How to find offsets



wxh
07-18-2018, 03:43 PM
Okay...there have been a few requests for a writeup on how to find offsets, so I threw something together. I'm sure this can be improved upon, but it works.


Preparation:

To prepare to find your own offsets, you'll need to start with correct offsets the first time. Run the
debug version of the server, click the icon in the upper left of the server.exe window, and select
"properties". Select the "Layout" tab, and in the "Screen Buffer Size" box, change "Height" to 3000.
Use the "es" command to display info about yourself. Then, go through all of the secondary offsets and
find what values are stored at the indicated addresses (for example, the secondary offset "NameOffset" is
0xa4, so at 0xa4, you should see your character's first name). Write down the values you find at each
of the secondary offsets listed below - this will help you know what to search for when trying to find
your own offsets later on. For HideOffset, do this with some form of invisibility on your character, and
remember what form of invisibility you used.

HideOffset (4 bytes): (invis type: )
LevelOffset (1 byte):
ClassOffset (2 bytes):
RaceOffset (2 bytes):
PrimaryOffset (4 bytes):
OffhandOffset (4 bytes):

Note that you can also target an NPC that always has the same items equipped in their main and off hand,
and use the values you get from the "et" command to find all of the secondary offsets except OwnerID and
Hide. Also note that it might be useful to get some cheap items that you can keep in your bank and
equip in your primary and off hands during offset search, since if you upgrade your equipment, the values
you'll need to search for will probably change.


Finding offsets:

0: A starting note: After identifying each of the offsets we'll be looking for and updating it in the
MySEQ config file, use the "r" command in the debug server to reload the offsets.

1: Click the icon in the upper left of the debug server window, and select "properties". Select the "Layout"
tab, and in the "Screen Buffer Size" box, change "Height" to 3000. (This could be something that you only
have to do once, since the setting may be sticky.)

2: Go to the guild lobby

3: In the debug server window, type "fz guildlobby". Note the returned values. Try each as the value for
ZoneAddr. The most likely candidate will be the one whose value is closest to the previous value for ZoneAddr.

4: Target Guardian Rooksis, at the end of the hall leading to the Plane of Knowledge closest to the throne.
In the debug server window, type "ft Guardian_Rooksis00". Note the returned values. Try each as the value
for TargetAddr. The most likely candidate will be the one whose value is closest to the previous value for
TargetAddr.

5: Target yourself (hit F1 in game). In the debug server window, type "ft " followed by your first name
(for example, if your character's name is "Flyboy Sopwith", you would type "ft Flyboy"). Note the returned
values. Some of the returned values will be identical to the values you got in step 4, above, and can be
discarded. Try each of the others as the value for both CharInfo and SpawnHeaderAddr. The most likely
candidate is the one whose value relative to the one you settled on in step 4 is closest to the previous
difference between CharInfo and TargetAddr.

6: In the debug server window, type "es" (or "et" with the appropriate NPC targeted if you did your prep
using an NPC). For the next few pointers, you'll use the "find" function in the debug server window. To do
this, click the icon in the upper-left corner, select "Edit ->", and then "Find...". Type the hexadecimal
value for which you want to search into the text box in the Find... window. For multi-byte values, separate
the bytes with a space and order the bytes from least significant to most significant (for example, to search
for the hex value 0x1234, you would type "34 12" into the search box). Find the offsets below by searching
for the values you found for them during preparation. Note that most of these offsets will be even numbers
(numbers that end in 0, 2, 4, 6, 8, a, c, or e). The only exception I've seen in the last 5 years is
LevelOffset, which doesn't have that restriction.
6a: Your level (LevelOffset)
6b: Your race (RaceOffset)
6c: Your class (ClassOffset)
6d: The item you have equipped in your primary hand (PrimaryOffset)
6e: The item you have equipped in your off hand (OffhandOffset)

7: Place the same type of invisibility on yourself as you had during your prep. In the debug server window,
type "es". Search for the 4-byte value that corresponds to the invis type you recorded during prep, and use
the offset you find as HideOffset. Note that it will be on a 32-bit-aligned offset (an offset that ends in
0, 4, 8, or c).

8: Find and target a pet class player who has a pet up. In the debug server window type "et". Go to the
offset specified by SpawnIDOffset and note the value stored there. Target the player's pet and, in the debug
server window, type "et". Search for the value you recorded for SpawnIDOffset for the pet's owner.
This is OwnerIDOffset. Note that because you'll have two "et" dumps in the same window, you're going to get
at least two hits here - one for the SpawnID of the pet's owner, which will obviously be at SpawnIDOffset,
and one for the OwnerID of the pet. Just make sure that when you get a hit, the offset at which the hit was
found makes sense.

9: Go to Plane of Knowledge. In the server debug window, type "sg". Note the returned pointers. One or more
should be of the form "ITnnnnn_ACTORDEF". Try each of these as the value for ItemsAddr. The best candidate
will be the one whose value is closest to the previous value for ItemsAddr.

10: In game, type "/time". Note the game date. In the debug server window, type "sfw mm/dd/yyyy", where
mm is the month that was returned for game time, dd is the date, and yyyy is the year. For example, if
/ti returned "Game Time: Monday, December 7, 3141 - 3 AM", you would type "/sfw 12/07/3141". In all
likelihood, only one pointer will be returned, and this should be used as WorldAddr.

One thing to note: the amount of data displayed by the "es" and "et" commands is 2048 bytes, which is less than
the current size of the spawn structure. As a result, some offsets might not be easy to find using just the stock
debug server (in particular, the current values for ClassOffset, RaceOffset, PrimaryOffset and OffhandOffset fall
outside the range of data displayed by es and et, and the values for ClassOffset and RaceOffset are in danger of
being pushed outside the displayed range). I suggest that the distro be updated so that the debug server displays
8192 bytes for es and et to address this issue, or, even better, those commands would take a parameter, allowing
the user to request how many bytes are to be displayed.

Insedeel
07-18-2018, 05:04 PM
Awesome! Thanks for writing this up.

Roads
07-19-2018, 09:22 PM
Ahh perfect! Thank you so much.. I just started playing on test and the offsets changed today :)

Roads
07-20-2018, 05:39 AM
> Okay...there have been a few requests for a writeup on how to find offsets, so I threw something together. I'm sure this can be improved upon, but it works.
> [...]

So what do you do if you don't know any of the offsets to start with? On test the only offset that the normal server finds is the one that loads the map. When I try finding offsets following the above and use es I get:
> es
Display Raw Memory from 0x340000 to 0x340800
Failed to obtain valid memory pointer for offset pSelf
?) display main menu

wxh
07-20-2018, 07:05 AM
Well, then it gets trickier. The reason for starting with pointers you already know is to find out what the values you need to search for to get the secondary offsets are. The first five steps should all work, and will get you the primary offsets you need to at least get skittles, but of course you won't have previous offsets to give you any hints as to which returned values are most likely to be the correct ones for each step.

Once that's done, LevelOffset is pretty easy to find, since you know your level, and you can get second- or third-target verification because you know the level of any NPC you /con anymore, so you can search for those.

For invis, what I would do is get an invis potion, then, while visible, do an "es" and search for 00 00 00 00. Then, invis yourself and search for 01 00 00 00. You'll probably only find one offset where you found 00 00 00 00 while visible and 01 00 00 00 while invis, and that's HideOffset. Note that it may be important to use an invis potion to become invisible, because there are different types of invisibility (invis, invis to animals, invis to undead, hide, and so on), so there are a bunch of different possible values that can show up at HideOffset - I know the value that shows up when you invis using a potion is 01 00 00 00, but I don't know for sure what it would be if you cast invisibility or camouflage on yourself.

For ClassOffset and RaceOffset, you can search for those pretty easily, and to find the values you need to look for, look in the \cfg folder in your ShowEQ directory. In the file "Classes.txt" is a list of what each value for class translates into, starting with 0 on the first line (so, warrior=1, cleric=2, paladin=3, and so on). In the file "Races.txt" is a list of what each value for race translates into, again starting with 0 on the first line (so, human=1, barbarian=2, erudite=3, and so on).

For PrimaryOffset and OffhandOffset, you need to do some looking up of things. Go to lucy.allakhazam.com and look up the item you equip in your main hand. Click on "raw" in the upper-right corner, and scroll down to see what the value for "idfile" is (it will be in the format "ITxxxxx", where xxxxx is a number). Convert that number to hexadecimal, and search for that, making sure to put the least significant byte first (for example, if you're equipping Fabled Fiery Staff of Zha, the value for idfile is IT10506...10506 in hex is 290a, so you'd search for 0a 29). Do the same for the item in your offhand.

The process for finding OwnerIDOffset is unchanged.

Bear in mind that you won't get valid hits for some of these if you're using the debug server that comes stock with the distro as of this writing, because some of the offsets (ClassOffset, RaceOffset, PrimaryOffset, and OffHandOffset) are outside the range of data that is displayed by the unmodified debug server that comes in the distro.

As for the "failed to obtain valid memory pointer" error - did you reload the offsets using the "r" command after you put in the primary offset for CharInfo? If not, you may want to try again. If so, maybe try targeting yourself and use "et" rather than "es". If that fails too, there may be a problem using the "es" and "et" against the test client.

Roads
07-20-2018, 08:15 AM
Sorry, I meant to post back.. I used the built-in offset finder in the server and it found me the ZoneAddr and from there I followed the instructions in the ini.. (just because I was in there at the time). But this write-up is great, I will use it in the future :) Today was the first time I ever found my own offsets.. kinda happy inside :)

Roads
07-20-2018, 10:45 AM
Wow.. it has been too long since I tried to use what little brains I have :( So.. "Once that's done, LevelOffset is pretty easy to find, since you know your level, and you can get second- or third-target verification because you know the level of any NPC you /con anymore, so you can search for those."

So I target, say, a guard.. lvl 55, do es in the server.. ctrl-f to search. Am I searching for 55 in hex or dec? Or am I just totally wrong...

And now to show my limited understanding of memory and hex..

CharInfo=0xe5c8f0 So this is the offset for CharInfo obviously.. I look in es in the server and I see my toon's name at the 5th byte of 0xe0, so that I assume is where you get 0xe5 BUT.. what is the c8f0 after that?

P.S. Thank you. I love learning but feel stupid as hell with this :)

wxh
07-21-2018, 12:34 AM
You're searching for hex values, so if the guard is level 55, you'll want to search for 37 hex.

And actually, the e5 in 0xe5c8f0 doesn't point to your character's name...that's just a coincidence. That whole number (0xe5c8f0, or 15059184 decimal) is the offset from the start of EQ's allocated RAM where the pointer to the structure that describes your character is stored. When you do es (or et or ew or ez), each line of output is formatted something like this:

0000: 11 11 11 11 11 11 11 11 11 42 11 11 11 11 11 11 .........B......

In this case, the 0000 on the left represents the offset from the start of the data structure being examined that the data on this line represents. The next 16 2-digit numbers are the hex values stored starting at that offset, and the dots to the right are the ASCII representation of those hex values (assuming that a given value has an associated printable ASCII character - lots don't). In this case, all 16 bytes stored starting at offset 0 of the structure being examined have a value of 0x11, except for the one at offset 0x09, which has a value of 0x42.
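
To make the two conventions in this thread concrete (the "34 12" little-endian search string from step 6, and the "offset: 16 hex bytes, ASCII" line format described just above), here is an added example that is not from the thread or the MySEQ project. It parses a dump in that line format into an offset-to-byte map, renders a value as the string you would type into Find..., searches for a value at even or 32-bit-aligned offsets only, and compares a "visible" dump with an "invis" dump to list the aligned 4-byte fields that changed. The sample dump is constructed for this example (the bytes are invented), and all function names are my own, not the debug server's.

```python
import string
import struct

# Constructed sample "es" dump in the line format described above:
# offset, sixteen hex bytes, ASCII column. Every value here is invented.
VISIBLE_DUMP = """\
0000: 11 11 11 11 11 11 11 11 11 42 11 11 11 11 11 11 .........B......
0010: 00 00 00 00 00 00 00 00 37 00 00 00 00 00 00 00 ........7.......
0020: 01 00 05 00 34 12 00 00 0a 29 00 00 ff ff ff ff ....4....)......
"""
# The same structure "after an invis potion": only the 4-byte field at 0x14 changed.
INVIS_DUMP = VISIBLE_DUMP.replace(
    "0010: 00 00 00 00 00 00 00 00 37",
    "0010: 00 00 00 00 01 00 00 00 37")

# struct formats for the field widths the thread uses, least significant byte first
FMT = {1: "<B", 2: "<H", 4: "<I"}


def parse_dump(text):
    """Map offset -> byte value. Each line's own offset is honoured, so a dump
    that starts at a nonzero offset or has gaps still parses. Bytes are read
    until the first non-hex token (the ASCII column) or 16 tokens, whichever
    comes first; lines without an "offset:" head (menus, prompts) are skipped."""
    mem = {}
    for line in text.splitlines():
        head, sep, rest = line.partition(":")
        if not sep:
            continue
        try:
            base = int(head.strip(), 16)
        except ValueError:
            continue
        for i, tok in enumerate(rest.split()[:16]):
            if len(tok) != 2 or not all(c in string.hexdigits for c in tok):
                break
            mem[base + i] = int(tok, 16)
    return mem


def search_string(value, width):
    """Render `value` the way step 6 says to type it into Find...:
    little-endian, one space between bytes (0x1234 as 2 bytes -> "34 12")."""
    return " ".join(f"{b:02x}" for b in struct.pack(FMT[width], value))


def find_value(mem, value, width, align=1):
    """Offsets where the little-endian encoding of `value` occurs, keeping only
    offsets that are multiples of `align` (2 for even offsets, 4 for 32-bit)."""
    needle = struct.pack(FMT[width], value)
    return [off for off in sorted(mem)
            if off % align == 0
            and all(mem.get(off + i) == needle[i] for i in range(width))]


def read_value(mem, off, width):
    """Decode the little-endian field of `width` bytes stored at `off`."""
    raw = bytes(mem[off + i] for i in range(width))
    return struct.unpack(FMT[width], raw)[0]


def changed_fields(before, after, width, align=1):
    """Aligned offsets whose `width`-byte field differs between two dumps:
    the "visible, then invis" comparison for HideOffset done mechanically."""
    return [off for off in sorted(before)
            if off % align == 0
            and all(off + i in before and off + i in after for i in range(width))
            and read_value(before, off, width) != read_value(after, off, width)]


if __name__ == "__main__":
    mem = parse_dump(VISIBLE_DUMP)
    print(hex(find_value(mem, 0x42, 1)[0]))                  # the 0x42 at offset 0x09
    # A level-55 character must be searched as hex 37, not as the digits "55".
    print(search_string(55, 1), find_value(mem, 55, 1))      # 37 [24]  (0x18)
    print(find_value(mem, 0x55, 1))                          # []  wrong needle, no hit
    print(search_string(0x1234, 2), find_value(mem, 0x1234, 2, align=2))  # 34 12 [36]
    print(search_string(10506, 2))                           # 0a 29  (an ITxxxxx idfile)
    inv = parse_dump(INVIS_DUMP)
    print([hex(o) for o in changed_fields(mem, inv, 4, align=4)])  # ['0x14']
```

The alignment filter is what keeps the invis comparison honest: without `align=4`, every 4-byte window that merely overlaps the changed byte at 0x14 would also be reported, which is the same false-hit problem the thread warns about when a search matches at an odd offset.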

Lemony
10-24-2018, 03:30 PM
I am so trying to get my head around this and would enjoy working this out but have spent a few hours and cannot get past this part:

> Then, go through all of the secondary offsets and find what values are stored at the indicated addresses (for example, the secondary offset "NameOffset" is 0xa4, so at 0xa4, you should see your character's first name). Write down the values you find at each of the secondary offsets listed below - this will help you know what to search for when trying to find your own offsets later on. For HideOffset, do this with some form of invisibility on your character, and remember what form of invisibility you used.
>
> HideOffset (4 bytes): (invis type: )
> LevelOffset (1 byte):
> ClassOffset (2 bytes):
> RaceOffset (2 bytes):
> PrimaryOffset (4 bytes):
> OffhandOffset (4 bytes):


For instance Leveloffset currently says LevelOffset=0x1b0 so I look at 0x1b0

0x1b0) 42 0b 00 00 00 00 00 00 00 ff ff ff ec 7a 60 00

I am currently 60 and see a 60. I have no idea what to do next. Write down what part? Search for what? All the levels of mobs and myself are wrong currently and I have tried changing the 0x1b? with ? being 0 all way up to F and nothing.

Hope someone pops new ones up as I am clueless =)

Hafgraz
12-14-2018, 07:12 AM
How exactly do you open up the debug version of the tool?

Hidron
12-14-2018, 11:29 AM
You launch it with the debug argument/parameter. The easiest way (at least what I did) is probably to create a 2nd shortcut to the server.exe file. Then right click, and select properties for that shortcut. In the target box is the full path to the executable file. Just add a space to the end, then the word debug. As an example, my debug shortcut has the following in the target box (your pathing is probably different):


C:\Games\MySEQ\server.exe debug

nitroplr
04-25-2023, 05:23 PM
> Well, then it gets trickier. The reason for starting with pointers you already know is to find out what the values you need to search for to get the secondary offsets are. The first five steps should all work, and will get you the primary offsets you need to at least get skittles, but of course you won't have previous offsets to give you any hints as to which returned values are most likely to be the correct ones for each step.


Is there a better way to find offsets? Recently there is a good chance for even the first five steps to have out of range values that this method does not pick up.

Hidron
04-25-2023, 07:32 PM
Would be nice if the built in offset finder could be fixed. Was a standalone offset finder at one point, but it eventually broke too.