Stuff Needed for Doing Offsets / Hacking in General

WickedMofo

I have decided to write a guide on how to FIND OFFSETS, but first I would like to point out the tools of the trade. In my next post I will put these utilities to work and show both a SIMPLE, and a FRESH FROM START way of finding offsets. These are a hacker's bread and butter. There are other programs out there, please feel free to add more links.

First try to get a copy of IDA PRO, or if you don't have the $500++ dollars, use the DEMO and if it expires just set your computer date back a few months:
http://www.datarescue.be/idademo/idademo50.exe .

IDA PRO alone is awesome, in and of itself. But I also prefer another one for doing Hex or Text searches, XVI32:
http://www.handshake.de/user/chmaas/delphi/download/xvi32.zip

Other programs that, as you get better, make it possible to learn how to find DEFINES and OFFSETS from scratch (I am going to upload these):

PERMEDIT--"GRANT PERMISSIONS" to other programs like Tsearch & WinHack
Tsearch--Handy for finding the entry code, Searching Memory, Breakpoints.
WinHack--This is much like GHU, tests memory locations.
 
Install IDA PRO. Make sure to have a DESKTOP ICON of it, so you can DRAG - AND - DROP EXE's on top of it.

Next step, would be to make a subdirectory called OLD EQGAME EXE, and put whatever you have into there, but to make things easier name them like EQGAME20060315.EXE, EQGAME20060419.EXE, etc etc.

Now open this directory and drop EQGAME20060315.EXE (last patch before this one). Basically you want to hit Enter, and not worry about the DLL stuff. Let it load for a good 10 - 15 minutes if it is the DEMO version (Registered version will save the data so you don't have to wait as long each time). Repeat this for EQGAME20060419.EXE so you will have 2 versions decompiling at once. Make a note which is which, so you can toggle back and forth.

While you are waiting, go to the EQ directory and open up eqstr_us.txt (there are some that look similar, so be careful -- also never write anything to this file, it has a checksum). This file is basically a good place to start, and contains strings that EQ sends to you like this one :

12693 %1 is too far away, canceling auto-follow.

Guess what that is? That is Farfollow. However, we need to first convert the DECIMAL to HEX. So, using CALC (making sure you have VIEW set to SCIENTIFIC), put in 12693 in decimal, then click HEX. You should get 3195. That is what we are going to look up first. Let's look at it in the 3/15 version first. Since we know that :
Code:
[FarFollow]
Description="/follow someone from any distance"
Version="2006.03.15"
address0=4E56A4
normal0="0F 85 82 00 00 00"
crack0="E9 83 00 00 00 90"

Now type in "G" from IDA PRO (the one with 3/15 EXE loaded). You should see a little window pop up asking you where you want it to JUMP to. Type in 4E56A4 (the ADDRESS0 above). You should see this :

Code:
.text:004E56A4                 jnz     loc_4E572C <---- LONG JUMP
.text:004E56AA                 mov     eax, dword_966194
.text:004E56AF                 cmp     dword_966180, eax
.text:004E56B5                 jz      short loc_4E56E3   <-----SHORT JUMP
.text:004E56B7                 mov     ecx, [eax+0DA4h]
.text:004E56BD                 test    ecx, ecx
.text:004E56BF                 jz      short loc_4E56E3   <-----SHORT JUMP
.text:004E56C1                 push    0
.text:004E56C3                 push    0
.text:004E56C5                 push    0
.text:004E56C7                 push    0
.text:004E56C9                 push    0
.text:004E56CB                 push    0
.text:004E56CD                 push    0
.text:004E56CF                 push    0
.text:004E56D1                 call    sub_4EE320
.text:004E56D6                 push    eax
.text:004E56D7                 push    3195h   <------ Ok this is one, another below also 
.text:004E56DC                 lea     eax, [esp+144h+var_100]
.text:004E56E0                 push    eax
.text:004E56E1                 jmp     short loc_4E5705
.text:004E56E3
.text:004E56E3 loc_4E56E3:                             ; CODE XREF: sub_4E55F0+C5j
.text:004E56E3                                         ; sub_4E55F0+CFj
.text:004E56E3                 push    0
.text:004E56E5                 push    0
.text:004E56E7                 push    0
.text:004E56E9                 push    0
.text:004E56EB                 push    0
.text:004E56ED                 push    0
.text:004E56EF                 push    0
.text:004E56F1                 push    0
.text:004E56F3                 mov     ecx, esi
.text:004E56F5                 call    sub_4EE320
.text:004E56FA                 push    eax
.text:004E56FB                 push    3195h <----BINGO
.text:004E5700                 lea     ecx, [esp+144h+var_100]
.text:004E5704                 push    ecx

Code:
00 01 02 03 04 05 06 07-08 09 0A 0B 0C 0D 0E 0F
-----------------------------------------------
E0 F6 C4 41 0F 85 82 00-00 00 A1 94 61 96 00 39

Ok, this looks very complex, and it is to the first-time viewer. Let me explain a bit about JUMPS, and such.

Usually you see 74, 75, 76, 77 -- These are short jumps, based on conditions like <, >, = etc etc

Also you will see EB <-- very handy --- Jump no matter what conditions
and even better 90 <-- NOP ---- NO OPERATION, Don't do shit

We want to REALLY avoid 4E56E3 like the plague, so nothing JUMPS there, or we screwed up. So we are trying to actually go UP higher, before we get those 2 short jumps to a jump that is above them, that bypasses this push.

0F 85, and 0F 84 are longer jumps, and E9 is a longer version of EB above. So in this case we are going to jump unconditionally from 4E56A4 to 4E572C. Now get those HEX calculators out again, subtract 4E56A4 FROM 4E572C, you get HEX 88, but we need to take 5 off here, so we must use 83 HEX. So this becomes crack0="E9 83 00 00 00 90". The 90 at the end actually is there to NOP that spot (we had six before and we shortened to 5). Before we go further we need to "COPY" the "PUSH 3195h" EXACTLY as it is. So highlight it and ALT-C.

Now open the 4/19 version of the EXE and type in "ALT-T", and "PASTE" in the above (ALT-V). Make sure to have "All OCCURRENCES" checked, and run it. Let it go for a few minutes, then click cancel. Should see :

Code:
.text:004E5D37                 push    3195h 
.text:004E5D5B                 push    3195h

So we want to avoid the 2 short jumps and take the long one EXACTLY like we did before :

Code:
.text:004E5D04                 jnz     loc_4E5D8C <--Offset we need
.text:004E5D0A                 mov     eax, dword_966194
.text:004E5D0F                 cmp     dword_966180, eax
.text:004E5D15                 jz      short loc_4E5D43 <-- Bypass this by using a jump above here that goes past the pushes below
.text:004E5D17                 mov     ecx, [eax+0DA4h]
.text:004E5D1D                 test    ecx, ecx
.text:004E5D1F                 jz      short loc_4E5D43 <-- Bypass this by using a jump above here that goes past the pushes below
.text:004E5D21                 push    0
.text:004E5D23                 push    0
.text:004E5D25                 push    0
.text:004E5D27                 push    0
.text:004E5D29                 push    0
.text:004E5D2B                 push    0
.text:004E5D2D                 push    0
.text:004E5D2F                 push    0
.text:004E5D31                 call    sub_4EEAA0
.text:004E5D36                 push    eax
.text:004E5D37                 push    3195h <--- want to avoid this
.text:004E5D3C                 lea     eax, [esp+144h+var_100]
.text:004E5D40                 push    eax
.text:004E5D41                 jmp     short loc_4E5D65
.text:004E5D43 ; ---------------------------------------------------------------------------
.text:004E5D43
.text:004E5D43 loc_4E5D43:                             ; CODE XREF: sub_4E5C50+C5j
.text:004E5D43                                         ; sub_4E5C50+CFj
.text:004E5D43                 push    0
.text:004E5D45                 push    0
.text:004E5D47                 push    0
.text:004E5D49                 push    0
.text:004E5D4B                 push    0
.text:004E5D4D                 push    0
.text:004E5D4F                 push    0
.text:004E5D51                 push    0
.text:004E5D53                 mov     ecx, esi
.text:004E5D55                 call    sub_4EEAA0
.text:004E5D5A                 push    eax
.text:004E5D5B                 push    3195h <--- want to avoid this
.text:004E5D60                 lea     ecx, [esp+144h+var_100]
.text:004E5D64                 push    ecx

Code:
00 01 02 03 04 05 06 07-08 09 0A 0B 0C 0D 0E 0F
-----------------------------------------------
E0 F6 C4 41 0F 85 82 00-00 00 A1 94 61 96 00 39

Hmm anything look Familiar? This is EXACTLY the same code as before. We found the OFFSET that we can use now for 4/19 -- 4E5D04

so you get :

Code:
[FarFollow]
Description="/follow someone from any distance"
Version="2006.04.19"
address0=4E5D04
normal0="0F 85 82 00 00 00"
crack0="E9 83 00 00 00 90"

Now make a note someplace that FarFollow was found by looking for 3195h, so next time it is easier.

I will do more of these to try and make them easier to follow, etc. This one was not an easy one. I will also try and explain better how jumps work, and when you want to use unconditional jumps vs NOP'ing out code.
 
E X C E L L E N T Thread WickedMoFo.

I found this Freeware version of IDA, it's only 4.3, but seems to work just fine, so I'll post the zip for it here. It never expires.

freeida43.zip
 
Very nicely done WickedMofo. Heck, this could be Chapter 1 in offset hacking for your new best-selling book. :) (I'd buy a copy)

WickedMofo the uber-offset-hacker said:
Now get those HEX calculators out again, subtract 4E56A4 FROM 4E572C, you get HEX 88, but we need to take 5 off here, so we must use 83 HEX. So this becomes crack0="E9 83 00 00 00 90"

I'd love to see more about this. I have a basic understanding of why we need to take off 5 here, but to the new hacker, this is very cryptic. From what I understand, this is because with assembly being very linear, the function is being executed at the last byte in the function, not the first.. (4E56A4 is the beginning of the function, 4E56A9 is the end, with 4E56AA being the beginning of the next line). So if you use that logic and subtract 4E56A9 from 4E572C, you get the 0x83 you're looking for.

Again, this is a basic understanding and might not be 100% accurate.
 
Here might be a better example.....

Let's find NoAnon from scratch. With that in mind we open eqstr_us.TXT, so we can find the proper TEXT to find/block and that would be this one here :

Code:
3122 ANONYMOUS

Ok load EQGAME20060419.EXE by dumping it onto the IDA PRO icon, and let it start melting away (decompiling). Ok we are going to be looking for a PUSH C32 (HEX of the DECIMAL number 3122), but we need to adjust for the spacing that is VERY WEIRD to say the least between "PUSH" and "XYZ", so find anything with a "PUSH XYZ" and COPY it, so you can just paste it in, now count how many spaces there are in between H and X, it should be 4. Now we are going to do a SEARCH (ALT T) for PUSH____C32 (where ____ = 4 spaces), so put it in that way. One more thing to add, and that is GENERALLY when doing a search for something HEX keep in mind that HEX needs 2 (pairs of) characters (in this case) so we are actually looking for "PUSH 0C32". Do the search with FIND ALL OCCURRENCES (This starts from the beginning - 400000). Ok you should see this :

Code:
.text:004B674A loc_4B674A:                             ; CODE XREF: sub_4B5D00+A27j
.text:004B674A                 mov     eax, [esp+0E28h+var_E10]
.text:004B674E                 test    eax, eax
.text:004B6750                 jnz     loc_4B68A2
.text:004B6756                 mov     al, [esi+140h]
.text:004B675C                 test    al, al
.text:004B675E                 jnz     loc_4B6980
.text:004B6764                 mov     eax, [esi+394h]
.text:004B676A                 test    eax, eax
.text:004B676C                 jz      short loc_4B67E7 <--- Jump that could bypass the push below
.text:004B676E                 mov     edi, [esp+0E28h+var_E14]
.text:004B6772                 lea     edx, [esp+0E28h+var_D54]
.text:004B6779                 push    edx
.text:004B677A                 lea     eax, [esp+0E2Ch+var_C80]
.text:004B6781                 push    eax
.text:004B6782                 lea     ecx, [esi+74h]
.text:004B6785                 push    ecx
.text:004B6786                 mov     ecx, edi
.text:004B6788                 call    sub_4AA2E0
.text:004B678D                 mov     ecx, dword_966140
.text:004B6793                 push    eax
.text:004B6794                 push    0
.text:004B6796                 push    0C32h  <--- What we want to avoid
.text:004B679B                 call    sub_5EE780
.text:004B67A0                 push    eax
.text:004B67A1                 lea     edx, [esp+0E38h+var_D24]
.text:004B67A8                 push    edx
.text:004B67A9                 lea     eax, [esp+0E3Ch+var_D34]
.text:004B67B0                 push    eax
.text:004B67B1                 lea     ecx, [esp+0E40h+var_D44]
.text:004B67B8                 push    ecx
.text:004B67B9                 lea     edx, [esp+0E44h+var_DFC]
.text:004B67BD                 push    edx
.text:004B67BE                 lea     eax, [esp+0E48h+var_D00]
.text:004B67C5                 push    offset aSSSSSSSS ; "%s%s%s%s[%s] %s %s%s"
.text:004B67CA                 push    eax
.text:004B67CB                 call    sub_66960E
.text:004B67D0                 add     esp, 28h
.text:004B67D3                 push    1
.text:004B67D5                 push    119h
.text:004B67DA                 lea     eax, [esp+0E30h+var_D00]
.text:004B67E1                 push    eax
.text:004B67E2                 jmp     loc_4B6975

Now let's view this in HEX VIEW A :

Code:
................00 01 02 03 04 05 06 07-08 09 0A 0B 0C 0D 0E 0F
.text:004B6760  1C 02 00 00 8B 86 94 03-00 00 85 C0 74 79 8B 7C

Notice that below the 0C is where the JUMP actually is. Hence we get 4B676C as the OFFSET. Now what do we do with the 74 79? 74 is a CONDITION, 79 is how FAR it will jump (A SHORT JUMP). BUT in this case we want it to bypass the PUSH, so we want an UNCONDITIONAL JUMP -- JUMP NO MATTER WHAT PAST THE PUSH 0C32. So instead of using a 74, we put in an EB. So we get this :
Code:
[NoAnon]
Description="No Anon on /who"
Version="2006.04.19"
address0=4B676C
normal0="74"
crack0="EB"

Why was 79 not put in? Well it is redundant, meaning you could put it in but it would go in both places like this :

Code:
[NoAnon]
Description="No Anon on /who"
Version="2006.04.19"
address0=4B676C
normal0="74 79"
crack0="EB 79"

However if nothing is changing why put it in? 79 in this case is a constant, in a sense. We are jumping 79 no matter what. BOTH offsets above will work, the second one is just redundant and most hackers will wonder why you left the 79 there. Anyway that concludes lesson #2, hope it shows how you determine when to use EB, next I will tackle how and when to NOP something out.
 
NOP NOP NOP when to use NOP

Ok here is a good example of when to use NOP. Let's find the OFFSET that corresponds to this: "12392 You are encumbered!".

So take out CALC again and put in 12392 and click HEX. You should get 3068. So we want to search for "PUSH____3068" (____ = 4 spaces). Ok so let's search in IDA for this. Should see this:

Code:
.text:004275A8 loc_4275A8:                             ; CODE XREF: sub_4274A0+9Ej
.text:004275A8                                         ; sub_4274A0+AEj ...
.text:004275A8                 fld     [esp+18h+var_8]
.text:004275AC                 fcomp   [esp+18h+var_10]
.text:004275B0                 fnstsw  ax
.text:004275B2                 test    ah, 41h
.text:004275B5                 mov     eax, dword_983F84
.text:004275BA                 jp      short loc_4275F9 <--- This is our OFFSET that goes to PUSH    3068.
.text:004275BC                 test    eax, eax
.text:004275BE                 jl      short loc_4275E6
.text:004275C0                 cmp     eax, 1
.text:004275C3                 jnz     short loc_4275F0
.text:004275C5                 mov     ecx, dword_966140
.text:004275CB                 push    eax
.text:004275CC                 push    0Dh
.text:004275CE                 push    0
.text:004275D0                 push    3067h
.text:004275D5                 call    sub_5EE780
.text:004275DA                 mov     ecx, dword_9E95A8
.text:004275E0                 push    eax
.text:004275E1                 call    sub_4B0820
.text:004275E6
.text:004275E6 loc_4275E6:                             ; CODE XREF: sub_4274A0+11Ej
.text:004275E6                 mov     dword_983F84, 0
.text:004275F0
.text:004275F0 loc_4275F0:                             ; CODE XREF: sub_4274A0+123j
.text:004275F0                                         ; sub_4274A0+19Cj
.text:004275F0                 fld     [esp+18h+var_14]
.text:004275F4                 pop     esi
.text:004275F5                 add     esp, 14h
.text:004275F8                 retn
.text:004275F9 ; ---------------------------------------------------------------------------
.text:004275F9
.text:004275F9 loc_4275F9:                             ; CODE XREF: sub_4274A0+11Aj
.text:004275F9                 test    eax, eax
.text:004275FB                 jl      short loc_4275FF
.text:004275FD                 jnz     short loc_42762B
.text:004275FF
.text:004275FF loc_4275FF:                             ; CODE XREF: sub_4274A0+15Bj
.text:004275FF                 mov     ecx, dword_966140
.text:00427605                 push    1
.text:00427607                 push    0Dh
.text:00427609                 push    0
.text:0042760B                 push    3068h    <--- What we want to avoid.
.text:00427610                 mov     dword_983F84, 1
.text:0042761A                 call    sub_5EE780
.text:0042761F                 mov     ecx, dword_9E95A8
.text:00427625                 push    eax
.text:00427626                 call    sub_4B0820
.text:0042762B

Ok as you can see 4275BA is the OFFSET we are going to focus on. Hex view of this offset:

Code:
................00 01 02 03 04 05 06 07-08 09 0A 0B 0C 0D 0E 0F
.text:004275B0  DF E0 F6 C4 41 A1 84 3F-98 00 7A 3D 85 C0 7C 26

Ok we get "7A 3D" but what do we want to do with this? Well you don't want to force a jump here, because that in fact would put you exactly where you do NOT want to be (PUSH____3068). In this case you could do a few things, but at this stage in our programming careers we will "NOP" (You could FORCE a jump some place else, or have it RETN also).

This is the end result:
Code:
[NoEncumber]
Description="Allows for no encumberance"
Version="2006.04.19"
address0=4275BA
normal0="7A 3D"
crack0="90 90"

We want the OFFSET to perform NO OPERATION when it gets here, simply continue as if nothing happened. And in fact what ends up happening is it will hit a RETN. How else could this have been done? In theory you could FORCE a jump to 4275F0. 4275F0 minus 4275BA = 31.

Code:
[NoEncumber]
Description="Allows for no encumberance"
Version="2006.04.19"
address0=4275BA
normal0="7A 3D"
crack0="EB 31"

This would force a jump. Be sure if you do something like this to test it, because you could actually be skipping something you need. (I am not sure if this will work correct, just showing an example of a Forced Jump.)
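All three patches above (FarFollow, NoAnon, NoEncumber) rest on one rule of x86 encoding: a relative jump stores target minus the address of the instruction that follows the jump, so the amount you subtract is the length of the jump you are writing (2 bytes for the 7x/EB short jumps, 5 for E9 jmp rel32, 6 for 0F 8x jcc rel32). That is also why the "E9 83 00 00 00" replacement needs a trailing 90: the original jnz was 6 bytes and the patch must not change the length of the instruction stream. The Python below is an added example written for this page, not code from the thread or from any tool it mentions. It decodes each posted normal0 to confirm it lands on the loc_ label in the listings, re-derives the crack0 bytes from the addresses instead of eyeballing them, and computes the forced-jump alternative for NoEncumber that the post above flagged as unverified (the formula gives EB 34 for a jump from 4275BA to 4275F0, since 4275F0 minus the next instruction address 4275BC is 34). The addresses and bytes are copied from the posts; the function names are mine. The same decoder is what you would reach for when reading a patch list found on a modified client, to see where each changed branch now goes.

```python
"""
x86 relative-jump arithmetic behind the normal0/crack0 entries in the thread.

A relative jump encodes (target - address_of_next_instruction), so the value
subtracted from the target is the jump's own length: 2 for a short jump
(opcode + rel8), 5 for E9 jmp rel32, 6 for 0F 8x jcc rel32.
"""

# Short (rel8) jumps: 0x70..0x7F are conditional, 0xEB is unconditional.
SHORT_JUMPS = {
    0x70: "jo", 0x71: "jno", 0x72: "jb", 0x73: "jae", 0x74: "jz", 0x75: "jnz",
    0x76: "jbe", 0x77: "ja", 0x78: "js", 0x79: "jns", 0x7A: "jp", 0x7B: "jnp",
    0x7C: "jl", 0x7D: "jge", 0x7E: "jle", 0x7F: "jg", 0xEB: "jmp",
}
# Near (rel32) conditional jumps reuse the condition nibble: 0F 80..0F 8F.
NEAR_JCC = {0x80 + (op - 0x70): name for op, name in SHORT_JUMPS.items() if op != 0xEB}
NOP = 0x90


def decode_jump(address, code):
    """Decode the jump whose first byte sits at `address`.

    Returns (mnemonic, instruction_length, absolute_target). A run of NOPs is
    reported as ("nop", len, None) so a NOPed-out patch can be described too.
    """
    op = code[0]
    if op in SHORT_JUMPS and len(code) >= 2:
        rel = int.from_bytes(code[1:2], "little", signed=True)
        return SHORT_JUMPS[op], 2, (address + 2 + rel) & 0xFFFFFFFF
    if op == 0xE9 and len(code) >= 5:
        rel = int.from_bytes(code[1:5], "little", signed=True)
        return "jmp", 5, (address + 5 + rel) & 0xFFFFFFFF
    if op == 0x0F and len(code) >= 6 and code[1] in NEAR_JCC:
        rel = int.from_bytes(code[2:6], "little", signed=True)
        return NEAR_JCC[code[1]], 6, (address + 6 + rel) & 0xFFFFFFFF
    if all(b == NOP for b in code):
        return "nop", len(code), None
    raise ValueError(f"not a jump or NOP run at {address:08X}: {code.hex(' ').upper()}")


def encode_jmp(address, target, slot_len):
    """Unconditional jmp from `address` to `target`, NOP-padded to `slot_len`.

    Padding keeps the patch exactly as long as the instruction it replaces;
    that is the trailing 90 in "E9 83 00 00 00 90".
    """
    rel8 = target - (address + 2)          # short form: subtract 2
    if -128 <= rel8 <= 127:
        code = bytes([0xEB, rel8 & 0xFF])
    else:
        rel32 = target - (address + 5)     # near form: subtract 5
        if not -2**31 <= rel32 < 2**31:
            raise ValueError("target out of rel32 range")
        code = bytes([0xE9]) + (rel32 & 0xFFFFFFFF).to_bytes(4, "little")
    if len(code) > slot_len:
        raise ValueError(f"need {len(code)} bytes, slot is only {slot_len}")
    return code + bytes([NOP]) * (slot_len - len(code))


def nop_out(slot_len):
    """Replace the whole instruction with NOPs (the crack0="90 90" case)."""
    return bytes([NOP]) * slot_len


def describe_patch(address0, normal0, crack0):
    """Explain an ini-style entry: what the original branch did and what the
    replacement does. Lengths must match, or every later instruction decodes wrong."""
    address = int(address0, 16)
    normal, crack = bytes.fromhex(normal0), bytes.fromhex(crack0)
    if len(normal) != len(crack):
        raise ValueError("normal0 and crack0 must be the same length")
    before, after = decode_jump(address, normal), decode_jump(address, crack)
    fmt = lambda d: d[0] if d[2] is None else f"{d[0]} -> {d[2]:08X}"
    return {"address": address, "before": fmt(before), "after": fmt(after),
            "same_target": before[2] == after[2]}


if __name__ == "__main__":
    # Entries as posted in the thread.
    for name, a, n, c in [
        ("FarFollow 2006.03.15",  "4E56A4", "0F 85 82 00 00 00", "E9 83 00 00 00 90"),
        ("NoAnon 2006.04.19",     "4B676C", "74 79", "EB 79"),
        ("NoEncumber 2006.04.19", "4275BA", "7A 3D", "90 90"),
    ]:
        print(name, describe_patch(a, n, c))
    # The "why subtract 5" case: rel32 = target - (address + 5), then one NOP.
    print(encode_jmp(0x4E56A4, 0x4E572C, 6).hex(" ").upper())  # E9 83 00 00 00 90
    # Forced-jump alternative for NoEncumber, computed rather than eyeballed.
    print(encode_jmp(0x4275BA, 0x4275F0, 2).hex(" ").upper())  # EB 34
```

`describe_patch` raises when normal0 and crack0 differ in length, which is the first check to run on any patch entry: a replacement that is one byte short or long shifts every instruction after it and turns a clean branch change into a crash.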
 
WickedMofo said:
[quotes the full guide above]

Ok I was trying to find offsets for today's EQ patch... Couple of questions about the write-up..

First Question


.text:004E56A4 jnz loc_4E572C <---- LONG JUMP
.text:004E56B5 jz short loc_4E56E3 <-----SHORT JUMP
.text:004E56BF jz short loc_4E56E3 <-----SHORT JUMP
How do you know that those are the jumps? If .text:004E56E3 loc_4E56E3: is the code you're looking for, what makes you even look at the others?

2nd:, 3rd , 4th , 5th question

WickedMofo said:
Code:
00 01 02 03 04 05 06 07-08 09 0A 0B 0C 0D 0E 0F
-----------------------------------------------
E0 F6 C4 41 0F 85 82 00-00 00 A1 94 61 96 00 39

Ok, this looks very complex, and it is to the first-time viewer. Let me explain a bit about JUMPS, and such. ( It is :p )

Usually you see 74, 75, 76, 77 -- These are short jumps, based on conditions like <, >, = etc etc

Also you will see EB <-- very handy --- Jump no matter what conditions
and even better 90 <-- NOP ---- NO OPERATION, Don't do shit



We want to REALLY avoid 4E56E3 like the plague, so nothing JUMPS there, or we screwed up. So we are trying to actually go UP higher, before we get those 2 short jumps to a jump that is above them, that bypasses this push.

0F 85, and 0F 84 are longer jumps, and E9 is a longer version of EB above. So in this case we are going to jump unconditionally from 4E56A4 to 4E572C. Now get those HEX calculators out again, subtract 4E56A4 FROM 4E572C, you get HEX 88, but we need to take 5 off here, so we must use 83 HEX. So this becomes crack0="E9 83 00 00 00 90". The 90 at the end actually is there to NOP that spot (we had six before and we shortened to 5). Before we go further we need to "COPY" the "PUSH 3195h" EXACTLY as it is. So highlight it and ALT-C.
###
Could someone explain just a bit more about jumps.. Where exactly does the 74, 75, 76, 77 come from? where are they?

WickedMofo said:
0F 85, and 0F 84 are longer jumps, and E9 is a longer version of EB above. So in this case we are going to jump unconditionally from 4E56A4 to 4E572C. Now get those HEX calculators out again, subtract 4E56A4 FROM 4E572C, you get HEX 88, but we need to take 5 off here, so we must use 83 HEX. So this becomes crack0="E9 83 00 00 00 90". The 90 at the end actually is there to NOP that spot (we had six before and we shortened to 5). Before we go further we need to "COPY" the "PUSH 3195h" EXACTLY as it is. So highlight it and ALT-C.

0F 85 , 0F 84? Could someone show me them, E9? ... What makes 4E572C the one to jump to? Do you always subtract 5??

Sorry for so many questions. Just want to help out some.. If you could answer them it would be much help for me. Or PM me. Thanks.
 
Dumb Question in regards to using EQGame.exe
Is it necessary to make use of the immediately previous exe from the current one, or can I use an older one, say from sometime in May 2006, cause that is the most recent previous one I have on my comp from a hydra account that I've not used since then

Thanks in advance
 
You need to use the .exe's from the current patch and the last patch.
 
OKies thanks

Anyone got a copy of the previous exe i can snag?

Thanks

Yeah get used to saving them. I have almost all of them dating back to like 2004. I usually save them in the format as such "EQGAMEYYYYMMDD". If I still have them all I will upload them to my FTP. Might be missing the last 1 or 2 since I quit playing. However I think FRY might have them on one already perhaps.
 
I already had that in mind for saving them =)

Thanks WickedMofo for the input

I wanna see if I can help find offsets in the future.


Which reminds me the link posted for Ida Pro demo pulls up a thank you for trying out this demo after about a half hour while i'm doing a search of jumps/etc any clue as to why it does this?

Thanks in advance for any and all help
 
http://www.datarescue.com/idabase/index.htm is their main site, maybe my links are old? It is a very nice decompiler to use. If it is expired just roll back your date on your computer to like 1/1/2005 or something and try that. I forget when they had it expire, but there was a date it just stopped working. Yeah having another hacker would be kewl!

It does have a 1/2 hour limit each use, which sucks. Get a hacked copy :p
 
A full working version of 5.0 is available, if you search long enough.
 
DOH!!!

Been working on a crap load of graphics for my sister today in between surfing the forums so my brain is kinda in a state of jello mode atm. I found what I was looking for. Google is good to have in your favorites folder =)
 
OKies NEWB hacker question here


When looking for offsets I did a search for "push 13b9"

Came up with 2 instances that gave "push 13b9h" but no "jz short loc-" type of thing beforehand as indicated in the second lesson that WickedMoFo showed. Is this something to look for in regards to getting offsets?