toffler Cheater
Reputation: 0
Joined: 27 Sep 2012 Posts: 38
|
Posted: Fri May 16, 2014 8:35 pm Post subject: How cheatengine searches memory? |
|
|
I wrote a C++ program that does memory search for a string.
First, it finds memory regions that are accessible and writable (because I need to change stuff), then it reads a part of the region into a buffer and uses the Boyer–Moore–Horspool algorithm to search for a string inside a string.
This works, but very slowly compared to cheatengine: what cheatengine does in under 5 sec, my program does in 2 mins or so.
What might I be doing wrong, and are there any tricks to do it faster?
Gniarf Grandmaster Cheater Supreme
Reputation: 43
Joined: 12 Mar 2012 Posts: 1285
|
Posted: Sat May 17, 2014 12:03 am Post subject: Re: How cheatengine searches memory? |
|
|
toffler wrote: "it reads a part of the region into a buffer"
How big is that part?
You should try to read the whole region at once, or at least minimize the amount of ReadProcessMemory calls (it is quite slow). If for some reason you can't read whole regions, read by chunks of 0x1000 bytes. Regions have a minimum size of 0x1000 and must have a size multiple of that number.
_________________
DO NOT PM me if you want help on making/fixing/using a hack. |
STN I post too much
Reputation: 43
Joined: 09 Nov 2005 Posts: 2676
|
Posted: Sat May 17, 2014 12:12 am Post subject: |
|
|
I wrote a lengthy response but my inet died (storm and shit) and lost it when I clicked submit. Can't be arsed to write again but
use multi-threading. That algo is for searching a needle within strings, don't use that. Just do simple byte searching, at low-level strings are nothing but hex bytes so treat them as such.
toffler Cheater
Reputation: 0
Joined: 27 Sep 2012 Posts: 38
|
Posted: Sat May 17, 2014 5:16 am Post subject: Re: How cheatengine searches memory? |
|
|
Gniarf wrote: "(toffler wrote: "it reads a part of the region into a buffer") How big is that part? You should try to read the whole region at once, or at least minimize the amount of ReadProcessMemory calls (it is quite slow). If for some reason you can't read whole regions, read by chunks of 0x1000 bytes. Regions have a minimum size of 0x1000 and must have a size multiple of that number."
The buffer size is 4 Mb but I'll try to make it the size of a region and see if there is any improvement, thanks!
STN wrote: "I wrote a lengthy response but my inet died (storm and shit) and lost it when I clicked submit. Can't be arsed to write again but use multi-threading. That algo is for searching a needle within strings, don't use that. Just do simple byte searching, at low-level strings are nothing but hex bytes so treat them as such."
By byte searching do you mean compare individual bytes one by one?
Will it be faster to compare say, two total sums of bytes first?
I'm not sure how multi-threading can help here, it doesn't increase the overall speed of CPU in doing something.
Dark Byte Site Admin
Reputation: 471
Joined: 09 May 2003 Posts: 25835 Location: The netherlands
|
Posted: Sat May 17, 2014 5:38 am Post subject: |
|
|
try skipping MEM_MAPPED memory regions. (They could point to slow device memory. E.g. a file mapping to a network drive connected by a 1KB/sec modem)
cheat engine uses a very simple string scan algorithm.
check if the current byte pointer matches the first byte of the string. If so, check the second one until all are matched
if it fails, shift the pointer 1 byte and repeat, until the end of the buffer, and then load the buffer with a new ReadProcessMemory command
Anyhow, before looking at the scan algorithm, first check how fast it scans without any algorithm at all. Just see how fast it can read the memory at all.
and comparing sums would be slower I think because then it will be an add operation followed by a compare, instead of just a compare
multithreading will speed up the scan if you have multiple processors (if you only have 1 processor it won't speed it up)
as an example:
thread 1 scans 00000000 to 7fffffff
thread 2 scans 80000000 to ffffffff
both threads can do string compares at the same time, so it's about 2 times faster. (of course, it depends on the config. In normal systems 80000000 to ffffffff hardly ever contains anything useful so in this example, it'd be no faster. But also not slower)
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping |
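The scan Dark Byte describes above, written out as an added C++ example (not Cheat Engine's source and not code from any poster in this thread). `Region::read` is a hypothetical stand-in for a ReadProcessMemory call over constructed data so the block runs offline; carrying the last bytes of each chunk into the next read is an assumption added here so that a match straddling two reads is not lost.

```cpp
#include <algorithm>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

struct Region {  // constructed stand-in for one region; read() plays the role of ReadProcessMemory
    std::vector<uint8_t> bytes;
    size_t reads = 0;  // read calls issued so far
    size_t read(size_t off, uint8_t* dst, size_t len) {
        ++reads;
        if (off >= bytes.size()) return 0;
        size_t n = std::min(len, bytes.size() - off);
        std::memcpy(dst, bytes.data() + off, n);
        return n;
    }
};

// Check the first byte, then the rest; on failure shift one byte. The last needle.size()-1
// bytes of each chunk are carried into the next buffer so a match straddling two reads is kept.
std::vector<size_t> scan_region(Region& r, const std::vector<uint8_t>& needle, size_t chunk) {
    std::vector<size_t> hits;
    if (needle.empty() || chunk == 0) return hits;
    const size_t keep = needle.size() - 1;
    std::vector<uint8_t> buf(keep + chunk);
    size_t carried = 0, off = 0;
    while (size_t got = r.read(off, buf.data() + carried, chunk)) {
        const size_t have = carried + got, base = off - carried;  // base: region offset of buf[0]
        for (size_t i = 0; i + needle.size() <= have; ++i)
            if (buf[i] == needle[0] &&
                std::equal(needle.begin() + 1, needle.end(), buf.begin() + i + 1))
                hits.push_back(base + i);
        off += got;
        carried = std::min(keep, have);
        std::memmove(buf.data(), buf.data() + have - carried, carried);
    }
    return hits;
}

Region make_sample() {  // constructed data: 0x3000 zero bytes, "TEST" at 0xFFE, 0x2000, 0x2FFC
    Region r; r.bytes.assign(0x3000, 0);
    for (size_t at : {0x0FFEu, 0x2000u, 0x2FFCu}) std::memcpy(&r.bytes[at], "TEST", 4);
    return r;
}
int main() {
    Region r = make_sample();
    auto hits = scan_region(r, {'T', 'E', 'S', 'T'}, 0x1000);
    std::printf("%zu hits, %zu reads\n", hits.size(), r.reads);
}
```

The `reads` counter makes the cost of small buffers visible: the same region scanned in 0x10-byte chunks issues hundreds of read calls, while one region-sized read issues two.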
STN I post too much
Reputation: 43
Joined: 09 Nov 2005 Posts: 2676
|
Posted: Sat May 17, 2014 8:46 am Post subject: |
|
|
@DB: What about dual core or quad core processors instead of just HT technology? They actually act as separate processors and dividing the memory into regions according to how many cores the processor has should surely increase the scanning performance? For example
thread1 scans 0 to 4(add 0s)
thread2 scans 4 to 7fffffff
and so on for number of cores available.
I haven't tried but in theory it should make the process faster because you are scanning different areas of memory with each core and as I have seen each core works separately from another.
@toffler: Yes.
EDIT: To your second question: Consider this situation
Your signature/string: 50 85
mem region: 70 50 85
Doing a 2 byte compare it will fail, so you need to either move one byte ahead and scan again two bytes at a time, which is much slower, or scan if either of the bytes match and if they do grab more from the mem region and compare ahead. Again slower than just simple byte comparison.