      #1 [GH]Rake (Administrator)

      Get Module Base Address Tutorial (Spoonfed)

      How to Call Game Functions
      dwGetModuleBaseAddress

      All .exe and .dll files, when loaded into memory, are referred to as "modules".

      When adding addresses to your Cheat Engine table, and especially when using pointers, you will often find the address listed like this:
      [screenshot]

      Or maybe like this:
      server.dll + 004EE83

      This is using a relative offset from the address of a module. To see if an address is offset from a certain module, make sure you enable this:
      [screenshot]

      Then in the memory viewer use "Go To Address" to go to the address. Regardless of whether it is data or code, this will tell you what module it is offset from.

      To view all the modules loaded by the process in Cheat Engine and view their addresses, do this:
      [screenshot]

      Also, you can use Dissect PE Headers to view relative information:
      [screenshot]
      MZ-Start is the address of the module as it is currently loaded in memory. Preferred ImageBase is parsed straight from the PE header and is the location it prefers to be loaded at. If that memory address is already taken, it will relocate.

      When an .exe is executed, the Windows loader creates a process for it and gives it its own virtual memory space. The loader loads the executable into memory and then any .dlls that are called by the process. The PE header for the .dll defines an ImageBase address. The Windows loader will try to load the .dll at that ImageBase within the virtual memory space of the process that requires it. If that space is already occupied, it will be loaded at a different location. If this happens, hardcoded addresses in our hacks will not work.

      Now let's say we have a pointer:
      ac_client.exe + 109B74

      Now the ImageBase pulled from the PE header of ac_client.exe is "00400000".
      We can only have one executable for each process, which is an empty memory space until ac_client.exe is loaded. There is nothing blocking ac_client.exe from loading at its ImageBase. So the base address of a .exe is always the same.

      The ONLY time a .exe isn't loaded at the ImageBase stored in the PE header is when ASLR (Address Space Layout Randomization) is enabled on the OS and the DynamicBase flag is set, which enables the OS to randomize the virtual address of the module.

      We can just evaluate this before placing it in the code:
      ac_client.exe + 109B74
      00400000 + 109B74
      509B74

      This is the definition of a static address: it may be relative to the base address of the executable in the binary on disk, but it is always static in memory after relocations have occurred.

      But for .DLLs that can be relocated:

      "server.dll + 004EE83" works in Cheat Engine because Cheat Engine evaluates the address of server.dll. CE will get the address of server.dll and replace it with the address at which the module is loaded.
      So let's say the address of module server.dll is 0x10000000; Cheat Engine will evaluate:

      server.dll + 004EE83
      0x10000000 + 004EE83
      1004EE83

      The above evaluation is done by Cheat Engine while the program is running.

      But when you are trying to use this in an external trainer, you need to evaluate "server.dll" + 004EE83 yourself. There are multiple ways of doing this, and we will discuss one of them now.

      To do this externally you can use this widely used function named dwGetModuleBaseAddress.

      Basically it uses the Windows API CreateToolhelp32Snapshot to get a snapshot of all loaded modules for the given process; it then iterates through all the loaded modules and finds the module with the module name you give it. It returns a DWORD_PTR holding the module address. You input the ProcessID and the name of the module, and it outputs the address of the module.

      Includes:
      // Place these with your other includes (windows.h must be included before tlhelp32.h)
      #include <tlhelp32.h>
      #include <tchar.h>


      Function Prototype:
      // Place this in the global namespace anywhere before the function is defined and called.
      DWORD_PTR dwGetModuleBaseAddress(DWORD dwProcID, TCHAR *szModuleName);


      Function Definition:
      // Place this anywhere in the global namespace
      DWORD_PTR dwGetModuleBaseAddress(DWORD dwProcID, TCHAR *szModuleName)
      {
          DWORD_PTR dwModuleBaseAddress = 0;
          // Snapshot of every module in the target process (TH32CS_SNAPMODULE32 also lists
          // the 32-bit modules of a WOW64 process when called from a 64-bit trainer)
          HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE | TH32CS_SNAPMODULE32, dwProcID);
          if (hSnapshot != INVALID_HANDLE_VALUE)
          {
              MODULEENTRY32 ModuleEntry32;
              ModuleEntry32.dwSize = sizeof(MODULEENTRY32); // must be set before Module32First
              if (Module32First(hSnapshot, &ModuleEntry32))
              {
                  do
                  {
                      // Case-insensitive compare against the module's file name
                      if (_tcsicmp(ModuleEntry32.szModule, szModuleName) == 0)
                      {
                          dwModuleBaseAddress = (DWORD_PTR)ModuleEntry32.modBaseAddr;
                          break;
                      }
                  } while (Module32Next(hSnapshot, &ModuleEntry32));
              }
              CloseHandle(hSnapshot);
          }
          return dwModuleBaseAddress; // 0 if the module was not found
      }


      The Function Call

      DWORD_PTR serverdllBaseAddress = 0;
      serverdllBaseAddress = dwGetModuleBaseAddress(dwProcId, _T("server.dll"));




      1) You will need to FindWindow() to get the HANDLE to the window and pass it to GetWindowThreadProcessId() to get the dwProcId.
      You can see this in Fleep's Hack Any Game Tutorial

      You can learn more about ToolHelp32Snapshot:
      https://msdn.microsoft.com/en-us/lib...(v=vs.85).aspx
      https://msdn.microsoft.com/en-us/lib...(v=vs.85).aspx

      I explain how all this works in this tutorial at ?t=665
      https://youtu.be/jLfPdujSuRA?t=665


      Spoiler: Credits
      I'm using the exact code from [email protected]; I have found similar sources from [email protected] in 2010 and [email protected] in 2009.
      And Syperus was kind enough to post this code on GuidedHacking.com; there is also a similar function in NuBtiK's HackProcess.h,
      and of course FindDmaAddy is from Fleep.
      Last edited by [GH]Rake; 05-26-2015 at 03:03 PM. Reason: Update!
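The Preferred ImageBase, the DynamicBase flag and the "module + offset" arithmetic from the post above, worked through in an added example that is not code from the original post, from Cheat Engine, or from any of the credited sources. It reads the two fields the Dissect PE Headers step displays out of a PE header, then evaluates a Cheat Engine style address against the base the module actually occupies, which is the ASLR case where a hardcoded absolute address breaks. It goes slightly beyond the post in that it handles PE32+ (64-bit) headers as well as PE32. The header bytes are constructed inline by build_image() and are not a real ac_client.exe or server.dll; the 0x00D50000 load base used in main() is an assumed value, not an address from any game.

```c
/* Added example, not from the original post or from Cheat Engine: read the two
 * PE header fields shown by the "Dissect PE Headers" step (Preferred ImageBase
 * and the DynamicBase/ASLR flag) and do the "module + offset" math Cheat Engine
 * does at run time. build_image() constructs the header bytes; they are not a
 * real ac_client.exe or server.dll, and the 0x00D50000 load base is assumed. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define OPT_MAGIC_PE32       0x10B
#define OPT_MAGIC_PE32PLUS   0x20B
#define DLLCHAR_DYNAMIC_BASE 0x0040   /* IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE */
#define PE32_OPT_SIZE        224
#define PE32PLUS_OPT_SIZE    240
#define MAX_IMAGE            (0x40 + 4 + 20 + PE32PLUS_OPT_SIZE)

struct pe_info {
    uint64_t preferred_base;  /* OptionalHeader.ImageBase: where the loader tries first */
    int dynamic_base;         /* nonzero: with ASLR on, the OS may choose another base */
    int is_pe32plus;          /* nonzero: 64-bit image with an 8-byte ImageBase */
};

/* Little-endian field access; PE headers are little-endian on every host. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | (uint32_t)rd16(p + 2) << 16; }
static uint64_t rd64(const uint8_t *p) { return rd32(p) | (uint64_t)rd32(p + 4) << 32; }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }
static void wr64(uint8_t *p, uint64_t v) { wr32(p, (uint32_t)v); wr32(p + 4, (uint32_t)(v >> 32)); }

/* MZ -> e_lfanew -> "PE\0\0" -> COFF header -> optional header, every read
 * bounds-checked against len so a truncated or hostile header cannot run past
 * the buffer. Returns 0 on success, -1 if the header is malformed. */
int parse_pe_header(const uint8_t *img, size_t len, struct pe_info *out)
{
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return -1;
    uint32_t e_lfanew = rd32(img + 0x3C);
    if (e_lfanew > len || len - e_lfanew < 4 + 20 + 2) return -1;
    const uint8_t *nt = img + e_lfanew;
    if (memcmp(nt, "PE\0\0", 4) != 0) return -1;
    const uint8_t *coff = nt + 4, *opt = coff + 20;
    uint16_t opt_size = rd16(coff + 16);                    /* SizeOfOptionalHeader */
    if (opt_size < 72 || (size_t)(opt - img) + opt_size > len) return -1;
    uint16_t magic = rd16(opt);
    if (magic == OPT_MAGIC_PE32) {
        out->is_pe32plus = 0;
        out->preferred_base = rd32(opt + 28);               /* ImageBase follows BaseOfData */
    } else if (magic == OPT_MAGIC_PE32PLUS) {
        out->is_pe32plus = 1;
        out->preferred_base = rd64(opt + 24);               /* PE32+ has no BaseOfData */
    } else {
        return -1;
    }
    out->dynamic_base = (rd16(opt + 70) & DLLCHAR_DYNAMIC_BASE) != 0;  /* DllCharacteristics */
    return 0;
}

/* "module + offset" as Cheat Engine evaluates it: RVA plus the base the module
 * actually occupies. *relocated tells you the loader moved it, which is exactly
 * when a hardcoded absolute address stops working. */
uint64_t resolve(const struct pe_info *pe, uint64_t loaded_base, uint64_t rva, int *relocated)
{
    if (relocated) *relocated = loaded_base != pe->preferred_base;
    return loaded_base + rva;
}

/* Absolute address captured at the preferred base -> RVA, the form that survives relocation. */
uint64_t to_rva(const struct pe_info *pe, uint64_t absolute) { return absolute - pe->preferred_base; }

/* Write a minimal constructed PE header into buf (not a loadable executable). */
size_t build_image(uint8_t *buf, int pe32plus, uint64_t image_base, uint16_t dllchars)
{
    size_t opt_size = pe32plus ? PE32PLUS_OPT_SIZE : PE32_OPT_SIZE;
    size_t len = 0x40 + 4 + 20 + opt_size;
    memset(buf, 0, len);
    buf[0] = 'M'; buf[1] = 'Z';
    wr32(buf + 0x3C, 0x40);                                 /* e_lfanew */
    memcpy(buf + 0x40, "PE\0\0", 4);
    uint8_t *coff = buf + 0x44, *opt = coff + 20;
    wr16(coff + 16, (uint16_t)opt_size);                    /* SizeOfOptionalHeader */
    if (pe32plus) { wr16(opt, OPT_MAGIC_PE32PLUS); wr64(opt + 24, image_base); }
    else          { wr16(opt, OPT_MAGIC_PE32);     wr32(opt + 28, (uint32_t)image_base); }
    wr16(opt + 70, dllchars);
    return len;
}

int main(void)
{
    uint8_t img[MAX_IMAGE]; struct pe_info pe; int relocated;
    /* ac_client.exe as in the post: ImageBase 00400000, DynamicBase clear, 109B74 -> 509B74 */
    size_t n = build_image(img, 0, 0x00400000, 0);
    if (parse_pe_header(img, n, &pe) != 0) return 1;
    printf("ac_client.exe + 109B74 = %llX DynamicBase=%d\n",
           (unsigned long long)resolve(&pe, pe.preferred_base, 0x109B74, &relocated), pe.dynamic_base);
    /* A DynamicBase DLL placed at the assumed base 00D50000 instead of its preferred
     * 10000000: the hardcoded 1004EE83 has to be rebased through its RVA. */
    n = build_image(img, 0, 0x10000000, DLLCHAR_DYNAMIC_BASE);
    if (parse_pe_header(img, n, &pe) != 0) return 1;
    uint64_t addr = resolve(&pe, 0x00D50000, to_rva(&pe, 0x1004EE83), &relocated);
    printf("server.dll + 4EE83 at 00D50000 = %llX relocated=%d\n", (unsigned long long)addr, relocated);
    return 0;
}
```

The practical takeaway is the order of operations: store RVAs (the "module + offset" form), resolve the module base at run time with something like dwGetModuleBaseAddress, and only then add the two. The DynamicBase bit is what tells you whether skipping the run-time lookup for a .exe is safe on an ASLR-enabled OS.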

      #2 Solaire (Respected Hacker)
      Very useful, thanks!

      #3 zepixx (Newbie)
      Thanks pal, very useful! I'm sure others will appreciate this too.

      #4 [GH]Rake (Administrator)
      I updated this tutorial, making it a lot easier to understand. While doing so I had a question:

      When an .exe is executed, the Windows loader creates a process for it and gives it its own virtual memory space. The loader loads any .dlls that are called by the process. The PE header for the .dll defines an ImageBase address. The Windows loader will try to load the .dll at that ImageBase within the virtual memory space of the process that requires it. If that space is already occupied, it will be loaded at a different location. If this happens, hardcoded addresses in our hacks will not work.

      Now let's say we have a pointer:
      ac_client.exe + 109B74

      Now the ImageBase pulled from the PE header of ac_client.exe is "00400000".
      We can only have one executable for each process, which is an empty memory space until ac_client.exe is loaded. There is nothing blocking ac_client.exe from loading at its ImageBase.

      We can just evaluate this before placing it in the code:
      ac_client.exe + 109B74
      00400000 + 109B74
      509B74

      This is the definition of a static address.
      So is there any time when an .exe is not loaded at its ImageBase?


      Interesting Article: Why is 0x00400000 the default imagebase?
      Last edited by [GH]Rake; 05-26-2015 at 08:16 PM.

      #5 squeenie (Hacker)
      Quote Originally Posted by AnomanderRake View Post
      [...] So is there any time when an .exe is not loaded at its ImageBase?
      Nice tut, should help people grasp what's going on behind the scenes. BTW your link is broken

      #6 Solaire (Respected Hacker)
      Just thought I'd add to the thread by going step by step through grabbing a module's base address function. Mine slightly differs from Anomander's, but they do the same exact thing.

      #include <windows.h>
      #include <tlhelp32.h>

      DWORD_PTR GetModuleBase(const wchar_t * ModuleName, DWORD ProcessId){
          // This structure contains lots of goodies about a module (explicit W version,
          // since ModuleName is wchar_t this compiles with or without UNICODE defined)
          MODULEENTRY32W ModuleEntry = { 0 };
          // Grab a snapshot of all the modules in the specified process
          HANDLE SnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE | TH32CS_SNAPMODULE32, ProcessId);

          // On failure CreateToolhelp32Snapshot returns INVALID_HANDLE_VALUE, not NULL
          if (SnapShot == INVALID_HANDLE_VALUE)
              return 0;

          // You have to initialize the size, otherwise it will not work
          ModuleEntry.dwSize = sizeof(ModuleEntry);

          // Get the first module in the process
          if (!Module32FirstW(SnapShot, &ModuleEntry)){
              CloseHandle(SnapShot);   // don't leak the snapshot handle on the error path
              return 0;
          }

          do{
              // Check if the module name matches the one we're looking for
              if (!wcscmp(ModuleEntry.szModule, ModuleName)){
                  // If it does, close the snapshot handle and return the base address
                  // (DWORD_PTR rather than DWORD so a 64-bit address is not truncated)
                  CloseHandle(SnapShot);
                  return (DWORD_PTR)ModuleEntry.modBaseAddr;
              }
              // Grab the next module in the snapshot
          } while (Module32NextW(SnapShot, &ModuleEntry));

          // We couldn't find the specified module, so return 0
          CloseHandle(SnapShot);
          return 0;
      }


      MSDN links to all of the functions and the struct. I recommend you read them for a better understanding of what's going on.

      MODULEENTRY32
      CreateToolhelp32Snapshot
      Module32First
      Module32Next
      wcscmp
      CloseHandle
      #7 [GH]Rake (Administrator)
      Small update:

      Quote Originally Posted by [GH] Rake View Post
      So is there any time when an .exe is not loaded at its ImageBase?
      The ONLY time a .exe isn't loaded at the ImageBase stored in the PE header is when ASLR (Address Space Layout Randomization) is enabled on the OS and the DynamicBase flag is set, which enables the OS to randomize the virtual address of the module.

      #8 MasterG (Coder)
      Bookmarked.. will be useful for my own memoryclass..

      #9 ChickenWeed (Newbie)
      Do you need this for, like, Rainbow Six Siege, because the offsets/pointers go rainbowsix.exe + .... and Battleye blocks normal RPM/WPM

      #10 Traxin (Global Moderator)
      Quote Originally Posted by ChickenWeed View Post
      Do you need this for like Rainbow Six Siege, because the offsets/pointer goes rainbowsix.exe +.... and Battleye blocks normal RPM/WPM
      You'll have to do this with any game that has ASLR enabled.

      Quote Originally Posted by ChickenWeed View Post
      and Battleye blocks normal RPM/WPM
      Yes, that's what it's supposed to do...
