Video Tutorial How to Hack Any Game Tutorial C++ Trainer #1 - External


Rake

This beginner tutorial builds on past tutorials to teach you how to make your first C++ External Trainer. Includes FindDMAAddy for calculating multilevel pointers, GetModuleBaseAddress for finding base address of things such as server.dll, GetProcId, OpenProcess, ReadProcessMemory, WriteProcessMemory etc.

This is an essential game hacking tutorial that you must do before moving to more complicated things. It basically replicates everything that Cheat Engine does when simply modifying values via multilevel pointers. It is a remake of Fleep's original series, in my ongoing effort to explain things better to you.

If you're a true noob, do this step by step guide to learning game hacking: Guide - START HERE Beginners Guide to Learning Game Hacking
You must complete Solaire's video first: Video Tutorial - Cheat Engine How To Hack Any Game [1/10 Difficulty] [Part 1/2]


We will cover:
  • Re-learn finding multilevel pointers
  • Create basic external C++ trainer
  • Loop through running processes, find game process
  • GetProcessId and OpenProcess to get memory access handle
  • Loop through modules, find your module
  • GetModuleBaseAddress()
  • FindDMAAddy - calculate multilevel pointers
  • ReadProcessMemory/WriteProcessMemory

You must first do part 1 of this video series, by Solaire to get the Cheat Table and prior experience:
Video Tutorial - Cheat Engine How To Hack Any Game [1/10 Difficulty] [Part 1/2]

Here are some things referenced in this video:
Video Tutorial - Cheat Engine 6.7 Tutorial Video Guide

CreateToolhelp32Snapshot function
Taking a Snapshot and Viewing Processes

Here is an example of what the code looks like:
C++:
#include <windows.h>
#include <cstdio>
#include <iostream>
#include <vector>

//Helper functions written during the tutorial (definitions not shown in this post;
//signatures inferred from the calls below)
DWORD GetProcId(const wchar_t* procName);
uintptr_t GetModuleBaseAddress(DWORD procId, const wchar_t* modName);
uintptr_t FindDMAAddy(HANDLE hProc, uintptr_t ptr, std::vector<unsigned int> offsets);

int main()
{
    //Get ProcId of the target process
    DWORD procId = GetProcId(L"ac_client.exe");

    //Getmodulebaseaddress
    uintptr_t moduleBase = GetModuleBaseAddress(procId, L"ac_client.exe");

    //Get Handle to Process (OpenProcess returns NULL on failure)
    HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, procId);
    if (hProcess == NULL)
    {
        std::cout << "OpenProcess failed, error " << GetLastError() << std::endl;
        return 1;
    }

    //Resolve base address of the pointer chain
    uintptr_t dynamicPtrBaseAddr = moduleBase + 0x10f4f4;

    std::cout << "DynamicPtrBaseAddr = " << "0x" << std::hex << dynamicPtrBaseAddr << std::endl;

    //Resolve our ammo pointer chain
    std::vector<unsigned int> ammoOffsets = { 0x374, 0x14, 0x0 };
    uintptr_t ammoAddr = FindDMAAddy(hProcess, dynamicPtrBaseAddr, ammoOffsets);

    std::cout << "ammoAddr = " << "0x" << std::hex << ammoAddr << std::endl;

    //Read Ammo value
    int ammoValue = 0;

    ReadProcessMemory(hProcess, (BYTE*)ammoAddr, &ammoValue, sizeof(ammoValue), nullptr);
    std::cout << "Current ammo = " << std::dec << ammoValue << std::endl;

    //Write to it
    int newAmmo = 1337;
    WriteProcessMemory(hProcess, (BYTE*)ammoAddr, &newAmmo, sizeof(newAmmo), nullptr);

    //Read out again
    ReadProcessMemory(hProcess, (BYTE*)ammoAddr, &ammoValue, sizeof(ammoValue), nullptr);

    std::cout << "New ammo = " << std::dec << ammoValue << std::endl;

    getchar();

    //Release the process handle before exiting
    CloseHandle(hProcess);

    return 0;
}
Multi Level Pointer Template
Code:
Address = Value = ?

base ptr -> address + offset4 = address

base ptr -> address + offset3 = address
 
base ptr -> address + offset2 = address

static base -> address + offset1 = address



 


Slluxx

Hey, I also asked in the YT comments but I guess this is a better place.
I am trying all of this on a game called PwnAdventure3 which is intentionally made vulnerable.

With Cheat Engine I was able to find a pointer for the mana ( "GameLogic.dll"+00097D7C ) with the offsets 1C and 158 (screenshot).
So my part of the code looks like this (screenshot):

C++:
DWORD procId = GetProcId(L"PwnAdventure3-Win32-Shipping.exe");
uintptr_t moduleBase = GetModuleBaseAddress(procId, L"GameLogic.dll");
uintptr_t dynamicPtrBaseAddr = moduleBase + 0x00097D7C;
std::vector<unsigned int> ammoOffsets = { 0x1C, 0x158 };
But the trainer isn't finding the right address and it looks like this screenshot.
I hope someone can point out what's wrong.

Thanks for any help
 

tvojama

> Hey, I also asked in the YT comments but I guess this is a better place.
> I am trying all of this on a game called PwnAdventure3 which is intentionally made vulnerable.
>
> With Cheat Engine I was able to find a pointer for the mana ( "GameLogic.dll"+00097D7C ) with the offsets 1C and 158 (screenshot).
> So my part of the code looks like this (screenshot):
>
> C++:
> DWORD procId = GetProcId(L"PwnAdventure3-Win32-Shipping.exe");
> uintptr_t moduleBase = GetModuleBaseAddress(procId, L"GameLogic.dll");
> uintptr_t dynamicPtrBaseAddr = moduleBase + 0x00097D7C;
> std::vector<unsigned int> ammoOffsets = { 0x1C, 0x158 };
> But the trainer isn't finding the right address and it looks like this screenshot.
> I hope someone can point out what's wrong.
>
> Thanks for any help
Double check if you're reading from the right module
 

Slluxx

> Double check if you're reading from the right module
How? Isn't what Cheat Engine says the module? Or do you mean it as in debugging the trainer and check if that grabs the right module?
I debugged it before and it takes the GameLogic.dll as module
 

Rake

Edit: this guy solved the riddle hell yeah
Nice job man, did you have fun? How long did it take you? Upgraded your account to Nobleman for completing my little challenge!

@Slluxx hmmm I will download this tonight to test it...
 

Rake

Exactly why I am remaking the old tutorials:



 

Slluxx

> @Slluxx hmmm I will download this tonight to test it...
Thanks mate!

EDIT: I just downloaded AC and tried it with that. Doesn't work as well.
I am getting the pointer "ac_client.exe"+0010FC84 with 0 and 2D4 offset which should result in 1210BD14 as address but the trainer gives me 0x8120d872c as ammo address. The DynamicPtrBaseAddr is 0x50fc84 so everything is kinda close? I just don't get it.

EDIT2: It's probably just me anyway
 

OlfillasOdikno

> Nice job man, did you have fun? How long did it take you? Upgraded your account to Nobleman for completing my little challenge!
It took me just some minutes, because I am a math fan ;) The font was a bit confusing, but if you get the pattern you can figure it out. It was a nice, funny little challenge. Thank you.
 

Rake

> Thanks mate!
>
> EDIT: I just downloaded AC and tried it with that. Doesn't work as well.
> I am getting the pointer "ac_client.exe"+0010FC84 with 0 and 2D4 offset which should result in 1210BD14 as address but the trainer gives me 0x8120d872c as ammo address. The DynamicPtrBaseAddr is 0x50fc84 so everything is kinda close? I just don't get it.
>
> EDIT2: It's probably just me anyway
What the hell are you doing wrong lmao! If you download my source code, run as admin, it should work perfectly on assault cube. Tested it several times...ghost in the machine maybe
 

Slluxx

> What the hell are you doing wrong lmao! If you download my source code, run as admin, it should work perfectly on assault cube. Tested it several times...ghost in the machine maybe
Okay, now I know for a fact that it was me. I got it working by looking at Video Tutorial - Cheat Engine How To Hack Any Game [1/10 Difficulty] [Part 1/2]
and trying to get the "player object" instead of straight finding a pointer for the ammunition. It's hard to learn stuff if everyone does it differently but I'm glad I came across your videos and website!
 

Rake

Are you doing the latest version of the game 1.2.0.2? That is the correct version.

You need to suffer through trial and error, it's the only way you learn.

0288a750 is obviously the correct address. How do I know this? Just experience and intuition
 

Rake

> It's hard to learn stuff if everyone does it differently
If everyone did everything the same way, I wouldn't even call it hacking anymore. The best thing you can do for yourself, is only follow tutorials if you can't figure it out through trial and error. That is how you grow your brain. And then anytime you get stuck on something, post here and we'll hook you up :) You seem like a smart cookie so I'm sure you'll do well
 

Slluxx

> If everyone did everything the same way, I wouldn't even call it hacking anymore. The best thing you can do for yourself, is only follow tutorials if you can't figure it out through trial and error. That is how you grow your brain. And then anytime you get stuck on something, post here and we'll hook you up :) You seem like a smart cookie so I'm sure you'll do well

Haha, I appreciate that :D

I probably just have one more question for now:
When following the steps in the video I linked, it looks like this:
(50F4F4) without module name

But in your video, it looks like:
(ac_client.exe + 10F4F4)

Right now I use 10f4f4 and the basename out of your video + the offsets I found with Video Tutorial - Cheat Engine How To Hack Any Game [1/10 Difficulty] [Part 1/2]

But that's wrong, isn't it? How can I see the basename + 10f4f4 with that (linked) method?
 

Icesythe7

base for AS is always 0x400000 so ac_client.exe + 10f4f4 = same as 400000 + 10f4f4 = 50F4F4

Code:
        /// <summary>
        /// Pops up a message on the screen and in the console. 
        /// </summary>
        /// <param name="msg"></param>
        public static void PopUpMessage(string msg)
        {
            var popUpMessage = new IntPtr(0x90F0);
            Mem.Sharp[popUpMessage].Execute<int>(Binarysharp.MemoryManagement.Assembly.CallingConvention.CallingConventions.Cdecl, msg);
        }
notice the base is removed in my function since the memory library will add it automagically xd
 

Slluxx

> base for AS is always 0x400000 so ac_client.exe + 10f4f4 = same as 400000 + 10f4f4 = 50F4F4
>
> Code:
>         /// <summary>
>         /// Pops up a message on the screen and in the console.
>         /// </summary>
>         /// <param name="msg"></param>
>         public static void PopUpMessage(string msg)
>         {
>             var popUpMessage = new IntPtr(0x90F0);
>             Mem.Sharp[popUpMessage].Execute<int>(Binarysharp.MemoryManagement.Assembly.CallingConvention.CallingConventions.Cdecl, msg);
>         }
> notice the base is removed in my function since the memory library will add it automagically xd
I don't think that really helps cause it's not dynamic. It only applies to AC, doesn't it?
 

Rake

> I don't think that really helps cause it's not dynamic. It only applies to AC, doesn't it?
Correct, because there is no ASLR enabled on assault cube, the EXE always is at the same address. Same cannot be said about .DLLs.
 

Slluxx

Okay. I got extremely confused for a minute but I think I got it.

The trainer wants the 0x10F4F4 but I don't know that because of my method to search for the playerobject/pointer. But I know another address because of my searches, which is 0x50f4f4. To get to 0x10F4F4, I can use (GetModuleBaseAddress - 0x50f4f4)

AC will always have a GetModuleBaseAddress of 400000 but it can be different for other games.

Can someone tell me the names of those addresses (0x10, 0x50) so I can reference them by name instead of a changing address?
Also, will this method work in other games (as GetModuleBaseAddress is dynamic)?
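
Added example (not part of any post in this thread and not the tutorial's code): the relationship between "ac_client.exe"+10F4F4 and the absolute address 50F4F4 discussed above, together with the dereference-then-add walk from the Multi Level Pointer Template in the first post, run against a constructed in-memory model instead of a real process. The function names, the heap addresses, the value 20 and the relocated base 0x01230000 are assumptions made for illustration.

```cpp
#include <cstdint>
#include <iostream>
#include <map>
#include <vector>

// Constructed model of a 32-bit process: address -> 4-byte value stored there.
using Memory = std::map<uint32_t, uint32_t>;

// "ac_client.exe"+10F4F4 is a module-relative offset; 50F4F4 is an absolute address.
uint32_t toAbsolute(uint32_t moduleBase, uint32_t offset) { return moduleBase + offset; }
uint32_t toOffset(uint32_t moduleBase, uint32_t absolute) { return absolute - moduleBase; }

// Walk a multilevel pointer: read the pointer stored at addr, add the next offset, repeat.
// Returns false when a link lands on memory that is not mapped in the model.
bool resolveChain(const Memory& mem, uint32_t start,
                  const std::vector<uint32_t>& offsets, uint32_t& out) {
    uint32_t addr = start;
    for (uint32_t off : offsets) {
        auto it = mem.find(addr);
        if (it == mem.end()) return false;
        addr = it->second + off;
    }
    out = addr;
    return true;
}

// Module loaded at `base`; the heap addresses and the value 20 are constructed.
Memory buildProcess(uint32_t base) {
    Memory m;
    m[base + 0x10F4F4] = 0x00A0F000;     // static pointer -> object
    m[0x00A0F000 + 0x374] = 0x00B12000;  // object + 0x374 -> next object
    m[0x00B12000 + 0x14] = 0x00C34000;   // next object + 0x14 -> final pointer
    m[0x00C34000] = 20;                  // value at the resolved address
    return m;
}

// Resolve the chain from `startAbs` in a process whose module sits at `base`; -1 on failure.
int readAmmo(uint32_t base, uint32_t startAbs) {
    Memory m = buildProcess(base);
    uint32_t addr = 0;
    if (!resolveChain(m, startAbs, {0x374, 0x14, 0x0}, addr)) return -1;
    auto it = m.find(addr);
    return it == m.end() ? -1 : static_cast<int>(it->second);
}

int main() {
    const uint32_t rebased = 0x01230000;  // constructed base, as if the module were relocated
    std::cout << readAmmo(0x400000, 0x50F4F4) << ' '                        // fixed base
              << readAmmo(rebased, 0x50F4F4) << ' '                         // stale absolute
              << readAmmo(rebased, toAbsolute(rebased, 0x10F4F4)) << '\n';  // base + offset
}
```

Only the module-relative offset survives a change of load address, which is why the trainer adds 0x10f4f4 to the value returned by GetModuleBaseAddress rather than hard-coding 0x50F4F4.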
 