Delicioso!!!!!

A forum for feature requests/discussions and user submitted patches that improve MQ2

Moderator: MacroQuest Developers

dont_know_at_all
Developer
Posts: 5450
Joined: Sun Dec 01, 2002 4:15 am
Location: Florida, USA


Post by dont_know_at_all » Fri Jun 27, 2003 11:53 pm

Thanks to Wes, we have a matching testeqgame.exe and testeqgame.map. For a couple of hours on the 24th, they really screwed up by putting the map file out there. In this map file are function names and prototypes.

http://macroquest2.com/downloads/map/

Play nice, kids.

See also undname.exe from VS to undecorate the types.

This is unfreakin' believable.

wassup
Official Guardian and Writer of TFM
Posts: 1487
Joined: Sat Oct 26, 2002 5:15 pm

Post by wassup » Fri Jun 27, 2003 11:59 pm

What happened to the map? SoE already get it nuked?

Darkhearted_Wizard
orc pawn
Posts: 22
Joined: Fri Jun 20, 2003 7:14 pm

Post by Darkhearted_Wizard » Sat Jun 28, 2003 12:14 am

Wassup wrote: What happened to the map? SoE already get it nuked?
SoE patches a dummy testeqgame.map to make sure anyone who's got it lost it. Dummy is just an empty file, to overwrite. If I had known that a .map would be something useful I woulda posted the file when I got it. *makes a note to announce and save any curious looking files in the future*

Edit: DKAA. Link is not working, gives a nice big fat internal server error.

iluvseq
Clueless Mudslinger
Posts: 269
Joined: Mon Apr 14, 2003 10:05 am

Post by iluvseq » Sat Jun 28, 2003 12:20 am

Apparently .map is an extension recognized as some sort of server-parsed file on that Apache server. You should rename the file, or remove the Apache module that is trying to parse it.

dont_know_at_all
Developer
Posts: 5450
Joined: Sun Dec 01, 2002 4:15 am
Location: Florida, USA

Post by dont_know_at_all » Sat Jun 28, 2003 3:01 am

Sorry, renamed the map file to testeqgame.txt.

wassup
Official Guardian and Writer of TFM
Posts: 1487
Joined: Sat Oct 26, 2002 5:15 pm

Post by wassup » Sat Jun 28, 2003 3:45 am

Whoa... Quite a bit of interesting stuff in there.

I surely hope it helps you devs to figure out some missing info.

Wonder who made the blunder of posting this on the test patch server.

Valerian
a grimling bloodguard
Posts: 709
Joined: Sun Jul 28, 2002 3:29 am

Post by Valerian » Sat Jun 28, 2003 9:36 am

wow... I particularly like the part about the LMouseDown, LMouseUp, RMouseDown, RMouseUp... I bet I could figure a way to use those funcs for a non-detoured click.... heh

compuboy
a ghoul
Posts: 108
Joined: Thu Apr 24, 2003 8:19 am
Location: Good Question, if anyone finds out, let me know

Post by compuboy » Sun Jun 29, 2003 2:42 pm

Sounds like they'll be paying for this for a while, hehe.
Ya know, I can't think of anything profound to say here, so....

GO DEVS

sprite
a lesser mummy
Posts: 51
Joined: Tue Apr 15, 2003 8:42 am

Post by sprite » Sun Jun 29, 2003 9:27 pm

Amazing =) Looks like devs are gonna have to be extra busy now.

sprite
a lesser mummy
Posts: 51
Joined: Tue Apr 15, 2003 8:42 am

Post by sprite » Sun Jun 29, 2003 9:50 pm

0001:0007df5e ?BitchCanTrain@EQ_PC@@QAEHHHH@Z 0047ef5e f EQ_PC.obj

Amadeus
The Maestro
Posts: 2036
Joined: Sat Jun 29, 2002 3:51 pm

Post by Amadeus » Mon Jun 30, 2003 5:17 am

The thing that cracked me up the most from reading through it quick is that some of these .cpp files must be *HUGE*....lol. No wonder EQ crashes all the time...debugging it must be pure hell.

compuboy
a ghoul
Posts: 108
Joined: Thu Apr 24, 2003 8:19 am
Location: Good Question, if anyone finds out, let me know

Post by compuboy » Mon Jun 30, 2003 1:52 pm

So what exactly does this file contain? I am a n00b when it comes to mem addresses and C++, so could someone fill in the uninitiated?

thanks

eq_freak
a ghoul
Posts: 105
Joined: Mon Jun 24, 2002 7:17 am

Post by eq_freak » Mon Jun 30, 2003 2:14 pm

Function names, their parameters and offsets in eqgame.exe.

Takes a lot of the guesswork out of figuring out what a given function does. As an example, see sprite's use of the MoveMoney function (posted on the general board).

And yeah, definitely lots of things to play around with there. I just hope my account will survive the experiments :D
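Added example, not code from the thread or from MQ2: a small Python parser for the symbol lines of an MSVC linker .map file like the one sprite quoted, showing what such a leak actually discloses (Class::Name recovered from the decorated names, and the class-to-method listing) and checking that the Rva+Base column is consistent with the binary you assume. The sample input is constructed; only its first line comes from the thread, and the image base 0x400000 and .text RVA 0x1000 are assumptions about a default 32-bit MSVC image.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# MSVC linker map symbol line: <section>:<offset> <decorated name> <Rva+Base> [f] <object>
SYMBOL_LINE = re.compile(
    r"^\s*(?P<sec>[0-9a-f]{4}):(?P<off>[0-9a-f]{8})\s+(?P<name>\S+)\s+"
    r"(?P<addr>[0-9a-f]{8})\s+(?P<f>f\s+)?(?P<obj>\S.*?)\s*$", re.I)

# Constructed input: line 1 is sprite's quoted line; the rest are made-up names, the last with a wrong Rva+Base
SAMPLE_MAP = """\
 0001:0007df5e       ?BitchCanTrain@EQ_PC@@QAEHHHH@Z 0047ef5e f   EQ_PC.obj
 0001:00010000       ?Example_Method@Example_Class@@QAEXXZ 00411000 f   Example.obj
 0003:00000010       _g_example_global          0070abcd     Example.obj
 0001:00000020       ?Bogus@@YAXXZ              00401030 f   Bogus.obj
"""

@dataclass
class MapSymbol:
    section: int
    offset: int
    decorated: str
    address: int       # the Rva+Base column
    is_function: bool  # the 'f' flag

    def qualified_name(self) -> str:
        # ?Name@Scope@...@@<type info>: the part before the first '@@' gives Scope::Name
        if not self.decorated.startswith("?"):
            return self.decorated.removeprefix("_")  # plain C symbol
        parts = self.decorated[1:].split("@@", 1)[0].split("@")
        return "::".join(list(reversed(parts[1:])) + [parts[0]])

def parse_map(text: str) -> list[MapSymbol]:
    return [MapSymbol(int(m["sec"], 16), int(m["off"], 16), m["name"],
                      int(m["addr"], 16), bool(m["f"]))
            for m in map(SYMBOL_LINE.match, text.splitlines()) if m]

def check_addresses(syms, image_base=0x400000, section_rva=None):
    # Rva+Base must equal image base + section RVA + offset, else the map is not for this binary
    section_rva = section_rva or {1: 0x1000}  # assumed .text RVA of a default MSVC image
    return [(s.decorated, image_base + section_rva[s.section] + s.offset, s.address)
            for s in syms if s.section in section_rva
            and image_base + section_rva[s.section] + s.offset != s.address]

def functions_by_class(syms):
    out = defaultdict(list)  # class -> method names the map discloses
    for s in filter(lambda x: x.is_function, syms):
        scope, _, name = s.qualified_name().rpartition("::")
        out[scope or "<global>"].append(name)
    return dict(out)
```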

Darkhearted_Wizard
orc pawn
Posts: 22
Joined: Fri Jun 20, 2003 7:14 pm

Post by Darkhearted_Wizard » Tue Jul 01, 2003 5:05 am

DKAA asked for the 6-24 offsets. Assuming the .exe in the directory is the 6-24 (and I'm pretty sure it is) I built up a set of offsets. I haven't checked this by hand (going to do that now) but here's the preliminary listing. Did a quick hand check on a few, they're correct. I'm still working on my search algorithms for locating them, so lemme know if any are wrong (they damn well shouldn't be, I spent many hours tweaking them but.. :D it happens). Going to bed, I'll check by in the morning. Hope these help!

Code:

[MacroQuest]
MacroQuestVersion=SRC-20030516
ClientName=testeqgame
ClientVersion=xxx Jun xx xx:xx:xx 2003
ClientOverride=0
MacroQuestWinClassName=__MacroQuestTray
MacroQuestWinName=MacroQuest

[Function Locations]
WriteChatColor=004e857c
GetRaceByID=004dda2b
GetClassByID=004dd3d6
GetDeityByID=004deecd
LeftClick=004e1a1f
RightClick=004efad4
ScreenItem=0045f44c
ScreenSpawn=004eff7d
NewUIINI=0044a194
MaxMana=00467636
Commands=004eee6e
CmdCleanup=
MemChecker=00501505
MemChecker2=0050504F
MemCheckAddr1=005050bd
MemCheckAddr2=00505f5
MemChecker3=005024ad

[DirectInput8]
Main=0078130c
Keyboard=00781310
Mouse=00781314

[Memory Locations]
Clicks=00703424
Zoning=00766600
Zones=0076661c
SpawnHeader=00766620
Items=00766624
Doors=00766634
SpawnFooter=00766644
Char=00766658
CharInfo=00766660
Target=00766664
Guilds=0070423c
Packs=
OldAttack=
Mouse=00781318
Attack=0070423c
Spells=00774368
CommandList=005b96b0
DoAbilityList=0073cfd8
DoAbilityAvailable=007041d8
Group=006b6a78
GroupCount=006b6930
HSliderItems=
HSliderMoney=
PackPanel1=
PackPanel2=
clsMain=
clsItems=00766688
clsSpawns=00766610
clsInvPanel=
clsMerchantPanelStatus=
clsMerchantItemBase=
clsMerchantSelectedItem=
clsMerchantSelectedSlotID=
clsMainNewUI=00781494
clsMainSpellRefresh=
clsMainSpellMemId=
clsMainSpellMemBar=
clsMainSpellMemGem=

EncryptPad=005d33c8
EncryptPad3=005d37ec
EncryptPad2=005d4250

ServerHost=0070320c

sprite
a lesser mummy
Posts: 51
Joined: Tue Apr 15, 2003 8:42 am

Post by sprite » Tue Jul 01, 2003 11:44 am

Not really a use for it anymore since .map file leaked, but an alternate way to do it (the way I found MoveMoney function). Load up EQgame disassembly in IDA (w32dasm won't tell you how many args and such a function has so it can be more confusing).

I wanted to find the function that moved my money so I added the following code to my MQ:

Code:

VOID BankInfo(PSPAWNINFO pChar, PCHAR szLine)
{
	CHAR szAddr[MAX_STRING] = {0};
	PCHARINFO pCharInfo = NULL;
	pCharInfo = *EQADDR_CHAR_INFO;
	// Print the in-memory addresses of the character's bank platinum and gold
	sprintf(szAddr,"Address of bank plat: %x, Address of bank gold: %x",(DWORD)&(pCharInfo->BankPlat),(DWORD)&(pCharInfo->BankGold));
	WriteChatColor(szAddr,CONCOLOR_RED);
}

This was just so I easily could get the real addresses of my bank plat and money.

Load up Debugging tools for windows.

Add the following breakpoint:
ba w4 [realaddress] "r eip;g" (Translation: break on access when a DWORD is written to the address of my plat/gold, read me the instruction pointer and continue)

After that you go to the instruction pointer in disassembly (This actually points to the next instruction that the program is to execute, so that if it's after a jump/call you need to figure out where it came from)

Once you have found the place where the plat/gold is written (or whatever function you're working on) you need to find the beginning of the function (In w32dasm just look for a referenced by call at blah blah and in IDA just look for a bunch of vars and args and SUBROUTINE in big letters).

Once you have found the beginning of the function set a breakpoint at it. Load up call stack in windbg, do your action again, such as dropping money in the bank. You can then figure out where the call came from, keep this in mind. You may also want to set a simple breakpoint at the beginning of the function: bp functionaddr "r eip;g" then do anything that you think the function may be handling to see exactly what it does, where it applies and where it does not.

Once you have figured that out you need to look at the arguments passed to it (anything that is pushed onto the stack before the call), read these in the debugger, write down the values, try to find a pattern to figure out what the different values represent. There really is no other way than experimentation to figure out what the args are (other than perhaps looking at how they are used).

Once you have figured all that out you can call the function with inline asm like I did for the MoveMoney function. Have fun messing with .map file. Hopefully I cleared up some questions that people were having.