Cheat Engine - The Official Site of Cheat Engine

Erez Zrihen, Advanced Cheater
Reputation: 0
Joined: 26 Feb 2016, Posts: 65
Posted: Fri Feb 26, 2016 5:26 am, Post subject: Pointer scan options are limited
I use your latest version of Cheat Engine, which is 6.5, and recently I have read about your "Pointer scan for this address" option and learnt how to use it. This works great, BUT ONLY with 4 Byte, Float and Double addresses, BUT NOT with 2 byte, byte and 8 byte addresses, and that is because you didn't provide these scan options. Because of that, I can't pointer scan addresses that I have found with 2 bytes, byte and 8 bytes! Please fix this.

hhhuut, Grandmaster Cheater
Reputation: 6
Joined: 08 Feb 2015, Posts: 607
Posted: Fri Feb 26, 2016 5:29 am
Erez Zrihen wrote:
    I can't pointer scan addresses that I have found with 2 bytes, byte and 8 bytes!

If you've already found the address, then the value type is irrelevant, because you can just pointerscan for the address without having to care about the value type.

Erez Zrihen, Advanced Cheater
Reputation: 0
Joined: 26 Feb 2016, Posts: 65
Posted: Fri Feb 26, 2016 5:33 am, Post subject: reply to hhhuut
I have already tried what you suggested, but it doesn't work for me!
It is wrong to say that the value type is irrelevant, because it is very relevant!
For example, if I am looking for an address that points to two bytes, then its value is supposed to be in the range 0 to 65,536, or -32,768 to 32,767 if signed.
BUT when it scans 4 bytes instead of 2 bytes, then there is the possibility that the current address is the address that I am looking for, but its value is above 65,536, because it scanned 4 bytes and not 2 bytes! If it scans two bytes, it should see that its value is the value that I tell it to compare, and it has to return this address to me. It doesn't return the address, because it scans 4 bytes instead of 2!
Last edited by Erez Zrihen on Fri Feb 26, 2016 5:40 am; edited 1 time in total

Dark Byte, Site Admin
Reputation: 472
Joined: 09 May 2003, Posts: 25876, Location: The Netherlands
Posted: Fri Feb 26, 2016 5:39 am
The value has no effect whatsoever on the pointerscan. (Its main concern is the address and the addresses that point near it. Nowhere during the scan does it even consider the value, let alone the type.)
(Also, doing a 2 or 1 byte value scan with the pointerscanner will result in your hard disk being filled before it even starts scanning for the address you're actually interested in.)
But you may want to deselect the "addresses must be 32-bit aligned" option, and if the address is unaligned itself, disable "compressed pointerscan file", else the results it finds will point to an aligned address.
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping
Last edited by Dark Byte on Fri Feb 26, 2016 5:43 am; edited 1 time in total

Erez Zrihen, Advanced Cheater
Reputation: 0
Joined: 26 Feb 2016, Posts: 65
Posted: Fri Feb 26, 2016 5:43 am, Post subject: Reply to Dark Byte
Thanks for your quick replies. Maybe I just give up too quickly; I will try more.
By the way, has any of you already succeeded in pointer scanning 2 bytes?
If yes, then tell me exactly how.

Dark Byte, Site Admin
Reputation: 472
Joined: 09 May 2003, Posts: 25876, Location: The Netherlands
Posted: Fri Feb 26, 2016 5:45 am
Yes, a pointerscan for a 2 byte value is the same as a pointerscan for a 4 byte value. (Assuming it's aligned. Otherwise, do as stated above: disable the option for aligned pointers and compressed pointer files.)
But the main issue is WHY did the game use a 2 byte value? Generally speaking the CPU really doesn't like 2 byte values, so compilers tend to align it on 4 bytes after all. And due to little endian, the 2 byte value can then be interpreted as 4 bytes with no ill effect. (Except that a value higher than 65535 will be interpreted as 2 bytes by the game itself.)
Is this a game running inside an emulator? (DOSBox?)

Erez Zrihen, Advanced Cheater
Reputation: 0
Joined: 26 Feb 2016, Posts: 65
Posted: Fri Feb 26, 2016 5:59 am, Post subject: Reply to Dark Byte
You are correct! I am playing "Alone in the Dark" with the DOSBox emulator.
I want to fire my rifle infinite times, so I use your Cheat Engine to unlimit the number of bullets left, but every time I close DOSBox and run DOSBox again, I have to find the address of the rifle's bullets over and over again, because its address changes, and I don't like to do this over and over again, so I want to use your "pointer scan for this address", so that every time I start playing the game with DOSBox, I will find the address of the rifle's bullets instantly. Infogrames defined the rifle's bullets as two bytes, not four!
A 4 byte value is equal to a 2 byte value (for the same address) ONLY IF the HIWORD (the right two bytes after the first left two bytes) is equal to ZERO!
In C and C++, if I have
int* a and short* b pointing to the same address, and sizeof(int) == 4 && sizeof(short) == 2 always returns 1 (TRUE), then *a == *b does NOT always return 1 (TRUE)! Sometimes YES AND sometimes NO!
Also you should know that even modern games define flags (TRUE and FALSE, or YES and NO), and these flags do not need to be 4 bytes, because that is just a waste of 3 bytes of the computer's memory. 1 byte is enough to define any flag. For example, in a game where my character can swim, like Quake, there is a flag that tells whether my character swims or not, so its values are only 1 or 0 (1 if my character swims and 0 if my character doesn't swim). Although Quake is not a modern game, Tomb Raider 2013 is, and I am sure you can swim in that game! In Quake, it is good to know how to find the address of this flag and just make it constant 1, because whenever I fire my lightning gun underwater it explodes. It will also explode in the air if I use your Cheat Engine and set this flag constant to 1. In every game where I can swim, I have breath, and if it runs out, I am dead. I can use your Cheat Engine to unlimit the breath, so my character can live underwater forever, or make the game think that I am in the air, and make my character fall and walk/run on the ground as if not underwater, even though he/she is! But the flag that tells whether my character swims or not is probably not 4 bytes!
Last edited by Erez Zrihen on Fri Feb 26, 2016 7:34 am; edited 3 times in total
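The point argued in the last two posts, that a 2-byte field read as 4 bytes only matches when the neighbouring high word is zero, and that a 4-byte write of a value above 65535 spills into the next field, as an added C illustration (not code from the thread or from Cheat Engine). The `GameSlice` layout and its field names are constructed for the demonstration, and it assumes a little-endian host such as x86, as the thread does.

```c
#include <stdint.h>
#include <string.h>

/* Constructed 4-byte slice of "game memory": an assumed 2-byte counter
   followed by whatever unrelated 2-byte field happens to sit after it.
   Assumes a little-endian host (x86), as the thread does. */
typedef struct {
    uint16_t bullets;   /* the field the game reads as 2 bytes */
    uint16_t other;     /* the neighbouring 2 bytes (HIWORD of a 4-byte read) */
} GameSlice;

/* Read the same address once as a 2-byte and once as a 4-byte value. */
static uint32_t read_u16(const void *p) { uint16_t v; memcpy(&v, p, 2); return v; }
static uint32_t read_u32(const void *p) { uint32_t v; memcpy(&v, p, 4); return v; }

/* Returns 1 if a 4-byte scan for `bullets` would match this slice, 0 if
   the neighbouring field makes the 4-byte value differ from the 2-byte one. */
int four_byte_scan_matches(uint16_t bullets, uint16_t other)
{
    GameSlice s = { bullets, other };
    return read_u32(&s) == read_u16(&s);   /* equal only when other == 0 */
}

/* What the game sees after a 4-byte write of `value` to the 2-byte field:
   the low 16 bits land in `bullets`, the high 16 bits clobber `other`. */
uint16_t game_view_after_u32_write(uint32_t value, uint16_t *clobbered_other)
{
    GameSlice s = { 0, 0 };
    memcpy(&s, &value, 4);
    *clobbered_other = s.other;
    return s.bullets;                      /* value modulo 65536 */
}
```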

Dark Byte, Site Admin
Reputation: 472
Joined: 09 May 2003, Posts: 25876, Location: The Netherlands
Posted: Fri Feb 26, 2016 6:18 am
DOS games are problematic because they use 16-bit memory addressing.
A memory address of 0001:0010 is the same as 0000:0020.
The CE pointerscan only works on 32-bit memory addresses (and only those referencing the process memory, not emulated memory, which has a different starting point), so I don't think it will be able to find anything.
Perhaps you may be able to use a groupscan to find the memory region you're interested in instead. (E.g. look around the memory for things that are always the same, like a character name or the max amount of something.)
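Dark Byte's two points about real-mode addressing, that distinct segment:offset pairs alias the same linear address and that a game can store the segment once and the offsets elsewhere so that no 32-bit linear pointer ever exists in memory, as an added C illustration that is not part of the thread or of Cheat Engine. The 64 KiB `emu` buffer, the segment value 0x0100, the storage locations 0x0002 and 0x0200, and the offset table are all constructed for the demonstration.

```c
#include <stdint.h>
#include <string.h>

/* Real-mode address: (segment << 4) + offset, so 0001:0010 and 0000:0020
   both give 0x00020 (the 20-bit wrap of a real 8086 is ignored here). */
uint32_t linear_addr(uint16_t seg, uint16_t off)
{
    return ((uint32_t)seg << 4) + off;
}

/* Constructed 64 KiB of "emulated conventional memory" with invented values:
   the segment is stored once at SEG_SLOT and the offset list elsewhere at
   OFF_TABLE, so the target's linear address is never stored anywhere. */
#define EMU_SIZE  0x10000
#define SEG_SLOT  0x0002
#define OFF_TABLE 0x0200
static uint8_t emu[EMU_SIZE];
static const uint16_t DATA_SEG = 0x0100;
static const uint16_t OFFSETS[3] = { 0x0010, 0x0020, 0x0030 };

/* Fill `emu`; returns the number of bytes written (2 + 6 = 8). */
int build_emulated_memory(void)
{
    memset(emu, 0, sizeof emu);
    memcpy(&emu[SEG_SLOT], &DATA_SEG, sizeof DATA_SEG);
    memcpy(&emu[OFF_TABLE], OFFSETS, sizeof OFFSETS);
    return (int)(sizeof DATA_SEG + sizeof OFFSETS);
}

/* Count 4-byte words anywhere in `emu` equal to `target`: this is what a
   32-bit pointer scan looks for, and in this layout it finds nothing. */
int count_u32_hits(uint32_t target)
{
    int hits = 0;
    for (size_t i = 0; i + 4 <= EMU_SIZE; i++) {
        uint32_t v;
        memcpy(&v, &emu[i], 4);
        if (v == target) hits++;
    }
    return hits;
}

/* Resolve the i-th stored pointer by combining the two separately stored
   halves, the step a 32-bit scanner cannot perform on its own. */
uint32_t resolve_stored_pointer(int i)
{
    uint16_t seg, off;
    memcpy(&seg, &emu[SEG_SLOT], 2);
    memcpy(&off, &emu[OFF_TABLE + 2 * i], 2);
    return linear_addr(seg, off);
}
```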

Erez Zrihen, Advanced Cheater
Reputation: 0
Joined: 26 Feb 2016, Posts: 65
Posted: Fri Feb 26, 2016 6:33 am, Post subject: Reply to Dark Byte
Are you going to support emulators and 16-bit memory in the next version of Cheat Engine?

hhhuut, Grandmaster Cheater
Reputation: 6
Joined: 08 Feb 2015, Posts: 607
Posted: Fri Feb 26, 2016 7:11 am
I'd think that's pretty unlikely, because 16-bit memory isn't used any more ...

Erez Zrihen, Advanced Cheater
Reputation: 0
Joined: 26 Feb 2016, Posts: 65
Posted: Fri Feb 26, 2016 7:28 am, Post subject: reply to hhhuut
Yes, but what about those who want to hack DOS games like me?
You know, there are plenty of DOS games to hack, and emulators like DOSBox are still used today.
And what is your answer about other emulators in general?
If you claim that I should always use 4 bytes for integer values, then why, in Scan Type before I click the "First Scan" and "Next Scan" buttons, can I choose 2 Bytes, 1 Byte and 8 Bytes? If you think that there is no need for them, then you could just remove these options, so why did you add them?
Also I am interested to learn from you how you make Cheat Engine read and write to a process's memory directly. I know that when I open the list of running processes, your Cheat Engine either calls EnumProcesses or CreateToolhelp32Snapshot, Process32First and Process32Next, and when I select a running process from the list, your Cheat Engine calls OpenProcess. It also calls ReadProcessMemory to display the values in the Value column of the table after First and Next scans, and WriteProcessMemory after I change the value of a record. I also want to make a program that uses ReadProcessMemory and WriteProcessMemory, like your successful Cheat Engine does, but my programs can't do that! I mean that EnumProcesses succeeds and also OpenProcess does, but ReadProcessMemory and WriteProcessMemory and even VirtualProtectEx and DebugActiveProcess ALWAYS FAIL and GetLastError() returns 5 ERROR_ACCESS_DENIED. Please tell me your secret: how can your Cheat Engine access a process's memory and mine can't!
I am also interested to know how you can suspend the process, resume it and even how to speed hack the process!!! I like it very much!
Last edited by Erez Zrihen on Fri Feb 26, 2016 8:06 am; edited 1 time in total

Dark Byte, Site Admin
Reputation: 472
Joined: 09 May 2003, Posts: 25876, Location: The Netherlands
Posted: Fri Feb 26, 2016 7:51 am
Emulator support is in. (Which is why there are 2 byte and 1 byte values, and for a few extremely rare cases, but generally speaking, best not to use them.)
But pointers and 16-bit assembly are not supported.
A pointerscan in 16-bit is just an exercise in futility, as segments and offsets do not need to be stored next to each other. The game might store the segment it's in at the top of the memory only once, and keep a list of offsets elsewhere, making the link between segment:offset pretty much impossible to figure out without source code or disassembling/reversing.
Emulator pointerscan (32-bit emulator): even if the game itself uses little endian (most game consoles use big endian, causing even more issues), the point of origin will be different and hard to guess automatically.
Normally, a value of 00400000 in memory would represent virtual address 00400000, but in an emulator it could be 20400000 if it has the emulated memory mapped at 20000000 (pcsx does that).
So, for the pointerscan to work, it would have to make that calculation. There is a plugin somewhere to do this, but it has only limited use, as you have to do a scan without static memory bases, meaning you will get every possible memory combination as a result.
(Also, if the emulator uses big endian, all pointers need to be reversed as well.)
And if the emulated system makes use of paging, it's even more difficult to track.
In emulators, I recommend using native game hack tools. (E.g. for DOS gamewiz32, for Android ceserver, etc...)
As for the API, if OpenProcess succeeds it should have worked. (0 and -1 are both fails.)
Make sure your program is running as admin, and that it's compiled for the proper architecture. (Don't debug a 64-bit app with a 32-bit app.)
And in some cases you may have to give the app SeDebugPrivilege (or just limit what you request in OpenProcess).

Erez Zrihen, Advanced Cheater
Reputation: 0
Joined: 26 Feb 2016, Posts: 65
Posted: Fri Feb 26, 2016 8:12 am, Post subject: Reply to Dark Byte
Thanks for your reply and your advice!
Sorry that I forgot to say this earlier, but I am saying it now: I have already tried SeDebugPrivilege and the call to this function succeeded. I also ran the program as administrator. I also tried x86 and x64 compilations. I also tried OPEN_ALL_ACCESS and later PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE. I also tried the flag without the LIMITED. It still failed and I got the same error code 5.
And what should I do if I want to pointer scan the rifle's number of bullets left in Alone in the Dark emulated by DOSBox? Note that it is 2 bytes, not 4. I still want to hack and pointer scan this address. What should I set in the options and settings of the pointer scanner?
You also suggested earlier to use a groupscan. How exactly?