Working Offsets (Mem/Hacks) - Page 8

Posted: February 27th, 2005, 8:52 am

Quote

tault_lostsox

Since I cant see any member area index on EQ2Unleashed map is there any news as to when we will be getting this?

Posted: February 28th, 2005, 7:57 am

Quote

tault_rphister

Hi, i have a question about winhack.. I opened up winhack and selected everquest2.exe process. I do see a "Search Now" button in the lower left corner but when i do a search, say for $0048C9AE, nothing changes at all.. However, when i select "Go to Address" and put in $0048C9AE it takes me to the address and lights up "83" which is in the E column, but I dont understand what needs to be done to change the offset.. isn't the offset like six characters.. (three sets of two)? Where do i find these at? Sorry if this is a really dumb question, but i though it would be obvious to change, or im just missing something as a nOOb! Also, is there anyway we can as a group get a program to identify all the new offsets after each patch, such as is done with Myseq?

Thanks

Posted: March 1st, 2005, 6:58 am

Quote

tault_sirusdv

offsets are usually 4 sets of 2 and $0048C9AE is an offset ;] all an offset is a position in the applications allocated memory where assembly code is stored.

Posted: March 3rd, 2005, 11:03 am

Quote

tault_rphister

I have been trying to figure this out without luck.. Perhaps the offsets have changed with a patch..

In winhack when you got to the address, only one pair is highlighted. In the example on the previous post, when i "goto" that address, only two digits in the "E" colunm are highlighted and in my case the number is 83.. So if i need to replace the offsets.. What do i replace. Where do i start and where do i end? I can see that i can replace the number 83 but that is only one pair of numbers, the offset if like four sets of paired numbers?

Also, can anyone verifty if any of the previously posted offsets are still correct?

Thanks in advance for any assistance

Posted: March 3rd, 2005, 6:29 pm

Quote

tault_pickled

http://www.emu8086.com/Help/ - Basic Assembly for Beginners
http://www.win32asm.cjb.net/ - Advanced Assembly Language
http://www.ghu.as.ro/ - Game Hacking Tutorials
http://www.gamehacking.com/ - Game Hacking Tutorials
http://www.dvshacking.com/ - Game Hacking Tutorials
http://hax-studios.net/main.php - Misc Tutorials
http://pc.nanobot2k.org/?action=articles - Misc Tutorials
http://www.protools.cjb.net/ - Reverse Engineering Tools

Posted: March 3rd, 2005, 7:00 pm

Quote

tault_pickled

Just thought I would clear up some of the info posted above

The offset is actually the position in memory from the base address stored on the register at that time.

eg. Base Address [0x1] + Offset [0x1] = Address [0x2]

The Op Codes are the byte values that change the Assembly language instructions at the address.

(No operation = 90 (1 x byte instruction))

Example of NOP at Address[0x1] + Offset[0x1]:

Address[0x2] = 90 <- Would NOP the instruction at address 0x2

Also note the above example would apply had that address been 1x byte long, in most cases you may have to set multiple NOP depending on the Orginal size of the instruction (see example below).

Applications will normally fail as a result if the byte size changes incorrectly, if they happen to be set to read x byte length. Or if they have some sort of CRC check on the code size.

Orginal Instruction
Example of Orginal Address [0x2] = E8E6080000 (Original Instruction: call 0x010038ED x 5 byte long)

Modified Instruction
Example of NOP at Modified Address[0x2] = 9090909090 (Modified Instruction: NOP x 5 byte long).

Note: I used basic example of an unreal address 0x2 to make it easier to understand, normally a real address may look something like 0x123456A. So if you added offset 0x1 to that address you would arrive at address 0x123456B.

All of the above values are in HEX of course (base 16).

HEX Value chart

Code: Select all

Base 10     Base 16
[Decimal]  [Hex]
0         0
1         1
2         2
3         3
4         4
5         5
6         6
7         7
8         8
9         9
10         A
11         B
12         C
13         D
14         E
15         F

Example:

FF = 255 Decimal because FF: (F*16^1)+(F*16^0) == (15*16^1=240)+(15*16^0=15) == 255 -> (for your information 16^0 = 1)

That was fun

Last edited by Guest on March 3rd, 2005, 11:56 pm, edited 1 time in total.

Posted: March 3rd, 2005, 11:46 pm

Quote

tault_rphister

So what I should do then is just make a trainer and poke the code offset with my op codes? LOL. that sounded good, but i have no idea what im talking about.
Thanks for all the info Pickled, i understand the Hex and am starting to get a feel for Assembly. With the links you provided, I am sure Ill be able to learn the rest.
Appreciate your time!

Posted: March 3rd, 2005, 11:53 pm

Quote

tault_pickled

Providing the memory address you are poking aren't using DMA, then you are right - you could just make a simple trainer to do so.

Otherwise you may need to make a hook and some code cave space to catch the addresses stored on the registers, but I don't think it's all that easy to do with the security in EQ2. I've never tried.

Posted: March 7th, 2005, 1:35 am

Quote

tault_spartan139

Would it not be a good idea to keep up to date offsets in an easy to access section from within the website instaed of trawling through the boards? Or develop a program thats kept upto date that switches on/off the offsets?

Posted: March 7th, 2005, 2:04 am

Quote

tault_pickled

Yep I'm sure it would. If anyone was 'contributing' regularly the latest offsets.

However the game structure is consistently changing and there is no-one here releasing these offsets to the public on a 'daily basis'.

Therefore offset hacking is something you should probably learn to do yourself using the following guides above to keep up to date with the new patches.

Posted: March 8th, 2005, 2:31 am

Quote

tault_pretzel

Total Posts: 73
Joined: January 31st, 2005, 12:38 pm

Haven't been playing much lately so I haven't been checking this thread, looks like several people are getting into memory hacking now though

The great thing about it is once you learn the process, you can really use it on any client-server game.. and most games tend to be far easier to manipulate then MMO's

Posted: March 8th, 2005, 3:18 am

Quote

tault_pickled

I was bored and started learning how to make a c++ trainer, here it is if anyone is interested in how to do it.

Code: Select all

#include <iostream>
#include <windows.h>
using namespace std;

int main(int argc, char *argv[])
{
   //Game Window Handle, Id
   char windowTitle[] = "Minesweeper"; 
   HWND gWindow;
   HANDLE gHandle;
   DWORD procId;
   //Read - Write Memory
   DWORD read;
   DWORD written;
   //Base address to act on
   long base_address = 0x100579C;
   long base_address_nop = 0x1002FF5;
   //Storage Buffer (1 x BYTE long)
   DWORD rBuffer = 0;
   DWORD wBuffer = 0;
      
   cout << "Looking for " << windowTitle << " ....\n";

   do
   {
      gWindow = FindWindow(NULL, windowTitle);
   } while (!gWindow);

   cout << "Got " << windowTitle << " Attaching to process...\n";

   GetWindowThreadProcessId(gWindow, &procId);
    gHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, procId);
   
   if(!gHandle) 
   {
      cerr << "Failed to attach to process!\n";
      return 0;
   }
   
   ReadProcessMemory(gHandle, (void*)base_address, &rBuffer, sizeof(rBuffer), &read);
   
   if(!read) 
   {
      cerr << "Could not read memory!\n";
      return 0;
   }

   printf("Read Value: 0x%X, Size of Read(%d bytes)\n", rBuffer, sizeof(rBuffer));

   WriteProcessMemory(gHandle, (void*)base_address, &wBuffer, sizeof(wBuffer), &written);
   
   ReadProcessMemory(gHandle, (void*)base_address, &rBuffer, sizeof(rBuffer), &read);
   
   printf("Read Value: 0x%X, Size of Read(%d bytes) -> After Write!\n", rBuffer, sizeof(rBuffer));
   

   //Write array of Bytes - NOP to timer..
   BYTE byteArray[6] = {0x90,0x90,0x90,0x90,0x90,0x90};

   WriteProcessMemory(gHandle, (void*)base_address_nop, &byteArray, sizeof(byteArray), &written);

   CloseHandle(gHandle); 

   return 0;
}

For minesweeper

, You could use this rough templat for EQ2 though I guess.

Posted: March 8th, 2005, 12:24 pm

Quote

tault_nazeroth

Total Posts: 1390
Joined: November 17th, 2004, 5:16 pm

haha Pickled, a minesweeper trainer. Good stuff heh.

Posted: March 8th, 2005, 1:10 pm

Quote

tault_sirusdv

I figured if there were any other C# monkeys out there ;] I would drop my part in this too:

made the same thing as above only in C# (.NET) with a simple class that I use to fondle other process' memory space.

Code: Select all

using System;
using System.Diagnostics;
using System.Runtime.InteropServices;

namespace SweepMine
{
   /// <summary>
   /// Summary description for Class1.
   /// </summary>
   class Class1
   {
      /// <summary>
      /// The main entry point for the application.
      /// </summary>
      [STAThread]
      static void Main(string[] args)
      {

         Console.Write("Looking for \"winmine\"...");


         //find the process and if we dont find it exit.
         Process[] pArray = Process.GetProcessesByName("winmine");
         if (pArray.Length == 0)
            return;

         Console.WriteLine("Found!");

         // Create memory reader
         ProcessMemoryReader pReader = new ProcessMemoryReader();

         // Take the first process found
         pReader.ReadProcess = pArray[0];

         //Open the process for reading/writing
         pReader.OpenProcess();

         //something to count the number of bytes we read (-1 to mean error if we fail)
         int aout=-1;

         //write the the damn hack at 0x1002FF5 with the NOP bytes 'new byte [] {0x90,0x90,0x90,0x90,0x90,0x90}'
         pReader.WriteProcessMemory(((IntPtr)0x1002FF5),new byte[] {0x90,0x90,0x90,0x90,0x90,0x90},out aout);

         
         //output the number of bytes we wrote
         Console.WriteLine("Wrote {0} bytes to memory!",aout);
         
         //close the handle
         pReader.CloseHandle();

         //wait for user input
         Console.Read();



      }


      public class ProcessMemoryReader
      {
         public class ProcessMemoryAPI 
         {
         
            //API calls (this is what lets us call native win32 apis)
            [DllImport("kernel32.dll")]
            public static extern IntPtr OpenProcess(UInt32 dwDesiredAccess, Int32 bInheritHandle, UInt32 dwProcessId);
            [DllImport("kernel32.dll")]
            public static extern Int32 CloseHandle(IntPtr hObject);
            [DllImport("kernel32.dll")]
            public static extern Int32 ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress,[In, Out] byte[] buffer, UInt32 size, out IntPtr lpNumberOfBytesRead);
            [DllImport("kernel32.dll")]
            public static extern Int32 WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress,[In, Out] byte[] buffer, UInt32 size, out IntPtr lpNumberOfBytesWritten);


            //Process access flags
            [Flags]
               public enum ProcessAccessType
            {
               PROCESS_TERMINATE         = (0x0001),
               PROCESS_CREATE_THREAD      = (0x0002), 
               PROCESS_SET_SESSIONID      = (0x0004), 
               PROCESS_VM_OPERATION      = (0x0008), 
               PROCESS_VM_READ            = (0x0010), 
               PROCESS_VM_WRITE         = (0x0020), 
               PROCESS_DUP_HANDLE         = (0x0040), 
               PROCESS_CREATE_PROCESS      = (0x0080), 
               PROCESS_SET_QUOTA         = (0x0100), 
               PROCESS_SET_INFORMATION      = (0x0200), 
               PROCESS_QUERY_INFORMATION   = (0x0400) 
            }
         }


         //Simple class for managing processes and make it look clean
         public ProcessMemoryReader()
         {
         }

         //public place to read processes from 
         public Process ReadProcess
         {
            get
            {
               return m_ReadProcess;
            }
            set
            {
               m_ReadProcess = value;
            }
         }


         //private process ALL MINE MINEEE!!!
         private Process m_ReadProcess = null;

         //default PID
         private IntPtr m_hProcess = IntPtr.Zero;


         //Opens the process for read/write
         public void OpenProcess()
         {
      
            //sets what type of access we want; in this care Read/Write
            ProcessMemoryAPI.ProcessAccessType access;
            access = ProcessMemoryAPI.ProcessAccessType.PROCESS_VM_READ 
               | ProcessMemoryAPI.ProcessAccessType.PROCESS_VM_WRITE 
               | ProcessMemoryAPI.ProcessAccessType.PROCESS_VM_OPERATION;
      
            //calls the API and actually opens up the process
            m_hProcess = ProcessMemoryAPI.OpenProcess((uint)access, 1, (uint)m_ReadProcess.Id);
         }

         //closes the process from whatever we were doing.
         public void CloseHandle()
         {
            int iRetValue;
            iRetValue = ProcessMemoryAPI.CloseHandle(m_hProcess);
            if (iRetValue == 0)
               throw new Exception("CloseHandle failed");
         }

         //reads that perdy memory AND outs the number of bytes read.
         public byte[] ReadProcessMemory(IntPtr MemoryAddress, uint bytesToRead, out int bytesRead)
         {
            byte[] buffer = new byte[bytesToRead];
         
            IntPtr ptrBytesRead;
            ProcessMemoryAPI.ReadProcessMemory(m_hProcess,MemoryAddress,buffer ,bytesToRead,out ptrBytesRead);
         
            bytesRead = ptrBytesRead.ToInt32();

            return buffer;
         }

         //even better than the top function, writes things to the memory and returns number of bytes written.
         public void WriteProcessMemory(IntPtr MemoryAddress, byte[] bytesToWrite ,out int bytesWritten)
         {
            IntPtr ptrBytesWritten;
            ProcessMemoryAPI.WriteProcessMemory(m_hProcess,MemoryAddress,bytesToWrite,(uint)bytesToWrite.Length,out ptrBytesWritten);
         
            bytesWritten = ptrBytesWritten.ToInt32();
         }
      }

   }
}

Posted: March 8th, 2005, 1:16 pm

Quote

tault_rphister

Is there a file in eq2 similar to the eqstr_en.txt file in eq 1 that gives you a line number that you can change to Hex to help locate the location of an event in memory..

Example:
EQST0002
0 7690
1 %1 %2 %3 %4 %5 %6 %7 %8 %9
100 Your target is out of range, get closer!
101 Target player not found.
102 Duplicate Lore Item deleted.
103 Duplicate Lore Item deleted. There was one already in your bank.
104 Trade cancelled, duplicated Lore Items would result.
105 You cannot seem to develop an affinity for this place. Try a city.
106 This spell does not work here.
107 This spell does not work on this plane.
108 You cannot see your target.
109 All ability timers reset.
110 Your body rushes with courage as you hear the war cry!
111 You must hold an item on your cursor from which bone can be created.

Who is online
Users browsing this forum: No registered users and 22 guests

Working Offsets (Mem/Hacks) : EverQuest 2 Nerfed Info