Cheat Engine Forum Index
The Official Site of Cheat Engine
Discrepancy between Cheat Engine and GetModule handles?
ddano
Posted: Thu Feb 03, 2011 7:17 pm    Post subject: Discrepancy between Cheat Engine and GetModule handles?

Hey folks,

I've recently been taking what I know about C++ and applying it to gamehacking by using Cheat Engine to find offsets and then creating C++ trainers.

One thing that's giving me trouble is coding in a base address into C++. Cheat Engine makes this trivial since I just write something like '"jvm.dll"+002712D4' and CE pretty much runs with it.

However, according to Cheat Engine, jvm.dll is located at 0x00905A4D, while some C++ code I found linked from here returns a different handle.
The code is a helper function designed to take a pID and return the base address of a specified module. In my case I'm accessing Minecraft and running a search on jvm.dll to find its base address, which I can use as my "starting point".


Code:

#include <Windows.h>
#include <Tlhelp32.h>
#include <string.h>

// Returns the load address of lpModuleName inside process dwProcessId, or 0 if it is not found.
// Walks the target's module list through a Toolhelp32 snapshot.
DWORD GetModuleBase(LPCSTR lpModuleName, DWORD dwProcessId)
{
   MODULEENTRY32 lpModuleEntry = {0};
   // TH32CS_SNAPMODULE32 is needed as well so a 64-bit caller still sees 32-bit modules
   HANDLE hSnapShot = CreateToolhelp32Snapshot( TH32CS_SNAPMODULE | TH32CS_SNAPMODULE32, dwProcessId );

   // CreateToolhelp32Snapshot reports failure with INVALID_HANDLE_VALUE, not NULL
   if(hSnapShot == INVALID_HANDLE_VALUE)
      return 0;
   lpModuleEntry.dwSize = sizeof(lpModuleEntry);
   BOOL bModule = Module32First( hSnapShot, &lpModuleEntry );
   while(bModule)
   {
      // Module names are case-insensitive on Windows ("jvm.dll" and "JVM.DLL" are the same module)
      if(!_stricmp( lpModuleEntry.szModule, lpModuleName ) )
      {
         CloseHandle( hSnapShot );
         // modBaseAddr is a BYTE*; a DWORD holds it for a 32-bit target
         return (DWORD)(DWORD_PTR)lpModuleEntry.modBaseAddr;
      }
      bModule = Module32Next( hSnapShot, &lpModuleEntry );
   }
   CloseHandle( hSnapShot );
   return 0;
}


I'm using that piece of code inside my trainer's main function, here provided as a snippet.

Code:

#include <Windows.h>
#include <cstdio>
#include <iostream>
using std::cin;

// ACTION_BAR_BASE is the offset found with Cheat Engine; it is defined elsewhere in the trainer.
// DWORD GetModuleBase(LPCSTR lpModuleName, DWORD dwProcessId); is the helper shown above.

int main()
{
   HWND hWnd = FindWindow(NULL,"Minecraft"); // Find the Minecraft window

   if (!hWnd) { // Window not found
      printf("Couldn't find Minecraft!\n");
      cin.get();
      return 1;
   } else {
      DWORD pID; // We found the window, now we need to fetch the process ID (pID)
      GetWindowThreadProcessId(hWnd, &pID);
      // The second argument is bInheritHandle, a BOOL, so FALSE rather than NULL
      HANDLE hProc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pID);

      if (!hProc) {
         printf("Error opening Minecraft process!\n");
         cin.get();
         return 1;
      } else {
         // Process opened
         DWORD *dwStaticPointer = (DWORD*)GetModuleBase("jvm.dll", pID); // Grab base address of process
         DWORD *actionBarPointer = dwStaticPointer + ACTION_BAR_BASE;

         printf("Address: %x\n", dwStaticPointer);

         // ... ReadProcessMemory / WriteProcessMemory on actionBarPointer go here ...
         CloseHandle(hProc);
      }
   }
   return 0;
}


dwStaticPointer is not the same as Cheat Engine's base address of jvm.dll.
What could explain this discrepancy? Why is GetModuleBase returning me the wrong address?
Dark Byte (Site Admin)
Posted: Thu Feb 03, 2011 8:07 pm

Are you sure that CE says the ADDRESS of jvm.dll is 0x00905A4D?

Because this looks more like the VALUE at the base address of jvm.dll.

And replace (DWORD*) with just DWORD.

atom0s (Moderator)
Posted: Thu Feb 03, 2011 8:07 pm

Code:
         DWORD *dwStaticPointer = (DWORD*)GetModuleBase("jvm.dll", pID); // Grab base address of process
         DWORD *actionBarPointer = dwStaticPointer + ACTION_BAR_BASE;


Your code to create the address is invalid. Using pointers outside the memory space of the program doesn't work. And you are attempting to dereference the module, which is also incorrect.

Just use normal DWORDs and you should get a proper result.

Code:
DWORD dwStaticPointer = GetModuleBase("jvm.dll", pID);
DWORD actionBarPointer = dwStaticPointer + ACTION_BAR_BASE;


You'll have to use WriteProcessMemory / ReadProcessMemory to do anything with this address then.

If you want direct access, inject your code with a DLL.

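An added worked example, not code from the thread or from Cheat Engine, that ties Dark Byte's and atom0s's points together in plain C so it runs without the Win32 API. It shows three things: the value stored at any module's base is its DOS header, so a DWORD read there comes back as 0x00905A4D ("MZ", 0x90, 0x00), which is what a memory viewer prints beside the base rather than the base itself; a DWORD* plus an offset moves four times as far as a plain DWORD plus the same offset, which is why "the math doesn't add up"; and a Cheat Engine expression such as jvm.dll+002712D4 is module base plus hex offset, with the module name matched case-insensitively. The PE header bytes and the module table (names and bases) are constructed for this example; the bases are assumptions, not values from the thread.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample: the first bytes of a PE image as the linker lays them out.
 * IMAGE_DOS_HEADER starts with e_magic = "MZ" (0x4D, 0x5A) followed by e_cblp, which
 * is almost always 0x0090. Everything after the first four bytes is left zero here. */
static const uint8_t sample_image[64] = { 'M', 'Z', 0x90, 0x00 };

/* Read a little-endian 32-bit value, the way a DWORD is stored in x86 memory. */
uint32_t read_u32_le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The VALUE stored at a module's base: for any PE image this is the DOS header, so a
 * DWORD read there is 0x00905A4D ("MZ\x90\0"). That number is what a memory viewer
 * shows next to the base address; it is not the address. */
uint32_t first_dword_at_base(const uint8_t *base)
{
    return read_u32_le(base);
}

/* Sanity check for a candidate base: a real module base always starts with "MZ". */
int looks_like_module_base(const uint8_t *base)
{
    return base[0] == 'M' && base[1] == 'Z';
}

/* How far "base + offset" moves when base is a DWORD*: pointer arithmetic scales by
 * sizeof(DWORD), so the result lands 4*offset bytes in, not offset bytes. */
size_t advance_as_dword_ptr(const uint8_t *base, size_t offset)
{
    const uint32_t *p = (const uint32_t *)base;
    return (size_t)((const uint8_t *)(p + offset) - base);
}

/* The same step done on an integer address: moves exactly offset bytes. */
size_t advance_as_integer(const uint8_t *base, size_t offset)
{
    uintptr_t addr = (uintptr_t)base + offset;
    return (size_t)(addr - (uintptr_t)base);
}

/* A module list as Module32First/Module32Next would return it. Names and bases are
 * constructed for this example; the bases are assumptions, not values from the thread. */
typedef struct { const char *name; uintptr_t base; } module_entry;

static const module_entry sample_modules[] = {
    { "javaw.exe", 0x00400000u },
    { "jvm.dll",   0x6D800000u },
    { "ntdll.dll", 0x77DD0000u },
};
static const size_t sample_module_count = sizeof sample_modules / sizeof sample_modules[0];

/* Windows module names are case-insensitive, so "JVM.DLL" must match "jvm.dll";
 * a plain strcmp() would miss it. */
static int name_equals_nocase(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == '\0' && *b == '\0';
}

/* Turn Cheat Engine notation "jvm.dll+002712D4" into a flat address: module base
 * (looked up in mods) plus the hex offset. Returns 0 when the syntax is wrong or the
 * module is not loaded, so callers can tell "not found" from a real address. */
uintptr_t resolve_ce_address(const char *expr, const module_entry *mods, size_t count)
{
    const char *plus = strchr(expr, '+');
    if (plus == NULL || plus == expr) return 0;
    if (!isxdigit((unsigned char)plus[1])) return 0;     /* empty, signed or non-hex offset */

    size_t name_len = (size_t)(plus - expr);
    char name[64];
    if (name_len >= sizeof name) return 0;
    memcpy(name, expr, name_len);
    name[name_len] = '\0';

    char *end = NULL;
    unsigned long offset = strtoul(plus + 1, &end, 16);
    if (*end != '\0') return 0;                          /* trailing junk after the offset */

    for (size_t i = 0; i < count; i++)
        if (name_equals_nocase(name, mods[i].name))
            return mods[i].base + (uintptr_t)offset;
    return 0;                                            /* module not in the snapshot */
}

int main(void)
{
    printf("value at module base : 0x%08X\n", first_dword_at_base(sample_image));
    printf("(DWORD*)base + 4     : moves %zu bytes\n", advance_as_dword_ptr(sample_image, 4));
    printf("(DWORD)base + 4      : moves %zu bytes\n", advance_as_integer(sample_image, 4));
    printf("jvm.dll+002712D4     -> 0x%08lX\n",
           (unsigned long)resolve_ce_address("jvm.dll+002712D4", sample_modules, sample_module_count));
    return 0;
}
```

Against a live target the module table comes from the Toolhelp32 walk shown in the first post and the header bytes from ReadProcessMemory at the returned base; the "MZ" check is a cheap way to confirm that what came back really is a module base before adding offsets to it.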
Dark Byte (Site Admin)
Posted: Thu Feb 03, 2011 8:09 pm

also see this topic: http://forum.cheatengine.org/viewtopic.php?t=531394

You're using OpenProcess; I really doubt GetModuleBase will work for you.

ddano
Posted: Thu Feb 03, 2011 8:42 pm

Dark Byte wrote:
Are you sure that CE says the ADDRESS of jvm.dll is 0x00905A4D?

Because this looks more like the VALUE at the base address of jvm.dll.

And replace (DWORD*) with just DWORD.


Perhaps I'm not well-versed with the features in CE, but how could I otherwise check the base address of the module?

I've attached a screenshot of the pointer window for one of my results. I may very well be looking at it incorrectly, but hopefully you'll see from where I pulled the number.

As for GetModuleBase, it's invoking CreateToolhelp32Snapshot, Module32First, and Module32Next to find the library I'm after. It seems as though this is what's been recommended in the link you posted. Could you elaborate?

Wiccaan - It's perhaps better convention to do it your way. I was never actually dereferencing pointers. I just had it in my head "oh, that's an address, it goes into a pointer variable". I was still calling ReadProcessMemory. However, I do agree that it doesn't make sense to use a pointer if you never intend to dereference it. Blame my education for that one.

EDIT: I'm obviously looking at it wrong because the math doesn't even add up.

[Attached screenshot: CE_window.png]
Dark Byte (Site Admin)
Posted: Thu Feb 03, 2011 9:42 pm

To get the address of jvm.dll in CE, go to the Memory View window, right-click and choose Goto Address. There, type in jvm.dll and click OK.

It will now be at the base address of jvm.dll.

As for the difference between address and value, and how to use a pointer: http://forum.cheatengine.org/viewtopic.php?t=422516

atom0s (Moderator)
Posted: Fri Feb 04, 2011 12:55 am

Dark Byte wrote:
also see this topic: http://forum.cheatengine.org/viewtopic.php?t=531394

you're using openprocess, I really doubt GetModuleBase will work for you


GetModuleBase was his own function; I think you are confusing it with GetModuleHandle.

hcavolsdsadgadsg
Posted: Fri Feb 04, 2011 2:22 am

on another note, you are in for pain and anguish if you are trying to hunt down addresses in minecraft / java.

they will change every single time.
ddano
Posted: Fri Feb 04, 2011 6:19 pm

slovach wrote:
on another note, you are in for pain and anguish if you are trying to hunt down addresses in minecraft / java.

they will change every single time.


Yeah, it gets messy. Nearly everything Java does is via references and so right now I'm counting on having objects already allocated that I can edit. It would be nice to code a hack that can call a specified constructor with my own arguments, but that's a few steps beyond my scope of learning. Still, I'm having good success with my trainer thanks to the replies in this thread. I hope to soon have a friend test it on his computer.
hcavolsdsadgadsg
Posted: Fri Feb 04, 2011 8:11 pm

I wanted to create a way to fly so I ended up writing a simple byte array search that would look for the player struct. The difficult part was when monsters got introduced and it was possible to end up using their info instead. For whatever reason I couldn't think of a way to prove it was always the player so...

I then ended up with some comically overcomplicated mess of a DLL that I would inject to the process which allocated a block of memory and patched a chunk of the physics code to jump to this space and write out the pointer to the struct that I assumed was the player based off which struct it was trying to access at the time. If it was the 1st in the array it was probably the player.

The address changed so incredibly often that it was really easy to get the wrong pointer even if I wrote out the correct one unless I was polling for the address hundreds of times per second. I had what I thought was a better solution for this but I never bothered.

It was a clusterfuck, but it totally did work until the paid version, where I couldn't be assed.
http://bit .ly/dZ31er


Now the client itself seems to do little in way of protection so if you know java you can just edit the actual source code to the game. It's all obfuscated but most of it is documented and may just be the easiest way to go about things.
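The byte-array search described in the post above, as an added example in C that is not code from the thread: a pattern scanner that takes the usual "DE AD ? 00 CA FE" notation (hex bytes, with ? or ?? as a wildcard) and returns every match rather than stopping at the first, which is exactly what exposes the player-versus-monster ambiguity, since several structs with the same layout all match. The memory region and its record layout (2-byte tag, id, flags, 2-byte trailer) are constructed for this example and are not taken from Minecraft.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One position of a pattern: a fixed byte, or a wildcard that matches anything
 * (written "?" or "??" in the text form most signature scanners use). */
typedef struct { uint8_t value; int wildcard; } pat_byte;

/* Parse "DE AD ? 00 CA FE" into pat_byte[]. Returns the number of positions, or -1 on
 * malformed input (non-hex token, single hex digit, too many positions). */
int parse_pattern(const char *text, pat_byte *out, size_t max)
{
    size_t n = 0;
    while (*text) {
        while (*text == ' ') text++;
        if (!*text) break;
        if (n == max) return -1;
        if (text[0] == '?') {
            out[n].wildcard = 1;
            out[n].value = 0;
            text += (text[1] == '?') ? 2 : 1;
        } else {
            if (!isxdigit((unsigned char)text[0]) || !isxdigit((unsigned char)text[1])) return -1;
            char hex[3] = { text[0], text[1], '\0' };
            out[n].wildcard = 0;
            out[n].value = (uint8_t)strtoul(hex, NULL, 16);
            text += 2;
        }
        if (*text && *text != ' ') return -1;   /* every token must end at a space */
        n++;
    }
    return (int)n;
}

/* Scan mem[0..len) for every match of pat. Returns the total match count and stores up
 * to max_hits offsets in hits. Returning all hits, not just the first, is what lets a
 * caller see that several structs share the layout (players and mobs alike). */
size_t find_pattern(const uint8_t *mem, size_t len, const pat_byte *pat, size_t patlen,
                    size_t *hits, size_t max_hits)
{
    size_t found = 0;
    if (patlen == 0 || len < patlen) return 0;
    for (size_t i = 0; i + patlen <= len; i++) {
        size_t j = 0;
        while (j < patlen && (pat[j].wildcard || mem[i + j] == pat[j].value)) j++;
        if (j == patlen) {
            if (found < max_hits) hits[found] = i;
            found++;
        }
    }
    return found;
}

/* Constructed sample of a process memory region: three entity-like records, each a
 * 2-byte tag, a 1-byte id, a 1-byte flags field and a 2-byte trailer. The third record
 * has flags = 0x01, so it is a near miss for a pattern that pins flags to 0x00. */
static const uint8_t sample_mem[] = {
    0x00, 0x11, 0x22, 0x33,                 /* unrelated bytes                 */
    0xDE, 0xAD, 0x01, 0x00, 0xCA, 0xFE,     /* record 1 at offset 4            */
    0x55, 0x66, 0x77,                       /* padding                         */
    0xDE, 0xAD, 0x02, 0x00, 0xCA, 0xFE,     /* record 2 at offset 13           */
    0x88, 0x99,                             /* padding                         */
    0xDE, 0xAD, 0x03, 0x01, 0xCA, 0xFE,     /* record 3 at offset 21, flags=1  */
};

/* Parse and scan in one call. Returns the match count, or -1 for a malformed pattern. */
int scan_for(const char *pattern_text, const uint8_t *mem, size_t len, size_t *hits, size_t max_hits)
{
    pat_byte pat[64];
    int n = parse_pattern(pattern_text, pat, sizeof pat / sizeof pat[0]);
    if (n < 0) return -1;
    return (int)find_pattern(mem, len, pat, (size_t)n, hits, max_hits);
}

/* Checks over the sample region: how many matches a pattern has, and where the n-th
 * (0-based) one sits; -1 when the pattern is malformed or there is no such match. */
long sample_match_count(const char *pattern_text)
{
    size_t hits[16];
    return scan_for(pattern_text, sample_mem, sizeof sample_mem, hits, 16);
}

long sample_match_offset(const char *pattern_text, size_t nth)
{
    size_t hits[16];
    int n = scan_for(pattern_text, sample_mem, sizeof sample_mem, hits, 16);
    if (n < 0 || nth >= (size_t)n || nth >= 16) return -1;
    return (long)hits[nth];
}

int main(void)
{
    size_t hits[8];
    int n = scan_for("DE AD ? 00 CA FE", sample_mem, sizeof sample_mem, hits, 8);
    printf("%d match(es)\n", n);
    for (int i = 0; i < n && i < 8; i++)
        printf("  offset %zu (record id %u)\n", hits[i], sample_mem[hits[i] + 2]);
    return 0;
}
```

Against a live process the buffer would come from ReadProcessMemory over each readable region, and the offsets returned here are relative to the buffer start, so the region's base has to be added back. Because matches are returned in address order, the "first one in the array is probably the player" heuristic from the post is simply hits[0]; the count tells you when that guess is ambiguous.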