View Full Version : Offset finder
millie
11-06-2002, 03:34 PM
For those who were wondering how to find the offset when it changes, and don't feel like learning i386 assembler, here's a little program which should find the new offset in a changed eqgame.exe
Should be fairly robust, but no guarantees.
Tested only on Linux.
#include <stdio.h>
#include <stdlib.h>

int main (int argc, char **argv)
{
    /* Opcode bytes of "shl eax,8 / cltd / or [disp32],eax"; the 32-bit
     * address we want is the disp32 that follows them in the file.
     * NOTE: the restart-on-mismatch step below is only correct because
     * each byte in this pattern is different.
     */
    int pattern[] = { 0xc1, 0xe0, 0x08, 0x99, 0x09, 0x05 };
    FILE *fp;
    int c;
    unsigned int pos = 0;
    unsigned int last = sizeof pattern / sizeof (int) - 1;
    unsigned long offset = 0;

    if (argc != 2) {
        /* argv[1] is NULL here, so it must not be printed */
        fprintf(stderr, "Usage: %s <eqgame.exe | ->\n", argv[0]);
        exit(1);
    }
    /* "-" reads stdin. "r" is fine on Linux; on Windows use "rb" so that
     * CR/LF translation does not corrupt the byte stream. */
    if ( argv[1][0] == '-' && argv[1][1] == '\0' ) {
        fp = stdin;
    }
    else if ( (fp = fopen(argv[1], "r")) == NULL) {
        fprintf(stderr, "Cannot open %s\n", argv[1]);
        exit(1);
    }
    while ( (c = getc(fp)) != EOF) {
        if (c == pattern[pos]) {
            if (pos == last) {
                break;
            }
            else {
                pos++;
            }
        }
        else {
            /* The mismatching byte may itself start a match (e.g. the
             * stream c1 e0 c1 e0 08 ...). With all-distinct pattern bytes
             * that is the only possible overlap, so restart at 1 or 0. */
            pos = (c == pattern[0]) ? 1 : 0;
        }
    }
    if (c == EOF) {
        fprintf(stderr, "Key offset not found.\n");
        exit(1);
    }
    /* next four bytes are the key offset as a little-endian 32-bit value */
    for (pos = 0; pos <= 3; pos++) {
        if ( (c = getc(fp)) == EOF ) {
            fprintf(stderr, "Error while reading offset\n");
            exit(1);
        }
        offset |= (unsigned long)c << (8 * pos);
    }
    printf("Offset: 0x%08lx\n", offset);
    if (fp != stdin)
        fclose(fp);
    return 0;
}
Spook
11-06-2002, 04:21 PM
Thanks!
watcher0666
11-06-2002, 04:36 PM
Thank you. I take it the search is based upon asm instructions relating to the data decoding? Thus this shouldn't change when eqgame is recompiled?
SEQLurker
11-06-2002, 05:01 PM
If anyone cares, here it is modified so it compiles under VC++...
#include <stdio.h>
#include <stdlib.h>

int main (int argc, char **argv)
{
    /* Opcode bytes of "shl eax,8 / cltd / or [disp32],eax"; the 32-bit
     * address we want is the disp32 that follows them in the file.
     * NOTE: the restart-on-mismatch step below is only correct because
     * each byte in this pattern is different.
     */
    int pattern[] = { 0xc1, 0xe0, 0x08, 0x99, 0x09, 0x05 };
    FILE *fp;
    int c;
    unsigned int pos = 0;
    unsigned int last = sizeof pattern / sizeof (int) - 1;
    unsigned long offset = 0;

    if (argc != 2) {
        /* argv[1] is NULL here, so it must not be printed */
        fprintf(stderr, "Usage: %s <eqgame.exe | ->\n", argv[0]);
        exit(1);
    }
    /* "-" reads stdin; "rb" stops Windows from translating CR/LF */
    if ( argv[1][0] == '-' && argv[1][1] == '\0' ) {
        fp = stdin;
    }
    else if ( (fp = fopen(argv[1], "rb")) == NULL) {
        fprintf(stderr, "Cannot open %s\n", argv[1]);
        exit(1);
    }
    while ( (c = getc(fp)) != EOF) {
        if (c == pattern[pos]) {
            if (pos == last) {
                break;
            }
            else {
                pos++;
            }
        }
        else {
            /* The mismatching byte may itself start a match (e.g. the
             * stream c1 e0 c1 e0 08 ...). With all-distinct pattern bytes
             * that is the only possible overlap, so restart at 1 or 0. */
            pos = (c == pattern[0]) ? 1 : 0;
        }
    }
    if (c == EOF) {
        fprintf(stderr, "Key offset not found.\n");
        exit(1);
    }
    /* next four bytes are the key offset as a little-endian 32-bit value */
    for (pos = 0; pos <= 3; pos++) {
        if ( (c = getc(fp)) == EOF ) {
            fprintf(stderr, "Error while reading offset\n");
            exit(1);
        }
        offset |= (unsigned long)c << (8 * pos);
    }
    printf("Offset: 0x%08lx\n", offset);
    if (fp != stdin)
        fclose(fp);
    return 0;
}
quester
11-06-2002, 05:42 PM
VERY interesting.
The location just changed on test, and I was about to crack open the exe and find the new location.. then I saw this.
It's an interesting test :) I'll manually find the new address, then use this, and see if they agree.
millie
11-06-2002, 05:44 PM
Looks like the only change was to open the file handle in binary mode. Good catch, I always forget about that when it comes to Microsoft OSes. Should compile on Linux that way too.
It pretty much looks for the follow assembly:
shl eax, 8
cltd
or (offset), eax
and picks the offset up from the or instruction. I figure 6 bytes should be unique enough to make false positives improbable (unless they want to screw with us), but small enough to be fairly change-resistant.
It probably will need tweaking over the long term though.
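The same search done over an in-memory copy of the file, as an added example that is not millie's program or any ShowEQ code. It reports every occurrence of the six opcode bytes instead of stopping at the first, decodes the disp32 without signed-shift surprises, and, next to it, keeps a copy of the byte-at-a-time matcher that resets to the start of the pattern on mismatch, to show the case that matcher misses: a partial match that runs straight into the real sequence. The sample image is constructed, not real eqgame.exe contents; its two addresses simply reuse numbers quoted in this thread.

```c
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Opcode bytes of "shl eax,8 / cdq / or [disp32],eax"; the 32-bit address
 * of the key in the data segment is the disp32 that follows them. */
static const unsigned char KEY_PATTERN[] = { 0xc1, 0xe0, 0x08, 0x99, 0x09, 0x05 };
#define KEY_PATTERN_LEN (sizeof KEY_PATTERN)

/* Decode a little-endian 32-bit value; every shift happens on uint32_t. */
static uint32_t le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Report every pattern occurrence that is followed by a complete disp32.
 * Up to max_hits decoded addresses are stored in out; the return value is
 * the total number of hits, so the caller can see when there is more than
 * one candidate and must disambiguate in a disassembler. */
size_t find_key_offsets(const unsigned char *buf, size_t len,
                        uint32_t *out, size_t max_hits)
{
    const size_t need = KEY_PATTERN_LEN + 4;
    size_t hits = 0;
    if (len < need)
        return 0;
    for (size_t i = 0; i + need <= len; i++) {
        if (memcmp(buf + i, KEY_PATTERN, KEY_PATTERN_LEN) == 0) {
            if (hits < max_hits)
                out[hits] = le32(buf + i + KEY_PATTERN_LEN);
            hits++;
        }
    }
    return hits;
}

/* The streaming matcher's search step with a plain reset: on mismatch it
 * goes back to pattern[0] without re-examining the current byte.
 * Returns the first decoded address it reaches, or 0 if none. */
uint32_t naive_first_offset(const unsigned char *buf, size_t len)
{
    size_t pos = 0;
    for (size_t i = 0; i < len; i++) {
        if (buf[i] == KEY_PATTERN[pos]) {
            if (++pos == KEY_PATTERN_LEN)
                return (i + 4 < len) ? le32(buf + i + 1) : 0;
        } else {
            pos = 0;
        }
    }
    return 0;
}

/* Constructed stand-in for a slice of eqgame.exe (not real file bytes). */
static const unsigned char SAMPLE_IMAGE[] = {
    0x55, 0x8b, 0xec,                        /* push ebp / mov ebp,esp      */
    0xc1, 0xe0,                              /* partial match, runs into... */
    0xc1, 0xe0, 0x08, 0x99, 0x09, 0x05,      /* ...the real sequence        */
    0xc8, 0x4d, 0x6b, 0x00,                  /* disp32 = 0x006b4dc8         */
    0x90, 0x90,                              /* nop / nop                   */
    0xc1, 0xe0, 0x08, 0x99, 0x09, 0x05,      /* a second, decoy occurrence  */
    0x18, 0x4e, 0x6b, 0x00,                  /* disp32 = 0x006b4e18         */
    0xc3                                     /* ret                         */
};

size_t sample_hit_count(void)
{
    return find_key_offsets(SAMPLE_IMAGE, sizeof SAMPLE_IMAGE, NULL, 0);
}

/* idx-th candidate from the sample image, or 0 when idx is out of range */
uint32_t sample_hit(size_t idx)
{
    uint32_t hits[8];
    size_t n = find_key_offsets(SAMPLE_IMAGE, sizeof SAMPLE_IMAGE, hits, 8);
    return (idx < n && idx < 8) ? hits[idx] : 0;
}

uint32_t sample_naive(void)
{
    return naive_first_offset(SAMPLE_IMAGE, sizeof SAMPLE_IMAGE);
}

int main(void)
{
    size_t n = sample_hit_count();
    printf("%zu candidate(s)\n", n);
    for (size_t i = 0; i < n; i++)
        printf("  candidate %zu: 0x%08lx\n", i, (unsigned long)sample_hit(i));
    printf("plain-reset matcher: 0x%08lx\n", (unsigned long)sample_naive());
    return 0;
}
```

On the constructed image the full search lists two candidates, 0x006b4dc8 first, while the plain-reset matcher skips the real one (it has consumed "c1 e0" when the second "c1" arrives, resets to zero, and never re-tests that byte) and reports the decoy. Whenever more than one candidate comes back, the only safe move is to open the file in a disassembler and look at which one sits in the "ors and xors" key routine.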
quester
11-06-2002, 05:56 PM
Awesome job millie!
Just ran it against the changes to test and it came up with the same offset I manually did, and did it a lot faster than me lol.
Thanks!
It takes me 5 times as long just to load the exe into w32dasm!
Amadeus
11-06-2002, 07:42 PM
Just for general knowledge, SEQLurker's code works in Borland Builder 5 as well.
MisterSpock
11-06-2002, 07:51 PM
Also, SEQLurker's code compiles and runs flawlessly with lcc-win32.
I'm still trying to find the equivalent instructions using w32dasm... no luck yet. I must be doing something wrong in my current case of beer-induced stupidity.
speedphreak
11-07-2002, 12:50 PM
I think posting this was a bad idea to be honest. I toyed with the idea of posting my own, but I think showing VI exactly what they need to obfuscate will not help us. I think it would be far more useful to post new offsets when needed than to post exactly what we look for to find them.
Do people agree? or pleased to see this?
Jel321
11-07-2002, 01:45 PM
Quest,
Mind posting the new offset for Test. I'm guessing this came in the patch last eve when they mentioned the faction bug.
Have a copy of this little app but I wouldn't mind recompiling here before I head out for the day ;)
If ya would rather not no problem.
J
quester
11-07-2002, 03:14 PM
Originally posted by speedphreak
I think posting this was a bad idea to be honest. I toyed with the idea of posting my own, but I think showing VI exactly what they need to obfuscate will not help us. I think it would be far more useful to post new offsets when needed than to post exactly what we look for to find them.
Do people agree? or pleased to see this?
Yeah I kinda have to agree here. While his app certainly is nice, and a bit of a time saver... I'd hate to have them start making it hard to find. Right now it is VERY easy to find if you disassemble the exe. If they start hiding it up, or using other tricks, because it's too easy to grab, then we will all start hurting.
I'd encourage the original author to remove this now that I think about it.
quester
11-07-2002, 03:15 PM
Originally posted by Jel321
Quest,
Mind posting the new offset for Test. I'm guessing this came in the patch last eve when they mentioned the faction bug.
Have a copy of this little app but I wouldn't mind recompiling here before I head out for the day ;)
If ya would rather not no problem.
J
0x789b00
millie
11-07-2002, 03:31 PM
I thought about whether or not I should post it quite a bit before doing so. I guess I have a soft spot in my heart for the poor test users :)
Mind you, if they want to obfuscate things, and I'm sure they will, it would probably be more useful to them to obfuscate how the offset is used than to hide the offset itself.
I'll leave it up for now, but think on it some more. I might remove it in a couple of days.
Jel321
11-07-2002, 03:49 PM
I guess I have a soft spot in my heart for the poor test users
I thank you heartily ;) and completely understand if you wanna yank this.
Thanks for the info quest.
J
MisterSpock
11-07-2002, 04:18 PM
This is probably a really dumb question...
Why don't I see the instructions and offset in question when I run W32dasm on the exe in question?
It would make my level of confidence a lot higher when I look at these exe's and dll's with a disassembler to know that I'm seeing the whole thing...
quester
11-07-2002, 04:24 PM
Load up w32dasm, and do a search for the offset. You should find a big chunk of code that basically does a bunch of ors and xors on that memory address. That's the key code.
MisterSpock
11-07-2002, 05:39 PM
Well, that is what I tried to do...
but...
W32dasm claims that the code ends around 0x005DCFF8 -- well before the offset location.
millie
11-07-2002, 05:47 PM
The offset is a pointer into the data segment of the process. The disassembly will end at the end of the text segment. (Using UNIX terminology here; not sure how it applies to Windows.)
The address of the code that the utility searches for is 004ebd11 in the current eqgame.exe
quester
11-07-2002, 05:50 PM
Yeah.. I didn't mean to go to the code offset indicated.. The offset indicated is a MEMORY offset being used by the code, not a code offset. What I meant was to do a SEARCH for that offset as if it was plain text, which would bring you to the code that references it, which is the code that handles the key.
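The reverse lookup quester describes, as an added example (not ShowEQ's or quester's code): given a candidate key offset, scan the image for the four bytes of that address in little-endian order, which is exactly what a text search for the offset in w32dasm does, and land on every instruction whose disp32 or moffs32 names it. The code fragment is constructed, not real eqgame.exe bytes, and reuses addresses quoted in this thread.

```c
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Find every position in buf where four consecutive bytes equal addr in
 * little-endian order, i.e. every disp32 / moffs32 that names the address.
 * Up to max positions are stored in pos; the return value is the total.
 * A hit can also be data or a coincidence, so disassemble around each. */
size_t find_references(const unsigned char *buf, size_t len, uint32_t addr,
                       size_t *pos, size_t max)
{
    const unsigned char needle[4] = {
        (unsigned char)addr,         (unsigned char)(addr >> 8),
        (unsigned char)(addr >> 16), (unsigned char)(addr >> 24)
    };
    size_t n = 0;
    for (size_t i = 0; i + 4 <= len; i++) {
        if (memcmp(buf + i, needle, 4) == 0) {
            if (n < max)
                pos[n] = i;
            n++;
        }
    }
    return n;
}

/* Constructed fragment standing in for the key routine (not real eqgame.exe
 * bytes): three instructions touching one address and one unrelated
 * reference to a different address. */
static const unsigned char SAMPLE_CODE[] = {
    0x09, 0x05, 0xc8, 0x4d, 0x6b, 0x00,   /* or  [0x006b4dc8],eax */
    0x31, 0x05, 0xc8, 0x4d, 0x6b, 0x00,   /* xor [0x006b4dc8],eax */
    0xa1, 0xc8, 0x4d, 0x6b, 0x00,         /* mov eax,[0x006b4dc8] */
    0xa1, 0x18, 0x4e, 0x6b, 0x00,         /* mov eax,[0x006b4e18] */
    0xc3                                  /* ret                  */
};

/* Number of references to addr inside the sample fragment. */
size_t sample_ref_count(uint32_t addr)
{
    return find_references(SAMPLE_CODE, sizeof SAMPLE_CODE, addr, NULL, 0);
}

/* File position of the first reference to addr, or (size_t)-1 if none. */
size_t sample_first_ref(uint32_t addr)
{
    size_t pos;
    size_t n = find_references(SAMPLE_CODE, sizeof SAMPLE_CODE, addr, &pos, 1);
    return n ? pos : (size_t)-1;
}

int main(void)
{
    const uint32_t candidates[] = { 0x006b4dc8u, 0x006b4e18u, 0x12345678u };
    for (size_t i = 0; i < sizeof candidates / sizeof candidates[0]; i++) {
        size_t n = sample_ref_count(candidates[i]);
        printf("0x%08lx: %zu reference(s)", (unsigned long)candidates[i], n);
        if (n)
            printf(", first at file offset %zu", sample_first_ref(candidates[i]));
        printf("\n");
    }
    return 0;
}
```

A real key offset should show up in a tight cluster of references (the or/xor block quester mentions); a candidate with a single stray reference, or none, is the one to distrust when two pattern matches disagree.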
cbreaker
11-12-2002, 07:09 AM
On the notion that this should be pulled from the forum..
If you yank it from the forum, and don't allow any other people to post similar code or walk-throughs on how to get the offsets with xyz program, people will simply start posting the offsets themselves.
I don't know which is worse.
baelang
11-12-2002, 02:43 PM
Originally posted by cbreaker
people will simply start posting the offsets themselves.
what's wrong with that? posting the offset, without instructions on how the offset was found, gives no clues to the opposition.
if you are worried about getting the wrong offset, just compare posts with the various folks that will be verifying the work.
Chuin
12-16-2002, 04:41 PM
I compiled with no errors, but when running from a CMD screen I get Usage: offset (null)
I run the Offset.exe without parameters... Any ideas?
Chuin
baelang
12-16-2002, 06:29 PM
Originally posted by Chuin
I compiled with no errors, but when running from a CMD screen I get Usage: offset (null)
I run the Offset.exe without parameters... Any ideas?
Chuin
use parameters.
you gotta tell it which executable you want to search (include the full path) eqgame.exe or testeqgame.exe
By the way, this code is now integrated into keyring version 2.2.
keyring -l <path>
Thanks millie!
quackrabbit
01-09-2003, 06:33 AM
nm
Amadeus
02-28-2003, 06:08 PM
This seems to be broken now.
It's returning 6b4e18 instead of 6b4dc8 (the correct offset as per #showeq)
:)