Working Offsets (Mem/Hacks) (EverQuest 2 Nerfed Info forum, page 8 of 9)
Tault_lostsox
In Training

Premium Member
Joined: 21 Feb 2005
Posts: 12
0 TUBucks

PostPosted: Sun Feb 27, 2005 4:52 pm    Post subject:  

Since I can't see any member area index on the EQ2Unleashed map, is there any news as to when we will be getting this?
Tault_rphister
In Training

Premium Member
Joined: 22 Feb 2005
Posts: 10
0 TUBucks

PostPosted: Mon Feb 28, 2005 3:57 pm    Post subject:  

Hi, I have a question about winhack. I opened up winhack and selected the everquest2.exe process. I do see a "Search Now" button in the lower left corner, but when I do a search, say for $0048C9AE, nothing changes at all. However, when I select "Go to Address" and put in $0048C9AE it takes me to the address and lights up "83", which is in the E column, but I don't understand what needs to be done to change the offset. Isn't the offset like six characters (three sets of two)? Where do I find these? Sorry if this is a really dumb question, but I thought it would be obvious to change, or I'm just missing something as a n00b! Also, is there any way we can as a group get a program to identify all the new offsets after each patch, such as is done with Myseq?

Thanks
tault_sirusdv
Moderator

Premium Member
Joined: 22 Aug 2004
Posts: 262
Location: Seattle
10 TUBucks

PostPosted: Tue Mar 01, 2005 2:58 pm    Post subject:  

Offsets are usually 4 sets of 2, and $0048C9AE is an offset ;] All an offset is is a position in the application's allocated memory where assembly code is stored.
_________________
All spelling mistakes, grammatical errors and stupid comments are intentional.
Tault_rphister
In Training

Premium Member
Joined: 22 Feb 2005
Posts: 10
0 TUBucks

PostPosted: Thu Mar 03, 2005 7:03 pm    Post subject: Offsets  

I have been trying to figure this out without luck. Perhaps the offsets have changed with a patch.

In winhack, when you go to the address, only one pair is highlighted. In the example in the previous post, when I "goto" that address, only two digits in the "E" column are highlighted, and in my case the number is 83. So if I need to replace the offsets, what do I replace? Where do I start and where do I end? I can see that I can replace the number 83, but that is only one pair of numbers; the offset is like four sets of paired numbers?

Also, can anyone verify if any of the previously posted offsets are still correct?

Thanks in advance for any assistance.
Tault_pickled
Typical User

Premium Member
Joined: 22 Nov 2004
Posts: 190
2 TUBucks

PostPosted: Fri Mar 04, 2005 2:29 am    Post subject:  

http://www.emu8086.com/Help/ - Basic Assembly for Beginners
http://www.win32asm.cjb.net/ - Advanced Assembly Language
http://www.ghu.as.ro/ - Game Hacking Tutorials
http://www.gamehacking.com/ - Game Hacking Tutorials
http://www.dvshacking.com/ - Game Hacking Tutorials
http://hax-studios.net/main.php - Misc Tutorials
http://pc.nanobot2k.org/?action=articles - Misc Tutorials
http://www.protools.cjb.net/ - Reverse Engineering Tools

Cool
Tault_pickled
Typical User

Premium Member
Joined: 22 Nov 2004
Posts: 190
2 TUBucks

PostPosted: Fri Mar 04, 2005 3:00 am    Post subject:  

Just thought I would clear up some of the info posted above Cool


The offset is actually the position in memory from the base address stored on the register at that time.

eg. Base Address [0x1] + Offset [0x1] = Address [0x2]

The Op Codes are the byte values that change the Assembly language instructions at the address.

(No operation = 90, a 1-byte instruction)

Example of NOP at Address[0x1] + Offset[0x1]:

Address[0x2] = 90 <- Would NOP the instruction at address 0x2

Also note that the above example would only apply had that instruction been 1 byte long; in most cases you may have to set multiple NOPs depending on the original size of the instruction (see example below).

Applications will normally fail as a result if the byte size changes incorrectly, if they happen to be set to read x byte length, or if they have some sort of CRC check on the code size.


Original Instruction
Example of Original Address [0x2] = E8E6080000 (Original Instruction: call 0x010038ED, 5 bytes long)

Modified Instruction
Example of NOP at Modified Address [0x2] = 9090909090 (Modified Instruction: NOP x 5, 5 bytes long).

Note: I used a basic example of an unreal address 0x2 to make it easier to understand; normally a real address may look something like 0x123456A. So if you added offset 0x1 to that address you would arrive at address 0x123456B.

All of the above values are in HEX of course (base 16).

HEX Value chart

Code:

Base 10     Base 16
[Decimal]  [Hex]
0         0
1         1
2         2
3         3
4         4
5         5
6         6
7         7
8         8
9         9
10         A
11         B
12         C
13         D
14         E
15         F

Example:

FF = 255 Decimal because FF: (F*16^1)+(F*16^0) == (15*16^1=240)+(15*16^0=15) == 255 -> (for your information 16^0 = 1)



That was fun Smile

Last edited by Tault_pickled on Fri Mar 04, 2005 7:56 am; edited 1 time in total
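The 5-byte call, the five NOPs that replace it and the CRC check Pickled mentions, worked through as an added example (this is not code from the thread). The ten-byte code image is constructed, and the load address 0x01003000 is an assumption chosen so that the call at offset 2 sits at 0x01003002, the only address from which E8 E6 08 00 00 reaches 0x010038ED.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

// Constructed stand-in for a few bytes of a client's .text section; the
// 5-byte near call E8 E6 08 00 00 from the post sits at offset 2.
static const uint8_t kCodeImage[] = {0x55, 0x56,                    // push ebp; push esi
                                     0xE8, 0xE6, 0x08, 0x00, 0x00,  // call 0x010038ED
                                     0x5E, 0x5D, 0xC3};             // pop esi; pop ebp; ret
static const size_t kCallOffset = 2;
// Assumed load address: puts the call at 0x01003002, from which it reaches 0x010038ED.
static const uint32_t kSnippetBase = 0x01003000;

// Decode the target of an E8 near call located at `addr`: the rel32 is
// little-endian and relative to the address of the *next* instruction.
uint32_t call_target(uint32_t addr, const uint8_t *insn) {
    uint32_t rel = (uint32_t)insn[1] | ((uint32_t)insn[2] << 8) |
                   ((uint32_t)insn[3] << 16) | ((uint32_t)insn[4] << 24);
    return addr + 5 + rel;  // unsigned wrap-around handles a negative rel32
}

// CRC-32 (IEEE 802.3, reflected): the kind of check a client can run over its own code.
uint32_t crc32(const uint8_t *data, size_t n) {
    uint32_t c = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; ++i) {
        c ^= data[i];
        for (int k = 0; k < 8; ++k)
            c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return ~c;
}

// The post's modification: overwrite `len` bytes at `off` with NOP (0x90); bounds-checked.
bool nop_out(std::vector<uint8_t> &region, size_t off, size_t len) {
    if (off >= region.size() || len > region.size() - off) return false;
    std::memset(&region[off], 0x90, len);
    return true;
}

// Integrity check: true while the region still matches the recorded CRC.
bool code_intact(const std::vector<uint8_t> &region, uint32_t expected) {
    return crc32(region.data(), region.size()) == expected;
}

int main() {
    std::vector<uint8_t> code(kCodeImage, kCodeImage + sizeof kCodeImage);
    uint32_t expected = crc32(code.data(), code.size());  // recorded at start-up
    uint32_t call_addr = kSnippetBase + (uint32_t)kCallOffset;
    std::printf("call at 0x%08X -> 0x%08X\n", call_addr, call_target(call_addr, &code[kCallOffset]));
    nop_out(code, kCallOffset, 5);  // E8 E6 08 00 00 becomes 90 90 90 90 90
    std::printf("code intact after patch: %s\n", code_intact(code, expected) ? "yes" : "no");
    return 0;
}
```

Re-running the CRC after the five NOPs are written is exactly what lets a client notice that its code no longer matches what it recorded at start-up.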
Tault_rphister
In Training

Premium Member
Joined: 22 Feb 2005
Posts: 10
0 TUBucks

PostPosted: Fri Mar 04, 2005 7:46 am    Post subject:  

So what I should do then is just make a trainer and poke the code offset with my op codes? LOL. That sounded good, but I have no idea what I'm talking about.
Thanks for all the info Pickled, I understand the hex and am starting to get a feel for assembly. With the links you provided, I am sure I'll be able to learn the rest.
Appreciate your time!
Tault_pickled
Typical User

Premium Member
Joined: 22 Nov 2004
Posts: 190
2 TUBucks

PostPosted: Fri Mar 04, 2005 7:53 am    Post subject:  

Providing the memory addresses you are poking aren't using DMA, then you are right - you could just make a simple trainer to do so.

Otherwise you may need to make a hook and some code cave space to catch the addresses stored on the registers, but I don't think it's all that easy to do with the security in EQ2. I've never tried.
Tault_spartan139
In Training

Premium Member
Joined: 18 Feb 2005
Posts: 11
0 TUBucks

PostPosted: Mon Mar 07, 2005 9:35 am    Post subject: Idea for Website.  

Would it not be a good idea to keep up-to-date offsets in an easy-to-access section within the website instead of trawling through the boards? Or develop a program that's kept up to date that switches the offsets on/off?
Tault_pickled
Typical User

Premium Member
Joined: 22 Nov 2004
Posts: 190
2 TUBucks

PostPosted: Mon Mar 07, 2005 10:04 am    Post subject:  

Yep, I'm sure it would, if anyone was 'contributing' the latest offsets regularly.

However, the game structure is constantly changing and there is no one here releasing these offsets to the public on a 'daily basis'.

Therefore offset hacking is something you should probably learn to do yourself, using the guides linked above, to keep up to date with the new patches.
Tault_pretzel
In Advanced Training

Regular Member
Joined: 31 Jan 2005
Posts: 77
2 TUBucks

PostPosted: Tue Mar 08, 2005 10:31 am    Post subject:  

Haven't been playing much lately so I haven't been checking this thread; looks like several people are getting into memory hacking now though Smile The great thing about it is that once you learn the process, you can really use it on any client-server game, and most games tend to be far easier to manipulate than MMOs.
Tault_pickled
Typical User

Premium Member
Joined: 22 Nov 2004
Posts: 190
2 TUBucks

PostPosted: Tue Mar 08, 2005 11:18 am    Post subject:  

I was bored and started learning how to make a C++ trainer; here it is if anyone is interested in how to do it.

Code:

#include <iostream>
#include <cstdio>
#include <windows.h>
using namespace std;

int main(int argc, char *argv[])
{
   //Game Window Handle, Id
   char windowTitle[] = "Minesweeper";
   HWND gWindow;
   HANDLE gHandle;
   DWORD procId;
   //Read - Write Memory (byte counts filled in by the API calls)
   SIZE_T read = 0;
   SIZE_T written = 0;
   //Base address to act on
   DWORD_PTR base_address = 0x100579C;
   DWORD_PTR base_address_nop = 0x1002FF5;
   //Storage Buffer (1 x DWORD = 4 bytes long)
   DWORD rBuffer = 0;
   DWORD wBuffer = 0;
      
   cout << "Looking for " << windowTitle << " ....\n";

   //Poll for the window (sleep between tries so we don't spin a core)
   do
   {
      gWindow = FindWindowA(NULL, windowTitle);
      if(!gWindow) Sleep(100);
   } while (!gWindow);

   cout << "Got " << windowTitle << " Attaching to process...\n";

   GetWindowThreadProcessId(gWindow, &procId);
   gHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, procId);
   
   if(!gHandle)
   {
      cerr << "Failed to attach to process!\n";
      return 1;
   }
   
   ReadProcessMemory(gHandle, (LPCVOID)base_address, &rBuffer, sizeof(rBuffer), &read);
   
   if(!read)
   {
      cerr << "Could not read memory!\n";
      CloseHandle(gHandle);
      return 1;
   }

   printf("Read Value: 0x%lX, Size of Read(%u bytes)\n", (unsigned long)rBuffer, (unsigned)sizeof(rBuffer));

   WriteProcessMemory(gHandle, (LPVOID)base_address, &wBuffer, sizeof(wBuffer), &written);
   
   ReadProcessMemory(gHandle, (LPCVOID)base_address, &rBuffer, sizeof(rBuffer), &read);
   
   printf("Read Value: 0x%lX, Size of Read(%u bytes) -> After Write!\n", (unsigned long)rBuffer, (unsigned)sizeof(rBuffer));
   

   //Write array of Bytes - NOP to timer.. (pass the array itself, not its address)
   BYTE byteArray[6] = {0x90,0x90,0x90,0x90,0x90,0x90};

   WriteProcessMemory(gHandle, (LPVOID)base_address_nop, byteArray, sizeof(byteArray), &written);

   CloseHandle(gHandle);

   return 0;
}


For Minesweeper Razz. You could use this rough template for EQ2 though, I guess.
Tault_nazeroth
Moderator

Premium Member
Joined: 18 Nov 2004
Posts: 1444
682 TUBucks

PostPosted: Tue Mar 08, 2005 8:24 pm    Post subject:  

haha Pickled, a minesweeper trainer. Good stuff heh.
tault_sirusdv
Moderator

Premium Member
Joined: 22 Aug 2004
Posts: 262
Location: Seattle
10 TUBucks

PostPosted: Tue Mar 08, 2005 9:10 pm    Post subject:  

I figured if there were any other C# monkeys out there ;] I would drop my part in this too:

Made the same thing as above, only in C# (.NET), with a simple class that I use to fondle other processes' memory space.


Code:

using System;
using System.Diagnostics;
using System.Runtime.InteropServices;

namespace SweepMine
{
   /// <summary>
   /// Summary description for Class1.
   /// </summary>
   class Class1
   {
      /// <summary>
      /// The main entry point for the application.
      /// </summary>
      [STAThread]
      static void Main(string[] args)
      {

         Console.Write("Looking for \"winmine\"...");


         //find the process and if we dont find it exit.
         Process[] pArray = Process.GetProcessesByName("winmine");
         if (pArray.Length == 0)
            return;

         Console.WriteLine("Found!");

         // Create memory reader
         ProcessMemoryReader pReader = new ProcessMemoryReader();

         // Take the first process found
         pReader.ReadProcess = pArray[0];

         //Open the process for reading/writing
         pReader.OpenProcess();

         //something to count the number of bytes we read (-1 to mean error if we fail)
         int aout=-1;

         //write the hack at 0x1002FF5 with the NOP bytes 'new byte [] {0x90,0x90,0x90,0x90,0x90,0x90}'
         pReader.WriteProcessMemory(((IntPtr)0x1002FF5),new byte[] {0x90,0x90,0x90,0x90,0x90,0x90},out aout);

         
         //output the number of bytes we wrote (0 means the write failed)
         Console.WriteLine("Wrote {0} bytes to memory!",aout);
         
         //close the handle
         pReader.CloseHandle();

         //wait for user input
         Console.Read();



      }


      public class ProcessMemoryReader
      {
         public class ProcessMemoryAPI
         {
         
            //API calls (this is what lets us call native win32 apis)
            [DllImport("kernel32.dll")]
            public static extern IntPtr OpenProcess(UInt32 dwDesiredAccess, Int32 bInheritHandle, UInt32 dwProcessId);
            [DllImport("kernel32.dll")]
            public static extern Int32 CloseHandle(IntPtr hObject);
            [DllImport("kernel32.dll")]
            public static extern Int32 ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress,[In, Out] byte[] buffer, UInt32 size, out IntPtr lpNumberOfBytesRead);
            [DllImport("kernel32.dll")]
            public static extern Int32 WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress,[In, Out] byte[] buffer, UInt32 size, out IntPtr lpNumberOfBytesWritten);


            //Process access flags
            [Flags]
            public enum ProcessAccessType
            {
               PROCESS_TERMINATE         = (0x0001),
               PROCESS_CREATE_THREAD      = (0x0002),
               PROCESS_SET_SESSIONID      = (0x0004),
               PROCESS_VM_OPERATION      = (0x0008),
               PROCESS_VM_READ            = (0x0010),
               PROCESS_VM_WRITE         = (0x0020),
               PROCESS_DUP_HANDLE         = (0x0040),
               PROCESS_CREATE_PROCESS      = (0x0080),
               PROCESS_SET_QUOTA         = (0x0100),
               PROCESS_SET_INFORMATION      = (0x0200),
               PROCESS_QUERY_INFORMATION   = (0x0400)
            }
         }


         //Simple class for managing processes and make it look clean
         public ProcessMemoryReader()
         {
         }

         //public place to read processes from
         public Process ReadProcess
         {
            get
            {
               return m_ReadProcess;
            }
            set
            {
               m_ReadProcess = value;
            }
         }


         //private process ALL MINE MINEEE!!!
         private Process m_ReadProcess = null;

         //default PID
         private IntPtr m_hProcess = IntPtr.Zero;


         //Opens the process for read/write
         public void OpenProcess()
         {
      
            //sets what type of access we want; in this case Read/Write
            ProcessMemoryAPI.ProcessAccessType access;
            access = ProcessMemoryAPI.ProcessAccessType.PROCESS_VM_READ
               | ProcessMemoryAPI.ProcessAccessType.PROCESS_VM_WRITE
               | ProcessMemoryAPI.ProcessAccessType.PROCESS_VM_OPERATION;
      
            //calls the API and actually opens up the process
            m_hProcess = ProcessMemoryAPI.OpenProcess((uint)access, 1, (uint)m_ReadProcess.Id);
         }

         //closes the process from whatever we were doing.
         public void CloseHandle()
         {
            int iRetValue;
            iRetValue = ProcessMemoryAPI.CloseHandle(m_hProcess);
            if (iRetValue == 0)
               throw new Exception("CloseHandle failed");
         }

         //reads that perdy memory AND outs the number of bytes read.
         public byte[] ReadProcessMemory(IntPtr MemoryAddress, uint bytesToRead, out int bytesRead)
         {
            byte[] buffer = new byte[bytesToRead];
         
            IntPtr ptrBytesRead;
            ProcessMemoryAPI.ReadProcessMemory(m_hProcess,MemoryAddress,buffer ,bytesToRead,out ptrBytesRead);
         
            bytesRead = ptrBytesRead.ToInt32();

            return buffer;
         }

         //even better than the top function, writes things to the memory and returns number of bytes written.
         public void WriteProcessMemory(IntPtr MemoryAddress, byte[] bytesToWrite ,out int bytesWritten)
         {
            IntPtr ptrBytesWritten;
            ProcessMemoryAPI.WriteProcessMemory(m_hProcess,MemoryAddress,bytesToWrite,(uint)bytesToWrite.Length,out ptrBytesWritten);
         
            bytesWritten = ptrBytesWritten.ToInt32();
         }
      }

   }
}

Tault_rphister
In Training

Premium Member
Joined: 22 Feb 2005
Posts: 10
0 TUBucks

PostPosted: Tue Mar 08, 2005 9:16 pm    Post subject:  

Is there a file in EQ2 similar to the eqstr_en.txt file in EQ1 that gives you a line number that you can change to hex to help locate the location of an event in memory?

Example:
EQST0002
0 7690
1 %1 %2 %3 %4 %5 %6 %7 %8 %9
100 Your target is out of range, get closer!
101 Target player not found.
102 Duplicate Lore Item deleted.
103 Duplicate Lore Item deleted. There was one already in your bank.
104 Trade cancelled, duplicated Lore Items would result.
105 You cannot seem to develop an affinity for this place. Try a city.
106 This spell does not work here.
107 This spell does not work on this plane.
108 You cannot see your target.
109 All ability timers reset.
110 Your body rushes with courage as you hear the war cry!
111 You must hold an item on your cursor from which bone can be created.