
Updating Offsets using IDA Pro.

Guide by Pinkfloydx33 -  8/22/05


First I would like to start off by saying that IDA Pro is by far the best disassembler I have ever used.

One of the reasons to use this method over any other is that you can find offsets while the EverQuest servers are still down. You DO NOT need to load the game: IDA disassembles the executable file directly. (It is a disassembler, not a decompiler: what it shows you is an assembly listing of eqgame.exe, not source code.)


Please note that this guide shows how to find an offset using the eqgame.exe files from July 13, 2005 and August 11, 2005. The method is the same whichever versions of the executable you have, but the starting addresses and so on will obviously be different.


Before you start you will need to save a copy of the previous eqgame.exe. In other words, save a copy and rename it before you patch to the next version. You need TWO copies (current and old). You will also need a list of the offsets that correspond to the old eqgame.exe. If you only have older offsets, use the eqgame.exe that corresponds to them. The important thing to remember is that the eqgame.exe MUST correspond to the offsets you have, or they will be worthless.

For the sake of this walkthrough we are going to call the two files "eqgameold" and "eqgamenew".

Open IDA Pro, select eqgameold and let the auto-analysis start. Now open a second instance, load eqgamenew and start its analysis. At this point you can walk away for about 5 minutes. You can start looking for offsets within about thirty seconds, but I recommend letting IDA finish the full analysis before you begin, since function names and boundaries are still being filled in while it runs.

This is what you will see in the bottom left hand corner of the program when it has finished analysing everything:

We are going to start off showing you how to find the most current Warp offset (CDisplay__MoveLocalPlayerToSafeCoords). For this step you only need to pay attention to the IDA that has eqgamenew open.

On the main toolbar, find the drop-down list on the left, which may say 'Address', and change it to 'Text'.

Now click in the main "IDA View-A" window, scroll all the way to the top (the view tends to scroll down during analysis) and click on the very top line. Now click in the box next to the "Text" drop-down and begin typing. IDA searches the listing for the first occurrence of the search string as you type each letter, so pause after each keystroke until the search finishes. Type "repop" without the quotes. What you get is this:

Notice that below this line there are several "call" statements. The second one is the one we are interested in, the one that looks like this:

The number after sub_ is the offset for CDisplay__MoveLocalPlayerToSafeCoords. The full offset in this case is 0x41D395. (IDA names functions it cannot identify sub_ followed by their virtual address, so the "offset" here is the address of the function in the loaded image.) This is also the same offset as SuccorFunc, or whatever your version of warp calls the variable.

To verify that you have the correct offset, double-click sub_41D395 and it should look something like this:

Note the three local variables in green on the left (var_14, var_10, var_C). If you see these you have correctly identified the function.

Congratulations, you have found your first offset using IDA Pro!


Now we are going to find offsets like those found in DoCrack files.

Open the IDA instance that analysed eqgameold. At the very top, where you picked "Text" for the warp search, pick "Address" instead.

Let us use the Enduring Breath crack as an example.

[EB]
Description="Automatic Enduring Breath"
Version="2005.07.13"
address0=4B510B
normal0="49"
crack0="90"

In the box next to "Address" (where you originally typed repop) type in the address from the hack; in this case 4B510B. (Note: you must type it in, you cannot copy/paste into the box.) Hit Enter. You should see something like this:

Notice the left-hand column where it says .text:004B510B: that is the address you typed in the box. To make sure this is in fact the right spot, look at the normal0 value of the EB crack. In this case it reads "49", which is the byte the game ships with at that address (0x49 is the dec ecx instruction; crack0 replaces it with 0x90, a NOP, so the patch simply removes that decrement). Click the "Hex" tab above the window and you should see this:

Notice the 49 is highlighted! Good job! We ARE looking at the correct section of the code. Now open the eqgamenew IDA. What we are going to do is search for where this code has moved to. To start, go to the address field, make sure the "Address" option is selected, and type in the address from the OLD crack, 4B510B. Hit Enter:

Notice that this looks nothing like the code at the same address in eqgameold. That is because when the exe is rebuilt the code moves: functions are added, removed or resized and everything after them shifts, usually forward to higher addresses. So what we actually do is search for the code from eqgameold, starting at this point. To be safe, I normally scroll up a few lines. Click on this line (or several lines up to be safe) and now choose the "Text" option. Now pick any instruction that appears near the address in the eqgameold disassembly. For this let's use:

Keep in mind we could have used the actual line at the address. This isn't always feasible, because the line may call a function whose name changes from exe to exe: IDA names unidentified functions after their address (sub_41D395, for example), so once the code moves, the name in the call operand changes with it and the text no longer matches. This is why I tend to use a different line. So for this we will try the mov statement. Make sure you type the spaces exactly, because the search is a plain text match against the listing and they matter. As you type, the text that matches your search is highlighted in yellow. Hit Enter until you see code that starts to look similar.

In this case (a VERY rare case) we don't see anything that resembles the code around EB. That is because the code has actually moved BACKWARDS, to a lower address. So we are going to start from an address before 4B510B. Pick any arbitrary address before it; let us use 00444000. Type this in and hit Enter (make sure you change the box back to "Address"). Now click in the code and change the box back to "Text". Try the mov      ecx, [eax] statement again. Once again the listing will jump around as you type. Once you have typed the full line you should see something like this:

Looks almost exactly like our EB code from eqgameold, doesn't it? That's because it is! This was fairly easy to find. Keep in mind you may have to try different lines of code around your function when doing the searches, because some instructions are 'common' and will produce tens or hundreds of matches; when a line matches in more than one place, compare several instructions on either side before trusting the match. So back to our example: the address line reads .text:00444DE8. This is not our address. Remember we were using a different line of code to find it! So click the dec ecx line. The address on that line says 00444DEF, and in this case this IS the address for the crack. Sometimes the byte you need to change sits in the middle of an instruction rather than at its first byte, so to verify it we need to check the hex. Click the HEX tab and you should see this:

The line we are dealing with is highlighted in blue on the left. Each row of the hex view holds 16 bytes, so the row address always ends in 0 and the columns are numbered 0 1 2 3 4 5 6 7 8 9 A B C D E F. Count across from column 0 and find the 49; in this case it is in column F. Replace the trailing 0 of the row address with the column number and you get 00444DEF. If the byte you expect (normal0) is not at that position, you have the wrong line, not a new offset.

Now you can update the crack for this exe.


[EB]
Description="Automatic Enduring Breath"
Version="2005.08.11"
address0=444DEF
normal0="49"
crack0="90"


Congratulations! You have just updated an offset. Now you can update all your DoCrack and other offsets while you are waiting for the servers to come up after a patch!
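The DoCrack procedure above can also be done in code, and doing so makes the two checks the guide performs by eye (the "normal0" byte in the old exe, and again at the new address) mandatory. The script below is an added example written for this guide; it is not the guide author's tool and not part of DoCrack. It takes the bytes around the old address, wildcards the operands that change between builds (the rel32 targets of call/jmp, which is the same reason the guide avoids searching on a "call sub_..." line), searches the new exe for that byte pattern, refuses ambiguous matches, and rewrites the .ini section. Because address0 is a virtual address (.text:004B510B) and not a file offset, it reads the PE section table to convert between the two. Everything concrete in it is assumed or constructed: the E8/E9 opcode heuristic, the minimal PE32 fixture built by build_fake_pe, the instruction bytes around the patch, and the file names; only the [EB] section and the two addresses 4B510B and 444DEF come from the guide.

```python
"""Port a DoCrack-style byte patch from an old eqgame.exe to a new one.

Added example for this guide (not the author's tool). Mechanises the IDA
walkthrough: signature from bytes around the old address, rel32 operands
wildcarded, unique match in the new build, normal0 verified at both ends.
All byte sequences and PE layouts below are constructed, not real eqgame.exe.
"""
import re
import struct

WILD = None                   # wildcard entry in a signature
REL32_OPCODES = {0xE8, 0xE9}  # call rel32 / jmp rel32: operand differs per build


def pe_sections(data: bytes):
    """Return (image_base, [(rva, vsize, raw_ptr, raw_size), ...]) of a PE32 file."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsect = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("expected a 32-bit PE")  # 2005-era eqgame.exe is 32-bit
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    secs = []
    for i in range(nsect):
        hdr = opt + opt_size + 40 * i
        vsize, rva, raw_size, raw_ptr = struct.unpack_from("<IIII", data, hdr + 8)
        secs.append((rva, vsize, raw_ptr, raw_size))
    return image_base, secs


def va_to_off(image_base, secs, va):
    """Virtual address (what IDA and the .ini show) to file offset."""
    rva = va - image_base
    for srva, vsize, raw_ptr, raw_size in secs:
        if srva <= rva < srva + max(vsize, raw_size):
            return raw_ptr + (rva - srva)
    raise ValueError(f"VA {va:#x} is not inside any section")


def off_to_va(image_base, secs, off):
    """File offset back to virtual address."""
    for srva, _vsize, raw_ptr, raw_size in secs:
        if raw_ptr <= off < raw_ptr + raw_size:
            return image_base + srva + (off - raw_ptr)
    raise ValueError(f"file offset {off:#x} is not inside any section")


def make_signature(code: bytes, off: int, before: int = 12, after: int = 12):
    """Bytes around `off` with rel32 operands wildcarded.
    Heuristic (assumption): any 0xE8/0xE9 byte is treated as a call/jmp opcode;
    if it is really an operand byte the pattern only gets looser, never wrong.
    Returns (signature, index of the target byte inside the signature)."""
    start, end = max(0, off - before), min(len(code), off + after)
    sig, i = [], start
    while i < end:
        sig.append(code[i])
        if code[i] in REL32_OPCODES:
            sig.extend([WILD] * 4)  # one entry per skipped byte keeps indexes aligned
            i += 5
        else:
            i += 1
    return sig, off - start


def find_signature(code: bytes, sig) -> list:
    """Every offset where `sig` matches; returning all hits exposes 'common'
    code that matches in tens or hundreds of places."""
    pattern = b"".join(b"." if b is WILD else re.escape(bytes([b])) for b in sig)
    return [m.start() for m in re.finditer(pattern, code, re.DOTALL)]


def port_crack(old_exe: bytes, new_exe: bytes, crack: str, new_version: str) -> str:
    """Rewrite one DoCrack section (address0/normal0/crack0) for `new_exe`."""
    kv = dict(re.findall(r'^(\w+)="?([^"\r\n]*)"?', crack, re.M))
    expect = int(kv["normal0"], 16)
    old_base, old_secs = pe_sections(old_exe)
    new_base, new_secs = pe_sections(new_exe)
    old_off = va_to_off(old_base, old_secs, int(kv["address0"], 16))
    if old_exe[old_off] != expect:  # the exe must match the offsets you hold
        raise ValueError("old exe byte != normal0: offsets belong to another build")
    sig, idx = make_signature(old_exe, old_off)
    hits = find_signature(new_exe, sig)
    if len(hits) != 1:
        raise ValueError(f"{len(hits)} matches: pick other bytes or a longer pattern")
    new_off = hits[0] + idx
    if new_exe[new_off] != expect:  # the same check the guide does in the Hex tab
        raise ValueError("relocated byte != normal0: wrong match")
    new_va = off_to_va(new_base, new_secs, new_off)
    out = re.sub(r"^Version=.*$", f'Version="{new_version}"', crack, flags=re.M)
    return re.sub(r"^address0=.*$", f"address0={new_va:X}", out, flags=re.M)


def build_fake_pe(code: bytes, text_rva: int, image_base=0x400000, raw_ptr=0x400) -> bytes:
    """Constructed fixture: a minimal PE32 with a single .text section."""
    e_lfanew, opt_size = 0x80, 224
    hdr = bytearray(raw_ptr)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<HH", hdr, e_lfanew + 4, 0x14C, 1)  # i386, one section
    struct.pack_into("<H", hdr, e_lfanew + 20, opt_size)
    opt = e_lfanew + 24
    struct.pack_into("<H", hdr, opt, 0x10B)
    struct.pack_into("<I", hdr, opt + 28, image_base)
    sec = opt + opt_size
    hdr[sec:sec + 8] = b".text\0\0\0"
    struct.pack_into("<IIII", hdr, sec + 8, len(code), text_rva, len(code), raw_ptr)
    return bytes(hdr) + code


# Constructed code around the EB patch: mov ecx,[eax]; call rel32; test eax,eax;
# jz; dec ecx (49); mov [ebp-4],ecx. Only the call operand differs between builds.
OLD_SNIP = bytes.fromhex("8B08 E811223344 85C0 7405 49 894DFC")
NEW_SNIP = bytes.fromhex("8B08 E8AABBCCDD 85C0 7405 49 894DFC")
# Old build: .text at RVA 0xB5000 so dec ecx sits at 0x4B510B; new build: .text at
# 0x44000 and the code moved backwards to 0x444DEF, mirroring the guide's two exes.
OLD_EXE = build_fake_pe(b"\xCC" * 0x100 + OLD_SNIP + b"\xCC" * 32, text_rva=0xB5000)
NEW_EXE = build_fake_pe(b"\xCC" * 0xDE4 + NEW_SNIP + b"\xCC" * 32, text_rva=0x44000)

EB_CRACK = '''[EB]
Description="Automatic Enduring Breath"
Version="2005.07.13"
address0=4B510B
normal0="49"
crack0="90"
'''

if __name__ == "__main__":
    print(port_crack(OLD_EXE, NEW_EXE, EB_CRACK, "2005.08.11"))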