Cheat Engine

[KryziK]

I need to search a process' entire memory for a specific byte pattern, and I need to do it from within a DLL.

Currently, I obtain the system's minimum and maximum application address and iterate through every address between them. However, this makes the process crash. My first thought was that the protection was causing the crash. So, I added a VirtualQuery call every iteration to check if it was PAGE_ACCESS or PAGE_NOEXECUTE (which fixed SOME crashing). However, this is obviously very slow because of so many API calls. I will fix this by using the page size to get the next page, check if it is readable, and then proceed to read from there (want to get the crashing fixed first).

However, while the current method of iterating through every address is slow, it certainly shouldn't crash when it hits some addresses. It works fine when starting from certain addresses, but not others, so I think I must be missing some sort of protection.

A few of the questions I have are:
1. I see lots of pattern searchers online, and none of them bother uerying anything. Is my assumption of needing to query valid, or am I wasting my time?
2. Is there a certain protection or special case I am missing when reading from memory that is causing this crash, or am I just perhaps doing something wrong in terms of my code?
3. I'm not quite sure how pages work, but will there be a potential for a byte pattern I'm searching for to span multiple pages (the end of one and beginning of another)? Will this mean I need to query a page ahead?

Additional information:
Starting from the process' base address gives me a few addresses where the code I am searching for is found. Some are within the main module's memory (static), and some are not. However, starting from the minimum address of 10000 causes a crash somewhere before the first result (which is around 230000).

Edit: Currently checking the following in terms of protection:

[Dark Byte]

1: They most likely get a range pre programmed, like modulebase+size only
2: Watch out for PAGE_GUARD pages, like the top of the stack of a thread. When that gets hit a pagefault will happen that you should respond to. If you don't then when the game actually needs to grow the stack it will crash

Also, when you try to read memory that isn't allocated you will raise an access violation exception. Make sure you handle that properly

And then in the past there where memory pages marked as "No_cache", and trying to read those would BSOD you. I think that has been fixed by now, but it's recommended not to touch those

3: If your (current address % pagesize)+patternsize-1 > pagesize, then yes

[KryziK]

Thank you. For the most part my scans replicate CE's results (I get a few not on CE's list, and CE has a few not on my list). Not quite sure why that happens, but at the moment it doesn't really matter.

How does CE scan for an array of bytes so quickly? Even with my updated code, my scan takes probably a full second longer than CE's "instantaneous" scan. If you could point me to the specific file in the source code, I'd take a look at it. Or you could provide a brief overview!

Edit: Forgot to mention that CE's Writable, Executable, and CopyOnWrite checkboxes are all filled (not checked) to try to search as much memory as possible.

[Pingo]

Here a fast scan array function in C#.
From my personal tests, its just as fast as CE.
I'm not sure what language you're coding in but it might help you anyway.

I use this in my memory class for aobscanning. At one point i even made a simple memory scanner, worked well.

[KryziK]

[Pingo]

Yea no prob, thought id post it just incase.

I also use it in my C# dlls.
I'v had very little experience with C++, wish i could help more but i can't.

[atom0s]

The most common method of byte scanning in C++ (injected) is similar to this:

[KryziK]

Thanks, Wiccaan. Unfortunately, since I am not worried about whether the pattern is in a module or not, I don't want to slow down my search code by bothering with obtaining any module information. My MaskCompare code is basically the same, however.

Would it be better to not bother with gathering module information and just query every page/set of pages, or use the module information to help me replace VirtualQuery while within those modules, and then only query the memory between them?

[atom0s]

[KryziK]

I may write two separate functions so that either can be used, but for now I am just trying to search all of memory. Currently I loop through each page, incrementing by the system info's pagesize. Then, if the page is readable (by checking the struct given by VirtualQuery for MEM_COMMIT, PAGE_NOACCESS, PAGE_GUARD, PAGE_EXECUTE, and PAGE_NOCACHE), I loop through each byte from the base address of the page to the pagesize - pattern length. For each byte there, I also loop through each byte of the pattern, so it's similar to the mask comparing function. At the moment, the scan takes a full second or two, yet CE's scan, even though it's external, appears to complete instantly.

[Dark Byte]

VirtualQuery returns more than 1 page, so you can cache that

or if you put every read between a try/except it will slow down a lot as well (you MUST use exception handling through, as the game might free a memory block you're currently reading)

also, try increasing the priority of your thread to higher than the other threads of the game, else you only get a fraction of the cpu power assigned to that process

[KryziK]

[Dark Byte]

Just wondering how many results you get?
If more than 100 make sure you do not convert the addresses to text, and certainly not add them to a gui object during the scan. (gui updates are horribly slow)

[KryziK]

I get almost the same as CE, which is ~150. The total number of results is the only thing printed to the command prompt. Even if I print the addresses, it completes in just about the same amount of time as without.