thirdfoot Newbie cheater
Posted: Sat Nov 20, 2021 4:00 pm Post subject: How does CE avoid this read only duplicate memory area?
I have a C++ program that does an AOB scan based on my findings in CE. I use:
PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_VM_OPERATION | PROCESS_QUERY_INFORMATION
for the OpenProcess rights. The weird thing is, my memory search finds a whole duplicate read-only area of the same code that I'm looking for, at a lower address, while CE only finds the actual execute/read-only area that I really want.
A really weird thing I noticed is that if I make a VirtualProtectEx call before RPM on that read-only area, it goes away entirely. The game continues to run for hours as expected without that area and all is good. It trips my memory scanner if I don't get rid of it or jump over it on purpose. I just wish to know what's happening... I don't get why RPM flushes it if I try to set PAGE_EXECUTE_READWRITE on it.
If I only do VirtualProtectEx on my WPM calls, the memory scanner continues to only find the wrong area and it doesn't go away. I've hacked many games but never seen a duplicate game memory area like this before...
All code and calls work fine on the intended execute/read-only area. I just have no idea what this read-only area is, or how I should deal with it like CE does.
How does CE consider that area and what makes it avoid it? Does it check for pure read-only? It doesn't seem to make any difference if I uncheck "Executable" or turn off "Fast Scan" before doing a pattern search.
EDIT:
It seems that if I change my scanner to include a check for PAGE_EXECUTE_READ, it skips the area as expected. It also made my already multithreaded scanner a hell of a lot faster.
I'm thinking that I may not need to scan as much as I've previously done, in other games as well, since most game asm I'll hack will be execute/read-only. I haven't really been paying much attention to protections until this issue...
As it stands:
Code:
    mbi.State == MEM_COMMIT &&
    (mbi.Protect & PAGE_EXECUTE_READ) &&            // PAGE_EXECUTE_READ is 0x20; no other PAGE_* base value has this bit
    !(mbi.Protect & (PAGE_NOACCESS | PAGE_GUARD))
Description: If I make a VirtualProtectEx call before an RPM, it disappears entirely. But it stays if I only do WPM calls with the same protection call.
Description: Illustrates the duplicate read-only area my memory scanner finds, compared to the actual game hacking target memory to the right.
Dark Byte Site Admin
Posted: Sat Nov 20, 2021 4:39 pm
Is your scanner a DLL?
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping
thirdfoot Newbie cheater
Posted: Sat Nov 20, 2021 7:02 pm
Dark Byte wrote:
    Is your scanner a DLL?
No I have code in the trainer itself. What were you thinking if it was a DLL?
Dark Byte Site Admin
Posted: Sun Nov 21, 2021 1:36 am
If it was a DLL, your scanner could be scanning a copy of the memory you read before (if for some reason you copied it instead of directly scanning it).
Is the memory in mapped memory? If so, you can check for that and skip it.
thirdfoot Newbie cheater
Posted: Sun Nov 21, 2021 5:10 am
I don't copy any memory during the scan; I just save structs of AddrToReadFrom and NumBytesToRead in a large vector during the valid-memory scan, then delegate the live search to a few threads.
Thanks for the tip. I tried sorting out MEM_MAPPED type memory pages, and indeed it works. It went back to being a bit slow again 😅 (a few seconds), so I might just keep looking actively for PAGE_EXECUTE_READ as long as I know all my hacks are there, mostly because it was lightning fast (pretty much instant).
What do you think the game is doing here? Could it be something to do with it supporting consoles as well? That they are including some memory mapping algorithms not really used on PC? I don't have any experience with memory mapping or what it's really used for... Yet another thing to read up on.
I get why they would use memory mapping, e.g. for large files of data since RAM is faster to access perhaps, but I don't get why they map executable memory that's already in virtual memory anyway. I just don't get their thought process...
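A region filter along the lines this thread converges on (committed pages only, skip MEM_MAPPED duplicates, avoid guard pages, keep execute/read code), as an added C++ example that is not the OP's scanner or Cheat Engine's code. RegionInfo, ShouldScanRegion, SelectRegions and the sample region list are constructed here; off Windows the documented MEM_*/PAGE_* values are defined locally so the predicate compiles and runs anywhere.

```cpp
// Added example, not the OP's or Cheat Engine's code: the region filter for a
// VirtualQueryEx-driven scanner. Off Windows the documented constant values are
// defined locally so the predicate can be exercised with constructed regions.
#include <cstdint>
#include <vector>
#ifdef _WIN32
#include <windows.h>
#else
#define MEM_COMMIT             0x1000
#define MEM_PRIVATE            0x20000
#define MEM_MAPPED             0x40000
#define MEM_IMAGE              0x1000000
#define PAGE_READONLY          0x02
#define PAGE_EXECUTE_READ      0x20
#define PAGE_EXECUTE_READWRITE 0x40
#define PAGE_GUARD             0x100
#endif
// Minimal mirror of the MEMORY_BASIC_INFORMATION fields the filter uses.
struct RegionInfo {
    uint64_t base;
    uint64_t size;
    uint32_t state;    // MEM_COMMIT / MEM_RESERVE / MEM_FREE
    uint32_t protect;  // PAGE_* value, possibly OR'd with PAGE_GUARD
    uint32_t type;     // MEM_IMAGE / MEM_MAPPED / MEM_PRIVATE
};
// PAGE_* protections are exclusive values, not bit flags (PAGE_EXECUTE_READ is
// 0x20, PAGE_EXECUTE_READWRITE is 0x40), so compare the low byte exactly
// rather than testing "protect & PAGE_EXECUTE_READ".
bool ShouldScanRegion(const RegionInfo& r, bool skipMapped) {
    if (r.state != MEM_COMMIT) return false;
    if (r.protect & PAGE_GUARD) return false;             // reading would trip the guard page
    if (skipMapped && r.type == MEM_MAPPED) return false; // section-backed copy, not the live image
    uint32_t p = r.protect & 0xFF;
    return p == PAGE_EXECUTE_READ || p == PAGE_EXECUTE_READWRITE;
}
// Keep only the regions worth handing to the pattern-scan threads.
std::vector<RegionInfo> SelectRegions(const std::vector<RegionInfo>& all, bool skipMapped) {
    std::vector<RegionInfo> out;
    for (const auto& r : all)
        if (ShouldScanRegion(r, skipMapped)) out.push_back(r);
    return out;
}
// Constructed sample: read-only mapped duplicate, real execute/read image section, guard page, RWX.
const std::vector<RegionInfo> kSampleRegions = {
    {0x7ff600000000, 0x1000,  MEM_COMMIT, PAGE_READONLY,              MEM_MAPPED},
    {0x7ff700001000, 0x80000, MEM_COMMIT, PAGE_EXECUTE_READ,          MEM_IMAGE},
    {0x7ff700081000, 0x1000,  MEM_COMMIT, PAGE_READONLY | PAGE_GUARD, MEM_PRIVATE},
    {0x7ff700082000, 0x1000,  MEM_COMMIT, PAGE_EXECUTE_READWRITE,     MEM_PRIVATE},
};
```

In a real scanner the RegionInfo list is filled by walking VirtualQueryEx from address 0 upwards; the filter itself is what decides how many regions the worker threads have to read.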