Solved Can use RPM to find a value but can't use WPM to edit it


thatnoobkid

Newbie
May 23, 2016
3
32
0
Hello Guided Hacking! Recently I've tried to create my own game hack to try and learn the basics of game hacking. I have run into a problem that I can't figure out on my own through the use of Google and this site's search bar. The problem I am having is I can use RPM to view a value stored inside of a game's address but I don't know how to use WPM to edit it. I tried experimenting on my own by trying to write to multiple addresses but had no success. The problem is on line 32:
C++:
printf("\n%d", WriteProcessMemory(ac_game, (LPVOID) offset, (LPCVOID) &magAmmount, sizeof(DWORD), NULL));
I can't for the life of me find the correct address to write to. I am hoping someone can explain how to use my hack to WPM to my base address + offsets.

C++:
#include <windows.h>
#include <stdio.h>
#include "GetModBaseAddress.h"

int main()
{
	int pid = 2252;
	
	HANDLE ac_game = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION |	
	PROCESS_VM_WRITE | PROCESS_VM_READ, 0, pid);
	
	DWORD ac_game_address = getModBaseAddress(pid, "ac_client.exe");
	printf("\nBase address: 0x%x\nIf 0 then module could not be found.\n", ac_game_address);

	DWORD MagBaseAddress = { 0x109B74 };
	DWORD MagOffsets[] = { 0x36c, 0x18, 0x1e4, 0x50, 0x40 };
	int magAmmount = 1000;
	
	DWORD offset = MagBaseAddress + ac_game_address;
	printf("%d", ReadProcessMemory(ac_game, (LPCVOID) offset, (LPVOID) &offset, sizeof(DWORD), NULL));
	printf("\noffset: 0x%x", offset);
	
	int i;
	for(i=0; i<5; i++)
	{
		offset += MagOffsets[i];
		printf("\n%d", ReadProcessMemory(ac_game, (LPCVOID) offset, (LPVOID) &offset, sizeof(DWORD), NULL));
		printf("\noffset: 0x%x", offset);
	}
	
	printf("\nammo: %d", offset);
	printf("\n%d", WriteProcessMemory(ac_game, (LPVOID) offset, (LPCVOID) &magAmmount, sizeof(DWORD), NULL));
	printf("\nlast error: %d", GetLastError());
	
	CloseHandle(ac_game);
}
 

Rake

Cesspool Admin
Administrator
Jan 21, 2014
12,164
78,998
2,399
thatnoobkid I rewrote it with code that I know works, I hope it is helpful:

C++:
#include <windows.h>
#include <tlhelp32.h>
#include <tchar.h>
#include <stdio.h>


//credits to Solaire for his sexy function
DWORD GetProcessID(const wchar_t * ExeName) {
    // Use the explicit wide-character variants so wcscmp matches in any build
    PROCESSENTRY32W ProcEntry = { 0 };
    HANDLE SnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);

    // CreateToolhelp32Snapshot returns INVALID_HANDLE_VALUE on failure, not NULL
    if (SnapShot == INVALID_HANDLE_VALUE)
        return 0;

    ProcEntry.dwSize = sizeof(ProcEntry);

    if (!Process32FirstW(SnapShot, &ProcEntry)) {
        CloseHandle(SnapShot);
        return 0;
    }

    do {
        if (!wcscmp(ProcEntry.szExeFile, ExeName)) {
            CloseHandle(SnapShot);
            return ProcEntry.th32ProcessID;
        }
    } while (Process32NextW(SnapShot, &ProcEntry));

    CloseHandle(SnapShot);
    return 0;
}

DWORD CalculateMultiLevelPointer(HANDLE hProcHandle, int NumberOfOffsets, DWORD Offsets[], DWORD FirstAddressOfPointer)
{
    DWORD Pointer = FirstAddressOfPointer;
    DWORD TempBuffer;
    DWORD EndAddressOfPointer;
    for (int i = 0; i < NumberOfOffsets; i++)
    {
        if (i == 0)
        {
            ReadProcessMemory(hProcHandle, (LPCVOID)Pointer, &TempBuffer, 4, NULL);
        }
        EndAddressOfPointer = TempBuffer + Offsets[i];
        ReadProcessMemory(hProcHandle, (LPCVOID)EndAddressOfPointer, &TempBuffer, 4, NULL);
    }
    return EndAddressOfPointer;
}

int main()
{
    int pid    = GetProcessID(L"ac_client.exe");

    HANDLE ac_game = OpenProcess(PROCESS_ALL_ACCESS, 0, pid);

    DWORD MagBaseAddress = { 0x509B74 };
    DWORD MagOffsets[] = { 0x36c, 0x18, 0x1e4, 0x50, 0x40 };
    int magAmmount = 1000;

    DWORD offset;
    printf("%d", ReadProcessMemory(ac_game, (LPCVOID)MagBaseAddress, (LPVOID)&offset, sizeof(DWORD), NULL));
    printf("\noffset: 0x%x", offset);

    DWORD DynamicAmmoAddress = CalculateMultiLevelPointer(ac_game, 5, MagOffsets, MagBaseAddress);

    printf("\nammo: %d", DynamicAmmoAddress);
    printf("\n%d", WriteProcessMemory(ac_game, (LPVOID)DynamicAmmoAddress, (LPCVOID)&magAmmount, sizeof(DWORD), NULL));
    printf("\nlast error: %d", GetLastError());

    Sleep(50000);
    CloseHandle(ac_game);
}
 

thatnoobkid

Thank you for the reply and the code. I was wondering how it works because I've noticed that you have a different base address from me. Where did it come from? Also I noticed that you do not need to get the module base address. I thought you needed to find this address every time the game relaunches because it always changes where you need to write values to? I hope I am not being a bother and I look forward to any answers that you can give to me.
 

Rake

thatnoobkid said: "I've noticed that you have a different base address from me. Where did it come from? Also I noticed that you do not need to get the module base address. I thought you needed to find this address every time the game relaunches because it always changes where you need to write values to?"
All executables will have the same image base address every time, unless ASLR is enabled. Therefore you can hardcode the address.

Read this https://guidedhacking.com/showthread.php?5781-Get-Module-Base-Address-Tutorial
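An added example, not part of the original posts or anyone's posted code: the ASLR condition in the reply above is recorded in the PE header itself, so it can be checked before trusting a fixed address. This sketch reads ImageBase and the DYNAMIC_BASE bit of DllCharacteristics from header bytes; the function names are hypothetical, the sample header is constructed, and 0x400000 is an assumption inferred from the difference between the two posts' values (0x509B74 and 0x109B74).

```cpp
#include <cstdint>
#include <cstdio>
#include <vector>

struct PeInfo { uint64_t imageBase; bool dynamicBase; };

static uint64_t rdLE(const std::vector<uint8_t>& b, size_t off, size_t n) {
    uint64_t v = 0;
    for (size_t i = 0; i < n; i++) v |= uint64_t(b[off + i]) << (8 * i);
    return v;
}

// Reads ImageBase and the ASLR opt-in bit; false on malformed or truncated input.
bool parsePe(const std::vector<uint8_t>& b, PeInfo& out) {
    if (b.size() < 0x40 || b[0] != 'M' || b[1] != 'Z') return false;
    size_t pe = rdLE(b, 0x3C, 4);              // e_lfanew
    size_t opt = pe + 4 + 20;                  // skip "PE\0\0" + COFF header
    if (opt + 72 > b.size() || rdLE(b, pe, 4) != 0x00004550) return false;
    uint64_t magic = rdLE(b, opt, 2);
    if (magic == 0x10B)      out.imageBase = rdLE(b, opt + 28, 4);  // PE32
    else if (magic == 0x20B) out.imageBase = rdLE(b, opt + 24, 8);  // PE32+
    else return false;
    // DllCharacteristics: 0x0040 = IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
    out.dynamicBase = (rdLE(b, opt + 70, 2) & 0x0040) != 0;
    return true;
}

// Address a module-relative offset has when the image loads at its preferred base.
uint64_t preferredVa(const PeInfo& p, uint32_t rva) { return p.imageBase + rva; }

// A hardcoded absolute address only holds if the loader is not asked to relocate.
bool hardcodedAddressStable(const PeInfo& p) { return !p.dynamicBase; }

// Constructed sample: minimal PE32 headers only, not a real binary.
std::vector<uint8_t> samplePe(uint32_t imageBase, uint16_t dllChars) {
    std::vector<uint8_t> b(0x80 + 24 + 96, 0);
    b[0] = 'M'; b[1] = 'Z'; b[0x3C] = 0x80;
    b[0x80] = 'P'; b[0x81] = 'E';
    size_t opt = 0x80 + 24;
    b[opt] = 0x0B; b[opt + 1] = 0x01;          // PE32 magic
    for (int i = 0; i < 4; i++) b[opt + 28 + i] = uint8_t(imageBase >> (8 * i));
    b[opt + 70] = uint8_t(dllChars); b[opt + 71] = uint8_t(dllChars >> 8);
    return b;
}

int main() {
    PeInfo p{};
    if (!parsePe(samplePe(0x400000, 0x0000), p)) return 1;
    std::printf("0x%llx stable=%d\n", (unsigned long long)preferredVa(p, 0x109B74),
                hardcodedAddressStable(p));
}
```

For a developer, a clear DYNAMIC_BASE bit means every address in the image is predictable across launches; linking with /DYNAMICBASE sets the bit and removes that predictability.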
 