View Full Version : November 7th patch
Hidron
11-07-2012, 10:44 AM
Well, todays patch royally broke the offset finder. Looking at the patch message, I think the changes that made things so fun on Test just went live. Scan results:
eqgame.exe Modified=11/1/2012
ZoneAddr Found - Offset does not match ini File.
SpawnHeaderAddr Offset Not Identified.
CharInfo Offset Not Identified.
ItemsAddr Found - Offset does not match ini File.
TargetAddr Offset Not Identified.
WorldAddr Offset Not Identified.
[Memory Offsets]
ZoneAddr=0xd51cd4
SpawnHeaderAddr=0x0
CharInfo=0x0
ItemsAddr=0xd412c8
TargetAddr=0x0
WorldAddr=0x0
Oggre
11-07-2012, 11:31 AM
Aye. I got the same thing.
This patch broke even more. One of my computers, which is several years old, won't even run everquest after this patch. Everything worked fine last night. My guess is that it has to do with video card drivers (I run an older Nvidia card with not the latest drivers, so I can still play my Thief (Garrett) games that I love). I will try on another computer with another Nvidia card but with newer drivers and see how it goes.
Maybe MyShowEQ is broken, maybe it ain't. I saw the notices on the "everquest.exe has changed" and was reminded on how every time Sony has done this in the past my game experience goes downhill.
I'm patching on the other computer so we'll see how that goes
O
iluvseq
11-07-2012, 11:41 AM
These don't get MySEQ working, but here are the new primary offsets:
[Memory Offsets]
ZoneAddr=0xd51cd4
SpawnHeaderAddr=0xdd6108
CharInfo=0xd44760
TargetAddr=0xd44778
ItemsAddr=0xd412c8
WorldAddr=0xd44730
Oggre
11-07-2012, 11:49 AM
Well the other computer patched and runs everquest just fine. I suppose I will have to update the video drivers on this machine.
However, I'm worried that maybe Sony finally one-upped us and changed the EQ.exe process so that showeq will no longer work. There has been talk of late that on Test the offsets change each time. Maybe we've been outflanked....
Hopefully the programmers here will be able to figure out what is the issue with the offset finder.
You know, it's always said that when they build a better mouse trap, you just need to send in a better mouse...
O
Razzle
11-07-2012, 11:50 AM
I wont have time to look at anything until probably friday. I started looking at fixing offset finder using test as a basis. But I discovered that I need some new code to dump patterns from the exe to make the process easier. It was very time consuming. Beta is a mess too as I understand. I will try to be prepared for the expansion when it comes out.
Razzle
Razzle
11-07-2012, 11:51 AM
Try updating your directx too. That may help if u arent using the latest of dx9.
Oggre
11-07-2012, 12:04 PM
Thanks Razzle. In the grand scheme of things I can wait for an update. In a certain way it's not all that bad to play everquest flying blind for awhile.
I doubt it is directX issue. I'm running Nvidia 56.72 drivers, and I've drunk french wines that are younger that those drivers. I knew I'd eventually have to update but I just didn't want to until it was necessary.
I look forward to hearing what you come up with.
O
Razzle
11-07-2012, 01:14 PM
Historically I never updated video drivers unless EQ quit working. I remember updating a few times causing EQ to break. I also remember that version of driver. I stayed with that version til that computer died. Work great with my agp 6800 ultra space heater. Oh the good ole days when i could piss away $500 on a video card and not sweat it.
Oggre
11-07-2012, 01:42 PM
Aye, two peas in a pod you and I. However, now it has stopped working. I found a copy of the 81.85 version which works on the other computer, so I can perhaps use that. I will have to check into how that affects Thief by going to through the looking glass at ttlg.com and see if it is still compatible. Life goes on, but I wish Sony could have given us a heads up on this.
O
Hidron
11-07-2012, 02:27 PM
I am just as guilty with updates. I only used to update DirectX & drivers during the downtime for EQ expansion launches, or the night before if I had to work that day. Now, I don't normally touch either unless I am actually experiencing a problem.
iluvseq
11-07-2012, 03:08 PM
They use ASLR now for eqgame.exe so now we have to take the offsets from IDA or whatever and subtract 0x400000 from them. Then, we have to obtain the modulebase for the currently running eqgame.exe and add that to the adjusted offsets. I'm working on code for that and will post once I have it complete.
Razzle
11-07-2012, 03:39 PM
Oh wonderful.
Thanks for any code you can put together. I guess I get to learn something new now.
Razzle
iluvseq
11-07-2012, 03:46 PM
Ok, this little commandline tool gets the base address for all running eqgame.exe processes. You should be able to easily pull in the bits that would be needed for MySEQ to obtain the info as well. It's really just a minor update to the normal method of getting the process handle.
// get_process_info.cpp : finds the base address of running eqgame.exe processes
//
#include "stdafx.h"
#include <windows.h>
#include <stdio.h>
#include <psapi.h>
bool AdjustPrivileges();
int _tmain(int argc, _TCHAR* argv[])
{
AdjustPrivileges();
DWORD dwBase = -1;
DWORD aProcesses[1024], cbNeeded, cProcesses;
WCHAR processName[MAX_PATH] = L"<Unknown";
if (!EnumProcesses( aProcesses, sizeof(aProcesses), &cbNeeded ))
return 0;
cProcesses = cbNeeded / sizeof(DWORD);
for (unsigned int i= 0; i < cProcesses; i++) {
HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION |
PROCESS_VM_READ,
FALSE,
aProcesses[i] );
if (NULL != hProcess ) {
HMODULE hMod;
DWORD cbNeeded;
if (EnumProcessModules( hProcess, &hMod, sizeof(hMod), &cbNeeded)) {
GetModuleBaseName( hProcess, hMod, processName, sizeof(processName)/sizeof(WCHAR));
if (lstrcmp(processName, L"eqgame.exe") == 0) {
wprintf(L"Process: %s (PID: %u) dwBase = 0x%X\n", processName, aProcesses[i], (DWORD)hMod);
}
}
}
}
return 0;
}
bool AdjustPrivileges() {
HANDLE hToken;
TOKEN_PRIVILEGES tp;
TOKEN_PRIVILEGES oldtp;
DWORD dwSize = sizeof(TOKEN_PRIVILEGES);
LUID luid;
if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
{
if (GetLastError() == ERROR_CALL_NOT_IMPLEMENTED)
return true;
printf("OpenProcessToken() failed.");
return false;
}
if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luid))
{
printf("LookupPrivilege() failed.");
CloseHandle(hToken);
return false;
}
ZeroMemory(&tp, sizeof(tp));
tp.PrivilegeCount = 1;
tp.Privileges[0].Luid = luid;
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
/* Adjust Token Privileges */
if (!AdjustTokenPrivileges (hToken, FALSE, &tp, sizeof(TOKEN_PRIVILEGES), &oldtp, &dwSize))
{
printf("AdjustTokenPrivileges() failed.");
CloseHandle(hToken);
return false;
}
return true;
}
So once you find the base address, to calculate your offsets you simply do:
newOffset = eqgame.exe + (IDAOffset - 0x400000)
For example, pTarget:
currentpTarget = eqgame.exe + 0x944778 # (0xD44778-0x400000)
So if you want to make it easy, you can keep the config files using the IDA offsets like they do now, and just find the eqgame.exe base and do the math (including subtracting 0x400000) in the MySEQ code.
junkmerchant
11-07-2012, 07:56 PM
I am really not sure what to do with this code. It looks like C++ code but I am not a programmer. Can anyone help with getting the correct offsets?
I was good with using the old style of getting the offsets with the server running in debug mode (or something like that) but now that has changed and I don't think i can get the offsets that way any longer.
Maybe I should wait until someone updates the server software?
Thanks,
Junky
Ok, this little commandline tool gets the base address for all running eqgame.exe processes. You should be able to easily pull in the bits that would be needed for MySEQ to obtain the info as well. It's really just a minor update to the normal method of getting the process handle.
// get_process_info.cpp : finds the base address of running eqgame.exe processes
//
#include "stdafx.h"
#include <windows.h>
#include <stdio.h>
#include <psapi.h>
bool AdjustPrivileges();
int _tmain(int argc, _TCHAR* argv[])
{
AdjustPrivileges();
DWORD dwBase = -1;
DWORD aProcesses[1024], cbNeeded, cProcesses;
WCHAR processName[MAX_PATH] = L"<Unknown";
if (!EnumProcesses( aProcesses, sizeof(aProcesses), &cbNeeded ))
return 0;
cProcesses = cbNeeded / sizeof(DWORD);
for (unsigned int i= 0; i < cProcesses; i++) {
HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION |
PROCESS_VM_READ,
FALSE,
aProcesses[i] );
if (NULL != hProcess ) {
HMODULE hMod;
DWORD cbNeeded;
if (EnumProcessModules( hProcess, &hMod, sizeof(hMod), &cbNeeded)) {
GetModuleBaseName( hProcess, hMod, processName, sizeof(processName)/sizeof(WCHAR));
if (lstrcmp(processName, L"eqgame.exe") == 0) {
wprintf(L"Process: %s (PID: %u) dwBase = 0x%X\n", processName, aProcesses[i], (DWORD)hMod);
}
}
}
}
return 0;
}
bool AdjustPrivileges() {
HANDLE hToken;
TOKEN_PRIVILEGES tp;
TOKEN_PRIVILEGES oldtp;
DWORD dwSize = sizeof(TOKEN_PRIVILEGES);
LUID luid;
if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
{
if (GetLastError() == ERROR_CALL_NOT_IMPLEMENTED)
return true;
printf("OpenProcessToken() failed.");
return false;
}
if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luid))
{
printf("LookupPrivilege() failed.");
CloseHandle(hToken);
return false;
}
ZeroMemory(&tp, sizeof(tp));
tp.PrivilegeCount = 1;
tp.Privileges[0].Luid = luid;
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
/* Adjust Token Privileges */
if (!AdjustTokenPrivileges (hToken, FALSE, &tp, sizeof(TOKEN_PRIVILEGES), &oldtp, &dwSize))
{
printf("AdjustTokenPrivileges() failed.");
CloseHandle(hToken);
return false;
}
return true;
}
So once you find the base address, to calculate your offsets you simply do:
newOffset = eqgame.exe + (IDAOffset - 0x400000)
For example, pTarget:
currentpTarget = eqgame.exe + 0x944778 # (0xD44778-0x400000)
So if you want to make it easy, you can keep the config files using the IDA offsets like they do now, and just find the eqgame.exe base and do the math (including subtracting 0x400000) in the MySEQ code.
iluvseq
11-07-2012, 08:05 PM
The code I posted doesn't help get offsets. It was for Razzle to show how he could figure out the process base address, which is now a component in accessing the EQ memory. The old way was 'open process, grab data at offset', the new way is 'find out process base address, open process, grab data at offset - 0x400000 + process base address'
I already posted all the primary offsets for the new release at the top of the thread. The issue is that they don't work without process base address and so Razzle needs to update the server with this new logic. There may be other changes as well, but this has to be modified first before we can figure the rest out.
junkmerchant
11-07-2012, 08:12 PM
Oh ok, thanks. I miss understood. Thank you for the clarification and the understanding. I will wait for the new server.
Junky
The code I posted doesn't help get offsets. It was for Razzle to show how he could figure out the process base address, which is now a component in accessing the EQ memory. The old way was 'open process, grab data at offset', the new way is 'find out process base address, open process, grab data at offset - 0x400000 + process base address'
I already posted all the primary offsets for the new release at the top of the thread. The issue is that they don't work without process base address and so Razzle needs to update the server with this new logic. There may be other changes as well, but this has to be modified first before we can figure the rest out.
Razzle
11-07-2012, 09:12 PM
I am able to read base address fine. Will try to make other tweaks later if I get a chance. Will get a release out soon as functional. Debug code may have to wait. It needs serious help anyways.
Razzle
Razzle
11-07-2012, 10:21 PM
Hmmm. Tried it like you described. Didn't work. Will have to take a closer look. Will map the locations in memory and check my math. It is simple addition. That is easiest to screw up. Only spent abt 30 min on it total. Was hoping for a quick win.
Razzle
Razzle
11-07-2012, 10:27 PM
Ok. Did it half assed. This will take me a couple hours to fix. Bah. But I know how to do it pretty easy.
iluvseq
11-07-2012, 11:46 PM
Was the info I posted helpful?
Razzle
11-08-2012, 12:25 AM
Was the info I posted helpful?
Yes. Thanks. They may have something sneaky going on, you never know. But i will get it going soon.
Razzle
11-08-2012, 08:53 AM
My son wouldnt go to sleep last night. He was up til almost 11:30. Silly 2 year olds. Getting up at 4:30 to head in to work makes for a long day. Needless to say, I didn't get back to it last night.
Reading on ASLR, it doesn't sound like its supported in all versions of windows. Whats the story on this? If anyone knows.
Razzle
iluvseq
11-08-2012, 09:49 AM
Windows XP was the first Windows with some support for ASLR, but it's not enabled by default. Windows Vista and up have it enabled by default, as long as the application is linked with the ASLR enabled flag. After reading the patch notes that mentioned new compiler settings, I used Process Explorer (http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx) to check, and sure enough, ASLR is enabled on eqgame.exe now (on my Windows 7 system at least). I then used IDA to determine the new base offsets (posted earlier in this thread) and MemoryDumperPro to dig around in memory, and determined that IDA offset - 0x40000 + egame.exe_base resulted in the proper pointers that we used to get by just using IDA offset. Keep in mind, the values fetched from those pointers do *not* need to be adjusted in the same way, they are pointers to the actual location so you can continue to use them the same way as before.
Here's how I validated this:
TargetAddr = 0xD44778 # offset determined via examination of decompiled code in IDA
Imagebase = 0x400000 # from the PE header on the executable. This value doesn't change from computer to computer, but may change when they recompile eqgame.exe
BaseAddress = 0xF0000 # can vary every time eqgame.exe is run
Adjusted TargetAddr = 0xA34778 # 0xD44778 - 0x400000 + 0xF0000
Read DWORD at that location = 0x2463C9F8 # changes all the time, of course, pointer to spawn structure, same as before
Spawn name = 0x2463CA9C # 0x2463C9F8 + 0xA4 # spawn pointer + name offset, same as before
I just did this live and it returns the target's name as expected.
In three runs of eqgame.exe I had three different baseAddress locations, so ASLR is definitely active.
Fireblade
11-08-2012, 12:03 PM
Glad to see you guys working on it. :D
I'm curious, will the old offsetfinder I have been updating all the time work at all or should i just abandon it?
Not sure if I should put in any effort anymore if it cannot handle the ASLR to find the new offsets (primary and 2ndary).
Razzle
11-08-2012, 12:04 PM
Hmmm. I know I meant my test code to use 0x400000. But I think I missed a zero. Ugh. Hate having my code at home. I might just add a check box on the server to enable/disable aslr, and make it a manual setting for now. That might be quickest fix at this point.
Razzle
11-08-2012, 12:07 PM
The offset finder should be able to work fine. It should identify offsets like normal I think. I have not started looking for new patterns yet though.
Fireblade
11-08-2012, 12:13 PM
Ok great, then I'll work on new patterns too once you have updated the server.
Razzle
11-08-2012, 06:15 PM
Under Windows XP SP2, process explorer shows no ASLR as expected. MySEQ works with no changes other than updating offsets.
I will be testing on pc that runs with ASLR later.
Just need the kiddos to go to bed early. No work tomorrow, if I don't finish up tonight.
If people can post what OS versions dont work, I can probably do a better job at fixing it for everyone.
I will test on 7 SP1 and Server 2008 R2 when verifying fixes.
Razzle
Nstalkerga
11-08-2012, 07:40 PM
windows 7 X64 - no workie :)
I'll see if i can find some older systems to test on 7 x32 and window XP x64.
I think i still have 2 of those running somewhere
iluvseq
11-09-2012, 07:54 AM
The good news is that processes without ASLR enabled return 0x400000 as their baseaddress, so the same code works either way. (IDA offset - 0x400000 + 0x400000 == IDA offset) so you don't need to detect the OS or have split logic for ASLR vs. non-ASLR
Razzle
11-09-2012, 10:52 AM
The good news is that processes without ASLR enabled return 0x400000 as their baseaddress, so the same code works either way. (IDA offset - 0x400000 + 0x400000 == IDA offset) so you don't need to detect the OS or have split logic for ASLR vs. non-ASLR
Yep. I am there. I got it connecting, and it will identify the zone. Looking in to how zone spawns are done now. It does not send spawns over. So it is about making the adjustments in the places it accesses memory now. So getting close. If I can get an hour to finish this, I might be able to wrap it up.
Razzle
11-09-2012, 11:39 AM
Baby woke up. Making progress. So hopefully at naptime I can get a release finished up. It's the pointer games that become annoying making the debug code work. A simple rebase is all that is really needed to be functional. I understand ASLR pretty good now.
Razzle
11-09-2012, 11:54 AM
My bigest slow down, is my dev pc does not use ASLR. So I make changes. Copy exe and test. So going to have to switch it up and put visual studio over on other pc. I should be back at it in a few hours. Wife is off running errands, so I got the kids now.
Razzle
11-09-2012, 01:45 PM
Got it working. I did not check the debug code to make sure everything is working in it. That can wait til later. Putting together a release package now.
R
Razzle
11-09-2012, 02:14 PM
I am having sinus surgery next week. So I will be laid up for about a week or so. During that time, I will try to update the debugger code to return IDA offsets. If you have XP, it should work as normal, and everything should be good. Vista and later, where ASLR is enabled, that is where you would need to calculate what the IDA offset using the base address.
Razzle
iluvseq
11-09-2012, 02:30 PM
nice, thank you!
iluvseq
11-09-2012, 02:31 PM
I always just use IDA to figure out the offsets every patch anyway :)
Razzle
11-09-2012, 02:35 PM
I need to learn to use IDA better.
Hidron
11-09-2012, 03:05 PM
Looks good so far. Thanks for getting the update out even if it isn't fully "polished" yet.
Fireblade
11-09-2012, 04:02 PM
Got it working. I did not check the debug code to make sure everything is working in it. That can wait til later. Putting together a release package now.
R
Great job man! Working on Live, no bug as far as I can tell from a few mins testing.
Powered by vBulletin® Version 4.1.11 Copyright © 2024 vBulletin Solutions, Inc. All rights reserved.