Cheat Engine

[luminebot]

Hi there, I'm new to cheat engine and I found it extremely helpful in my end. But now I'm stuck with a problem.

I have two programs communicating each other in local machine with Shared Memory instead of a network and it use Memory Mapped File. After doing small research, I found msdn doc how shared memory with memory mapped file work. The thing is, either programs hold the pointer to the memory region. it don't need to call WinAPI whenever the program need to read / write, it only called once during initialization as the part to getting the pointer, making API hooking useless.

Now the question, is it possible to set breakpoint to data inside Memory Mapped File? I like to know whether there's pointer pointing at certain memory address inside the memory mapped file and add breakpoint to it whenever there's read or write.

[Dark Byte]

assuming it's not a virtual machine, you could use dbvm find what accesses.

This version of 'find what accesses' uses physical memory and doesn't distinguish between processes.

[luminebot]

[Dark Byte]

1: save everything you're doing on your system

2: rightclick the address in the addresslist and chiose "dbvm find out what accesses address"

3: answer yes once or twice and then your system either freezes, BSODs, or you get an access config window.
Assuming you get the config window: The defaults should be ok. But make sure physical memory os automatically filled in. If not, enable kernelmode openprocess in settings and reopen the process and try again

4: click ok and it'll be exactly like the normal find what accesses/writes

[luminebot]

[Dark Byte]

DBVM find what accesses is based on physical memory access detection

Shared memory has the exact same physical address in both processes so you can pick either

The data is collected based on the pagetable of the accessing process.
Note: if this part fails (just ??'s when showing disassembler code) in settings-debugger click on the "make possible" button and restart windows.

[luminebot]

Thanks for all the replies! I got it working now, but there's weird catch that I need to verify later, I might ask more question bit later in weekend when I have time for tinkering this, since DBVM require me to shut down / disable Hyper-V and render WSL 2 disabled and I need it for work stuff.

But what I got so far:
- The most important part is perhaps I was wrong about how these two programs work fundamentally, the server program indeed writes data to MMF, it also constantly write current timestamp so it's get updated very frequent, but what I see in the client with Cheat Engine is some kind of snapshot of the MMF since the timestamp isn't moving at all. Turns out there's `Update()` function that I need to call in client, like house keeping function that need to be called regularly and it seems it copy the MMF content to internal memory in which I can observe in Cheat Engine.

- Even after concluding the first point above, normal "Find what writes/access this address" isn't working for me, I thought it would work since I assume the client copy MMF content into it's own memory. I could verify with my own program that MMF get updated frequently every seconds (in case I mistaken it as local memory in server program). But "DBVM Find what writes or access this address" work for me, when I call the function which suppose to read the data in certain memory region, it add into the list after watching it. I haven't open the disassembler yet since I'm not good with asm.

- Speaking of copying into internal memory (which at this point, i still assuming), I couldn't find the MMF address when opening client program in Cheat Engine, what I found is the snapshot I mentioned earlier, the pointer to MMF might be destroyed when it gets copied to local memory as part of the cleanup, but it will be weird since i don't detect any MMF WinAPI calls, I mean if it gets destroyed or lost, it should be query again to WinAPI to get the pointer to MMF

- When I tried to open the server program with cheat engine, I tried to use "DBVM Find what writes or access this address" into the MMF memory, I saw dozen of instructions happening at high speed but there's seems no new instruction listed when I call "Update()" function from the client.

For now, I'm good to go since I able to watch which memory gets read when client call certain function so I might able to emulate the server program. But if you do have insight what happening with my scenario, please let me know