
Thread: DEVS: Locating offsets - part 2

  1. #1
    Registered User MQSEQ2's Avatar
    Join Date
    Oct 2003
    Posts
    910

    Post DEVS: Locating offsets - part 2

    How to Locate EverQuest Offsets
    ===============================

    This is the beginners guide to offset tracking and reverse engineering.
    I'm using EverQuest as the basis to this example.

    Programs needed: EQ (Running and in the world), Memory Sniffer, Hex Calculator


    I will be using WinHack 2.00 demo version and Windows Calc in Scientific Mode.

    1) Open a DOS prompt
    2) Type: Calc{Enter}
    3) This will launch Windows Calculator (if not locate it and launch it)
    4) Type: at 15:00 /interactive "C:\Program Files\WinHack v2.00\WinHack2.exe"{Enter}

    Note: 15:00 represents 3 PM in this example. If your local time is 7:29 PM then
    add 1 minute (or 2 minutes if you are a slow typer); this would say launch WinHack at 7:30 PM.
    Replace the 15:00 with 19:30 for it to launch at 7:30 PM. The /interactive switch is
    the key to launching WinHack so it has access at the System Level, making it able
    to connect to all Processes in memory. AT command: use at /? to get help.
    If WinHack doesn't launch at the time you chose, type AT{Enter} and it will show you
    when it was supposed to launch. More than likely it will say tomorrow; use AT /delete
    to remove it. This happened because the time that was set was too close to the launch
    time and the OS didn't get it registered in time, so redo it and change the time to
    maybe 2 minutes ahead.

    5) Select eqgame.exe in the Process dropdown list.
    6) Select the Edit Memory tab

    The next few steps are the main things to remember when trying to reverse engineer anything.

    Finding patterns:
    1) In Search Now type: {Your character's name}{Enter}

    Congrats you have found the first offset needed.

    Code:
    Zone Offset:
     ======== 0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
     ===========================================
     006C91D0 00 00 00 00 00 00 00 00 00 00 00 00 53 63 72 65
     006C91E0 77 45 51 00 00 00 00 00 00 00 00 00 00 00 00 00
     006C91F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
     006C9200 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
     006C9210 00 00 00 00 00 00 00 00 00 00 00 00 42 61 7A 61
     006C9220 61 72 00 00 00 00 00 00 00 00 00 00 00 00 00 00
     006C9230 00 00 00 00 00 00 00 00 00 00 00 00 54 68 65 20
     006C9240 42 61 7A 61 61 72 00 00 00 00 00 00 00 00 00 00
    2) Write down the location of the first letter of your character's name.

    In this example the Zone Structure starts at Memory Address 006C91DC

    006C91DC CharacterName[0x40] // 64 Bytes
    006C921C ZoneShortName[0x20] // 32 Bytes
    006C923C ZoneLongName[0x80] // 128 Bytes

    For more of the Zone Structure look in the MQ2 file EQData.h for struct _ZONEINFO

    3) Click Find Next (Repeat until you see the blue progress bar take a few seconds)

    Congrats you have found the next offset needed. This is the most important offset to find.

    Code:
    Character Data Offset:
     ======== 0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
     ===========================================
     063D18D0 00 00 53 63 72 65 77 45 51 00 00 00 00 00 00 00
     063D18E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
     063D18F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
     063D1900 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
     063D1910 00 00 48 61 63 6B 65 72 73 52 75 6C 65 73 00 00
     063D1920 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
     063D1930 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
     063D1940 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    In this example the CharacterData Structure starts at Memory Address 063D18D0

    063D18D0 Unknown01 // 1 Byte
    063D18D1 Unknown02 // 1 Byte
    063D18D2 CharacterName[0x40] // 64 Bytes
    063D1912 LastName[0x20] // 32 Bytes

    For more of the CharacterData Structure look in the MQ2 file EQData.h for struct _CHARINFO

    We are looking for the CharacterData Structure starting Memory Address; this will
    allow us to backtrack to the Calling Memory Address.

    The Calling Memory Address is a static location every time the program is launched.
    The Calling Memory Address stores the memory location of the Actual Data we are
    looking for to populate the structure.
    The Actual Data is located in a dynamic location; this means it could move around
    every time the program is launched.

    In this example we are looking for 063D18D0. We need to do a search for anything
    calling this location. To do this we need to reverse the hex number to D0183D06;
    the reason why is when storing jump locations it uses the First In Last Out (FILO) method.

    4) Select Hex String
    5) In Search Now type: D0183D06{Enter}

    Congrats you have found the Calling Memory Address for the CharacterData Structure.

    Code:
    Calling Memory Address Offset:
     ======== 0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
     ===========================================
     0072B7A0 30 BB 3D 06 00 00 00 00 D0 18 3D 06 30 BB 3D 06
     0072B7B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
     0072B7C0 00 00 00 00 00 00 00 00 00 00 00 00 80 6F 98 02
     0072B7D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    This is the main area for most of the Calling Memory Addresses for the structures we need.

    6) Write down the location: 0072B7A8

    For MQ2 this Address is in EQGame.h
    #define pinstCharData 0x0072B7A8

    For MySEQ this Address is in MySEQServer.Ini
    CharAddr=7518120

    0x0072B7A8 hex = 7518120 decimal

    7) Write down the location: 0072B7AC

    For MQ2 this Address is in EQGame.h
    #define pinstTarget 0x0072B7AC

    For MySEQ this Address is in MySEQServer.Ini
    TargetAddr=7518124

    0x0072B7AC hex = 7518124 decimal

    Now you should be getting the drift of how to search and to locate things in memory.

    Let's look for the Guilds now. This will be pretty easy because we will start at the
    memory location 0072B7A8.

    8) In the Go to Address type: $0072B7A8{Enter}
    9) Click the Page Down button (it has the 2 arrows pointing down) (Repeat about 60 or so times)

    You will start to see Guild names in a pattern. Scroll to the first one in the
    list of Guild names.

    Congrats you have found the Guild Structure

    Code:
    Calling Memory Address Offset:
     ======== 0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
     ===========================================
     0072FE40 00 00 00 00 00 00 00 00 00 00 00 00 4D 79 53 45
     0072FE50 51 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
     0072FE60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
     0072FE70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
     0072FE80 00 00 00 00 00 00 00 00 00 00 00 00 4D 61 63 72
     0072FE90 6F 51 75 65 73 74 00 00 00 00 00 00 00 00 00 00
     0072FEA0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    10) Write down the location: 0072FE4C

    For MQ2 this Address is in EQGame.Ini
    Guilds=0x0072FE4C

    For MySEQ this Address is in MySEQServer.Ini
    GuildsAddr=7536204

    0x0072FE4C hex = 7536204 decimal

    11) In the Go to Address type: $0072B7A8{Enter}
    12) Click the Up Arrow (Single Up Arrow) (4 times)

    Congrats you have found the Calling Memory Address for the SpawnInfo Structure.

    13) Write down the location: 0072B768

    For MQ2 this Address is in EQGame.h
    pinstSpawnList=0x0072B768

    For MySEQ this Address is in MySEQServer.Ini
    SpawnHeaderAddr=7518056

    0x0072B768 hex = 7518056 decimal

    Move over 4 Bytes

    Congrats you have found the Calling Memory Address for the Items Structure.

    14) Write down the location: 0072B76C

    For MQ2 this Address is in EQGame.h
    pinstEQItemList=0x0072B76C

    For MySEQ this Address is in MySEQServer.Ini
    ItemsAddr=7518060

    0x0072B76C hex = 7518060 decimal

    The next area of memory we need to locate is the Group members. The best way to do this
    is to get in a group with at least 3 folks. This will allow you to see the pattern.

    15) Select Ascii String
    16) In Search Now type: {1st Group member ie. F2 person}{Enter}

    Congrats you have found the Group List

    You should see the folks in your group.

    Code:
    Group Offset:
     ======== 0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
     ===========================================
     00729CF0 01 01 00 00 00 53 63 72 65 77 45 51 45 55 4C 41
     00729D00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
     00729D10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
     00729D20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
     00729D30 00 00 00 00 00 4C 65 61 72 4E 54 6F 50 72 6F 67
     00729D40 72 61 6D 00 00 00 00 00 00 00 00 00 00 00 00 00
     00729D50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
     00729D60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    In this example the GroupMemberF2 starts at location 00729CF5.
    The structure actually starts 5 bytes before this at location 00729CF0.

    Here is the structure I have worked out.

    00729CF0 BYTE Unknown00 // 1 Byte
    00729CF1 BYTE Unknown01 // 1 Byte
    00729CF2 BYTE Unknown02 // 1 Byte
    00729CF3 BYTE Unknown03 // 1 Byte
    00729CF4 BYTE Unknown04 // 1 Byte
    00729CF5 CHAR GroupMemberF2[0x40] // 64 Bytes
    00729D35 CHAR GroupMemberF3[0x40] // 64 Bytes
    00729D75 CHAR GroupMemberF4[0x40] // 64 Bytes
    00729DB5 CHAR GroupMemberF5[0x40] // 64 Bytes
    00729DF5 CHAR GroupMemberF6[0x40] // 64 Bytes
    00729E35 BYTE Unknown03 // 1 Byte
    00729E36 BYTE Unknown03 // 1 Byte
    00729E37 BYTE Unknown03 // 1 Byte
    00729E38 DWORD GroupMemberF2Address // 4 Bytes
    00729E3C DWORD GroupMemberF3Address // 4 Bytes
    00729E40 DWORD GroupMemberF4Address // 4 Bytes
    00729E44 DWORD GroupMemberF5Address // 4 Bytes
    00729E48 DWORD GroupMemberF6Address // 4 Bytes
    00729E4C CHAR GroupLeader[0x40] // 64 Bytes
    00729EBC

    That's it for Part 1 of How to Locate EverQuest Offsets.

    Future documents will be how to get the Structure Offsets, but for now use EQData.h from MQ2.

    PS. Since I used live data please don't decipher the stuff and post my characters name.
    Last edited by Ratt; 08-20-2004 at 10:29 PM.
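The procedure above (find the character name, step back to the structure base, search for that base stored byte-reversed, and write the slot down in hex for MQ2 and decimal for MySEQ) as an added, runnable example. This is editor-supplied code, not the post's, WinHack's, MQ2's or MySEQ's; it runs over a small memory image constructed in the script whose bytes mirror the dumps in the post (ScrewEQ, HackersRules, Bazaar, the pointer table at 0072B7A0), with the load addresses and the +0x02 / +0x42 field offsets taken from the post. The byte reversal the post describes is the little-endian layout of a 32-bit pointer on x86, so the search pattern is just the address packed as `<I`. The last step follows the pointer stored in the static slot back to the structure, which is the same check post #10 suggests in reverse.

```python
import struct

# Constructed memory image: regions keyed by load address. The values copy
# the post's dumps but are assembled here by hand; nothing is read from a
# live process.
ZONE_BASE = 0x006C91D0     # static _ZONEINFO (post: name at 006C91DC)
CHAR_BASE = 0x063D18D0     # dynamic _CHARINFO, moves between launches
STATIC_BASE = 0x0072B7A0   # static pointer table (post: pinstCharData at +8)


def build_image():
    zone = bytearray(0x100)
    zone[0x0C:0x0C + 7] = b"ScrewEQ"          # CharacterName[0x40] at +0x0C
    zone[0x4C:0x4C + 6] = b"Bazaar"           # ZoneShortName[0x20] at +0x4C
    zone[0x6C:0x6C + 10] = b"The Bazaar"      # ZoneLongName[0x80] at +0x6C
    char = bytearray(0x100)
    char[0x02:0x02 + 7] = b"ScrewEQ"          # CharacterName[0x40] at +0x02
    char[0x42:0x42 + 12] = b"HackersRules"    # LastName[0x20] at +0x42
    static = bytearray(0x40)                  # row 0072B7A0 of the post's dump
    static[0x00:0x04] = struct.pack("<I", 0x063DBB30)
    static[0x08:0x0C] = struct.pack("<I", CHAR_BASE)    # pinstCharData slot
    static[0x0C:0x10] = struct.pack("<I", 0x063DBB30)   # pinstTarget slot
    return {ZONE_BASE: zone, CHAR_BASE: char, STATIC_BASE: static}


def find_all(data, needle):
    """Every offset of needle in data, overlapping hits included."""
    hits, i = [], data.find(needle)
    while i >= 0:
        hits.append(i)
        i = data.find(needle, i + 1)
    return hits


def search_bytes(image, needle):
    """Absolute addresses of every occurrence of needle in the image."""
    return sorted(base + off for base, data in image.items()
                  for off in find_all(data, needle))


def search_ascii(image, text):
    """WinHack's 'Ascii String' search: all hits, Zone and CharInfo alike."""
    return search_bytes(image, text.encode("ascii"))


def le_pattern(addr):
    """The 'reversed' hex string typed into the Hex String search:
    a 32-bit pointer stored little-endian, 0x063D18D0 -> 'D0183D06'."""
    return struct.pack("<I", addr).hex().upper()


def read_dword(image, addr):
    """Follow a stored pointer: what WinHack's DWORD box shows at addr."""
    for base, data in image.items():
        if base <= addr <= base + len(data) - 4:
            return struct.unpack_from("<I", data, addr - base)[0]
    raise ValueError(f"{addr:#010x} is not in the image")


def read_cstring(image, addr, maxlen):
    """NUL-terminated field of at most maxlen bytes at addr."""
    for base, data in image.items():
        if base <= addr < base + len(data):
            raw = bytes(data[addr - base:addr - base + maxlen])
            return raw.split(b"\0", 1)[0].decode("ascii", "replace")
    raise ValueError(f"{addr:#010x} is not in the image")


def locate_char_data(image, char_name, name_offset=0x02):
    """Return (struct_base, static_slot) for the _CHARINFO holding char_name.

    Every ASCII hit is a candidate base (hit minus the field offset). The real
    structure is the one whose base is itself stored somewhere in the image as
    a little-endian DWORD; the copy of the name inside _ZONEINFO has no such
    referrer and is dropped. The slot found is the 'Calling Memory Address'.
    """
    for hit in search_ascii(image, char_name):
        base = hit - name_offset
        for slot in search_bytes(image, struct.pack("<I", base)):
            return base, slot
    return None


def offset_lines(mq2_name, ini_key, slot):
    """Both spellings of the same address: MQ2 hex define and MySEQ decimal."""
    return f"#define {mq2_name} 0x{slot:08X}", f"{ini_key}={slot:d}"


if __name__ == "__main__":
    img = build_image()
    print("ASCII hits:", [f"{a:#010x}" for a in search_ascii(img, "ScrewEQ")])
    base, slot = locate_char_data(img, "ScrewEQ")
    print(f"_CHARINFO at {base:#010x}; hex search {le_pattern(base)} -> slot {slot:#010x}")
    print(*offset_lines("pinstCharData", "CharAddr", slot), sep="\n")
    # Go the other way to confirm: the DWORD at the static slot is the struct.
    assert read_dword(img, slot) == base
    print("LastName:", read_cstring(img, base + 0x42, 0x20))
```

Run it as is to see the two ASCII hits, the D0183D06 pattern, the slot 0x0072B7A8 and its decimal form 7518120. Against a real dump you would replace `build_image()` with regions read from the process; the search, the little-endian packing and the referrer filter stay the same, and the filter is what separates the structure you want from stray copies of the name when "Find Next" turns up more than one.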

  2. #2
    Registered User
    Join Date
    May 2002
    Posts
    92
    HAHA!...

    edit == 8*)
    Last edited by sauron; 12-22-2003 at 06:45 AM.

  3. #3
    Registered User MQSEQ2's Avatar
    Join Date
    Oct 2003
    Posts
    910
    You not suppose to post it

  4. #4
    Registered User
    Join Date
    Dec 2003
    Posts
    5

    WinHack

    I am looking for some place to download Win Hack 2.0

    The author has passed on to that great byte dump in the sky and his site no longer exists.

    Anyone have it?

  5. #5
    Registered User
    Join Date
    Jun 2002
    Posts
    41
    Very cute MQSEQ2 /winks


    MQSEQ2 wrote this in another post as well:

    MySEQSneakPreview 2.0 Server and MySEQTester will give you the visual information and makes it very clear if the data has been shifted and helps quickly reset the structure location.
    /tosses a bone

    WinHack 2.0 download from FH

    Bob
    Last edited by Bob the builder; 12-23-2003 at 08:34 PM.

  6. #6
    Registered User MQSEQ2's Avatar
    Join Date
    Oct 2003
    Posts
    910
    Hey Bob I guess you liked the easter eggs in the tutorial?

  7. #7
    Registered User
    Join Date
    Dec 2003
    Posts
    5
    Originally posted by Bob the builder
    Very cute MQSEQ2 /winks


    MQSEQ2 wrote this in another post as well:



    /tosses a bone

    WinHack 2.0 download from FH

    Bob
    I found this link earlier and it was dead.
    Now it is working.
    Weird.

    Thanks

  8. #8
    Registered User MQSEQ2's Avatar
    Join Date
    Oct 2003
    Posts
    910
    It's not strange, FH has a very poor connection and goes up and down all the time.

  9. #9
    Registered User
    Join Date
    Dec 2002
    Posts
    55

    Question Help?

    I seem to be having some problems trying to find the offsets. I created a new character to play around with in the hopes that less info might make everything easier for me. I found my Zone Offset without a problem. It was the same as what you have in the tutorial for character name, zone short and zone long. The problem is finding the character offset. I did the search next and found only one other instance of my name at location 0072B6C0. This is the only other instance of my name. If I do a reverse lookup for C0B67200 I get 00491358. I know I've missed something. Any ideas on where I'm screwing up?

  10. #10
    Registered User MQSEQ2's Avatar
    Join Date
    Oct 2003
    Posts
    910
    Try going to the CharAddr=7518120 and see what address it points to then go to that address.

    The easiest way I found was once you go to the address 7518120 you will see 4 bytes of data in reverse order, instead of reversing them you can copy the content from the DWORD box (which has been reversed and converted to decimal, so don't add the $) and then paste it in the Go To box.

    Give that a try and see what you come up with, once you do it a couple of times you will see the patterns.

  11. #11
    Registered User
    Join Date
    Dec 2002
    Posts
    55

    question

    I noticed something while I've been working with the offsets. Everyone's eqgame.exe should be slightly different, but shouldn't they be roughly the same size? The range of my exe is 00400000 to 01000000 roughly. I noticed yours is much larger. Is there a reason for that?

  12. #12
    Registered User MQSEQ2's Avatar
    Join Date
    Oct 2003
    Posts
    910
    Yes, the reason is the area of memory that holds the Character Data is in Dynamic Memory, which will change all the time when you launch the eqgame.exe. If I have a lot of stuff open then mine will be a lot higher in range.

    The static memory locations are always in the same spot, so that's why we go there to get the dynamic location.

  13. #13
    Registered User
    Join Date
    Dec 2002
    Posts
    55
    edited!
    Last edited by MQSEQ2; 07-17-2004 at 07:58 PM.

  14. #14
    Registered User MQSEQ2's Avatar
    Join Date
    Oct 2003
    Posts
    910
    Good Job NovaUSC.

    I will try out WinHex to see if I like it better than WinHack (not hard to do hehe) or should I just write my own.

  15. #15
    Registered User MQSEQ2's Avatar
    Join Date
    Oct 2003
    Posts
    910
    I bought a copy of WinHex tonight so I will write a How To based on WinHex.

    A single copy cost me $57 US, so if you want to start a nice set of tools then this is a very cheap way to start.
