nammidd How do I cheat?
Reputation: 0
Joined: 10 Apr 2020 Posts: 2
Posted: Fri Apr 10, 2020 1:40 pm Post subject: Getting the base address
Hello, I need to read values from another program using C++; practically, I use Cheat Engine for the first time. For example, take Heroes 3.
I found a static pointer through "Pointer scan for this address".
imgurdotcom/a/WRLYYeo
Could you please tell me what "Heroes3 HD.exe"+0029CCFC means? Is this the base address from which the program is running or what?
And how must I get this address? I googled that I can get the base address through EnumProcessModules, GetModuleFileNameEx and GetModuleInformation in C++, but I don't know how to calculate the obtained values to get the pointer I need.
Quote: | Module name: C:\Users\user\Downloads\Heroes of Might and Magic III Complete\Heroes3 HD.exe
Load address: 0x400000
Entry point: 0x61a884
Size of image: 2936832
Module name: C:\Windows\SYSTEM32\ntdll.dll
Load address: 0x77af0000
Entry point: 0x0
Size of image: 1699840
Module name: C:\Windows\SYSTEM32\wow64.dll
Load address: 0x75320000
Entry point: 0x7534e0d8
Size of image: 258048
Module name: C:\Windows\SYSTEM32\wow64win.dll
Load address: 0x752c0000
Entry point: 0x752ff90c
Size of image: 376832
Module name: C:\Windows\SYSTEM32\wow64cpu.dll
Load address: 0x752b0000
Entry point: 0x752b20f8
Size of image: 32768 |
OldCheatEngineUser Whateven rank
Reputation: 20
Joined: 01 Feb 2016 Posts: 1586
Posted: Fri Apr 10, 2020 3:41 pm
"executable.exe" is the image_base_address (a.k.a. preferred_load_address)
+123ABC is the offset from the image base address / preferred load address
in your case:
- "Heroes3 HD.exe" is 00400000h
- +0029CCFCh
equal to:
- 0069CCFC
0069CCFC is a memory location that points to 06014B30 according to the picture you provided.
however, you should not assume that the image base address will not change, nor that it will be loaded at its preferred address each time.
there are two variables that change the preferred load address each time you launch the executable:
- relocations
- ASLR
thus, you should always obtain the address using the Win32 APIs.
and it's a good reason why CE displays the image base as a symbol + offset to image data (i.e. fixed / static data sections that reside within the raw executable)
_________________
About Me;
I Use CE Since Version 1.X, And Still Learning How To Use It Well!
Jul 26, 2020
STN wrote: | i am a sweetheart. |
nammidd How do I cheat?
Reputation: 0
Joined: 10 Apr 2020 Posts: 2
Posted: Sat Apr 11, 2020 2:01 am
Thank you very much, I understood it quite well, except that
OldCheatEngineUser wrote: | 0069CCFC is a memory location that points to 06014B30 according to the picture you provided.
|
using "ReadProcessMemory" for this address 0069CCFC, I am getting 68E3AC90. Am I doing something wrong?
Code: | // buffer receives the value stored at the target address
LPVOID buffer = NULL;
// pass the address of buffer so the result is written into it
ReadProcessMemory(handle, LPCVOID(0x400000 + 0x0029CCFC), &buffer, sizeof(buffer), NULL); |
OldCheatEngineUser Whateven rank
Reputation: 20
Joined: 01 Feb 2016 Posts: 1586
Posted: Sat Apr 11, 2020 6:27 am
assuming 68E3AC90 resides in a region that's allocated during runtime, then it should be valid although it's high for a 32-bit process.
you will have to re-read 68E3AC90 + offset B4 and treat the value read as an int/dword, and see if it makes sense to you.
again, you should not hardcode the image base address, and it would be better if you implement it in a loop and have an array of offsets to add and read from. (instead of multiple RPMs and hardcoded offsets)
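The arithmetic described in the two answers above, as an added example that is not part of the original posts: resolve a `"module"+offset` pair against the load address reported at run time, then walk an array of offsets with one read per level. `Module`, `ReadFn`, `resolve`, `follow`, `fake_target` and the relocated base `0x00A50000` are assumptions for illustration; the simulated memory is constructed so the code runs offline.

```cpp
#include <cstdint>
#include <cstring>
#include <functional>
#include <map>
#include <string>
#include <vector>

// Added illustration: all names are hypothetical, sample data is constructed.
struct Module { std::string name; uint32_t base; uint32_t size; };

// Reads len bytes at addr in the target; false if the range is unreadable.
// On Windows this callback would wrap ReadProcessMemory (assumption).
using ReadFn = std::function<bool(uint32_t addr, void* out, size_t len)>;

// Resolve "module"+offset against the load address reported at run time,
// rejecting unknown modules and offsets outside the mapped image.
bool resolve(const std::vector<Module>& mods, const std::string& name,
             uint32_t offset, uint32_t* out) {
    for (const Module& m : mods)
        if (m.name == name && offset < m.size) { *out = m.base + offset; return true; }
    return false;
}

// Follow a pointer chain: read the pointer stored at addr, add the next offset,
// repeat. The target is 32-bit, so each pointer is read as uint32_t, not void*.
bool follow(const ReadFn& read, uint32_t addr,
            const std::vector<uint32_t>& offsets, uint32_t* out) {
    for (uint32_t off : offsets) {
        uint32_t ptr = 0;
        if (!read(addr, &ptr, sizeof ptr) || ptr == 0) return false;
        addr = ptr + off;
    }
    *out = addr; return true;
}

// Constructed stand-in for a target process: a sparse map of 32-bit words.
ReadFn fake_target(std::map<uint32_t, uint32_t> words) {
    return [words](uint32_t addr, void* out, size_t len) {
        auto it = words.find(addr);
        if (it == words.end() || len != sizeof(uint32_t)) return false;
        std::memcpy(out, &it->second, len);
        return true;
    };
}

int main() {  // image relocated to a constructed base instead of 0x400000
    uint32_t a = 0;
    return resolve({{"Heroes3 HD.exe", 0x00A50000, 2936832}}, "Heroes3 HD.exe", 0x0029CCFC, &a) && a == 0x00CECCFC ? 0 : 1;
}
```

The address returned by `follow` is where the final value lives; one more read of that address as a DWORD yields the value itself.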
vityaschel How do I cheat?
Reputation: 0
Joined: 17 Jun 2022 Posts: 2 Location: Russia, Samara
Posted: Fri Jun 17, 2022 10:04 pm
OldCheatEngineUser wrote: |
"executable.exe" is the image_base_address (a.k.a. preferred_load_address)
+123ABC is the offset from the image base address / preferred load address
in your case:
- "Heroes3 HD.exe" is 00400000h
- +0029CCFCh
equal to:
- 0069CCFC
0069CCFC is a memory location that points to 06014B30 according to the picture you provided.
however, you should not assume that the image base address will not change, nor that it will be loaded at its preferred address each time.
there are two variables that change the preferred load address each time you launch the executable:
- relocations
- ASLR
thus, you should always obtain the address using the Win32 APIs.
and it's a good reason why CE displays the image base as a symbol + offset to image data (i.e. fixed / static data sections that reside within the raw executable) |
Thank you for your help and sorry for bumping this thread. Can you help me with getting image_base_address / preferred load address?
TsTg Master Cheater
Reputation: 5
Joined: 12 Dec 2012 Posts: 340 Location: Somewhere....
Posted: Sat Jun 18, 2022 8:12 pm
the easiest API way to get the process executable's base address, is by calling GetModuleHandleA(0) function, just pass parameter zero and Windows will grab the base address of your "game.exe", and that will be the function's return value, or zero in case of error.
vityaschel How do I cheat?
Reputation: 0
Joined: 17 Jun 2022 Posts: 2 Location: Russia, Samara
Posted: Sun Jun 19, 2022 3:38 am
TsTg wrote: | the easiest API way to get the process executable's base address, is by calling GetModuleHandleA(0) function, just pass parameter zero and Windows will grab the base address of your "game.exe", and that will be the function's return value, or zero in case of error. |
Interesting approach 🤔
But I already found a better way to achieve my goal. I didn't realize I could use LpBaseDll as the executable name (which is a base address alias, I think?). Anyways, I found this because I accidentally wrote the executable name in the address field in Cheat Engine and in the bottom list it showed the real hex address instead of the executable name. I wrote a detailed answer here: stackoverflow/a/72674927/13689893