Basic Memory Scanning - Like Cheat Engine

Post by epidemicz »

Very quick, very dirty test proof of how to scan a program's memory for values à la Cheat Engine.

This code is based off some info found in this thread.

How to Test?
-------------------
-Open a blank notepad.
-Check Unicode Exe in compile options.
-Type random text in notepad.
-Change findString.
-Press F5.

Testing against Cheat Engine's results gives 100% exact matches.

There's not many comments, but there's not really much to say either. VirtualQueryEx gives valid memory blocks, ReadProcessMemory grabs the data in the blocks and we loop through to see if we have a match.

Code:

;Epidemicz - 12/30/2010 PB 4.51 x86
;====================================
;Basic Memory Scanner Test Proof
;====================================
;Compile in unicode to test on notepad

;Find Window
HWND = FindWindow_(NULL, "Untitled - Notepad")

;Get ProcessID
GetWindowThreadProcessId_(HWND, @pid)

address=0
maxAddress=$7FFFFFFF

; findNumber=0  - uncomment to use with number method
findString$="LOL123LOL456"
len=Len(findString$)

;Opens Process With full access
hProcess = OpenProcess_(#PROCESS_ALL_ACCESS, #False, pid)
If hProcess = 0
  Debug "OpenProcess failed"
  End
EndIf

;bytes covered by one candidate match (2 bytes per character in a unicode exe)
;set byteLen=4 when using the number method
byteLen = len * SizeOf(Character)

Repeat
  result=VirtualQueryEx_(hProcess, address, @mbi.MEMORY_BASIC_INFORMATION, SizeOf(MEMORY_BASIC_INFORMATION))
  ;PAGE_GUARD is a modifier bit combined with another protection value, so it is tested with a mask
  If result And mbi\State = #MEM_COMMIT And mbi\Protect <> #PAGE_READONLY And mbi\Protect <> #PAGE_EXECUTE_READ And (mbi\Protect & #PAGE_GUARD) = 0 And mbi\Protect <> #PAGE_NOACCESS
    sBuffer=AllocateMemory(mbi\RegionSize)
    If sBuffer
      res=ReadProcessMemory_(hProcess, address, sBuffer, mbi\RegionSize, @written)
      If res And written >= byteLen
        ;stop byteLen bytes before the end so the peek never reads past the buffer
        For x = 0 To written - byteLen
          ;string method - use to find text
          ;================
           tmp$=PeekS(sBuffer+x, len) ;string length ! important
           If FindString(tmp$, findString$, 1)
             Debug "FOUND MATCH - " + Hex(mbi\BaseAddress+x) + "=" + tmp$
           EndIf

          ;number method - use to find number value
          ;==============
;           tmp=PeekL(sBuffer+x)
;           If tmp=findNumber
;             Debug "FOUND MATCH - " + Hex(mbi\BaseAddress + x) + "=" + Str(tmp)
;           EndIf
        Next
      EndIf
      FreeMemory(sBuffer)
    EndIf
  EndIf
  address=mbi\BaseAddress+mbi\RegionSize
Until  address >= maxAddress Or result=0

;release the process handle before exiting
CloseHandle_(hProcess)
End

Re: Basic Memory Scanning - Like Cheat Engine

Post by Nituvious »

That's really neat! Thanks for sharing!

Re: Basic Memory Scanning - Like Cheat Engine

Post by Rook Zimbabwe »

I love it!!! With a little work this can be better than Cheat-O-Matic!!! :mrgreen:
Binarily speaking... it takes 10 to Tango!!!

http://www.bluemesapc.com/

Re: Basic Memory Scanning - Like Cheat Engine

Post by SFSxOI »

Great job, thank you :)

BTW, is the memory location returned with or without any memory offset?
The advantage of a 64 bit operating system over a 32 bit operating system comes down to only being twice the headache.

Re: Basic Memory Scanning - Like Cheat Engine

Post by epidemicz »

mbi\BaseAddress should give you the chunk where the memory is, x should be the offset from that point. I think that's what you're asking.

Re: Basic Memory Scanning - Like Cheat Engine

Post by DarkDragon »

Doesn't work here (Windows 7 x64, German "Unbenannt - Editor" instead of "Untitled - Notepad" and windowhandle is valid, but it doesn't find the string), result is 0 but hProcess is not 0.
bye,
Daniel

Re: Basic Memory Scanning - Like Cheat Engine

Post by Thorium »

DarkDragon wrote: Doesn't work here (Windows 7 x64, German "Unbenannt - Editor" instead of "Untitled - Notepad" and windowhandle is valid, but it doesn't find the string), result is 0 but hProcess is not 0.
Maybe because access rights are not set correctly. On Vista and 7 you might need PROCESS_QUERY_LIMITED_INFORMATION set to query memory information. This flag is not supported on XP, so PROCESS_ALL_ACCESS is different for XP and 7.

Re: Basic Memory Scanning - Like Cheat Engine

Post by Thorium »

Just tried it and it takes ages.
Using PeekS and FindString is way too slow.

Re: Basic Memory Scanning - Like Cheat Engine

Post by epidemicz »

If it doesn't work or retrieve instantly, something isn't right. I have to have unicode checked on compile options, make sure that is on.

Also, debug mode slows it down a bit but it should still be instant on Notepad; it is for me at least. Try Calculator: the val is a string on XP and a num on Win 7.

Re: Basic Memory Scanning - Like Cheat Engine

Post by SFSxOI »

Works great here, fast. Windows 7 Ultimate, x86. Are you guys compiling it in unicode?

Re: Basic Memory Scanning - Like Cheat Engine

Post by SFSxOI »

epidemicz wrote: mbi\BaseAddress should give you the chunk where the memory is, x should be the offset from that point. I think that's what you're asking.
Yes, that's it. Thank You

Re: Basic Memory Scanning - Like Cheat Engine

Post by epidemicz »

SFSxOI:
Awesome, glad to hear it's working for you.

All:

I'm working on a full scale app based off this snippet, so I'll see about releasing that to you guys soon. I wanna see if the CheatEngine guy will give me any probs for copying his UI.

Re: Basic Memory Scanning - Like Cheat Engine

Post by Thorium »

epidemicz wrote: I'm working on a full scale app based off this snippet, so I'll see about releasing that to you guys soon. I wanna see if the CheatEngine guy will give me any probs for copying his UI.
Do you use this string search method, or have you coded a faster one?
If not, I can make you a way faster one, if you want.

Re: Basic Memory Scanning - Like Cheat Engine

Post by epidemicz »

Thorium wrote:
epidemicz wrote: I'm working on a full scale app based off this snippet, so I'll see about releasing that to you guys soon. I wanna see if the CheatEngine guy will give me any probs for copying his UI.
Do you use this string search method, or have you coded a faster one?
If not, I can make you a way faster one, if you want.
It's quick and dirty right now, I just used this method. So, I certainly would be grateful for any code contributions.

Re: Basic Memory Scanning - Like Cheat Engine

Post by Thorium »

Ok,
I did a quick faster one:

Code:

          ;CompareMemoryString returns 0 when both strings are equal
          If CompareMemoryString(sBuffer + x, @findString$, #PB_Default, len) = 0
             Debug "FOUND MATCH - " + Hex(mbi\BaseAddress+x) + "=" + PeekS(sBuffer + x, len)
          EndIf
Just replace the string search part with this.

However it does not find anything and I don't know why yet. It also does not find anything with your procedure.
But I know why it took endlessly long on my computer. It actually was in an endless loop because I executed it as x86 on an x64 system. The addresses are all quads on x64, so the code only used the lower dword of it. It should work on x64 if you remove the check for the max address. Because max address is much too low for x64.

But it does not find anything. Must take a better look tomorrow.
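
The scan loop from the first post and the direct memory comparison suggested in the last one share the same core, shown here as an added C example that is not code from the thread: filter a region by its state and protection, encode the search string as UTF-16LE, and compare raw bytes at every offset without reading past the buffer. The function names and the 64-byte sample region are constructed for illustration, and no Win32 call is made; the buffer stands in for what ReadProcessMemory fills.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Win32 constants (winnt.h), repeated so the example builds anywhere. */
#define MEM_COMMIT        0x1000u
#define PAGE_NOACCESS     0x01u
#define PAGE_READONLY     0x02u
#define PAGE_EXECUTE_READ 0x20u
#define PAGE_GUARD        0x100u

/* The thread's region filter. PAGE_GUARD is a modifier bit OR-ed onto a
   base protection, so it is tested with a mask instead of "!=". */
int region_is_scannable(uint32_t state, uint32_t protect) {
    uint32_t base = protect & 0xFFu;   /* base protection without modifiers */
    if (state != MEM_COMMIT || (protect & PAGE_GUARD)) return 0;
    return base != PAGE_NOACCESS && base != PAGE_READONLY &&
           base != PAGE_EXECUTE_READ;
}

/* ASCII needle to UTF-16LE; returns length in bytes, 0 if it does not fit. */
size_t utf16le_from_ascii(const char *s, uint8_t *out, size_t cap) {
    size_t n = strlen(s);
    if (n * 2 > cap) return 0;
    for (size_t i = 0; i < n; i++) { out[2 * i] = (uint8_t)s[i]; out[2 * i + 1] = 0; }
    return n * 2;
}

/* Compare raw bytes at every offset; the last start offset is n - m, so no
   read passes the buffer end. Stores up to max_hits offsets, returns count. */
size_t scan_region(const uint8_t *buf, size_t n, const uint8_t *needle,
                   size_t m, size_t *hits, size_t max_hits) {
    size_t found = 0;
    if (m == 0 || n < m) return 0;
    for (size_t x = 0; x + m <= n; x++) {
        if (memcmp(buf + x, needle, m) != 0) continue;
        if (found < max_hits) hits[found] = x;
        found++;
    }
    return found;
}

/* Constructed sample: the thread's test string at offset 10 and at the end. */
size_t demo(size_t *hits) {
    uint8_t region[64] = {0}, needle[32];
    size_t m = utf16le_from_ascii("LOL123LOL456", needle, sizeof needle);
    memcpy(region + 10, needle, m);
    memcpy(region + sizeof region - m, needle, m);
    return scan_region(region, sizeof region, needle, m, hits, 2);
}
```

In a real scanner the offset returned for each hit is added to the region's BaseAddress, as the thread's Debug line does.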