Source Code Assault Cube C++ Trainer

Lostflash

Hello there,

like Rake suggested me I started with the "easy" stuff and figured out how to make a trainer in C++.

Im going to work on it a bit more and then do the same for other games until I fully understand what I'm doing in each of them.

Just wanted to share the source code for other newbies like me and to get feedback on what I could change ^^

C++:
#include <Windows.h>
#include <stdio.h>

int main(){

    HWND hwnd = 0;

    while (hwnd == NULL){    //Waiting until the game window was found
       
        system("cls");
        printf("Waiting for the game...");
        hwnd = FindWindow(NULL, "AssaultCube");
        Sleep(1000);
    }

    system("cls");
    printf("Game was found!\n\n");

    DWORD pId = -1;

    GetWindowThreadProcessId(hwnd, &pId);    //Getting the process id of Assault Cube

    if (pId == -1){

        printf("ERROR: Process ID not found...");
    }

    HANDLE handle = OpenProcess(PROCESS_ALL_ACCESS, false, pId);    //Opening the process of Assault Cube

    if (!handle){

        printf("ERROR: Failed to open process...");
    }

    //Memory Addresses I want to change
    DWORD adr_iHealth = 0x0042CA5E;        //Players Health
    DWORD adr_iAmmo = 0x004637E9;        //Players Ammo
    DWORD adr_iGrenades = 0x00463378;    //Players Grenades

    //Bytes that I will use to rewrite the games memory
    BYTE mod_iAmmo[2] = { 0x90, 0x90 };                                //2x nop
    BYTE mod_iHealth[6] = { 0x90, 0x90, 0x90, 0x90, 0x90, 0x90 };    //6x nop
    BYTE mod_iGrenades[2] = { 0x90, 0x90 };                            //2x nop

    //Changing the code that's decreasing my ammo with nothing (2x nop)
    WriteProcessMemory(handle, (LPVOID)adr_iAmmo, mod_iAmmo, sizeof(mod_iAmmo), NULL);

    //Changing the code that's writing my health with nothing (6x nop)
    WriteProcessMemory(handle, (LPVOID)adr_iHealth, mod_iHealth, sizeof(mod_iHealth), NULL);

    //Changing the code that's decreasing my grenade count with nothing (2x nop)
    WriteProcessMemory(handle, (LPVOID)adr_iGrenades, mod_iGrenades, sizeof(mod_iGrenades), NULL);   

    printf("FINISHED\n\n");

    system("PAUSE");
}

C++:
#include <Windows.h>
#include <stdio.h>
#include <TlHelp32.h>
#include <tchar.h>

//Function to get a modules base address (useful for pointers)
//szModuleName is const so a string literal can be passed
DWORD_PTR dwGetModuleBaseAddress(DWORD dwProcID, const TCHAR *szModuleName)
{
    DWORD_PTR dwModuleBaseAddress = 0;
    HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE | TH32CS_SNAPMODULE32, dwProcID);
    if (hSnapshot != INVALID_HANDLE_VALUE)
    {
        MODULEENTRY32 ModuleEntry32;
        ModuleEntry32.dwSize = sizeof(MODULEENTRY32);
        if (Module32First(hSnapshot, &ModuleEntry32))
        {
            do
            {
                if (_tcsicmp(ModuleEntry32.szModule, szModuleName) == 0)
                {
                    dwModuleBaseAddress = (DWORD_PTR)ModuleEntry32.modBaseAddr;
                    break;
                }
            } while (Module32Next(hSnapshot, &ModuleEntry32));
        }
        CloseHandle(hSnapshot);
    }
    return dwModuleBaseAddress;
}


int main(){

    HWND hwnd = 0;

    while (hwnd == NULL){    //Searching for the games window

        hwnd = FindWindow(0, "AssaultCube");
        Sleep(10);
    }

    printf("Found Game!\n\n");

    DWORD pID = -1;

    GetWindowThreadProcessId(hwnd, &pID);    //Getting the games process id

    if (pID == -1){

        printf("ID ERROR");
    }

    HANDLE handle = OpenProcess(PROCESS_ALL_ACCESS, false, pID);    //Opening the process with full rights

    if (handle == NULL || handle == INVALID_HANDLE_VALUE){    //OpenProcess returns NULL on failure

        printf("ERROR HANDLE");
    }

    DWORD ac_client_BaseAddress = 0;
    DWORD ofs_ac_client_BaseAddress = 0x00109B74;    //Offset of the module 'ac_client.exe'
    DWORD ac_client_Address;    //Baseaddress + Offset

    ac_client_BaseAddress = dwGetModuleBaseAddress(pID, "ac_client.exe");    //Getting the Baseaddress of 'ac_client.exe'
    ReadProcessMemory(handle, (LPCVOID)(ac_client_BaseAddress + ofs_ac_client_BaseAddress), &ac_client_Address, sizeof(ac_client_Address), NULL); // Value stored at Baseaddress + Offset goes into 'ac_client_Address'

    //Creating offsets
    DWORD ofs_iRifleAmmo = 0x150;
    DWORD ofs_iPistolAmmo = 0x13C;
    DWORD ofs_iGrenades = 0x158;
    DWORD ofs_iHealth = 0xF8;
    DWORD ofs_iArmor = 0xFC;

    //Getting pointer addresses
    DWORD ptr_iRifleAmmo = ac_client_Address + ofs_iRifleAmmo;
    DWORD ptr_iPistolAmmo = ac_client_Address + ofs_iPistolAmmo;
    DWORD ptr_iGrenades = ac_client_Address + ofs_iGrenades;
    DWORD ptr_iHealth = ac_client_Address + ofs_iHealth;
    DWORD ptr_iArmor = ac_client_Address + ofs_iArmor;

    DWORD value = 1337;    //value that will overwrite out memory

    //Writing the 1337 into every single pointer from above
    WriteProcessMemory(handle, (LPVOID)ptr_iRifleAmmo, &value, sizeof(value), NULL);
    WriteProcessMemory(handle, (LPVOID)ptr_iPistolAmmo, &value, sizeof(value), NULL);
    WriteProcessMemory(handle, (LPVOID)ptr_iGrenades, &value, sizeof(value), NULL);
    WriteProcessMemory(handle, (LPVOID)ptr_iHealth, &value, sizeof(value), NULL);
    WriteProcessMemory(handle, (LPVOID)ptr_iArmor, &value, sizeof(value), NULL);

    printf("SUCCESS\n\n");

    CloseHandle(handle);    //Closing the handle

    system("PAUSE");        //Program ends
}

I will try to stay on the road and not to give up :)

~Lostflash


MasterG

You should loop the whole GetProcessByProcessID() func. Btw the Sleep(1000) is useless, I mean 1000 is too much unless you have a wooden pc and you can't afford to do more than 1 loop per second D:
Sleep(10) would be enough xd
And make sure you close your handle when your application exits. Just add CloseHandle(handle);
 

mambda

Good on you for learning mate

C++:
    //Memory Addresses I want to change
    DWORD adr_iHealth = 0x0042CA5E;     //Players Health
    DWORD adr_iAmmo = 0x004637E9;       //Players Ammo
    DWORD adr_iGrenades = 0x00463378;   //Players Grenades
Change these to offsets instead of absolute addresses, as they can change when a game restarts due to ASLR. Doesn't happen in assault cube but does in different games, so instead you'd get the base address of the module, then add the offset to get the actual address at runtime.

It's also typically not recommended to use the system() function, but i let that slide because i abuse the shit out of it myself :3

For OpenProcess, when checking the handle, it's recommended to check for INVALID_HANDLE_VALUE ( -1 / 0xFFFFFFFF ) as well as 0

May as well make your address values void *s to avoid having to cast them later

And just so you're aware in case you didn't know, you don't have to declare a size for your opcode arrays, the compiler's smart, BYTE mod_iAmmo[] = { 0x90, 0x90 } would be the same as what you've currently got.

Other than that, neat stuff dude. :)
 

Lostflash

Thanks for the feedback :)

Gonna check the offset thing out :) Realized it's not smart to nop out a function that subtracts health from every player :D I know how to fix it with assembly in Cheat Engine but C++... well <.<
Anyways thanks ^^
 

Lostflash

I have a question about pointers and the offset <.<

I've found a pointer for money in a game and Cheat Engine says it's this address: "EtG.exe"+00F288F8 -> 64DD90B0
And the Offsets are 0x14, 0xF8, 0x1D8, 0x38, 0x194

I tried the following...

C++:
DWORD ptr_Money = 0x64DD90B0 + 0x14 + 0xF8 + 0x1D8 + 0x38 + 0x194;

	INT mod_Money = 1337;

	WriteProcessMemory(handle, (LPVOID)ptr_Money, &mod_Money, sizeof(mod_Money), NULL);
What did I do wrong, because it's not working? Can you give an example based on this address and offsets?

greets Lostflash
 

MasterG

Nah it doesn't work like that. You have to ReadProcessMemory() the base address value and then add the first offset to the returned value (scan for the address the func has returned and add the offset), then scan again in a loop. You have to loop this as many times as the number of the offsets -1. Then it will return you the DynamicMemoryAllocation of the address
 

mambda

Look here for information about getting a module base address externally.

Afterwards, you need to continually ReadProcessMemory after adding each offset in order to continue down the pointer chain, until you get to the last one ( 0x194 ) , i'd whip you up some code for this but i think it'd confuse more than help
 

Lostflash

Copied the code from the other post going to look why it (should) work ^^ Thanks for that.
A small example would be quite though (I can be more confused than I am right now)
 

mambda

Want my code example? Sure I'll whip it up.

C++:
DWORD GetMemoryAddressRecursive( HANDLE pHandle, long currentAddress, long nextOffset) // final iteration.
{
	// Last offset in the chain: only added, not dereferenced
	return currentAddress + nextOffset;
}

template <typename ...args>
DWORD GetMemoryAddressRecursive(HANDLE pHandle,  long currentAddress, long nextOffset, args... demArgs)
{
	DWORD buf = 0;
	// Read the pointer stored at currentAddress + nextOffset (address must be cast to a pointer type)
	ReadProcessMemory( pHandle, (LPCVOID)(currentAddress + nextOffset), &buf, sizeof(buf), 0);
	
	// Expand the remaining offsets with "..." so the recursion continues down the chain
	return GetMemoryAddressRecursive( pHandle, buf, demArgs...);
}

template <typename ...args>
DWORD GetMemoryAddress( HANDLE pHandle,  char * moduleBase, long currentOffset, args ...arguments )
{
	DWORD buf = 0;
	// Read the static pointer at moduleBase + currentOffset
	ReadProcessMemory( pHandle, moduleBase + currentOffset, &buf, sizeof(buf), 0);
	
	return GetMemoryAddressRecursive( pHandle, buf, arguments... );
}
May or may not work out of the box

Usage: DWORD AmmoAddress = GetMemoryAddress( gameHandle, GetModuleBaseOf("ac_client.exe"), firstOffsetHere, all , other, offsets, go, here );
 

Lostflash

I don't get it at all... my program now finds the pointer I want it to but the value won't change <.<

C++:
	DWORD ac_client_BaseAddress = 0;
	DWORD ofs_ac_client_BaseAddress = 0x00109B74;

	DWORD ptr_ammo;
	DWORD ofs_ammo = 0x150 ;

	int value = 1337;

	ac_client_BaseAddress = dwGetModuleBaseAddress(pID, "ac_client.exe");

	ReadProcessMemory(handle, (LPCVOID)(ac_client_BaseAddress + ofs_ac_client_BaseAddress), &ptr_ammo, sizeof(ptr_ammo), NULL);

	ReadProcessMemory(handle, (LPCVOID)(ptr_ammo + ofs_ammo), &ptr_ammo, sizeof(ptr_ammo), NULL);

	WriteProcessMemory(handle, (LPVOID)ptr_ammo, &value, sizeof(value), NULL);
What am I doing wrong?
 

Rake

C++:
WriteProcessMemory(handle, (LPVOID)ptr_ammo, &value, sizeof(value), NULL);
I think you just need to change that to:

C++:
WriteProcessMemory(handle, (LPVOID)(ptr_ammo + ofs_ammo), &value, sizeof(value), NULL);
 

mambda

your last offset is not RPMed, it's just added. so remove the second one and WPM(shitshitshit, ptr_ammo + offset, shitshitshit)
 

Lostflash

That worked <3 Thanks

So if the ammo pointer would have 2 offsets I would only RPM the first and WPM pointer + second?
 

mambda

For any offset chain of size X, externally, you RPM X-1 times, then add your final value
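
The chain walk discussed in this exchange, and the earlier mistake of summing all offsets, shown as an added example that is not part of the original posts. A map stands in for ReadProcessMemory so it runs without any target process; the module base and the intermediate pointer values are constructed, only the static offset, the first pointer value and the offset list come from the thread.

```cpp
#include <cstdint>
#include <cstdio>
#include <map>
#include <vector>

// Simulated 32-bit address space (address -> DWORD stored there). It stands in
// for ReadProcessMemory so the example runs without any target process.
using Memory = std::map<uint32_t, uint32_t>;

bool read32(const Memory& mem, uint32_t addr, uint32_t& out) {
    auto it = mem.find(addr);
    if (it == mem.end()) return false;   // unmapped: a real read would fail here
    out = it->second;
    return true;
}

// Read the static pointer, then read again after every offset except the last;
// the last offset is only added. Fails instead of returning a half-walked address.
bool resolveChain(const Memory& mem, uint32_t staticPtr,
                  const std::vector<uint32_t>& offsets, uint32_t& result) {
    uint32_t cur = 0;
    if (offsets.empty() || !read32(mem, staticPtr, cur)) return false;
    for (size_t i = 0; i + 1 < offsets.size(); ++i)
        if (!read32(mem, cur + offsets[i], cur)) return false;
    result = cur + offsets.back();
    return true;
}

// The mistake from the question: every offset summed onto the first pointer value.
uint32_t sumOffsets(uint32_t firstValue, const std::vector<uint32_t>& offsets) {
    for (uint32_t o : offsets) firstValue += o;
    return firstValue;
}

const uint32_t kStaticPtr = 0x00400000 + 0x00F288F8;  // module base is constructed
const std::vector<uint32_t> kOffsets = {0x14, 0xF8, 0x1D8, 0x38, 0x194};  // from the thread

Memory sampleMemory() {                  // intermediate pointer values are constructed
    return {{kStaticPtr, 0x64DD90B0},    // "EtG.exe"+00F288F8 -> 64DD90B0
            {0x64DD90B0 + 0x14, 0x10000000}, {0x10000000 + 0xF8, 0x20000000},
            {0x20000000 + 0x1D8, 0x30000000}, {0x30000000 + 0x38, 0x40000000},
            {0x40000000 + 0x194, 1337}}; // the value itself lives at the final address
}

int main() {
    uint32_t addr = 0;
    bool ok = resolveChain(sampleMemory(), kStaticPtr, kOffsets, addr);
    std::printf("walked: %s 0x%08X, summed: 0x%08X\n", ok ? "ok" : "failed",
                (unsigned)addr, (unsigned)sumOffsets(0x64DD90B0, kOffsets));
    return 0;
}
```

The summed address and the walked address differ because each intermediate value is itself a pointer into a different allocation; a failed read anywhere in the chain has to abort the walk rather than feed a stale value into the next step.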
 

MasterG

C++:
DWORD GetDynamicAddress(HANDLE hProc, ULONG_PTR BaseAddress, DWORD offsets[], int lvl)
{
    ULONG_PTR Buffer = 0;

    //Read the static pointer first; bail out if the read fails
    if (!ReadProcessMemory(hProc, reinterpret_cast<void*>(BaseAddress), &Buffer, sizeof(ULONG_PTR), 0))
        return 0;

    //Dereference after every offset except the last one
    for (int i = 0; i < (lvl - 1); ++i)
        if (!ReadProcessMemory(hProc, reinterpret_cast<void*>(Buffer + offsets[i]), &Buffer, sizeof(ULONG_PTR), 0))
            return 0;

    //The last offset is only added
    return (Buffer + offsets[lvl - 1]);
}
How could it be improved?
 

mambda

use templates to indicate the level or use an argument pack so you don't have to create dword arrays for everything, but that's just because i hate initializing arrays
 

basber

i agree your solution is very flexible, thanks!
 