Cheat Engine

[poorprogrammer]

Hello,

Yes, I know that VB.-net is not the most suited language for memory manipulation; however, it is the one I am most comfortable with. I am very new to looking in the memory of other processes, but have been spending some free time on it the past few weeks. This forum, among others, has been very helpful to me. I am running on Windows 7x64, an AMD processor, and using VS2010 - compiled against .-NET4.0. I am having a bit of a problem identifying what, exactly, I should be looking for. Here's where I am so far.

Code enters and immdately elevates its token to a system level debug process so that I can read protected memory. This took me some time to figure out but works as follows. (pinvoke and definitions not included here. available upon request if anyone needs them.)

[code]
I had to remove my code because it says I can't post URLs yet, and it's detecting something in the code as a url...
[/code]

Once we're sure we're going to be able to read everything, we get the process ID of our target, and then open a process handle.
[code]
I had to remove my code because it says I can't post URLs yet, and it's detecting something in the code as a url...
[/code]

We start using VirtualQueryEx to get all the pages. I followed an 8 part tutorial for writing a memory scanner in C. I just adapted the code to VB.-net, and broke it up in ways that make more sense to me. Essentially we just pass the handle and start at memory address "Nothing" to get the first page. We then iterate up based on the MEMORY_BASIC_INFORMATION structure we get back. We add the base address to the size to find the next page, and then pass that memory value... what I'm running into here is that VirtualQueryEx freaks out if I start passing the range of UInt32s. This will be problematic if I'm trying to scan a 64 bit application. Anyway... we just flip through and only store commited pages that can be written to (I don't have a library to include, PAGE_blahblah are all constants that I pulled from technet regarding the BASIC_MEMORY_INFORMATION).

[code]
I had to remove my code because it says I can't post URLs yet, and it's detecting something in the code as a url...
[/code]

Great we have our blocks, and it always throws an (handled) overflow exception on the last block, because when it trys to go past the base + size it extends past the UInt32 (IntPtr and UInt64 jack up VirtualQueryEx as noted above).

Now I iterate through the pages and look for a value. Right now I have it do an initial scan for a specified value that's either 1, 2, or 4 bytes. I have a toggle between Int32 and Single(float) values for 4 bytes. After that I can check for increased, decreased, and new static values from those matches. This is where I think I'm running into problems. I'm not worried about speed right now, I'm going to thread it out once I have it working. I'm more concerned about knowing what I should be looking for here. This is where my lack of knowledge of memory structure is killing me.

So, here's what I'm doing right now:

[code]
I had to remove my code because it says I can't post URLs yet, and it's detecting something in the code as a url...
[/code]

There is also an overloaded Search sub that takes "value" as a single, and passes the false as the fourth value to get_value. Again, this is slow on the first pass when scanning something with several hundred pages. I find that I'm getting some duplicate matches back, and also that I'm getting things that don't really seem to be matches injected into the mix. I also find that I am not always able to find the numbers that are displayed in the game, and I'm not sure what strategy other people use to find these.

Any help would be greatly appreciated. Hopefully I've shown you that I've been trying to work this problem through and am not just asking for a handout. I'm willing to work through this stuff, I just need a direction/strategy to go in. I see a lot of information about pointers, but I don't really understand how that applies if I am scanning every byte. My understanding is that the pointers reference multiple tiers of memory until eventually signaling that a value is stored at some location. By scanning everything, shouldn't I find that location anyway?

And now that I've had to remove my code... I guess you can't really see that... when I can post URLs, I will put it back in...

Thanks,

[NoMercy]

How do you read the pages? With ReadProcessMemory(), if so check return values.

[poorprogrammer]

Yes, I'm using ReadProcessMemory. Since it won't let me post my code, let me try to explain it a bit better:

I get my pages with VirtualQueryEx and store the memory_basic_information in an object that also contains a byte array and a boolean array. I use ReadProcessMemory to populate the byte array and then step through it looking for matches. If it does not find a match, it marks the corrosponding slot in the boolean array as false.

The way I am checking for matches right now is by passing in a reference to the object's byte array, a numeric offset (that steps up one each time) the byte size of the data type I'm looking for, and a flag that indicates if it is an int32 or single(float). The last flag is only used if it is 4 bytes in size. I then use the appropriate bitconverter method (bitconverter.toboolean, .toint16, .toint32, or .tosingle) to populate a temp value and check it against the value I'm looking for (equals, greater than, or less than).

The problem I seem to be having is that I'm not pulling down matches for things that (appear) to be obvious. Things like my health bar, my power bar, my x y and z coordinates. So, what I'm wondering is how do people go about figuring out the right data type. Basically - how to I use what I've written and/or is there a better way to check matches?

[NoMercy]

Your problem basically is that you can't find the right addreses? You could better search for them with CE and then add them in your trainer.