1. What you need is a disassembler.
http://forever-hacking.net/?p=files
Here you can download a copy of "WDasm 32/16 8.9"
Do that... and I suggest you avoid the news section of that web site; I've had peanut butter jelly time in my head for a week! Damn you Tux!
2. You must prepare for the future now! Make a backup copy of your current eqgame.exe. After you back up the file, I suggest renaming it to something that lets you easily identify the version, like "02-07-03 eqgame.exe.bak", and placing it in a new directory you can easily find later. Also back up your eqgame.ini (assuming it has the correct offsets) from the MQ directory and place it in the same directory as your backup file. (Not everything in this step is vital, but it is convenient; once you get the hang of things, do it how you like.)
3. Enjoy MQ until the next patch; use all the features you can to test your current offsets and make sure they are correct and working.
4. Patch day. Patch your game; now you have a new eqgame.exe, and this is where step 1 comes in. Open up Wdasm and disassemble the eqgame.exe located in your EverQuest folder, e.g. "C:\Program Files\Everquest\eqgame.exe". Open up another copy of Wdasm and disassemble your old eqgame.exe backup file (the one you have offsets for). Now you should have two copies of Wdasm running; I will refer to the Wdasm with the backup version of eqgame.exe in it as "old" and the other as "new". In the old copy, do a text search for the first offset in your old eqgame.ini file, like
WriteChatColor=0054164C (this is from the Jan 4th patch, so I can use real examples)
Now the first thing you're going to see is something like...
:00404944 E8EBCA1300 call 00541434
:00404949 50 push eax
:0040494A 8D8500FEFFFF lea eax, dword ptr [ebp+FFFFFE00]
:00404950 68B9050000 push 000005B9
:00404955 50 push eax
:00404956 E877410F00 call 004F8AD2
:0040495B 8B0DBC448500 mov ecx, dword ptr [008544BC]
:00404961 83C42C add esp, 0000002C
:00404964 8D8500FEFFFF lea eax, dword ptr [ebp+FFFFFE00]
:0040496A 50 push eax
:0040496B E83ECE1300 call 005417AE
:00404970 381DAE4F8300 cmp byte ptr [00834FAE], bl
:00404976 742C je 004049A4
:00404978 53 push ebx
:00404979 B9F85E7D00 mov ecx, 007D5EF8
:0040497E E84ADE1400 call 005527CD
:00404983 8B0D40748300 mov ecx, dword ptr [00837440]
:00404989 6A01 push 00000001
:0040498B 6A0D push 0000000D
:0040498D 53 push ebx
:0040498E 68BA050000 push 000005BA
:00404993 E8D9721500 call 0055BC71
:00404998 8B0DBC448500 mov ecx, dword ptr [008544BC]
:0040499E 50 push eax
:0040499F E8A8CC1300 call 0054164C
Tada, you just found your old offset. Now study the code in this area, noting how far down in the code you are and any landmark-type code, i.e. string references.
Now switch back to your new Wdasm and look for this code; ignore the addresses and numbers and look for the same sequence of push, call, jump, mov, etc. instructions.
:0040499F E8F6CB1300 call 0054159A
:004049A4 50 push eax
:004049A5 8D8500FEFFFF lea eax, dword ptr [ebp+FFFFFE00]
:004049AB 68B9050000 push 000005B9
:004049B0 50 push eax
:004049B1 E86A430F00 call 004F8D20
:004049B6 8B0DC4448500 mov ecx, dword ptr [008544C4]
:004049BC 83C42C add esp, 0000002C
:004049BF 8D8500FEFFFF lea eax, dword ptr [ebp+FFFFFE00]
:004049C5 50 push eax
:004049C6 E849CF1300 call 00541914
:004049CB 381DB64F8300 cmp byte ptr [00834FB6], bl
:004049D1 742C je 004049FF
:004049D3 53 push ebx
:004049D4 B9005F7D00 mov ecx, 007D5F00
:004049D9 E855DF1400 call 00552933
:004049DE 8B0D48748300 mov ecx, dword ptr [00837448]
:004049E4 6A01 push 00000001
:004049E6 6A0D push 0000000D
:004049E8 53 push ebx
:004049E9 68BA050000 push 000005BA
:004049EE E890741500 call 0055BE83
:004049F3 8B0DC4448500 mov ecx, dword ptr [008544C4]
:004049F9 50 push eax
:004049FA E8B3CD1300 call 005417B2
Wow, this text looks familiar, doesn't it! You will also notice the memory addresses are not very far apart; in this case the call site moved by only 91 bytes. Now you will see a new value where your old offset was (here 005417B2 in place of 0054164C), and there you go... that's your new offset.
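The "ignore the addresses and numbers, look for the same instructions" step above can be automated. This is an added example, not code from the post: it parses two W32Dasm-style text listings (constructed here from the tails of the two listings quoted above), masks every address and immediate so only the instruction shape remains, finds the call to the old offset, and searches the new listing for the same shape sequence. The listing strings, the function names and the `context` parameter are my own assumptions.

```python
import re

# Constructed sample: the tails of the old and new W32Dasm listings quoted above.
OLD_LISTING = """\
:00404993 E8D9721500 call 0055BC71
:00404998 8B0DBC448500 mov ecx, dword ptr [008544BC]
:0040499E 50 push eax
:0040499F E8A8CC1300 call 0054164C
"""
NEW_LISTING = """\
:004049EE E890741500 call 0055BE83
:004049F3 8B0DC4448500 mov ecx, dword ptr [008544C4]
:004049F9 50 push eax
:004049FA E8B3CD1300 call 005417B2
"""

LINE_RE = re.compile(r"^:([0-9A-F]{8}) ([0-9A-F]+) (.+)$")
HEX_RE = re.compile(r"\b[0-9A-F]{4,8}\b")  # addresses and immediates

def parse(listing):
    """Turn a W32Dasm text listing into [(address, instruction)] pairs."""
    rows = []
    for line in listing.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append((int(m.group(1), 16), m.group(3)))
    return rows

def shape(instr):
    """Mask addresses/immediates: the post's 'ignore the addresses and numbers'."""
    return HEX_RE.sub("?", instr)

def find_new_offset(old_listing, new_listing, old_offset, context=3):
    """Locate the call to old_offset in the old listing, take it plus the
    `context` instructions before it as a landmark, and return every
    (call_address, call_target) in the new listing with that same shape.
    More than one hit means the landmark is too short: widen `context`."""
    old, new = parse(old_listing), parse(new_listing)
    idx = next(i for i, (_, ins) in enumerate(old)
               if ins == f"call {old_offset:08X}")
    pattern = [shape(ins) for _, ins in old[max(0, idx - context):idx + 1]]
    new_shapes = [shape(ins) for _, ins in new]
    hits = []
    for i in range(len(new_shapes) - len(pattern) + 1):
        if new_shapes[i:i + len(pattern)] == pattern:
            addr, ins = new[i + len(pattern) - 1]
            hits.append((addr, int(ins.split()[-1], 16)))
    return hits
```

Called as find_new_offset(OLD_LISTING, NEW_LISTING, 0x0054164C) it returns [(0x004049FA, 0x005417B2)], the same new offset the post arrives at by eye; on a full listing, a landmark of only a few instructions may match in several places, which is why the function returns all hits rather than the first.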
If anyone has any additional tips or whatever lemme know.