CodeReaver (Newbie cheater; Reputation: 0; Joined: 19 Apr 2005; Posts: 24)
Posted: Sat Jun 16, 2012 1:50 pm. Post subject: ReadProcessMemory or dll injection
I'm trying to decide the best way to scan another process's memory, and I've seen some methods that use ReadProcessMemory and others that use CreateRemoteThread with an injected dll to do the search.
Most of the code I have so far is made up of a C++ class of trainer functions I had a while ago and features I've incorporated from a tutorial I would have linked to if the forums let me. It has all the stuff for using MEMORY_BASIC_INFORMATION and VirtualQueryEx to find out what's readable and writable anyway.
So basically I'm looking for pros and cons of ReadProcessMemory vs CreateRemoteThread with an injected dll. If I do use a dll would I need to include all the functionality in the dll or could I work out most of what I need in my main app?
STN (I post too much; Reputation: 43; Joined: 09 Nov 2005; Posts: 2676)
Posted: Sun Jun 17, 2012 6:48 am
An injected dll is obviously the fastest way to search. However, you have to make your own exception handling if you were to search addresses outside the module or in different modules, or without regard to any module address (e.g. 00000000 to ffffffffff).
ReadProcessMemory() eases this process as it handles the exceptions generated by inaccessible addresses. E.g. in Minecraft, since it's a Java game and there is no specific module to search inside, I had to scan till ffffffff. RPM() is a lot slower than dll injection, where you just have to grab the memory since you're already inside.
So it all depends on what you're doing. If you were sigscanning the xlive signature, dll injection would have been the fastest solution.
CodeReaver (Newbie cheater; Reputation: 0; Joined: 19 Apr 2005; Posts: 24)
Posted: Sun Jun 17, 2012 7:54 am
All I want to happen is for the user to be able to enter an array of bytes into my app and find either the next occurrence or all occurrences of the array. As far as I know, VirtualQueryEx should take care of working out what's readable and writable.
In the discussion here (that I only found after my initial post), DarkByte mentioned in topic 495632 that dll scanning was too much of a problem because it scans itself. I still can't post urls, but you can replace the end of what's in the address bar with that number.
I think that's what he's saying, although he might have just meant it wasn't suitable for a particular purpose, or he has found a way around it since.
I might avoid using a dll by allocating some memory and pasting in the search functions myself, but then it would still scan itself in that case.
Dark Byte (Site Admin; Reputation: 471; Joined: 09 May 2003; Posts: 25833; Location: The Netherlands)
Posted: Sun Jun 17, 2012 8:18 am
VirtualQueryEx won't always work, as the game might allocate or free memory right after your call to VirtualQueryEx, so you have to keep that in mind.
And if you do dll scanning, you have to make sure that you do not scan your own dll's memory blocks. So do not allocate any new memory on the fly during a scan, and tell your scanner that it should not scan the regions of the dll. With RPM you do not have that problem.
Just saying that if you do scanning from inside a process, you have to keep in mind that unexpected things will happen.
Also, RPM isn't really that slow; just make sure you do big memory block reads and not small blocks like 1 byte at a time.
And you can always go kernelmode and map the pages of the target process directly into your app without the need to copy.
Is the code you are looking for inside a module or randomly allocated? That can cut down on what regions to scan as well.
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping
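Dark Byte's advice to read big blocks rather than single bytes has one catch any block-based scanner must handle: a pattern that straddles two consecutive reads. The following is an added example (not code from this thread or from Cheat Engine), in plain C, with a local byte array standing in for the ReadProcessMemory() target so it runs anywhere; it carries the tail of each read into the next so such matches are neither missed nor reported twice.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Search `region` for `needle` while only looking at `block` bytes per
 * read, as a scanner doing large ReadProcessMemory() calls would. The last
 * needle_len-1 bytes of each read are carried into the next, so a match
 * straddling a block boundary is reported exactly once. Offsets go to
 * `out` (up to out_max); the return value is the total match count. */
size_t scan_chunked(const uint8_t *region, size_t region_len,
                    const uint8_t *needle, size_t needle_len,
                    size_t block, size_t *out, size_t out_max)
{
    if (needle_len == 0 || block == 0) return 0;
    size_t overlap = needle_len - 1, carried = 0, pos = 0, found = 0;
    uint8_t *buf = malloc(block + overlap);  /* one read + carried tail */
    if (!buf) return 0;
    while (pos < region_len) {
        size_t n = region_len - pos < block ? region_len - pos : block;
        memcpy(buf + carried, region + pos, n);   /* stands in for RPM */
        size_t have = carried + n;
        for (size_t i = 0; i + needle_len <= have; i++)
            if (memcmp(buf + i, needle, needle_len) == 0) {
                if (found < out_max) out[found] = pos - carried + i;
                found++;
            }
        carried = have < overlap ? have : overlap;  /* keep the tail */
        memmove(buf, buf + have - carried, carried);
        pos += n;
    }
    free(buf);
    return found;
}

/* Constructed 10000-byte region with the pattern at offsets 100, 4094
 * (across the 4096 boundary) and 9996 (the last 4 bytes), scanned with
 * 4 KiB reads. Without the overlap the one at 4094 would be missed. */
size_t demo_scan(size_t *out, size_t out_max)
{
    static const uint8_t needle[4] = {0xDE, 0xAD, 0xBE, 0xEF};
    uint8_t region[10000] = {0};
    memcpy(region + 100, needle, 4);
    memcpy(region + 4094, needle, 4);
    memcpy(region + 9996, needle, 4);
    return scan_chunked(region, sizeof region, needle, 4, 4096, out, out_max);
}
```

In a real scanner the memcpy() is a ReadProcessMemory() call over one VirtualQueryEx() region, and `pos` is added to that region's base address to get the match address.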
CodeReaver (Newbie cheater; Reputation: 0; Joined: 19 Apr 2005; Posts: 24)
Posted: Mon Jun 18, 2012 3:54 pm
Thanks for the advice, DarkByte. It sounds like the dll injection method would be more trouble than it's worth. The tutorial I tried to link to (gimmeamilk's "C programming: Write a memory scanner" tutorial on YouTube) has a good example of finding the readable/writable data with VirtualQueryEx and using ReadProcessMemory to read blocks of data at a time. I think that should be everything I need.
You mentioned in the thread I tried to link to that you were getting rid of the dll searches, so I assume you're doing a similar sort of thing with Cheat Engine.
There's a tool called WinHack that I used to use for memory scans, pokes and freezing, and it had taglists and stuff that I could give to people who weren't as good at gamehacking but still wanted to experiment. It was also handy to use in conjunction with Cheat Engine when I needed to view multiple memory locations at once. The program doesn't work with current versions of Windows, so I'm writing a replacement. I'm also planning on adding a few specialised features for Soul Reaver, such as cycling through the object/enemy lists.