# Forum > Diablo 2 Resurrected > Diablo 2 Resurrected Bots and Programs >  [0.1.62115] Offsets

## ejt

<removed, you go figure it out>

----------


## Crazyloon

Any idea how we can apply these patches using Ferib's method of bypassing crc32 checks?

We've got a text file that should make it pretty easy to apply additional patches... it looks like this:



```
0xD4AD68:9090
0xD4E25F:909090909090
0xCAFB9D:90B001
0x597E1C:90909090909090
0xC5E81C:9090C346455242: ~ MP stack corruption bypass
0xD615F2:909090909090909090909090909090909090909090909090909090: ~ show all classes on load (shalzuth)
0x39FC03:9090909090909090909090909090909090909090: ~ allow chars to load (shalzuth)
```

I want to do something like this to display item levels:
`0x1EE2990:871`

----------
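
The patches.txt format above is simple enough to handle mechanically. The following is an added example in Python (not Crazyloon's loader and not Ferib's code): it parses lines of that format, applies them to an in-memory copy of the module laid out by RVA, and warns when an all-0x90 write lands in a writable data section, which is the mistake ejt points out later in the thread (0x90 is the x86 nop opcode; an 8-bit flag wants 01). The section layout and the zero-filled image are constructed for the demo and are not game.exe's real section table; the sample lines are copied from the thread.

```python
"""Parser and in-memory applier for the patches.txt format quoted above.

Line format (as used in the thread):  0x<RVA>:<hex bytes>[: ~ comment]
A leading // disables a line.  RVAs are relative to the game.exe module base.
"""
import re
from dataclasses import dataclass

# Optional leading //, hex RVA, hex byte string, optional ": ~ comment" / " ~ comment" tail.
LINE_RE = re.compile(
    r"^(//)?\s*0x([0-9A-Fa-f]+)\s*:\s*([0-9A-Fa-f]+)\s*(?::?\s*~\s*(.*?))?\s*$"
)

# Constructed section layout for the demo; NOT the real game.exe section table.
# (name, first RVA, one-past-last RVA, writable)
DEMO_SECTIONS = [
    (".text", 0x1000, 0x1D00000, False),
    (".data", 0x1D00000, 0x1F00000, True),
]

# Lines copied from the thread, with displayItemLevel written as 01 (ejt's advice).
SAMPLE_PATCHES = """\
0xD4AD68:9090
0xC5E81C:9090C346455242: ~ MP stack corruption bypass
0x1EE3200:90: ~ allowLadderRunewords
0x1EE3201:01: ~ displayItemLevel
0x1EE3203:90 ~ enableUberQuest
//0x1EE3211:90: ~ worldEventMonsterClass (probably needs correct ID for Uber Diablo)
"""


@dataclass
class Patch:
    rva: int
    data: bytes
    comment: str
    disabled: bool


def parse_patches(text):
    """Parse patches.txt text; raise on malformed lines instead of silently skipping them."""
    patches = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
        disabled, rva_hex, data_hex, comment = m.groups()
        if len(data_hex) % 2:
            raise ValueError(f"line {lineno}: odd-length hex string {data_hex!r}")
        patches.append(Patch(int(rva_hex, 16), bytes.fromhex(data_hex),
                             (comment or "").strip(), disabled is not None))
    return patches


def section_for(rva, sections):
    for name, start, end, writable in sections:
        if start <= rva < end:
            return name, writable
    return None


def apply_patches(image, patches, sections):
    """Write enabled patches into `image` (a bytearray indexed by RVA); return warnings.

    Rejects patches that fall outside a section or straddle two sections.
    Flags all-0x90 writes into writable data: 0x90 is the x86 nop opcode and
    only makes sense in code; an 8-bit flag in .data wants 01.
    """
    warnings = []
    for p in patches:
        if p.disabled:
            continue
        first = section_for(p.rva, sections)
        last = section_for(p.rva + len(p.data) - 1, sections)
        if first is None or last is None or first[0] != last[0]:
            raise ValueError(f"0x{p.rva:X}: patch not inside a single section")
        name, writable = first
        if writable and set(p.data) == {0x90}:
            warnings.append(
                f"0x{p.rva:X} ({p.comment or 'no comment'}): writes nop (0x90) into "
                f"writable section {name}; an 8-bit flag should be set to 01"
            )
        image[p.rva:p.rva + len(p.data)] = p.data
    return warnings


def demo():
    """Apply the sample lines to a zero-filled image; return (image, warnings)."""
    image = bytearray(0x1F00000)  # constructed: zero-filled, large enough for the sample RVAs
    warnings = apply_patches(image, parse_patches(SAMPLE_PATCHES), DEMO_SECTIONS)
    return image, warnings
```

With the thread's own lines, the two 0x90 flag writes get flagged while the .text nop patches do not. This only simulates the write at load time; it cannot see the problem Crazyloon and ejt describe later, where the game overwrites the flag again after startup.

----------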


## ejt

You need to modify the memory using Cheat Engine or some other software that can modify it. It is an 8-bit integer: 0 = false, 1 = true.

----------


## Crazyloon

Ah, ok... never mind I figured it out.


Adding `0x1EE3201:90` to patches.txt will make item levels show.

I'm still testing the rest

*NOTE: Using this approach will not work in any version since I posted this. There is a race condition causing them to be overwritten. The suggested approach is to use Cheat Engine to modify these values manually.*
```
0x1EE3200:90: ~ allowLadderRunewords
0x1EE3201:90: ~ displayItemLevel
0x1EE31FF:90: ~ allowCowPortalWhenCowKingWasKilled
0x1EE3203:90: ~ enableUberQuest
0x1EE3202:90: ~ allowStatUnassignment
0x1EE3204:90: ~ allowSkillUnassignment (doesn't seem to be working)
0x1EE320D:90: ~ enableWorldEventOffline (Assume Uber Diablo - haven't tested)
0x1EE320E:90: ~ enableMultipleHirelings
//0x1EE3211:90: ~ worldEventMonsterClass (probably needs correct ID for Uber Diablo)
//0x1EE3215:90: ~ worldEventGlobalMessage (probably needs correct ID for the string to reference)
//0x1EE3315:90: ~ worldEventGlobalSound (probably needs correct ID for audio file to reference)
```

----------


## oclurker

> +0x870 = allowLadderRunewords

> 0x1EE3200:90: ~ allowLadderRunewords

Can confirm ladder runewords are enabled!

Ty sir @ejt

----------


## ZeltMarv

Thank you!!

Any chance you could find a patch to enable "alwaysRegenMapInSP"?

EDIT: 

0x1EE31FC:90: ~ AlwaysRegenMapInSP

This seems to be the switch but it doesn't seem to do anything.

----------


## ejt

> Thank you!!
> 
> Any chance you could find a patch to enable "alwaysRegenMapInSP"?
> 
> EDIT: 
> 
> 0x1EE31FC:90: ~ AlwaysRegenMapInSP
> 
> This seems to be the switch but it doesn't seem to do anything.


Are you sure you understand what it *should* do?

Given the name I think setting it to 1 will make it so you get a new map seed every time you save and exit.

Edit: If you insist on using the patch.txt file for making changes to the .data memory section, at least use *01* instead of *90* when setting an 8-bit integer to true.

----------


## Crazyloon

@ejt what was your technique for finding these values and their purpose? I would like to find others. Specifically, EnableLadderUniqueItems

----------


## ejt

> @ejt what was your technique for finding these values and their purpose? I would like to find others. Specifically, EnableLadderUniqueItems


Just lurking around in IDA and trying to figure out what stuff does, searching for strings and going down the rabbit hole.

----------


## ejt

<removed, you go figure it out>

----------


## lanzajamones

> Ah, ok... never mind I figured it out.
> 
> 
> adding
> 0x1EE3201:90 
> to patches.txt will make item levels show
> 
> I'm still testing the rest
> 
> ...


I extracted the CASC storage and it seems the game uses the classic patchstring.tbl, so if it works the game should show it.
If we could find some way to modify the CASC or make game.exe load "local files", we could test more things.

If we can access the CASC, we won't need the next beta test either, just mod the current game with the next CASC.

----------


## ejt

<removed, you go figure it out>

----------


## MrNoble

There is one function making use of that configuration offset, xref that function and you will be able to find plenty of functions making use of that function.
For those who didn't know yet, the return value _(the configStruct in our case)_ will be stored in register RAX when the function returns.

func sig:


```
48 83 EC ?? E8 ?? ?? ?? ?? 48 C7 C1 FF FF FF FF
```



FYI these patches are located in the .data section and do not need any special type of bypass AFAIK.

----------
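
Added example in Python (not MrNoble's or anyone else's tooling from the thread) of what you do with a signature like the one above: compile the `??` wildcards into a bytes regex, require exactly one hit (a signature that matches more than once is not a usable signature), and then decode the `E8 rel32` call that follows the `48 83 EC ??` so you also get the callee. The byte image is constructed: a dummy callee at 0x100 and the signature's instruction sequence at 0x200; nothing in it comes from game.exe.

```python
"""Wildcard signature scan and E8 near-call decoding over a raw byte image.

Offsets are positions within the buffer.  Over a dumped module they are RVAs;
over the file on disk they are file offsets and need the section table to
become RVAs.
"""
import re

# The signature from the post above: sub rsp, imm8 ; call rel32 ; mov rcx, -1
CONFIG_FUNC_SIG = "48 83 EC ?? E8 ?? ?? ?? ?? 48 C7 C1 FF FF FF FF"


def compile_sig(sig):
    """Translate an IDA/CE style byte signature ('??' = wildcard) into a bytes regex."""
    parts = []
    for tok in sig.split():
        if tok in ("?", "??"):
            parts.append(b".")
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    # DOTALL so the wildcard also matches 0x0A, which '.' otherwise excludes.
    return re.compile(b"".join(parts), re.DOTALL)


def find_sig(image, sig):
    """Return every offset at which the signature matches."""
    return [m.start() for m in compile_sig(sig).finditer(image)]


def find_unique(image, sig):
    """A signature is only usable if it matches exactly once; raise otherwise."""
    hits = find_sig(image, sig)
    if len(hits) != 1:
        raise ValueError(f"signature matched {len(hits)} times, expected exactly 1")
    return hits[0]


def call_target(image, call_off):
    """Decode `E8 rel32` at call_off; rel32 is relative to the next instruction."""
    if image[call_off] != 0xE8:
        raise ValueError(f"no E8 opcode at 0x{call_off:X}")
    rel = int.from_bytes(image[call_off + 1:call_off + 5], "little", signed=True)
    return call_off + 5 + rel


def locate_config_getter(image):
    """Return (function offset, callee offset) for CONFIG_FUNC_SIG in `image`."""
    func = find_unique(image, CONFIG_FUNC_SIG)
    return func, call_target(image, func + 4)  # the E8 follows the 4-byte `48 83 EC xx`


def build_sample_image():
    """Constructed image: a dummy callee at 0x100 and the signature's code at 0x200."""
    image = bytearray(0x400)
    image[0x100:0x104] = bytes.fromhex("4831C0C3")        # xor rax, rax ; ret
    rel = 0x100 - (0x200 + 4 + 5)                         # callee - end of the 5-byte call
    code = (bytes.fromhex("4883EC28")                     # sub rsp, 0x28
            + b"\xE8" + rel.to_bytes(4, "little", signed=True)
            + bytes.fromhex("48C7C1FFFFFFFF"))            # mov rcx, -1
    image[0x200:0x200 + len(code)] = code
    return bytes(image)
```

`locate_config_getter(build_sample_image())` returns `(0x200, 0x100)`. The callee is the interesting part for MrNoble's point: it is the function whose return value in RAX is the config struct, so its own xrefs are where the individual flags get read.

----------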


## ejt

<removed, you go figure it out>

----------


## Crazyloon

I find this very interesting. I wonder if we can figure out how to turn the console on and see if there is any interesting information in there.

possible_console.png

How do you find a memory offset for something like this in Cheat Engine? I understand, in Cheat Engine, we can manually add an address if we know the offset.

So how did you go from something like this in IDA:
`.rdata:0000000141A1B528 aAllowladderrun db 'allowLadderRunewords',0`

to something like this in Cheat Engine:
`game.exe+0x1EE3200`

----------
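
Going from an IDA address to a Cheat Engine `game.exe+offset`, as an added example in Python (not from any poster in the thread): IDA shows virtual addresses at the ImageBase from the PE optional header (0x140000000 for this binary), Cheat Engine shows the same location as module base plus RVA, and at runtime the module base is wherever ASLR put it. The code parses the PE32+ headers for ImageBase and the section table, maps an RVA to its section (which is what tells .text opcodes from .data flags), and converts between the three address spaces. The header blob is constructed for the demo and its section layout is invented, not game.exe's. The runtime base 0x7FF694510000 is an assumption chosen so that madowsky's address 0x7FF6963F3200 later in the thread maps to RVA 0x1EE3200.

```python
"""Address-space mapping for a PE32+ module (constructed demo, not game.exe's layout).

IDA:          virtual address = ImageBase (PE header) + RVA
Cheat Engine: game.exe+RVA
Runtime:      ASLR'd module base + RVA
"""
import struct
from dataclasses import dataclass

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


@dataclass
class Section:
    name: str
    rva: int
    size: int
    raw_offset: int
    characteristics: int

    @property
    def writable(self):
        return bool(self.characteristics & IMAGE_SCN_MEM_WRITE)

    @property
    def executable(self):
        return bool(self.characteristics & IMAGE_SCN_MEM_EXECUTE)

    def contains(self, rva):
        return self.rva <= rva < self.rva + self.size


def parse_pe(data):
    """Return (ImageBase, [Section]) from the headers of a PE32+ file image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x20B:
        raise ValueError("only PE32+ (x64) is handled here")
    image_base = struct.unpack_from("<Q", data, opt + 24)[0]  # IMAGE_OPTIONAL_HEADER64.ImageBase
    sections = []
    for i in range(nsections):
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append(Section(name.rstrip(b"\0").decode(), va, max(vsize, rawsize), rawptr, chars))
    return image_base, sections


def section_of(rva, sections):
    for s in sections:
        if s.contains(rva):
            return s
    raise ValueError(f"RVA 0x{rva:X} is not inside any section")


def ida_va_to_rva(va, image_base):
    """.rdata:0000000141A1B528 -> 0x1A1B528 when ImageBase is 0x140000000."""
    return va - image_base


def runtime_to_rva(addr, module_base):
    """Absolute address seen in Cheat Engine -> the RVA of game.exe+RVA."""
    return addr - module_base


def rva_to_file_offset(rva, sections):
    """Where the same bytes sit in the on-disk file (for a hex editor)."""
    s = section_of(rva, sections)
    return s.raw_offset + (rva - s.rva)


def build_sample_headers():
    """Constructed PE32+ headers; the section layout is made up for the demo."""
    def sect(name, va, size, raw, chars):
        return struct.pack("<8sIIIIIIHHI", name, size, va, size, raw, 0, 0, 0, 0, chars)

    r, w, x, code = IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE
    sections = (sect(b".text", 0x1000, 0x1A00000, 0x400, code | x | r)
                + sect(b".rdata", 0x1A01000, 0x200000, 0x1A00400, r)
                + sect(b".data", 0x1E00000, 0x100000, 0x1C00400, r | w))
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)             # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 3, 0, 0, 0, 0xF0, 0x22)  # x64, 3 sections
    opt = struct.pack("<HBBIIIII", 0x20B, 14, 0, 0, 0, 0, 0x1000, 0x1000)
    opt += struct.pack("<Q", 0x140000000)                           # ImageBase, as IDA shows it
    opt += b"\0" * (0xF0 - len(opt))
    return dos + b"PE\0\0" + coff + opt + sections
```

Note that the string's own address (0x141A1B528, RVA 0x1A1B528, in .rdata) is not the flag's address; as dschu012's reply below says, the flag address comes from following the code that references the string. The conversion here is what turns whatever IDA shows at the end of that chain into the `game.exe+RVA` that Cheat Engine wants.

----------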


## QuadroTony

Can anyone help me? How do I unlock Hell? I don't need other saves, I want it on mine,
so I need to edit my save.
I already figured out how to unlock Nightmare with a hex editor,
but not Hell.

----------


## dschu012

> anyone can help me. how to unlock Hell? i dont need other saves, i want it on mine
> so i need to edit my save
> already figured out how to unlock Nightmare with HEX editor
> but not Hell


d2s - Example

Load your save. Click 'Unlock Hell'. Click 'Save D2R'.

----------


## QuadroTony

> Did some work on UI stuff today, got the panel manager offset and some structures to go with it.
> 
> PanelManager = 0x234AF30
> There is also a copy on 0x234AF40 but haven't looked into what that is used for yet.
> 
> InitializePanelManager = 0x5A3C50
> InitializeGameWidgets = 0x5B30B0 lot of initialization going on in there
> 
> 
> ...




Do you think it will be possible to turn on the gamepad UI and other gamepad features, but play with keyboard and mouse?

----------


## QuadroTony

> Ah, ok... never mind I figured it out.
> 
> 
> adding
> 0x1EE3201:90 
> to patches.txt will make item levels show
> 
> I'm still testing the rest
> 
> ...



Not working for me.

At least I can't see item levels.

Didn't test other things. What am I doing wrong? Tried 01 instead of 90 as suggested a few posts above, same issue.

----------


## dschu012

> I find this very interesting. I wonder if we can figure out how to turn the console on and see if there is any interesting information in there.
> 
> Attachment 77216
> 
> How do you find a memory offset for something like this in Cheat Engine? I understand, in Cheat Engine, we can manually add an address if we know the offset.
> 
> So how did you go from something like this in IDA:
> .rdata:0000000141A1B528 aAllowladderrun db 'allowLadderRunewords',0
> 
> ...


I can't claim to be great at this either. But I'd search for references to the string in code. That narrowed me down to

Untitled.png

You can see they call a func which we can presume checks for s_show_console being set. You can see the result of the call being stored in Game.exe+0x22E1CB8. However, neither patching that address nor patching the instructions to just `MOV RAX,0x1` made any kind of difference in game for me.

----------


## ejt

> Not working for me.
> 
> At least I can't see item levels.
> 
> Didn't test other things. What am I doing wrong? Tried 01 instead of 90 as suggested a few posts above, same issue.


The way you're changing the value is at startup when you're using the patches.txt method of doing things. This is why you should load up something like Cheat Engine and modify the value yourself. What probably happens is that when you enter a game, or somewhere along the way, the game overwrites your modified value and makes the patch useless.

----------


## QuadroTony

> The way you're changing the value is at startup when you're using the patches.txt method of doing things. This is why you should load up something like Cheat Engine and modify the value yourself. What probably happens is that when you enter a game, or somewhere along the way, the game overwrites your modified value and makes the patch useless.


All other things inside patches.txt work fine, so it looks like just that item level parameter/address is incorrect.

----------


## ejt

> All other things inside patches.txt work fine, so it looks like just that item level parameter/address is incorrect.


You're wrong

----------


## iceblade7

> All other things inside patches.txt work fine, so it looks like just that item level parameter/address is incorrect.


Everything worked fine for me, but like ejt said, the program modifies values and it doesn't always work as it should.

----------


## Crazyloon

> All other things inside patches.txt work fine, so it looks like just that item level parameter/address is incorrect.


I recommend opening the game with Cheat Engine and modifying the values that way. There's a race condition when using patches.txt that can sometimes cause some of the values to be overwritten.

----------


## ejt

<removed, you go figure it out>

----------


## QuadroTony

Does anyone know how to be able to open the cow level after killing the Cow King?

Do I need to edit the save file, or the game exe itself, i.e. with Cheat Engine?

----------


## knochenrolf

> Does anyone know how to be able to open the cow level after killing the Cow King?
> 
> Do I need to edit the save file, or the game exe itself, i.e. with Cheat Engine?


Did you check the first page at all? It's posted there ^^

"game.exe+1EE31FF" set it to true

----------


## rm10

> Here's some offsets that will be needed for maphack later.
> 
> 
> 
> ```
> // tested globals
> PanelManager = 0x234AF30,
> AutomapLayer = 0x22E46E8,
> 
> ...


How did you adapt so well from x86 assembly to x64 to find the functions? Without being able to debug / breakpoint I'm still having a hard time understanding how everyone is finding so much useful stuff. Do you all really sit there for hours on end looking at the C code to find the similarities? Thanks for your contributions and findings.

----------


## ejt

> How did you adapt so well from x86 assembly to x64 to find the functions? Without being able to debug / breakpoint I'm still having a hard time understanding how everyone is finding so much useful stuff. Do you all really sit there for hours on end looking at the C code to find the similarities? Thanks for your contributions and findings.


Most of my experience comes from reversing World of Warcraft, which is also x64. Other than that there is not that much difference between x86 and x64, so it's not a hard swap to do.

And yes, I do sit for hours on end looking for stuff.

----------


## rm10

> Most of my experience comes from reversing World of Warcraft, which is also x64. Other than that there is not that much difference between x86 and x64, so it's not a hard swap to do.
> 
> And yes, I do sit for hours on end looking for stuff.


Roger that. Well thanks again <3.

----------


## rm10

> There wasn't anything yet so lets bring out heads together and see if we can't get some good info out of this alpha build.
> 
> I haven't looked a lot into the client just yet but this is what I found so far.
> 
> 0x1EE2990 is some sort of configuration global that has a lot of fun stuff. Further reversing needed
> 
> 
> ```
> +0x638	=  ??
> ...


Your mailbox is full, I'm trying to send you an invite.

----------


## djain

> Here's some offsets that will be needed for maphack later.
> 
> 
> 
> ```
> // tested functions
> LoadAct = 0x278BD0
> ```


LoadAct takes mapID as a parameter, right? Did you happen to find the offset where that is stored? I'm interested in finding it to see if procedural generation changed at all.

----------


## ejt

<removed, you go figure it out>

----------


## ejt

Added updated structures, offsets and function definitions in first post.

----------


## rm10

> Added updated structures, offsets and function definitions in first post.


Thank you for your efforts. I'm going to look further into it on the weekend.

Trying to find ReceivePacket function atm.

----------


## madowsky

> can confirm ladderrunewords are enabled!
> 
> Ty sir @ejt


Hello there, I am new but trying to figure out how I could make Ladder Runewords work in D2R.


That line (`0x1EE3200:90: ~ allowLadderRunewords`) was added into patches.txt. I also tried to add it via Cheat Engine with "Add Address Manually". I typed "0x7FF6963F3200" there with value "90" and nothing seems to happen after. Ladder runewords are still not working in game.

How can I force the game to do that (step by step) to make this happen?

----------


## ejt

> Hello there, I am new but trying to figure out how I could make Ladder Runewords work in D2R.
> 
> 
> That line (`0x1EE3200:90: ~ allowLadderRunewords`) was added into patches.txt. I also tried to add it via Cheat Engine with "Add Address Manually". I typed "0x7FF6963F3200" there with value "90" and nothing seems to happen after. Ladder runewords are still not working in game.
> 
> How can I force the game to do that (step by step) to make this happen?


The offset is most likely a boolean value.

Imagine something like this (pseudo-code):



```
if (GetConfig()->allowLadderRunewords == 0) { /* trying to create a runeword that is ladder-only */ }
```

Now this code would make it so setting the value of the variable to '0x90' will let you create ladder-only runewords.

Now take this code instead (again, pseudo-code):



```
if (GetConfig()->allowLadderRunewords == 1) { /* create runeword */ }
```

Here, setting the value of the variable to '0x90' will NOT work because the code itself is actually checking for the value '0x01' or 'true'.

EDIT: Additionally, I see a lot of people in this thread and the other thread about D2R-Offline make this mistake.

0x90 is actually an opcode called 'nop' which in executable code does NOTHING, hence why it's used in the patches to make different things work, like playing even though there is no connection to the battle.net service.

However, those that do not know about opcodes, or why they are used and where, just put 0x90 everywhere expecting things to work. The offsets posted in THIS thread are all data offsets, which have nothing to do with opcodes because they are in an R+W memory section (.data).

If you can't figure out the difference between an opcode and a boolean, maybe you should wait until the game actually releases or someone creates hacks to do the things you want. This thread is NOT supposed to be an AMA or support thread for how to use or abuse the information posted here! Stop asking questions which have already been explained, and if you don't have anything that is actually useful to share, open your own thread instead.

----------


## dschu012

Some random stuff



```
D2UnitStrc* pUnitList[5][128]; //Game.exe +0x22DA360


D2MonStatsTxt* pMonStatsTxt; //Game.exe +0x02312900;
D2SkillsTxt* pSkillsTxt; //Game.exe +0x02312B58; changed. now sizeof 0x25E
D2CharStatsTxt* pCharStatsTxt; //Game.exe +0x02312BE8;
D2ItemStatCostTxt* pItemStatCostTxt; //Game.exe +0x02312C00;
D2ItemTypesTxt* pItemTypesTxt; //Game.exe +0x02312C78;
D2SetItemsTxt* pSetItemsTxt; //Game.exe +0x02312CD8;
D2UniqueItemsTxt* pUniqueItemsTxt; //Game.exe +0x02312CF8;
D2GemsTxt* pGemsTxt; //Game.exe +0x023141C8;
D2ItemsTxt* pItemsTxt; //Game.exe +0x023141E0;
D2ItemsTxt* pWeapons; //Game.exe +0x023141F8;
D2ItemsTxt* pArmor; //Game.exe +0x02314200;
D2ItemsTxt* pMisc; //Game.exe +0x02314208;
```

pUnitList is a collection of units by unit type. The first index is the unit type excluding tiles (i.e. player, monster, missile, item). The second index is pUnit->UnitId % 128. You can get the current player from pUnitList[0][1].

Most of the txt tables look more or less the same as 1.14d except D2SkillsTxt. A lot of the structs can be found here: D2MOO/source/D2Common/include/DataTbls at master (ThePhrozenKeep/D2MOO on GitHub).

----------


## raph0x88

Any Discord I could join to help with this effort?

----------


## Darhole

Anyone happen to have messed around with the new beta and found offline patches?

----------


## dudeabides

This version looks different. Don't know if it will be possible to make it offline.

edit: They even removed the TCP/IP mode from the game so I doubt it will be possible.

edit 2: Maybe someone talented can patch the alpha version with the missing textures and voice lines from the full version later but that is probably a lot of work.

----------


## dudeabides

You can download the retail version now.

----------


## anon3259

> You can download the retail version now.


Looks like the executable is just a shell binary, not much we can do with it till launch.

----------


## ZLOFENIX

Released already.
Also, same as it was in beta: an SP game creates the game on Blizz servers.

----------


## 0x6f4b0000

Any tips on how to get around their anti-debugging mechanism? I moved to x64dbg for D2R. I want to start reversing some pointers but am not familiar with newer blizzard games.

----------

