metalo
Junior Member
Posts: 50
Post by metalo on Oct 14, 2004 13:49:21 GMT -5
I'd like to start a thread here and get some like minds together on hunting down memory locations. I'm using WinHex 1.7 with Forensic Tools, and I thought I actually had a memory address that contained the chat line, but it seems to be off. Is there someone else out there, running in Windower mode, with WinHex looking at the same stuff I'm looking at? I'm kind of upset that FFXI didn't safeguard my account password worth a damn, because it's freely visible in memory. But then again, I'm the only one with access to that part of my memory ^^.
In any case, let's track down some memory addresses while the game's running.
I see stuff like Unique IDs, wondering what that's all about. Your name, items you have. Haven't found MP/HP stuff; still goofing off looking around.
Metalo
Post by TinyTerror on Oct 14, 2004 14:01:11 GMT -5
I'm with you on this. See my post in the C++ thread under AutoIT. I have the beginnings of what might be an alternative to FFACT going. What I need are offsets. Anything you have would be greatly appreciated.
Post by metalo on Oct 14, 2004 14:04:48 GMT -5
LoL yeah, I did a refresh on the 10 newest posts and there was yours, talking about your offsets with Talisman's code.
I was hunting around and found some addresses previously; check this out next time you're in game.
Address 0011F6DC is the start of the chat line.
The hex block looks like this: 30612C30302C30302C38306130373036302C30303030303035362C30303030303035362C303036312C30302C30312C30312C3030
Text is this: 0a,00,00,80a07060,00000056,00000056,0061,00,01,01,00
After playing with FFACT I'm sure we all know:
01 // = received a Say
04 // = my Tell to someone else
05 // = my msg to Party
06 // = my outgoing linkshell text
07 // = Emote1
09 // = echo? or say?
0a // = Shout
0c // = received a Tell
0d // = received party text -- Thanks to AcidFang for this value (v1.5.4)
0e // = incoming linkshell text
0f // = Emote2
2c // = somebody "defeats the" river crab or whatever
6f // = xyz effect wears off
79 // = you throw away a rusty subligar or whatever
7b // = your tell was not received
81 // = your fishing skill rises 0.1 points
8a // = item sold
94 // = fishing result including:
   // -You didn't catch anything,
   // -You lost your catch,
   // -Whatever caught the hook was too small to catch,
   // -Obtained: rusty subligar or whatever
   // -Your line broke
98 // = something caught on hook
9d // = A command error occurred
9f // = you release the ripped cap regretfully
a1 // = regional conquest update message
c8 // = notice of upcoming server maintenance
ce // = echo
Does that Offset coincide with you?
Metalo
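As an added example (not code from this thread or from FFACT), here is the decoding of the chat-line block pasted above: the memory block is a hex dump of ASCII text, so each pair of hex digits is one character of the comma-separated line, and the first field is looked up in the chat type table from the same post. Only the first field's meaning is given in the thread; the remaining fields are kept by position.

```python
# Added example, not code from the thread: decode the pasted chat-line block
# and label its first field using the chat type table from the post.
CHAT_TYPES = {
    0x01: "received a Say", 0x04: "my Tell to someone else",
    0x05: "my msg to Party", 0x06: "my outgoing linkshell text",
    0x07: "Emote1", 0x09: "echo? or say?", 0x0A: "Shout",
    0x0C: "received a Tell", 0x0D: "received party text",
    0x0E: "incoming linkshell text", 0x0F: "Emote2",
    0x2C: "somebody defeats something", 0x6F: "effect wears off",
    0x79: "item thrown away", 0x7B: "your tell was not received",
    0x81: "fishing skill rises", 0x8A: "item sold", 0x94: "fishing result",
    0x98: "something caught on hook", 0x9D: "a command error occurred",
    0x9F: "you release the catch", 0xA1: "regional conquest update message",
    0xC8: "notice of upcoming server maintenance", 0xCE: "echo",
}

# The block exactly as pasted in the post (WinHex-style dump, no separators).
SAMPLE_HEX = (
    "30612C30302C30302C38306130373036302C30303030303035362C"
    "30303030303035362C303036312C30302C30312C30312C3030"
)


def hex_dump_to_text(hex_block: str) -> str:
    """Turn a hex dump of ASCII bytes back into the text it encodes."""
    return bytes.fromhex(hex_block.strip()).decode("ascii")


def parse_chat_line(text: str) -> dict:
    """Split the decoded line on commas and label the first field.

    Only the first field (the chat type code) is explained in the thread;
    the other fields are returned by position without interpretation.
    """
    fields = text.split(",")
    code = int(fields[0], 16)
    return {
        "code": code,
        "type": CHAT_TYPES.get(code, "unknown"),
        "fields": fields,
    }


def decode_block(hex_block: str) -> dict:
    """Full pipeline: hex dump -> ASCII line -> labelled fields."""
    return parse_chat_line(hex_dump_to_text(hex_block))


if __name__ == "__main__":
    print(decode_block(SAMPLE_HEX))
```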
Post by TinyTerror on Oct 14, 2004 14:08:49 GMT -5
I haven't had a chance to look at game memory yet. I'll give it a try when I get home from work. Do you know if using the windower skews memory offsets at all? I assume it doesn't, but I'm not positive.
Post by metalo on Oct 14, 2004 14:19:43 GMT -5
Yeah, I'm pretty sure windower doesn't mess with the memory addresses of FFXI; if it did, the entire game would be skewed and FFXI would just crash and burn. Good question though, definitely something to keep in mind while hunting addresses.
I'm pretty sure this is how Starhawk is grabbing his stuff. He's got the edge though: he knows based on previous experience what to look for. We have no idea. It's sad he won't release his source, and has a limited development group of 4 people that hunt addresses.
Metalo
Post by TinyTerror on Oct 14, 2004 14:53:54 GMT -5
The offsets for the entire game wouldn't be skewed, because the DLL hooks the windower uses inject themselves into the DLL memory space as it's being loaded. I don't think this is going to be a problem though, because Windows should still report the right starting memory address for the DLL. After all, FFACT worked fine with the windower.
Post by TinyTerror on Oct 14, 2004 19:01:04 GMT -5
After having spoken to StarHawk, I think it might be a good idea to assist the FFACT project with whatever results we come up with. If you have any thoughts on this, post away.
Post by metalo on Oct 14, 2004 19:05:00 GMT -5
100% agree, absolutely; Starhawk and FFACT are the bomb. I'd either be lvling in Boydah or hunting addresses if they weren't doing maintenance right now.. Argg!!
Post by Talisman on Oct 14, 2004 19:53:17 GMT -5
It is important to remember to subtract the base address of FFXiMain.dll from any offsets you find, or they won't be usable. FFXiMain.dll isn't always loaded at the same offset, so if you report offsets from the beginning of the pol.exe process they won't be correct the next time you run FFXI.

I generally use a program I'm working on to report FFXiMain.dll's base address, but you can find it with ollydbg as well. Attach to the pol.exe process, then open up the memory map and find the first block of memory belonging to FFXiMain.dll. The offset that this first block of memory is at is FFXiMain.dll's base address. You need to check this value every time you run FFXI if you plan on finding offsets.

When you find an offset, subtract FFXiMain.dll's base address from it. This way a program can determine FFXiMain.dll's base address, and then add it to the offset you provided to find the correct address in memory.

The scientific view of the calculator that comes with Windows has a radio button for switching it to hexadecimal. All offsets are reported in hex, so you will need to do any calculations keeping that in mind. 10 in decimal and 10 in hex are two different numbers.
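As an added example (not one of the thread's tools, and not Talisman's program), this is the base-address arithmetic described above, with values handled as hex the way the thread writes them. The sample address/offset pair is the fishing-skill pair metalo posts later in the thread; the arithmetic only recovers the base that pair implies, not whether the offset is meaningful.

```python
# Added example, not code from the thread: module-relative offset arithmetic
# for FFXiMain.dll, with the thread's hex-without-prefix notation handled.

def parse_hex(text: str) -> int:
    """Thread offsets are hex with no 0x prefix; int('10') would read decimal 10."""
    return int(text.strip().lower().removeprefix("0x"), 16)


def module_offset(address: int, module_base: int) -> int:
    """Address found in a running game -> offset relative to FFXiMain.dll's base."""
    if address < module_base:
        raise ValueError("address lies below the module base; wrong module or base?")
    return address - module_base


def rebase(offset: int, module_base: int) -> int:
    """Reported offset -> address for this run, given this run's module base."""
    return module_base + offset


def implied_base(address: int, offset: int) -> int:
    """From a reported address/offset pair, recover the base that was subtracted."""
    return address - offset


# Fishing-skill address and offset as posted by metalo (Oct 21) in this thread.
FISHING_ADDRESS = parse_hex("2E563CFF")
FISHING_OFFSET = parse_hex("2BE33CFF")

# Constructed base for a hypothetical later run, to show the rebase step.
NEXT_RUN_BASE = 0x03A00000

if __name__ == "__main__":
    base = implied_base(FISHING_ADDRESS, FISHING_OFFSET)
    print(f"implied FFXiMain.dll base this run: {base:08X}")
    print(f"offset check: {module_offset(FISHING_ADDRESS, base):08X}")
    print(f"same offset at base {NEXT_RUN_BASE:08X}: {rebase(FISHING_OFFSET, NEXT_RUN_BASE):08X}")
```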
Post by metalo on Oct 14, 2004 20:31:23 GMT -5
When you use ollydbg and attach to the pol.exe process, do you need to be fully logged in, i.e. in windower mode? I would assume so. Oh, btw, your post is definitely good eats.. Once I get that base address, I can then go hunting with WinHex, subtracting the base address from any offsets I find?
Metalo
Post by metalo on Oct 14, 2004 20:37:33 GMT -5
Oh duh, lol, it started up paused.
Post by Talisman on Oct 14, 2004 21:06:20 GMT -5
Yes, you will want to have a character logged in to find any meaningful values. I'm not familiar with WinHex, but I imagine it should work fine. Just subtract the base address as described above. You might consider using ollydbg if you need to run it anyway. I use tsearch to find numerical values and ollydbg to find strings. You can right click on the memory map and pick search to search through memory for a particular string.

Yes, ollydbg will pause the process when it attaches. You can push the play button to unpause it. Leave it paused for too long and it will time out from the server when you unpause it.

If you look at the FFXIOffsets.h file in the example code I posted there are a few offsets there to get you started. I found the hp/mp offsets using tsearch by searching for my hp, then changing subs and subsearching for the new value. I found the name offset by searching through memory with ollydbg.

I noticed that there was some sort of an offset tool posted on the FFACT forum. I imagine it just determines FFXiMain.dll's base address and does the subtraction for you. Might save you some work.
Post by metalo on Oct 15, 2004 0:45:54 GMT -5
Very kewl, very kewl, and very late at the moment. I really like ollydbg. I'm hunting away; hopefully next time we'll be able to help out Starhawk with snagging the new locations for him.
Metalo
Post by metalo on Oct 21, 2004 22:48:48 GMT -5
Could someone check this out? I might have found the Fishing Skill Level offset.
Using Tsearch: Address 2E563CFF, Offset 2BE33CFF
Fish I could post my Tsearch table.
Would love to have my base skill in my bot logs as well as the skill ups.
Metalo
Post by bubbagump on Oct 21, 2004 23:24:24 GMT -5
I think your offset is bunk... or you just found a 'dead' value, I guess you could call it.. How did you get your offset? A simple tool to find 'em is StarHawk's FFXi Offset maker (or do some math in your favorite hex-supporting calc program ^^): www.ffact.botanybay.net/ccount/click.php?id=22