Question MQ2DoCracks + Cheat Engine

Cage9d9

Hey Folks! I spoke with Fry briefly and he suggested I post here. I was a bit hesitant at first but with his blessing I'm going to go ahead :)

I'm mainly a .NET C# developer and I've typically always used the compiles from here. Lately I've been itching to learn a bit more about the process of how MacroQuest in general achieves many of its functions with EverQuest. I'm not the type to ask "how do I do this" without first explaining what I've done. So I'll give you my problem statement, what I've done so far, and what my request is :)

Problem Statement:
I wanted to essentially learn more about Offsets & Memory Addresses using something completely external to MacroQuest, such as Cheat Engine. I figured the first thing I would try is make my level 1, brand new character, have Enduring Breath.

What I've Tried:
I've downloaded Cheat Engine and played a bit trying to identify my Hit Points etc, using multiple scans, casting buffs/taking damage, etc to isolate down the possible addresses. I get down to approximately 10 addresses but I get stuck here. So I decided to take a different approach, why not take some information readily available to me and try to work with that? I opened MQ2DoCrack.ini file, went to the EB section and took out the Address0 part.

Now in my mind, I had all the information I needed. I had the Memory Address, I had the Normal value and the Crack value. All I had to do was add the address manually into Cheat Engine and change the value from 48 to 90 (crack value).

When I added the address manually, Cheat Engine shows the value as ?? instead of anything remotely interesting.

Here is the address in MQ2DoCrack.ini: Address0=5C5DB4
The address I tried to include manually was:
0x005C5DB4

I'm curious if I'm missing a key piece, such as the pointer to the address which I may need to find/manipulate or if there is a static offset that I need to add to the Address value?

Anyway, not sure if anyone out there has some experience with Cheat Engine or the Offsets but if you do please hit me up!

Thanks,
 
Are you trying to find a pointer, or are you just trying to use a direct address? From my experience using Cheat Engine I've found that typically that means that it's a changing address and you need a pointer instead of a fixed address. I haven't tried these things, nor do I choose to go through the trouble of creating an account to try changing something like that. I used to be pretty good at cracking games with changing offsets using pointers. Typically when I get down to 10 and couldn't get it to drop anymore it meant that there was a pointer needed.

I'm sure there are YouTube videos to explain the process, but I recommend using their tutorials which should be located in the folder that Cheat Engine is saved to. I believe step 5 and 6 are specifically the ones you are looking for. But I still recommend doing all of the steps to fully understand the uses of Cheat Engine.
 

Hey Chat, thanks for the reply. Would anyone be able to comment on what is the address stored in MQ2DoCrack.ini file then? Is that an address to a pointer or a static memory location?
 
Find the image (eqgame.exe) base address in memory. E.g., via proc explorer, or w/e. Let's say that's 0x120000

Then add the AddressX you want to see the data at. E.g., let's use AFewMountSkills from current release from 2017.06.20, which is 0x47074b. Add that to your previous result. Then subtract 0x400000 from that. Read that memory for however many bytes (array) and see the data, in this case, 0F 87 3D 25 00 00 (for 6 bytes). If you change that to E9 0F 00 00 00 90, you now have a few mount skills enabled.

So (all in hex): TargetAddress = ImageBaseAddress + CrackAddress - 0x400000


Edit: I don't use CE much, but put it on so I could see if you can show the base address easily with that - and yeah, you can. One way at least, is after loading the process (eqgame.exe), then click the "Memory View" button, then click Tools menu, and Dissect PE Headers. The MZ-Start address is what you are after.

htw
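
The address translation htw describes, generalized as an added example (not code from this thread or from MacroQuest): instead of hard-coding 0x400000, it reads the preferred ImageBase from the PE header, checks that the static address falls inside the image, and reports whether the image opts in to a randomized base. It assumes the 0x400000 in the formula is the image's preferred ImageBase; the header bytes and the SizeOfImage value are constructed for the example.

```python
import struct

def parse_pe_header(data: bytes) -> dict:
    """Return ImageBase, SizeOfImage and the ASLR flag from a PE header."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20            # skip signature and 20-byte COFF header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:                 # PE32: 32-bit ImageBase at offset 28
        (image_base,) = struct.unpack_from("<I", data, opt + 28)
    elif magic == 0x20B:               # PE32+: 64-bit ImageBase at offset 24
        (image_base,) = struct.unpack_from("<Q", data, opt + 24)
    else:
        raise ValueError(f"unknown optional-header magic {magic:#x}")
    (size_of_image,) = struct.unpack_from("<I", data, opt + 56)
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    return {"image_base": image_base, "size_of_image": size_of_image,
            "dynamic_base": bool(dll_chars & 0x0040)}   # DYNAMIC_BASE bit

def rebase(static_va: int, header: dict, actual_base: int) -> int:
    """TargetAddress = ImageBaseAddress + CrackAddress - preferred ImageBase."""
    rva = static_va - header["image_base"]
    if not 0 <= rva < header["size_of_image"]:
        raise ValueError(f"{static_va:#x} is outside the image")
    return actual_base + rva

def build_sample_header(image_base=0x400000, size_of_image=0x1000000) -> bytes:
    """Constructed PE32 header: only the fields parsed above, rest zeroed."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic
    struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<I", opt, 56, size_of_image)   # constructed value
    struct.pack_into("<H", opt, 70, 0x0040)          # DYNAMIC_BASE set
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    hdr = parse_pe_header(build_sample_header())
    # Numbers from the post: load base 0x120000, static address 0x47074b
    print(hex(rebase(0x47074B, hdr, 0x120000)))
```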
 
Exactly what htw said. I was able to achieve my goal by using the above formula. It's also worth noting that you can find this calc in MQ2Globals as well if you are interested in seeing it there.

Thanks to htw/chat/brainiac for the info, this has been awesome :)
 

In Cheat Engine the pointers point to an address when it changes its location in the memory every time it starts, or if it changes randomly while the process is running. However, pointers are pointing to something, that may be pointing to something, that is also pointing to something. Step 8 of the tutorial is one of the more difficult ones to find the final static address for something. Additionally there is code injection, hooking and other various features. Static addresses are shown in green on the address finder window and that should be how you tell that you've located the final address. This video shows how that works.

https://www.youtube.com/watch?v=0icOYSjBNUA

It might be interesting to note that with code injection you can allocate a lot of memory and create a jump where it inserts specific code that you typed into the program that generates a desired outcome. IE: if you can find the memory address that affects being hit you can change that code or remove that code in theory. You could change it to make it so that when you get hit nothing happens. You could also change it so that when you get hit you gain health instead of losing it. You can set a specific ammo to be infinite (Endless Quiver). And various other things. Keep in mind that doing things like this will likely draw attention to you and should not be done on a primary account. Testing should always be done on something you aren't worried about losing.
 