DEVS: Locating offsets - part 2



MQSEQ2
12-21-2003, 05:18 PM
How to Locate EverQuest Offsets
===============================

This is the beginners guide to offset tracking and reverse engineering.
I'm using EverQuest as the basis to this example.

Programs needed: EQ (Running and in the world), Memory Sniffer, Hex Calculator


I will be using WinHack 2.00 demo version and Windows Calc in Scientific Mode.

1) Open a DOS prompt
2) Type: Calc{Enter}
3) This will launch Windows Calculator (if not locate it and launch it)
4) Type: at 15:00 /interactive "C:\Program Files\WinHack v2.00\WinHack2.exe"{Enter}

Note: 15:00 represents 3 PM in this example. If your locale time is 7:29 PM then
add 1 minute (or 2 minutes if slow typer) this would say launch WinHack at 7:30 PM.
Replace the 15:00 to 19:30 for it to launch at 7:30 PM. The /interactive switch is
the key to launching WinHack so it has access at the System Level, making it able
to connect to all Processes in memory. AT command: use at /? to get help.
If WinHack doesn't launch at the time you choose, type AT{Enter} and it will show you
when it was supposed to launch. More than likely it will say tomorrow; use AT /delete
to remove it. This happened because the time that was set was too close to the launch
time and the OS didn't get it registered in time, so redo it and change the time to
maybe 2 minutes ahead.

5) Select eqgame.exe in the Process dropdown list.
6) Select the Edit Memory tab

The next few steps are the main things to remember when trying to reverse engineer anything.

Finding patterns:
1) In Search Now type: {Your character's name}{Enter}

Congrats you have found the first offset needed.


Zone Offset:
======== 0 1 2 3 4 5 6 7 8 9 A B C D E F
===========================================
006C91D0 00 00 00 00 00 00 00 00 00 00 00 00 53 63 72 65
006C91E0 77 45 51 00 00 00 00 00 00 00 00 00 00 00 00 00
006C91F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
006C9200 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
006C9210 00 00 00 00 00 00 00 00 00 00 00 00 42 61 7A 61
006C9220 61 72 00 00 00 00 00 00 00 00 00 00 00 00 00 00
006C9230 00 00 00 00 00 00 00 00 00 00 00 00 54 68 65 20
006C9240 42 61 7A 61 61 72 00 00 00 00 00 00 00 00 00 00

2) Write down the location of the first letter of your character's name.

In this example the Zone Structure starts at Memory Address 006C91DC

006C91DC CharacterName[0x40] // 64 Bytes
006C921C ZoneShortName[0x20] // 32 Bytes
006C923C ZoneLongName[0x80] // 128 Bytes

For more of the Zone Structure look in the MQ2 file EQData.h for struct _ZONEINFO

3) Click Find Next (Repeat until you see the blue progress bar take a few seconds)

Congrats you have found the next offset needed. This is the most important offset to find.


Character Data Offset:
======== 0 1 2 3 4 5 6 7 8 9 A B C D E F
===========================================
063D18D0 00 00 53 63 72 65 77 45 51 00 00 00 00 00 00 00
063D18E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
063D18F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
063D1900 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
063D1910 00 00 48 61 63 6B 65 72 73 52 75 6C 65 73 00 00
063D1920 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
063D1930 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
063D1940 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

In this example the CharacterData Structure starts at Memory Address 063D18D0

063D18D0 Unknown01 // 1 Byte
063D18D1 Unknown02 // 1 Byte
063D18D2 CharacterName[0x40] // 64 Bytes
063D1912 LastName[0x20] // 32 Bytes

For more of the CharacterData Structure look in the MQ2 file EQData.h for struct _CHARINFO

We are looking for the CharacterData Structure starting Memory Address; this will
allow us to backtrack to the Calling Memory Address.

The Calling Memory Address is a static location every time the program is launched.
The Calling Memory Address stores the memory location of the Actual Data we are
looking for to populate the structure.
The Actual Data is located in a dynamic location; this means it could move around
every time the program is launched.

In this example we are looking for 063D18D0. We need to do a search for anything
calling this location. To do this we need to reverse the hex number to D0183D06;
the reason why is when storing jump locations it uses the First In Last Out (FILO) method.

4) Select Hex String
5) In Search Now type: D0183D06{Enter}

Congrats you have found the Calling Memory Address for the CharacterData Structure.


Calling Memory Address Offset:
======== 0 1 2 3 4 5 6 7 8 9 A B C D E F
===========================================
0072B7A0 30 BB 3D 06 00 00 00 00 D0 18 3D 06 30 BB 3D 06
0072B7B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0072B7C0 00 00 00 00 00 00 00 00 00 00 00 00 80 6F 98 02
0072B7D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

This is the main area for most of the Calling Memory Addresses for the structures we need.

6) Write down the location: 0072B7A8

For MQ2 this Address is in EQGame.h
#define pinstCharData 0x0072B7A8

For MySEQ this Address is in MySEQServer.Ini
CharAddr=7518120

0x0072B7A8 hex = 7518120 decimal

7) Write down the location: 0072B7AC

For MQ2 this Address is in EQGame.h
#define pinstTarget 0x0072B7AC

For MySEQ this Address is in MySEQServer.Ini
TargetAddr=7518124

0x0072B7AC hex = 7518124 decimal

Now you should be getting the drift of how to search and to locate things in memory.

Let's look for the Guilds now. This will be pretty easy because we will start at the
memory location 0072B7A8.

8) In the Go to Address type: $0072B7A8{Enter}
9) Click the Page Down button (it has the 2 arrows pointing down) (Repeat about 60 or so times)

You will start to see Guild names in a pattern. Scroll to the first one in the
list of Guild names.

Congrats you have found the Guild Structure


Calling Memory Address Offset:
======== 0 1 2 3 4 5 6 7 8 9 A B C D E F
===========================================
0072FE40 00 00 00 00 00 00 00 00 00 00 00 00 4D 79 53 45
0072FE50 51 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0072FE60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0072FE70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0072FE80 00 00 00 00 00 00 00 00 00 00 00 00 4D 61 63 72
0072FE90 6F 51 75 65 73 74 00 00 00 00 00 00 00 00 00 00
0072FEA0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

10) Write down the location: 0072FE4C

For MQ2 this Address is in EQGame.Ini
Guilds=0x0072FE4C

For MySEQ this Address is in MySEQServer.Ini
GuildsAddr=7536204

0x0072FE4C hex = 7536204 decimal

11) In the Go to Address type: $0072B7A8{Enter}
12) Click the Up Arrow (Single Up Arrow) (4 times)

Congrats you have found the Calling Memory Address for the SpawnInfo Structure.

13) Write down the location: 0072B768

For MQ2 this Address is in EQGame.h
pinstSpawnList=0x0072B768

For MySEQ this Address is in MySEQServer.Ini
SpawnHeaderAddr=7518056

0x0072B768 hex = 7518056 decimal

Move over 4 Bytes

Congrats you have found the Calling Memory Address for the Items Structure.

14) Write down the location: 0072B76C

For MQ2 this Address is in EQGame.h
pinstEQItemList=0x0072B76C

For MySEQ this Address is in MySEQServer.Ini
ItemsAddr=7518060

0x0072B76C hex = 7518060 decimal

The next area of memory we need to locate is the Group members. The best way to do this
is to get in a group with at least 3 folks. This will allow you to see the pattern.

15) Select Ascii String
16) In Search Now type: {1st Group member ie. F2 person}{Enter}

Congrats you have found the Group List

You should see the folks in your group.


Group Offset:
======== 0 1 2 3 4 5 6 7 8 9 A B C D E F
===========================================
00729CF0 01 01 00 00 00 53 63 72 65 77 45 51 45 55 4C 41
00729D00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00729D10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00729D20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00729D30 00 00 00 00 00 4C 65 61 72 4E 54 6F 50 72 6F 67
00729D40 72 61 6D 00 00 00 00 00 00 00 00 00 00 00 00 00
00729D50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00729D60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

In this example the GroupMemberF2 starts at location 00729CF5.
The structure actually starts of 5 bytes before this at location 00729CF0.

Here is the structure I have worked out.

00729CF0 BYTE Unknown00 // 1 Byte
00729CF1 BYTE Unknown01 // 1 Byte
00729CF2 BYTE Unknown02 // 1 Byte
00729CF3 BYTE Unknown03 // 1 Byte
00729CF4 BYTE Unknown04 // 1 Byte
00729CF5 CHAR GroupMemberF2[0x40] // 64 Bytes
00729D35 CHAR GroupMemberF3[0x40] // 64 Bytes
00729D75 CHAR GroupMemberF4[0x40] // 64 Bytes
00729DB5 CHAR GroupMemberF5[0x40] // 64 Bytes
00729DF5 CHAR GroupMemberF6[0x40] // 64 Bytes
00729E35 BYTE Unknown03 // 1 Byte
00729E36 BYTE Unknown03 // 1 Byte
00729E37 BYTE Unknown03 // 1 Byte
00729E38 DWORD GroupMemberF2Address // 4 Bytes
00729E3C DWORD GroupMemberF3Address // 4 Bytes
00729E40 DWORD GroupMemberF4Address // 4 Bytes
00729E44 DWORD GroupMemberF5Address // 4 Bytes
00729E48 DWORD GroupMemberF6Address // 4 Bytes
00729E4C CHAR GroupLeader[0x40] // 64 Bytes
00729EBC

That's it for Part 1 of How to Locate EverQuest Offsets.

Future documents will be how to get the Structure Offsets, but for now use EQData.h from MQ2.

PS. Since I used live data please don't decipher the stuff and post my characters name.
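
As an added illustration (not part of the original post, nor code from MQ2 or MySEQ), the pointer-following step of the tutorial in Python: build the reversed hex search string, scan a constructed two-region memory image for DWORDs that reference the dynamic address, follow the static pointer slot back, and decode the name fields of the structure laid out above. The static region holds the 16 bytes shown at 0072B7A0; the dynamic region, its base address and the character names are constructed placeholders.

```python
import struct

# Constructed memory image (not captured from a real process): a sparse map of
# base address -> bytes, enough to replay the tutorial's pointer-following step.
STATIC_BASE = 0x0072B7A0
STATIC = bytes.fromhex("30BB3D06" "00000000" "D0183D06" "30BB3D06")  # bytes shown in the post
DYNAMIC_BASE = 0x063D18D0
# Block shaped like the CharacterData layout above: 2 unknown bytes,
# CharacterName[0x40], LastName[0x20]; the names are placeholders, not the author's data.
DYNAMIC = bytes(2) + b"Testchar".ljust(0x40, b"\0") + b"Placeholder".ljust(0x20, b"\0")
MEMORY = {STATIC_BASE: STATIC, DYNAMIC_BASE: DYNAMIC}


def search_pattern(addr):
    """Hex string to type into a hex-string search: the address in little-endian byte order."""
    return struct.pack("<I", addr).hex().upper()


def read(addr, size):
    """Read size bytes at addr from whichever region of the image contains them."""
    for base, data in MEMORY.items():
        if base <= addr and addr + size <= base + len(data):
            return data[addr - base:addr - base + size]
    raise ValueError(f"address {addr:08X} is not in the image")


def find_references(target):
    """Every address holding a DWORD equal to target: the candidate Calling Memory Addresses."""
    needle = struct.pack("<I", target)
    hits = []
    for base, data in MEMORY.items():
        start = 0
        while (i := data.find(needle, start)) != -1:
            hits.append(base + i)
            start = i + 1
    return sorted(hits)


def follow_pointer(ptr_addr):
    """Read the DWORD at a static pointer slot and return the dynamic address it holds."""
    return struct.unpack("<I", read(ptr_addr, 4))[0]


def parse_charinfo(addr):
    """Decode the two fixed-size name fields at the start of the CharacterData block."""
    raw = read(addr, 2 + 0x40 + 0x20)
    name = raw[2:2 + 0x40].split(b"\0", 1)[0].decode("ascii")
    last = raw[2 + 0x40:].split(b"\0", 1)[0].decode("ascii")
    return {"CharacterName": name, "LastName": last}
```

The MySEQServer.Ini values in the post are the same addresses written in decimal, so `int("0072B7A8", 16)` gives the CharAddr figure.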

sauron
12-21-2003, 07:05 PM
HAHA!...

edit == 8*)

MQSEQ2
12-21-2003, 07:21 PM
You're not supposed to post it :D

nelmer
12-23-2003, 07:29 PM
I am looking for some place to download Win Hack 2.0

The author has passed on to that great byte dump in the sky and his site no longer exists.

Anyone have it?

Bob the builder
12-23-2003, 08:26 PM
Very cute MQSEQ2 /winks


MQSEQ2 wrote this in another post as well:


MySEQSneakPreview 2.0 Server and MySEQTester will give you the visual information and makes it very clear if the data has been shifted and helps quickly reset the structure location.

/tosses a bone

WinHack 2.0 download from FH (http://forever-hacking.net/?p=files)

Bob

MQSEQ2
12-23-2003, 10:46 PM
Hey Bob I guess you liked the easter eggs in the tutorial? ;)

nelmer
12-25-2003, 08:12 AM
Originally posted by Bob the builder
Very cute MQSEQ2 /winks


MQSEQ2 wrote this in another post as well:



/tosses a bone

WinHack 2.0 download from FH (http://forever-hacking.net/?p=files)

Bob

I found this link earlier and it was dead.
Now it is working.
Weird.

Thanks

MQSEQ2
12-25-2003, 09:04 AM
It's not strange, FH has a very poor connection and goes up and down all the time.

NovaUSC
12-29-2003, 01:25 PM
I seem to be having some problems trying to find the offsets. I created a new character to play around with in the hopes that less info might make everything easier for me. I found my Zone Offset without a problem. It was the same as what you have in the tutorial for character name, zone short and zone long. The problem is finding the character offset. I did the search next and found only one other instance of my name at location 0072B6C0. This is the only other instance of my name. If I do a reverse lookup for C0B67200 I get 00491358. I know I've missed something. Any ideas on where I'm screwing up?

MQSEQ2
12-29-2003, 01:54 PM
Try going to the CharAddr=7518120 and see what address it points to then go to that address.

The easiest way I found was once you go to the address 7518120 you will see 4 bytes of data in reverse order, instead of reversing them you can copy the content from the DWORD box (which has been reversed and converted to decimal, so don't add the $) and then paste it in the Go To box.

Give that a try and see what you come up with, once you do it a couple of times you will see the patterns.

NovaUSC
12-29-2003, 02:57 PM
I noticed something while I've been working with the offsets. Everyone's eqgame.exe should be slightly different, but shouldn't they be roughly the same size? The range of my exe is 00400000 to 01000000 roughly. I noticed yours is much larger. Is there a reason for that?

MQSEQ2
12-29-2003, 03:11 PM
Yes, the reason is the area of memory that holds the Character Data is in Dynamic Memory, which will change all the time when you launch the eqgame.exe. If I have a lot of stuff open then mine will be a lot higher in range.

The static memory locations are always in the same spot, so that's why we go there to get the dynamic location.

NovaUSC
12-30-2003, 01:31 PM
edited!

MQSEQ2
12-30-2003, 01:35 PM
Good Job NovaUSC.

I will try out WinHex to see if I like it better than WinHack (not hard to do hehe) or should I just write my own.

MQSEQ2
12-30-2003, 08:12 PM
I bought a copy of WinHex tonight so I will write a How To based on WinHex.

A single copy cost me $57 US, so if you want to start a nice set of tools then this is a very cheap way to start.

NovaUSC
12-30-2003, 09:56 PM
It really is a nice program. Just so everyone knows, you don't have to buy it to use it for finding offsets. It does add a lot of bells and whistles if you do though.

Reepicheep
01-03-2004, 11:41 PM
I have tried to get offsets on my own.
It is not working very well for me because at the top it shows each process as having a beginning and an end (around 004 to about 04)...

The charinfo call address points to an 06 address, which is out of range of the process.... which is probably why I can't find it when I use my name as the search term.

Why is mine out of the range of the process? How would I go about searching it?

MQSEQ2
01-04-2004, 01:22 AM
You can't use my Dynamic numbers because they are Dynamic and may not be the same on your machine.

Try jumping to the 7518120 Address to find your Character Dynamic Address location. Remember the 4 bytes are in reverse order.

TempLoginName
01-04-2004, 05:45 AM
Quick question. Why do you use
at 15:00 /interactive "C:\Program Files\WinHack v2.00\WinHack2.exe"{Enter}
?

I just run winhack normally and I have no trouble finding the offsets.

Old No Name

MQSEQ2
01-04-2004, 11:24 AM
You must be running Win98/ME. In the NT/XP line of OS's they protect the memory from each process. If you can launch WinHack without the AT command and can see the eqgame process then the AT command is one less step for you to do.

Squiffy
01-13-2004, 05:50 PM
WinHex won't work for me. At least, it won't work on Test/Beta servers. It doesn't even show testeverquest as a possible process to analyze. It's just about the only thing missing out of the list, though.

/boggle

Doesn't matter if I run a scheduled task or not.

MQSEQ2
01-13-2004, 08:53 PM
The reason it's missing in the process list is because you are running Win NT/XP, and these operating systems use secure memory locations so that multiple users can be on the system without seeing other people's memory space. They also prevent one application interfering with another process; for example, in the old 16 bit days if you ran MS Word and Excel at the same time and say Word crashed, you would have a 98% chance that Excel would crash too.

Now for you to get WinHex to work on your system so it can see all the running processes you must set it up to access the memory at the System Level access by using the following command:

C:\WinHex>AT 20:00 /INTERACTIVE "C:\WinHex\WinHex.exe"

See the original post to get more details on how to use the AT command.

wardave
01-24-2004, 12:28 PM
This is how they made those eq trainers back in the days right? Like the speed movement one and stuff right? =)

MQSEQ2
01-24-2004, 01:54 PM
yep, it's very easy to do.

wardave
01-24-2004, 07:10 PM
Kinda weird that they are easy to do and you can't seem to find any on the net =/

MQSEQ2
01-24-2004, 07:47 PM
You got to know where to look on the net. Try HF. They have a lot of them.

wardave
01-24-2004, 08:33 PM
=) sweet, thanks

bootyjuice
02-02-2004, 03:57 PM
First, I'd like to say that your tutorial is excellent and very well thought out.

I'm just beginning with memory editing myself although I have a fairly strong programming background and have one question. I've been browsing around in eqgame.exe's memory via WinHack and can find my character's information just fine.

The problem I encounter is when I try to find any entry on the npc spawn list. I know that they're in there somewhere because I have MySEQ running and the spawn list is accurate ... but when I search for, as an example, the ascii string "Iramai" and my character is in Plane of Tranquility I come up with nothing.

I know I must be missing something obvious but can't figure out what.

Thanks in advance for any responses.

booty