
Thread: November 7th patch

  1. #16
    Registered User
    Join Date
    Nov 2012
    Posts
    2

    Re: November 7th patch

    Oh ok, thanks. I misunderstood. Thank you for the clarification and the understanding. I will wait for the new server.

    Junky

    Quote Originally Posted by iluvseq:
    The code I posted doesn't help get offsets. It was for Razzle, to show how he could figure out the process base address, which is now a component in accessing the EQ memory. The old way was 'open process, grab data at offset'; the new way is 'find out process base address, open process, grab data at offset - 0x400000 + process base address'.

    I already posted all the primary offsets for the new release at the top of the thread. The issue is that they don't work without the process base address, and so Razzle needs to update the server with this new logic. There may be other changes as well, but this has to be modified first before we can figure the rest out.

  2. #17
    Developer
    Join Date
    Nov 2007
    Posts
    539

    Re: November 7th patch

    I am able to read the base address fine. Will try to make other tweaks later if I get a chance. Will get a release out as soon as it's functional. Debug code may have to wait. It needs serious help anyway.

    Razzle

  3. #18
    Developer
    Join Date
    Nov 2007
    Posts
    539

    Re: November 7th patch

    Hmmm. Tried it like you described. Didn't work. Will have to take a closer look. Will map the locations in memory and check my math. It is simple addition. That is the easiest thing to screw up. Only spent about 30 min on it total. Was hoping for a quick win.

    Razzle

  4. #19
    Developer
    Join Date
    Nov 2007
    Posts
    539

    Re: November 7th patch

    Ok. Did it half-assed. This will take me a couple of hours to fix. Bah. But I know how to do it pretty easily.

  5. #20
    Registered User
    Join Date
    Feb 2002
    Posts
    50

    Re: November 7th patch

    Was the info I posted helpful?

  6. #21
    Developer
    Join Date
    Nov 2007
    Posts
    539

    Re: November 7th patch

    Quote Originally Posted by iluvseq:
    Was the info I posted helpful?

    Yes. Thanks. They may have something sneaky going on, you never know. But I will get it going soon.

  7. #22
    Developer
    Join Date
    Nov 2007
    Posts
    539

    Re: November 7th patch

    My son wouldn't go to sleep last night. He was up till almost 11:30. Silly 2-year-olds. Getting up at 4:30 to head in to work makes for a long day. Needless to say, I didn't get back to it last night.

    Reading on ASLR, it doesn't sound like it's supported in all versions of Windows. What's the story on this? If anyone knows.

    Razzle

  8. #23
    Registered User
    Join Date
    Feb 2002
    Posts
    50

    Re: November 7th patch

    Windows XP was the first Windows with some support for ASLR, but it's not enabled by default. Windows Vista and up have it enabled by default, as long as the application is linked with the ASLR-enabled flag.

    After reading the patch notes that mentioned new compiler settings, I used Process Explorer (http://technet.microsoft.com/en-us/s.../bb896653.aspx) to check, and sure enough, ASLR is enabled on eqgame.exe now (on my Windows 7 system at least). I then used IDA to determine the new base offsets (posted earlier in this thread) and MemoryDumperPro to dig around in memory, and determined that IDA offset - 0x400000 + eqgame.exe_base results in the proper pointers that we used to get by just using the IDA offset. Keep in mind, the values fetched from those pointers do *not* need to be adjusted in the same way; they are pointers to the actual location, so you can continue to use them the same way as before.

    Here's how I validated this:

    Code:
    target_addr = 0xD44778   # offset determined via examination of decompiled code in IDA
    image_base = 0x400000    # from the PE header on the executable. This value doesn't change from computer to computer, but may change when they recompile eqgame.exe
    base_address = 0xF0000   # can vary every time eqgame.exe is run

    adjusted_target_addr = target_addr - image_base + base_address   # 0xA34778
    spawn_ptr = 0x2463C9F8   # DWORD read at adjusted_target_addr; changes all the time, of course; pointer to the spawn structure, same as before
    spawn_name = spawn_ptr + 0xA4   # 0x2463CA9C: spawn pointer + name offset, same as before
    I just did this live and it returns the target's name as expected.

    In three runs of eqgame.exe I had three different base address locations, so ASLR is definitely active.

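    The rebasing check in the post above, worked through as an added example in Python (this is not code from the thread or from MySEQ). It reads ImageBase and the DllCharacteristics flags from a PE header (the /DYNAMICBASE bit is the one Process Explorer's ASLR column reflects), applies the IDA offset - ImageBase + runtime base formula, and then follows the live spawn pointer without rebasing it. The PE image is a constructed minimal header, the process memory is a constructed dictionary standing in for ReadProcessMemory, and the addresses and the 0xA4 name offset are the values from the post; on a real system the runtime base would come from the process's main module (EnumProcessModules or a Toolhelp module snapshot).

```python
import struct

# PE header flags (from the Microsoft PE/COFF specification).
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # set by the linker's /DYNAMICBASE option; "ASLR" in Process Explorer
IMAGE_FILE_RELOCS_STRIPPED = 0x0001             # COFF flag: no .reloc data, so the loader cannot relocate the image


def parse_pe_headers(data):
    """Return ImageBase and the characteristics flags from a PE32 or PE32+ image's headers."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff_off = e_lfanew + 4
    machine, _nsec, _ts, _symtab, _nsyms, _opt_size, file_chars = struct.unpack_from("<HHIIIHH", data, coff_off)
    opt_off = coff_off + 20
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic == 0x10B:        # PE32: ImageBase is a 4-byte field at offset 28 of the optional header
        image_base = struct.unpack_from("<I", data, opt_off + 28)[0]
    elif magic == 0x20B:      # PE32+: ImageBase is an 8-byte field at offset 24
        image_base = struct.unpack_from("<Q", data, opt_off + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%X" % magic)
    dll_chars = struct.unpack_from("<H", data, opt_off + 70)[0]  # DllCharacteristics, same offset in both formats
    return {"machine": machine, "image_base": image_base,
            "file_characteristics": file_chars, "dll_characteristics": dll_chars}


def aslr_opted_in(hdr):
    """True when the image asks to be relocated and still carries the relocations that make it possible.
    Whether it actually moves is up to the OS (Vista and later honour the flag by default)."""
    wants_relocation = bool(hdr["dll_characteristics"] & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    can_relocate = not (hdr["file_characteristics"] & IMAGE_FILE_RELOCS_STRIPPED)
    return wants_relocation and can_relocate


def rebase(static_addr, image_base, runtime_base):
    """Translate an address as IDA shows it (relative to the PE ImageBase) to where it is in the live process.
    With ASLR off the loader maps the image at ImageBase, so runtime_base == image_base and this is the identity."""
    return static_addr - image_base + runtime_base


def resolve_spawn_name_pointer(static_target_addr, image_base, runtime_base, read_dword, name_offset=0xA4):
    """The check from the post: rebase the static pointer, read the live spawn pointer stored there,
    then add the structure offset. Only the static address is rebased; the DWORD read from memory
    is already a live pointer and is used unchanged."""
    adjusted = rebase(static_target_addr, image_base, runtime_base)
    spawn_ptr = read_dword(adjusted)
    return adjusted, spawn_ptr, spawn_ptr + name_offset


def build_minimal_pe(image_base, dll_characteristics, file_characteristics=0x0102):
    """Constructed test input: DOS header, PE signature, COFF header and a PE32 optional header, nothing else."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)              # e_lfanew: PE signature right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 224, file_characteristics)  # i386, one section, PE32 optional header
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)              # Magic: PE32
    struct.pack_into("<I", opt, 28, image_base)        # ImageBase
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Constructed stand-in for ReadProcessMemory, holding the post's observed value at the rebased address.
    fake_memory = {0xA34778: 0x2463C9F8}
    for label, exe_bytes in (("ASLR build", build_minimal_pe(0x400000, IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)),
                             ("pre-patch build", build_minimal_pe(0x400000, 0))):
        hdr = parse_pe_headers(exe_bytes)
        print(label, "ImageBase=0x%X" % hdr["image_base"], "ASLR opted in:", aslr_opted_in(hdr))
    adjusted, spawn_ptr, name_ptr = resolve_spawn_name_pointer(0xD44778, 0x400000, 0xF0000, fake_memory.__getitem__)
    print("adjusted=0x%X spawn=0x%X name=0x%X" % (adjusted, spawn_ptr, name_ptr))
    print("same formula without ASLR: 0x%X" % rebase(0xD44778, 0x400000, 0x400000))
```

    Two practical points the arithmetic alone hides: taking image_base from the header rather than typing 0x400000 by hand rules out a dropped-zero mistake, which turns 0xA34778 into a wrong address, and because a non-relocated process sits at ImageBase the same rebase() call is correct on XP and on Vista/7 with no OS-specific branch.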
  9. #24
    Registered User
    Join Date
    Jun 2009
    Posts
    136

    Re: November 7th patch

    Glad to see you guys working on it.
    I'm curious, will the old offset finder I have been updating all the time work at all, or should I just abandon it?
    Not sure if I should put in any effort anymore if it cannot handle ASLR to find the new offsets (primary and secondary).

  10. #25
    Developer
    Join Date
    Nov 2007
    Posts
    539

    Re: November 7th patch

    Hmmm. I know I meant my test code to use 0x400000. But I think I missed a zero. Ugh. Hate having my code at home. I might just add a check box on the server to enable/disable ASLR, and make it a manual setting for now. That might be the quickest fix at this point.

  11. #26
    Developer
    Join Date
    Nov 2007
    Posts
    539

    Re: November 7th patch

    The offset finder should be able to work fine. It should identify offsets like normal I think. I have not started looking for new patterns yet though.

  12. #27
    Registered User
    Join Date
    Jun 2009
    Posts
    136

    Re: November 7th patch

    Ok great, then I'll work on new patterns too once you have updated the server.

  13. #28
    Developer
    Join Date
    Nov 2007
    Posts
    539

    Re: November 7th patch

    Under Windows XP SP2, Process Explorer shows no ASLR, as expected. MySEQ works with no changes other than updating offsets.

    I will be testing on a PC that runs with ASLR later.

    Just need the kiddos to go to bed early. No work tomorrow, if I don't finish up tonight.

    If people can post what OS versions don't work, I can probably do a better job at fixing it for everyone.

    I will test on 7 SP1 and Server 2008 R2 when verifying fixes.

    Razzle

  14. #29
    Registered User
    Join Date
    Dec 2001
    Posts
    78

    Re: November 7th patch

    Windows 7 x64 - no workie.
    I'll see if I can find some older systems to test on 7 x32 and Windows XP x64.
    I think I still have 2 of those running somewhere.

  15. #30
    Registered User
    Join Date
    Feb 2002
    Posts
    50

    Re: November 7th patch

    The good news is that processes without ASLR enabled return 0x400000 as their base address, so the same code works either way (IDA offset - 0x400000 + 0x400000 == IDA offset), so you don't need to detect the OS or have split logic for ASLR vs. non-ASLR.
