How to find OWNPOSITION: Part 1

Tools
You can use alternates to any of these tools, these are the tools that will be explained though. All these tools are freeware or shareware and they will work even if you don't buy them. However I strongly suggest you purchace the software and support the developers.

• Debugger: OllyDbg
• Packet Sniffer: Ethereal
• Alt-Tab: Windower
• Hex Editor: WinHex
• Memory Locker: ArtMoney

The good Stuff
I'm gonna try and explain this with a lot of pictures and a lot of spelling errors. If you have any questions, feel free to email me.

So the first thing you will want to do is install all the tools. Then open FFXI up with Windower. Make sure it says "Windower Enabled" in the title or your gonna have problems (x64 users should use loader64). Log in to your char as you normaly would and then alt-tab out and launch Ethereal. The reason we are starting with Ethereal is so we can see what FFXI is sending to our good friends at SE.

In Ethereal, go to Capture->Interfaces and select your network card. After it's gotten a few UDP packets, you can stop the capture. Click on any of the UDP packets coming from your IP. Then in the middle section, click data. Repeat this process on a few packets and you will notice that the top always seems to be changing and the bottom looks encrypted. So after looking at a few packets, find the part that seems to stay the same in all the packets. I would recommend finding a part that has 4 consecutive nonzero digits. The reason we want numbers that arn't changing a lot is because we are going to have to search for these numbers in the memory. If we searched for a number that changed a lot we wouldn't get anywhere because we are too slow.

Now write that number down and close Ethereal. Open up ArtMoney. Set the process as the FFXI window (probably some random text). Now search for the number, but in reverse order. My number was FA E0 03 63, so I would search for 6303E0FA. It should then find about 6 results if you found the right part in ethereal, which is very manageable.

Now we are going to see what else is at those addresses, so we are going to open OllyDbg. To view the FFXI memory, we first have to attach to it.To do that, you can go to File->Attach and then select POL under the name column. As soon as the bottom right corner turns yellow, press f9. This will make sure you don't get kicked off FFXI for being unresponcive. As a general rule of thumb, you should not keep it paused for more than 30 seconds.

Once you are attached goto View->Memory. It will give you a list of base addresses. We will click on the part that says "stack of main thread" since it's address is right below the first address found by ArtMoney. Right click anywhere in the memory and say Hex->Hex/ASCII(16 bytes), then press ctrl-g and goto the first address ArtMoney displayed. It looks exactly like the data displayed in ethereal, but doesn't give us any new data, so try the next address from ArtMoney.

The second address has the same top and middle section as it did in the packets we found Ethereal, but the bottom part looks a lot less cluttered. This is probably the data sent to SE, but unencrypted. Thats a good thing ^^

Note: It is recommended that you are in your moghouse for this part

If you click around in the memory dump, you will notice that some of the values change, some stay the same, and some flip between one value and another. So once again, it is time to look for the values that don't change. Most of the values in this part that don't change arn't that interesting, so move around in game and see what happens when you switch back to OllyDbg. Three of the values (values = 4 bytes) that are flipping back and forth have changed. If you keep moving, then they keep changing. These values are your coordinates. My values start at 13BB34. Sadly, if you try and change these values, they will just flip right back. That means that the program probably keeps track of these coordinates somewhere else in the program.

So back to ArtMoney. This time we will search for the coordinates we have just found (still in reverse order). If you are lost right now, I'll give you a hint. When you walk into your moghouse your coordinates are X: 00 00 08 31 Y: 00 D7 23 BC Z: 00 00 00 00, the moghouse in S. Sandy anyways. So then I will search ArtMoney for 31080000h (h at the end means hexidecimal, must type it if there are no letters in the value) and I find 41 results. Then press the green arrow to monitor those 41 values. To make this list a little more manageable, move around in-game a little and then see what values change in ArtMoney. A lot of them will change to the same number. So press Filter and type in the number most of them changed too. My list went down to 13. Press clear on the bottom then the green arrow again.

Now that we have our coordinates and locations, we can try our first teleport. First double click on the first value and change it to 0. It will most likely either change back or your character won't move, teleport failed. But we have 12 more values to change, so go down the list and change them, see what happens. When you change one of the values, the rest will change also, if you check in game, you have been teleported somewhere else inside the MH, (Congratulations!)

Now if all has gone smoothly, you should be able to teleport without using any of the major tools. If you would like to keep reading, you will learn how to find the OWNPOSITION for POS and the others. Note that you should know some basic assembly if you are going to attempt this.

How to find OWNPOSITION: Part 2>>