
Originally Posted by
258456
It returns the address of the entry point of the selected module. The number itself isn't really significant, and you can't just use iostream and expect a console to show up in a dll. To make a console you need to call AllocConsole(); then you need to write to the console using WriteConsole(); . But this is detected by cf unless you have a bypass, which you don't, so you will have better using the fstream header file and just write the number to a text file. or you can just use sprintf to put the number in a buffer then use MessageBoxA(); to put the number into the messagebox.
no! it returns the base address, not the entry point, you can get the entrypoint by using ZwQueryProcessInformation...
@
kmanev073
to be more obvious, when you load CShell in ollydbg, you will see 10A69120 as a pointer and the base address is 10000000
(Press the E button in ollydbg)
but crossfire.exe loads it at different base address (lets imagine it is 20000000) so
the pointer becomes 20A69120
so we do the following:
1-convert the pointer to offset by subtracting 10000000 (it becomes A69120)
2-in the hack we use GetModuleHandleA to get the new base (will return 20000000 in this case)
and add the result to A69120
i hope you understand!