
Locating Offsets on the Test Server



Iwannasee
01-13-2004, 10:13 PM
I was able to get WinHex to browse the memory space for testeverquest.exe but the values I came up with for the offsets didn't work. I think part of the problem was that there were multiple locations to choose from for the first 2 steps... I went through all the steps using the live server so that I could see what was in memory around what I was looking for then went to test and looked for the same patterns. Any hints on narrowing down the possible choices?

Squiffy
01-14-2004, 12:46 AM
I'm getting stumped similarly to an earlier poster on the reverse lookup part...

I'm trying to get offsets for test at the moment, so don't fret if the numbers are different than they should be.

I get the Zone Structure offset fine, but everything after that has me totally lost. I dunno if Sony's put in some added SEQ protection, or if I'm just doing things wrong.

I do a search on my toon's name, and have yet to find anything similar to a structure of FirstName (buncha blanks) LastName.

MQSEQ2
01-14-2004, 06:50 AM
The test server is always running different offsets aka the ones that will be used after next patch.
The character's info is in protected memory but it can be found. If you are using WinHex make sure you are looking at the Entire Memory space for EQGame.exe, not just the EQGame.exe process.

The Entire memory space will reveal everything that you want to see. The best way is to get familiar with the current offsets on the Live servers and then once you see how things work and where they are located go to the Test servers and try to find the same things.

What you want to try and find is the Main memory locations for the dynamic memory. Try and find the CharAddr location because it's the area of memory that will point you to the area that has the memory locations for a lot of other regions, I call this the main memory location.

Iwannasee
01-14-2004, 03:14 PM
OK. I went back last night and went through the process of finding offsets for test again. The testeqgame.exe file was new as of yesterday, so my previous offsets had changed (as expected).

To narrow down the possible extra locations, I created a new character, betabuffed, and gave him a surname.

Following the how-to:

Step 1. I found the character name followed by the surname easily. But, the first location had the surname at +68 bytes as did the second. Third and fourth locations had surname at +64 bytes. There were a few other locations in between with first name only.

Step 2. I continued until I found the character name with short zone name and long zone name matching the same structure shown. I'm really unclear what to do with this location at this point.

Step 3. I found the character's name and surname in the same general memory range as posted. I had to skip a few finds of first name only to get to it. And it matched what I saw in live with a couple of things in memory just before it. (text that says something like "this is text dude", twice) I used this to find the calling memory location...

Steps 4-6. If I used the correct name location, the calling location is at 00732980 hex. (7547264 dec) This should be the CharAddr value, correct?

Step 7. TargetAddr was verified by actually finding the CharAddr location, verifying that the next 4 bytes were empty, then going into the game and targeting something. Next 4 bytes changed. TargetAddr= 7547268 Does this in fact verify that I had found the correct location for CharAddr?

Steps 8-10. The guilds structure was found after 21 page downs from the charaddr location. :) It's kind of a no-brainer. GuildsAddr= 7565948

Steps 11-14. I followed the directions for the next 2 locations. A way to verify them other than moving to a location would be nice. Anywho, SpawnHeaderAddr= 7547200 and ItemsAddr= 7547204

I skipped the steps for finding GroupAddr as I didn't think it'd be too wise to join a group then go AFK for 15 minutes...

When I plug the above numbers into either 1.x or 2.x servers, I get absolutely nothing from the clients. Shouldn't I get at least a little something from using the CharAddr at a bare minimum? It's possible the structs have changed, but from what I was looking at with the zone names and the targeting, I suspect they haven't changed that much if at all.

I think I'm on the right track but would appreciate any help in figuring out what I did wrong. I know there are some people out there that would love to see where they are going while on test, even more true since the beta is going...

MQSEQ2
01-14-2004, 03:54 PM
Sounds like you are on the right track.

The Zone Memory location is the first character of the Toon's name, so just convert the Hex number to dec and update the server Ini file. If you are running 1.15.17 the Short Zone name is in the lower right corner of the client. If you see the correct Short name then you should be gtg.

You should know when you are at the correct CharacterAddress when you reverse search it to get to the Main Memory location. +4 Bytes will get you the Target Address and will be 0's if nothing is targeted and will change to the Memory Address of the spawn that is targeted. To test it jump to the location and you will see the Spawn info for the targeted spawn.

If you have the correct Main memory location then you should be able to branch out from there and find the rest of the offsets needed.

You should also use the MySEQTester to verify the structures are aligned correctly as well. If you see partially populated data then you know where the structure has changed and you can modify the Ini file to try and realign the structure.

Then use the 1.x stuff to test it in game by running around and verifying stuff like zone names, ground item/spawn locations etc.

Squiffy
01-14-2004, 05:17 PM
ZoneAddr=7144628

That's what you do with the first instance of your name followed by the zone short/long names. First character of your toon's name = ZoneAddr

Worked for me on Beta, and was popping up the correct map.

Beyond that, though, nothing worked. I tried every possibility I could.

One thing I noticed, as I was finding my name, is if I scrolled up or down a bit at a spot that found a location of my name, it would change to an NPC or PC name occasionally, then back to mine, even though I wasn't doing a thing at the time. So I tended to skip those locations, figuring they were some kind of non-related data.

But the only decimal values I got for CharInfo tended to be in the under-6000000 range.

Edit: Only times I ran into any instance of my toon's name that didn't change second by second to a mob/player name, was UI and Log file text, stuff like that. Maybe the sneaky buggers have done something to it? Maybe I'm just confusing myself unnecessarily, but do I have to take a snapshot of the memory and fool around with that? Because beyond the first instance for ZoneAddr, nothing works.

MQSEQ2
01-14-2004, 07:38 PM
I would use the existing CharInfo Address for Live servers and look in that general area a little to see if it's off a little first. I will try to look tonight at the Test servers to see what I can figure out.

Iwannasee
01-14-2004, 08:14 PM
ZoneAddr=7144628 points directly at the short zone name. And I checked, it doesn't exist anywhere else in memory. :) But, if we should use the address of the toon name immediately preceding this then ZoneAddr=7144564 instead.

I've gone through all the steps again up to group address and keep coming up with the same numbers. Only thing I've noticed different tonight is that the memory location for the TargetAddr isn't changing dynamically like it was last night... I had to reload the memory to see the change. :(

Using the values...
ZoneAddr=7144564
CharAddr=7547264
TargetAddr=7547268
GuildsAddr=7565948
SpawnAddr=7547200
ItemsAddr=7547204
... I still get no data from 1.x or 2.x servers.

I know that the 1.x server/client is working with the live servers. I'll double check the 2.x server/client to be sure it's still working with live. I'm totally stumped as to why I am getting absolutely no response while on test...

Iwannasee
01-14-2004, 11:25 PM
Verified some things with the live server. Using the current offset for ZoneAddr on live, the memory location stored there points to the beginning of the short zone name, not the toon's name. So ZoneAddr=7144628 is correct. The walk through instructs us to use the start of the toon's name, this may need to be changed.

I also verified that the server/client 2.x is in fact working with the live servers. Using the offsets I posted before, I get absolutely nothing on the tester but the server indicates a connection. The only thing I can think of being the problem is the line "EQProgram=eqgame" in the .ini file. Does this need to be changed when using test?

Iwannasee
01-15-2004, 12:20 AM
OK. I am officially kicking myself now... :D

First of all, the test executable was updated last night. Going through the same process I did before, I got the new offsets for CharAddr and TargetAddr. (7512176 and 7512180 respectively). I changed the line "EQProgram=eqgame" in the server 2.x .ini file to "EQProgram=testeqgame" and got charinfo in the 2.x tester. Silly me, I had it looking for the wrong program in memory. :) Still doesn't explain why the 1.x programs weren't working but I'm at least on the right track.

I'll try to finish up the rest of the offsets tomorrow but they should be something like:

ZoneAddr=7109540
CharAddr=7512176 *verified*
TargetAddr=7512180 *verified*
SpawnHeaderAddr=7512112
ItemsAddr=7512116

Just have to verify these and get guilds and groups addresses. :)

Squiffy
01-15-2004, 03:34 AM
Doesn't work for me :( ZoneAddr is correct, but the rest isn't, unfortunately.

Going to bed now, will try and fiddle with it in the morning.

Damn Beta patch broke EQW too :mad:

MQSEQ2
01-15-2004, 05:34 AM
The Zone Structure starts at the Toon's name but for the 1.x stuff we don't use the whole Zone structure so we add 64 bytes to the base Zone Address to locate the Short Zone Name. Once we move to the 2.x stuff we will only use the Base Zone Address since it uses the Zone Structure.

For the Ini file you must change it to testeqgame instead of eqgame. I will make it look for both so the Ini doesn't have to be modified all the time.

I will post some more in a few once I get more info.

MQSEQ2
01-15-2004, 06:58 AM
For Server 2.0.0
==============
ZoneAddr=7144564

For Server 1.x
==============
ZoneAddr=7144628


Time to load up your offsets and verify them as well and see if I can locate anything.

Good Job so far keep it up.

Iwannasee
01-15-2004, 01:53 PM
OK. I was messing around on test in the wee hours of this morning and tried to verify the following addresses with the 2.x server...

ZoneAddr=7109540
CharAddr=7512176
TargetAddr=7512180
SpawnHeaderAddr=7512112
ItemsAddr=7512116
GuildsAddr=7512316

Zone name comes up with the 1.x programs and loads correct map. :)

Char info comes up. Only problem is the player coordinates don't change with movement. Apparently, the structs have changed. This is why that offset doesn't seem to work with the 1.x programs. I have verified that player name, stats, etc come up fine using 2.x. Fatigue level doesn't show anything, I think the practice points are way off, and 2 of the resist stats are swapped. I'll try to check live and figure out how the coordinates are stored and find the new location for test.

Target is correct.

SpawnHeaderAddr. Mob spawns aren't showing at all. Something else to learn. ;)

Items. Ground Spawns (this is what ItemsAddr points to, right?) showing.

Guilds. This got moved awfully close to Char info from where it used to be. Hopefully not too many structures were fubar'd...

Hope this helps. :D

MQSEQ2
01-15-2004, 02:58 PM
I noticed they moved stuff around last night but I didn't get a chance to look at everything.

I will look at the ZoneAddr that you posted but I think it's not the correct one since there are several locations to get the short zone name at.

I tried the ones I posted and the map loaded fine with the 1.x stuff.

You must be talking about Fire/Cold being reversed. Just switch the numbers in the Ini file in the Tester directory. That was an issue with MQ having incorrect structures.

Should be:

SaveColdOffset=3644
SaveFireOffset=3648

I will continue to research the Test Servers Offsets as well.

Iwannasee
01-15-2004, 06:14 PM
OK. There are 2 different test executables... ;)

Could somebody with more experience with the offsets than me confirm that the non-beta testeq offsets are as follows?

ZoneAddr=7144564 (for the 2.x server)
CharAddr=7547264
TargetAddr=7547268
GuildsAddr=7565948
SpawnAddr=7547200
ItemsAddr=7547204

And that the player coordinates are located at...
zoffset=53596
yoffset=53600
xoffset=53608
from the address kept in CharAddr location?

Yeah, I know, there's 4 bytes skipped between y & x, it was empty. And it took me forever to find those numbers. I need a beer. :D

MQSEQ2
01-16-2004, 08:24 AM
Iwannasee I split the thread since this part is more R&D for the Test servers which is always gonna be changing. Once we can get a handle on the searching logic we can create a How to locate offsets on the Test server.

I've been having issues getting logged into the test servers the past few days, as soon as I start to enter the World I get kicked to desktop. So I will delete some EQ files and have them push down new ones to me to see if that works.

Keep up the good work, keep the nose clean and start sniffing the memory ;)

Iwannasee
01-16-2004, 11:37 AM
Thanks for splitting it out. I was feeling a bit guilty that the thread length was getting so long. But, I figure if I can find the offsets for the test server, I can find the offsets for the live server when they change. :D

OK. A question. If I plug the player coordinate offsets into the 2.x server .ini as they are, will the 2.x server choke on those numbers since the .ini says the structure ends way before those locations? ie. PlayerInfoEndOffset=7659 vs zoffset=53596

Is there a reason the 2.x tester has more offsets than the server?

MQSEQ2
01-16-2004, 12:06 PM
The server really only cares about the Starting and ending offsets for the structures. There are a few structures that we need some additional information so the Server can locate the next location to go to for example. The server will gather the data block and send it to the Client without processing it.

The Client receives the data block and then uses the Structure Offsets to break the data block down into the appropriate areas of the structure.

The server can send more data than what the Client uses but the Client needs at least the proper amount of data so it doesn't error out. I will make sure the Client code is setup with error checking to prevent errors.

This allows us to Dynamically change the Offsets without recompiling the code so if something changes all we need to do is modify the Ini file. As you see with the reversed Cold/Fire Resist it's very easy to correct without code changes.

As for the EQ Test server I wish I could login to help you verify the offsets you are finding. You are doing great in learning the process and it will help out greatly on Patch day.
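The server/client split described in the post above, as an added example that is not code from the thread or from the MySEQ project: the server copies a raw block between start and end offsets, the client decodes fields by Ini offsets, and a field whose offset lies past the block (the zoffset vs PlayerInfoEndOffset question) is refused instead of erroring out. PlayerInfoEndOffset, SaveColdOffset, SaveFireOffset and zoffset are the values quoted in the thread; the other key names and the memory contents are constructed assumptions.

```python
import configparser

# Constructed Ini text. The numeric values are the ones posted in the thread;
# PlayerInfoStartOffset and the section name are assumptions for this example.
INI_TEXT = """
[PlayerInfo]
PlayerInfoStartOffset=0
PlayerInfoEndOffset=7659
SaveColdOffset=3644
SaveFireOffset=3648
zoffset=53596
"""

# Swapped Ini, mirroring the Fire/Cold mix-up the thread describes.
SWAPPED_INI = (INI_TEXT.replace("SaveColdOffset=3644", "SaveColdOffset=3648")
                       .replace("SaveFireOffset=3648", "SaveFireOffset=3644"))

def load_offsets(ini_text):
    """Read integer offsets from the Ini section, keeping key case as written."""
    cfg = configparser.ConfigParser()
    cfg.optionxform = str  # keep 'SaveColdOffset', not 'savecoldoffset'
    cfg.read_string(ini_text)
    return {k: int(v) for k, v in cfg["PlayerInfo"].items()}

def server_read_block(memory, offsets):
    """Server side: copy the raw bytes between start and end offsets, no parsing."""
    return bytes(memory[offsets["PlayerInfoStartOffset"]:offsets["PlayerInfoEndOffset"]])

def client_field(block, offset, width=4):
    """Client side: decode one little-endian int, or None if the field would run
    past the block. zoffset=53596 is far beyond PlayerInfoEndOffset=7659, so it
    cannot be served from this block and must not crash the client."""
    if offset < 0 or offset + width > len(block):
        return None
    return int.from_bytes(block[offset:offset + width], "little", signed=True)

def client_decode(block, offsets):
    """Break the block into named fields using only the Ini offsets."""
    return {"cold": client_field(block, offsets["SaveColdOffset"]),
            "fire": client_field(block, offsets["SaveFireOffset"]),
            "z": client_field(block, offsets["zoffset"])}

def build_memory():
    """Constructed stand-in for process memory: 8000 zero bytes with a cold
    resist of 25 at 3644 and a fire resist of 40 at 3648."""
    mem = bytearray(8000)
    mem[3644:3648] = (25).to_bytes(4, "little")
    mem[3648:3652] = (40).to_bytes(4, "little")
    return mem

def demo(ini_text=INI_TEXT):
    """Run the whole server -> client path for one Ini and return the fields."""
    offsets = load_offsets(ini_text)
    return client_decode(server_read_block(build_memory(), offsets), offsets)

if __name__ == "__main__":
    print(demo())             # {'cold': 25, 'fire': 40, 'z': None}
    print(demo(SWAPPED_INI))  # {'cold': 40, 'fire': 25, 'z': None}
```

With the swapped Ini the same block and the same code label the two resists the wrong way round, which is why the fix is an Ini edit rather than a recompile.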

Squiffy
01-16-2004, 02:00 PM
MQ, Test and Beta are running on DirectX9 now, make sure ya got 9.0b and the newest vid drivers possible. Had a buncha friends on beta having the same issue, that couldn't log on.

Oh yeah, and EQW won't work, either. Guess it chokes on DX9.

Still not having any luck personally with the offsets. Dunno if I'm doing this wrong or I'm just a retard :p Maybe I'll just stick to the mapping for now.

MQSEQ2
01-16-2004, 02:29 PM
They must have just changed it cause 2 nights ago I was able to get on Test with one box but not the other but I will check it out. I should be on the latest DX. I can't remember if I was in EQW or not the other night, I think I was but will verify.

Iwannasee
01-16-2004, 03:19 PM
They changed the executable again for test...

ZoneAddr=7152964
CharAddr=7555664
TargetAddr=7555668
GuildsAddr=7574556
SpawnAddr=7555600
ItemsAddr=7555604

I'm having the same problems seeing a changing player coordinate and spawns, ground spawns and most of the player stats show correctly (using Server 2.x to see it)

For future reference, if Z coordinate is ahead of X/Y coordinates, it's wrong. :) I did find myself in the spawns though. :D I found my coordinates at the proper offset, verified that they changed when I moved, but still cannot get an update in the tester to show. Not sure what is going on. Wish I could save a memory dump...

MQSEQ2
01-16-2004, 03:37 PM
I can dump the memory read from the tester and I think WinHex can dump as well (not sure tho).

Iwannasee
01-16-2004, 04:06 PM
WinHex will save a dump to disk as long as you've paid for a license. Since I'm a poor student, I'm using the trial. :)

And I could swear the first time I used it, it was updating the memory info (while I was looking at TargetAddr) but hasn't done it since. I have to load memory again to look for changes. :(

Oh well, nobody ever promised it would be easy. :D

MQSEQ2
01-16-2004, 06:11 PM
hehe I know I never promised it.

I bought my copy of WinHex for $57 bucks, now let's see, that's 10 cases of beer and 10,000 brain cells you would save if you bought WinHex ;)

Iwannasee
01-17-2004, 01:04 PM
I am really starting to think they aren't updating player location coordinates in test the same way they do in live. I've seen the correct numbers in the correct offset location, but they aren't changing. I suspect they are put there when you do a /loc.

But, I think they are being updated in the players spawn info like any other spawn. I may be wrong, but if I'm right, this may be something that gets to the live servers. How hard would it be to pull player spawn info to get the needed information?

I've realized that I've gone way beyond finding offsets and am looking at data structures instead. And in doing so, I've come up with a new idea for a tool to make it easier. If a program could be given a starting location in memory and a range, it could display the memory dynamically allowing you to see changes instantly. Does such a program exist? Time for google, I guess. :)

MQSEQ2
01-17-2004, 01:25 PM
It's called Server 2.0.0 hehe. I've been wanting to make the Server into another lil util that would allow you to have a sliding window. This would allow you to view data as Floats, Int, Bytes, Strings (Values) all together and then you can adjust the memory area you want to look at by sliding the slider and have it update the different Values all at the same time so you can try and figure stuff out.

Iwannasee
01-17-2004, 04:19 PM
That sounds perfect. Can't wait to see it. :)