EPTPart 1: http://www.liquiddota.com/blogs/503835-dota-2-bot-api-the-glutinitial-step
After trying out the directX/OpenGL interception I found out that somehow the directX/OpenGL interception programs weren't able to grab the 3d textures from Dota 2. I got maybe one or two, but other than that there were only 2d textures showing up.
So now I have to go the reverse engineering route anyway. So I decided to drop the graphics intercepting route for now and focus first on getting to know the internals of Dota 2. If hooking into the memory and calling functions from there ( and changing the opcodes every update ) turns out to be easy (as in, not protected), then I might as well go that route.
After asking around in some forums I came across someone by the username PrayDog who already made a SDK generator. I still have to figure out why it doesn't work for me. Maybe I messed up the cmake or I don't have the right DLL injector ( if any of you got it working, pm me pls).
So in the meantime I checked to see if I could already do some basic reverse engineering. To make it simple for me (and you), I followed the tutorial from Fleep about building a trainer ( link ) and tried to apply it to Dota 2.
The idea was to create a trainer where you could play as Abaddon in Solo vs Bots single-player and have a HP cheat where your HP would always stay the same. This basically involves finding the relevant static memory address and the offsets that lead to the HP of Abadon.
This is basically what I wanted to achieve (in single player vs bots ofc):
+ Show Spoiler +
And since this video is only uploaded to my channel, I have achieved it 
So how to find the memory address:
If you want to repeat these steps, make sure you start Steam in offline mode and disable your network connection completely
1. You start up cheat engine and hook it into dota2.exe
2. As your first scan, look for the current hp of Abaddon (not the maximum hp)
![[image loading]](http://i.imgur.com/4s4Ohv3.png)
3. Receive some damage ( for example by attacking roshan)
4. Use bigger than/Smaller than to filter out the memory addresses whose value is not the same as abaddon's current hp (as shown on the dota 2 screen).
![[image loading]](http://i.imgur.com/TMUZson.png)
5. Keep on doing this until you are only left with the values that correspond with the HP of abaddon. Since the game is still running and abaddon is healing HP slowly, these values should grow as well. In the version of 1 May 2016 there should be 4 memory addresses after you are done.
6. Try to change the value of each of these memory variables. Some are only used to store the hp number that is displayed. If you change them, you will see that they will get reset the moment abaddon heals 1 hp. One of them will permanently change the hp of abaddon.
![[image loading]](http://i.imgur.com/ZtUSkaI.png)
7. Double click on this address to add it to the address list below. Then right click the newly created row below and select "Find out what accesses this adress"
![[image loading]](http://i.imgur.com/ocjVhUF.png)
8. With the game still running, there will be several instructions that come up. To the left of those instructions ( first column) there will be the total amount of times that instruction has been called since the debugger was attached.
9. Basically you are looking for the instruction that has been called the same amount of time as abaddon gained hp when you started with the debugger. This basically is the instruction that heals abandon, and thus changes the HP memory address (instead of just reading it).
10. In the version of 1 May 2016 there are multiple options to chose from. Just choose any one of them. Both the offset and memory address it guesses are the same for all of them.
11. Write down the offset ( the hex value that appears after the red + sign ) and the pointer address given by cheat engine
![[image loading]](http://i.imgur.com/mWs7mUp.png)
12. Tick the hex box in cheat engine and start a new scan ( click new scan then click on first scan ).
![[image loading]](http://i.imgur.com/Rw91Gav.png)
13. This gives you all the memory addresses that hold the memory address you got in the previous step.
14. Add all the memory addresses to the list below
![[image loading]](http://i.imgur.com/7i506P6.png)
15. For each of the memory adresses, go through the same step as step 7 ( right click them, then select "Find out what accesses this adress" ). Make sure that abaddon is still damaged and thus healing himself.
16. Check to see if there is any memory address that has the same behavior as the memory address of step 9. So basically an instruction whose "count" variable is the same as the total amount of HP that abaddon has healed since the debugger has started.
![[image loading]](http://i.imgur.com/aK4xA0F.png)
17. Double click the instruction to get the offset ( 0 in my case)
18. Use the memory adress from 16 to perform a new scan with the hex checkbox still ticked. So don't use the one you get if you double click the instruction where you get a red text with the offset and an estimate of the pointer. You could maybe work with that as well, but it is not needed.
18. This new scan should give a green memory address. This is a static address which will never change, unlike the first memory address you found which contains the HP. If you restart Dota 2 you will see that the memory address you found at step 6 has now changed.
![[image loading]](http://i.imgur.com/uV24Q41.png)
19. You can add the green memory adress to the list below and double click the address. This should give you server.dll+14E62E0 . This basically means that the memory location of this static address is based on the memory location of server.dll when it is loaded in Dota2.exe
20. Make sure that you write down the memory locations and offsets you found ( BC , 0 in my case).
![[image loading]](http://i.imgur.com/tD08XKF.png)
Basically you can now use these (hex) values to edit the memory of dota 2. This will ofc only work if you are the server, because changing your HP as a client will cause a disconnect since your Dota 2 state will not be up to date with the HP value recorded on the server. However this same technique can be used to extract your own HP in an (offline) LAN game (where bots can play without bothering anyone playing online with VAC, they will only be able to play with other players willing to join their LAN lobby).
Since the goal is to make a bot API where the bot only has access to the same things a human player has, not being able to cheat is no concern to me.
With that said, you can ofc use these pointers/offsets in what is known as a trainer . For this I used a simple trainer framework created by a user called Fleep. You can find the link to the full tutorial of Fleep above. The direct link to the original framework can be found here .
That framework is based on Assault Cube. But since the HP of Abaddon is located based on the memory address of server.dll the framework needs to be extended with EnumProcessModules() to find all .dll files loaded by dota2.exe and their corresponding memory addresses. So for this I used the sample code from here and changed it such that it will only look for the memory address of server.dll , and add 0x14E62E0 to it to get the correct memory address.
You can see the source code of the hack hacked together on pastebin here .
If you want to try the hack yourself (works in single player vs bots only), you can download the .exe from below.
Just make sure that you only run it with steam in offline mode, and without your computer having any kind of internet connection whatsoever.
link to the .exe:
http://www.filedropper.com/testhack
Do note that this is only tested on the Windows 7 32 bit dota version from 1 May 2016. If Dota 2 has been updated in the meantime it might not work anymore. Any other specification difference from my PC might also cause differences in memory/opcodes.
I also used the launch options "-console -nosecure" which might make a difference ( probably not but I put it here just to be sure).
And as expected, you need to run the .exe as an admin (otherwise it won't have permission to write to the memory of dota2.exe).
All things considered you are better of recompiling it from source. I build it using Visual C++ 2012 with the option:
Character set: Use Unicode character set
IIRC that is the only option you need to change when you start with a default .exe template in Visual Studio. You can pm me if you want the full .sln
------------------------------------------------------------------------------------------------------------------------------
I found it quite interesting to know that it was possible to access this memory quite easily. And since you can be a server while playing an (offline) LAN ( offline as in, not connected to any valve service. Using hamachi or any other tunneling for LAN for online play without valve servers), it should be possible to get custom bots running on LAN servers. If it turns out that the client side is well protected, then it will be limited to bot vs human for the time being.
For now I will continue finding the offsets of the functions needed to actually perform commands in dota 2. IIRC not all of them have been found yet. If any of you know more about this do let me know. It would save me a lot of time.
p.s : yes I know that there are methods for finding the HP of every hero you can play as, not just abaddon. This blog post was just meant to show a simple example.
