How to find OWNPOSITION: Part 2


Intro
If you ever wondered how MrArgus or POS use those offsets you give them, then this guide is for you. It will explain how to find the offset for OWNPOSITION, so the next time SE breaks all our tools, you can be the one that delivers the fix. Part way through this you will also be able to teleport without using MrArgus, POS, FFXIApp, or anything like that. Also, this is original content of FFXiLock.com and you are encouraged to visit it.

Disclaimer
Using any of the above tools will probably break the FFXI ToS; use them at your own risk. You will also probably crash FFXI many times while using these tools, so get used to it. Oh, and if you break something, it's not my fault; you should have known better ;)

The Good Stuff
This part will be much more technical than the last part, and it is recommended that you understand assembly. We will be looking for the offsets for FFXI in this part. We need offsets because every time FFXI loads, the coordinates of your character are stored at a different location in memory. The offset also changes whenever SE updates the game, so it's important that people know how to find it again.

We will start where we left off: you have just ported yourself for the first time using OllyDbg, Ethereal and ArtMoney. Now you need to know the address of the value you changed that allowed you to teleport. Switch back to OllyDbg and go to that address in the memory (View->Memory). Right click in the top left corner where the memory is showing your coordinate and place a "Breakpoint->Memory, on write." Soon it will say Paused in the bottom right. Right click on the memory and take the breakpoint off, then press f9, without closing the window that popped up.

Now switch back to the CPU window; it shows you where the assembly was trying to modify our coordinates. You will see from the "MOV DWORD PTR DS:[ECX],EDX" that the memory location is stored in ECX. ECX is loaded from the stack: "MOV ECX,DWORD PTR SS:[ESP+4]." So now we need to find where the memory location got put on the stack, since the location of the coordinates changes after every FFXI load. To do this we put the breakpoint back on the memory at the same location and open "View->Call Stack." You will probably see 2 or 3 entries under call stack; if you only see 2, press f9 until there are more. When there are more, remove your breakpoint and press f9.

Now we want to see what function called the function that is modifying the memory. So in call stack, we double click the top right value under "called from." Here we see that there are two values being pushed to the stack. We care about the second one, EAX, since the stack is first in, last out (FILO) and CALL also pushes a return address. Just above the call, we see that 34h was added to EAX, and before that EAX was loaded from memory [ESI+90].

Now we know that [ESI+90] is a pointer to a pointer to our coordinates. So let's find out what ESI is, since the memory at [ESI+90] changes every FFXI load. We would scroll up until we see a "mov esi," or "lea esi," but I've already done it and it's at the very top of this very long function, right beneath "PUSH ESI." At this time you should write down the value of ESI because we are going to track it by value. However, the value (ECX) that is being loaded into ESI isn't specific, so we must go back to the call stack. If yours blanked out, then repeat the process we did before, except this time double click the value right under the top value (in the screenshot it is FFXiMain.0292B783).

Remember that ESI was loaded from ECX just after it was pushed in the last function, so now we are going to see when ECX was last modified. To do this, just scroll up a little until you see an instruction that starts with "MOV ECX." The first one I see is "MOV ECX,ESI" right above the call, so once again we are looking for something that modifies ESI. If we scroll up some more we can see [EDI] being MOVed to ESI, and two lines up, a direct memory location is being MOVed to EDI. So we go back to our Dump window, press ctrl-g and go to the location being put in EDI. We then put a memory breakpoint on that. If it switches to Paused and the instruction executing is "REP STOS" or something like that, press f9 until it switches to a MOV instruction. The "REP STOS" zeros memory; that's why all the memory around this location is filled with zeros.

When you get to the MOV instruction, remove the memory breakpoint and open the call stack again. Press f9 to unfreeze FFXI. On this MOV we can see that ESI is being saved to the memory location we just came from, so we now want to see what is being loaded into ESI. There is nothing until the very top, where there is a "PUSH ESI" followed by a "MOV ESI, ECX." So in the call stack, click on the one in the top right. We are going to track what gets loaded into ECX. If you scroll up, you will see that ECX gets messed with a lot, so now we have to track the flow of the data.

Remember when I told you to write down the value of ESI? Here's where you need it. You are going to place a breakpoint right after every instruction that modifies ECX. To do that, click on a line and press f2 (f2 also removes a breakpoint). Press f9 a couple of times and see if ECX is ever equal to the old value of ESI; if it is, then that is an instruction you want to keep in mind. The reason we are doing this is that many of the instructions will just skip over our call; notice the "JE SHORT" right above it. When ECX is equal to the old ESI, we know it has a possibility of making it to our call. Also, if you are getting tired of pressing f9 all the time, you can try a conditional breakpoint by right clicking on a line and selecting Breakpoints->Conditional. Then for the expression type "ecx == <old esi>."

After finding a couple that work and a couple that don't, you will notice that a few of them are loaded from the same memory offset (in my screenshot, 2C5FDE0). This is actually one of the offsets used in POS and the others: it is NPCMAP. However, there is another part to that memory address, which is some register being multiplied by 4. Most of the places where ECX was modified were inside a loop, but there is one, not too far from the call, where EAX is loaded from a memory location (on my screen it is 2c625FA). This is what we have been searching for, ladies and gentlemen: OWNPOSITION.

Ok, if you are looking at the addresses in your own mrargus.ini and saying that they don't look the same, you are correct. The last step is to actually turn these values into offsets. In my screenshot, the base address is 02890000h, so we simply subtract that value from NPCMAP to get the offset (02C5FDE0 - 02890000 = 3CFDE0). You can do the same with OWNPOSITION; this value will not line up with the published values, but it does work correctly (I even restarted and tried on different computers with the same result). If you must have the published numbers, then check what's stored at the position you found, do a search for that in ArtMoney, go into a different area and filter so only the numbers that changed are shown; the top one is the one that is published.
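To make the pointer chain and the rebasing arithmetic concrete, here is an added example (not part of the original guide, and not code from MrArgus or POS) that models it over a constructed little-endian memory image. The static address, module base and pointer values are taken from the screenshots above or are labelled as constructed; the chain walked is OWNPOSITION -> ESI, [ESI+90h] -> pointer, pointer + 34h -> coordinate, exactly as traced in the text.

```python
import struct

# Module base from the screenshot in the text (FFXiMain.dll loaded at 02890000h).
MODULE_BASE = 0x02890000
# Static addresses found during the trace (from the text).
NPCMAP_ADDR = 0x02C5FDE0
OWNPOSITION_ADDR = 0x02C625FA


def rebase(address, base=MODULE_BASE):
    """Turn an absolute in-process address into a module-relative offset (what mrargus.ini wants)."""
    if address < base:
        raise ValueError(f"address {address:#x} is below module base {base:#x}")
    return address - base


class Memory:
    """Flat byte-addressed memory built from constructed 32-bit little-endian words."""

    def __init__(self, words):
        self.buf = {}
        for addr, value in words.items():
            for i, b in enumerate(struct.pack("<I", value)):
                self.buf[addr + i] = b

    def read_u32(self, addr):
        try:
            return struct.unpack("<I", bytes(self.buf[addr + i] for i in range(4)))[0]
        except KeyError:
            raise ValueError(f"unmapped read at {addr:#x}") from None

    def read_f32(self, addr):
        return struct.unpack("<f", struct.pack("<I", self.read_u32(addr)))[0]


def follow_chain(mem, start, offsets):
    """Dereference every offset but the last; the last is added, not dereferenced
    (mirrors MOV EAX,[ESI+90] then ADD EAX,34 then MOV [ECX],EDX)."""
    addr = start
    for off in offsets[:-1]:
        addr = mem.read_u32(addr + off)
    return addr + offsets[-1]


# Constructed sample image: the object (ESI) and pointer values are invented for illustration.
ESI_VALUE = 0x0A1B2C30
INNER_PTR = 0x0B000100
SAMPLE_MEMORY = Memory({
    OWNPOSITION_ADDR: ESI_VALUE,            # OWNPOSITION holds the entity/object pointer
    ESI_VALUE + 0x90: INNER_PTR,            # [ESI+90h] holds the pointer to the position block
    INNER_PTR + 0x34: struct.unpack("<I", struct.pack("<f", -123.5))[0],  # X coordinate
})


def own_x_coordinate(mem=SAMPLE_MEMORY):
    """Resolve the coordinate the trace wrote to and read it as a float."""
    return mem.read_f32(follow_chain(mem, OWNPOSITION_ADDR, [0x0, 0x90, 0x34]))
```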