Cheat Engine

[booingthetroll]

I'm using a MacBook Air M1 running Parallels Windows 11. Some processes seem fine (for example I can open the CE process and view its cheatengine-x86_64.exe image code) but when I open a x64 game (client.exe), a lot of memory regions aren't correctly accessible. This is consistent and always happens for this game.

If I go to the address "client.exe" in memory view it correctly goes to 140000000 but the memory is all ??. In Memory Regions, it correctly shows it's an image page mapped from disk in "Commit" with "Read" access. As expected an error is thrown about inaccessible memory if I try to set an int3 breakpoint. However, most other memory regions are accessible as expected. It seems like it may be that all "Image" regions are not accessible. On my Windows desktop this isn't an issue for the exact same process. I don't have any data as to why it only affects some processes and not others.

Any idea for what could cause this behavior and how to get around it or gather more useful data? Thinking to try some experiments with calling read memory apis as stand-alone but I am genuinely surprised to see this type of issue.[/img]

[Dark Byte]

Try disabling the security option in windows (e.g no core isolation)

and try kernelmode open and readwrite process memory

[booingthetroll]

hmm I don't see it under device security so I think it's not enabled. I can't get kernelmode drivers to load for the RPM/WPM settings for seemingly opaque reasons but that may be another journey... I was going to say this makes me think this is a W11 issue and not Parallels related but it seems there's no support for W10 or older OSes so can't test that sadly

I did test a standalone little app to call ReadProcessMemory and it works fine on affected pages (tiny C program)

[booingthetroll]

This seems to be a bug but I am not sure if it's a CE bug, a pascal wrapper bug, a Windows 11 bug or some ARM obscure detailed but opened issue https://github.com/cheat-engine/cheat-engine/issues/2504