View Full Version : Maggotboy's Super Stealth Sniffer V2 (code)
cheese_poker
12-02-2002, 10:37 AM
Aurelius,
Use TCPDUMP on your Linux machine. Search on the site here if you don't know how to use it. Basically TCPDUMP will show if you are receiving UDP packets from the correct host/port.
In my experience, I wasn't seeing packets being sent from the EQ machine. I switched to the MinGW/hoihoi solution and saw packets coming in. Decoding still doesn't work, but seeing packets being delivered makes you feel better anyways. :P
Aurelius
12-03-2002, 10:48 PM
Ok, I run the dll sniffer, but nothing gets decoded.
I run it "rundll.exe netscape.dll,DirList 192.168.0.102 10000 eqgame.exe 0x0078aad0".
I run "tcpdump dst port 10000" and I get
"21:04:39.474228 192.168.0.101.1105 > 192.168.0.102.10000: udp 8
21:06:45.327861 192.168.0.101.1112 > 192.168.0.102.10000: udp 8"
So I think the traffic highway is open between my two boxes, but nothing is decoded. I assume there was message traffic between the two boxes and that is why I received the above tcpdump info.
Now I would like to try changing the port that SeQ listens for to see if this would fix it but I do not know how to change the port assignment.
In Seq, I go to the Network heading, then check all the secondary areas that I think might change the port, but I didn't see anything that I could use. (Or at least I thought I understood I couldn't use them.) About the only subheading that I thought would apply would be the opcode monitor but, again, I didn't see/understand anything that would affect the port. I checked the seq html file but I didn't see an input for a port to listen for.
What did I miss? Can someone point it out? It might be a case of not seeing the trees for the forest. Thanx for your patience.
Just as an after thought: WinXP Pro / mandrake 9 / MS c++ 6.0 compile.
Samefudge
12-04-2002, 07:42 AM
First of all, use the DECODE menu, not the NETWORK menu. If you don't have it, why haven't you updated SEQ yet? It seems to me a menu named DECODE would be pretty obvious if you had it, RIGHT NEXT TO NETWORK.
Read the posts TWO ABOVE YOURS FFS.
The packet sent by your key sniffer should be sent to your Showeq box with a specified port. You will have best results using a destination port that is not in use by any other protocol on your network; I would recommend using ports in the range 10000 to 65000. ShowEQ defaults to port 10000 but can be configured using the Decoder menu. The packet itself MUST be UDP and the first 8 bytes of the payload MUST be the key in little endian byte order.
S_B_R
12-04-2002, 07:45 AM
I guess you must have missed my other post after you asked this question before (3 posts above this one and directly after your first post with this problem). So I'll post it again for you. This was taken directly from the Announcement forum (http://seq.sourceforge.net/showthread.php?s=&threadid=2372)
ShowEQ defaults to port 10000 but can be configured using the Decoder menu.
/boggle
-Edit-
SameFudge beat me to it....
Aurelius
12-04-2002, 05:17 PM
I don't have any menus titled "DECODER". Perhaps you could elaborate as to where it is located? I'll accept your attitude of frustration in dealing with a lesser mensch, but I'd appreciate it more if you'd be more specific in your redress.
I just read Fudge's message. I just updated all my files from cvs yesterday. But I don't have any headings listed as "DECODER". Ok, now that I know there should be one I will redo my Seq again. Sorry for being stupid, but if it is not listed and I didn't know it was supposed to be listed, a simple clue should have been, as you put it, that it is SUPPOSED to be there.
Thanx.
Aurelius
12-04-2002, 05:45 PM
Very strange, I have SEQ on two different computers, and I updated both yesterday. But on one computer I have version 4.3.0 and on the other computer I have version 4.3.3. And because I didn't notice the difference at the time, because the 4.3.3 puter is my slow one, I didn't recheck anything on it after updating. Sorry for being a dumb ass. I'll have to scrub the whole seq directory and start again. Sorry folks.
Aurelius
12-04-2002, 06:51 PM
Final check, both puters working. I still don't know why I was always getting the old version on the one computer. Oh well, made me a bit smarter (about time hehe). Sorry
Pascal7
12-05-2002, 09:46 PM
:) You are the man!
And thanks to all the other contributors to this. :)
I have to admit to stupid programmer tricks while I was modding the eqsniffer.def file. I tried to call the dll into memory using the default names, not my new ones. Dooh!
Can't wait to try this out.. I miss seeing the mobs, track only helps so much.
Sodom
12-06-2002, 08:49 AM
Seems this is a touchy subject, but I have a decoder menu and no option to configure the port underneath it. What should be listed in the decoder menu?
I have input key, load key, and key filename.
Dedpoet
12-06-2002, 09:16 AM
You do not have the latest version of ShowEQ. Do a cvs update, recompile and make install. Make sure you have the newest libEQ.a first.
hawgz
12-06-2002, 09:30 AM
I noticed an issue a couple of versions back where updating the cvs and recompiling doesn't replace the existing version. For some reason, the "make install" portion doesn't overwrite the existing showeq and showeqitemdb.
I just started going into /usr/local/bin and moving the existing binaries to something else such as showeq.old and then removing showeq completely before the make install.
That way you KNOW the latest version is there.
The Mad Poet
12-06-2002, 10:01 AM
Try this:
__asm
{
call next
next: pop pvmem
}
I still get unknown symbol next...
And some error about the use of call..
I have the rest of the program working - but this still does not work...
heh taking out the call and just putting pop pvmem doesn't seem to work either...
If I can get the assembly working I will post the changes to the source to work on a borland compiler...
whome
12-08-2002, 12:08 PM
I am currently using the V1 version and love it, but would like to change to the V2 code. The one thing stopping me is that this line is still in the original post....
Originally posted by maggotboy
WARNING This code is experimental and currently seems to be crashing the game to the desktop.........
Of course I'll be using any code here at my own risk, but I was hoping someone could post back and let me know how big of an issue this is.
Thanks
sauron
12-08-2002, 07:05 PM
I've been using V2 for weeks, and have never had one problem.
CoolGuyEQ
12-09-2002, 06:15 AM
Will this attach itself to the NEXT instance of eqgame.exe it finds or the first one in memory? Reason I ask is that often, I'll run multiple instances of EQ using EQWin, and I wanted to know exactly how the sniffer would attach.
Thanks
CGEQ
Raelik
12-09-2002, 12:45 PM
It should attach itself to the NEXT EQ process that the hook detects keyboard activity from. So what you'll have to do is get the sniffer up and running on the first instance, hit ctrl-alt-R, start another copy of the sniffer, and then start your second EQW. Just make sure you don't switch back to your first EQW window before you hit a key in your new EQW window.
MisterSpock
12-09-2002, 01:09 PM
I may be wrong on this one...
However, I think it is going to connect to whichever instance of eqgame.exe has the lower numbered PID. It will process DLL_PROCESS_ATTACH events from all the running processes. It will stop and do its thing once it finds the first instance of EQGAME.
The only way to be certain is to launch the sniffer, launch one copy of EQ, get it to attach, then repeat for the second one...
FirstBorn
12-09-2002, 04:54 PM
I've been using this "DLL" for a couple of weeks now and I wanted to post what I've been noticing. It seems that after a random amount of time I will crash out of EQ completely to the desktop. There doesn't seem to be any "set" amount of time; it varies from approx. 40 minutes to a couple of hours. Everything else works great.
Anyone else noticing this type of behavior?
Firstborn
sauron
12-09-2002, 05:21 PM
Well now that I think about it, I have noticed one quirk.
Everquest doesn't ever crash out or anything, but while playing in Plane of Nightmare for hours I notice that I start getting grey dots (unknowns) for the mobs. It takes many hours in PoN for this to start to happen, but this has occurred on two different nights of playing for long periods. Actually, this can't be the sniffer's fault, since the KEY hasn't changed. So maybe this is a SEQ problem?
On the subject of the sniffer then -- V205 seems to run for 8-10 hours without any crashes.
kongfu
12-09-2002, 06:16 PM
I have compiled and installed the sniffer. Seems to be running fine, but showeq is not decoding. Did a tcpdump -X port 555 and got
xx:xx:xx.xxxxxx 192.168.1.101.3644 > 192.168.1.106.555: udp 8
oxoooo yada yaday yada
0x0010 yada yada yada
0x0020 yada yada yada
Went to showeq, changed the decode port to 555, and it decodes nothing. Is there a way to tell if showeq is receiving the key?
I am using a run command of
"rundll32.exe eqsniffer2.dll,InstallHook 192.168.1.101 555 eqgame.exe 0x0078bcb8"
MisterSpock
12-09-2002, 06:31 PM
Try a port numbered 10000 or above...
devnul
12-10-2002, 01:19 PM
"It seems that after a random amount of time I will crash out of EQ completely to the desktop...Anyone else noticing this type of behavior?"
Yes.
With the VS.NET compiled version. The LCC fails to do anything at all. Neither unload, ever.
emmt33 posted he found a possible bug in the other thread, looking at the code it sounds reasonable, hoping if he posts his fix that it may help
dn
Elyon
12-10-2002, 01:39 PM
Originally posted by sauron
Well now that I think about it, I have noticed one quirk.
Everquest doesn't ever crash out or anything, but while playing in Plane of Nightmare for hours I notice that I start getting grey dots (unknowns) for the mobs. It takes many hours in PoN for this to start to happen, but this has occurred on two different nights of playing for long periods. Actually, this can't be the sniffer's fault, since the KEY hasn't changed. So maybe this is a SEQ problem?
I have the same thing happening to me too Sauron, but in many zones. What Version of Linux are you using and which Compiler?
I am currently using V8.0 of Redhat Linux right out of the box, no changes to it. I am wondering if it's RH Linux 8 or not.
sauron
12-10-2002, 11:33 PM
Nope, not Redhat 8....
I'm using Redhat 7.2, QT 2.3.2-1
This is the same setup I've been using for a LONG time. I never noticed this (the grey unknowns after long period of playing in same zone) happening before the "sniffer" era.
bonkey
12-11-2002, 07:28 AM
Maggotboy, this is off topic, but could you email me? I am working on a project that is doing some hooking. I am using the method called API hijacking. I find your approach more elegant, but sadly I don't fully understand how your code works. If you have the time, I would like to explain what I am trying to accomplish and see if you have any suggestions.
--Bonkey
bonkeydcow@hotmail.com
BTW: Excellent job. This worked for me the first time I tried it.
anon2
12-11-2002, 01:25 PM
I downloaded and compiled this the other day without any problems at all.
SEQ decodes faster than ever :)
Only problem I have right now is that spawns do not "come back"... once a mob is killed, when it respawns, it is not showing up on SEQ. I don't really care about it, I use this mostly for scouting anyway, but I was wondering if anyone else was having this problem?
Poncho
12-11-2002, 02:24 PM
~Firstborn~
I used to have the same problem WAY before the expansion and the advent of sniffing from the EQ box.
After reading every post I could find, I found that others were having the same problem. It boiled down to the firmware in my switch. Yes, I said switch - not the hub between EQ -->SEQ. I went to an older version of the firmware and solved the problem.
I don't think this is any problem within the sniffer or SEQ. I'd look into this 1st....
I too have started to notice (unknowns) after some time playing in multiple zones. I have just shut down, restarted my hook and reloaded EQ again. All fixed. Only has happened twice in past couple weeks. Hasn't happened since changing offset to 09 from 04. I doubt this had something to do with it, but I do remember a post talking about the computations surrounding pos vs. neg numbers within the memory structure. (Obviously I'm not at the level of most of you, but there are enough hints within this board to fix almost EVERY problem imaginable within SEQ)
I hope this helps a bit.
h0bbit
12-18-2002, 03:26 PM
Maggotboy kick ass, very clean code, working flawlessly on my end! Thanks for a job well done, kudos to you!
Maggotboy rules .
But any hints to make the sniffer work with 2 copies of eqgame.exe running on the same machine?
I use EQW a lot. But it will screw up the sniffer. I assume SEQ works fine because there is an option named something like thread session......... I wonder, if I run 2 copies of eqgame.exe and there are 2 sets of keys, how can the sniffer program send to the correct one?
shadowcat
12-19-2002, 06:47 AM
Try doing a search on here. People were talking about that at one point.
Dedpoet
12-19-2002, 07:05 AM
If I remember correctly, there isn't an easy way to do this. The current sniffers will find the first eqgame.exe process in the list, so they would both be watching the same session. You may have to settle for your second session in GPS mode.
S_B_R
12-19-2002, 12:23 PM
Hmmm, I wonder if you could rename 1 copy of eqgame.exe..? You'd have to run it outside of the patcher... Just an idea..... /shrug
bonkersbobcat
12-19-2002, 03:25 PM
Originally posted by Dedpoet
The current sniffers will find the first eqgame.exe process in the list, so they would both be watching the same session
One could modify the current sniffers to grab the second, third, or all instances of eqgame.exe as appropriate...
... Use the source, Luke!
Samefudge
12-20-2002, 09:29 AM
Running 2 copies may soon be a moot point anyway.
Windowed EQ on Test (http://pub140.ezboard.com/fgraffeswizardcompilationfrm1.showMessageRange?topicID=23795.topic&start=21&stop=28)
OldNecro
12-20-2002, 03:07 PM
using latest version of v2, compiled perfectly no errors or warnings at all, got latest offset verified, correct IP address of my SEQ box, using port 10060, nothing is decoding. I can't even tell if the SEQ box is getting the key at all or not.
Any thoughts?
-OldNecro
S_B_R
12-20-2002, 03:51 PM
Did you setup ShowEQ to listen to port 10060?
Try using tcpdump to look for the UDP traffic.
OldNecro
12-20-2002, 03:58 PM
Yes, I did do that after searching the forums a little more after I posted. There are no packets coming in on that port from either of my NICs. I have my linux box set up as a gateway since I use a switch. And yes, I set SEQ to listen to 10060.
Nitro5955
12-20-2002, 04:34 PM
I built the DLL (using win98 and Visual Studio 6 C++) and I can launch the dll for testing when it is in the directory that I created for the project. Once I move the dll to another directory (Or computer) I get an error when I try to launch the dll using the command. The error I get is : Error in C:\eqsniffer.dll Missing entry: Installhook
Of course I changed the dll and the def files.
I am a newbie to this but I thought I followed the instructions correctly. I can launch tcpdump and get info to the linux box but I get that error anytime I move it.
Any help would be appreciated.
Nitro
Edit
PS. If I change nothing (in the def and cpp file) and build the dll and copy it to the root of my c: drive and launch it I get the same error.
mcnulty
12-21-2002, 02:35 PM
Can anyone help me get this to compile on minGW please?
I get:
C:\Program Files\MinGW\bin>gcc -c sniff.cpp
sniff.cpp: In function `LRESULT InternalHookProc(int, unsigned int, long int)':
sniff.cpp:572: parse error before `{' token
sniff.cpp: At global scope:
sniff.cpp:578: ISO C++ forbids declaration of `pvmem' with no type
sniff.cpp:578: invalid conversion from `void*' to `int'
sniff.cpp:581: ISO C++ forbids declaration of `pinj' with no type
sniff.cpp:581: invalid conversion from `_injectstruct*' to `int'
sniff.cpp:584: parse error before `if'
sniff.cpp:592: ISO C++ forbids declaration of `s' with no type
sniff.cpp:592: base operand of `->' is not a pointer
sniff.cpp:593: parse error before `if'
sniff.cpp:597: syntax error before `->' token
sniff.cpp:600: syntax error before `->' token
.. and I know nothing about this stuff :o)
Thanks,
Joe.
Deoen
12-22-2002, 01:00 AM
I'm not strong with Visual C++. is there a post or site that has step by step instructions of how to compile this project?
Fletch
12-23-2002, 05:42 AM
Originally posted by Deoen
I'm not strong with Visual C++. is there a post or site that has step by step instructions of how to compile this project?
Yes there is, you're reading it.
Zelar
12-23-2002, 09:45 AM
First I'd like to give a huge thanks to Maggotboy for the excellent work. I have skittles for the first time since they hosed us up!!
But, I am noticing that Rundll32.exe isn't leaving the task list even after I shut down EQ. Is anyone else having this problem?
I complied on MS VC++ 6.0 on WinXP.
sauron
12-23-2002, 10:34 AM
Just so you know how it's supposed to work, rundll.exe will leave memory when you press the first key in eqgame.exe. This is usually at the big SOE screen (I press enter to bypass this screen, and move on to the login screen). I have looked in the Task List, and watched Rundll go away when I press enter.
Perhaps you should check to see if RunDLL is already running before you run the sniffer, for some other program?
Other than that, be sure you are running the latest version of the code (it has a few fixes).
P.S. -- Use EQW so you can watch the task list.
Don't know if this helps...
Zelar
12-23-2002, 10:41 AM
Fairly sure Rundll32 isn't in the list before I kick off the sniffer, but I'll check to make sure. I'll try the EQW thing also, to see if it's there while EQ is running.
What I am actually seeing is that after I'm done playing and I shut down EQ, Rundll32 is in the task list, and I was assuming it was from the sniffer not unloading properly. I'll take a closer look and make sure that it's coming from the sniffer and not another program.
OldNecro
12-24-2002, 01:05 AM
Latest v2 compile is making me totally dump to desktop after about 1 hour to 90 minutes of play. I have failed to locate the problem, as I have no way of debugging the locked-up EQ exe since it totally dumps and unloads. Also, if I exit EQ, I have to reboot before it will work again at all... Using VS6 compiler and win98 se.
-OldNecro
warewolf
12-24-2002, 08:31 PM
OldNecro- I have the same problem. My rundll32 doesn't leave the tasklist after EQ exits, or crashes. But, I am able to kill off the rundll32 with the task manager in win98 (ctrl-alt-delete, end task) and restart it, and everything works fine until the next crash.
No idea why.
Aurelius
12-25-2002, 06:43 AM
This is just a simple question for you experienced guys. I compiled the SSSV2 using MS Visual C++ on a WinXP Pro. It works with no problems. But I copied it to my WinME box and it doesn't decode the spawns or players, just a GPS and ground spawn items. Is this because I didn't compile it on the WinME system or is there another problem/solution that I have missed?
Thanx for your time, and if it is something stupidly easy I apologize at this time before the 'hate' mail comes in.
Merry Christmas to you and yours and best wishes for a safe but enjoyable holiday season. (Unless you don't celebrate Christmas, then, in that case, have a nice day!)
devnul
12-25-2002, 11:28 AM
Oldnecro try the modifications that make enough room for the inj struct. I haven't yet but after looking at the current code I agree that the current code is bound to crash out of bounds at some point. Might fix your problem.
Or might not;)
dn
sauron
12-26-2002, 05:39 AM
I haven't looked at the changes yet, but the thread he is talking about is " Thread for those crashing using the V1 or V2 sniffers ..."
Note, there is a lot of talk about setting compiler options that will fix crashes too. Definitely the thread for people who are crashing to go look for help.
Pascal7
12-27-2002, 08:29 AM
My sniffer compile was working fine till I swapped characters yesterday. Now I can't decrypt buttkis. I've recompiled, unloaded other memory managers, etc. Nada... I mean the offset didn't change?
Any ideas on what I might be missing? :confused:
If I figure it out I'll post the fix.
ZeroSkillz
12-27-2002, 10:08 AM
Thanks Maggotboy.
I got the sniffer to work with little effort. I am a Windows guru, not proficient with Linux at all. Nor have I ever written any code beyond a MS-DOS script.
It was a fun little project getting everything together and making it work. It was much like a Quest of its own.
You have become better at compiling code (1)
You have become better at searching forums (44)
You have become better at following directions (180)
Your faction standing with Network Nazi's of Sony could not possibly get any worse.
Aurelius
12-27-2002, 05:01 PM
Originally posted by ZeroSkillz
You have become better at compiling code (1)
You have become better at searching forums (44)
You have become better at following directions (180)
Your faction standing with Network Nazi's of Sony could not possibly get any worse.
God, did this crack me up. Been having a bad day until I saw this. Don't know why it tickled me so much, but good to have a holiday laugh jag.
Aurelius
12-28-2002, 12:38 AM
Got a different problem now. While SSSV2 works for me with regular eq, I can't even get the GPS capability on test. I am changing the correct "eqgame" to "testeqgame" but nothing is coming up. Just wondering?
Cryonic
12-28-2002, 01:23 AM
That is because test has some changes that haven't been incorporated into SEQ and most likely won't till they go to the live servers.
Deoen
12-28-2002, 04:07 PM
I must be doing something wrong. I compiled the program with no errors. I entered the command line in a dos window and the cursor just sits there. I go to my SEQ machine and do tcpdump at the port I put in my command line and I see nothing. Can someone give me some ideas on what I can check?
Aurelius
12-28-2002, 05:04 PM
Just to give you some feedback, I run the sniffer V2 from within windows using the 'Run' button. What then happens to me is that the cursor has a little bitty hour glass for a few seconds and then back to the regular cursor. Then I start up the EQ program. I never dropped to DOS to run the program though so I don't know.
Deoen
12-28-2002, 10:18 PM
I got it to run somewhat. In the task manager I see the Rundll32. But as I start EQgame, Rundll32 stops. I see on tcpdump it sends some information, but it's not correct.
NM, found it in a post, but SEQ is still not getting the correct information
ZeroSkillz
12-29-2002, 11:44 AM
This may help some of you with as little or less skillz than me....
This is how I know the dll is successfully loaded -
First off.. I load it from the ms-dos command line... the dos prompt returns after the dll is loaded... after the DLL is loaded... the rate at which key presses repeat themselves becomes slow and regulated...
Normally if I hold down a key at the dos prompt.. like the letter Z for example... after about 3 seconds of holding it down... I will have the letter Z repeating itself at lightning speed across the window....
WITH the dll loaded... and a key held down... I get about 1 letter per second. This slowness goes away, and keys return to normal speed the moment the dll finds the eqgame and "hooks" itself (eep I used a big word... don't know what it means tho).
Deoen
12-29-2002, 05:40 PM
That's fine, and I got it to work somewhat. It loads, but is the information going to Seq wrong? This is what is sent to SEQ
17:21:58.666964 I92.168.0.171.1339 > 192.168.0.110.12666: upd 8
I used "tcpdump dst port 12666" to get the info
Trying to find out if this is normal? My seq still acts like a GPS. I set the port address to 12666 through Decoder/key port.
My game PC is 192.168.0.171
My Seq PC is 192.168.0.110
Am I missing something?
Also the code above is only output once.
I also upgraded my MS C++ with SP5, recompiled my DLL and still no luck. I have been looking through this thread for any help.
S_B_R
12-30-2002, 09:34 AM
17:21:58.666964 I92.168.0.171.1339 > 192.168.0.110.12666: upd 8
Looks right to me.
sauron
12-30-2002, 04:08 PM
Try setting port 12666 manually in SEQ menu, then zone again.
Deoen
12-30-2002, 10:18 PM
Is anyone having problems with address 0x0078AAD0? I changed mine and now it works.
S_B_R
12-31-2002, 08:08 AM
What "address" are you referring to? Assuming you are actually talking about the "Offset" I believe it is currently 0x0078bcb8
I've been using SEQ for about a year now without much trouble. I've usually found that if I just dig long enough and teach myself some new stuff here and there I can figure what needs to be done to get it working. But for the first time I am stumped. This is the first time I have ever used C++ so it makes it a little difficult to troubleshoot. I'm a photographer, not a computer guru, which has been why I've been so hesitant to post here and potentially get flamed by people that I have a great deal of respect for.
I was able to compile 2.05, but I seem to be having the same problem a number of people have had. SEQ seems to be receiving the key (or something... more on that in a sec), but is not decoding. I've been using MS Visual C++ 6 with SP 5 on a WinXP Pro machine with sp1. The command line looks like:
ws2_32.lib wsock32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /incremental:yes /pdb:"Debug/Keylog.pdb" /machine:I386 /def:".\Keylog.def" /out:"Debug/Keylog.dll" /implib:"Debug/Keylog.lib" /pdbtype:sept
".\Debug\Keylog.obj"
in the build log. So if I'm reading this correctly ws2_32.lib and wsock32.lib are both included. I have read in several posts that these are needed. Like many people I was not able to select:
Category: Customize
- Enable function-level linking: CHECKED
- Eliminate duplicate strings: CHECKED
as they are greyed out no matter what I did. I did not find a solution to this anywhere on the boards. I did find elsewhere on the net that these can only be selected if you're using a static library... but to tell you the truth, I don't know what that means. It did compile however with this as the output:
Linking...
.\Keylog.def : warning LNK4017: Keylog statement not supported for the target platform; ignored
Creating library Debug/Keylog.lib and object Debug/Keylog.exp
Keylog.dll - 0 error(s), 1 warning(s)
So I don't know if that's a problem or not. I moved my Keylog.dll to my c: root and ran the hook with this command:
rundll32.exe C:\Keylog.dll,HI 192.168.1.103 10777 eqgame.exe 0x0078ABD0
... and it loads fine. I did notice that above Deoen said he had a problem with the 0x0078ABD0 address and I'm wondering if that has anything to do with the fact that it's not decoding. I'm not too sure what that address does.
On the SEQ box when I run tcpdump -X dst port 10777 I get:
tcpdump: listening on eth0
13:54:16.995608 192.168.1.2.1988 > 192.168.1.103.10777: udp 8
0x0000 4500 0024 cdcc 0000 8011 e942 c0a8 0102 E..$.......B....
0x0010 c0a8 0167 07c4 2a19 0010 4a37 0000 0000 ...g..*...J7....
0x0020 0000 0000 ffff ffff ffff ffff ffff ..............
... and it pretty much always looks like that. In fact when I run SEQ the console says:
Decrypting and dispatching with key: 0x0000000000000000 and never changes even when I change zones. The only thing it does say when I change zones is:
EQPacket::dispatchZoneData():CharProfileCode:Not Decoded
Now color me stupid, but 0x0000000000000000 doesn't look like much of a key to me. So I was maybe wondering if it is somehow pulling the "key" from the wrong part of memory or something.
I don't even get gray dots on the map. I can see myself but that's it. And it runs REALLY slowly! Sometimes up to 15 seconds behind where I'm at.
Well, I'm sorry for such a long post, but I figured I would have a better chance of someone in the know helping if they had as much info as possible. Thanks to all of you guys who have been so much help!
Ok, I'm an idiot. Sorry for the long post above... but I found my answer in the Keyring thread. I was running:
rundll32.exe C:\Keylog.dll,HI 192.168.1.103 10777 eqgame.exe 0x0078ABD0
when it needed to be:
rundll32.exe C:\Keylog.dll,HI 192.168.1.103 10777 eqgame.exe 0x0078bcb8
So now I see that the offset needs to be changed every time the game is patched.
Thanks Maggotboy for such great code!
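The tcpdump -X dumps quoted in this thread are enough to answer the recurring question of whether the SEQ box is actually receiving a key: decode the IPv4/UDP headers, pull out the 8-byte payload, and read it as the little-endian integer the sniffer is documented to send. The script below is an added example written for this thread, not Maggotboy's code or any part of ShowEQ; its sample input is the dump S_B_R posted above, and an all-zero payload is reported as the wrong-offset symptom that post diagnosed.

```python
import re
import struct

# Sample input: the tcpdump -X capture quoted in S_B_R's post above (the packet
# whose key came out as 0x0000000000000000 because the offset was stale).
SAMPLE_DUMP = """\
tcpdump: listening on eth0
13:54:16.995608 192.168.1.2.1988 > 192.168.1.103.10777: udp 8
0x0000 4500 0024 cdcc 0000 8011 e942 c0a8 0102 E..$.......B....
0x0010 c0a8 0167 07c4 2a19 0010 4a37 0000 0000 ...g..*...J7....
0x0020 0000 0000 ffff ffff ffff ffff ffff ..............
"""

HEX_GROUP = re.compile(r"[0-9a-fA-F]{4}|[0-9a-fA-F]{2}")


def parse_tcpdump_x(text):
    """Return a list of (header_line, raw_packet_bytes) from tcpdump -X output.

    Each hex line carries an offset, up to eight 4-digit groups, then an ASCII
    column; the ASCII column is dropped by stopping at the first non-hex token.
    """
    packets, header, buf = [], None, bytearray()
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("0x") and header is not None:
            groups = []
            for tok in stripped.split()[1:]:
                if len(groups) == 8 or not HEX_GROUP.fullmatch(tok):
                    break
                groups.append(tok)
            buf += bytes.fromhex("".join(groups))
        elif stripped:
            if buf:
                packets.append((header, bytes(buf)))
            header, buf = stripped, bytearray()
    if buf:
        packets.append((header, bytes(buf)))
    return packets


def extract_udp_payload(pkt):
    """Return (src, sport, dst, dport, payload) for an IPv4/UDP packet, else None.

    The IP total-length field bounds the payload so Ethernet padding (the ffff
    bytes in the dump above) is not mistaken for key material.
    """
    if len(pkt) < 28 or pkt[0] >> 4 != 4 or pkt[9] != 17:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if len(pkt) < ihl + 8:
        return None
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    sport, dport, ulen = struct.unpack("!HHH", pkt[ihl:ihl + 6])
    payload = pkt[ihl + 8:min(total_len, ihl + ulen)]
    return src, sport, dst, dport, payload


def check_key_packet(pkt, expected_port):
    """Explain whether a captured packet is a usable key packet for ShowEQ."""
    info = extract_udp_payload(pkt)
    if info is None:
        return "not an IPv4/UDP packet"
    src, sport, dst, dport, payload = info
    if dport != expected_port:
        return f"wrong destination port {dport} (SEQ is listening on {expected_port})"
    if len(payload) != 8:
        return f"payload is {len(payload)} bytes, expected exactly 8"
    key = struct.unpack("<Q", payload)[0]  # little-endian, per the thread's spec
    if key == 0:
        return "key is 0x0000000000000000: the offset does not match this eqgame.exe"
    return f"ok: key 0x{key:016x} from {src}:{sport}"


if __name__ == "__main__":
    for header, pkt in parse_tcpdump_x(SAMPLE_DUMP):
        print(header)
        print("  ", check_key_packet(pkt, 10777))
```

Run it against a saved tcpdump -X capture to separate "nothing arrives" (firewall, wrong IP or port) from "the key arrives but is zero" (stale offset); the dump in Mithman's post at the end of this page shows the same all-zero payload.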
EnigmaticSEQer
12-31-2002, 08:23 PM
Code compiled and ran perfectly for me! Very important to use a high port number and make sure you're using correct memory address entry. :)
Thanks a bunch, Maggotboy!
jgorrell
01-05-2003, 07:10 PM
When I close EQ - I have to reboot before I can get the sniffer to load again. And when I go to reboot, I get that pop-up saying there is a program running, would i like to "wait" or "end task" so it seems it isn't closing out.
Anyone else getting this problem?
Aurelius
01-05-2003, 09:20 PM
I get that when I run the SSSV2 on my WinME machine. As a matter of fact it doesn't disappear from the running program list as it does on the WinXP machine. I think this is why I do not have any success running it from the WinME box. The WinXP runs fine and the decode is great. I compiled my SSSV2 on the WinXP box, does anyone think this may be the problem?
jgorrell
01-06-2003, 03:30 AM
Don't think so.. I compiled and I run it all on Win. 98
Rikus719
01-06-2003, 12:53 PM
Thanks Maggotboy..
compiled and ran like a champ on WinXP using VBS 6. Only thing that held me up some was the memory offset in the startup command needing to be changed.
Raelik
01-17-2003, 12:19 PM
Honestly, I don't think the port number really makes any bit of difference, as long as the port isn't in /etc/services, and even then, it really shouldn't matter. I've been using a # below 10k the entire time, and it's always worked fine. BUT, it's still a bad idea to use 10000, for obvious reasons.
sequsr0010
01-21-2003, 03:42 AM
Well, I have read every post in this topic 2 times. I compiled it with MVC++ on winME. I was able to check the 2 things everyone has had a problem with checking by changing the drop down menu from all config to debug something. I don't have SP5, dunno if I need it or not, I'm new to this. Followed the directions word by word. I moved the DLL to the WINDOWS32 directory. Tried running from the dos prompt and the RUN in windows. D/L task manager to watch for the rundll32.exe. I have the command right.
RUNDLL32.EXE bah.dll , InstallHook xxx.xxx.xxx 10777 eqgame.exe 0x0078bcb8
PROBLEM:
Watching the task manager I never see RUNDLL32 come up at all. I do TCPDUMP dst port 10777 this is what I get:
tcpdump: listening on eth0
That's all, nothing else. I can run seq in GPS mode and see messages like spellcasts or text on my chat. My md5sum for libEQ.a checks out ok. I removed everything in my showeq directory and redid the install. I am currently trying to figure out how to run a debug program. So if anyone can post a walk-through on how to use one on winME that would be great. Dunno what else to tell ya, but I will be checking back often to answer any questions about my problems you would like to know.
BTW, great work on the code Maggotboy, just wish I could get this working.
EDIT: BTW If I do just TCPDUMP I can get all the info moving across my network ok
Wishbringer
01-21-2003, 05:30 AM
@sequsr0010:
Don't know if offset changed today with partial start of Ykesha (hadn't run patcher till now), but current offset is:
--------- snip ---------
*** New Offset 15.01.03 ***
eqgame.exe MD5: 9F50CC16BC9528375D794D1E78E2A6F9
New offset: 0x007ba178
--------- snap ---------
so it seems you can't catch key, because it isn't at that location, and so only GPS works.
Dedpoet
01-21-2003, 08:23 AM
RUNDLL32.EXE bah.dll , InstallHook xxx.xxx.xxx 10777 eqgame.exe 0x0078bcb8
Also, are you putting a space in there around the comma? I am pretty sure you need to not have a space in there, like this:
rundll32.exe bah.dll,InstallHook xxx.xxx.xx.xxx 10777 eqgame.exe 0x007ba178
Note the current offset per Wishbringer's post as well.
sequsr0010
01-21-2003, 01:11 PM
When I take the space out, I get an error with bah.dll: Missing Entry
S_B_R
01-21-2003, 02:07 PM
try entering the full path to the DLL. i.e. C:\somedirectory\bah.dll
sequsr0010
01-21-2003, 08:59 PM
Ok I got skittles, I noticed I had a space before and after the comma. I did notice while I am in game, rundll32 is still running and everquest.exe is running. Everything is working fine atm, but I think I have a memory leak somewhere. I will try to find out how to use this debugger and see if I can get what it says here.
Mithman
01-22-2003, 07:41 PM
I am having problems decoding.
I was using RH 7.2 for my seq box and Maggotboy's Super Stealth Sniffer 2.05 with no problems. My HD went tits up on me so I decided to install RH 8.0 and loaded seq. I can get it to see my EQ but I can't get it to decode.
This is what I get when I run tcpdump:
[root@evrtwa1-ar7-4-62-024-053 root]# tcpdump -X port 12086
tcpdump: listening on eth0
22:24:09.769290 evrtwa1-ar7-4-63-176-120.evrtwa1.dsl-verizon.net.3154 > evrtwa1-ar7-4-62-024-053.evrtwa1.dsl-verizon.net.12086: udp 8
0x0000 4500 0024 00e0 0000 8011 68bf 043f b078 E..$......h..?.x
0x0010 043e 1835 0c52 2f36 0010 f31b 0000 0000 .>.5.R/6........
0x0020 0000 0000 0000 0000 0000 0000 0000 ..............
22:24:09.793727 evrtwa1-ar7-4-63-176-120.evrtwa1.dsl-verizon.net.3154 > evrtwa1-ar7-4-62-024-053.evrtwa1.dsl-verizon.net.12086: udp 8
0x0000 4500 0024 00e0 0000 7f11 69bf 043f b078 E..$......i..?.x
0x0010 043e 1835 0c52 2f36 0010 f31b 0000 0000 .>.5.R/6........
0x0020 0000 0000 0000 0000 0000 0000 0000 ..............
On my windows box my command line is: RUNDLL32.EXE tceqfar.dll, Mithman 4.62.24.53 12086 eqgame.exe 0x007ba178
Can anyone see anything right off that I might be doing wrong??
OOPS....forgot to make an opening in my firewall...lol
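A diagnostic that the dump above invites, as an added example (not code from the thread or from the sniffer): decode the tcpdump -X hex output into the UDP addresses, ports and payload, and flag packets whose 8-byte payload is all zeros, since such a packet reaches the seq box but carries nothing to decode. The packet sample is constructed from Mithman's dump, with placeholder hostnames in the summary line.

```python
import re
import struct
from itertools import takewhile

# Constructed sample: one packet, hex copied from the tcpdump -X output quoted
# above, with the hostnames in the summary line shortened to placeholders.
SAMPLE_DUMP = """\
tcpdump: listening on eth0
22:24:09.769290 eqbox.3154 > seqbox.12086: udp 8
0x0000 4500 0024 00e0 0000 8011 68bf 043f b078 E..$......h..?.x
0x0010 043e 1835 0c52 2f36 0010 f31b 0000 0000 .>.5.R/6........
0x0020 0000 0000 0000 0000 0000 0000 0000 ..............
"""

SUMMARY = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+ ")  # a packet summary starts with a timestamp
HEXWORD = re.compile(r"^[0-9a-fA-F]{4}$")           # one 16-bit word of the hex column

def decode_udp(summary, raw):
    """Decode one IPv4 datagram; return None if it is not UDP or is truncated."""
    if len(raw) < 20 or raw[0] >> 4 != 4 or (raw[0] & 0x0F) < 5:
        return None
    ihl = (raw[0] & 0x0F) * 4
    total_len = struct.unpack("!H", raw[2:4])[0]
    raw = raw[:total_len]  # drop link-layer padding tcpdump prints after the datagram
    if len(raw) < ihl + 8 or raw[9] != 17:
        return None
    src_ip = ".".join(str(b) for b in raw[12:16])
    dst_ip = ".".join(str(b) for b in raw[16:20])
    sport, dport, ulen = struct.unpack("!HHH", raw[ihl:ihl + 6])
    payload = raw[ihl + 8:ihl + ulen]
    return {"summary": summary, "src": f"{src_ip}:{sport}", "dst": f"{dst_ip}:{dport}",
            "payload": payload.hex(),
            # an all-zero payload means the datagram arrives but carries nothing useful
            "all_zero": bool(payload) and not any(payload)}

def parse_tcpdump_x(text):
    """Group 'tcpdump -X' lines into packets and decode the UDP ones."""
    packets, cur = [], None
    for line in text.splitlines():
        if SUMMARY.match(line):
            cur = {"summary": line.strip(), "hex": ""}
            packets.append(cur)
        elif cur is not None and line.lstrip().startswith("0x"):
            # keep the 4-digit hex words, stopping at the ASCII column on the right
            words = takewhile(HEXWORD.match, line.split()[1:])
            cur["hex"] += "".join(words)
    decoded = [decode_udp(p["summary"], bytes.fromhex(p["hex"])) for p in packets]
    return [d for d in decoded if d is not None]
```

Running `parse_tcpdump_x` over a saved `tcpdump -X port 12086` capture lists each packet's endpoints and payload; the sample packet decodes to an 8-byte payload of zeros.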
sequsr0010
01-23-2003, 12:12 AM
On my windows box my command line is: RUNDLL32.EXE tceqfar.dll, Mithman 4.62.24.53 12086 eqgame.exe 0x007ba178
Don't put any spaces between tceqfar.dll,Mithman
That was my problem for awhile.
jgorrell
01-24-2003, 02:50 AM
ROFL, I've spent hours and hours sitting out raids and browsing Sony's tech forums about constant random crashes to desktop. Tonight I was in a good group and wanted to get back quick so I rebooted and logged on without loading the keysniffer and was able to play for 5 hours without a crash at all.
That's when it hit me, I came here to see if anyone else had this problem and sure enough they did. I'm just happy I know what it is, I've been fooling with virtual memory settings and was about to even try underclocking my system!
Anyways, I have two questions..
First, my .cpp file says for 2.05, and on the first post on this thread (but not in the .cpp file) it says that it was updated to release the hook now. Did this change without a version number change because mine is still running after I close EQ.
And second of all.. does the file unloading fix the desktop crashing or does that still seem to be an issue?
Amazing Job MaggotBoy!
sequsr0010
01-24-2003, 03:26 AM
I am still having problems with mine not unhooking, so when I get into the game I just shut off my dll, seemed to fix my crashing after memory fills up. I can't figure out how to use any of the debuggers for winME, if someone could help me figure one out I can post what is happening to me.
jgorrell
01-24-2003, 11:39 AM
Ahh, so you just have to either "ctrl+alt+del" the rundll32 or run RemoveHook?
I'll try that tonight and see if I stop crashing.
devnul
01-24-2003, 11:46 AM
My EQ still crashes from this sniffer after a while also, and it's probably because the hooker never releases itself, even with the unhook.
How do you shut off the dll when in the game?
The only way I have found is to reboot, then the system notices it and asks to kill it, but it doesn't show up in the task manager before that.
dn
jgorrell
01-24-2003, 12:42 PM
It should be in task manager as "Rundll32.exe", not the .dll file you made.
SparkyDClown
02-23-2003, 03:14 PM
I don't know just how effective this would be to hiding it, but I copied rundll32.exe and gave it a different name, say something like ADUsermon.exe or something like that that other programs run (that I'm not running)... so many programs actually create processes anymore it's sickening.
At any rate a process enumeration doesn't show "Rundll32.exe" sitting there and gone after EQ starts up.
I also placed the DLL on a network drive and used UNC to reference and use it thus removing the ability to detect it by scanning the local drive.
Zewl_1
02-24-2003, 07:53 AM
I spent many many hours reading these forums yesterday and I still cannot quite get my setup to work. I think it may be a topology thing as I think everything else I have is working.
* I was able to compile with no errors. Rundll32 loads and unloads as it should.
* I can get GPS mode with the grey unknowns
* When I run tcpdump to listen on my specified port I don't get anything, well kinda. When I hit any key to get past the first three screens before login (SOE, EULA, etc..) my TCPDUMP gets a few messages. But not the UDP 8 byte that I am expecting. A lot of ARP chatter asking who xxx.xxx.xxx.xxx is and responses with mac addresses. After about 15 lines of this chatter I get nothing, even when zoning.
*Here is my setup:
Internet -- Cable Router -- Hub -- SEQ, EQ, 2k Box
My 2k box is acting as gateway, dhcp, etc. Is there a problem with this setup?
Any help is appreciated.
EnigmaticSEQer
02-24-2003, 08:08 AM
Zewl_1,
This might be the answer you're seeking or not. But most Cable companies only give 2 ip numbers. So if you're not using a switch where you listed hub, the SEQ system might not be getting an ip number assigned. Make sure you're setting the port number high too, like 50000..
Zewl_1
02-24-2003, 08:18 AM
Enig, thanks for the response. My cable router has the ISP IP address assigned to it and it is NATing out to the rest of my boxes.
I have tried several addresses. The odd thing is, I can set the tcpdump to listen to all ports and it sees that data going from the EQ box out.
Thanks.
LordCrush
02-24-2003, 08:24 AM
You get GPS-Mode = No problem with your IP-Setup.
Perhaps a problem opening the port, attaching to the exe. If you had a wrong offset you should see something in tcpdump, but it would not be the correct key ...
Have not used the dll ... therefore only common hints
Zewl_1
02-24-2003, 08:31 AM
* You get GPS-Mode = No problem with your IP-Setup.
That's what I was thinking Lord Crush. I am a little confused by the offset thing. In the example code of:
RUNDLL32.EXE mysniffer.dll,InstallHook 192.168.1.10 666 eqgame.exe 0x00773b90
Is the 0x00773b90 the offset, and should it be set to 0x007c1950?
Thanks.
LordCrush
02-24-2003, 08:41 AM
I am not sure about the current offset, it will change today anyway ... so we have to wait until a kind person with a debugging skill of 250 will post the new offset. :D
but I suggest changing the port 666 to some number above 1024 or better above 10000
666 is used by a trojan
http://www.windowsecurity.com/whitepapers/Intrusion_Detection_FAQ___What_port_numbers_do_wellknown_trojan_horses_use.html
perhaps you check this :p
and Doom uses it ;)
http://www.zvon.org/tmRFC/RFC1700/Output/chapter6.html
Hope it helps a little
Freakyuno
02-24-2003, 08:43 AM
He's showing you an example of the syntax
RUNDLL32.EXE mysniffer.dll,InstallHook 192.168.1.10 666 eqgame.exe 0x00773b90
Where 0x00773b90 would be replaced by whatever the current offset is found to be.
1.) Check to make sure you can ping each machine from the other.
2.) Check to make sure the firewall on your Linux box isn't blocking the port you're using.
3.) Check in SEQ "Network => Keyport =>" Enter whatever you put into your sniffer
4.) Make sure you're actually giving your TCPDump something to see. If you are installing the hook with a trigger of eqgame.exe, then you need to actually start EQ and wait for packets. (They will only be sent once or twice during boot of the game, then every time you zone for the most part)
LordCrush
02-24-2003, 08:52 AM
New offset
http://seq.sourceforge.net/showthread.php?s=&threadid=3044