Sign in to follow this  
Followers 0
Info

GetProcessMemory()?

10 posts in this topic

#1 ·  Posted (edited)

Could anyone give me a hint about how to find all the memory addresses in the process that have the same value, just like the search function in CE?

Edited by Info

Share this post


Link to post
Share on other sites



Bump

Perhaps a kernel32 function?

Share this post


Link to post
Share on other sites

No.

Share this post


Link to post
Share on other sites

I wrote one in AutoIt that purely did scanning of all the addresses, skipping ones that weren't read+write. It's REALLY slow though.

CE gives their source, don't really know much of C++, don't know any Deplhi. Though you could probably see how they do it and possibly make a DLL or something that does it and returns an array.

I'll look for the code that I wrote and see how slow it really is. I just remember it being bad bad bad though.

Share this post


Link to post
Share on other sites

Great, but one do you mean by "skipping ones that weren't read+write"?

Share this post


Link to post
Share on other sites

Great, but one do you mean by "skipping ones that weren't read+write"?

Okay update.

Got the old autoit written scanner again. It's pretty darn slow compared to CheatEngine :/ I even am using all sorts of techniques to lower the amount I have to scan.

I am, however, writing an autoit CE UDF. Completely controls CheatEngine though autoit commands. Here are a few I am working on:

CESetProcess

CEScan

CEAddressList

=)

The only thing I can't get working at the moment is making the CE window not visible to the user.

I am setting the flag @SW_HIDE on "Cheat Engine 5.5". It does make the window go away, but the taskbar is still there. I even tried the HideTaskbar function and it can't find the window to remove it from the taskbar.

If anyone has a working example of how to hide CE completely, that would rock!

Szh

Share this post


Link to post
Share on other sites

Still waiting for some angel to come with a nice hint. >_<

I am setting the flag @SW_HIDE on "Cheat Engine 5.5". It does make the window go away, but the taskbar is still there.

Are you sure you're talking about the taskbar and not about the program manager?

@SW_HIDE in WinSetState() hides the window from the taskbar...

Share this post


Link to post
Share on other sites

Bump

Share this post


Link to post
Share on other sites

Bump

Here was the scanner I was working on. Pure AU3. It's (like I said), really really slow.

#include <GUIConstants.au3>
#Include <GuiListView.au3>
#include <NomadMemory.au3>
#include <Array.au3>
;

$PID = WinGetProcess("InkBall")
$OpenMem = _MemoryOpen($PID)
ScanMemory($OpenMem, 2)



Func _ScanReadableMemory($Handle)
    
    Local $StartMemory = Dec("00400000")
    Local $EndMemory = Dec("7FFFFFFF")
    Local $Address, $LastAddress, $Progress
    Local $Buffer = DllStructCreate('dword;dword;dword;dword;dword;dword;dword')
    Local $BufferScan2 = DllStructCreate('dword;dword;dword;dword;dword;dword;dword')
    Local $ReturnArray[1][2]
    
    $Address = '0x' & Hex($StartMemory)
    
    While 1
        
        DllCall($Handle[0], 'int', 'VirtualQueryEx', 'int', $Handle[1], 'int', $Address, 'ptr', DllStructGetPtr($Buffer), 'int', DllStructGetSize($Buffer))
        
        Local $BaseAddress = '0x' & Hex(DllStructGetData($Buffer, 1)); + 0)
        Local $AllocBase = '0x' & Hex(DllStructGetData($Buffer, 2))
        Local $AllocProtect = Hex(DllStructGetData($Buffer, 3))
        Local $RegionSize = DllStructGetData($Buffer, 4)
        Local $State = '0x' & Hex(DllStructGetData($Buffer, 5))
        Local $Protect = Hex(DllStructGetData($Buffer, 6))
        Local $Type = '0x' & Hex(DllStructGetData($Buffer, 7))
        
        $LastAddress = $Address
        $Address = '0x' & Hex($BaseAddress + $RegionSize)
        
        If $Address = $LastAddress Then
            ExitLoop
        EndIf
        
        #cs
        Select
            Case $AllocProtect = 0x00
                $AllocProtect = ''
            Case $AllocProtect = 0x01
                $AllocProtect = 'No Access'
            Case $AllocProtect = 0x02
                $AllocProtect = 'Read'
            Case $AllocProtect = 0x04
                $AllocProtect = 'Read+Write'
            Case $AllocProtect = 0x08
                $AllocProtect = 'Write-Copy'
            Case $AllocProtect = 0x10
                $AllocProtect = 'Execute'
            Case $AllocProtect = 0x20
                $AllocProtect = 'Exe-Read'
            Case $AllocProtect = 0x40
                $AllocProtect = 'Exe-Read+Write'
            Case $AllocProtect = 0x80
                $AllocProtect = 'Exe-Write-Copy'
        EndSelect
        
        Select
            Case $State = 0x1000
                $State = 'Commit'
            Case $State = 0x2000
                $State = 'Reserve'
            Case $State = 0x10000
                $State = 'Free'
        EndSelect
        
        Select
            Case $Protect = 0x00
                $Protect = ''
            Case $Protect = 0x01
                $Protect = 'No Access'
            Case $Protect = 0x02
                $Protect = 'Read'
            Case $Protect = 0x04
                $Protect = 'Read+Write'
            Case $Protect = 0x08
                $Protect = 'Write-Copy'
            Case $Protect = 0x10
                $Protect = 'Execute'
            Case $Protect = 0x20
                $Protect = 'Exe-Read'
            Case $Protect = 0x40
                $Protect = 'Exe-Read+Write'
            Case $Protect = 0x80
                $Protect = 'Exe-Write-Copy'
        EndSelect
        
        Select
            Case $Type = 0x20000
                $Type = 'Private'
            Case $Type = 0x40000
                $Type = 'Mapped'
            Case $Type = 0x1000000
                $Type = 'Image'
        EndSelect
        #ce
        
        $AddressScan2 = "0x" & Hex(Dec(StringTrimLeft($BaseAddress, 2)) + $RegionSize)
        
        DllCall($Handle[0], 'int', 'VirtualQueryEx', 'int', $Handle[1], 'int', $AddressScan2, 'ptr', DllStructGetPtr($BufferScan2), 'int', DllStructGetSize($BufferScan2))
        Local $AllocBase2 = '0x' & Hex(DllStructGetData($BufferScan2, 2))
        Local $AllocProtect2 = Hex(DllStructGetData($BufferScan2, 3))
        Local $State2 = '0x' & Hex(DllStructGetData($BufferScan2, 5))
        Local $Protect2 = Hex(DllStructGetData($BufferScan2, 6))
        ; If the next set is readable as well.
        If $AllocBase2 <> 0x0 And $State2 = 0x1000 Then
            If $AllocProtect2 <> 0 And $AllocProtect2 <> 0x1 Then
                If $Protect2 <> 0 And $Protect2 <> 0x1 Then
                    ;First set
                     If $AllocBase <> 0x0 And $State = 0x1000 And $RegionSize > 282624 Then
                        If $AllocProtect <> 0 And $AllocProtect <> 0x1 Then
                            If $Protect <> 0 And $Protect <> 0x1 Then
                                ReDim $ReturnArray[UBound($ReturnArray) + 1][2]
                                $ReturnArray[UBound($ReturnArray) - 1][0] = $BaseAddress
                                $ReturnArray[UBound($ReturnArray) - 1][1] = Hex($RegionSize)
                            EndIf
                        EndIf
                    EndIf
                EndIf
            EndIf
        EndIf
        
        
        If $BaseAddress < 0 Then
            $BaseAddress = 2147483648 + ($BaseAddress) + 2147483648
        EndIf
        If ($BaseAddress + $RegionSize) >= $EndMemory Then
            ExitLoop
        EndIf
        
    WEnd
    
    Return $ReturnArray

    
EndFunc


Func ScanMemory($aOpenMemory, $vValue, $sType = 'dword')
    
    Local $ReturnAddressList[1][2]
    ; Get the scannable memory
    $aRet = _ScanReadableMemory($OpenMem)
    _ArrayDisplay($aRet)

    
    For $I = 1 To UBound($aRet) - 1
        $StartMem = Dec(StringTrimLeft($aRet[$I][0], 2))
        $EndMemory = $StartMem + Dec($aRet[$I][1])
        $CurrentAddress = $StartMem
        ;MsgBox(0, "", Hex($StartMem) & "/" & Hex($EndMemory))
        While $CurrentAddress <> $EndMemory
            If _MemoryRead("0x" & Hex($CurrentAddress), $aOpenMemory, $sType) = $vValue Then
                ReDim $ReturnAddressList[UBound($ReturnAddressList) + 1][2]
                $ReturnAddressList[UBound($ReturnAddressList) - 1][0] = "0x" & Hex($CurrentAddress)
                $ReturnAddressList[UBound($ReturnAddressList) - 1][0] = $vValue
            EndIf
            $CurrentAddress += 1
            TrayTip("Address", "0x" & Hex($CurrentAddress), 15)
        WEnd
        
        _ArrayDisplay($ReturnAddressList)
        
    Next

    
EndFunc

I'm hoping to have my CEUDF.au3 out pretty soon here. Should be a great way to completely control CE while it's not even visible to the user (I had to modify some functions, but the hide works now).

I'm not entirely sure why it will be better for the user to go through our screens and such instead of just using CheatEngine itself. But I guess we can make it as easy as possible for the user to get going on it without having to learn how to use CE >_<

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now
Sign in to follow this  
Followers 0