Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
 


Getting the base address

 
nammidd
How do I cheat?
Reputation: 0

Joined: 10 Apr 2020
Posts: 2

Posted: Fri Apr 10, 2020 1:40 pm    Post subject: Getting the base address

Hello, I need to read values from another program using C++; I am practically using Cheat Engine for the first time. For example, take Heroes 3.
I found a static pointer through "Pointer scan for this address".
https://imgur.com/a/WRLYYeo
Could you please tell me what "Heroes3 HD.exe"+0029CCFC means? Is this the base address from which the program is running, or what?
And how do I get this address? I googled that I can get the base address through EnumProcessModules, GetModuleFileNameEx and GetModuleInformation in C++, but I don't know how to calculate the obtained values to get the pointer I need.
Quote:
Module name: C:\Users\user\Downloads\Heroes of Might and Magic III Complete\Heroes3 HD.exe
Load address: 0x400000
Entry point: 0x61a884
Size of image: 2936832
Module name: C:\Windows\SYSTEM32\ntdll.dll
Load address: 0x77af0000
Entry point: 0x0
Size of image: 1699840
Module name: C:\Windows\SYSTEM32\wow64.dll
Load address: 0x75320000
Entry point: 0x7534e0d8
Size of image: 258048
Module name: C:\Windows\SYSTEM32\wow64win.dll
Load address: 0x752c0000
Entry point: 0x752ff90c
Size of image: 376832
Module name: C:\Windows\SYSTEM32\wow64cpu.dll
Load address: 0x752b0000
Entry point: 0x752b20f8
Size of image: 32768
OldCheatEngineUser
Whateven rank
Reputation: 20

Joined: 01 Feb 2016
Posts: 1586

Posted: Fri Apr 10, 2020 3:41 pm

nammidd wrote:
...
https://imgur.com/a/WRLYYeo


"executable.exe" is the image_base_address (a.k.a. preferred_load_address)
+123ABC is the offset from image base address / preferred load address

in your case:
- "Heroes3 HD.exe" is 00400000h
- +0029CCFCh
equal to:
- 0069CCFC

0069CCFC is a memory location that points to 06014B30 according to the picture you provided.

however, you should not assume that the image base address will not change, nor that it will be loaded at its preferred address each time.

there are two variables that change the preferred load address each time you launch the executable:
- relocations
- ASLR

thus, you should always obtain the address using the win32 apis.
and it's a good reason why CE displays the image base as a symbol + offset to image data (i.e. fixed / static data sections that reside within the raw executable)

_________________
About Me;
I Use CE Since Version 1.X, And Still Learning How To Use It Well!
Jul 26, 2020
STN wrote:
i am a sweetheart.
nammidd
How do I cheat?
Reputation: 0

Joined: 10 Apr 2020
Posts: 2

Posted: Sat Apr 11, 2020 2:01 am

Thank you very much, I understood it quite well, except that
OldCheatEngineUser wrote:
0069CCFC is a memory location that points to 06014B30 according to the picture you provided.

Using "ReadProcessMemory" for this address 0069CCFC, I am getting 68E3AC90. Am I doing something wrong?
Code:
LPVOID buffer = NULL;
// lpBuffer must be the address of the variable that receives the data
ReadProcessMemory(handle, (LPCVOID)(0x400000 + 0x0029CCFC), &buffer, sizeof(buffer), NULL);
OldCheatEngineUser
Whateven rank
Reputation: 20

Joined: 01 Feb 2016
Posts: 1586

Posted: Sat Apr 11, 2020 6:27 am

assuming 68E3AC90 resides in a region that's allocated during runtime, then it should be valid although it's high for a 32-bit process.

you will have to re-read 68E3AC90 + offset B4 and treat the value read as an int/dword, and see if it makes sense to you.

again you should not hardcode the image base address, and it would be better if you implement it in a loop and have an array of offsets to add and read from. (instead of multiple RPMs and hardcoded offsets)

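An added example (not code from any poster in this thread) of the loop-over-offsets approach suggested in the post above, resolving the chain from a module base supplied at runtime instead of a hardcoded 0x400000. `Reader`, `resolveChain`, `FakeProcess`, `readValue`, the relocated base 0x00AB0000 and the final value 1234 are constructed for illustration; in a real tool the reader would wrap ReadProcessMemory and the base would come from the Win32 module APIs.

```cpp
#include <cstdint>
#include <cstring>
#include <functional>
#include <map>
#include <vector>

// Stand-in for ReadProcessMemory: copy `size` bytes from target address `addr`.
using Reader = std::function<bool(uint32_t addr, void* out, size_t size)>;

// Target is 32-bit: each link is read as 4 bytes, whatever the tool's pointer size.
bool resolveChain(const Reader& read, uint32_t moduleBase, uint32_t staticOffset,
                  const std::vector<uint32_t>& offsets, uint32_t* finalAddr) {
    uint32_t addr = moduleBase + staticOffset;  // "Heroes3 HD.exe"+0029CCFC
    for (uint32_t off : offsets) {
        uint32_t ptr = 0;
        if (!read(addr, &ptr, sizeof(ptr)) || ptr == 0) return false;  // dead link
        addr = ptr + off;                       // follow the pointer, add offset
    }
    *finalAddr = addr;
    return true;
}

// Constructed fake target memory (address -> dword), used instead of a process.
struct FakeProcess {
    std::map<uint32_t, uint32_t> dwords;
    bool read(uint32_t addr, void* out, size_t size) const {
        auto it = dwords.find(addr);
        if (size != sizeof(uint32_t) || it == dwords.end()) return false;
        std::memcpy(out, &it->second, size);
        return true;
    }
};

// Reads the dword at the end of the chain "module"+0029CCFC -> +B4.
bool readValue(const FakeProcess& p, uint32_t moduleBase, uint32_t* value) {
    Reader rd = [&p](uint32_t a, void* o, size_t n) { return p.read(a, o, n); };
    uint32_t addr = 0;
    return resolveChain(rd, moduleBase, 0x0029CCFC, {0xB4}, &addr) &&
           rd(addr, value, sizeof(*value));
}

int main() {
    FakeProcess p;
    const uint32_t base = 0x00AB0000;           // constructed relocated base
    p.dwords[base + 0x0029CCFC] = 0x06014B30;   // pointer value quoted in the thread
    p.dwords[0x06014B30 + 0xB4] = 1234;         // constructed final value
    uint32_t v = 0;
    return (readValue(p, base, &v) && v == 1234) ? 0 : 1;
}
```

With the module loaded at the constructed base, the same chain resolved from 0x00400000 fails at the first read, which is the failure mode a hardcoded image base produces once the image is relocated.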
vityaschel
How do I cheat?
Reputation: 0

Joined: 17 Jun 2022
Posts: 2
Location: Russia, Samara

Posted: Fri Jun 17, 2022 10:04 pm

OldCheatEngineUser wrote:
...

Thank you for your help and sorry for bumping this thread. Can you help me with getting image_base_address / preferred load address?
TsTg
Master Cheater
Reputation: 5

Joined: 12 Dec 2012
Posts: 334
Location: Somewhere....

Posted: Sat Jun 18, 2022 8:12 pm

the easiest API way to get the process executable's base address, is by calling GetModuleHandleA(0) function, just pass parameter zero and Windows will grab the base address of your "game.exe", and that will be the function's return value, or zero in case of error.
vityaschel
How do I cheat?
Reputation: 0

Joined: 17 Jun 2022
Posts: 2
Location: Russia, Samara

Posted: Sun Jun 19, 2022 3:38 am

TsTg wrote:
the easiest API way to get the process executable's base address, is by calling GetModuleHandleA(0) function, just pass parameter zero and Windows will grab the base address of your "game.exe", and that will be the function's return value, or zero in case of error.


Interesting approach 🤔
But I already found a better way to achieve my goal. I didn't realize I could use LpBaseDll as the executable name (which is a base address alias, I think?). Anyway, I found this because I accidentally wrote the executable name in the address field in Cheat Engine and in the bottom list it showed the real hex address instead of the executable name. I wrote a detailed answer here: stackoverflow/a/72674927/13689893