Cheat Engine

Gniarf

I'm looking for bits that are =1 in the attached config0.dat and that are =0 in both other files, so:
1-I open config0.dat in CE x86 and do a first binary scan for bits that are set.
2-Then open config1.dat and do a next scan for bits that are =0. Yet the result window shows some offsets that are still =1 in config1.dat.
3-If do a second rescan on config1.dat for bits that are =0, I get 0 results, even if some results were shown as =0 on the previous scan.

If I do the same thing on CE x64, CE crashes or silently closes on step 2.

Note1: I'm always using the "bits" mode instead of "decimal".
Note2: It's not cpu affinity this time Wink

.

Seen on CE r2192.

I've tried to reproduce that behavior on files that are in the cheat engine directory, but failed, that's why I'm posting the files I'm working on.

Sample affected files: http://www.mediafire.com/?od09tq1sjs0ep3j

EDIT: It's not specific to the binary datatype, I also get corrupted results and crashs with the byte datatype.

Gniarf · Posted: Fri Nov 01, 2013 12:04 am Post subject:

Ok, I decided to go ahead and fix the bug myself. Basically there were 2 array overflow issues in TScanner.nextnextscanmembinary:
1-j could go past maxindex.
2-maxindex was 1 byte too big.

All in all I suggest the following fix:

Dark Byte · Posted: Fri Nov 01, 2013 4:43 am Post subject:

Thanks, i hadn't had time to look into it yet (i did look over the file access when making the big endian file scanner but didn't see anything wrong there)

actually, it's a little bit more complex

it's fixed in the svn now

Gniarf · Posted: Fri Nov 01, 2013 11:24 am Post subject:

Got up in the middle of the night thinking "Oh Sh*** what if found=1 -> chunksize=1 -> maxindex=0 -> no while looping ?!"... Well looks like you found it first, sorry for screwing up.

Anyway, doing some tests around this bug I created a file that contains db 01,01, and guess what, if I scan for "1", type binary, CE will only find one result. After some investigation it boils down to variablesize being = 2 because getBytecountBinaryString (from memscan.pas) thinks that "1" takes 2 bytes, so you'd need a special handler incase result mod 8=1 (since 9 bits always take 2 bytes).

...But that'd only partly solve the problem, since I could redo my experiment with a file containing db 03,03 and scanning for "11". There the problem is that the scanning loop in TScanner.FirstScanmem/TScanner.FirstNextScanmem should be stopped at N bits from the end instead of a given number of bytes when scanning for binary strings.

Dark Byte · Posted: Fri Nov 01, 2013 2:56 pm Post subject:

check the svn. there was one more situation where next scan would bork out

Gniarf · Posted: Fri Nov 01, 2013 4:05 pm Post subject:

About the fix in getBytecountBinaryString, if you do it that way you get result=2+N for a 8*N+1 bit string (except when N=0) which gives 3 bytes for 9 bits. Correct me if I'm wrong but such string can only spread over 1+N bytes. So i'd go for: