified and renamed. A first message box will appear, click yes. On the second one, click No. Now, click on the multicolor button (a small computer) on the top left. In the list that appears, find the "WoW.exe" executable, and click OK.
Step 5
Now click the "Add address manually" button on the bottom right. In Address, put the latest patch mountain climbing offset (Not sure what it is, on computer getting fixed and not enough tools on this computer to figure it out, will update when computer comes back).
Step 6
Right click on the line created => Change Record => Value. There, you put the number of your choice, made of 6 characters (important), chosen randomly (eg. 642187). Click OK.
If you want to deactivate Mountain Climb, simply repeat Step 6, and change the value to "1059360187" without the "".
That's it, you now have Mountain Climb activated (if you have the offset)!
Step 7
You may also use Speedhack... for it to work, check "Enable Speedhack" (right part of CheatEngine window). In "Speed", put the multiplication factor you want, but do not touch "Sleeptime". Now click on Set Speed. Done! Speedhack is now activated... use at your own risk! Please don't be stupid with it, I don't want your account banned.
Careful : Speedhack actually speeds all the game, which may heat your processor and/or your motherboard; do not use it for too long. Mountain Climbing though, will not harm your computer in any way.
Careful : Please remember that Blizzard watches every cheat community here on the web, and may change their detection system, so whenever a new update comes out, please first try this method on a test account, and when you believe it is secure, inform other cheaters.
Thank you
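Added example, not part of the original post: why a whole-file checksum signature of the kind described above stops matching after a same-length string swap, and how a detector that compares overlapping byte windows still recognises the file. The file layout, filler bytes, function names and the 0.9 threshold are constructed assumptions; only the two 12-character names come from the post.

```python
import hashlib
import zlib


def filler(seed: bytes, size: int) -> bytes:
    """Deterministic stand-in for code/data bytes (constructed, not a real binary)."""
    out = b""
    counter = 0
    while len(out) < size:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:size]


def build_image(product_name: str) -> bytes:
    """Constructed layout: code, one UTF-16LE name string, more code."""
    return (filler(b"code-a", 2048)
            + product_name.encode("utf-16-le")
            + filler(b"code-b", 2048))


def crc32_signature(image: bytes) -> int:
    """Whole-file checksum: any changed byte yields a different value."""
    return zlib.crc32(image) & 0xFFFFFFFF


def shingles(image: bytes, width: int = 8) -> set:
    """Every overlapping `width`-byte window of the file."""
    return {image[i:i + width] for i in range(len(image) - width + 1)}


def similarity(a: bytes, b: bytes) -> float:
    """Jaccard similarity of the two window sets (1.0 = identical content)."""
    sa, sb = shingles(a), shingles(b)
    return len(sa & sb) / len(sa | sb)


def is_known_tool(candidate: bytes, reference: bytes, threshold: float = 0.9) -> bool:
    """Flag a file whose content is mostly the reference tool's content."""
    return similarity(candidate, reference) >= threshold


REFERENCE = build_image("Cheat Engine")            # name the post searches for
RENAMED = build_image("MMOwnedOwned")              # replacement used in the post
UNRELATED = filler(b"other-program", len(REFERENCE))

if __name__ == "__main__":
    print("crc32 reference:", hex(crc32_signature(REFERENCE)))
    print("crc32 renamed  :", hex(crc32_signature(RENAMED)))
    print("similarity renamed  :", round(similarity(RENAMED, REFERENCE), 3))
    print("similarity unrelated:", round(similarity(UNRELATED, REFERENCE), 3))
```

The checksum changes because 24 of 4120 bytes changed, while the window comparison still scores the renamed file well above the threshold and an unrelated file near zero.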
I have found more offsets though not for 3.3.3.. I will keep looking around
This could be helpful to you..
IF THIS WAS HARD TO READ OR CONTAINED TOO MUCH COLOR, PLEASE LET ME KNOW, AND I WILL FIX IT ASAP.
WOTLK 3.1.1b
patches
505E36 collision M2(1)
505CBE collision M2(2)
50F08A collision WMO
797E33 inf jump patch
6CFADD language patch
statics
10B65F4 pPointer
A368DC lua unprotect
9D3BCC AirJumpVelocity
9D3BD0 WaterJumpVelocity
A3E7F0 fall speed
97C7B8 game speed
993D80 wall-climb angle
WOTLK 3.1
offsets changed.
player base is now (((10B65F4)+34h)+24h)
0x7CC movement state
0x7CF movement state 2
0x808 fall time
0x814 points to current speed
0x818 points to walk speed
0x81C points to run(forward)
0x820 points to run(backward)
0x824 points to swim(forward)
0x828 points to swim(backward)
0x82C points to flying speed
0x830 flying speed (backwards)
0x840 jump momentum
0x850 width
0x854 height
0x858 climb offset
0x798 X coord
0x79C Y coord
0x7A0 Z coord
0x7A8 rotation
0x18B0 faction
0x2768 track_objects
0x276C track_resources
functions
401050 GeneratePacket
402da0 PFreePacket
402e10 GetLocalBase
46e820 PerformanceCounter
46f090 InitSectionBounds
46f120 CheckBounds
5f81c0 PSendPacket
685c50 SendPacket
6d3cc0 PrintChatMsg
7b7b10 GetLocalGUID
7b93a0 GetBaseByGUID
831480 FreePacket
831610 AddBYTEToPacket
831670 AddWORDToPacket
8316d0 AddDWORDToPacket
831730 AddQWORDToPacket
831790 AddFLOATToPacket
831930 AddSTRINGToPacket
94b860 create_fields
5a4490 LoadMovePacket
5ac6a0 PossessNPC
5c0dc0 UpdateModel
5c26f0 UpdateMountDisp
6c1cc0 UpdateCamera
6e05f0 UpdateObjCamera
5679F0 UpdateArmor
patches
505F56 collision M2 (1)
505DDE collision M2 (2)
50F1AA collision WMO
797Ab3 inf jump patch
6CFA9D Language Patch
5DE3C4 Walk on water patch
statics
A368DC lua unprotect
9D3BE4 AirJumpVelocity
9D3BE8 WaterJumpVelocity
97C7C8 GameSpeed
99B37C Gravity
A3E7F0 FallSpeed
10B65F4 pPointer
993D80 wall-climb angle
wotlk general (3.0.9 and below)
P-base offsets for wotlk
0x800 movement state
0x803 movement state 2
0x83C fall time
0x840 starting jump position
0x848 points to current speed
0x84C points to walk speed
0x850 points to run(forward)
0x854 points to run(backward)
0x858 points to swim(forward)
0x85C points to swim(backward)
0x860 points to flying speed
0x864 flying speed (backwards)
0x874 jump momentum
0x898 width
0x89C height
0x8A0 climb offset
0x7EC map id? (i still didn't check if this was correct :S )
0x7D0 X coord
0x7D4 Y coord
0x7D8 Z coord
0x7DC rotation
0x808 starting X coord
0x80C starting Y coord
0x810 starting Z coord
0x814 starting orientation
0x9C player scale
0x2648 my GUID
0x26E8 targets GUID
0x2788 player state
0x2778 faction
0x3C78 hunter tracking
WOTLK 3.0.9 build 9551 stuff
functions:
4B50F0h UpdateCamera
681F60h UpdateMountDisp
46FD80h ObjDelete
5F9850h SendPacket
402DB0h ReleasePacket
7CAED0h PerformanceCounter
666690h LoadMovePacket
401070h GenPacket
6806D0h UpdateModel
66E6E0h PossessNPC
patches:
7129FEh collision M2
71288Eh collision M2
71bF3Ah collision WMO
8D7908h Inf jump patch
491B2Dh Language patch
696B24h Walk on water patch
8DAA37h nofalldmg
558514h flypatch1
61464Fh flypatch2
614A12h flypatch3
8D718Ah flypatch4
statics:
127F13Ch Ppointer
10A68D0h mouse over target GUID
92F588h game speed
100CD40h fall speed
9A9A80h jump velocity(water)
9A9A7Ch jump velocity(land)
0FC64ECh Lua Unprotect
p-Base = (((127F13C) +30) +2
WOTLK 3.0.3 build 9183 stuff
0x0096C428 player VMT pointer
0x0093A788 unit VMT pointer
0x0093A788 dynamic object VMT pointer
0x0096CE08 item VMT pointer
0x0096E0E8 game object VMT pointer
0x0096CCF0 container VMT pointer
0x0096CC08 corpse VMT pointer
patches
0x712A2E collision M2(1) SPECIAL 2 bytes change to 0x1DEB
0x7128BE collision M2(2) REGULAR 2 bytes change to 0xB4E9
0x71BA6A collision WMO 2 bytes change to 0x9090
0x8D6598 infinite jump patch 2 bytes change to 0x0075
statics
float 0x10A58A8 mouse over target GUID
float 0x92E52C game speed
float 0x100B5A0 fall speed
float 0x9717C8 Mountain Climb angle
float 0x96C9D4 gravity
float 0x9A8270 jump momentum (water)
float 0x9A826C jump momentum (land)
WorldFrame pointer 127E014
P-base pointer = (((WorldFrame pointer) +30) +2
WOTLK 3.0.2 build 9056 stuff
0x0096AC90 item VMT pointer
0x0096AB78 container VMT pointer
0x0096A2B0 player VMT pointer
0x0096AA90 corpse VMT pointer
0x0096C6A0 unit VMT pointer
0x0096BF50 game object VMT pointer
0x0096A908 dynamic object VMT pointer
patches
0x00711E4E collision M2(1) SPECIAL 2 bytes change to 0x1DEB
0x00711CDE collision M2(2) REGULAR 2 bytes change to 0xB4E9
0x0071AF1A collision WMO 2 bytes change to 0x9090
0x008D53D8 infinite jump patch 2 bytes change to 0x0075
static addresses
Float 0x0092C530 game speed
Float 0x01009560 fall speed
Float 0x0093058C speed of time
Float 0x0096F640 Mountain Climb angle
Float 0x0096A85C gravity
Float 0x009A606C jump momentum (land)
Float 0x009A6070 jump momentum (water)
pointers
WorldFrame pointer 0127BFFC
camera pointer ((10A3D74) + 779C)
P-base pointer = (((WorldFrame pointer)+ 0x30)+ 0x2
2.4.3 and below st00fz
camera pointer is a double pointer! first offset is 732c second offset points to what you want with the camera (because i'm lazy i am not going to expand on this, i will leave finding specific offsets to you) one offset i do know (thanks to kyonx) is 100 which is camera Z.
0x00C6ECCC camera pointer (2.4.3)
0x00DDEFF4 camera pointer (2.4.2)
0x00DD8BF4 camera pointer (2.4.1)
0x00DD1FB4 camera pointer (2.4.0)
0x00E29D28 2.4.3 player base
0x00E8AA38 2.4.2 player base
0x00E849E0 2.4.1 player base
0x00E7D9E0 2.4.0 player base
2.4.3 static addresses
0x008C8398 Mountain Climb angle default value 0.6427 (float)
0x00BC4AF8 fall speed, 60.1480026245117 default value (float) set to -1 and you fall up
0x008F7AC8 jump height/velocity -7.955547 default value (float)
0x008C8458 gravity, 19.2911033630371 default value (double)
0x00890608 game speed, 0.00100000004749745 default value (double)
0x0089060B game speed 2, 1.02048421388683E253 default value (double) messing with this will freeze time
0x00890750 speed of time, 1000 default value (double) time moves faster, you appear slower
0x0088D5E8 rendering, 0.5 default value (double) ****s shit up. but fun to screw with, ( 0.2 and 2 D: )
2.4.3 patches
0x006A4B6E walk through GO's (highlight able). (0x968B1D74) default value 4 byte {HEX}. (0x968B1DEB) to walk through!
0x006A49FE walk through GO's (non-highlight). (0x00B3840F) default value 4 byte {HEX}. (0x0000B4E9) to walk through!
0x006AC9EA walk through buildings (0xC0320675) default value 4 byte {HEX}. (0xC0329090) to walk through!
0x007B98DE jump patch (0x46F64175) default value 4 byte {HEX} change to (0x46F60075) for infinite jumps!
2.4.2 static addresses
0x008A00C8 MC angle default value 0.6427 (float)
0x00949694 fall speed 60.148 default value (float)
0x008ADAE0 gravity 19.2911 default value (double)
0x00899900 game speed 0.0010 default value (double)
2.4.2 patches
0x0052312E walk through GO's(highlightable) (0x968B1D74) default value 4 byte {HEX}. (0x968B1DEB) to walk through!
0x00522FBE walk through GO's (non-highlight) (0x00B3840F) default value 4 byte {HEX}. (0x0000B4E9) to walk through!
0x0052A9DA walk through buildings (0xC0320675) default value 4 byte {HEX}. (0xC0329090) to walk through!
0x0076024E jump patch (0x46F64175) default value 4 byte {HEX} change to (0x46F60075) for infinite jumps!
2.4.1 static addresses
0x0089DE50 mc angle default value 0.6427 (float)
0x00946564 fall speed 60.148 default value (float)
0x008A9BB0 gravity 19.29 default value (double)
0x008976E0 game speed 0.0010 default value (double)
2.4.1 patches
0x00522CEE walk through GO's(highlightable) (0x968B1D74) default value 4 byte {HEX}. (0x968B1DEB) to walk through!
0x00522B7E walk through GO's (non-highlight) (0x00B3840F) default value 4 byte {HEX}. (0x0000B4E9) to walk through!
0x0052A56A walk through buildings (0xC0320675) default value 4 byte {HEX}. (0xC0329090) to walk through!
0x0075EDDE jump patch (0x46F64175) default value 4 byte {HEX} change to (0x46F60075) for infinite jumps!
2.4.0 static addresses
0x0089DE50 mc angle default value 0.6427 (float)
0x00946564 fall speed 60.148 default value (float)
0x008AB9D0 gravity 19.29 default value (double)
0x008976D8 game speed 0.0010 default value (double)
2.4.0 patches
0x00522D3E walk through GO's(highlightable) (0x968B1D74) default value 4 byte {HEX}. (0x968B1DEB) to walk through!
0x00522BCE walk through GO's (non-highlight) (0x00B3840F) default value 4 byte {HEX}. (0x0000B4E9) to walk through!
0x0052A5BA walk through buildings (0xC0320675) default value 4 byte {HEX}. (0xC0329090) to walk through!
0x0075F29E jump patch (0x46F64175) default value 4 byte {HEX} change to (0x46F60075) for infinite jumps!
Most movement related offsets *grey ones have a decent use*
C00 points to vertical orientation, no default value (float)
C20 points to movement state 0 default value (4 byte) {HEX}
C23 points to movement type 128 default value (4 bytes)
C28 points to starting X point, X coord default value (float)
C2C points to starting Y point, Y coord default value (float)
C30 points to height in water, no default value (float)
C34 points to starting orientation , no default value (float) *point at which you start*
C38 points to starting V orientation, no default value (float) *point at which you start*
C3C points to odd movement thing, no default value (double)
C40 points to forward movement angle, no default value (float)
C44 points to forward movement angle, no default value (float)
C48 points to turning movement angle, no default value (float)
C4C points to turning movement angle, no default value (float)
C50 points to turning movement angle, no default value (float)
C54 points to allowed to turn while moving, no default value (float) *test*
C5C points to fall time, 824 default value (4 byte) *effects how much fall damage you take*
C60 points to starting Z point, Z coord, default (float) *jump starting position*
C68 points to current speed, no default value (float) *effects all other speeds also while moving!*
C6C points to walk speed 2.5 default value (float)
C70 points to run(forward) 7 default value (float)
C74 points to run(backward) 4.5 default value (float)
C78 points to swim(forward) 4.72222185134888 default value (Float)
C7C points to swim(backward) 2.5 default value (float)
C80 points to flying speed 7 default value (float) *changes forward and backward*
C84 points to flying speed(backward) 4.5 default value (float)
C88 points to turning speed, 3.14 default value (float)
C8C points to jump height, -7.955547 default value *after jump* (float)
CB0 points to player... thing, 1 default value (float) *set to 200 to climb most things similar to wall climb* (still tryin ta figure this 1 out)
player size
CA8 points to width (as in how fat), 0.2777 default value (float) *set it to 0 to noclip through ANYTHING (includes floor XD)*
CAC points to height (as in how tall), 2.25 default value (float)
9C points to player scale, 1 default value (float)
location
BEC points to map ID, no default value (4 byte) *not entirely sure*
BF0 points to X coord, no default value (float)
BF4 points to Y coord, no default value (float)
BF8 points to Z coord, no default value (float)
BFC points to orientation, no default value (float)
MISC
3AC8 points to hunter tracking, 0 default value (byte)
28E4 points to emote state, 0 default value (4 byte)
26CC points to player faction, no default value (4 byte)
F40 points to casting spell, 0 default value (4 byte)
2640 points to my GUID, no default value (4/8 byte) {HEX}
2680 points to target GUID, no default value (4/8 byte) {HEX}
26D0 points to player race, no default value (byte)
26D1 points to player class, no default value (byte)
26D2 points to player sex, no default value (byte)
26D3 points to power type, no default value (byte)
26F8 points to playerState, 8 default value (4 byte) {HEX}
0x00DA563C address
80 points to can mount, no default value (byte)
2.4.3 VMT pointers
although these addresses aren't constant through patches they will always be at the start of the specific structure in memory (ie, if you searched for the player constant in CE or some other debugger, all the addresses that appear will be players around you *or you*)
0x008C32B8 PLAYER VMT pointer
0x008C5580 UNIT VMT pointer
0x008C3A70 CONTAINER VMT pointer
0x008C3B60 ITEM VMT pointer
0x008CFF90 M2 VMT pointer
0x008C4AF0 GAME_OBJECT VMT pointer
0x008C3860 DYNAMIC_OBJECT VMT pointer
0x008C39B8 CORPSE VMT pointer
to use these simply open up CE, click the add address manually button, select pointer and use the base address (which i posted at the top) as the address and these number/letter combos (such as C6C for walk speed) to get the actual value.
here are also some notes i took on it.
*notes*
movement state
movement state can be used to unroot you, if you ever find yourself rooted. Just set it to 00000000 (8 0's) and you will be unrooted. This counts for logging out root/gm root/gryphon riding root (unrooting yourself while on a gryphon has some weird effects).
0x1 = Moving Forward
0x2 = Moving Backward
0x4 = Strafing Left
0x8 = Strafing Right
0x10 = Turning Left
0x20 = Turning Right
0x100 = Walking
0x400 = floaty thing
0x1000 = falling
0x4000 = Fall Forwards
0x8000 = Fall Backwards
0x2000 = Freefall/Jumping
0x10000 = Strafing while jumping
0x200000 = Swimming
0x10000000 = Spirit Form
0x80000000 = Unknown
*note: 0x400 in particular interests me, it lets you levitate at the same height, you can go up but never down, it basically lets you walk on air at the same height you are at (example: I'm on a cliff. I walk off the cliff, instead of falling, I still walk at the same height as before)*
movement type
1 = flyhack (can land)
2 = flyhack (can't land *swim-like*)
16 = whisp * walk on water*
64 = floating (levitate)
80 = (floaty dead?)
128 = normal
129 = (flyhack actual gm-like value)
130 = (flyhack *there's a lot of different ones, here's another, swim-like*)
144 = (dead) *walk on water*
160 = slow fall
notes: playerState *note* this is the real player state.
0x000008 not in combat *can be used to fake not in combat
0x00000C logging out *can be used to wall-climb
0x001008 pvp toggled * can be used to either force others to be pvp toggled >:3
0x080008 in combat
0x10000C on a taxi
0x400008 blinded
0x0C0008 stunned
hunter tracking
0 = Nothing
1 = Beasts
2 = Dragonkin
4 = Demons
8 = Elementals
16 = Giants
32 = Undead
64 = Humanoids
132 = Misc
255 = Everything
emote state
0 = None
1 = Talk
2 = Bow
3 = Wave
4 = Cheer
5 = Exclamation
6 = Question
7 = Eat
10 = Emote State Dance
11 = Laugh
12 = Emote State Sleep
13 = Emote State Sit
14 = Rude
15 = Roar
16 = Kneel
17 = Kiss
18 = Cry
19 = Chicken
20 = Beg
21 = Applaud
22 = Shout
23 = Flex
24 = Shy
25 = Point
26 = stand
27 = ready unarmed
28 = work
29 = point
30 = none
33 = Wound
34 = wound critical
35 = attack unarmed
36 = attack 1h
37 = attack 2h tight
38 = attack 2h loose
39 = parry unarmed
43 = parry shield
44 = ready unarmed
45 = ready 1h
48 = ready bow
50 = spell precast
51 = spell cast
53 = battle roar
54 = special attack 1h
60 = Kick
61 = attack thrown
64 = Stun
65 = Dead
66 = Salute
68 = Kneel
69 = use standing
70 = wave no sheath
71 = cheer no sheath
92 = eat no sheath
93 = stun no sheath
94 = Dance
113 = salute no sheath
133 = use standing no sheath
153 = laugh no sheath
173 = work no sheath
193 = spell precast
213 = ready rifle
214 = ready rifle
233 = work no sheath mining
234 = work no sheath chopping
253 = lightOff (old)
254 = LiftOff
273 = Yes
274 = No
275 = Train
293 = Land
313 = at ease
333 = ready 1h
353 = spell kneel start
373 = submerged
374 = submerge
375 = ready 2h
376 = ready bow
377 = MountSpecial
378 = Talk
379 = Fishing
380 = Fishing
381 = Loot
382 = whirlwind
383 = drowned
384 = hold bow
385 = hold rifle
386 = hold thrown
387 = drown
388 = stomp
389 = attack off
390 = attack off pierce
391 = roar
392 = laugh
393 = creature special
394 = JumpLandRun
395 = JumpLand
396 = talk no sheath
397 = point no sheath
398 = cannibalize
399 = Jumpstart
400 = DanceSpecial (Human Only)
401 = DanceSpecial (Human Only)
402 = custom spell 1
403 = custom spell 2
404 = custom spell 3
405 = custom spell 4
406 = custom spell 5
407 = custom spell 6
408 = custom spell 7
409 = custom spell 8
410 = custom spell 9
411 = custom spell 10
412 = Exclaim
415 = Sit Chair
also, the lower the value of the mountain climb angle the steeper the angle you can climb.
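Added example, not from the original post: the kind of code-integrity check these byte patches run up against. It diffs a live copy of a code region against a known-good baseline and labels each change by the x86 opcodes involved. The four default/patched values are the 2.4.x ones listed above; the buffer layout, offsets, labels and function names are constructed for the demonstration.

```python
import struct

# (default, patched) 4-byte values from the post's 2.4.x patch tables.
# They sit little-endian in the code section, so 0x968B1D74 is bytes 74 1D 8B 96.
PAGE_PATCHES = {
    "walk through GO (highlightable)": (0x968B1D74, 0x968B1DEB),
    "walk through GO (non-highlight)": (0x00B3840F, 0x0000B4E9),
    "walk through buildings": (0xC0320675, 0xC0329090),
    "jump patch": (0x46F64175, 0x46F60075),
}


def build_region(patched: bool) -> bytes:
    """Constructed code region: the four dwords separated by 0xCC padding."""
    pad = b"\xcc" * 12
    idx = 1 if patched else 0
    return pad + pad.join(struct.pack("<I", v[idx]) for v in PAGE_PATCHES.values()) + pad


def diff_runs(baseline: bytes, live: bytes):
    """Return (offset, old_bytes, new_bytes) for each contiguous modified run."""
    if len(baseline) != len(live):
        raise ValueError("regions must be the same size")
    runs, start = [], None
    for i, (a, b) in enumerate(zip(baseline, live)):
        if a != b and start is None:
            start = i
        elif a == b and start is not None:
            runs.append((start, baseline[start:i], live[start:i]))
            start = None
    if start is not None:
        runs.append((start, baseline[start:], live[start:]))
    return runs


def classify(baseline: bytes, offset: int, old: bytes, new: bytes) -> str:
    """Label a modification by what it does to the branch it touches."""
    if all(b == 0x90 for b in new):
        return "nop-fill"                      # instruction bytes replaced by NOPs
    if old[0] in (0x74, 0x75) and new[0] == 0xEB:
        return "jcc->jmp short"                # JE/JNE rel8 forced to JMP rel8
    if old[0] == 0x0F and len(old) > 1 and old[1] & 0xF0 == 0x80 and new[0] == 0xE9:
        return "jcc->jmp near"                 # Jcc rel32 rewritten as JMP rel32
    if offset > 0 and baseline[offset - 1] in (0x74, 0x75) and new == b"\x00":
        return "jcc displacement zeroed"       # branch now falls through either way
    return "unclassified"


def scan(baseline: bytes, live: bytes):
    """Integrity report: one (offset, label) entry per modified run."""
    return [(off, classify(baseline, off, old, new))
            for off, old, new in diff_runs(baseline, live)]


if __name__ == "__main__":
    for offset, label in scan(build_region(False), build_region(True)):
        print(f"+0x{offset:02x}: {label}")
```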