Easiest Offset to find (at the moment)

WickedMofo

Ok, I am going to show you how I found the offset for NoMountModels. This is probably one of the easiest ones to find, IMHO. Things you will need are Calc and IDA Pro Demo: http://www.datarescue.be/idademo/idademo49.exe .

Install IDA so we can use it first.

Drag and drop eqgame.exe on top of the IDA Pro icon on the desktop. A box will pop up; click OK, then another will pop up; just click Cancel. Now let IDA disassemble the EXE for a good bit of time, and move on to the next part.

First we need to open a file in the EQ directory called eqstr_us.txt using Notepad or a text editor. This contains a bunch of text for things like "You have been Summoned", etc. Now look for the text "horse models" in there. You should get a line that contains "5524" and the text you would see if you didn't have horse models enabled. Now let's open Calc; first make sure you change View to Scientific so we can use both Hex and Dec. Ok, make sure Dec is checked and put in 5524, now click Hex, and what number do we get? 1594. Write this down.

Now after you have let the EXE disassemble for a good 10 minutes, we are going to go back to IDA Pro. Make sure you let it decompile for a bit; otherwise it won't have everything, and your search will be no good. Now click on Search at the top, then click Text. Now put in "Push 1594h" and make sure "all occurrences" is NOT checked. Hit Enter.

You should see something like this and your cursor will be on 4BA16F:

Code:
.text:004BA163
.text:004BA163 loc_4BA163:                             ; CODE XREF: sub_4B9F9D+E4j
.text:004BA163                 call    sub_47F55A
.text:004BA168                 test    al, al
.text:004BA16A                 jz      short loc_4BA1B5
.text:004BA16C                 push    ebx
.text:004BA16D                 push    0Dh
.text:004BA16F                 push    1594h
.text:004BA174
.text:004BA174 loc_4BA174:                             ; CODE XREF: sub_4B9F9D+B1j
.text:004BA174                 mov     eax, dword_908218
.text:004BA179                 mov     ecx, eax
.text:004BA17B                 add     eax, 0C388h
.text:004BA180                 neg     ecx
.text:004BA182                 sbb     ecx, ecx
.text:004BA184                 and     ecx, eax
.text:004BA186                 push    ecx
.text:004BA187                 call    sub_468B4C
.text:004BA18C                 mov     ecx, dword_908218
.text:004BA192                 add     esp, 10h
.text:004BA195                 push    ebx
.text:004BA196                 add     ecx, 0C388h
.text:004BA19C                 push    71h
.text:004BA19E                 call    sub_413729
.text:004BA1A3                 mov     ecx, dword_908218
.text:004BA1A9                 add     ecx, 0C388h
.text:004BA1AF                 push    eax
.text:004BA1B0                 call    sub_416C4F

Now look up to what is called a JUMP (4BA16A). This is where the offset you want to modify is located. Generally it is a JUMP you want to change, and this is it. So look at this in hex:
Code:
---------------- 0  1  2  3  4  5  6  7   8  9  A  B  C  D  E  F --------
.text:004BA160  FF EB 52 E8 F2 53 FC FF  84 C0 74 49 53 6A 0D 68   dRF=Sn ä+tISjh
.text:004BA170  94 15 00 00 A1 18 82 90  00 8B C8 05 88 C3 00 00  ö§..íéÉ.ï+ê+..
.text:004BA180  F7 D9 1B C9 23 C8 51 E8  C0 E9 FA FF 8B 0D 18 82  ˜++#+QF+T· ïé
.text:004BA190  90 00 83 C4 10 53 81 C1  88 C3 00 00 6A 71 E8 86  É.â-Sü-ê+..jqFå
.text:004BA1A0  95 F5 FF 8B 0D 18 82 90  00 81 C1 88 C3 00 00 50  ò) ïéÉ.ü-ê+..P
.text:004BA1B0  E8 9A CA F5 FF

Hence we get :

Code:
[NoMountModels]
Description="No Mount Models"
Version="2005.12.15"
address0=4BA16A
normal0="74"
crack0="EB"

Will try to make future ones more graphical, but I hope people can sorta follow this.
 
Ok, I've been trying to be a do-it-yourselfer and trying to find a new offset. This is awesome information you guys posted BTW. Exactly what I was looking for.. I was looking at the /stopcast command and the ability to use it while on a mount. This is where I'm at..

Code:
.text:0046E657 sub_46E657      proc near               ; CODE XREF: sub_465BB1+E60p
.text:0046E657                 mov     eax, dword_908218
.text:0046E65C                 mov     ecx, [eax+0C390h]
.text:0046E662                 test    ecx, ecx
.text:0046E664                 jz      short loc_46E6AA
.text:0046E666                 call    sub_60E520
.text:0046E66B                 test    eax, eax
.text:0046E66D                 jnz     short loc_46E6AA
.text:0046E66F                 mov     eax, dword_908218
.text:0046E674                 mov     ecx, [eax+0C390h]
.text:0046E67A                 cmp     byte ptr [ecx+0E35h], 8
.text:0046E681                 jnz     short loc_46E691
.text:0046E683                 push    0
.text:0046E685                 lea     ecx, [eax+0C388h]
.text:0046E68B                 call    sub_41461F
.text:0046E690                 retn
.text:0046E691 ; ---------------------------------------------------------------------------
.text:0046E691
.text:0046E691 loc_46E691:                             ; CODE XREF: sub_46E657+2Aj
.text:0046E691                 push    1
.text:0046E693                 push    0
.text:0046E695                 push    0
.text:0046E697                 push    4839h
.text:0046E69C                 push    offset dword_9081D8
.text:0046E6A1                 call    sub_48474B
.text:0046E6A6                 add     esp, 14h
.text:0046E6A9                 retn
.text:0046E6AA ; ---------------------------------------------------------------------------
.text:0046E6AA
.text:0046E6AA loc_46E6AA:                             ; CODE XREF: sub_46E657+Dj
.text:0046E6AA                                         ; sub_46E657+16j
.text:0046E6AA                 mov     ecx, dword_9081E8
.text:0046E6B0                 push    1
.text:0046E6B2                 push    0Dh
.text:0046E6B4                 push    0
.text:0046E6B6                 push    0DE6h
.text:0046E6BB                 call    sub_5DFA60
.text:0046E6C0                 mov     ecx, dword_98B650
.text:0046E6C6                 push    eax
.text:0046E6C7                 call    sub_48B70B
.text:0046E6CC                 retn
.text:0046E6CC sub_46E657      endp
.text:0046E6CC

push 0DE6h seems to be where it's saying "You cannot /stopcast while mounted" or whatever it says. So I figured the jump offset was either at jz short loc_46E6AA (offset 46E664) or jnz short loc_46E6AA (offset 46E66D).. Can anyone tell me, first off, if I'm anywhere close to being on the right track, and two, if this is close, how do you know what to change it to? I see in the INI most seem to use "EB" or "90" as the crack. What do these symbolize? Thanks for any help..

I figure I'm on the right track since when I turn on the crack, I CTD when I try to use it. That should mean I found the right area of the code, just not sure what to change. Thanks again!
 
To give you a hint, look above where you are for 2 jumps that jump to where you are. Those 2 jumps are probably the ones you want to NOP out, so that you never go to the address they are stating, or you will get that message.

46E664 and 46E66D are the adjustment areas.

--------------------------------------------------------------------------
Ok ....Here is a short version....

Most Common:

74 = JE = Jump if values are Equal (will only jump IF equal)
75 = JNE = Jump if values are Not Equal (meaning it will only jump if NOT equal)
EB = JMP = Jump unconditionally (will jump nomatter what)
90 = NOP = No Operation (kills an action from happening)

Other, less common:

7C = JL = Jump if second value was Less than the first value
7D = JGE = Jump if the second value was Greater than or Equal to the first value
7E = JLE = Jump if the second value was Less than or Equal to the first value
7F = JG = Jump if second value was Greater than the first value

Small example :

Ok, let's say you want to skip over something. In that case you would want an EB, to make sure you jump over it no matter what the conditions. Now let's say you DON'T want it to skip over the data; you would NOP it out with 90. Basically those 2 will be used 99.99% of the time. I will post a more detailed tutorial on how to actually make it skip down to the next area, or even skip/jump more.

Take a look at this, for instance; this is a very good example of me using EBs and 90s.

Code:
[DetriBuffsXXX]
description="Briefly Click off Detrimental Buffs"
version="2005.12.15"
address0=41A13B
normal0="75 2A"
crack0="90 90"
address1=41A869
normal1="0F 84 7D FE FF FF"
crack1="90 90 90 90 90 90"
address2=44816D
normal2="EB 02"
crack2="EB 3F"
address3=4AE760
normal3="74 48"
crack3="90 90"
address4=4AE774
normal4="74 34"
crack4="90 90"
address5=4AE781
normal5="75 27"
crack5="90 90"
address6=4AE789
normal6="74 1F"
crack6="90 90"
address7=4F2C74
normal7="74 0B"
crack7="90 90"
address8=504754
normal8="7E"
crack8="EB"

First off, do a search for "push 89h" (watch the spacing; it is critical).

Keep in mind that above I am trying to avoid this message: 137 You cannot remove this effect. Which is 89h (Push 89h).

Should give you an idea of what I am doing by looking this over.
 
Try this

Code:
[StopCast]
Description="/Stopcast while mounted"
Version="2005.12.15"
address0=46E664
normal0="74 44"
crack0="90 90"
address1=46E66D
normal1="75 3B"
crack1="90 90"
address2=46E681
normal2="75 0E"
crack2="EB 0E"

Hmm ok not working, let me examine this closer on my PC :O
 
That's the same thing I came up with, but haven't had a chance to test it. I guess I don't have to now. :) I'm not even sure if it's possible.. I've yet to see this offset published, but I figured I'd tackle something different, and at least for me, useful. Thanks Wicked
 
Actually it was published in May on Redguides. I found it, but the coding has changed. Here is the May Version if it will help. I will look this over when I get home tonight, am at work.

Code:
[Stopcast]
Description="Use /stopcast on a mount"
Version="2005.05.18"
address0=46FB46
normal0="74 3B"
crack0="90 90"
address1=46FB50
normal1="74 31"
crack1="90 90"
address2=46FB58
normal2="75 29"
crack2="90 90"

They have added a check in the 12/15 version for #define pinstCharData 0x908218 which appears only once in the area this is in back in May. So this will be a nice offset to find.
 
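Added example, not from the thread or from any MacroQuest code: a parser for the `[Name]` / `addressN` / `normalN` / `crackN` file format the posts use, plus a scan that classifies what a binary image holds at each listed address as `normal` (untouched), `patched` (the crack bytes are present), `mismatch` (neither, which is what you get when the client is rebuilt and the code at that address changes, as between the May and December entries above) or `unmapped`. This is the same comparison an integrity check makes to spot a modified client. The image is constructed from the bytes shown in the thread's listing (`test ecx,ecx` / `jz` and `test eax,eax` / `jnz`), with one entry NOPed and one altered on purpose; the `Description`/`Version` keys are matched case-insensitively and a missing quote is tolerated because the posted entries are inconsistent about both. Function names and the sparse-image layout are mine.

```python
"""Parse the offset-file format from the thread and classify what a binary
image currently holds at each listed address. Added example; the image
bytes are constructed, not read from any real client."""
import re

# Offset entries exactly as posted for the 2005.12.15 client.
OFFSET_FILE = """\
[StopCast]
Description="/Stopcast while mounted"
Version="2005.12.15"
address0=46E664
normal0="74 44"
crack0="90 90"
address1=46E66D
normal1="75 3B"
crack1="90 90"
address2=46E681
normal2="75 0E"
crack2="EB 0E"
"""

# Constructed sparse image: {start address: bytes}. First chunk is the
# untouched test ecx,ecx / jz; second is test eax,eax with its jnz NOPed;
# third deliberately holds a different opcode to simulate code drift.
IMAGE = {
    0x46E662: bytes.fromhex("85 C9 74 44"),
    0x46E66B: bytes.fromhex("85 C0 90 90"),
    0x46E681: bytes.fromhex("74 0E"),
}


def parse_offset_file(text):
    """Return {section: {"Description", "Version", "patches": [(addr, normal, crack), ...]}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = sections.setdefault(m.group(1), {"Description": "", "Version": "", "slots": {}})
            continue
        if current is None:
            raise ValueError(f"key before any [section]: {line}")
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip().strip('"')  # tolerate a lost quote
        m = re.fullmatch(r"(address|normal|crack)(\d+)", key)
        if m:
            current["slots"].setdefault(int(m.group(2)), {})[m.group(1)] = value
        elif key in ("description", "version"):
            current[key.capitalize()] = value
    out = {}
    for name, sec in sections.items():
        patches = []
        for n, slot in sorted(sec["slots"].items()):
            missing = {"address", "normal", "crack"} - slot.keys()
            if missing:
                raise ValueError(f"[{name}] entry {n} lacks {sorted(missing)}")
            patches.append((int(slot["address"], 16),
                            bytes.fromhex(slot["normal"]), bytes.fromhex(slot["crack"])))
        out[name] = {"Description": sec["Description"], "Version": sec["Version"], "patches": patches}
    return out


def read_bytes(image, addr, n):
    """Read n bytes at addr from the sparse image, or None if not mapped."""
    for start, chunk in image.items():
        if start <= addr and addr + n <= start + len(chunk):
            return chunk[addr - start:addr - start + n]
    return None


def classify(image, addr, normal, crack):
    """One of: bad-entry, unmapped, normal, patched, mismatch."""
    if len(normal) != len(crack):
        return "bad-entry"  # the crack must overwrite exactly the bytes it replaces
    found = read_bytes(image, addr, len(normal))
    if found is None:
        return "unmapped"
    if found == normal:
        return "normal"
    if found == crack:
        return "patched"
    return "mismatch"  # code at this address no longer matches either form


def scan_image(sections, image):
    """Classify every entry of every section against the image."""
    return {name: [(addr, classify(image, addr, normal, crack))
                   for addr, normal, crack in sec["patches"]]
            for name, sec in sections.items()}


if __name__ == "__main__":
    sections = parse_offset_file(OFFSET_FILE)
    for name, results in scan_image(sections, IMAGE).items():
        print(f"[{name}] {sections[name]['Version']}")
        for addr, status in results:
            print(f"  {addr:08X}: {status}")
```

A `mismatch` on every entry of a section is the signature of a version change rather than tampering, which is the situation the thread ran into between its May and December entries; a `patched` result on a live client is what an anti-tamper check would flag.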
Interesting...

Code:
[StopCast]
Description="/Stopcast while mounted"
Version="2005.12.15"
address0=46E664
normal0="74 44"
crack0="90 90"
address1=46E66D
normal1="75 3B"
crack1="90 90"
address2=46E681
normal2="75 0E"
crack2="90 90"

This will actually stop the spellbar, but the spell will continue to cast. It looks like this is very close though. Thanks for all the help.. I'll keep hashing away at it. :)
 
A few things of NOTE here that are probably throwing us off.....

Code:
.text:0046E666                 call    sub_60E520

Code:
.text:0060E520 ; ---------------------------------------------------------------------------
.text:0060E520
.text:0060E520 loc_60E520:                             ; CODE XREF: .text:004129B0p
.text:0060E520                                         ; .text:004129BCp ...
.text:0060E520                 mov     eax, [ecx+0FCh]
.text:0060E526                 retn
.text:0060E526 ; ---------------------------------------------------------------------------

Now look at Eqdata.h
Code:
/*0x00fc*/ struct  _SPAWNINFO *Mount; //NULL if no mount present

I believe this is another check for Mount in this subroutine that is called. So might have to do something with this as well.
 
Another thing we can look for to see if we Nop'd this out by accident:

Eqdata.h
Code:
/*0x17C*/ DWORD		spellstate;// 1 = cast in progress or refreshtime not met 2 means we ducked or aborted cast, 0 means its ok to cast

Also look for
Code:
12477 Your casting has been interrupted!

This is 30DBh. Perhaps we are bypassing this too. I want to find this crap!

Heheh, anyway, hard to find it at work, getting interrupted like I wanna be in the code....
 
Hmm.. Haven't tested this yet, but what about just trying to bypass the test at 46E66B, right after that sub call..

Code:
[StopCast]
Description="/Stopcast while mounted"
Version="2005.12.15"
address0=46E664
normal0="74 44"
crack0="90 90"
address1=46E66D
normal1="75 3B"
crack1="90 90"
address2=46E681
normal2="75 0E"
crack2="90 90"
address3=46E66B
normal3="85 C0"
crack3="40 90"

Maybe crack3="90 90" instead? Or do you think we have to go into that sub and change that mov?

I'm sure you've got better things to do than babysit a newbie, but I do appreciate all the help you've given me for this..
 
I was thinking along the lines of this.....

If you could purposefully make it so that anything you cast is interrupted by altering "Your spell is interrupted" to ALWAYS happen, then make a hotkey that would turn this plugin on and off as you needed it -- in a sense it would be a /stopcast. The problem I am seeing is that now I am thinking that interrupted spells are serverside....unless we can figure out how to get a standstate_ducked to work while on a horse, or a keypress D to work. Will also look into these as an option..
 
Code:
_text:00482660                 push    1B6h
_text:00482665                 push    offset off_0_64C740
_text:0048266A                 mov     ecx, esi
_text:0048266C                 call    sub_0_480154
_text:00482671                 push    edi
_text:00482672                 push    1B7h              <---------  "439 Your spell is interrupted."
_text:00482677                 push    offset off_0_64C73C
_text:0048267C                 mov     ecx, esi
_text:0048267E                 call    sub_0_480154
_text:00482683                 push    edi

and

Code:
_text:004918AB
_text:004918AB loc_0_4918AB:                           ; CODE XREF: sub_0_491488+353j
_text:004918AB                                         ; DATA XREF: _text:00494464o
_text:004918AB                 push    ebx
_text:004918AC                 push    ebx
_text:004918AD                 push    ebx
_text:004918AE                 push    ebx
_text:004918AF                 push    ebx
_text:004918B0                 push    ebx
_text:004918B1                 push    ebx
_text:004918B2                 push    ebx
_text:004918B3                 lea     eax, [ebp+var_44]
_text:004918B6                 push    eax
_text:004918B7                 lea     eax, [ebp+var_104]
_text:004918BD                 push    30DAh
_text:004918C2                 push    eax
_text:004918C3                 mov     [ebp+var_88C], 1Ch
_text:004918CD                 call    sub_0_471819
_text:004918D2                 push    ebx
_text:004918D3                 push    ebx
_text:004918D4                 push    ebx
_text:004918D5                 push    ebx
_text:004918D6                 push    ebx
_text:004918D7                 push    ebx
_text:004918D8                 push    ebx
_text:004918D9                 lea     eax, [ebp+var_84]
_text:004918DF                 push    eax
_text:004918E0                 lea     eax, [ebp+var_44]
_text:004918E3                 push    eax
_text:004918E4                 push    30DBh            <---------  "12477 Your casting has been interrupted!"
_text:004918E9                 jmp     loc_0_492EB0

I'll play around with these as well when I can run the client..
 
Try This....

Am at work so can't really try this......

Code:
#include "../MQ2Plugin.h"
PreSetup("MQ2TheStand");
void Standup(PSPAWNINFO pChar, PCHAR szLine);

PLUGIN_API VOID InitializePlugin(VOID)
{
    // Register the slash command; Standup() receives the text typed after it.
    AddCommand("/standup", Standup);
}

void Standup(PSPAWNINFO pChar, PCHAR szLine)
{
    // StandState values as used here: 0x64 stand, 0x6E sit (STANDSTATE_SIT in eqdata.h), 0x6F duck.
    if (!strcmp(szLine, "up"))
    {
        pChar->StandState = 0x64;
        WriteChatColor("Now forcing you to stand.", CONCOLOR_GREEN);
    }
    if (!strcmp(szLine, "down"))
    {
        pChar->StandState = 0x6E;
        WriteChatColor("Now forcing you to sit and chill.", CONCOLOR_GREEN);
    }
    if (!strcmp(szLine, "duck"))
    {
        pChar->StandState = 0x6F;
        WriteChatColor("Now ducking down.", CONCOLOR_GREEN);
    }
    else if (!strcmp(szLine, "help"))
    {
        WriteChatColor("Command usage: /stand up: Forces you to stand.", CONCOLOR_BLUE);
        WriteChatColor("Command usage: /stand down: Forces you to sit.", CONCOLOR_BLUE);
        WriteChatColor("Command usage: /stand duck: Forces you to duck.", CONCOLOR_BLUE);
        WriteChatColor("Command usage: /stand help: Brings up this window", CONCOLOR_BLUE);
        WriteChatColor("Note: When forcing yourself to sit, you must also force yourself back up again.", CONCOLOR_BLUE);
        WriteChatColor("Need help? Concern? Want more? KenetixEQ.com", CONCOLOR_BLUE);
    }
}

PLUGIN_API VOID ShutdownPlugin(VOID)
{
    // Unregister the command when the plugin unloads.
    RemoveCommand("/standup");
}

The commands are inside, what I am wondering is will this work on a mount? Try it.
 
You guys are the shit...LOL

WickedMofo said:
Ok snuck on and tried this, didn't work. Back to the drawing boards.......


I haven't had time to play with this myself yet; too many other pans in the fire, but Jesus, this is just what I have been looking for. GL with this and God bless you for your efforts.
 
Resurrecting this thread....

I've spent the past 3 hours viewing this and another thread trying to learn some of this stuff, and to my surprise I actually can't wait for the patch atm haha (hell has frozen over here). I am ready to start trying to find some of the basic docrack stuff.

I have a question though that, for the life of me, I can't find the answer to (probably overlooking it, I'm sure), but how the hell do you come up with the "EB" or the "90" or the "EB EB" or "90 90" etc. at the end of the cracks? I still don't get that point yet really.
 
ok

74 and 75 are jump if more than, jump if less than kinda conditions (mostly what we replace here and there).

EB = Jump down no matter what (unconditional) to where I tell ya. (EB 54 - jump down 54 hex from this point)
90 = Don't do shit, just by pass any command NO OPERATIONS (NOP)
E9 = A FAR JUMP of EB, meaning it is going to be pretty far (used in place of 0F 84 or 0F 85)
C2 or C3 are Returns (so C2 08 means return with an 08) like in envirofall
(C2-C3 are used in subs)

Basically those above are what you are using 99%.

Ok use EB if you want to SKIP over something like this for example:

"12381 You must be sitting to apply the poison." Hex is 305D
Code:
/*0x01e6*/ BYTE     StandState;
(ties into eqdata.h -- #define STANDSTATE_SIT              0x6E)

Code:
.text:004B0E27 loc_4B0E27:                             ; CODE XREF: sub_4B0DF0+28j
.text:004B0E27                 cmp     byte ptr [ecx+1E6h], 6Eh <-- standstate = sitting
.text:004B0E2E                 jz      short loc_4B0E39 <-- 74 09
.text:004B0E30                 push    0
.text:004B0E32                 push    305Dh <---- jump around this with EB
.text:004B0E37                 jmp     short loc_4B0EA0
.text:004B0E39 ; ---------------------------------------------------------------------------
.text:004B0E39
.text:004B0E39 loc_4B0E39:                             ; CODE XREF: sub_4B0DF0+3Ej
Here you would want to force this to jump no matter what, so EB would be used. There is no need for the 09, but you could put it in optionally.

Code:
[AtkPoison]
Description="Apply poison while attacking"
Version="2006.02.23"
address0=4B0E2E
normal0="74"
crack0="EB"
If you put in "90 90" instead of "74 09" you would be telling it that you want it to go past this offset and that is not what you want here.

An example of "90 90" :

"12391 You are no longer encumbered." 3067 Hex is the magic number

Code:
.text:004271F2        test    ah, 41h
.text:004271F5                 mov     eax, dword_983F84
.text:004271FA                 jp      short loc_427239
.text:004271FC                 test    eax, eax
.text:004271FE                 jl      short loc_427226
.text:00427200                 cmp     eax, 1
.text:00427203                 jnz     short loc_427230
.text:00427205                 mov     ecx, dword_966140
.text:0042720B                 push    eax
.text:0042720C                 push    0Dh
.text:0042720E                 push    0
.text:00427210                 push    3067h <-- No encumber
.text:00427215                 call    sub_5EE520
.text:0042721A                 mov     ecx, dword_9E95A8
.text:00427220                 push    eax
.text:00427221                 call    sub_4AFF30
.text:00427226
.text:00427226 loc_427226:
Code:
[NoEncumber]
Description="Allows for no encumberance"
Version="2006.02.23"
address0=4271FA
normal0="7A 3D"
crack0="90 90"
Hope that helps a bit.
 
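Worked example, added here and not taken from any post in this thread: a small Python decoder for the opcodes listed in the two opcode tables above (74/75/7x/EB with a one-byte displacement, E8/E9 and 0F 8x with a four-byte displacement, 90, C2/C3), run over the hex view WickedMofo pasted in the first post. It resolves each branch target the way IDA does (address of the next instruction plus the signed displacement), which is how `74 49` at 4BA16A comes out as `jz short loc_4BA1B5` and `E8 F2 53 FC FF` at 4BA163 as `call sub_47F55A`, and it shows what an offset entry does to control flow: `74` to `EB` keeps the displacement and makes the jump unconditional, while `90 90` removes the jump so execution falls through to the next instruction. Before describing a change it checks that the `normal` bytes really are at that address, which is the same comparison an integrity scanner makes to detect a modified client. The hex dump is the one from the first post; function names are mine.

```python
"""Decode the x86 branch opcodes listed in the thread and resolve their
targets from an IDA hex-view dump. Added example, not code from any post."""
import re

# Hex view copied from the first post (.text:004BA160 through 004BA1B4).
IDA_HEXDUMP = """\
---------------- 0  1  2  3  4  5  6  7   8  9  A  B  C  D  E  F --------
.text:004BA160  FF EB 52 E8 F2 53 FC FF  84 C0 74 49 53 6A 0D 68   dRF=Sn ä+tISjh
.text:004BA170  94 15 00 00 A1 18 82 90  00 8B C8 05 88 C3 00 00  ö§..íéÉ.ï+ê+..
.text:004BA180  F7 D9 1B C9 23 C8 51 E8  C0 E9 FA FF 8B 0D 18 82  ˜++#+QF+T· ïé
.text:004BA190  90 00 83 C4 10 53 81 C1  88 C3 00 00 6A 71 E8 86  É.â-Sü-ê+..jqFå
.text:004BA1A0  95 F5 FF 8B 0D 18 82 90  00 81 C1 88 C3 00 00 50  ò) ïéÉ.ü-ê+..P
.text:004BA1B0  E8 9A CA F5 FF
"""

# One-byte opcodes with a signed 8-bit displacement (the thread's 74/75/7x/EB).
SHORT_JUMPS = {0x74: "je", 0x75: "jne", 0x7A: "jp", 0x7C: "jl",
               0x7D: "jge", 0x7E: "jle", 0x7F: "jg", 0xEB: "jmp"}
# 0F 8x forms with a signed 32-bit displacement (the "0F 84 / 0F 85" the thread mentions).
NEAR_JCC = {0x84: "je", 0x85: "jne", 0x8A: "jp", 0x8C: "jl",
            0x8D: "jge", 0x8E: "jle", 0x8F: "jg"}


def parse_ida_hexdump(text):
    """Return (base_address, bytes) from IDA hex-view rows. Only the hex pairs
    after the address are read; the ruler line and ASCII column are ignored."""
    base, chunks = None, []
    for line in text.splitlines():
        m = re.match(r"\.text:([0-9A-Fa-f]{8})\s+(.*)", line)
        if not m:
            continue  # ruler line or anything that is not a dump row
        addr = int(m.group(1), 16)
        if base is None:
            base = addr
        elif addr != base + sum(len(c) for c in chunks):
            raise ValueError(f"dump is not contiguous at {addr:08X}")
        row = bytearray()
        for tok in m.group(2).split():
            if len(row) == 16 or not re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
                break  # 16 bytes per row; the first non-hex token starts the ASCII column
            row.append(int(tok, 16))
        chunks.append(bytes(row))
    return base, b"".join(chunks)


def decode_at(code, base, addr):
    """Decode the instruction at addr if it is a branch, nop or ret from the
    thread's table. Returns (mnemonic, length, target); target is None when
    the instruction has no fixed destination."""
    i = addr - base
    if not 0 <= i < len(code):
        raise ValueError(f"{addr:08X} is outside the dump")

    def imm(off, n, signed=True):
        chunk = code[i + off:i + off + n]
        if len(chunk) != n:
            raise ValueError(f"operand at {addr:08X} runs past the end of the dump")
        return int.from_bytes(chunk, "little", signed=signed)

    op = code[i]
    if op == 0x90:
        return ("nop", 1, None)
    if op == 0xC3:
        return ("ret", 1, None)
    if op == 0xC2:
        return (f"ret {imm(1, 2, signed=False):X}h", 3, None)
    if op in SHORT_JUMPS:
        # Target = address of the next instruction + signed displacement.
        return (SHORT_JUMPS[op] + " short", 2, addr + 2 + imm(1, 1))
    if op in (0xE8, 0xE9):
        return ("call" if op == 0xE8 else "jmp", 5, addr + 5 + imm(1, 4))
    if op == 0x0F and i + 1 < len(code) and code[i + 1] in NEAR_JCC:
        return (NEAR_JCC[code[i + 1]] + " near", 6, addr + 6 + imm(2, 4))
    raise ValueError(f"opcode {op:02X} at {addr:08X} is not in the table")


def describe_patch(code, base, addr, normal, crack):
    """Check that the `normal` bytes really sit at addr (the comparison an
    integrity scanner makes) and decode the instruction before and after the
    `crack` bytes are written over them."""
    normal_b, crack_b = bytes.fromhex(normal), bytes.fromhex(crack)
    i = addr - base
    patched = bytearray(code)
    for k, b in enumerate(crack_b):
        patched[i + k] = b  # overwrite in place; the image keeps its length
    return {
        "normal_present": code[i:i + len(normal_b)] == normal_b,
        "same_length": len(normal_b) == len(crack_b),
        "before": decode_at(code, base, addr),
        "after": decode_at(bytes(patched), base, addr),
    }


if __name__ == "__main__":
    base, code = parse_ida_hexdump(IDA_HEXDUMP)
    for a in (0x4BA163, 0x4BA16A, 0x4BA187, 0x4BA19E, 0x4BA1B0):
        mnem, length, target = decode_at(code, base, a)
        print(f"{a:08X}  {mnem:10} len={length} target={target and f'{target:08X}'}")
    print("74 -> EB :", describe_patch(code, base, 0x4BA16A, "74", "EB"))
    print("74 49 -> 90 90 :", describe_patch(code, base, 0x4BA16A, "74 49", "90 90"))
```

Every `call` in the dump resolves to the `sub_…` name IDA printed in the first post's listing, which is a quick way to confirm that the dump was transcribed correctly. The `same_length` flag is the rule behind every entry in this thread: replacement bytes must cover exactly the bytes they replace, or the instructions after them decode differently.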
Thanks for the help. Atm it's not a lot of help, but I'm sure once I get to sit down and play with it in IDA with some hands-on, it will make more sense. It will help a lot at that point.

Again, thanks for the help, and if I end up getting really interested in this you will see some more questions, I'm sure :)
 
[SeeInvis]
Description="See Invisible"
Version="2006.03.15"
address0=4EF4E7
normal0="E8 34 EE F3 FF"
crack0="B0 01 90 90 90"


This question involves this offset. First off, let me say I can find the offset no problem at all; that's not an issue. I'm still having problems understanding the normal and crack values of some of these offsets.

When you open up IDA in hex view on this address you see

Code:
.text:004EF230  02 00 00 00 5E C2 04 00-81 C6 EC 01 00 00 33 C9

So my question is from looking at that how do you come up with

normal0="E8 34 EE F3 FF"
crack0="B0 01 90 90 90"

I'm having a hell of a time understanding this part of just about any crack, to be honest. Some are more simple than others though.