Cheat Engine The Official Site of Cheat Engine
xconspirisist How do I cheat?
Reputation: 0
Joined: 20 Jun 2021 Posts: 5
Posted: Sun Aug 01, 2021 1:32 pm Post subject: Check my understanding of program address spaces
Hey folks, I'd like to check my understanding of program address spaces if someone has a moment:
When looking in CheatEngine, at a listing of instructions in the "instruction view" (opcodes with arguments), as well as the "memory view" - is this all the same "program address space"?
i.e., in memory, does it look something like: instructions starting at 0x0000, then stack, then heap? Does this mean that "low addresses" such as 0x00400 are likely to be addresses in the "instruction area", but higher addresses, like 0x90000, are likely to be addresses in the program's heap? It's not like there are two address spaces that both start at 0x0?
Does cheat engine just display two separate views because it knows a program's instructions end at say 0x89999, and after that it's "memory" / data?
ParkourPenguin I post too much
Reputation: 150
Joined: 06 Jul 2014 Posts: 4646
Posted: Sun Aug 01, 2021 3:10 pm
In the memory browser, the top half is called the disassembler view and the bottom half is the hex view. They're viewing the same address space, just in two different ways. Press Ctrl + Space to sync them.
Concepts like the stack and heap are abstractions over the raw bytes of memory in a program's address space. In the end it's all just bytes.
Address 0 is never mapped to anything and will segfault if it's accessed.
The executable is typically loaded near the start of the address space, the heap (if one even exists) after that, and the main thread's stack near the end of the address space.
Programs can still allocate memory wherever they want.
CE displays two different views because that's how its UI is designed. Again, it's two different ways to portray bytes. It's fine to disassemble data like integers/floats as if they were instructions, and it's fine to read instructions as if they were primitive value types. Given that it's almost certainly not what the program intended, it may not be correct to do so, but it's possible.
_________________
I don't know where I'm going, but I'll figure it out when I get there.
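
An added example, not part of the thread: a Linux analogue of the answer above, using the process's own `/proc/self/maps` rather than Cheat Engine or Windows APIs. It looks up which mapping holds a function, a global, a malloc block and a stack local, then reads code bytes as an integer; `find_region`, `bytes_as_u32` and `global_counter` are names made up for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* One mapping from /proc/self/maps: [start, end), permissions, backing file. */
struct region { uintptr_t start, end; char perms[5]; char name[256]; };

/* Find the mapping that contains addr. Returns 1 if mapped, 0 if not. */
int find_region(const void *addr, struct region *out) {
    FILE *f = fopen("/proc/self/maps", "r");
    char line[512];
    int found = 0;
    if (!f) return 0;
    while (!found && fgets(line, sizeof line, f)) {
        unsigned long s, e;
        struct region r = {0};
        /* Line format: start-end perms offset dev inode [path] */
        if (sscanf(line, "%lx-%lx %4s %*s %*s %*s %255[^\n]", &s, &e, r.perms, r.name) < 3)
            continue;
        r.start = s; r.end = e;
        if ((uintptr_t)addr >= r.start && (uintptr_t)addr < r.end) { *out = r; found = 1; }
    }
    fclose(f);
    return found;
}

/* Read the 4 bytes at addr as an integer, whatever the program meant them to be. */
uint32_t bytes_as_u32(const void *addr) {
    uint32_t v;
    memcpy(&v, addr, sizeof v);
    return v;
}
static int global_counter = 42; /* data section of the executable */

int main(void) {
    int local = 0;
    void *heap = malloc(64);
    const void *probe[] = { (const void *)(uintptr_t)find_region, &global_counter, heap, &local };
    const char *label[] = { "function", "global", "malloc block", "stack local" };
    for (int i = 0; i < 4; i++) {
        struct region r;
        if (find_region(probe[i], &r)) /* every probe resolves in the same address space */
            printf("%-12s %p in %lx-%lx %s %s\n", label[i], (void *)probe[i],
                   (unsigned long)r.start, (unsigned long)r.end, r.perms, r.name);
    }
    printf("code bytes as u32: 0x%08x\n", (unsigned)bytes_as_u32(probe[0]));
    free(heap);
    return 0;
}
```

On a typical glibc x86-64 build the function and global resolve to the executable's own mappings, the malloc block to `[heap]` and the local to `[stack]`.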
xconspirisist How do I cheat?
Reputation: 0
Joined: 20 Jun 2021 Posts: 5
Posted: Mon Aug 02, 2021 5:01 am
Thank you ParkourPenguin for taking the time - I really appreciate it. That really helps.
I went on to look at Memory Regions within CheatEngine, and spent a lot of time reading up about Virtual Address Space, and looked through things like the DLL Enumeration list.
One follow-on question: is it possible to hide/ignore regions of memory in CheatEngine that are unlikely to be interesting when debugging a game? Looking at the list of Enumerated DLLs, things like wow64cpu.dll, kernel32.dll, gdi32.dll, gameoverlayrenderer.dll and many more won't contain "game bytes" that I care about. Seems like an easy way to drastically reduce the number of bytes I have to look through / use for pointerscans? I see that I can specify these as addresses start/from, but is there any way to specify it based on the names of DLLs / mapped regions of memory?
Dark Byte Site Admin
Reputation: 467
Joined: 09 May 2003 Posts: 25701 Location: The Netherlands
Posted: Mon Aug 02, 2021 5:15 am
Pointerscan already excludes those regions when scanning. (Advanced options, include system modules is unchecked)
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping