Solved Addresses of the type "mygame.exe"+0010F4F8


St. Ansen

Hello experts,

after some pointer scanning I have found the base addresses for both the player and the enemies. Yet their address format is different and I have little understanding of the internals of programs.

The player base is an absolute address 00509B74, whereas the enemy base pointer is "ac_client.exe"+0010F4F8 (see snapshot below).



What is the difference between those address types and how do I utilize the latter format when I'm writing to process memory in C++? (WriteProcessMemory(...)).

Thank you!
 

wolf22j

00509B74 is a virtual address, and 0010F4F8 is a relative virtual address. The difference is that for the RVA ("ac_client.exe"+0010F4F8) you need to add the base address of the module with the relative address, hence ac_client.exe + address. So essentially, RVA is just an offset, just like entitybase + healthOffset. To utilize this, all you need to do is get the base address of the module and then add 0010F4F8 to it, which gives you the VA. Getting the module base is different depending on whether you are internal or external. For internal, you simply call GetModuleHandle(). For external, you have to do a little bit more work. You can see Rake's tutorial on how to do that.

Also explained in this video
 

wolf22j

Also, as a note, you do not need to go and get the module base in this case (I just wanted to explain how to get it). Since it's the main exe and you already know the module base address is 0x400000, you can just do the calculation outside of your code. 0010F4F8 + 400000 = 0050F4F8. That is the virtual address, so you just treat it the same way as 00509B74.
 

St. Ansen

Hey wolf22j,

thank you very much, that'll keep me going for the moment. May I kindly ask you to elaborate on two things you mentioned:

"Since it's the main exe and you already know the module base address is 0x400000..."
Why is this?

"you need to add the base address of the module ..."
"Getting the module base is different depending on whether you are internal or external ..."
How are programs split up into modules and what does 'internal'/'external' refer to?

Apparently my model of application's memory organization is far too simplistic. My questions might be referring to pertinent standard knowledge and I'd be just as happy, if you showed me a wikipedia article to check out, since I frankly don't know what to look for. Need some help with my baby steps.

Cheers,
Stan
 

Teuvin

LETS GO

"Since it's the main exe and you already know the module base address is 0x400000..."
  • In executables produced for Windows NT, the default image base is 0x10000. For DLLs, the default is 0x400000. In Windows 95, the address 0x10000 can't be used to load 32-bit EXEs because it lies within a linear address region shared by all processes. Because of this, Microsoft has changed the default base address for Win32 executables to 0x400000.



"How are programs split up into modules"
He's referring to the modules the program uses, as in .dlls, libraries.
  • (1) In software, a module is a part of a program. Programs are composed of one or more independently developed modules that are not combined until the program is linked. A single module can contain one or several routines.
In your case the address is inside the "ac_client.exe" module, so you need to do "ac_client.exe"+0x123456. In Counter-Strike: Global Offensive, for example, the local player is stored inside the "client.dll" address space, which you would then access with "client.dll"+0213456.


"and what does 'internal'/'external' refer to?"
Internal/External refers to the way you are accessing the game/program memory. If you are loading a module into the program (injecting a .dll), then you are INTERNALLY accessing the program, but if you are accessing the program/game via another program that is not inside the game/program address space or loaded into the program, then you are accessing it EXTERNALLY. Accessing the game/program internally or externally each has its pros and cons.
 

wolf22j

To add onto Teuvin's post, Cheat Engine will tell you the base of each module and all the PE info about them.
 

St. Ansen

"In executables produced for Windows NT, the default image base is 0x10000. For DLLs, the default is 0x400000. In Windows 95, the address 0x10000 can't be used to load 32-bit EXEs because it lies within a linear address region shared by all processes. Because of this, Microsoft has changed the default base address for Win32 executables to 0x400000."

That's far above my level of understanding, I'll have to take your word for it, thanks ;)

"In software, a module is a part of a program. Programs are composed of one or more independently developed modules that are not combined until the program is linked. A single module can contain one or several routines."
So modules are referring to object files and/or .dlls, aye?

"Internal/External refers to the way you are accessing the game/program memory. If you are loading a module into the program (injecting a .dll), then you are INTERNALLY accessing the program, but if you are accessing the program/game via another program that is not inside the game/program address space or loaded into the program, then you are accessing it EXTERNALLY. Accessing the game/program internally or externally each has its pros and cons."
I use some basic things from the Windows API (Visual Studio, C++) to read and write the application's memory (that's AssaultCube in my case). Would that not be considered external access, since my program is clearly not inside the game's address space? I'm just fine using the basic 0x400000 offset, without doing more complex work as wolf22j inferred I'd have to.

"To add onto Teuvin's post, cheat engine will tell you the base of each module and all the PE info about them.."
That's very helpful. Are the bases of all the modules constant or do they change every time I start the application? I haven't yet checked out Rake's tutorial, it might be answering my question.

Thanks for all the support!
Stan
 

Rake

Modules = Portable Executable File Format files in memory, DLL & EXE, yeah. When you have your own process doing RPM/WPM, it's external. When you inject your code into the game, you're internal and don't need to use RPM/WPM. Read the post I linked.
 

wolf22j

The Windows loader has to rebase most of the modules; however, Windows will typically do the same order, so they will remain the same unless new modules are added to the game. The exception is system modules, such as USER32.dll; they are always loaded in the same order and located at the same base addresses.
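
Added example, not code from any poster in this thread: the "module base + RVA = VA" arithmetic discussed above, together with a bounds-checked read of the two PE32 header fields that decide whether a hard-coded base such as 0x400000 can be relied on (ImageBase and the DYNAMIC_BASE/ASLR bit of DllCharacteristics). The header-only sample buffer is constructed for the example, and the names `PeInfo`, `parsePe32`, `rvaToVa` and `makeSample` are assumptions of the example.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

struct PeInfo {
    uint32_t imageBase;   // preferred load address written by the linker
    bool dynamicBase;     // DllCharacteristics & 0x0040: image opted in to ASLR
};

template <typename T>
static T rd(const std::vector<uint8_t>& b, size_t off) {
    T v; std::memcpy(&v, b.data() + off, sizeof v); return v;  // little-endian host
}
template <typename T>
static void wr(std::vector<uint8_t>& b, size_t off, T v) {
    std::memcpy(b.data() + off, &v, sizeof v);
}

// Parse the PE32 headers of a file image held in memory; false on malformed input.
bool parsePe32(const std::vector<uint8_t>& img, PeInfo& out) {
    if (img.size() < 0x40 || rd<uint16_t>(img, 0) != 0x5A4D) return false;  // "MZ"
    size_t pe = rd<uint32_t>(img, 0x3C);                       // e_lfanew
    if (pe > img.size() || img.size() - pe < 24 + 72) return false;
    if (rd<uint32_t>(img, pe) != 0x00004550) return false;     // "PE\0\0"
    size_t opt = pe + 24;                                      // signature + COFF header
    if (rd<uint16_t>(img, opt) != 0x10B) return false;         // PE32 (32-bit) only
    out.imageBase = rd<uint32_t>(img, opt + 28);
    out.dynamicBase = (rd<uint16_t>(img, opt + 70) & 0x0040) != 0;
    return true;
}

// VA = base the module is actually loaded at + RVA.
uint32_t rvaToVa(uint32_t loadedBase, uint32_t rva) { return loadedBase + rva; }

// Constructed sample: a header-only PE32 stub, not a real executable.
std::vector<uint8_t> makeSample(uint32_t imageBase, uint16_t dllChars) {
    std::vector<uint8_t> b(0x80 + 24 + 72, 0);
    wr<uint16_t>(b, 0, 0x5A4D);
    wr<uint32_t>(b, 0x3C, 0x80);
    wr<uint32_t>(b, 0x80, 0x00004550);
    wr<uint16_t>(b, 0x80 + 24, 0x10B);
    wr<uint32_t>(b, 0x80 + 24 + 28, imageBase);
    wr<uint16_t>(b, 0x80 + 24 + 70, dllChars);
    return b;
}

int main() {
    PeInfo pe{};
    if (!parsePe32(makeSample(0x400000, 0), pe)) return 1;
    std::printf("ImageBase=%08X ASLR=%d VA=%08X\n", (unsigned)pe.imageBase,
                pe.dynamicBase, (unsigned)rvaToVa(pe.imageBase, 0x0010F4F8));
}
```

When the DYNAMIC_BASE bit is set, the loader may place the image somewhere other than ImageBase, so the base has to be taken from the running process rather than from the header.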
 