 |
Cheat Engine
The Official Site of Cheat Engine
|
| View previous topic :: View next topic |
| Author |
Message |
Special11
Cheater
![]() Reputation: 0
Joined: 20 Dec 2009
Posts: 28
|
 Posted: Thu Aug 26, 2010 2:59 pm Post subject: Static address? |
 |
|
Hello all, well I found pointer that is working every time i run the game, but it isn't address in format like:
[module+offset] ex. [Game.exe+0x4c3]
But like this one in screenshot. ( 069F190 )
Well, i tried to find a real static address like in [module+offset] format but i think that anti-cheat blocks these addresses from scanning.
And my question. Can I use pointer like this one in screenshot to my trainer? Or how can I find the real static address? I tried both method ( pointer scanner and debugger ). And I'm using kernel mode debugger and Read/Write process memory.
| Description: |
|
| Filesize: |
26.85 KB |
| Viewed: |
12179 Time(s) |
|
|
|
| Back to top |
|
 |
Dark Byte
Site Admin
 Reputation: 458
Joined: 09 May 2003
Posts: 25284
Location: The netherlands
|
| Posted: Thu Aug 26, 2010 3:48 pm Post subject: |
 |
|
if it falls in the .exe's region of memory then yes, it'll stay static
_________________
Do not ask me about online cheats. I don't know any and wont help finding them.
Like my help? Join me on Patreon so i can keep helping |
|
| Back to top |
|
|
Special11
Cheater
![]() Reputation: 0
Joined: 20 Dec 2009
Posts: 28
|
| Posted: Thu Aug 26, 2010 4:12 pm Post subject: |
|
|
Thank's for help, but why it isn't in static address format? And yes, it is in .exe's memory region, but i can't make it working in C++. (I'm sure that this address work's in CE)
| Code: |
UINT_PTR DeRef( UINT_PTR _uiptrPointer ) {
UINT_PTR uiptrRet;
if ( !::ReadProcessMemory( hProcess, reinterpret_cast<LPVOID>(_uiptrPointer), &uiptrRet, sizeof( uiptrRet ), NULL ) ) { return 0UL; }
return uiptrRet;
}
void multiPointer(unsigned int speed) {
UINT_PTR uiptrFinal = DeRef( DeRef( 0x69F190 ) + 0xA20 ) + 0x9BA;
::WriteProcessMemory( hProcess, reinterpret_cast<LPVOID>(uiptrFinal), &speed, sizeof(speed), NULL );
}
void CMyHackDlg::SpeedButtonOn()
multiPointer(16666);
}
void CMyHackDlg::SpeedButtonOff()
{
multiPointer(16230);
}
|
|
|
| Back to top |
|
|
justa_dude
Grandmaster Cheater
 Reputation: 23
Joined: 29 Jun 2010
Posts: 891
|
| Posted: Thu Aug 26, 2010 5:29 pm Post subject: |
|
|
| Is your game crashing when you try to use your snippet? I wonder if you're trying to write to null. It should be pretty easy to debug - just look at the locations your trainer is trying to read / write.
|
|
| Back to top |
|
|
Special11
Cheater
![]() Reputation: 0
Joined: 20 Dec 2009
Posts: 28
|
| Posted: Thu Aug 26, 2010 7:15 pm Post subject: |
|
|
Umm well no, when I'm using my trainer just nothing happens. I tested writing memory process by doing this:
| Code: |
UINT_PTR DeRef( UINT_PTR _uiptrPointer ) {
UINT_PTR uiptrRet;
if ( !::ReadProcessMemory( hProcess, reinterpret_cast<LPVOID>(_uiptrPointer), &uiptrRet, sizeof( uiptrRet ), NULL ) ) { return 0UL; }
return uiptrRet;
}
void multiPointer(unsigned int speed) {
UINT_PTR uiptrFinal = DeRef( DeRef( 0x69F190 ) + 0xA20 ) + 0x9BA;
if(!::WriteProcessMemory( hProcess, reinterpret_cast<LPVOID>(uiptrFinal), &speed, sizeof(speed), NULL )) {
MessageBox(NULL,"Error!","4Story",MB_OK);
}
else {
MessageBox(NULL,"Memory written successfully","4Story",MB_OK);
}
}
void CMyHackDlg::SpeedButtonOn()
multiPointer(16666);
}
void CMyHackDlg::SpeedButtonOff()
{
multiPointer(16230);
}
|
Well but it always show error. Well I tested it on Saper: (pointer on screenshot)
| Code: |
void multiPointer(unsigned int mines) {
UINT_PTR uiptrFinal = DeRef( DeRef( 0x14A4818 ) + 0x160 ) + 0x0;
if(!::WriteProcessMemory( hProcess, reinterpret_cast<LPVOID>(uiptrFinal), &mines, sizeof(mines), NULL )) {
MessageBox(NULL,"Error!","Saper",MB_OK);
}
else {
MessageBox(NULL,"Memory written successfully","Saper",MB_OK);
}
}
|
And it work's! Well i think that when I'm trying to hack 4Story, my trainer is blocked by Hackshield from changing adresses. How can I bypass that? :/
| Description: |
|
| Filesize: |
19.64 KB |
| Viewed: |
12150 Time(s) |
|
|
|
| Back to top |
|
|
XaLeX
Expert Cheater
![]() Reputation: 0
Joined: 19 Aug 2008
Posts: 226
|
| Posted: Thu Aug 26, 2010 8:21 pm Post subject: |
|
|
Correct me if i'm wrong, but i thought that any address could be transcribed in the [region+offset] format (e.g. something allocated at address X (say 73cab8) in a region R ("xxx.dll") whose allocbase is Y (700000) would be [R + X-Y] -> [xxx.dll + (73cab8 - 700000)] -> [xxx.dll + 3cab8]).
| Special11 wrote: | | when I'm trying to hack 4Story, my trainer is blocked by Hackshield from changing adresses. How can I bypass that? :/ |
Welcome to hell. No way to hack server sided values with CE; try looking into WPE.
|
|
| Back to top |
|
|
Special11
Cheater
![]() Reputation: 0
Joined: 20 Dec 2009
Posts: 28
|
| Posted: Thu Aug 26, 2010 9:19 pm Post subject: |
|
|
I'm not sure because CE is blocked by Hackshield, even when I'm trying to check .exe base address i can't (look at screenshot) or I'm doing something wrong?
And this address is not server-side value, it work's when changing value in CE, but in my trainer memory writing is blocked by Hackshield.
However, I tried to do basic HS Bypass:
This code should tell HS that everything is right.
| Code: |
UINT MyThreadProc( LPVOID pParam ) {
for (;;){
int EhSvc = (long)GetModuleHandleA("EhSvc.dll");
if(EhSvc !=0){
DWORD OldProtect;
int EhPtr = (0xD1E44);
int Memory1 =(EhSvc+0xD4328);//HS-Addy
int Memory2 =(EhSvc+0xD4334);//Hs-Addy-Jump
int Memory3 =(EhSvc+0xD5A88);//Hs-Addy-Jump
int Memory4 =(EhSvc+0xD5AD4);//Hs-Addy-Jump
int Memory5 =(EhSvc+0xD5B04);//Hs-Addy-Jump
int Memory6 =(EhSvc+0xCA2EC);//Hs-Addy-Jump
int Memory7 =(EhSvc+0xC92F8);//Hs-Addy-Jump
int Memory8 =(EhSvc+0xD0AC8);//Hs-Addy-Jump
int Memory9 = (EhSvc+0xCA2EC);//Hs-Addy-Jump
int Memory10 =(EhSvc+0xD5B04);//Hs-Addy-Jump
int Memory11 =(EhSvc+0xD5B0C);//Hs-Addy-Jump
int Memory12 =(EhSvc+0xC92FC);//Hs-Addy-Jump
int Memory13 =(EhSvc+0xC92F4);//Hs-Addy-Jump
int Memory14 =(EhSvc+0xD4340);//Hs-Addy-Jump
int Memory15 =(EhSvc+0xD0680);//Hs-Addy-Jump
int Memory16 =(EhSvc+0xD3E28);//Hs-Addy-Jump
int Memory17 =(EhSvc+0xD3E48);//Hs-Addy-Jump
int Memory18 =(EhSvc+0xD691C);//Hs-Addy-Jump
int Memory19 =(EhSvc+0xCA2EC);//Hs-Addy-Jump
int Memory20 =(EhSvc+0xD5ACC);//Hs-Addy-Jump
int Memory21 =(EhSvc+0xD43C4);//Hs-Addy-Jump
int Memory22 =(EhSvc+0xD4334);//Hs-Addy-Jump
VirtualProtect((void*)(Memory1),0x6,PAGE_EXECUTE_READWRITE,&OldProtect);
*(DWORD*)(Memory1) = 4;
VirtualProtect((void*)(Memory2),0x6,PAGE_EXECUTE_READWRITE,&OldProtect);
*(DWORD*)(Memory2) = 4;
VirtualProtect((void*)(Memory3),0x6,PAGE_EXECUTE_READWRITE,&OldProtect);
*(DWORD*)(Memory3) = 4;
VirtualProtect((void*)(Memory4),0x6,PAGE_EXECUTE_READWRITE,&OldProtect);
*(DWORD*)(Memory4) = 4;
VirtualProtect((void*)(Memory5),0x6,PAGE_EXECUTE_READWRITE,&OldProtect);
*(DWORD*)(Memory5) = 4;
VirtualProtect((void*)(Memory6),0x6,PAGE_EXECUTE_READWRITE,&OldProtect);
*(DWORD*)(Memory6) = 4;
VirtualProtect((void*)(Memory7),0x6,PAGE_EXECUTE_READWRITE,&OldProtect);
*(DWORD*)(Memory7) = 4;
VirtualProtect((void*)(Memory8),0x6,PAGE_EXECUTE_READWRITE,&OldProtect);
*(DWORD*)(Memory8) = 4;
VirtualProtect((void*)(Memory9),0x6,PAGE_EXECUTE_READWRITE,&OldProtect);
*(DWORD*)(Memory9) = 4;
VirtualProtect((void*)(Memory10),0x6,PAGE_EXECUTE_READWRITE,&OldProtect);
*(DWORD*)(Memory10) = 4;
VirtualProtect((void*)(Memory11),0x6,PAGE_EXECUTE_READWRITE,&OldProtect);
*(DWORD*)(Memory11) = 4;
VirtualProtect((void*)(Memory12),0x6,PAGE_EXECUTE_READWRITE,&OldProtect);
*(DWORD*)(Memory12) = 4;
VirtualProtect((void*)(Memory13),0x6,PAGE_EXECUTE_READWRITE,&OldProtect);
*(DWORD*)(Memory13) = 4;
VirtualProtect((void*)(Memory14),0x6,PAGE_EXECUTE_READWRITE,&OldProtect);
*(DWORD*)(Memory14) = 4;
VirtualProtect((void*)(Memory15),0x6,PAGE_EXECUTE_READWRITE,&OldProtect);
*(DWORD*)(Memory15) = 4;
VirtualProtect((void*)(Memory16),0x6,PAGE_EXECUTE_READWRITE,&OldProtect);
*(DWORD*)(Memory16) = 4;
VirtualProtect((void*)(Memory17),0x6,PAGE_EXECUTE_READWRITE,&OldProtect);
*(DWORD*)(Memory17) = 4;
VirtualProtect((void*)(Memory18),0x6,PAGE_EXECUTE_READWRITE,&OldProtect);
*(DWORD*)(Memory18) = 4;
VirtualProtect((void*)(Memory19),0x6,PAGE_EXECUTE_READWRITE,&OldProtect);
*(DWORD*)(Memory19) = 4;
VirtualProtect((void*)(Memory20),0x6,PAGE_EXECUTE_READWRITE,&OldProtect);
*(DWORD*)(Memory20) = 4;
VirtualProtect((void*)(Memory21),0x6,PAGE_EXECUTE_READWRITE,&OldProtect);
*(DWORD*)(Memory21) = 4;
VirtualProtect((void*)(Memory22),0x6,PAGE_EXECUTE_READWRITE,&OldProtect);
*(DWORD*)(Memory22) = 4;
//VirtualProtect((void*)(Memory23),0x6,PAGE_EXECUTE_READWRITE,&OldProtect);
}
Sleep(5);
}
}
|
But it's does not matter, my hack still not work's and Writeprocessmemory fail's, how can I use VirtualProtect method to write something in a memory? Or any other way to unlock Read/Writeprocessmemory?
E: Again I tested this bypass and this code is not applied because my program can't get base address of EhSvc.dll module :/
| Description: |
|
| Filesize: |
27.56 KB |
| Viewed: |
12134 Time(s) |
|
|
|
| Back to top |
|
|
|
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum
|
|
FAQ
Search
Memberlist
Usergroups
Register
Profile
Log in to check your private messages
Log in
