Tsearch tutorial

lolp1

Hello,

Just recently I used T-search for the first time and I was surprised at how easy it was to find some things.

For this tut, we will be using Counter-Strike. We will be getting the memory location using Tsearch.

First of all, if you don't have Tsearch, I took the time to upload it here: www.valvesupport.info/tsearch_16b.zip

Next step will be to actually start Tsearch. You should be at a screen like so:




From here we will start Counter-Strike. Once you have done that, go ahead and Alt+Tab back out to this window.

OK, so we have Counter-Strike loaded, and we're ready to go. In Tsearch you should see a huge button called "Open process"; go ahead and click that.

Then select "hl.exe".

Ok, now you should be looking for this button (right below Open process)


When you see that button, go ahead and click it. You will now see a few options; let me explain what they mean. (By quoting from another site, too lazy to type those all out.)

"Exact value" is used when you know the value you're looking for (i.e. you have 20 bullets in your gun).

"Range" is used when you know the value is between two numbers (i.e. you have 1-2 lives but you don't really know).

"Unknown value" is used when you don't know the value you're looking for (it's used for energy bars mostly).

Now I bet you're wondering what all these bytes are.

"1 byte" is used when the value can be between 0-255.
"2 bytes" is used when the value can be between 0-65535.
"4 bytes" is used when the value can be between 0-4294967295.
"8 bytes" is used when the value can be between 0-18446744073709551615.

"Float" is used when the value can be between 1.2E-38-3.4E38, it's used for games like Zoo Tycoon and Age Of Empires.

"Double" is used when the value can be between 2.2E-308-1.8E308

From here, we need to decide what we want to search. In this case we will be searching for the memory location of "life" in Counter-Strike.

Go ahead and enter a game in counter strike. (Just make a local server, it will be important for a later step).

OK, so now you are in game, you should have '100' life. So our life value is 100, that's what we need to search. This will need to be an exact value.

Then, this will only be one byte as well. In the end it should look like so:



Go ahead and click OK. Now you will see a lot of results, but that's OK, we are going to lower those results. The first button we originally clicked to search (the magnifying glass): directly on the right of that is another button, and that's what we will need to use soon.

Right now, go into Counter-Strike and lose a bit of life. Then click the button I mentioned above ("search next"). It will bring up a search box just like before; just fill in all the same as before, except this time for "Value" put in the value of life you currently have (after losing some, like I said above), and go ahead and click OK.

This should greatly narrow your results down. Repeat that step to lower them down a bit more if you want.

Now you should be left with something like so:



That's good, you're almost done :) OK, now we will go through each of these and figure out which one is our life memory address.

Double click the first memory address out of your list. Doing so will 'transfer' that over to the other side of the screen, so it will look like so:




Then, change the value to '100' and check Counter-Strike again. If your life has moved up to 100, you have just found the address. Repeat these steps on down the list until you find the correct one. (Transferring the address on the left side to the other side of the screen, changing the value to 100, checking CS life.)

Eventually, you will end up with: 1A1BFC8

Congrats! You've just successfully found the memory address you were looking for in Tsearch. The point of this tut is to tell you how to find these addresses in Tsearch, not what to do with them, but I will provide some rough example code and ideas anyway.

With the memory location of life in Counter-Strike, you could make a 'life bar' in AutoIt (C++ ReadProcessMemory is more effective, and more powerful, but we will use AutoIt in this case).

Here is a fully working example code (poorly made by myself in about 10 seconds for this example):

Code:
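; Needs the _Mem* functions from the memory UDF posted below (paste them into this script)
$Process = 'hl.exe' ;-> Target process
$PID = ProcessExists($Process) ;-> Get Process ID (0 if the process is not running)
$Address = 0x1A1BFC8 ;-> Read/write address
$Value = 100 ;-> Value to write (not used by the life bar itself)

If $PID = 0 Then Exit ;-> Nothing to read if hl.exe is not running

$OpenProcess = _MemOpen(0x38, False, $PID) ;-> Enable reading/writing to the process and get the handle

$v_Read = _MemRead($OpenProcess, $Address, 1) ;-> Read a 1 byte value from the defined address
; MsgBox(0,"Info", "The value of address "&HEX($Address, 8)&" is now: "&$v_Read)

; Create the window first: controls can only be added to a GUI that already exists
GUICreate("Counter-Strike life", 220, 100, 100, 200)
$progressbar1 = GUICtrlCreateProgress(10, 10, 200, 20)
GUICtrlSetColor(-1, 32250) ; not working with Windows XP Style
$button = GUICtrlCreateButton("Start", 75, 70, 70, 20)

GUISetState()
While 1
	; -3 is $GUI_EVENT_CLOSE; GUIGetMsg() also idles the CPU, so no Sleep() is needed
	If GUIGetMsg() = -3 Then ExitLoop
	$v_Read = _MemRead($OpenProcess, $Address, 1)
	GUICtrlSetData($progressbar1, $v_Read)
WEnd
_MemClose($OpenProcess) ;-> Reached once the window is closed, so the handle is released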

You would need a memory UDF for this, so I'll provide that too:

Code:
Func _MemRead($i_hProcess, $i_lpBaseAddress, $i_nSize, $v_lpNumberOfBytesRead = '')
    Local $v_Struct = DllStructCreate ('byte[' & $i_nSize & ']')
    DllCall('kernel32.dll', 'int', 'ReadProcessMemory', 'int', $i_hProcess, 'int', $i_lpBaseAddress, 'int', DllStructGetPtr ($v_Struct, 1), 'int', $i_nSize, 'int', $v_lpNumberOfBytesRead)
    Local $v_Return = DllStructGetData ($v_Struct, 1)
    $v_Struct=0
    Return $v_Return
EndFunc ;==> _MemRead()

Func _MemWrite($i_hProcess, $i_lpBaseAddress, $v_Inject, $i_nSize, $v_lpNumberOfBytesRead = '')
    Local $v_Struct = DllStructCreate ('byte[' & $i_nSize & ']')
    DllStructSetData ($v_Struct, 1, $v_Inject)
    $i_Call = DllCall('kernel32.dll', 'int', 'WriteProcessMemory', 'int', $i_hProcess, 'int', $i_lpBaseAddress, 'int', DllStructGetPtr ($v_Struct, 1), 'int', $i_nSize, 'int', $v_lpNumberOfBytesRead)
    $v_Struct=0
    Return $i_Call[0]
EndFunc ;==> _MemWrite()

Func _MemOpen($i_dwDesiredAccess, $i_bInheritHandle, $i_dwProcessId)
    $ai_Handle = DllCall("kernel32.dll", 'int', 'OpenProcess', 'int', $i_dwDesiredAccess, 'int', $i_bInheritHandle, 'int', $i_dwProcessId)
    If @error Then
        SetError(1)
        Return 0
    EndIf
    Return $ai_Handle[0]
EndFunc ;==> _MemOpen()

Func _MemClose($i_hProcess)
    $av_CloseHandle = DllCall('kernel32.dll', 'int', 'CloseHandle', 'int', $i_hProcess)
    Return $av_CloseHandle[0]
EndFunc ;==> _MemClose()
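
The scan-and-narrow procedure from the post above, simulated offline on a constructed byte buffer (an added example, not code from the thread; `ToyProcess`, both offsets and the HUD-copy behaviour are assumptions made for illustration). It shows why repeated exact-value scans still leave more than one address, and why only the write test in the last step separates the authoritative byte from a display copy.

```python
import random

HEALTH_OFF = 0x2C8  # hypothetical offset of the authoritative health byte
MIRROR_OFF = 0x910  # hypothetical offset of a HUD copy of that byte

class ToyProcess:
    """Constructed 4 KiB memory image standing in for a game process."""
    def __init__(self, seed=1):
        rng = random.Random(seed)
        self.mem = bytearray(rng.randrange(256) for _ in range(4096))
        self.mem[HEALTH_OFF] = 100
        self.tick()

    def tick(self):
        # Each frame the HUD copy is refreshed from the authoritative value.
        self.mem[MIRROR_OFF] = self.mem[HEALTH_OFF]

    def take_damage(self, amount):
        self.mem[HEALTH_OFF] = max(0, self.mem[HEALTH_OFF] - amount)
        self.tick()

def first_scan(mem, value):
    """'Exact value', 1 byte: every offset that currently holds value."""
    return [off for off, b in enumerate(mem) if b == value]

def next_scan(mem, candidates, value):
    """'Search next': keep only earlier hits that now hold the new value."""
    return [off for off in candidates if mem[off] == value]

def holds_after_write(proc, off, value):
    """Last step of the post: write value, let a frame run, check the game."""
    saved = bytes(proc.mem)
    proc.mem[off] = value
    proc.tick()
    held = proc.mem[HEALTH_OFF] == value  # what the game itself reports
    proc.mem[:] = saved                   # restore the image for the next try
    return held

def run_demo():
    proc = ToyProcess()
    hits = first_scan(proc.mem, 100)
    counts = [len(hits)]
    for damage in (27, 15):               # health goes 100 -> 73 -> 58
        proc.take_damage(damage)
        hits = next_scan(proc.mem, hits, proc.mem[HEALTH_OFF])
        counts.append(len(hits))
    real = [off for off in hits if holds_after_write(proc, off, 100)]
    return counts, hits, real

if __name__ == "__main__":
    print(run_demo())
```

A value kept in plain form at a stable address is isolated after one or two rescans, so a client-side value like this can only be trusted when the server holds the authoritative copy.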
 
Just using Tsearch by itself, I think it would be detected... and yes, local game, as the health etc. is all server side.
 
T-search is safe to use. (Just use it on LAN to get the address.)

You can use the memory values for a lot of things. You can get your current amount of bullets (reload bar), maybe a weapon switch hack too. You can do a no recoil and read the current gun you have in your hand with memory to adjust recoil. There are a lot of possibilities. This tutorial, however, is just to teach you how to use TS, not to teach you to do those things :)
 