New ZEMs



KaL
06-18-2003, 07:03 AM
I understand that since we only receive "1/330th" updates that we can't calculate the absolute ZEM values directly.

Has anyone done any work to get approximate updated ZEM values for the PoP zones, Veksar, and other zones?

I know *someone* has to have done a little digging into this. A lot of you are number crunchers who wouldn't be caught dead in a zone that wasn't maximizing your XP.

KaL

Mr. Suspicious
06-18-2003, 07:52 AM
Saw some indications here and there in the past that ZEMS can be found in the active memory, no clue at which memory locations and/or if they are still kept clientside.

Amadeus
06-18-2003, 10:39 AM
It is stored in active memory. Currently, it is a float value at memory location 006fd73c+0x1e8.

If you're using windbg.exe, simply open up a memory dump or attach it to EQ and you will see it by typing "df 006fd73c+0x1e8 L 1" in the command window.


Note: 0.75 is "No Experience Modifier". 0.85 would be 10% bonus, 0.65 would be -10% against .....etc....

uncleubb
06-18-2003, 11:24 AM
Any chance someone knows the new PoP ZEM and could post it? I'm at work and KaL has made me curious... If not I'll just check it out when I get home.

KaL
06-18-2003, 02:35 PM
Outstanding, Amadeus. I'll have to start cataloging ZEMs now :)

Thank you!

high_jeeves
06-18-2003, 04:55 PM
The ZEM for PoS and PoV is 1.19.

I agree with KaL.. great job Amadeus!

--Jeeves

Amadeus
06-18-2003, 05:11 PM
It's nothing :) ...if you guys lose the offset after a patch and can't find it..just send me a PM over at the MQ boards (I check that more frequently than here).

Oh...and for the effort...I think most (if not all) of the LoY zones have a 10% modifier (0.85).

Alfred
06-19-2003, 06:00 AM
Originally posted by Amadeus
It's nothing :) ...

So PoS and PoV do 'not' have a bonus or were you referring to the first post? Sorry.. I'm confused. :)

fester
06-19-2003, 08:20 AM
PoS/PoV (and all other PoP zones) used to be 1.45 ZEM.
They are now 1.19 ZEM.

Alfred, he means finding the location is "nothing" and not "the bonus".

All in all this is good. Approx 56 percent more exp in a 6 person group, when you only lose 26 percent. That is a net gain of 30 percent.

KaL
06-19-2003, 09:52 AM
I checked these today.

BoT, PoS, PoV, PoN, PoI, PoJ, PoD, CoD, PoTorment: 1.19

HoH: 1.105

Veksar, Ssra: 1.00

Umbral Plains, Acrylia Caverns: 0.899

Cazic Thule, Velketor's Labyrinth, Akheva Ruins, Sebilis, Howling Stones: 0.85

Netherbian Lair, Grimling Forest, Skyfire: 0.80

Of note:
The Grey: 0.649
LoIO: 0.60

KaL
06-19-2003, 09:56 AM
My next question is, of course, where is the new 'sweet spot'?

It used to be (your level - 5) where the XP just about doubled from (your level - 6), and XP gains for mobs higher than that were marginal. This meant mobs at (your level - 5) were the best bang for your buck to kill.

Is this still true, or did they make the sweet spot larger? Like say -10?

If anyone has done any preliminary work on this, it would be appreciated.

I know I get a little over a blue of aa at level 65 soloing golems in PoV after the patch.

Fatal
06-19-2003, 12:00 PM
I don't think this can be determined until experience is working again.

Maybe experience is stored at a location in memory also and can be checked for 100% accuracy instead of having to zone after each mob.

Any insight, Ama?

KaL
06-19-2003, 12:27 PM
Good point.. would be good to find the exact XP on the mobs we kill. Even if you have to zone, you only need 1 per mob level if you're soloing to see what they give.

Amadeus
06-19-2003, 03:07 PM
No...experience is not stored in memory as a number, it is only stored as an x of 330 in the same way that the packet information is sent to SEQ.

However, I can give you the location of AA exp as a value of x of 330 if you're interested...as I don't think that's a part of SEQ yet.

For those interested...this is the entire CHARINFO struct as stored in active memory. I'm using a dll extension to read it and spout out information. ...I have changed personal information, of course.



0:010> dd 00760ff4 L 1
00760ff4 059ff4f8
0:010> !c:\games\macroquest-dev\mqext\release\mqext.pchar 059ff4f8

Name = Amadeus (offset 0x2)
Lastname = (offset 0x42)
Gender = 0 (offset 0x88)
Race = 4 (offset 0x8c)
Class = 6 (offset 0x90)
Level = 65 (offset 0x98)
Exp = 32 (offset 0x9c)
PracticePoints = 33 (offset 0xa0)
Mana = 4108 (offset 0xa4)
BaseHP = 2131 (offset 0xa8)
Stunned = 0 (offset 0xac)
BaseSTR = 70 (offset 0xb0)
BaseSTA = 85 (offset 0xb4)
BaseCHA = 75 (offset 0xb8)
BaseDEX = 80 (offset 0xbc)
BaseINT = 75 (offset 0xc0)
BaseAGI = 95 (offset 0xc4)
BaseWIS = 105 (offset 0xc8)
Face = 4 (offset 0xcc)
EquipType = 13606448 (offset 0xd0)
emptyforexpansion = 13606456 (offset 0xd8)
EquipColor = 13606460 (offset 0xdc)
Equipment = 13606492 (offset 0xfc)
InventoryBagIDs = 13606580 (offset 0x154)
languages = 13606616 (offset 0x178)
Buff = 13607144 (offset 0x388)
InventoryBag1 = 13607384 (offset 0x478)
InventoryBag2 = 13607424 (offset 0x4a0)
InventoryBag3 = 13607464 (offset 0x4c8)
InventoryBag4 = 13607504 (offset 0x4f0)
InventoryBag5 = 13607544 (offset 0x518)
InventoryBag6 = 13607584 (offset 0x540)
InventoryBag7 = 13607624 (offset 0x568)
InventoryBag8 = 13607664 (offset 0x590)
InventoryBag9 = 13607704 (offset 0x5b8)
SpellBook = 13609184 (offset 0xb80)
MemorizedSpells = 13611232 (offset 0x1380)
y = -802.999634 (offset 0x13c4)
x = 89.087608 (offset 0x13c8)
z = 4.126000 (offset 0x13cc)
heading = 166.426529 (offset 0x13d0)
standstate = 100 (offset 0x13d4)
Plat = 611 (offset 0x13d8)
Gold = 14 (offset 0x13dc)
Silver = 5 (offset 0x13e0)
Copper = 0 (offset 0x13e4)
BankPlat = 82531 (offset 0x13e8)
BankGold = 8 (offset 0x13ec)
BankSilver = 15 (offset 0x13f0)
BankCopper = 26 (offset 0x13f4)
Skill = 13611384 (offset 0x1418)
UnknownFlag0x160c = 65280 [256 512 1024 2048 4096 8192 16384 32768 ] (Offset: 0x160c)
UnknownFloat0x1610 = 5.000000 (offset 0x1610)
UnknownFloat0x1614 = 3.000000 (offset 0x1614)
UnknownFloat0x1618 = 2.500000 (offset 0x1618)
UnknownFloat0x161c = 5.500000 (offset 0x161c)
AutoSplit = 0 (offset 0x1668)
UnknownFlag0x1688 = 106365 [1 4 8 16 32 64 256 512 1024 2048 4096 32768 65536 ] (Offset: 0x1688)
UnknownFlag0x16a8 = 31 [1 2 4 8 16 ] (Offset: 0x16a8)
UnknownFlag0x16b0 = 1612766537 [1 8 64 256 1024 2048 4096 16384 32768 2097152 536870912 1073741824 ] (Offset: 0x16b0)
hungerlevel = 4778 (offset 0x16c0)
thirstlevel = 4442 (offset 0x16c4)
zoneId = 151 (offset 0x16dc)
pSpawn = 94383936 (offset 0x16e0)
Inventory = 13612100 (offset 0x16e4)
Cursor = 94479632 (offset 0x175c)
STR = 119 (offset 0x1764)
STA = 164 (offset 0x1768)
CHA = 88 (offset 0x176c)
DEX = 118 (offset 0x1770)
INT = 112 (offset 0x1774)
AGI = 128 (offset 0x1778)
WIS = 280 (offset 0x177c)
UnknownData0x1780 = 368 (offset 0x1780)
SaveMagic = 98 (offset 0x1784)
SaveFire = 119 (offset 0x1788)
SaveCold = 112 (offset 0x178c)
SavePosion = 52 (offset 0x1790)
SaveDisease = 56 (offset 0x1794)
CurrWeight = 92 (offset 0x1798)
UnknownData0x17a0 = 573 (offset 0x17a0)
UnknownData0x17e0 = 257 (offset 0x17e0)
ShortBuff = 13612356 (offset 0x17e4)
UnknownData0x18d8 = 0 (offset 0x18d8)
UnknownData0x1950 = 235 (offset 0x1950)
UnknownData0x19a4 = 0 (offset 0x19a4)
UnknownData0x19ec = 618 (offset 0x19ec)
UnknownData0x1a5c = 100 (offset 0x1a5c)
UnknownData0x1a6c = 100 (offset 0x1a6c)
ZoneBoundId = 224 (offset 0x1be0)
ZoneBoundX = -2076.250000 (offset 0x1bf4)
ZoneBoundY = 1683.000000 (offset 0x1c08)
ZoneBoundZ = -51.249001 (offset 0x1c1c)
UnknownFloat0x1c20 = 9.000000 (offset 0x1c20)
UnknownFloat0x1c24 = 9.000000 (offset 0x1c24)
UnknownFloat0x1c28 = 9.000000 (offset 0x1c28)
UnknownFloat0x1c2c = 9.000000 (offset 0x1c2c)
UnknownFloat0x1c30 = -1.000000 (offset 0x1c30)
GuildStatus = 65535 (offset 0x2a20) // WRONG
Diety = 215 (offset 0x2bc0)
GuildID = 80 (offset 0x2bc4)
UnknownFloat0x2bc8 = 0.013465 (offset 0x2bc8)
UnknownFloat0x2bcc = 0.450664 (offset 0x2bcc)
Anon = 2 (offset 0x2bd2)
AAExp = 51 (offset 0x2da0)
AAPoints = 0 (offset 0x2f50)
UnknownFloat0x3284 = 0.427611 (offset 0x3284)
Server = yourserver (offset 0x3908)
Bank = 13621052 (offset 0x39dc)


You'll notice that my AAExp value is 51 ..which means I'm at 51/330 percent to AA ding. AAPoints is the number of points unspent ....I don't think spent AAPoints is stored anywhere.

Oh..and some of these like Bank, Buffs, etc.. won't make sense unless you have the c struct to look at for reference...
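
Added example, not part of Amadeus's post and not MacroQuest or mqext code: a sketch of how a listing like the one above is recovered from a captured memory snapshot, by following the pointer at 00760ff4 and unpacking fields at the listed offsets. The field widths and types, the little-endian 32-bit layout and all function names are assumptions; the sample buffer is constructed from the values printed in the post.

```python
import struct

# Addresses and offsets are those shown in the post; field widths/types are
# assumptions inferred from the offset gaps and the printed values.
CHARINFO_PTR = 0x00760FF4
EXP_SCALE = 330
FIELDS = {  # name: (offset, struct format)
    "Name": (0x0002, "64s"),  # Lastname starts at 0x42, so 0x40 bytes
    "Level": (0x0098, "<I"),
    "Exp": (0x009C, "<I"),
    "y": (0x13C4, "<f"),
    "zoneId": (0x16DC, "<I"),
    "AAExp": (0x2DA0, "<I"),
}

def read(regions, va, size):
    """Bounds-checked read from a snapshot given as {base address: bytes}."""
    for base, data in regions.items():
        if base <= va and va + size <= base + len(data):
            return data[va - base:va - base + size]
    raise ValueError(f"0x{va:08x}+{size} is not inside the snapshot")

def decode_charinfo(regions):
    # Follow the pointer first (the 'dd 00760ff4 L 1' step), then read fields.
    (base,) = struct.unpack("<I", read(regions, CHARINFO_PTR, 4))
    out = {"base": base}
    for name, (off, fmt) in FIELDS.items():
        (val,) = struct.unpack(fmt, read(regions, base + off, struct.calcsize(fmt)))
        if isinstance(val, bytes):  # fixed-width, NUL-terminated string
            val = val.split(b"\0", 1)[0].decode("ascii", "replace")
        out[name] = val
    for key in ("Exp", "AAExp"):
        # Sanity check: the post describes both counters as x of 330.
        if not 0 <= out[key] <= EXP_SCALE:
            raise ValueError(f"{key}={out[key]} out of range, offsets stale?")
        out[key + "Pct"] = round(100 * out[key] / EXP_SCALE, 1)
    return out

def constructed_snapshot(aa_exp=51):
    """Constructed sample data carrying the values printed in the post."""
    blob = bytearray(0x3000)
    blob[2:9] = b"Amadeus"
    values = ((0x98, "<I", 65), (0x9C, "<I", 32), (0x13C4, "<f", -802.999634),
              (0x16DC, "<I", 151), (0x2DA0, "<I", aa_exp))
    for off, fmt, val in values:
        struct.pack_into(fmt, blob, off, val)
    return {CHARINFO_PTR: struct.pack("<I", 0x059FF4F8), 0x059FF4F8: bytes(blob)}
```

The range check on Exp and AAExp is what catches offsets that no longer line up after a client patch: the read still succeeds, but the decoded value stops being a plausible x of 330.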

Zoolander
06-19-2003, 10:39 PM
Although all of this may be sequential in memory it isn't in the same order when it is sent from the server to the client. The raw exp value is sent when you zone and the client calculates the x/330 value. After that the server only tells the client to add ticks to the calculated value.

The raw aaxp used to be sent to the client. It may still be, but I don't see it in the initial packet. I don't see that the x/330 value is being sent either, but I haven't investigated it too much.

Amadeus
06-20-2003, 12:52 AM
It amazes me how every time I post on this board someone has to point out the obvious fact that memory structures are different than packet structures.

Welcome to the thread man, we haven't been talking about SEQ or packets :) ....yea, it's offtopic from the board as a whole, but it's related in a roundabout type of way ;)

Amadeus
06-20-2003, 12:54 AM
However, on a related note, we've found in our travels in SEQ/MQ world that almost always the memory structs and the packet structs tend to have the same information...just ordered very differently. And, if you think about it...it makes complete sense :)

It's always just a matter of finding the information in the packet structures....which is a lot harder to decipher than memory structures.

Mr. Suspicious
06-20-2003, 03:39 AM
It's always just a matter of finding the information in the packet structures....which is a lot harder to decipher than memory structures.


IMO they go hand in hand. You can find the structs easier in active memory. Then, when you know what's the contents of the struct, it's much easier to unravel the contents of the packets. I'd even say that first looking at the mem structure and then working on the packet nets faster results than solely looking at the packets and trying to see what the contents are.

ThanosOfTitan
06-22-2003, 01:09 PM
What program are you using to scan memory for the ZEM? I'd love to get a ZEM for some of the zones I visit.

Amadeus
06-22-2003, 01:50 PM
MacroQuest would be the most logical...but you'd have to write your own function for doing it.

I use windbg to build structs and so forth..but it takes a "snapshot" of memory really...so, it wouldn't be worthwhile for cataloging ZEMs

Mr. Suspicious
06-22-2003, 02:01 PM
What program are you using to scan memory for the ZEM?

Own made, look at the _old_ programs, that were used to scan the EQ memory for the Decrypt key "back when that was needed still", to get the general idea of how to scan memory. As long as you know the structure and the address where it can be found you'll be able to pull it out of mem.

Mr. Suspicious
07-03-2003, 02:58 PM
ThanosOfTitan wrote on 06-22-2003 11:25 PM:

Own made, look at the _old_ programs, that were used to scan the EQ memory for the Decrypt key "back when that was needed still", to get the general idea of how to scan memory. As long as you know the structure and the address where it can be found you'll be able to pull it out of mem.
Would it be possible to get a copy? I have a character who is flagged up to everything but time, I'd love to explore and record to post.


I'll post it here after I've removed some Server/character/guild related code from it. Just the .cpp and .h file should be enough. It's not pretty code, but should be quite understandable for the layman (it was for me =P)

junk
07-03-2003, 10:12 PM
I use OllyDbg (http://home.t-online.de/home/Ollydbg/).

Mr. Suspicious
07-06-2003, 06:11 AM
Here it is, simple, easy to see what it does, but very inefficient code-wise =P

included:

mobgrab.h
mobgrab.cpp

I used it in the past to capture item data, but unfortunately I've been unable to find the memory locations of items (or at least, the offset that points to the memory location)

I know items are somehow managed like mobs: 1st mob found on Mem location X (address can be found in an "address register", hey, I'm old skool Assembler) and following mobs are at addresses X + offset found in current mob structure. As said: I haven't been able to find how this works for items. If anyone has the first address for the first item data, please feel free to share your knowledge.

ruodrra
07-16-2003, 07:10 AM
I am very interested in finding out ZEMs in EQ but I know absolutely nothing about programming. I downloaded 'ollydbg' but can't figure out how to find the floating memory address referenced here where ZEM info is supposedly stored.

Could anyone give me a basic step by step on how to find the ZEM using this ollydbg program?

Thanks

uncleubb
07-16-2003, 03:06 PM
I don't know anything about the program you downloaded, but the instructions on how to find this were clearly described early in this thread.

However, with the patch I would be surprised if they are in the same memory location (I haven't checked).