Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
 


How to find the base address using a 3 level pointer
PanagiotisIatrou
Newbie cheater
Reputation: 0

Joined: 17 Sep 2016
Posts: 13

Posted: Sat Sep 17, 2016 5:43 am    Post subject: How to find the base address using a 3 level pointer

Ok, I am a complete beginner with Cheat Engine, addresses, memory etc., and I am warning you, proceed with caution: this might be just a stupid question.

So, I am trying to find the base static memory address of the ammo in Counter Strike 1.6.
In order to achieve this I tried the pointer scan method, with which I got a 3 level pointer (which consists of 3 addresses and 3 offsets).
I restarted the game several times and I noticed that it was all good and fine and that the pointer was the "static" one, which doesn't change every time you open the game.
But how am I going to use this in my code? I mean, I know that I'll use the 3 offsets in an array, but what address will I choose using the 3 level pointer which I found earlier? The problem here is that the 3rd address of the pointer started with "hw.dll"+[address] instead of just the address, which got me confused.

Any help would be much appreciated.
mgostIH
Expert Cheater
Reputation: 3

Joined: 01 Jan 2016
Posts: 159

Posted: Sat Sep 17, 2016 6:05 am

You can use the EnumProcessModules function from the WinAPI; here are the details:
https://msdn.microsoft.com/en-us/library/windows/desktop/ms682631(v=vs.85).aspx

Anyway, it's strange that there's no .exe static address for ammo; are you sure the pointer scanner doesn't have results relying on it?

_________________
Do you need to ask me something? Feel free to join my discord server at: https://discord.gg/At4VZXA or ask me something in my YouTube channel: https://www.youtube.com/c/mgostIH
PanagiotisIatrou
Newbie cheater
Reputation: 0

Joined: 17 Sep 2016
Posts: 13

Posted: Sat Sep 17, 2016 7:54 am

I still didn't understand how to get the static base address of a 3 level pointer.
However here is a screenshot of the pointer scan:
ParkourPenguin
I post too much
Reputation: 140

Joined: 06 Jul 2014
Posts: 4293

Posted: Sat Sep 17, 2016 8:19 am

Try reading what the EnumProcessModules function does. Or just use Google... that's a very frequently asked question with many explanations and examples to learn from.
_________________
I don't know where I'm going, but I'll figure it out when I get there.
PanagiotisIatrou
Newbie cheater
Reputation: 0

Joined: 17 Sep 2016
Posts: 13

Posted: Sat Sep 17, 2016 8:39 am

ParkourPenguin wrote:
Try reading what the EnumProcessModules function does. Or just use Google... that's a very frequently asked question with many explanations and examples to learn from.


Hello,

I read the documentation for the function you mentioned and also googled it, but I did not understand exactly what this does and how it is related to the base address. As I said before, I am very new to things like addresses, offsets etc.
ParkourPenguin
I post too much
Reputation: 140

Joined: 06 Jul 2014
Posts: 4293

Posted: Sat Sep 17, 2016 8:53 am

Just Google "get module base address" or something similar.

Note that there's also CreateToolhelp32Snapshot:
http://forum.cheatengine.org/viewtopic.php?t=563414

mgostIH
Expert Cheater
Reputation: 3

Joined: 01 Jan 2016
Posts: 159

Posted: Sat Sep 17, 2016 1:53 pm

It doesn't matter if it's a 3 level pointer, you want to find the address of hw.dll.
To do so, you have to iterate through the modules of the cs:go process and find the address of that.

PanagiotisIatrou
Newbie cheater
Reputation: 0

Joined: 17 Sep 2016
Posts: 13

Posted: Sat Sep 17, 2016 2:23 pm

ParkourPenguin wrote:


Hi,

I am a complete beginner with addresses and stuff like that, so I can't really understand how to do it even if I google it. It all seems very weird and I would like you to explain the whole process of how to find the address of "hw.dll"+[address] like I am 5 years old.
PanagiotisIatrou
Newbie cheater
Reputation: 0

Joined: 17 Sep 2016
Posts: 13

Posted: Sun Sep 18, 2016 4:33 am

mgostIH wrote:
It doesn't matter if it's a 3 level pointer, you want to find the address of hw.dll.
To do so, you have to iterate through the modules of the cs:go process and find the address of that.


Hello,

I searched how to iterate through all the modules of a process, so I copied and pasted a function that prints all the modules in the specified process. I ran the program and then it started spamming various stuff. Then I pressed Ctrl + F and searched for "hw.dll". It got me something like 0x04A20000. So I guess that's the static address of "hw.dll". So what I did is go to a website which adds 2 hex numbers, entered as the first one the hw.dll one, which is 04A20000, and as the second one the "hw.dll"+[ADDRESS] one (the address part). I added them and it resulted in 51092AC. So then I went to Cheat Engine and replaced "hw.dll"+[address] with 51092AC and it had the same result! So, what am I going to do now? I feel that I am so close!
mgostIH
Expert Cheater
Reputation: 3

Joined: 01 Jan 2016
Posts: 159

Posted: Sun Sep 18, 2016 6:58 am

Make the process of getting that address automatic.
While iterating, you can use functions to check the right dll string and get its address.
After that, just do the pointer operations you need to do, I hope you know what I am talking about (Read from address, add offset, read again...)

PanagiotisIatrou
Newbie cheater
Reputation: 0

Joined: 17 Sep 2016
Posts: 13

Posted: Sun Sep 18, 2016 7:49 am

Ok, I understood the first 2 sentences but not the 3rd one... What do you mean here? Do you mean to do something in code or in Cheat Engine?
mgostIH
Expert Cheater
Reputation: 3

Joined: 01 Jan 2016
Posts: 159

Posted: Sun Sep 18, 2016 8:26 am

So let's say you have this pointer: [[[game.exe+0x30000]+0xFC]+0xE0]

You get the game.exe address (in your case, hw.dll), add the offset 0x30000 and read from that address.
You need to read 4 bytes from that address, and treat it as a DWORD or PVOID in your code.

Now, we continue with the next offset, 0xFC.
You take the value you read before, add 0xFC and read again the new value you get from that address (you might do this with the ReadProcessMemory function).
Now the same thing for 0xE0: you take the address you got before, add 0xE0 to it and finally read the value you get.

When you complete all the offsets, you'll be left with a final address. That's the one you were looking for with Cheat Engine.

Hope I explained myself better this time.

PanagiotisIatrou
Newbie cheater
Reputation: 0

Joined: 17 Sep 2016
Posts: 13

Posted: Sun Sep 18, 2016 9:01 am

Hello,

I read what you say and I have some questions:

1) When you say "[[[game.exe+0x30000]+0xFC]+0xE0] " you mean that there is a pointer with 1 address and 3 offsets? If so, I am sorry that I didn't know it so I did not clarify it. My pointer is this:

Address | Offset
06B78F60 | CC
0C4D9AF8 | 5D8
"hw.dll"+006E92AC | 7C ( where I know how to get the address of "hw.dll" and add it to 006E92AC)

2) By saying: "read from that address" and/or "read 4 bytes from that address" what exactly do you mean?
mgostIH
Expert Cheater
Reputation: 3

Joined: 01 Jan 2016
Posts: 159

Posted: Sun Sep 18, 2016 12:11 pm

PanagiotisIatrou wrote:
-


First of all [[[game.exe + 0xsuboffset] + 0xoffset1] + offset2] ...] is a notation you should really learn about and use when talking about pointers.
The "game.exe" parenthesis is the one representing your static address, as a sum of the base address of your .DLL or .EXE and a suboffset (I call it suboffset because you don't really consider it in the pointer level count, and you don't see it in CE either).

Using some images:


"ac_client.exe"+ 0xsomething is your static address, 0x0 is the first offset and 0xF4 is the second offset.

So, in our pointer notation, the final address would look like this:
[[["ac_client.exe" + 0xsomething] + 0x0] + 0xF4]

Now, since you wrote you are using C++, I'll write some code here that gets you your final address:

Code:

   DWORD final_addr;
   DWORD temp_addr;
   ReadProcessMemory(handle, (LPVOID)(base_addr + 0xsomething), &final_addr, 4, NULL);
   temp_addr = final_addr;
   ReadProcessMemory(handle, (PVOID)(temp_addr + 0xoffset1), &final_addr, 4, NULL);
   temp_addr = final_addr;
   ReadProcessMemory(handle, (PVOID)(temp_addr + 0xoffset2), &final_addr, 4, NULL);
   //Now final_addr will be your desired address, you can write on it with WPM
   DWORD value = 30;
   WriteProcessMemory(handle, (PVOID)final_addr, &value, sizeof(value), NULL);


Of course now it's your job to put the right offsets and variables there.

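The read, add offset, read again walk described in this post, as an added example that is not part of the original thread: it resolves the chain against a small constructed memory map instead of a live process (each lookup stands in for one ReadProcessMemory call), following the Cheat Engine convention that the last offset is added without a further read. The module offset, the three offsets and the two hw.dll base values come from the thread; the order of the offsets and all heap contents are assumptions made for the demonstration.

```cpp
#include <cstdint>
#include <cstdio>
#include <map>
#include <vector>

// Constructed stand-in for a 32-bit process image: address -> 4-byte value.
// Against a live process each lookup would be one ReadProcessMemory call.
using Memory = std::map<uint32_t, uint32_t>;

// Returns false when the address is unmapped, like a failed read.
bool read_u32(const Memory& mem, uint32_t addr, uint32_t* out) {
    auto it = mem.find(addr);
    if (it == mem.end()) return false;
    *out = it->second;
    return true;
}

// Walk [[[static_addr]+off0]+off1]+off2: read a pointer, add the next offset,
// repeat. The last offset is added but not dereferenced, so the result is
// the address of the value itself. Every read is checked.
bool resolve_chain(const Memory& mem, uint32_t static_addr,
                   const std::vector<uint32_t>& offsets, uint32_t* out) {
    uint32_t addr = static_addr;
    for (uint32_t off : offsets) {
        uint32_t ptr = 0;
        if (!read_u32(mem, addr, &ptr) || ptr == 0) return false;  // broken or null link
        addr = ptr + off;
    }
    *out = addr;
    return true;
}

const uint32_t kHwRva = 0x006E92AC;                          // "hw.dll"+006E92AC
const std::vector<uint32_t> kOffsets = {0x7C, 0x5D8, 0xCC};  // assumed order

// Constructed heap layout for a run where hw.dll is loaded at hw_base.
Memory sample_memory(uint32_t hw_base) {
    return {
        {hw_base + kHwRva, 0x0C400000},  // static slot -> first object
        {0x0C40007C, 0x06B00000},        // [first + 0x7C] -> second object
        {0x06B005D8, 0x07300000},        // [second + 0x5D8] -> third object
        {0x073000CC, 30},                // third + 0xCC holds the value
    };
}

int main() {
    Memory mem = sample_memory(0x04A20000);  // module base seen in one run
    uint32_t addr = 0, value = 0;
    bool ok = resolve_chain(mem, 0x04A20000 + kHwRva, kOffsets, &addr);
    if (ok && read_u32(mem, addr, &value))
        std::printf("current base: 0x%08X holds %u\n", (unsigned)addr, (unsigned)value);
    // Same chain, but with a module base left over from a different run.
    bool stale = resolve_chain(mem, 0x04920000 + kHwRva, kOffsets, &addr);
    std::printf("stale base:   %s\n", stale ? "resolved" : "first read failed");
    return 0;
}
```

The second call shows why the module base has to be looked up on every run rather than hard-coded: with a base from another run the very first read misses, and only the checked return value makes that visible.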
PanagiotisIatrou
Newbie cheater
Reputation: 0

Joined: 17 Sep 2016
Posts: 13

Posted: Sun Sep 18, 2016 1:02 pm

Ok, so I replaced the offsets, addresses etc. but now it just doesn't work...
Here is the code:

Code:
   DWORD final_addr;
   DWORD temp_addr;
   ReadProcessMemory(processHandle, (LPVOID)(0x04920000 + 0x006E92AC), &final_addr, 4, NULL);
   temp_addr = final_addr;
   ReadProcessMemory(processHandle, (PVOID)(temp_addr + ammoOffsets[0]), &final_addr, 4, NULL);
   temp_addr = final_addr;
   ReadProcessMemory(processHandle, (PVOID)(temp_addr + ammoOffsets[1]), &final_addr, 4, NULL);
   //Now final_addr will be your desired address, you can write on it with WPM
   DWORD value = 30;
   WriteProcessMemory(processHandle, (PVOID)final_addr, &value, sizeof(value), NULL);

Just saying, 0x04920000 is the current base address of hw.dll. I'll look into how to actually get the base DLL address automatically in the future, when I see this works.
All times are GMT - 6 Hours