Entrypoint vs. BaseAddress?

[why06]

I want to find the base address of a DLL. I know there's a way to do this, with API functions, but I heard that some Dynamically Linked Libraries can be compiled so that they always load at the same address. So if that were the case I figure it might be easier just to open the .dll up in a debugger and see what where it starts out. However the question I had was rather the entry point of a .dll would be the same thing as the base address. I would suppose not, but I don't know for sure, which is why Im asking.

[[sheep]]

hi why.. been a bit busy myself over the last few days.. so havent had time to come around.. ok.. i think we covered this before on another thread about code shifting.. i think even HELL posted some c++ that found the base address of a dll.. my trainer engine has the ASM equivalent..( i rarely code in anything other than asm) .. the BASE and ENTRY POINT are not the same thing.. BASE is where the dll is loaded and the ENTRY point is where the code starts execution. usually 1000 bytes after the header.. not always though... can be anywhere technically. google for a util called LORDPE it will list all running processes and give u all the info u need about what dlls your game is running and the base addresses etc etc.. hope that helps.. if not just leave more feedback and ill keep talking

[why06]

Wow, that was quick. I could have swore you were not online? o_O

Anyway thanks. And yeh I know there are ways to find it in C++, I was just wondering...., so essentially it would be the first address listed in my disassembly window, if Im using a debugger or something?

[[sheep]]

heya. hehe i wasnt online.. when u sent me a PM it sent me an email which was then sent to my blackberry.. so i got it then Yeah your debugger will give u the base address of all dlls of the current process.

[Hell_Demon]

If you load up your debug target with olly(attach) it will show the base address of the DLL at runtime, if you load up the Dll only(olly uses LoadDll.exe for it) it shows as 0x10000000 range I believe.
Both can be used tho, just substract 0x10000000 from the address shown in olly and then add the return value of GetModuleHandle and you'll have the location at runtime and vice versa.

[why06]

If you load up your debug target with olly(attach) it will show the base address of the DLL at runtime, if you load up the Dll only(olly uses LoadDll.exe for it) it shows as 0x10000000 range I believe.
Both can be used tho, just substract 0x10000000 from the address shown in olly and then add the return value of GetModuleHandle and you'll have the location at runtime and vice versa.

I thought the module handle was not the same thing as the base address, however you can use GetModuleInformation, to see what the base point was.

Also I how do you attach to a process at runtime with Olly?

[Hell_Demon]

how do you attach to a process at runtime with Olly?

Run game/exe, start olly, file -> attach

[Toymaker]

All jokes aside, if you don't want to waste a ridiculous amount of time using the APIs, just run the program, attach it to OLLYDBG, go to executable modules and pick your .DLL, then scroll to the very top =\ if the addresses are 404D### the base is 40400000 and if its like 6F###### the base is 6F000000 =\ easy find =p haha.

[why06]

All jokes aside, if you don't want to waste a ridiculous amount of time using the APIs, just run the program, attach it to OLLYDBG, go to executable modules and pick your .DLL, then scroll to the very top =\ if the addresses are 404D### the base is 40400000 and if its like 6F###### the base is 6F000000 =\ easy find =p haha.

Thanks TM. I've Actually in that past few day have been looking at the PE structure and have learned to find the entry point bt using the hex veiwer in Olly. Very interesting stuff, and apparently its one of the ways they pack executables to deter nub reversers (aka. me :P)