Cheat Engine

[Quibbs]

I've been banging my head against this problem for a bit now, so I've finally decided to sign up for an account here to see if you guys can help me out


I'm trying to calculate my base pointer I've gotten for a game called "Brawlhalla". I've gotten this base pointer via CE already; "Adobe AIR.dll"+01315500 + 8 more levels of offsets. I've confirmed this is indeed a base pointer, it works across multiple gamemodes and across application restarts. However, this is about the only thing that's working as you'd expect.

I want to use this pointer in an external Python application; so I of course need to get the base address for "Adobe AIR.dll". After writing most of it manually I switched over instead to the much simpler hackManager Python library which can get the base address and module base addresses for applications. The problem? There is no "Adobe AIR.dll" module under "Brawlhalla.exe". This stopped me in my tracks for a while, until I made a discovery; in CE, a pointer that is just entered as "Adobe AIR.dll" and a pointer that is just entered as "Brawlhalla.exe" actually points towards the same address - at the moment, 0x00905A4D. So I assume this means the base address for Brawlhalla.exe is the same as Adobe AIR.dll. Problem solved, right? Well... not quite.

In my Python program I'm able to get the base address of Brawlhalla.exe, check memory, and get the same address CE has for it (0x00905A4D). However, no matter how many variations I've tried, I have not been able to properly get the first offset in the pointer ("Adobe AIR.dll"+01315500) to match what CE shows as the first offset address; I get the base address for the application, add the offset to it, then read for another address from memory (effectively read_dword(base+offset1). Instead of getting the next step shown in CE (in this case, 0x0451B088), though, I simply get a 0. Even stranger, despite "Adobe AIR.dll" and "Brawlhalla.exe" pointing to the same address in CE, "Adobe AIR.dll"+01315500 and "Brawlhalla.exe"+01315500 DON'T point to the same CE address; the Brawlhalla.exe one shows all 0's/???'s. So I don't know if I'm simply trashing the math for the first offset (I've confirmed my code for all offsets after the first work if I simply hard-code the first step shown in CE) or if the Brawlhalla.exe base address isn't actually the same as Adobe AIR.dll's despite CE seeming to think they are? Is the solution to this to somehow find a base address for Adobe AIR.dll (and if so, how? It's not listed as a module!) I dunno. Help is much appreciated <3

[ParkourPenguin]

[Quibbs]

I assumed Adobe AIR was a module/part of Brawlhalla.exe due to the fact that the game's written in AIR, that there's no Adobe AIR process, and that the pointer was found from scanning the Brawlhalla process. If I try to directly target an "Adobe AIR.dll" for getting a base address, I simply get an error saying that no such process exists. And since it's not any of the DLLs listed as modules of Brawlhalla, I'm at a loss at how else I'm supposed to get it's base address.

This is the code I'm using:

[ParkourPenguin]

"Adobe AIR.dll" isn't a process - it's a dll file that was loaded by a process.

[Quibbs]

I've tried module_base_dict before, Adobe AIR.dll is not among the list. The output is:

{'wow64.dll': 2004287488L, 'ntdll.dll': 140707013066752L, 'wow64win.dll': 2003763200L, 'wow64cpu.dll': 2004680704L}

This is why I'm confused as to what to do at this point. If it's not a process, Brawlhalla.exe is a separate thing, and it's not in the module list... what's left for me to do?

[ParkourPenguin]

There should be a hell of a lot more than just the wow64 emulator dlls. It's probably a bug with a library you're using.

You can try to find a better library out there that actually works, or just make it yourself (e.g. Stack Overflow).

[Quibbs]

Using the specific script you linked (which I think was the same one I was working with before switching to the Python library), I get only five outputs: Brawlhalla.exe and the same four DLLs from before.

[ParkourPenguin]

Oh, now I see the problem. Try passing TH32CS_SNAPMODULE | TH32CS_SNAPMODULE32 to CreateToolhelp32Snapshot.
(TH32CS_SNAPMODULE32 = 0x00000010)

PS: Chrome works because it's 64-bit.