Simplest offset to find, ever (Warp offset)

[TeachersPet]

Note: This is a very unorthodox offset find but hell, it's easy.

Get IDA Pro (you could probably find it warez easily, or do the right thing and buy it, I suggest the former).

Load your file as a Portable executable for IBM PC (PE).

If you get an error relating to DSETUP, just hit cancel and ignore it, it doesn't matter.

Let it disassemble...

When it's done, go to Search, Text, and in String put,

"finished MoveLocalPlayerToSafeCoords.\n"

Go up one line from your successful search. (Below is the successful search line and 2 lines above/below it)

.text:00489207                 mov     ecx, dword_928C78
.text:0048920D                 call    sub_41D395
.text:00489212                 push    offset aFinishedMovelo ; "finished MoveLocalPlayerToSafeCoords.\n"
.text:00489217                 call    sub_55FCF0
.text:0048921C                 pop     ecx

Look familiar?

.text:0048920D                 call    sub_41D395

0x0041D395 - Tested and working.

Works every time, I've been using it since I got warp code.

 

[Cade]

Guess this makes my guide obsolete...so much for being helpful *kicks dirt*

Well, maybe not. In case someone wants do things legaly and not spend money.

 

[TeachersPet]

Yours is better if they want to actually learn how to offset hunt. Just posted it because I knew someone who doesn't understand offsetting fully (like me, sort of) would read yours and say to themselves "What the hell is this?"

 

[enigma1025]

can get the demo of ida pro here http://www.datarescue.be/idademo/idademo48.exe and it will still do everythin u want it to do, to buy it would cost like $500 :O

 

[bigmike]

say i wanted to do this with another game... how would i go about actually putting the offset to use? how do i go from "i have the offeset" to "omg im using it to cheat"

 

[bigmike]

NM i did some research and found it out myself =P

 

[Cade]

Like...bump and...yeah...

(Yes I'm bumping this one instead of my own, this one's much better )

 

[smokinghot]

Lol Just had to laugh at ya :p

 

[Cade]

Lol Just had to laugh at ya

 

[Czarman]

They really burried it deep this patch:

First had to find this ----

.rdata:0064B510 ; char aFinishedMovelo[]
.rdata:0064B510 aFinishedMovelo db 'finished MoveLocalPlayerToSafeCoords.',0Ah,0
.rdata:0064B510                                         ; DATA XREF: sub_47EB21+3BAo

Following the Ref led to the offset:

.text:0047EED6                 call    sub_442D24
.text:0047EEDB                 push    offset aFinishedMovelo ; "finished MoveLocalPlayerToSafeCoords.\n"

Hence SuccorFunc is 0x00442D24

I think it just took a lot longer to decompile than normal.

 

[whatsaname]

Is there an easy way to find the DoTheZone offset that usually needs to be paired with this?

 

[odessa]

.....................

 

[JoeK]

In IDA, do a text search for "repop". You'll like the first thing you find.

the <<< ... >>> below is my commentary, otherwise its straight from IDA Pro

.
.
push offset aRepopToHomeAtD ; "repop to home at death"
push dword ptr [ebp-24h]
call sub_0_49DE8F <<< our friendly DoTheZone was 4AB814 for 11/16 >>
mov ecx, dword_0_906258
call sub_0_442D24 <<< our friendly MPTLSC(Warp) was 43DF51 for 11/16 >>>
mov ecx, dword_0_906258
call sub_0_441A87
jmp loc_0_46358A

 

[Czarman]

Easy way to find DoTheZone is to do a search for "ZoneTransfer". I use IDA Pro, and it took some time to decompile eqgame.exe before the labels showed up so if you are using a that decompiler, I would give it a good 10 mins, just to be sure.

Then just do a search for the above and :

.text:00465227                 push    offset aZonetransfer ; "ZoneTransfer"
.text:0046522C                 push    dword ptr [ebx] ; int
.text:0046522E                 call    sub_49DE8F
.text:00465233                 jmp     loc_46559F

and course you see 0x0049DE8F 2 lines below the search.

 

[jmac]

hmm I follow TP's guide exactly but when i put in the "finished MoveLocalPlayerToSafeCoords.\n" in search-->text then in string. it goes for a while but never finds it.

 

[larry1024]

Problem I am having is what is the file to search for the offset?

Note: This is a very unorthodox offset find but hell, it's easy.

Get IDA Pro (you could probably find it warez easily, or do the right thing and buy it, I suggest the former).

Load your file as a Portable executable for IBM PC (PE).

If you get an error relating to DSETUP, just hit cancel and ignore it, it doesn't matter.

Let it disassemble...

When it's done, go to Search, Text, and in String put,

"finished MoveLocalPlayerToSafeCoords.\n"

Go up one line from your successful search. (Below is the successful search line and 2 lines above/below it)

.text:00489207                 mov     ecx, dword_928C78
.text:0048920D                 call    sub_41D395
.text:00489212                 push    offset aFinishedMovelo ; "finished MoveLocalPlayerToSafeCoords.\n"
.text:00489217                 call    sub_55FCF0
.text:0048921C                 pop     ecx

Look familiar?

.text:0048920D                 call    sub_41D395

Works every time, I've been using it since I got warp code.

 

[Cade]

Problem I am having is what is the file to search for the offset?

eqgame.exe

 

[Devlin]

Bump,

Since i'm trying to learn and this is extremely helpful.


Redcent inc!

 

[larry1024]

I'm not so sure this is easier to figure out and the program used to decompile it takes forever, I like Cade walk though much better and its realy a much faster way of finding the offset.

 

[HardOne]

I use w32dsam89 to decompile eqgame.exe when I wanna try and mess with this stuff. It dosent take much more then 2-3min to decompile. Then once you save the project, it's fast to re-open.

 

[solar]

this is why I decompile/compile on my xeon

 

[decker]

IS this still working ?