xiaoy312 How do I cheat?
Reputation: 0
Joined: 09 Mar 2010 Posts: 1
Posted: Sun Mar 14, 2010 2:56 pm Post subject: Memory Scanner
Hi DarkByte
I'm working on a project and I need to find the address of a Unicode string. I've tried a few mem scan methods in C# but the time it takes is terrible. I'm really amazed by how efficient your CheatEngine is.
I was asking if there is any method that lets me use your mem scan outside of CheatEngine.
I've looked over your code (memscan.pas). But I really have no idea how I can use it.
So could you show me a simple example?
Slugsnack Grandmaster Cheater Supreme
Reputation: 71
Joined: 24 Jan 2007 Posts: 1857
Posted: Sun Mar 14, 2010 5:12 pm
What about if you just use wcscmp()?
Dark Byte Site Admin
Reputation: 470
Joined: 09 May 2003 Posts: 25788 Location: The netherlands
Posted: Sun Mar 14, 2010 6:32 pm
My guess is that he's making the same mistake as almost everyone that makes a memory scanner:
Calling ReadProcessMemory for every single byte
So, first my usual answer:
First find out the memory regions of the application. Do that using VirtualQueryEx, then either allocate a buffer that's big enough to hold the biggest contiguous region, or split it up into smaller chunks (when splitting up, take the overlap into account, so always allocate stringsize*2 extra)
Then go through that region list and call ReadProcessMemory for the whole block (+overlap if required) and write it to the buffer
Then scan the buffer
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping
CristoferMartins Newbie cheater
Reputation: 0
Joined: 18 Dec 2009 Posts: 22
Posted: Sat Mar 20, 2010 10:44 am
Dark Byte wrote:
    My guess is that he's making the same mistake as almost everyone that makes a memory scanner:
    Calling ReadProcessMemory for every single byte
    So, first my usual answer:
    First find out the memory regions of the application. Do that using VirtualQueryEx, then either allocate a buffer that's big enough to hold the biggest contiguous region, or split it up into smaller chunks (when splitting up, take the overlap into account, so always allocate stringsize*2 extra)
    Then go through that region list and call ReadProcessMemory for the whole block (+overlap if required) and write it to the buffer
    Then scan the buffer
Cool, the first time I made a simple mem scan I did what you said: get the size and address of the region, copy it to a buffer, and then scan the buffer.
The only problem is knowing which regions I can scan or not, because I get some access violations...
Dark Byte Site Admin
Reputation: 470
Joined: 09 May 2003 Posts: 25788 Location: The netherlands
Posted: Sat Mar 20, 2010 11:59 am
VirtualQuery(Ex)
As for the access violation, is it a dll?
If so, protect every read with a try/except because the game might free a block even while you're still reading it
CristoferMartins Newbie cheater
Reputation: 0
Joined: 18 Dec 2009 Posts: 22
Posted: Sat Mar 20, 2010 1:17 pm
Dark Byte wrote:
    VirtualQuery(Ex)
    As for the access violation, is it a dll?
    If so, protect every read with a try/except because the game might free a block even while you're still reading it
I was trying to use VirtualQuery in my own .exe...
Code:
  currentBaseAddress:=startaddress;
  while (VirtualQueryEx(processhandle,pointer(currentBaseAddress),mbi,sizeof(mbi))<>0) and
        (currentBaseAddress<stopaddress) and
        ((currentBaseAddress+mbi.RegionSize)>currentBaseAddress) do //last check is done to see if it wasn't a 64-bit overflow.
  begin
    //only committed, non-guard, accessible pages of the selected types
    if (not (not scan_mem_private and (mbi.type_9=mem_private))) and
       (not (not scan_mem_image and (mbi.type_9=mem_image))) and
       (not (not scan_mem_mapped and (mbi.type_9=mem_mapped))) and
       (mbi.State=mem_commit) and
       ((mbi.Protect and page_guard)=0) and
       ((mbi.Protect and page_noaccess)=0) then
    begin
      //clip the region to the requested [startaddress, stopaddress) range
      if dword(mbi.BaseAddress)<startaddress then
      begin
        dec(mbi.RegionSize, startaddress-dword(mbi.BaseAddress));
        mbi.BaseAddress:=pointer(startaddress);
      end;
      if dword(mbi.BaseAddress)+mbi.RegionSize>=stopaddress then
        mbi.RegionSize:=stopaddress-dword(mbi.BaseAddress);

      if //no cache check
         (Skip_PAGE_NOCACHE and ((mbi.AllocationProtect and PAGE_NOCACHE)=PAGE_NOCACHE))
         or
         //no readonly check
         ((not readonly) and (not ((((mbi.AllocationProtect) and (page_readonly or page_execute_read))=0) and
                                   (((mbi.Protect) and (page_readonly or PAGE_EXECUTE_READ))=0))))
      then
      begin
        //skip it
        currentBaseAddress:=dword(mbi.BaseAddress)+mbi.RegionSize;
        continue;
      end;

      //still here, so valid
      try
        if memRegionPos>0 then
        begin
          //check if it can be appended to the previous region
          if memRegion[memRegionPos-1].BaseAddress+memRegion[memRegionPos-1].MemorySize=dword(mbi.BaseAddress) then
          begin
            //yes, so append
            memRegion[memRegionPos-1].MemorySize:=memRegion[memRegionPos-1].MemorySize+mbi.RegionSize;
            //advance before continuing, otherwise the same region is queried forever
            currentBaseAddress:=dword(mbi.BaseAddress)+mbi.RegionSize;
            continue;
          end;
        end;
        //still here, so a new region
        memRegion[memRegionPos].BaseAddress:=dword(mbi.BaseAddress); //just remember this location
        memRegion[memRegionPos].MemorySize:=mbi.RegionSize;
        memRegion[memRegionPos].startaddress:=pointer(totalProcessMemorySize); //starts from 0, for unknown scans
        inc(memRegionPos);
        if (memRegionPos mod 16)=0 then //add another 16 to it
          setlength(memRegion,length(memRegion)+16);
      finally
        inc(totalProcessMemorySize,mbi.RegionSize); //add this size to the total
      end;
    end;
    currentBaseAddress:=dword(mbi.BaseAddress)+mbi.RegionSize;
  end;
Is that what I need to study to know how to use VirtualQuery?
Dark Byte Site Admin
Reputation: 470
Joined: 09 May 2003 Posts: 25788 Location: The netherlands
Posted: Sat Mar 20, 2010 1:38 pm
I see you used the CE source.
Have you allocated (setlength) the memRegion array yet (to at least 16) and also initialized the memRegionPos variable to 0?
memRegionPos holds the current free index of the memRegion array (should be 0 at first run)
CristoferMartins Newbie cheater
Reputation: 0
Joined: 18 Dec 2009 Posts: 22
Posted: Sat Mar 20, 2010 2:09 pm
Dark Byte wrote:
    I see you used the CE source.
    Have you allocated (setlength) the memRegion array yet (to at least 16) and also initialized the memRegionPos variable to 0?
    memRegionPos holds the current free index of the memRegion array (should be 0 at first run)
Yeah...
In this code you used 4 flags... I will show:
Skip_PAGE_NOCACHE, readonly, scan_mem_mapped, ScanMemPrivate...
I am using this code:
Code:
  //StartAddress, StopAddress, memRegion, memRegionPos, totalProcessMemorySize and the
  //Scan_Mem_Mapped/ScanMemPrivate/Skip_PAGE_NOCACHE/readonly flags are unit-level variables
  Function GetRegions: Boolean;
  Var
    currentBaseAddress: dword;
    mbi : TMemoryBasicInformation;
    SystemInfo : SYSTEM_INFO;
  Begin
    Scan_Mem_Mapped := True;
    ScanMemPrivate := True;
    GetSystemInfo(SystemInfo);
    StartAddress := Cardinal(SystemInfo.lpMinimumApplicationAddress);
    currentBaseAddress := startaddress;
    StopAddress := Cardinal(SystemInfo.lpMaximumApplicationAddress);
    setlength(memRegion,16);
    memRegionPos := 0;
    totalProcessMemorySize := 0; //reset, or the startaddress offsets accumulate across calls
    Result := True;
    while (VirtualQuery(pointer(currentBaseAddress),mbi,sizeof(mbi))<>0) and
          (currentBaseAddress<stopaddress) and
          ((currentBaseAddress+mbi.RegionSize)>currentBaseAddress) do //last check is done to see if it wasn't a 64-bit overflow.
    begin
      //note: ScanMemPrivate is reused for mem_image here; the original checks a separate scan_mem_image flag
      if (not (not ScanMemPrivate and (mbi.type_9=mem_private))) and
         (not (not ScanMemPrivate and (mbi.type_9=mem_image))) and
         (not (not scan_mem_mapped and (mbi.type_9=mem_mapped))) and
         (mbi.State=mem_commit) and
         ((mbi.Protect and page_guard)=0) and
         ((mbi.Protect and page_noaccess)=0) then //look if it is committed
      begin
        //clip the region to the requested [startaddress, stopaddress) range
        if dword(mbi.BaseAddress)<startaddress then
        begin
          dec(mbi.RegionSize, startaddress-dword(mbi.BaseAddress));
          mbi.BaseAddress:=pointer(startaddress);
        end;
        if dword(mbi.BaseAddress)+mbi.RegionSize>=stopaddress then
          mbi.RegionSize:=stopaddress-dword(mbi.BaseAddress);

        if //no cache check
           (Skip_PAGE_NOCACHE and ((mbi.AllocationProtect and PAGE_NOCACHE)=PAGE_NOCACHE))
           or
           //no readonly check
           ((not readonly) and (not ((((mbi.AllocationProtect) and (page_readonly or page_execute_read))=0) and
                                     (((mbi.Protect) and (page_readonly or PAGE_EXECUTE_READ))=0))))
        then
        begin
          //skip it
          currentBaseAddress:=dword(mbi.BaseAddress)+mbi.RegionSize;
          continue;
        end;

        //still here, so valid
        try
          if memRegionPos>0 then
          begin
            //check if it can be appended to the previous region
            if memRegion[memRegionPos-1].BaseAddress+memRegion[memRegionPos-1].MemorySize=dword(mbi.BaseAddress) then
            begin
              //yes, so append
              memRegion[memRegionPos-1].MemorySize:=memRegion[memRegionPos-1].MemorySize+mbi.RegionSize;
              //advance before continuing, otherwise the same region is queried forever
              currentBaseAddress:=dword(mbi.BaseAddress)+mbi.RegionSize;
              continue;
            end;
          end;
          //still here, so a new region
          memRegion[memRegionPos].BaseAddress:=dword(mbi.BaseAddress); //just remember this location
          memRegion[memRegionPos].MemorySize:=mbi.RegionSize;
          memRegion[memRegionPos].startaddress:=pointer(totalProcessMemorySize); //starts from 0, for unknown scans
          inc(memRegionPos);
          if (memRegionPos mod 16)=0 then //add another 16 to it
            setlength(memRegion,length(memRegion)+16);
        finally
          inc(totalProcessMemorySize,mbi.RegionSize); //add this size to the total
        end;
      end;
      currentBaseAddress:=dword(mbi.BaseAddress)+mbi.RegionSize;
    end;
    if MemRegionPos = 0 then
      Result := false;
  End;
I need to set Scan_Mem_Mapped and ScanMemPrivate to true because if I don't, the code won't get any region...
What are these flags needed for?
And two more flags... Skip_PAGE_NOCACHE, readonly, what will I use these flags for?
One more question, will the code that I showed in this post work OK?
Dark Byte Site Admin
Reputation: 470
Joined: 09 May 2003 Posts: 25788 Location: The netherlands
Posted: Sat Mar 20, 2010 2:19 pm
you probably want to have scan_mem_image and scan_mem_image to true, and scan_mem_mapped to false since mapped memory is useless most of the time anyhow
as for your rewrite of the if condition, I recommend just splitting it apart so it's something you want
CristoferMartins Newbie cheater
Reputation: 0
Joined: 18 Dec 2009 Posts: 22
Posted: Sat Mar 20, 2010 2:29 pm
Dark Byte wrote:
    you probably want to have scan_mem_image and scan_mem_image to true, and scan_mem_mapped to false since mapped memory is useless most of the time anyhow
    as for your rewrite of the if condition, I recommend just splitting it apart so it's something you want
That's the problem, I don't know how to get the most regions of the game that have the values...
I just wanted to put in this if the regions that I can scan or not...
Thanks Darkbyte.
Edit: I get 197 regions O.o
Dark Byte Site Admin
Reputation: 470
Joined: 09 May 2003 Posts: 25788 Location: The netherlands
Posted: Sat Mar 20, 2010 3:24 pm
that's a normal amount, yes
CristoferMartins Newbie cheater
Reputation: 0
Joined: 18 Dec 2009 Posts: 22
Posted: Sat Mar 20, 2010 3:38 pm
Dark Byte wrote:
    that's a normal amount, yes
When trying to copy the memory to the buffer, I get some access violations... is that normal? I am doing it in a dll (which I use via dll injection).
After getting the regions, what address do I use to copy from memory to my buffer? Region.StartAddress or Region.BaseAddress?
Thanks again
PS: I am using VirtualProtect to get the buffer from memory; I think that the function that gets the regions is wrong...
Dark Byte Site Admin
Reputation: 470
Joined: 09 May 2003 Posts: 25788 Location: The netherlands
Posted: Sat Mar 20, 2010 3:46 pm
Just implement your own memory scanner from scratch, it'll be a lot easier than trying to get pieces of CE slapped together to work
anyhow, place the copy code between a try/except since as I have said, the game might have freed the memory
as for the startaddress and baseaddress:
startaddress is the offset in the allocated block of memory that contains the whole game's memory. E.g. the first region will always be 0, the second one will be 0+firstregionssize, etc...
the baseaddress is just the base address that region starts at in the game's location
for dlls this method can be different since you don't really need to copy the memory to scan
Also, the big problem with dll memory scanning is that it also scans its own memory, which is why I'm scrapping hyperscan from CE, it's useless
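The method Dark Byte gives in his first reply (enumerate the regions, read each whole block in chunks with an overlap, then scan the buffer) and the startaddress/baseaddress bookkeeping he explains above, as an added C example that is not part of the thread or of Cheat Engine. The target process is a constructed byte array and fake_read stands in for ReadProcessMemory; on Windows the region list would be filled from VirtualQueryEx and the reads done with ReadProcessMemory instead. Region, RegionList, add_region, scan_region, offset_to_address, CHUNK, TARGET_BASE and the planted UTF-16LE needle are all names this example assumes, not the thread's.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* One entry of the region list discussed in the thread. base: where the region
   starts in the target ("baseaddress"); size: its length; offset: where it lands
   in the flat scan buffer ("startaddress": 0 for the first region, 0 + the first
   region's size for the second, and so on). */
typedef struct { uintptr_t base; size_t size; size_t offset; } Region;

#define MAX_REGIONS 16
typedef struct { Region r[MAX_REGIONS]; int count; size_t total; } RegionList;

/* Append a region, merging it into the previous entry when the two are adjacent
   (the same rule as the memRegion "append" branch in the posted code). */
static int add_region(RegionList *l, uintptr_t base, size_t size) {
    if (l->count > 0) {
        Region *prev = &l->r[l->count - 1];
        if (prev->base + prev->size == base) {
            prev->size += size;
            l->total += size;
            return 1;
        }
    }
    if (l->count == MAX_REGIONS) return 0;
    l->r[l->count] = (Region){ base, size, l->total };
    l->count++;
    l->total += size;
    return 1;
}

/* Map an offset in the scan buffer back to a target address (0 if the offset
   lies outside every region). */
static uintptr_t offset_to_address(const RegionList *l, size_t offset) {
    for (int i = 0; i < l->count; i++)
        if (offset >= l->r[i].offset && offset < l->r[i].offset + l->r[i].size)
            return l->r[i].base + (offset - l->r[i].offset);
    return 0;
}

/* Constructed stand-in for the target process: a flat array "mapped" at
   TARGET_BASE. fake_read plays the role of ReadProcessMemory and fails for
   anything outside the array, which is how a block freed mid-scan shows up. */
#define TARGET_BASE 0x10000u
#define TARGET_SIZE 4096u
static unsigned char target[TARGET_SIZE];

static int fake_read(uintptr_t addr, void *out, size_t len) {
    if (addr < TARGET_BASE || addr - TARGET_BASE + len > TARGET_SIZE) return 0;
    memcpy(out, target + (addr - TARGET_BASE), len);
    return 1;
}

/* Read a region in CHUNK-byte pieces, each read extended by nlen bytes of
   overlap so a needle straddling a chunk boundary is still seen; only matches
   starting inside the chunk proper are reported, so nothing is reported twice.
   Hits are target addresses; a failed read abandons the region instead of
   faulting. Returns the hit count. */
#define CHUNK 1024u
#define MAX_NEEDLE 64u
static int scan_region(const Region *r, const unsigned char *needle, size_t nlen,
                       uintptr_t *hits, int max_hits) {
    unsigned char buf[CHUNK + MAX_NEEDLE];
    int found = 0;
    if (nlen == 0 || nlen > MAX_NEEDLE) return 0;
    for (size_t pos = 0; pos < r->size; pos += CHUNK) {
        size_t want = CHUNK + nlen;                      /* chunk plus overlap */
        if (pos + want > r->size) want = r->size - pos;
        if (!fake_read(r->base + pos, buf, want)) break;
        for (size_t i = 0; i < CHUNK && i + nlen <= want; i++)
            if (memcmp(buf + i, needle, nlen) == 0 && found < max_hits)
                hits[found++] = r->base + pos + i;
    }
    return found;
}

/* Build the constructed target: UTF-16LE "score" planted once across the first
   chunk boundary and once deeper in the same region, plus three commits of
   which the first two are adjacent. Returns the number of hits. */
static int demo_scan(uintptr_t *hits, int max_hits, RegionList *list) {
    static const unsigned char needle[] = { 's',0,'c',0,'o',0,'r',0,'e',0 };
    memset(target, 0, sizeof target);
    memcpy(target + CHUNK - 4, needle, sizeof needle);   /* bytes 1020..1029 */
    memcpy(target + 3000, needle, sizeof needle);

    memset(list, 0, sizeof *list);
    add_region(list, TARGET_BASE, 2048);                  /* first commit     */
    add_region(list, TARGET_BASE + 2048, 1024);           /* adjacent: merged */
    add_region(list, TARGET_BASE + 3584, 512);            /* gap: new entry   */

    int n = 0;
    for (int i = 0; i < list->count; i++)
        n += scan_region(&list->r[i], needle, sizeof needle, hits + n, max_hits - n);
    return n;
}

int main(void) {
    RegionList list;
    uintptr_t hits[8];
    int n = demo_scan(hits, 8, &list);
    printf("%d region(s), %zu bytes in the scan buffer\n", list.count, list.total);
    for (int i = 0; i < n; i++)
        printf("hit at 0x%lx\n", (unsigned long)hits[i]);
    printf("buffer offset %zu is address 0x%lx\n", list.r[1].offset,
           (unsigned long)offset_to_address(&list, list.r[1].offset));
    return 0;
}
```

Two things the demo makes visible that the prose only states: the two adjacent commits collapse into one 3072-byte region, so the third entry gets startaddress 3072 while its baseaddress is 0x10E00; and the needle planted at bytes 1020..1029 is found exactly once even though it crosses the 1024-byte chunk boundary, because the read was extended by the needle length and matches are only reported from the first 1024 bytes of each chunk.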
CristoferMartins Newbie cheater
Reputation: 0
Joined: 18 Dec 2009 Posts: 22
Posted: Sat Mar 20, 2010 3:53 pm
Dark Byte wrote:
    Just implement your own memory scanner from scratch, it'll be a lot easier than trying to get pieces of CE slapped together to work
    anyhow, place the copy code between a try/except since as I have said, the game might have freed the memory
    as for the startaddress and baseaddress:
    startaddress is the offset in the allocated block of memory that contains the whole game's memory. E.g. the first region will always be 0, the second one will be 0+firstregionssize, etc...
    the baseaddress is just the base address that region starts at in the game's location
    for dlls this method can be different since you don't really need to copy the memory to scan
    Also, the big problem with dll memory scanning is that it also scans its own memory, which is why I'm scrapping hyperscan from CE, it's useless
Yes, I will try to play more with the regions and the best thing...
I put in the try/except, but I think that I'm scanning a wrong region...
For me copying the memory is cool and easy to play with...
Dll memory scanning can have some problems but it has some advantages like no detection...
Dark Byte Site Admin
Reputation: 470
Joined: 09 May 2003 Posts: 25788 Location: The netherlands
Posted: Sat Mar 20, 2010 7:25 pm
Quote:
    Dll memory scanning can have some problems but it has some advantages like no detection...
That's completely wrong. It's not detected because your program/dll is new so there's no detection code for it, but after a few patches the anti cheat will have the code signature of your dll in it as well and detect it
It's only an easy way out for anti cheats that hook apis like writeprocessmemory and you don't know how to bypass/write an equivalent function