EQ2 Pointer woes

Hacking Any Other Massively Multiplayer Online Role-Playing Game


Postby Sorn » Wed Sep 19, 2007 10:48 am

Been working on a trainer "of sorts" for EQ2. I'm successful at finding values, X location for example, and have been able to move my character by manually editing the values. This value is located in a DMA area; now the fun part, tracking down that elusive pointer. Grrr! I've read a few places that EQ2 uses advanced pointers. Pointer -> Pointer -> Pointer -> Pointer ... -> DMA

Now what suggestions would some of you more experienced guys/gals have for this scenario? Obviously I'm going to want to be able to find the DMA address at runtime every time with the trainer. What methods would work the best? This is what I've been able to come up with so far. I may be on the right track, I may not be. Look this work over a bit and let me know what I'm doing right or wrong here (if you have the time, that is).

This is what I've found so far.

Code:
    008A43C9 = MOV EAX, [EBP-20]
    008A43CC = MOV [EBP+60],EAX
    008A43CF = MOV EAX, [EBP-1C]
    008A43D2 = MOV [EBP+64],EAX
    008A43D5 = MOV EAX, [EBP-18]
    008A43D8 = MOV [EBP+68],EAX
    008A43DB = LEA EDI, [EBX+34]
    008A43DE = LEA ESI, [EBP+60]
    008A43E1 = movs dword ptr es:[edi],dword ptr [esi]


008A43E1 is the address being written to when the character moves. I set a BP on 008A43C9 and stepped through the code to find out what ESI was eventually being written to. And these are my findings:

Code:
    ebp+60 = 0013f490 + 60 (13F4F0)


But on line 008A43DE EBP+60 was written to ESI, so ESI should be 0013F4F0, but as you can see below it ends up being 0013f4f4.

Code:
    esi = 0013f4f4
    edi = 0013f5f8
    eip = 008A43E2


I'm at a loss at this point because after adding the ESI address to CE it ends up being a constantly cycling address, meaning one second it is 456456464, the next second it's -689.5646465472 (this is the X location), and the next second it changes to something else. What would some of you more experienced members suggest I do from here? Am I even attempting this the correct way? If not, how exactly should I be doing this?

Thanks
~Sorn
Sorn
Posts: 8
Joined: Sun Aug 19, 2007 6:28 am

Postby L. Spiro » Wed Sep 19, 2007 10:34 pm

Sorn wrote:
Now what suggestions would some of you more experienced guys/gals have for this scenario?

Tracing backwards in the Debugger or using code injection to store the pointer target somewhere where you can always access it.

I prefer the first method but the second is easier.


Sorn wrote:
008A43E1 is the address being written to

From the rest of your post I assume you meant it is the address doing the writing.

I am not sure how useful this code is.
It is juggling a value between local variables inside the function and then, using a few parameters passed to it, it writes ESI and EDI.
The value it writes (0x0013F4F0) is on the stack.


Sorn wrote:
But on line 008A43DE EBP+60 was written to ESI so ESI should be 0013F4F0 but as you can see below here it ends up being 0013f4f4.

Who knows. If you are using MHS and Auto-Hack, remember that when using hardware breakpoints with it, the registers are recorded from the next instruction after the breakpoint address.
This might be the same in Cheat Engine.

If you resumed the game and then came back to this code, and your values are from the before and after, don’t get them that way.


Sorn wrote:
I'm at a loss at this point because after adding the ESI address to CE it ends up being a constantly cycling

I don’t use Cheat Engine but I know why you get this problem because you would get the same result using my software.
As mentioned above, that address is on the stack. It holds temporary data used by functions and at any given moment it can contain any random value in the game.
If the game calls the same functions every frame the values will cycle as you observed.
Every value it holds is useless. You cannot use that address for anything.


You need to find the real location of your X or Y before you continue.
Once you find it, perhaps the same methods you use now will be of more use and you will have better luck.


L. Spiro
Posts: 3129
Joined: Mon Jul 17, 2006 10:14 pm
Location: Tokyo, Japan
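As an added illustration of two points in this exchange (my own constructed C, not code from the thread, from MHS, or from EQ2): the multi-level pointer chain Sorn describes, resolved from a fixed base by re-reading each link every time, and L. Spiro's note that the registers were recorded at the instruction after the breakpoint. MOVS DWORD PTR ES:[EDI],DWORD PTR [ESI] copies four bytes and then, with the direction flag clear, adds 4 to both ESI and EDI, so a snapshot taken at the next instruction (the post shows EIP = 008A43E2) reports ESI as 0013F4F4 rather than the 0013F4F0 that LEA ESI,[EBP+60] loaded. The object layout, the EBX value (0013F5C0, chosen so that EBX+34 is 0013F5F4, four less than the EDI in the post) and the float placed in the stack slot are assumptions made up for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the game's objects (assumed layout, not EQ2's):
 * base object -> entity -> position block, so X is three links from the base,
 * like the Pointer -> Pointer -> Pointer -> DMA chain described in the post. */
typedef struct Position { float x, y, z; } Position;
typedef struct Entity   { uint32_t id; Position *pos; } Entity;
typedef struct World    { uint32_t frame; Entity *player; } World;

/* Walk base -> [base+off0] -> [p1+off1] -> ... ; every offset but the last is
 * read as a pointer and followed, the last one addresses the value itself.
 * Returns NULL if any intermediate link is NULL instead of dereferencing it. */
static void *resolve_chain(void *base, const size_t *offsets, size_t count)
{
    uintptr_t cur = (uintptr_t)base;
    for (size_t i = 0; i + 1 < count; i++) {
        void *next;
        memcpy(&next, (const void *)(cur + offsets[i]), sizeof next);
        if (next == NULL)
            return NULL;
        cur = (uintptr_t)next;
    }
    return (void *)(cur + offsets[count - 1]);
}

/* Build the objects and resolve X through the chain. With broken != 0 the
 * entity's position pointer is NULL; returns X, or -1.0f for a broken chain. */
static float chain_demo(int broken)
{
    Position pos = { 123.5f, -7.0f, 42.0f };     /* constructed coordinates */
    Entity ent = { 1, broken ? NULL : &pos };
    World world = { 0, &ent };
    const size_t offs[] = { offsetof(World, player),
                            offsetof(Entity, pos),
                            offsetof(Position, x) };
    const float *x = resolve_chain(&world, offs, 3);
    return x ? *x : -1.0f;
}

/* Registers involved in the MOVS at 008A43E1, plus the dword it copied. */
typedef struct Snapshot { uint32_t esi, edi, eip, copied; } Snapshot;

/* Emulated 32-bit address space: a window of bytes starting at MEM_BASE,
 * large enough to hold the stack addresses quoted in the post. */
#define MEM_BASE 0x0013F400u
#define MEM_SIZE 0x400u

static int mem_ok(uint32_t addr, uint32_t len)
{
    return addr >= MEM_BASE && addr + len <= MEM_BASE + MEM_SIZE;
}

/* MOVS DWORD PTR ES:[EDI],DWORD PTR [ESI] with DF = 0: copy 4 bytes, then add
 * 4 to ESI and EDI. Opcode A5 is one byte, so EIP advances by 1.
 * Returns 0 on success, -1 if either access leaves the emulated window. */
static int movsd(Snapshot *r, uint8_t *mem)
{
    if (!mem_ok(r->esi, 4) || !mem_ok(r->edi, 4))
        return -1;
    memcpy(mem + (r->edi - MEM_BASE), mem + (r->esi - MEM_BASE), 4);
    r->esi += 4;
    r->edi += 4;
    r->eip += 1;
    return 0;
}

/* Reproduce the post's breakpoint: EBP = 0013F490, so LEA ESI,[EBP+60] gives
 * 0013F4F0. EBX is assumed to be 0013F5C0 so LEA EDI,[EBX+34] gives 0013F5F4.
 * The registers are returned as a debugger that records them at the next
 * instruction would show them, i.e. after the MOVS has executed. */
static Snapshot movsd_demo(void)
{
    static uint8_t mem[MEM_SIZE];
    const uint32_t ebp = 0x0013F490u, ebx = 0x0013F5C0u;
    Snapshot s = { ebp + 0x60, ebx + 0x34, 0x008A43E1u, 0 };
    const uint32_t x_bits = 0x42F70000u;         /* constructed: float 123.5 */
    memcpy(mem + (s.esi - MEM_BASE), &x_bits, 4);
    if (movsd(&s, mem) == 0)
        memcpy(&s.copied, mem + (s.edi - 4 - MEM_BASE), 4);
    return s;
}

int main(void)
{
    Snapshot s = movsd_demo();
    printf("X through the pointer chain: %.1f (broken chain -> %.1f)\n",
           chain_demo(0), chain_demo(1));
    printf("after MOVS: esi=%08X edi=%08X eip=%08X copied dword=%08X\n",
           s.esi, s.edi, s.eip, s.copied);
    return 0;
}
```

Compiled with any C99 compiler, the snapshot comes out as esi=0013F4F4, edi=0013F5F8, eip=008A43E2, the same three values Sorn recorded, which is what a post-instruction register dump of this MOVS looks like. The chain walk only treats the base as fixed and re-reads every intermediate pointer, which is why it keeps working when the objects move; a stack slot such as EBP+60 belongs to whichever function is running at that moment, which is why the value at 0013F4F0 appeared to cycle.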

Postby Sorn » Thu Sep 20, 2007 1:16 am

I appreciate the fast reply. I'll give the suggestions you gave a go round and see what I come up with. Yes, finding the real location of the X location is what I'm after; it is just proving more complicated than I originally anticipated. However, difficulties will not hold me back. I love this whole scene and the challenges it presents; it's almost like a game itself.

One more question, not sure if this is by design or what, but I use a combination of tools. I've been using your software more frequently here lately after finding it, but this line here puzzles me.

008A43E1 = movs dword ptr es:[edi],dword ptr [esi]

Here is why: Cheat Engine and your software report this line back as

008A43E1 = movs

I had to use TSearch to see the whole line. Is there any reason for this? Are CE and MHS abbreviating the code, or is TSearch not reading it correctly?

Thank you
Sorn
Posts: 8
Joined: Sun Aug 19, 2007 6:28 am

Postby L. Spiro » Thu Sep 20, 2007 1:52 pm

View Disassembler - Options.
Mess with the Output options and you will probably see the full version of MOVS.


L. Spiro
Posts: 3129
Joined: Mon Jul 17, 2006 10:14 pm
Location: Tokyo, Japan
