Video Tutorial How to Hack Any Game Tutorial C++ Trainer #3 - First Internal


Rake

Cesspool Admin
Administrator
Jan 21, 2014
The much anticipated internal hack tutorial is here!


My tutorials are meant to be done in a specific order; if you follow the guide, each tutorial will build on the knowledge you learned in the last video. It is very important that you do the previous videos so you don't have stupid questions that have been answered previously. It is very thorough and highly recommended. Everyone that does the guide has become a successful game hacker, and so can you.

Start Here Beginner's Guide To Game Hacking



What is an internal hack?

Internal hacks are created by injecting a dynamic link library, or DLL, into the game process. When you do this you have direct access to the process's memory, which means fast performance and simplicity. Normally a DLL is used to export functions and to be used like a lib, accessing the functions from the lib when necessary. But in our case, we're just going to use them to get our code to run in a target process. Injected DLLs can be made more sneaky by using different injection methods such as Manual Mapping.

View the GuidedHacking Injector thread for more info about injector methods.

When you are internal, you create pointers to objects, typecast them and point them to objects in memory. Then you can access variables of that object easily through the pointer. ReClass is a great tool for generating classes from memory and we will cover that in the next video.

Internal vs External Hack what's the difference?

What you'll learn in this tutorial
  • Creating a thread
  • ModuleBaseAddress = GetModuleHandle()
  • Attaching a Console
  • Use pointer to validate game is hackable
  • Typecasting addresses to pointers, changing their value
  • Nop() Internal
  • Patch() internal
  • Freeze values like cheat engine
  • Ejecting the DLL so you don't have to restart the game during debugging

You must download the attachment from the previous tutorial if you're following along in the video.




MSDN Guides & Windows APIs referenced in the video:


https://docs.microsoft.com/en-us/cpp/build/dlls-in-visual-cpp?view=vs-2017

https://docs.microsoft.com/en-us/cp...using-a-dynamic-link-library-cpp?view=vs-2017

Sample code from dllmain.cpp:
C++:
#include "stdafx.h"
#include <Windows.h>
#include <iostream>
#include "mem.h"   //Nop / Patch / FindDMAAddy helpers from the previous tutorial's attachment

DWORD WINAPI HackThread(HMODULE hModule)
{
    //Create Console
    AllocConsole();
    FILE* f;
    freopen_s(&f, "CONOUT$", "w", stdout);

    std::cout << "OG for a fee, stay sippin' fam\n";

    uintptr_t moduleBase = (uintptr_t)GetModuleHandle(L"ac_client.exe");

    //calling it with NULL also gives you the address of the .exe module
    moduleBase = (uintptr_t)GetModuleHandle(NULL);

    bool bHealth = false, bAmmo = false, bRecoil = false;

    while (true)
    {
        if (GetAsyncKeyState(VK_END) & 1)
        {
            break;
        }

        if (GetAsyncKeyState(VK_NUMPAD1) & 1)
            bHealth = !bHealth;

        if (GetAsyncKeyState(VK_NUMPAD2) & 1)
        {
            bAmmo = !bAmmo;
        }

        //no recoil NOP
        if (GetAsyncKeyState(VK_NUMPAD3) & 1)
        {
            bRecoil = !bRecoil;

            if (bRecoil)
            {
                mem::Nop((BYTE*)(moduleBase + 0x63786), 10);
            }

            else
            {
                //50 8D 4C 24 1C 51 8B CE FF D2 the original stack setup and call
                mem::Patch((BYTE*)(moduleBase + 0x63786), (BYTE*)"\x50\x8D\x4C\x24\x1C\x51\x8B\xCE\xFF\xD2", 10);
            }
        }

        //need to use uintptr_t for pointer arithmetic later
        //need to use uintptr_t for pointer arithmetic later
        uintptr_t* localPlayerPtr = (uintptr_t*)(moduleBase + 0x10F4F4);

        //continuous writes / freeze

        //check what the pointer holds before dereferencing it: if it reads 0 the game
        //has no local player object yet and writing through it would crash
        if (localPlayerPtr && *localPlayerPtr)
        {
            if (bHealth)
            {

                //*localPlayerPtr = dereference the pointer, to get the localPlayerAddr
                // add 0xF8 to get health address
                //cast to an int pointer, this pointer now points to the health address
                //dereference it and assign the value 1337 to the health variable it points to
                *(int*)(*localPlayerPtr + 0xF8) = 1337;
            }

            if (bAmmo)
            {
                //We aren't external now, we can now efficiently calculate all pointers dynamically
                //before we only resolved pointers when needed for efficiency reasons
                //we are executing internally, we can calculate everything when needed
                uintptr_t ammoAddr = mem::FindDMAAddy(moduleBase + 0x10F4F4, { 0x374, 0x14, 0x0 });
                int* ammo = (int*)ammoAddr;
                *ammo = 1337;

                //or just
                *(int*)mem::FindDMAAddy(moduleBase + 0x10F4F4, { 0x374, 0x14, 0x0 }) = 1337;
            }

        }
        Sleep(5);
    }

    fclose(f);
    FreeConsole();
    FreeLibraryAndExitThread(hModule, 0);
    return 0;
}

BOOL APIENTRY DllMain(HMODULE hModule,
    DWORD  ul_reason_for_call,
    LPVOID lpReserved
)
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        CloseHandle(CreateThread(nullptr, 0, (LPTHREAD_START_ROUTINE)HackThread, hModule, 0, nullptr));
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}
 


taien

Newbie
Full Member
May 20, 2015
Thank you so much! Can you please teach us how to unhook a Present hook properly with DetourRemove? Thank you!
 

Rake

Cesspool Admin
Administrator
Jan 21, 2014
Thank you so much! Can you please teach us how to unhook a Present hook properly with DetourRemove? Thank you!
Save the bytes before you overwrite them; when you want to unhook, write the bytes back.
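The bookkeeping behind that advice, as an added example that is not Rake's code and not the mem.h from the tutorial attachment: it works on a local byte buffer standing in for a code region (no process memory access, no page-protection changes), so it compiles and runs anywhere. The point worth seeing is the check on the way out: before putting the original bytes back it verifies the location still holds exactly what it wrote, because a blind restore over bytes something else has since changed corrupts that change instead of undoing yours. The 10 sample bytes are the ones from the comment in the first post, used here only as constructed data.

```cpp
#include <cstdint>
#include <cstring>
#include <iostream>
#include <vector>

// Records the bytes a patch overwrote so they can be put back later, and
// refuses to "restore" over bytes that no longer match what it wrote.
// Operates on a plain byte buffer (a constructed stand-in for a code region).
class SavedPatch {
public:
    // Copy the original bytes out of dst, then write the new ones in.
    bool Apply(uint8_t* dst, const uint8_t* src, size_t len) {
        if (applied_ || dst == nullptr || src == nullptr || len == 0) return false;
        dst_ = dst;
        original_.assign(dst, dst + len);
        written_.assign(src, src + len);
        std::memcpy(dst, src, len);
        applied_ = true;
        return true;
    }

    // Put the original bytes back, but only if the location still holds
    // exactly the bytes this object wrote; otherwise something else has
    // modified it since and a blind restore would clobber that change.
    bool Restore() {
        if (!applied_) return false;
        if (std::memcmp(dst_, written_.data(), written_.size()) != 0) return false;
        std::memcpy(dst_, original_.data(), original_.size());
        applied_ = false;
        return true;
    }

    bool IsApplied() const { return applied_; }

private:
    uint8_t* dst_ = nullptr;
    std::vector<uint8_t> original_, written_;
    bool applied_ = false;
};

// Constructed sample data: the 10 bytes quoted in the first post's comment,
// and a 10-byte NOP sled to overwrite them with.
static const uint8_t kOriginal[10] = {0x50, 0x8D, 0x4C, 0x24, 0x1C, 0x51, 0x8B, 0xCE, 0xFF, 0xD2};
static const uint8_t kNops[10]     = {0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90};

// Apply, then restore: the region must end up byte-identical to the original.
bool RoundTripRestoresOriginal() {
    std::vector<uint8_t> region(kOriginal, kOriginal + 10);
    SavedPatch p;
    if (!p.Apply(region.data(), kNops, 10)) return false;
    if (std::memcmp(region.data(), kNops, 10) != 0) return false;  // patch landed
    if (!p.Restore()) return false;
    return std::memcmp(region.data(), kOriginal, 10) == 0;
}

// Someone else overwrote the patched bytes before we restored: Restore()
// must refuse and leave the foreign bytes untouched.
bool RestoreRefusesWhenBytesChanged() {
    std::vector<uint8_t> region(kOriginal, kOriginal + 10);
    SavedPatch p;
    p.Apply(region.data(), kNops, 10);
    region[0] = 0xCC;  // foreign modification after our patch
    bool restored = p.Restore();
    return !restored && region[0] == 0xCC && p.IsApplied();
}

// Restoring twice is harmless: the second call reports nothing to do.
bool SecondRestoreIsNoOp() {
    std::vector<uint8_t> region(kOriginal, kOriginal + 10);
    SavedPatch p;
    p.Apply(region.data(), kNops, 10);
    return p.Restore() && !p.Restore() && std::memcmp(region.data(), kOriginal, 10) == 0;
}

int main() {
    std::cout << "round trip: " << RoundTripRestoresOriginal() << "\n"
              << "refuses on change: " << RestoreRefusesWhenBytesChanged() << "\n"
              << "second restore no-op: " << SecondRestoreIsNoOp() << "\n";
    return 0;
}
```

The order matters as much as the bytes: the restore has to complete before the DLL is unloaded, since once the module is gone there is nothing left to perform it, and a hooked function that still jumps into the unloaded image is exactly the crash described later in this thread.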
 

taien

Newbie
Full Member
May 20, 2015
I did do that, but when I was debugging I realized my Present hook was still looping, and the point where I crash was when I try to free the library. DetourRemove didn't return 1:

Code:
DWORD FindDevice(DWORD Len)
{
    DWORD dwObjBase = 0;

    dwObjBase = (DWORD)LoadLibrary("d3d9.dll");
    while (dwObjBase++ < dwObjBase + Len)
    {
        if ((*(WORD*)(dwObjBase + 0x00)) == 0x06C7
            && (*(WORD*)(dwObjBase + 0x06)) == 0x8689
            && (*(WORD*)(dwObjBase + 0x0C)) == 0x8689
            ) {
            dwObjBase += 2;
            break;
        }
    }
    return(dwObjBase);
}

DWORD GetDeviceAddress(int VTableIndex)
{
    PDWORD VTable;
    *(DWORD*)&VTable = *(DWORD*)FindDevice(0x128000);
    return VTable[VTableIndex];
}

HRESULT WINAPI Hooked_Present(DWORD Device, CONST RECT *pSrcRect, CONST RECT *pDestRect, HWND hDestWindow, CONST RGNDATA *pDirtyRegion) {

    if (bRunThreads)
    {
        if (!bInit) {
            Functions.DrawCircle = (Typedefs::fnDrawCircle)((DWORD)GetModuleHandle(NULL) + oDrawCircle);
        }

        if (me->IsAlive()) {
            auto color = createRGB(0, 255, 0);
            Functions.DrawCircle(&Engine::GetMouseWorldPosition(), 650, &color, 0, 0.0f, 0, 0.5f);
        }
    }
    //std::cout << "loop hooked\n";
    return Original_Present(Device, pSrcRect, pDestRect, hDestWindow, pDirtyRegion);
}

DWORD WINAPI Start(HMODULE hModule) {
    //DisableThreadLibraryCalls(hModule);

    AllocConsole();
    FILE * f;
    freopen_s(&f, "CONOUT$", "w", stdout);

    std::cout << "OG\n";
    Functions.DrawCircle = (Typedefs::fnDrawCircle)((DWORD)GetModuleHandle(NULL) + oDrawCircle);
    Original_Present = (Prototype_Present)DetourFunction((PBYTE)GetDeviceAddress(17), (PBYTE)Hooked_Present);


    while (true)
    {
        if (GetAsyncKeyState(VK_END) & 1)
        {
            break;
        }
    }
    std::cout << "exiting thread\n";
    auto detour = DetourRemove(reinterpret_cast<PBYTE>(Original_Present), reinterpret_cast<PBYTE>(Hooked_Present));
    std::cout << "detour: " << detour << "\n";
    //DetourRemove((PBYTE)Original_Present, (PBYTE)Hooked_Present);
    std::cout << "termination start thread\n";
    TerminateThread(Start, 0);
    fclose(f); //Close console
    FreeConsole();
    Sleep(1000);
    FreeLibraryAndExitThread(hModule,0);
    return 0;
}
Do you mean this?
Original_Present = (Prototype_Present)DetourFunction((PBYTE)GetDeviceAddress(17), (PBYTE)Hooked_Present);
and this:
auto detour = DetourRemove(reinterpret_cast<PBYTE>(Original_Present), reinterpret_cast<PBYTE>(Hooked_Present));

The part where it crashes is the FreeLibraryAndExitThread. A side note: DetourRemove didn't return true.
 

Chucky

Newbie
Meme Tier VIP
Trump Tier Donator
Jan 23, 2018
Nice tut, but... I can not detach (VS). :confused:

PS:
After this line "FreeLibraryAndExitThread(hModule, 0);" the DLL is not unloaded.
 

Chucky

Newbie
Meme Tier VIP
Trump Tier Donator
Jan 23, 2018
Are you using my exact code and using it on Assault Cube?
Yeah.
Copy/pasta from the first post and tested on AC and CS 1.6 (with new offsets/addresses).
Also I tried injecting an empty DLL (without cheats, only the End key for break/exit) into Notepad++ (x32 & x64) and Firefox.
When I attach CE to the game (after "ejecting") my DLL is still there.
 

Rake

Cesspool Admin
Administrator
Jan 21, 2014
Yeah.
Copy/pasta from the first post and tested on AC and CS 1.6 (with new offsets/addresses).
Also I tried injecting an empty DLL (without cheats, only the End key for break/exit) into Notepad++ (x32 & x64) and Firefox.
When I attach CE to the game (after "ejecting") my DLL is still there.
I will check it out tonight, thanks for the bug report.
 

Chucky

Newbie
Meme Tier VIP
Trump Tier Donator
Jan 23, 2018
I will check it out tonight, thanks for the bug report.
No problem.
Waiting for the fix.

EDIT:
After updating VS and Windows the problem is gone.
All works great. :cool:
 
Sep 30, 2019
Hey, I just finished this tutorial and I was crashing after trying to change health and ammo value. I debugged and the problem was localPlayerPtr pointing to an invalid address. I removed moduleBase and it started working.
What's the importance of moduleBase, and why am I getting an invalid address using moduleBase + offset:
C++:
uintptr_t* localPlayerPtr = (uintptr_t*)(moduleBase + 0x4f32f8);
instead of
C++:
uintptr_t* localPlayerPtr = (uintptr_t*)(0x4f32f8);
Thanks in advance.
 

Rake

Cesspool Admin
Administrator
Jan 21, 2014
Hey, I just finished this tutorial and I was crashing after trying to change health and ammo value. I debugged and the problem was localPlayerPtr pointing to an invalid address. I removed moduleBase and it started working.
What's the importance of moduleBase, and why am I getting an invalid address using moduleBase + offset:
C++:
uintptr_t* localPlayerPtr = (uintptr_t*)(moduleBase + 0x4f32f8);
instead of
C++:
uintptr_t* localPlayerPtr = (uintptr_t*)(0x4f32f8);
Thanks in advance.
This is not the correct address:
0x4f32f8

The correct address is in the source code and in the tutorial.

If it worked when you removed moduleBase, then what you have is not a relative offset, it is an address. You were adding an address to the module base instead of adding a relative offset. The reason we use relative offsets is explained in the beginner's guide.
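Why the distinction matters, as an added example that is neither Rake's code nor the tutorial's: it simulates the same image being loaded at two different base addresses in two runs, which is what ASLR does to a module between launches. The base addresses kBaseRunA and kBaseRunB, the image size and the offset kValueRva are all made-up values for the simulation; nothing here reads a real process. It shows that an absolute address observed in one run is useless in the next, that the same location expressed as a relative offset (RVA) survives the move, and that adding an already-absolute address to the module base, the mistake in the post above, points far past the end of the image.

```cpp
#include <cstdint>
#include <cstring>
#include <iostream>
#include <vector>

// Constructed stand-in for a loaded module: its bytes plus the address the
// loader happened to place it at. No real process memory is involved.
struct ModuleImage {
    uintptr_t base;
    std::vector<uint8_t> bytes;
};

// Made-up bases where the loader "placed" the same image in two runs (ASLR),
// and a made-up position of a 4-byte value inside the image, fixed at build time.
constexpr uintptr_t kBaseRunA  = 0x00400000;
constexpr uintptr_t kBaseRunB  = 0x7FFE0000;
constexpr uintptr_t kValueRva  = 0x10F4;
constexpr size_t    kImageSize = 0x2000;

ModuleImage LoadAt(uintptr_t base, int32_t value) {
    ModuleImage img{base, std::vector<uint8_t>(kImageSize, 0)};
    std::memcpy(&img.bytes[kValueRva], &value, sizeof value);
    return img;
}

// Convert an address seen in one run into a relative offset, and back.
uintptr_t ToRva(uintptr_t base, uintptr_t absolute) { return absolute - base; }
uintptr_t FromRva(uintptr_t base, uintptr_t rva)    { return base + rva; }

// Read a 4-byte value at an absolute address; false if the address falls
// outside the image (where the real thing would simply crash).
bool ReadInt32(const ModuleImage& img, uintptr_t absolute, int32_t* out) {
    if (absolute < img.base) return false;
    uintptr_t off = absolute - img.base;
    if (off + sizeof(int32_t) > img.bytes.size()) return false;
    std::memcpy(out, &img.bytes[off], sizeof(int32_t));
    return true;
}

// Run A: the value's absolute address as a memory scanner would report it.
uintptr_t ObservedAddressInRunA() { return FromRva(kBaseRunA, kValueRva); }  // 0x004010F4

// Reusing run A's absolute address in run B misses the image entirely.
bool AbsoluteAddressBreaksAcrossRuns() {
    ModuleImage runB = LoadAt(kBaseRunB, 1337);
    int32_t v = 0;
    return !ReadInt32(runB, ObservedAddressInRunA(), &v);
}

// Converting it to an RVA and re-basing on run B's module base finds the value.
int32_t RelativeOffsetSurvivesRebase() {
    ModuleImage runB = LoadAt(kBaseRunB, 1337);
    uintptr_t rva = ToRva(kBaseRunA, ObservedAddressInRunA());  // 0x10F4
    int32_t v = 0;
    ReadInt32(runB, FromRva(runB.base, rva), &v);
    return v;
}

// The mistake from the post: adding an already-absolute address to the base
// lands well past the end of the image, even in the run it was observed in.
bool AddingAbsoluteToBaseLeavesImage() {
    ModuleImage runA = LoadAt(kBaseRunA, 1337);
    int32_t v = 0;
    return !ReadInt32(runA, FromRva(runA.base, ObservedAddressInRunA()), &v);
}

int main() {
    std::cout << "absolute address breaks across runs: " << AbsoluteAddressBreaksAcrossRuns() << "\n"
              << "relative offset after rebase reads: " << RelativeOffsetSurvivesRebase() << "\n"
              << "base + absolute leaves the image: " << AddingAbsoluteToBaseLeavesImage() << "\n";
    return 0;
}
```

The same arithmetic is what makes a scanner's hit from one session reusable in the next: record base-relative offsets, and resolve them against the module base the loader reports at run time, never against the base seen when the offset was found.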
 