I'll keep this short and sweet...I'm trying to figure out how to find DoCrack offsets. I have a working copy of IDA and also w32dasm. I'm hoping someone here can point me in the right direction as to a guide, or what to look for when updating DoCrack offsets. From what I can tell, all the guides and links to guides here on RG are broken when it comes to finding offsets. It seems like the people here that know how to do it, do it very fast and very efficiently. Any help would be greatly appreciated.
-
You've discovered RedGuides 📕 an EverQuest multi-boxing community 🛡️🧙🗡️. We want you to play several EQ characters at once, come join us and say hello! 👋 -
IS THIS SITE UGLY? Change the look. To dismiss this notice, click the X --->
Offset Help (1 Viewer)
- Thread starter Jmo
- Start date
I only use IDA, so i'll do it based on that. open up eqstr_en.txt and look for any line you want.
4030 You cannot shield yourself!
is an example
change 4030 to hex.
which now changes to FBE
disassemble eqgame.exe in ida and search for FBEh
you should find a line that says PUSH FBEh
thats the part where the game actually outputs that text.
Now for the tricky part, its all guessing which jump is the one you want to either no-op or make always jump.
here are the different jump types
http://webster.cs.ucr.edu/AoA/Windows/HTML/LowLevelControlStructs.html#999101
Unfortunately I didn't have as much time as I wanted to make this, so here's a fast one
4030 You cannot shield yourself!
is an example
change 4030 to hex.
which now changes to FBE
disassemble eqgame.exe in ida and search for FBEh
you should find a line that says PUSH FBEh
thats the part where the game actually outputs that text.
Now for the tricky part, its all guessing which jump is the one you want to either no-op or make always jump.
here are the different jump types
http://webster.cs.ucr.edu/AoA/Windows/HTML/LowLevelControlStructs.html#999101
Unfortunately I didn't have as much time as I wanted to make this, so here's a fast one
jmo1985 said:
Jumps are like playing leap frog if you want a visual. Lets say for example that in order for a command take place you MUST jump over something (also know as a forced jump). Well in coding it can be done by using "EB" or "E9" depending if it is a LONG jump or a SHORT jump. What is the difference? Lets look at a sample of an offset that does this :
Rich (BB code):
[NoAnon]
Description="No Anon on /who"
Version="2007.08.13"
Address0=47dcc7
Normal0="74"
Crack0="EB"This is an example, now let me show you how we arrive at his -- I wrote this about 1 year ago on another MMO board :
Lets find NoAnon from scratch. With that in mind we open eqstr_us.TXT, so we can find the proper TEXT to find/block and that would be this one here :
Rich (BB code):
3122 ANONYMOUSOk load EQGAME20060419.EXE by dumping it onto the IDA PRO icon, and let it start melting away (decompiling). Ok we are going to be looking for a PUSH C32 (HEX of the DECIMAL number 3122), but we need to adjust for the spacing that is VERY WEIRD to say the least between "PUSH" and "XYX", so find anything with a "PUSH XYZ" and COPY it, so you can just paste it in, now count how many spaces there are in between H and X, it should be 4. Now we are going to do a SEARCH (ALT T) for PUSH____C32 (where ____ = 4 spaces), so put it in that way. One more thing to add, and that is GENERALLY when doing a search for something HEX keep in mind that HEX needs 2 (pairs of) characters (in this case) so we are actually looking for "PUSH 0C32". Do the search with FIND ALL OCCURANCES (This starts from the beginning - 400000). Ok you should see this :
Rich (BB code):
.text:004B674A loc_4B674A: ; CODE XREF: sub_4B5D00+A27j
.text:004B674A mov eax, [esp+0E28h+var_E10]
.text:004B674E test eax, eax
.text:004B6750 jnz loc_4B68A2
.text:004B6756 mov al, [esi+140h]
.text:004B675C test al, al
.text:004B675E jnz loc_4B6980
.text:004B6764 mov eax, [esi+394h]
.text:004B676A test eax, eax
.text:004B676C jz short loc_4B67E7 <--- Jump that could by pass the push below
.text:004B676E mov edi, [esp+0E28h+var_E14]
.text:004B6772 lea edx, [esp+0E28h+var_D54]
.text:004B6779 push edx
.text:004B677A lea eax, [esp+0E2Ch+var_C80]
.text:004B6781 push eax
.text:004B6782 lea ecx, [esi+74h]
.text:004B6785 push ecx
.text:004B6786 mov ecx, edi
.text:004B6788 call sub_4AA2E0
.text:004B678D mov ecx, dword_966140
.text:004B6793 push eax
.text:004B6794 push 0
.text:004B6796 push 0C32h <--- What we want to avoid
.text:004B679B call sub_5EE780
.text:004B67A0 push eax
.text:004B67A1 lea edx, [esp+0E38h+var_D24]
.text:004B67A8 push edx
.text:004B67A9 lea eax, [esp+0E3Ch+var_D34]
.text:004B67B0 push eax
.text:004B67B1 lea ecx, [esp+0E40h+var_D44]
.text:004B67B8 push ecx
.text:004B67B9 lea edx, [esp+0E44h+var_DFC]
.text:004B67BD push edx
.text:004B67BE lea eax, [esp+0E48h+var_D00]
.text:004B67C5 push offset aSSSSSSSS ; "%s%s%s%s[%s] %s %s%s"
.text:004B67CA push eax
.text:004B67CB call sub_66960E
.text:004B67D0 add esp, 28h
.text:004B67D3 push 1
.text:004B67D5 push 119h
.text:004B67DA lea eax, [esp+0E30h+var_D00]
.text:004B67E1 push eax
.text:004B67E2 jmp loc_4B6975Now lets view this in HEX VIEW A :
Rich (BB code):
................00 01 02 03 04 05 06 07-08 09 0A 0B 0C 0D 0E 0F
.text:004B6760 1C 02 00 00 8B 86 94 03-00 00 85 C0 74 79 8B 7CNotice that below the 0C is where the JUMP actually is Hence we get 4B676C as the OFFSET. Now what do we do with the 74 79? 74 is a CONDITION, 79 is how FAR it will jump (A SHORT JUMP). BUT in this case we want it to bypass the PUSH, so we want an UNCONDITIONAL JUMP -- JUMP NO MATTER WHAT PAST THE PUSH 0C32. So instead of using a 74, we put in an EB. So we get this :
Rich (BB code):
[NoAnon]
Description="No Anon on /who"
Version="2006.04.19"
address0=4B676C
normal0="74"
crack0="EB"Why was 79 not put in? Well it is redundant, meaning you could put it in but it would go in both places like this :
Rich (BB code):
[NoAnon]
Description="No Anon on /who"
Version="2006.04.19"
address0=4B676C
normal0="74 79"
crack0="EB 79"However if nothing is changing why put it in? 79 in this case is a constant, in a sense. We are jumping 79 no matter what. BOTH offsets above will work, the second one is just redundant and most hackers will wonder why you left the 79 there. Any way that concludes lesson #1, hope it shows how you determine when to use EB, next I will tackle how and when to NOP something out.
Hope this is a good start. I will explain short and far jumps next time I get a chance.
Ok like above this was also about a year ago. I might be able to find the old EXE's and make them available -- don't play EQ any more :P
Install IDA PRO. Make sure to have a DESKTOP ICON of it, so you can DRAG - AND - DROP EXE's ontop of it.
Next step, would be to make a subdirectory called OLD EQGAME EXE, and put whatever you have into there, but to make things easier name them like EQGAME20060315.EXE, EQGAME20060419.EXE, etc etc.
Now open this directory and drop EQGAME20060315.EXE (last patch before this one). Basically you want to hit Enter, and not worry about the DLL stuff. Let it load for a good 10 - 15 minutes if it is the DEMO version (Registered version will save the data so don't have to wait as long each time). Repeat this for EQGAME20060419.EXE so you will have 2 versions decompiling at once. Make a note which is which, so you can toggle back and forth.
While you are waiting, goto the EQ directory and open up eqstr_us.txt (there are some that look similar, so be careful -- also never write anything to this file, it has a checksum). This file is basically a good place to start, and contains strings that EQ sends to you like this one :
12693 %1 is too far away, canceling auto-follow.
Guess what that is? That is Farfollow. However, we need to first convert the DECIMAL to HEX. So, using CALC, and making sure you have VIEW set to SCIENTIFIC. Put in 12693 in decimal, then click HEX. You should get 3195. That is what we are going to look up first. Lets look at it in the 3/15 version first. Since we know that :
Now type in "G" from IDA PRO (the one with 3/15 EXE loaded). You should see a little window pop up asking you where you want it to JUMP to. Type in 4E56A4 (the ADDRESS0 above). You should see this :
Ok This looks very complex and it is to the first time viewer. Let me explain a bit about JUMPS, and such.
Usually you see 74, 75, 76, 77 -- These are short jumps, based on conditions like <, >, = etc etc
Also you will see EB <-- very handy --- Jump no matter what conditions
and even better 90 <-- NOP ---- NO OPERATION, Don't do shit
We want to REALLY avoid 4E56E3 like the plague, so nothing JUMPS there, or we screwed up. So we are trying to actually go UP higher, before we get those 2 short jumps to a jump that is above them, that bypasses this push.
0F 85, and 0F 84 are longer jumps, and E9 is a longer version of EB above. So in this case we are going to jump unconditionally from 4E56A4 to 4E572C. Now get those HEX calculators out again, substract 4E56A4 FROM 4E572C, you get HEX 88, but we need to take 5 off here, so we must use 83 HEX. So this becomes crack0="E9 83 00 00 00 90". The 90 at the end actually is there to NOP that spot (we had six before and we shortened to 5). Before we go further we need to "COPY" the "PUSH 3195h" EXACTLY as it is. So highlight it and ALT-C.
Now open the 4/19 version of the EXE and type in "ALT-T", and "PASTE" in the above (ALT-V). Make sure to have "All OCCURANCES" checked, and run it. Let it go for a few minutes, then click cancel. Should see :
So we want to avoid the 2 short jumps and take the long one EXACTLY like we did before :
Hmm anything look Familiar? This is EXACTLY the same code as before. We found the OFFSET that we can use now for 4/19 -- 4E5D04
so you get :
Now make a note some place FarFollow found by looking for 3195h, so next time it is easier.
I will do more of these to try and make them easier to follow, etc. This one was not a easy one. Also will try and explain better how jumps work, and when you want to use unconditional jumps vs NOP'ing out code.
Install IDA PRO. Make sure to have a DESKTOP ICON of it, so you can DRAG - AND - DROP EXE's ontop of it.
Next step, would be to make a subdirectory called OLD EQGAME EXE, and put whatever you have into there, but to make things easier name them like EQGAME20060315.EXE, EQGAME20060419.EXE, etc etc.
Now open this directory and drop EQGAME20060315.EXE (last patch before this one). Basically you want to hit Enter, and not worry about the DLL stuff. Let it load for a good 10 - 15 minutes if it is the DEMO version (Registered version will save the data so don't have to wait as long each time). Repeat this for EQGAME20060419.EXE so you will have 2 versions decompiling at once. Make a note which is which, so you can toggle back and forth.
While you are waiting, goto the EQ directory and open up eqstr_us.txt (there are some that look similar, so be careful -- also never write anything to this file, it has a checksum). This file is basically a good place to start, and contains strings that EQ sends to you like this one :
12693 %1 is too far away, canceling auto-follow.
Guess what that is? That is Farfollow. However, we need to first convert the DECIMAL to HEX. So, using CALC, and making sure you have VIEW set to SCIENTIFIC. Put in 12693 in decimal, then click HEX. You should get 3195. That is what we are going to look up first. Lets look at it in the 3/15 version first. Since we know that :
Rich (BB code):
[FarFollow]
Description="/follow someone from any distance"
Version="2006.03.15"
address0=4E56A4
normal0="0F 85 82 00 00 00"
crack0="E9 83 00 00 00 90"Now type in "G" from IDA PRO (the one with 3/15 EXE loaded). You should see a little window pop up asking you where you want it to JUMP to. Type in 4E56A4 (the ADDRESS0 above). You should see this :
Rich (BB code):
.text:004E56A4 jnz loc_4E572C <---- LONG JUMP
.text:004E56AA mov eax, dword_966194
.text:004E56AF cmp dword_966180, eax
.text:004E56B5 jz short loc_4E56E3 <-----SHORT JUMP
.text:004E56B7 mov ecx, [eax+0DA4h]
.text:004E56BD test ecx, ecx
.text:004E56BF jz short loc_4E56E3 <-----SHORT JUMP
.text:004E56C1 push 0
.text:004E56C3 push 0
.text:004E56C5 push 0
.text:004E56C7 push 0
.text:004E56C9 push 0
.text:004E56CB push 0
.text:004E56CD push 0
.text:004E56CF push 0
.text:004E56D1 call sub_4EE320
.text:004E56D6 push eax
.text:004E56D7 push 3195h <------ Ok this is one, another below also
.text:004E56DC lea eax, [esp+144h+var_100]
.text:004E56E0 push eax
.text:004E56E1 jmp short loc_4E5705
.text:004E56E3
.text:004E56E3 loc_4E56E3: ; CODE XREF: sub_4E55F0+C5j
.text:004E56E3 ; sub_4E55F0+CFj
.text:004E56E3 push 0
.text:004E56E5 push 0
.text:004E56E7 push 0
.text:004E56E9 push 0
.text:004E56EB push 0
.text:004E56ED push 0
.text:004E56EF push 0
.text:004E56F1 push 0
.text:004E56F3 mov ecx, esi
.text:004E56F5 call sub_4EE320
.text:004E56FA push eax
.text:004E56FB push 3195h <----BINGO
.text:004E5700 lea ecx, [esp+144h+var_100]
.text:004E5704 push ecx
Rich (BB code):
00 01 02 03 04 05 06 07-08 09 0A 0B 0C 0D 0E 0F
-----------------------------------------------
E0 F6 C4 41 0F 85 82 00-00 00 A1 94 61 96 00 39Ok This looks very complex and it is to the first time viewer. Let me explain a bit about JUMPS, and such.
Usually you see 74, 75, 76, 77 -- These are short jumps, based on conditions like <, >, = etc etc
Also you will see EB <-- very handy --- Jump no matter what conditions
and even better 90 <-- NOP ---- NO OPERATION, Don't do shit
We want to REALLY avoid 4E56E3 like the plague, so nothing JUMPS there, or we screwed up. So we are trying to actually go UP higher, before we get those 2 short jumps to a jump that is above them, that bypasses this push.
0F 85, and 0F 84 are longer jumps, and E9 is a longer version of EB above. So in this case we are going to jump unconditionally from 4E56A4 to 4E572C. Now get those HEX calculators out again, substract 4E56A4 FROM 4E572C, you get HEX 88, but we need to take 5 off here, so we must use 83 HEX. So this becomes crack0="E9 83 00 00 00 90". The 90 at the end actually is there to NOP that spot (we had six before and we shortened to 5). Before we go further we need to "COPY" the "PUSH 3195h" EXACTLY as it is. So highlight it and ALT-C.
Now open the 4/19 version of the EXE and type in "ALT-T", and "PASTE" in the above (ALT-V). Make sure to have "All OCCURANCES" checked, and run it. Let it go for a few minutes, then click cancel. Should see :
Rich (BB code):
.text:004E5D37 push 3195h
.text:004E5D5B push 3195hSo we want to avoid the 2 short jumps and take the long one EXACTLY like we did before :
Rich (BB code):
.text:004E5D04 jnz loc_4E5D8C <--Offset we need
.text:004E5D0A mov eax, dword_966194
.text:004E5D0F cmp dword_966180, eax
.text:004E5D15 jz short loc_4E5D43 <-- ByPass this by using a jump above here that goes past the pushs below
.text:004E5D17 mov ecx, [eax+0DA4h]
.text:004E5D1D test ecx, ecx
.text:004E5D1F jz short loc_4E5D43 <-- ByPass this by using a jump above here that goes past the pushs below
.text:004E5D21 push 0
.text:004E5D23 push 0
.text:004E5D25 push 0
.text:004E5D27 push 0
.text:004E5D29 push 0
.text:004E5D2B push 0
.text:004E5D2D push 0
.text:004E5D2F push 0
.text:004E5D31 call sub_4EEAA0
.text:004E5D36 push eax
.text:004E5D37 push 3195h <--- want to avoid this
.text:004E5D3C lea eax, [esp+144h+var_100]
.text:004E5D40 push eax
.text:004E5D41 jmp short loc_4E5D65
.text:004E5D43 ; ---------------------------------------------------------------------------
.text:004E5D43
.text:004E5D43 loc_4E5D43: ; CODE XREF: sub_4E5C50+C5j
.text:004E5D43 ; sub_4E5C50+CFj
.text:004E5D43 push 0
.text:004E5D45 push 0
.text:004E5D47 push 0
.text:004E5D49 push 0
.text:004E5D4B push 0
.text:004E5D4D push 0
.text:004E5D4F push 0
.text:004E5D51 push 0
.text:004E5D53 mov ecx, esi
.text:004E5D55 call sub_4EEAA0
.text:004E5D5A push eax
.text:004E5D5B push 3195h <--- want to avoid this
.text:004E5D60 lea ecx, [esp+144h+var_100]
.text:004E5D64 push ecx
Rich (BB code):
00 01 02 03 04 05 06 07-08 09 0A 0B 0C 0D 0E 0F
-----------------------------------------------
E0 F6 C4 41 0F 85 82 00-00 00 A1 94 61 96 00 39Hmm anything look Familiar? This is EXACTLY the same code as before. We found the OFFSET that we can use now for 4/19 -- 4E5D04
so you get :
Rich (BB code):
[FarFollow]
Description="/follow someone from any distance"
Version="2006.04.19"
address0=4E5D04
normal0="0F 85 82 00 00 00"
crack0="E9 83 00 00 00 90"Now make a note some place FarFollow found by looking for 3195h, so next time it is easier.
I will do more of these to try and make them easier to follow, etc. This one was not a easy one. Also will try and explain better how jumps work, and when you want to use unconditional jumps vs NOP'ing out code.
Wow, thanks man. this is definitely a good start and starting to make at least a little sense to me. I'm starting to figure a bit of it out thanks to Siddin as well. I was able to find the NoAnon docrack the other night, so now it's just trying to find everything else.