Oh ok, thanks. I misunderstood. Thank you for the clarification and the understanding. I will wait for the new server.
Junky
I am able to read base address fine. Will try to make other tweaks later if I get a chance. Will get a release out soon as functional. Debug code may have to wait. It needs serious help anyways.
Razzle
Hmmm. Tried it like you described. Didn't work. Will have to take a closer look. Will map the locations in memory and check my math. It is simple addition. That is easiest to screw up. Only spent about 30 min on it total. Was hoping for a quick win.
Razzle
Ok. Did it half-assed. This will take me a couple hours to fix. Bah. But I know how to do it pretty easy.
Was the info I posted helpful?
My son wouldn't go to sleep last night. He was up till almost 11:30. Silly 2-year-olds. Getting up at 4:30 to head in to work makes for a long day. Needless to say, I didn't get back to it last night.
Reading on ASLR, it doesn't sound like it's supported in all versions of Windows. What's the story on this? If anyone knows.
Razzle
Windows XP was the first Windows with some support for ASLR, but it's not enabled by default. Windows Vista and up have it enabled by default, as long as the application is linked with the ASLR-enabled flag. After reading the patch notes that mentioned new compiler settings, I used Process Explorer (http://technet.microsoft.com/en-us/s.../bb896653.aspx) to check, and sure enough, ASLR is enabled on eqgame.exe now (on my Windows 7 system at least). I then used IDA to determine the new base offsets (posted earlier in this thread) and MemoryDumperPro to dig around in memory, and determined that IDA offset - 0x40000 + eqgame.exe_base resulted in the proper pointers that we used to get by just using the IDA offset. Keep in mind, the values fetched from those pointers do *not* need to be adjusted in the same way; they are pointers to the actual location, so you can continue to use them the same way as before.
Here's how I validated this:
I just did this live and it returns the target's name as expected.
Code:
TargetAddr = 0xD44778 # offset determined via examination of decompiled code in IDA
Imagebase = 0x400000 # from the PE header on the executable. This value doesn't change from computer to computer, but may change when they recompile eqgame.exe
BaseAddress = 0xF0000 # can vary every time eqgame.exe is run
AdjustedTargetAddr = 0xA34778 # 0xD44778 - 0x400000 + 0xF0000
Read DWORD at that location = 0x2463C9F8 # changes all the time, of course; pointer to spawn structure, same as before
Spawn name = 0x2463CA9C # 0x2463C9F8 + 0xA4 # spawn pointer + name offset, same as before
In three runs of eqgame.exe I had three different base address locations, so ASLR is definitely active.
Glad to see you guys working on it. :D
I'm curious, will the old offset finder I have been updating all the time work at all, or should I just abandon it?
Not sure if I should put in any effort anymore if it cannot handle the ASLR to find the new offsets (primary and secondary).
Hmmm. I know I meant my test code to use 0x400000. But I think I missed a zero. Ugh. Hate having my code at home. I might just add a check box on the server to enable/disable aslr, and make it a manual setting for now. That might be quickest fix at this point.
The offset finder should be able to work fine. It should identify offsets like normal I think. I have not started looking for new patterns yet though.
Ok great, then I'll work on new patterns too once you have updated the server.
Under Windows XP SP2, process explorer shows no ASLR as expected. MySEQ works with no changes other than updating offsets.
I will be testing on pc that runs with ASLR later.
Just need the kiddos to go to bed early. No work tomorrow, if I don't finish up tonight.
If people can post what OS versions don't work, I can probably do a better job at fixing it for everyone.
I will test on 7 SP1 and Server 2008 R2 when verifying fixes.
Razzle
Windows 7 x64 - no workie :)
I'll see if I can find some older systems to test on 7 x32 and Windows XP x64.
I think I still have 2 of those running somewhere.
The good news is that processes without ASLR enabled return 0x400000 as their base address, so the same code works either way. (IDA offset - 0x400000 + 0x400000 == IDA offset) so you don't need to detect the OS or have split logic for ASLR vs. non-ASLR.