zeion (How do I cheat?)
Reputation: 0
Joined: 31 Aug 2013 Posts: 5
Posted: Sat Aug 31, 2013 7:14 pm Post subject: How to get base address of process after dll injection?

Hi,
After I've successfully injected my dll into my target process, say "target.exe", how do I get the base address of "target.exe"? I used the pointer scan from CE to get the static multi-level pointer for a value I want to change, but the first address is "target.exe" + offset + offset .. and I think I need to find the address for "target.exe", which I think should be different each time?
I've tried GetModuleHandle(0) but I'm not sure how to work it?
Thanks
TsTg (Master Cheater)
Reputation: 5
Joined: 12 Dec 2012 Posts: 340 Location: Somewhere....
Posted: Sun Sep 01, 2013 4:47 am

Since you injected your dll inside the target executable, GetModuleHandle(0) will give you the base address of 'target.exe'.
Next, you need to add it to your offset address. Say the base address is 0x400000 and my address is 0x412345, so this is equivalent to "target.exe" + 0x12345.
zeion (How do I cheat?)
Reputation: 0
Joined: 31 Aug 2013 Posts: 5
Posted: Sun Sep 01, 2013 8:55 am

Okay so it seems like my base address for "target.exe" is the same every time I start the game.. is this right? I was expecting it to be different each time otherwise what's the point of having the offsets?
Also it seems that when I read the pointer in CE the address is different each time so I thought that was because "target.exe" has a different address each time. But when I use GetModuleHandle(0) in my DLL and print it it gives the same address. But when I try to calculate it manually from what CE tells me (by subtracting the first offset) I get a different value for "target.exe" each time?
TsTg (Master Cheater)
Reputation: 5
Joined: 12 Dec 2012 Posts: 340 Location: Somewhere....
Posted: Sun Sep 01, 2013 10:51 pm

Yeah, if the game doesn't use ASLR, the image base should be static. You can also go to Cheat Engine's memory view window, then go to 'View->Enumerate DLL's and Symbols' and find the target.exe name; the number beside it is the image base.
If you say it changes, can you upload a picture to show me your calculations?
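What decides whether that number is static is the PE header, not the injection: the optional header carries a preferred ImageBase, and the loader normally relocates the image to a random base only when the DYNAMIC_BASE bit (0x0040) is set in its DllCharacteristics word. The following is an added example, not code from this thread; it parses a constructed, minimal PE32 header from a byte buffer (no real file is read) and reports the preferred base and whether ASLR applies. The names pe_info, pe_aslr_info and build_sample_pe32 are chosen here. The same check, run over your own binaries, shows which ones still ship without DYNAMIC_BASE and therefore load at a predictable address.

```c
/* Added example (not from the thread): read a PE image's preferred ImageBase and
 * DllCharacteristics from its headers to tell whether the loader may relocate it
 * (ASLR). The sample headers are constructed in memory; no file is read. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE 0x0040   /* documented PE flag */

struct pe_info {
    uint64_t image_base;    /* preferred load address */
    uint16_t dll_chars;     /* DllCharacteristics word */
    int      is_pe32plus;   /* 1 for 64-bit (PE32+), 0 for PE32 */
    int      aslr_enabled;  /* 1 if DYNAMIC_BASE is set: base may differ per run */
};

/* Little-endian readers/writers, so the code does not depend on host alignment. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static uint64_t rd64(const uint8_t *p) { return rd32(p) | ((uint64_t)rd32(p + 4) << 32); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }

/* Parses the DOS, NT and optional headers. Returns 0 on success, -1 if the
 * buffer is not a well-formed PE header. Field offsets follow the PE spec:
 * e_lfanew at 0x3C, "PE\0\0", 20-byte COFF header, then the optional header with
 * Magic at +0, ImageBase at +28 (PE32) or +24 (PE32+), DllCharacteristics at +70. */
int pe_aslr_info(const uint8_t *buf, size_t len, struct pe_info *out)
{
    if (len < 0x40 || buf[0] != 'M' || buf[1] != 'Z') return -1;
    uint32_t e_lfanew = rd32(buf + 0x3C);
    if (e_lfanew > len || len - e_lfanew < 4 + 20 + 72) return -1;
    const uint8_t *nt = buf + e_lfanew;
    if (memcmp(nt, "PE\0\0", 4) != 0) return -1;
    if (rd16(nt + 4 + 16) < 72) return -1;          /* SizeOfOptionalHeader too small */
    const uint8_t *opt = nt + 24;
    uint16_t magic = rd16(opt);
    if (magic == 0x10B)      { out->is_pe32plus = 0; out->image_base = rd32(opt + 28); }
    else if (magic == 0x20B) { out->is_pe32plus = 1; out->image_base = rd64(opt + 24); }
    else return -1;
    out->dll_chars = rd16(opt + 70);
    out->aslr_enabled = (out->dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE) != 0;
    return 0;
}

/* Builds a minimal PE32 header (constructed test data, not a real executable). */
size_t build_sample_pe32(uint8_t *buf, uint32_t image_base, uint16_t dll_chars)
{
    memset(buf, 0, 0x100);
    buf[0] = 'M'; buf[1] = 'Z';
    wr32(buf + 0x3C, 0x40);                /* e_lfanew */
    memcpy(buf + 0x40, "PE\0\0", 4);
    wr16(buf + 0x40 + 4 + 16, 224);        /* SizeOfOptionalHeader for PE32 */
    uint8_t *opt = buf + 0x40 + 24;
    wr16(opt, 0x10B);                      /* PE32 magic */
    wr32(opt + 28, image_base);
    wr16(opt + 70, dll_chars);
    return 0x100;
}

static void report(const char *name, uint16_t dll_chars)
{
    uint8_t img[0x100];
    struct pe_info info;
    size_t n = build_sample_pe32(img, 0x400000, dll_chars);
    if (pe_aslr_info(img, n, &info) != 0) { printf("%s: not a PE image\n", name); return; }
    printf("%s: ImageBase=0x%llx DllCharacteristics=0x%04x ASLR=%s\n", name,
           (unsigned long long)info.image_base, info.dll_chars,
           info.aslr_enabled ? "yes (base may change per run)" : "no (loads at the preferred base)");
}

int main(void)
{
    report("no-aslr sample", 0);
    report("aslr sample", IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE);
    return 0;
}
```

Reading a real file means loading its first few hundred bytes into the buffer and calling pe_aslr_info on them; the parser deliberately bounds-checks e_lfanew and SizeOfOptionalHeader before touching the optional header, so a truncated or malformed file returns -1 instead of reading past the buffer.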
zeion (How do I cheat?)
Reputation: 0
Joined: 31 Aug 2013 Posts: 5
Posted: Mon Sep 02, 2013 11:01 am

Hmm it won't let me post urls? I've left out the http in front of the links :/
From this:
img198.imageshack.us/img198/6113/hz8z.png
Would mean that "target.exe" = E189660 - 12D90D4 = CEB058C correct?
Then I restart the game and get this:
img818.imageshack.us/img818/3951/j48e.png
Which would mean that "target.exe" = E13E070 - 12D90D4 = CE64F9C?
Although it is true that when I go to View->Enumerate DLL's and Symbols it does always show 0x40000000, so I am confused.
atom0s (Moderator)
Reputation: 205
Joined: 25 Jan 2006 Posts: 8587 Location: 127.0.0.1
Posted: Mon Sep 02, 2013 12:55 pm

You can get the game executable's base using Module32First, as the process's executable is always the first module listed in the loop, assuming you have issues with GetModuleHandle( NULL ).
Code:
#include <windows.h>
#include <tlhelp32.h>

// Returns the base address of the first module in the current process's module
// list, which is the main executable, or 0 on failure. DWORD_PTR keeps the full
// address on 64-bit builds; a plain DWORD truncates it there.
DWORD_PTR GetProcessBaseAddress()
{
    MODULEENTRY32 me32 = { sizeof( MODULEENTRY32 ) };   // dwSize must be set before the call
    HANDLE hSnapshot = CreateToolhelp32Snapshot( TH32CS_SNAPMODULE, GetCurrentProcessId() );
    if (hSnapshot == INVALID_HANDLE_VALUE)
        return 0;
    DWORD_PTR base = 0;
    if (Module32First( hSnapshot, &me32 ))             // first entry is the executable itself
        base = (DWORD_PTR)me32.modBaseAddr;
    CloseHandle( hSnapshot );                           // released on every path
    return base;
}
- Retired.

TsTg (Master Cheater)
Reputation: 5
Joined: 12 Dec 2012 Posts: 340 Location: Somewhere....
Posted: Mon Sep 02, 2013 6:25 pm

zeion wrote: Would mean that "target.exe" = E189660 - 12D90D4 = CEB058C correct?
I'll explain in this pic:
Quote: http://img198.imageshack.us/img198/6113/hz8z.png
No, not correct. "target.exe" is the 0x400000 image base; 0x12D90D4 is the static offset value to be added to it (0x400000 + 0x12D90D4 = 0x16D90D4). This is the pointer start. Then 0xE189660 is the address value stored at address 0x16D90D4. The offsets are static, but the address inside changes.
Code:
inside [target.exe+0x12D90D4] = inside [0x16D90D4] = 0x0E189660
inside [0x0E189660 + 0x44] = inside [0x0E1896A4] = 0x0E1893E0
inside [0x0E1893E0 + 0x1C] = inside [0x0E1893FC] = 0x3853D320
and so on....
To get the pointer programmatically:
1- Call GetModuleHandle(0) or Wiccaan's method to get the base
2- Add 0x12D90D4 to it to get the static address of the pointer start
3- Start reading values for each offset using ReadProcessMemory, or use direct assembly code.
4- When you reach the final address, use WriteProcessMemory or asm instructions to modify the value
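The chain walk described in the post above, as an added example that is not part of the thread: a C program that builds a constructed object graph in its own address space (a static fake_image standing in for target.exe's image, and heap-allocated world and player objects standing in for the game's objects) and then resolves a chain of the form inside [inside [base + off0] + off1] + off2, the way CE displays it. The offsets are taken from the struct layout with offsetof, which is why they stay the same between runs, while the heap addresses the chain passes through change from run to run, which is what the two screenshots show. The struct names, the offsets, the helper names (resolve_chain, read_health_via_chain, setup_world, teardown_world) and the health value 100 are all constructed for this example; in an injected DLL the base would come from GetModuleHandle(NULL) and each read is a plain dereference, while across processes each link would be a ReadProcessMemory call.

```c
/* Added example (not from the thread): resolve a multi-level pointer chain
 * base -> [base+off0] -> [ptr1+off1] -> ptr2+off2 inside the current process.
 * All objects are constructed here, so the program runs on any platform. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed "game" layout (hypothetical, chosen for this example). */
struct player       { uint8_t pad[0x1C]; uint32_t health; };        /* value at +0x1C */
struct world        { uint8_t pad[0x40]; struct player *player; };  /* link at +0x40 */
struct module_image { uint8_t pad[0x40]; struct world *g_world; };  /* static slot at +0x40 */

/* Stands in for target.exe's image: static storage, so its address (the "base")
 * does not move between runs unless ASLR relocates the whole image. */
static struct module_image fake_image;

/* The static offsets CE would report; they describe the layout, not any one run. */
const uintptr_t HEALTH_CHAIN[3] = {
    offsetof(struct module_image, g_world),
    offsetof(struct world, player),
    offsetof(struct player, health),
};

/* Reads one pointer at addr. Same address space, so a plain copy suffices (an
 * injected DLL is in the same position); across processes this would be a
 * ReadProcessMemory call. Returns 0 when the link is NULL, i.e. not allocated. */
static int read_ptr(uintptr_t addr, uintptr_t *out)
{
    memcpy(out, (const void *)addr, sizeof *out);
    return *out != 0;
}

/* Returns the final address (where the value lives), or 0 if a link is NULL. */
uintptr_t resolve_chain(uintptr_t base, const uintptr_t *offsets, size_t n)
{
    uintptr_t addr = base;
    for (size_t i = 0; i < n; i++) {
        addr += offsets[i];
        if (i + 1 == n) break;               /* last offset: this is the value's address */
        if (!read_ptr(addr, &addr)) return 0;
    }
    return addr;
}

/* Allocates the constructed objects on the heap, so their addresses (the
 * intermediate links) differ from run to run, like 0xE189660 vs 0xE13E070. */
struct player *setup_world(uint32_t health)
{
    struct world *w = calloc(1, sizeof *w);
    struct player *p = calloc(1, sizeof *p);
    if (!w || !p) { free(w); free(p); return NULL; }
    p->health = health;
    w->player = p;
    fake_image.g_world = w;
    return p;
}

void teardown_world(void)
{
    if (fake_image.g_world) {
        free(fake_image.g_world->player);
        free(fake_image.g_world);
        fake_image.g_world = NULL;           /* chain is now broken at the first link */
    }
}

/* Reads the health value through the chain; 0 if any link is NULL. */
uint32_t read_health_via_chain(void)
{
    uintptr_t addr = resolve_chain((uintptr_t)&fake_image, HEALTH_CHAIN, 3);
    uint32_t v = 0;
    if (addr) memcpy(&v, (const void *)addr, sizeof v);
    return v;
}

int main(void)
{
    if (!setup_world(100)) return 1;
    uintptr_t base = (uintptr_t)&fake_image;          /* GetModuleHandle(NULL) analogue */
    printf("base          = %p\n", (void *)base);
    printf("[base+0x%lx]   = %p (world object, changes per run)\n",
           (unsigned long)HEALTH_CHAIN[0], (void *)fake_image.g_world);
    printf("final address = %p\n", (void *)resolve_chain(base, HEALTH_CHAIN, 3));
    printf("health        = %u\n", read_health_via_chain());
    teardown_world();
    return 0;
}
```

The NULL check on each link is the part worth keeping: a chain whose object has not been created yet (a menu screen before the player exists) must return 0 rather than add the next offset to a null pointer and read from a small bogus address.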
zeion (How do I cheat?)
Reputation: 0
Joined: 31 Aug 2013 Posts: 5
Posted: Tue Sep 03, 2013 7:19 pm

I got it to work!!!
Thanks so much for your help and explanation, I understand it a little more now