-
Notifications
You must be signed in to change notification settings - Fork 18
Making a persistent loop plugin
If you don't know what a Persistent Loop Plugin is you can check it out on the introductory page.
In this guide you will learn how to read and write simple values from and to memory via pointers.
- Table of contents
- Requirements
- Setting a goal
- Grabbing a pointer
- Implementation
- Using the function
- Preventing Fireblight
To follow this guide you should know
- what a pointer is
- what it means to 'dereference' a pointer
- how to create a plugin for the game
- the basics of the C language
First we need to actually know what we want to do in our plugin.
For this example, I will be making a plugin to automatically get rid of Fireblight once the player gets affected by it.
We can do that by simply checking if the Fireblight timer is greater than 0, and if it is, we set it back to 0. This is because the game automatically applies buff/debuff effects if their timers are > 0.
In pseudocode:
START LOOP:
IF FIREBLIGHT_TIMER > 0:
FIREBLIGHT_TIMER = 0
END IF
END LOOP
Now that we have a goal, we of course need a pointer to this fireblight timer. There are many ways of going about this, but the most straight forward way is using Cheat Engine. If you don't know how to find values/pointers using CE, there are lots of tutorials on the internet that you can find with a quick google search. If you don't know where to start, here are 2 pretty good videos to get you started:
- Cheat Engine How to Pointer Scan with Pointermaps
- How to pointer scan and find offsets for any game using Cheat Engine
However for the prupose of this guide, I already have my pointer here:
MonsterHunterWorld.exe+0x506D270
+0x80
+0x7D20
+0x5EC
If you have absolutely no idea what you're looking at, I recommend watching one (or both) of the two videos mentioned above.
This is a 4 level deep pointer. Few things to take note of here: MonsterHunterWorld.exe+0x506D270
is the static base-address of the pointer. MonsterHunterWorld.exe
represents the image base address of the process. Which will always be 0x140000000
.
So this address would translate to 0x140000000 + 0x506D270 = 0x14506D270
.
0x80
, 0x7D20
, etc. are further offsets. A common beginner mistake is that you just add these offsets to one another and that's your value, but this is not the case.
The way multi-level pointers work, is that you need to go to the base address, dereference it as a 64bit integer. This gives you yet another pointer.
Now you add the first offset to that new pointer. Let's say we read 0xFC503A0
from this pointer. Now we add 0x80
to that and dereference there again. We continue this until we have added our final offset, where we will dereference as a float, to get our timer value.
Now all that above would be a big headache to do manually each time, so how about we write a function to take care of that for us.
This is where external and internal start to deviate. I will always provide examples for both approaches.
Internally, dereferencing a pointer is pretty straight forward. If our pointer is stored in a variable ptr
, all we need to do to dereference is to cast it to the correct pointer type and then dereference like this:
int value = *(int*)ptr;
If this doesn't make any sense to you, you should read up on pointers in the C language.
Now the function for reading multi-level pointers could look like this:
template<class T>
T* ReadMultiLevelPointer(void* base_address, const std::vector<uintptr_t>& offsets)
{
uintptr_t addr = (uintptr_t)base_address;
for (const auto& offset : offsets)
{
addr = *(uintptr_t*)addr;
addr += offset;
}
return (T*)addr;
}
Continue to Using the function.
The external function looks pretty similar, but we replace any dereferences by a call to ReadProcessMemory
:
template<class T>
T* ReadMultiLevelPointer(HANDLE process_handle, void* base_address, const std::vector<uintptr_t>& offsets)
{
uintptr_t addr = (uintptr_t)base_address;
for (const auto& offset : offsets)
{
ReadProcessMemory(process_handle, (void*)addr, &addr, sizeof(addr), NULL);
addr += offset;
}
return (T*)addr;
}
As you might have guessed, ReadProcessMemory
can be used to read the memory of an external process. There is also an equivalent function to write: WriteProcessMemory
.
Internally, all you need to do is call the function as is. So taking our pointer from above as an example, it would look like this:
float* timer = ReadMultiLevelPointer<float>((void*)0x14506D270, { 0x80, 0x7D20, 0x5EC });
You can now continue to Preventing Fireblight.
Now for external, you might've noticed that I've added an additional parameter process_handle
to the function. This is because reading memory from an external process requires some extra setup work. We first need to get a handle to the game process.
To do so, we need to get a window handle, use that to get the process id of the game, and finally open the process using appropriate access rights. That will allow us to read and write to the game's memory.
So first we need to get the game's window handle using the function FindWindowA
:
HWND window = FindWindowA(NULL, "MONSTER HUNTER: WORLD<buildNo>");
Next we need to get the process id of the game. We can do so using the function GetWindowThreadProcessId
:
DWORD pid;
GetWindowThreadProcessId(window, &pid);
Here we pass the pid
variable as a pointer. You can easily see how parameters need to be passed by checking out the documentation for each of these functions on MSDN.
Finally we use the process id to get a handle to the process using OpenProcess
:
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, false, pid);
Keep in mind you only need to do this once at the start of your program, and then simply store the process handle.
Now we can call our function:
float* timer = ReadMultiLevelPointer<float>(hProcess, (void*)0x14506D270, { 0x80, 0x7D20, 0x5EC });
Now we need to make sure we have our own thread for this, since we'll be checking this timer periodically in a loop. If we were to run our loop on the game's thread we would stall it forever.
So, we need to launch a thread from our DllMain
. And inside our thread function we need to start off with setup code. This is, once again, different between internal and external.
For internal, since our dll is loaded upon boot, we need to delay our pointer reading until the Object containing our times is created.
To do so we can simply check for nullpointers each dereference step. Let's create a function that waits until it can read proper pointers.
template<class T>
T* ReadMultiLevelPointerSafe(void* base_address, const std::vector<uintptr_t>& offsets)
{
uintptr_t addr = (uintptr_t)base_address;
for (const auto& offset : offsets)
{
while (*(uintptr_t*)addr == nullptr) Sleep(30);
addr = *(uintptr_t*)addr;
addr += offset;
}
return (T*)addr;
}
This function will now return only once it has successfully read this pointer. This is definitely not the best solution to this problem, but it'll work for now.
So instead of calling ReadMultiLevelPointer
we now instead call ReadMultiLevelPointerSafe
to get the pointer to our timer.
For external the setup code is
- What was explained in Using the function
- Optionally the delayed pointer reading function
The pointer reading function for external would look like this:
template<class T>
T* ReadMultiLevelPointerSafe(HANDLE process_handle, void* base_address, const std::vector<uintptr_t>& offsets)
{
uintptr_t addr = (uintptr_t)base_address;
for (const auto& offset : offsets)
{
uintptr_t tmp = nullptr;
do {
Sleep(30);
ReadProcessMemory(process_handle, (void*)addr, &tmp, sizeof(tmp), NULL);
} while (tmp == nullptr);
addr = tmp;
addr += offset;
}
return (T*)addr;
}
So at the end of our handle obtaining setup code, we call our new function:
float* timer = ReadMultiLevelPointerSafe<float>(hProcess, (void*)0x14506D270, { 0x80, 0x7D20, 0x5EC });
Now we have our main loop (identical for internal/external):
while (true)
{
// ...
Sleep(10);
}
Now we need to check the timer each loop iteration and if it's greater than 0, we set it back to 0:
Internally, this is as simple as this:
if (*timer > 0.0f)
{
*timer = 0.0f;
}
As for external, we need a little more as usual:
float timerval = 0.0f;
// Read timer value into 'timerval' variable
ReadProcessMemory(hProcess, (void*)timer, &timerval, sizeof(timerval), 0);
// Check if timer is > 0
if (timerval > 0.0f)
{
// Reset timer value back to 0
timerval = 0.0f;
// Write value back to game memory
WriteProcessMemory(hProcess, (void*)timer, &timerval, sizeof(timerval), 0);
}
We just put this if statement in our while
loop, and there we go. We're done! Now all we have to do is build the dll and move it into our plugins folder.
And there you go, you have successfully created a plugin that automatically removes fireblight.
General Tutorials
Animation Tutorials
Audio Tutorials
File & In Game IDs
- Accessory and Specialized Tool IDs (Asset)
- Armor IDs (Asset)
- Decorations IDs
- EFX IDs
- Endemic Critter IDs (Asset)
- Face IDs (Asset)
- Furniture IDs (Asset)
- Gimmick IDs (Asset)
- Hairstyle IDs (Asset)
- Item IDs
- LMT IDs
- Material IDs
- Medal IDs
- Model Bone Function IDs
- Monster IDs
- Monster Shell IDs (A-P)
- Monster Shell IDs (Q-Z)
- NPC IDs (Asset)
- NPC Base Model (Asset)
- Palico Equipment IDs (Asset)
- Pendant IDs (Asset)
- Poogie Clothes IDs
- Quest IDs
- Skill IDs
- Stage IDs (Asset)
- Player Weapon Action IDs
- Weapon IDs (Asset)
- Weapon ID Dump (GS,SnS,DB)
- Weapon ID Dump (LS,Ham,HH)
- Weapon ID Dump (Lan,GL)
- Weapon ID Dump (SA,CB)
- Weapon ID Dump (Bow,HBG,LBG)
Model Tutorials
- Quick Guide to Importing Models (Blender 2.79)
- Walkthrough of a Weapon Import
- Basics of Exporting Into the .mod3 Format
- How To Fix UVs Sharing a Seam
- How To Separate Mesh Parts in Blender
- Rotating, Moving and Resizing in Blender
- How to Split a Single Mesh Outfit into Player Equippable Parts
- Jigglebone Chains (.ctc) and Colliders (.ccl)
- Axial CTC Rotations
- Editing Hair Models and Materials
- Useful Blender Scripts
- [external page] How to Make All Polygons Into Triangles (Required for MHW models)
- [external page] How to Convert Triangles Back Into Quads
- [external page] How to Change The View-port clipping Parameters For Large Models
- [external page] How to Set Origin to Vertex in Edit Mode
- [external page] Shortcut to repeat the last operation in Blender
- [external page] Transferring Rig Weights From One Mesh To Another
- [external page] How to Copy Paint Weights From One Object to Another
- [external page] How to Remove All Zero-Weight Vertex Groups
- [external page] How to Weight Paint Against Current Pose
- [external page] Making a Hair Rig
- [external page] Physics Transfer
EFX Tutorials
FSM Editing
MRL3 Tutorials
NPC Editing
Plugins and Memory Editing
Monster AI Editing
General Texture Tutorials
- Obtaining, Converting and Replacing Textures
- Textures with Paint NET
- How To Open DDS Files
- Editing Textures
- Understanding Alpha Channels
- Exporting Textures with Transparency
- How To Achieve Glass Texture
- How to create Crystal materials with Alpha Textures
- Working Around the Mip Map Loading Bug
- [external page] Extracting a UV Layout
Specific Texture Tutorials
Asterisk's Plugin Notes
Miscellaneous Tutorials
Outdated Tutorials
- How to Make an NPC Skin Material Support Skin Color Customization
- Plugin Comparison
- A Theoretical Proposal on Skeleton Extension
- Monster Hunter World Save Editor Tutorial
- Making Copies of a Save Slot
- Making a Green Screen
- Notes on CTC Physics Jiggle Files
- Opening MRL3 file with a template
- Transferring MRL3 Files Between Models
- Expanding mrl3 Reference List
- How to Edit Eye Color in mrl3 Files