Video Tutorial How to Hack Any Game Tutorial C++ Trainer #3 - First Internal


Rake (Cesspool Admin, Administrator, joined Jan 21, 2014)
Game Name: Assault Cube
Anticheat: None
How long you been coding/hacking? 7 years
Coding Language: C++
What you need: Visual Studio Community
What is an internal hack?
Internal hacks are created by injecting a dynamic link library (DLL) into the game process. When you do this you have direct access to the process's memory, which means fast performance and simplicity. Normally a DLL is used to export functions and to be used like a lib, accessing the functions from the lib when necessary. But in our case, we're just going to use it to get our code to run in a target process. Injected DLLs can be made more sneaky by using different injection methods such as Manual Mapping.


My tutorials are meant to be done in a specific order, if you follow the guide each tutorial will build on the knowledge you learned in the last video. It is very important that you do the previous videos so you don't have stupid questions that have been answered previously. It is very thorough and highly recommended. Everyone that does the guide has become a successful game hacker and so can you.

Start Here Beginner's Guide To Game Hacking



View the GuidedHacking Injector thread for more info about injector methods.

When you are internal you create pointers to objects, typecast them and point them to objects in memory. Then you can access variables of that object easily through the pointer. ReClass is a great tool for generating classes from memory and we will cover that in the next video.

Internal vs External Hack what's the difference?

What you'll learn in this tutorial
  • Creating a thread
  • ModuleBaseAddress = GetModuleHandle()
  • Attaching a Console
  • Use pointer to validate game is hackable
  • Typecasting addresses to pointers, changing their value
  • Nop() Internal
  • Patch() internal
  • Freeze values like cheat engine
  • Ejecting the DLL so you don't have to restart the game during debugging

You must download the attachment from the previous tutorial if you're following along in the video.



How to Hack Any Game Tutorial C++ Trainer #3 - First Internal


MSDN Guides & Windows APIs referenced in the video:
Sample code from dllmain.cpp:
C++:
#include "stdafx.h"
#include <iostream>
#include "mem.h"

DWORD WINAPI HackThread(HMODULE hModule)
{
    //Create Console
    AllocConsole();
    FILE* f;
    freopen_s(&f, "CONOUT$", "w", stdout);

    std::cout << "OG for a fee, stay sippin' fam\n";

    uintptr_t moduleBase = (uintptr_t)GetModuleHandle(L"ac_client.exe");

    //calling it with NULL also gives you the address of the .exe module
    moduleBase = (uintptr_t)GetModuleHandle(NULL);

    bool bHealth = false, bAmmo = false, bRecoil = false;

    while (true)
    {
        if (GetAsyncKeyState(VK_END) & 1)
        {
            break;
        }

        if (GetAsyncKeyState(VK_NUMPAD1) & 1)
            bHealth = !bHealth;

        if (GetAsyncKeyState(VK_NUMPAD2) & 1)
        {
            bAmmo = !bAmmo;
        }

        //no recoil NOP
        if (GetAsyncKeyState(VK_NUMPAD3) & 1)
        {
            bRecoil = !bRecoil;

            if (bRecoil)
            {
                mem::Nop((BYTE*)(moduleBase + 0x63786), 10);
            }

            else
            {
                //50 8D 4C 24 1C 51 8B CE FF D2 the original stack setup and call
                mem::Patch((BYTE*)(moduleBase + 0x63786), (BYTE*)"\x50\x8D\x4C\x24\x1C\x51\x8B\xCE\xFF\xD2", 10);
            }
        }

        //need to use uintptr_t for pointer arithmetic later
        uintptr_t* localPlayerPtr = (uintptr_t*)(moduleBase + 0x10F4F4);

        //continuous writes / freeze

        //the computed pointer itself is never null; check that it currently holds a player object
        if (localPlayerPtr && *localPlayerPtr)
        {
            if (bHealth)
            {

                //*localPlayerPtr = dereference the pointer, to get the localPlayerAddr
                // add 0xF8 to get health address
                //cast to an int pointer, this pointer now points to the health address
                //dereference it and assign the value 1337 to the health variable it points to
                *(int*)(*localPlayerPtr + 0xF8) = 1337;
            }

            if (bAmmo)
            {
                //We aren't external now, we can now efficiently calculate all pointers dynamically
                //before we only resolved pointers when needed for efficiency reasons
                //we are executing internally, we can calculate everything when needed
                uintptr_t ammoAddr = mem::FindDMAAddy(moduleBase + 0x10F4F4, { 0x374, 0x14, 0x0 });
                int* ammo = (int*)ammoAddr;
                *ammo = 1337;

                //or just
                *(int*)mem::FindDMAAddy(moduleBase + 0x10F4F4, { 0x374, 0x14, 0x0 }) = 1337;
            }

        }
        Sleep(5);
    }

    fclose(f);
    FreeConsole();
    FreeLibraryAndExitThread(hModule, 0);
    return 0;
}

BOOL APIENTRY DllMain(HMODULE hModule,
    DWORD  ul_reason_for_call,
    LPVOID lpReserved
)
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        CloseHandle(CreateThread(nullptr, 0, (LPTHREAD_START_ROUTINE)HackThread, hModule, 0, nullptr));
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}
 

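Added example, not from the tutorial or its mem.h library: the kind of code-integrity check an anti-tamper component runs against the 10-byte region the tutorial NOPs at moduleBase + 0x63786. The known-good bytes are the ones the tutorial restores with Patch(); the "live" region here is a constructed local copy rather than game memory, so it runs anywhere.

```cpp
#include <array>
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <string>

// Constructed known-good copy of the 10 bytes the tutorial overwrites at moduleBase + 0x63786
// (push eax / lea ecx,[esp+1C] / push ecx / mov ecx,esi / call edx: its "stack setup and call").
static const std::array<uint8_t, 10> kKnownGood = {
    0x50, 0x8D, 0x4C, 0x24, 0x1C, 0x51, 0x8B, 0xCE, 0xFF, 0xD2};
struct PatchReport {
    bool modified = false;  // some byte differs from the known-good copy
    size_t firstDiff = 0;   // offset of the first differing byte
    size_t nopRun = 0;      // longest run of 0x90 inside the region
    std::string verdict;    // "intact", "nop-slide" or "patched"
};
// Compare a code region against its known-good copy. A real checker takes the copy
// from the on-disk image or from a hash recorded at startup; here it is kKnownGood.
PatchReport checkRegion(const uint8_t* live, const uint8_t* good, size_t len) {
    PatchReport r;
    size_t run = 0;
    for (size_t i = 0; i < len; ++i) {
        if (live[i] != good[i] && !r.modified) { r.modified = true; r.firstDiff = i; }
        run = (live[i] == 0x90) ? run + 1 : 0;
        if (run > r.nopRun) r.nopRun = run;
    }
    if (!r.modified) r.verdict = "intact";
    else if (r.nopRun == len) r.verdict = "nop-slide";  // whole region is NOPs, as Nop() leaves it
    else r.verdict = "patched";
    return r;
}
// Put the known-good bytes back; returns how many bytes had to be rewritten.
size_t restoreRegion(uint8_t* live, const uint8_t* good, size_t len) {
    size_t changed = 0;
    for (size_t i = 0; i < len; ++i)
        if (live[i] != good[i]) { live[i] = good[i]; ++changed; }
    return changed;
}
// Run the check on a constructed copy of the region: before the NOP, after it, after restore.
std::array<std::string, 3> demo() {
    std::array<uint8_t, 10> region = kKnownGood;  // stand-in for the live bytes
    const uint8_t* good = kKnownGood.data();
    std::string before = checkRegion(region.data(), good, region.size()).verdict;
    std::memset(region.data(), 0x90, region.size());  // what mem::Nop(addr, 10) writes
    std::string after = checkRegion(region.data(), good, region.size()).verdict;
    restoreRegion(region.data(), good, region.size());  // what Patch() with the saved bytes does
    return {before, after, checkRegion(region.data(), good, region.size()).verdict};
}
```

Periodically running checkRegion over the game's own hot spots (and comparing against a hash rather than a plaintext copy) is how a simple integrity check catches the Nop() toggle above even though no process handle is ever opened.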

Rake (Cesspool Admin, Administrator, joined Jan 21, 2014)
Internal vs. External?

External
External hacks use WriteProcessMemory (WPM) and ReadProcessMemory (RPM) to interact with the game process's memory. To do this you need to ask the kernel to give you a handle to the process by using OpenProcess() with the process access rights you require, typically PROCESS_ALL_ACCESS. The handle is a required parameter for RPM/WPM. Kernel mode anticheats can easily block external hacks by using ObRegisterCallbacks to block handle creation. Info from DouggemHacks. RPM/WPM is slow because you have the overhead of the API calls into the kernel. You should limit the frequency of these calls and store as much information locally as possible to increase the performance of your external hack. If the game has no method of detecting RPM, making an overlay ESP is a good way of making an undetected external ESP because you only need RPM to be undetected.

Pros of external:
  • In my opinion none compared to internal unless you just want to super quickly patch some bytes and then close the hack

Cons of external:
  • Super easy to detect because of the open process handle
  • Harder to use especially for beginners (WPM/RPM, getting the PID, blalba) though easy to master because it has no potential
  • Less potential
  • Slow

Internal
Internal hacks are created by injecting DLLs into the game process. When you do this you have direct access to the process's memory, which means fast performance and simplicity. Injected DLLs can be made more sneaky by using different injection methods such as Manual Mapping. View the GuidedHacking Injector thread for more info.
Try a simple DLL hack source code for Assault Cube for learning purposes.
When you are internal you create pointers to objects, typecast them and point them to objects in memory. Then you can access variables of that object easily through the pointer. ReClass is a great tool for generating classes from memory. This is an example of how to typecast variables in memory and modify them in an internal cheat:

C++:
DWORD* localPlayerAddress = (DWORD*)(0x509B74);
int * health = (int*)(*localPlayerAddress + 0xf8);
*health = 1337;
Pros of internal:
  • Sick performance
  • Easy to start off with
  • Much potential
  • Can be super sneaky and almost impossible to detect if done properly

Cons of internal:
  • Hard to master
  • Easier to detect when you don't know what you're doing

*Information compiled/copied from forum posts, mostly Broihon

Rake (Cesspool Admin, Administrator, joined Jan 21, 2014)
Thank you so much! Can you please teach us how to unhook a Present hook properly with DetourRemove? Thank you!
Save the bytes before you overwrite them, when you want to unhook, write the bytes back
 

taien (Newbie, Full Member, joined May 20, 2015)
I did do that, but when I was debugging I realized my Present hook was still looping, and the point where I crash was when I try to free the library. DetourRemove didn't return 1.

Code:
DWORD FindDevice(DWORD Len)
{
    DWORD dwObjBase = (DWORD)LoadLibrary("d3d9.dll");
    DWORD dwEnd = dwObjBase + Len;

    //scan forward, one byte at a time, for the pattern that precedes the device pointer
    while (dwObjBase < dwEnd)
    {
        if ((*(WORD*)(dwObjBase + 0x00)) == 0x06C7
            && (*(WORD*)(dwObjBase + 0x06)) == 0x8689
            && (*(WORD*)(dwObjBase + 0x0C)) == 0x8689)
        {
            dwObjBase += 2;
            break;
        }
        dwObjBase++;
    }
    return dwObjBase;
}

DWORD GetDeviceAddress(int VTableIndex)
{
    //the found location holds a pointer to the device's vtable
    PDWORD VTable = *(PDWORD*)FindDevice(0x128000);
    return VTable[VTableIndex];
}

HRESULT WINAPI Hooked_Present(DWORD Device, CONST RECT *pSrcRect, CONST RECT *pDestRect, HWND hDestWindow, CONST RGNDATA *pDirtyRegion)
{
    if (bRunThreads)
    {
        if (!bInit)
        {
            Functions.DrawCircle = (Typedefs::fnDrawCircle)((DWORD)GetModuleHandle(NULL) + oDrawCircle);
            bInit = true; //only resolve once
        }

        if (me->IsAlive())
        {
            auto color = createRGB(0, 255, 0);
            Functions.DrawCircle(&Engine::GetMouseWorldPosition(), 650, &color, 0, 0.0f, 0, 0.5f);
        }
    }
    //std::cout << "loop hooked\n";
    return Original_Present(Device, pSrcRect, pDestRect, hDestWindow, pDirtyRegion);
}

DWORD WINAPI Start(HMODULE hModule)
{
    //DisableThreadLibraryCalls(hModule);

    AllocConsole();
    FILE* f;
    freopen_s(&f, "CONOUT$", "w", stdout);

    std::cout << "OG\n";
    Functions.DrawCircle = (Typedefs::fnDrawCircle)((DWORD)GetModuleHandle(NULL) + oDrawCircle);
    Original_Present = (Prototype_Present)DetourFunction((PBYTE)GetDeviceAddress(17), (PBYTE)Hooked_Present);

    while (true)
    {
        if (GetAsyncKeyState(VK_END) & 1)
        {
            break;
        }
    }
    std::cout << "exiting thread\n";
    auto detour = DetourRemove(reinterpret_cast<PBYTE>(Original_Present), reinterpret_cast<PBYTE>(Hooked_Present));
    std::cout << "detour: " << detour << "\n";
    //DetourRemove((PBYTE)Original_Present, (PBYTE)Hooked_Present);
    std::cout << "termination start thread\n";
    TerminateThread(Start, 0); //NB: TerminateThread takes a thread HANDLE, not a function pointer
    fclose(f); //Close console
    FreeConsole();
    Sleep(1000);
    FreeLibraryAndExitThread(hModule, 0);
    return 0;
}
Do you mean this?
Original_Present = (Prototype_Present)DetourFunction((PBYTE)GetDeviceAddress(17), (PBYTE)Hooked_Present);
and this:
auto detour = DetourRemove(reinterpret_cast<PBYTE>(Original_Present), reinterpret_cast<PBYTE>(Hooked_Present));

The part where it crashes is the FreeLibraryAndExitThread. A side note is that DetourRemove didn't return true.
 

Chucky (Newbie, Meme Tier VIP, Trump Tier Donator, joined Jan 23, 2018)
Nice tut, but... I cannot detach (VS). :confused:

PS:
After this line "FreeLibraryAndExitThread(hModule, 0);" dll is not unloaded.

Chucky (Newbie, Meme Tier VIP, Trump Tier Donator, joined Jan 23, 2018)
Are you using my exact code and using it on assault cube?
Yeah.
Copy/Pasta from first post and tested on AC and CS1.6 (with new offsets/addresses).
Also i try injecting empty dll (without cheats, only end key for break/exit) with notepad++ (x32 & x64) and firefox.
When i attach CE to the game (after "ejecting") my DLL is still there.
 

Rake (Cesspool Admin, Administrator, joined Jan 21, 2014)
I will check it out tonight, thanks for the bug report

Chucky (Newbie, Meme Tier VIP, Trump Tier Donator, joined Jan 23, 2018)
No problem
Waiting for fix

EDIT:
After updating VS and Windows the problem is gone.
All works great. :cool:
Joined Sep 30, 2019
Hey, I just finished this tutorial and I was crashing after trying to change the health and ammo values. I debugged and the problem was localPlayerPtr pointing to an invalid address. I removed moduleBase and it started working.
What's the importance of moduleBase, and why am I getting an invalid offset using moduleBase + offset:
C++:
uintptr_t* localPlayerPtr = (uintptr_t*)(moduleBase + 0x4f32f8);
instead of
C++:
uintptr_t* localPlayerPtr = (uintptr_t*)(0x4f32f8);
Thanks in advance.
 

Rake (Cesspool Admin, Administrator, joined Jan 21, 2014)
this is not the correct address:
0x4f32f8

the correct address is in the source code and in the tutorial.

if it worked when you removed moduleBase, then what you have is not a relative offset, it is an address. You were adding an address to the module base, instead of adding a relative offset. The reason we use relative offsets is explained in the beginner's guide.
 