Basic Memory Scanning - Like Cheat Engine

Posted: Thu Dec 30, 2010 5:51 pm
by epidemicz
Very quick, very dirty test proof of how to scan a program's memory for values, à la Cheat Engine.

This code is based off some info found in this thread.

How to Test?
-------------------
-Open a blank notepad.
-Check Unicode Exe in compile options.
-Type random text in notepad.
-Change findString.
-Press F5.

Testing against Cheat Engine's results gives 100% exact matches.

There aren't many comments, but there's not really much to say either. VirtualQueryEx gives valid memory blocks, ReadProcessMemory grabs the data in the blocks, and we loop through to see if we have a match.

Code:

;Epidemicz - 12/30/2010 PB 4.51 x86
;====================================
;Basic Memory Scanner Test Proof
;====================================
;Compile in unicode to test on notepad.
;Use the x64 compiler to scan 64-bit processes: a 32-bit build cannot hold
;their addresses and the walk never reaches the end of the address space.

;Find Window
hWnd = FindWindow_(0, "Untitled - Notepad")
If hWnd = 0
  Debug "Notepad window not found"
  End
EndIf

;Get ProcessID
GetWindowThreadProcessId_(hWnd, @pid)

;Walk from 0 up to the highest user-mode address the OS reports
;(hard-coding $7FFFFFFF is wrong on x64 and on /3GB systems)
GetSystemInfo_(@si.SYSTEM_INFO)
address=0
maxAddress=si\lpMaximumApplicationAddress

; findNumber=0  - uncomment to use with number method
findString$="LOL123LOL456"
len=Len(findString$)             ;length in characters
matchBytes=len*SizeOf(Character) ;bytes one match occupies (2 per character in unicode)
; matchBytes=SizeOf(Long)        ;use this bound instead for the number method

;Open the process with only the rights a scanner needs (query + read).
;#PROCESS_ALL_ACCESS is not required and is refused for processes you may only read.
hProcess = OpenProcess_(#PROCESS_QUERY_INFORMATION | #PROCESS_VM_READ, #False, pid)
If hProcess = 0
  Debug "OpenProcess failed"
  End
EndIf

Repeat
  result=VirtualQueryEx_(hProcess, address, @mbi.MEMORY_BASIC_INFORMATION, SizeOf(MEMORY_BASIC_INFORMATION))
  If result = 0
    Break ;no more regions (or the address is above the user-mode range)
  EndIf
  ;#PAGE_GUARD is a flag OR-ed onto the base protection, so it must be masked, not compared with <>
  If mbi\State = #MEM_COMMIT And (mbi\Protect & #PAGE_GUARD) = 0 And mbi\Protect <> #PAGE_NOACCESS And mbi\Protect <> #PAGE_READONLY And mbi\Protect <> #PAGE_EXECUTE_READ
    sBuffer=AllocateMemory(mbi\RegionSize)
    If sBuffer
      res=ReadProcessMemory_(hProcess, mbi\BaseAddress, sBuffer, mbi\RegionSize, @written)
      If res And written >= matchBytes
        ;stop matchBytes before the end so PeekS/PeekL never read past the buffer
        For x = 0 To written - matchBytes
            ;string method - use to find text
            ;================
             tmp$=PeekS(sBuffer+x, len) ;string length ! important
             If FindString(tmp$, findString$, 1)
               Debug "FOUND MATCH - " + Hex(mbi\BaseAddress+x) + "=" + tmp$
             EndIf
             
            ;number method - use to find number value
            ;==============
;           tmp=PeekL(sBuffer+x)
;           If tmp=findNumber
;             Debug "FOUND MATCH - " + Hex(mbi\BaseAddress + x) + "=" + Str(tmp)
;           EndIf
        Next
      EndIf
      FreeMemory(sBuffer)
    EndIf
  EndIf
  address=mbi\BaseAddress+mbi\RegionSize
Until address >= maxAddress
CloseHandle_(hProcess)
End
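The same VirtualQueryEx / ReadProcessMemory walk, written in Python with ctypes as an added example (this is not code from the original post or any reply in the thread). It shows the points a practitioner would want to get right in a scanner of this kind: the region filter tests PAGE_GUARD as the flag bit it is, the process is opened with query and read rights only, the walk ends when VirtualQueryEx fails instead of at a hard-coded maximum address, and the buffer is searched with bytes.find instead of building a string at every offset. The filter and search are plain functions so they can be exercised on any OS; only scan_process needs Windows. The function names (is_scannable, find_in_buffer, scan_process, encode_string, encode_number) and the sample buffers are mine; the numeric constants are the standard Win32 values. Note that a 32-bit Python cannot scan a 64-bit target, for the same reason a 32-bit PureBasic build cannot.

```python
"""Memory scanner in the spirit of the PureBasic snippet above, using ctypes.

Walk the target's address space with VirtualQueryEx, read every committed,
writable, non-guard region with ReadProcessMemory, and search each buffer.
Only scan_process() touches Win32; everything else runs anywhere.
"""
import ctypes
import struct
import sys

# Win32 constants (winnt.h / memoryapi.h)
MEM_COMMIT = 0x1000
PAGE_NOACCESS = 0x01
PAGE_READWRITE = 0x04
PAGE_WRITECOPY = 0x08
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
PAGE_GUARD = 0x100                      # modifier bit, OR-ed onto a base protection
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400

WRITABLE = {PAGE_READWRITE, PAGE_WRITECOPY, PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY}


def is_scannable(state, protect):
    """Same policy as the original filter (committed, writable, not guard/noaccess),
    but PAGE_GUARD is masked rather than compared with != so PAGE_GUARD|PAGE_READWRITE is rejected."""
    if state != MEM_COMMIT:
        return False
    if protect & PAGE_GUARD:
        return False
    base = protect & 0xFF               # strip GUARD / NOCACHE / WRITECOMBINE modifier bits
    return base in WRITABLE


def encode_string(text, unicode=True):
    """Bytes a string occupies in the target: UTF-16LE for a Unicode process (Notepad), else 8-bit."""
    return text.encode("utf-16-le") if unicode else text.encode("latin-1")


def encode_number(value, width=4, signed=True):
    """Little-endian encoding of an integer, the 'number method' of the original."""
    fmt = {1: "b", 2: "h", 4: "i", 8: "q"}[width]
    return struct.pack("<" + (fmt if signed else fmt.upper()), value)


def find_in_buffer(buf, needle, base_address=0, step=1):
    """Absolute addresses of every occurrence of needle in buf; step enforces alignment
    (2 for UTF-16 text, 4 for a 32-bit integer). Overlapping hits are reported."""
    hits = []
    i = buf.find(needle)
    while i != -1:
        if i % step == 0:
            hits.append(base_address + i)
        i = buf.find(needle, i + 1)
    return hits


class MEMORY_BASIC_INFORMATION(ctypes.Structure):
    _fields_ = [("BaseAddress", ctypes.c_void_p),
                ("AllocationBase", ctypes.c_void_p),
                ("AllocationProtect", ctypes.c_ulong),
                ("RegionSize", ctypes.c_size_t),
                ("State", ctypes.c_ulong),
                ("Protect", ctypes.c_ulong),
                ("Type", ctypes.c_ulong)]


def scan_process(pid, needle, step=1):
    """Windows only. Returns the addresses in process `pid` whose bytes equal `needle`."""
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.OpenProcess.restype = ctypes.c_void_p
    k32.OpenProcess.argtypes = [ctypes.c_ulong, ctypes.c_int, ctypes.c_ulong]
    k32.VirtualQueryEx.restype = ctypes.c_size_t
    k32.VirtualQueryEx.argtypes = [ctypes.c_void_p, ctypes.c_void_p,
                                   ctypes.POINTER(MEMORY_BASIC_INFORMATION), ctypes.c_size_t]
    k32.ReadProcessMemory.restype = ctypes.c_int
    k32.ReadProcessMemory.argtypes = [ctypes.c_void_p, ctypes.c_void_p, ctypes.c_void_p,
                                      ctypes.c_size_t, ctypes.POINTER(ctypes.c_size_t)]
    k32.CloseHandle.argtypes = [ctypes.c_void_p]

    # Least privilege: a scanner needs to query and read, not PROCESS_ALL_ACCESS.
    handle = k32.OpenProcess(PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, False, pid)
    if not handle:
        raise ctypes.WinError(ctypes.get_last_error())
    hits, mbi, addr = [], MEMORY_BASIC_INFORMATION(), 0
    try:
        # VirtualQueryEx fails once addr passes the top of user space, which ends the walk;
        # no hard-coded maximum address is needed on x86 or x64.
        while k32.VirtualQueryEx(handle, addr, ctypes.byref(mbi), ctypes.sizeof(mbi)):
            base = mbi.BaseAddress or 0
            if is_scannable(mbi.State, mbi.Protect):
                buf = ctypes.create_string_buffer(mbi.RegionSize)
                got = ctypes.c_size_t(0)
                if k32.ReadProcessMemory(handle, base, buf, mbi.RegionSize, ctypes.byref(got)):
                    hits.extend(find_in_buffer(buf.raw[:got.value], needle, base, step))
            addr = base + mbi.RegionSize
    finally:
        k32.CloseHandle(handle)
    return hits


if __name__ == "__main__":
    # Usage on Windows: python scan.py <pid> <text>   (step=2 keeps UTF-16 hits char-aligned)
    if sys.platform != "win32" or len(sys.argv) != 3:
        sys.exit("usage (Windows only): scan.py <pid> <text>")
    for address in scan_process(int(sys.argv[1]), encode_string(sys.argv[2]), step=2):
        print(hex(address))
```

Run it against Notepad's PID with the text you typed and you get the same addresses the PureBasic version prints; for the number method pass encode_number(value) and step=4.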

Re: Basic Memory Scanning - Like Cheat Engine

Posted: Thu Dec 30, 2010 7:12 pm
by Nituvious
That's really neat! Thanks for sharing!

Re: Basic Memory Scanning - Like Cheat Engine

Posted: Thu Dec 30, 2010 9:10 pm
by Rook Zimbabwe
I love it!!! With a little work this can be better than Cheat-O-Matic!!! :mrgreen:

Re: Basic Memory Scanning - Like Cheat Engine

Posted: Sat Jan 08, 2011 3:21 pm
by SFSxOI
Great job, thank you :)

BTW, is the memory location returned with or without any memory offset?

Re: Basic Memory Scanning - Like Cheat Engine

Posted: Sat Jan 08, 2011 7:20 pm
by epidemicz
mbi\BaseAddress should give you the chunk where the memory is, and x should be the offset from that point. I think that's what you're asking.

Re: Basic Memory Scanning - Like Cheat Engine

Posted: Sat Jan 08, 2011 7:38 pm
by DarkDragon
Doesn't work here (Windows 7 x64, German "Unbenannt - Editor" instead of "Untitled - Notepad" and windowhandle is valid, but it doesn't find the string), result is 0 but hProcess is not 0.

Re: Basic Memory Scanning - Like Cheat Engine

Posted: Sat Jan 08, 2011 7:49 pm
by Thorium
DarkDragon wrote:Doesn't work here (Windows 7 x64, German "Unbenannt - Editor" instead of "Untitled - Notepad" and windowhandle is valid, but it doesn't find the string), result is 0 but hProcess is not 0.
Maybe because access rights are not set correctly. On Vista and 7 you might need PROCESS_QUERY_LIMITED_INFORMATION set to query memory information. This flag is not supported on XP, so PROCESS_ALL_ACCESS is different for XP and 7.

Re: Basic Memory Scanning - Like Cheat Engine

Posted: Sat Jan 08, 2011 7:53 pm
by Thorium
Just tried it and it takes ages.
Using PeekS and FindString is way too slow.

Re: Basic Memory Scanning - Like Cheat Engine

Posted: Sat Jan 08, 2011 8:01 pm
by epidemicz
If it doesn't work or retrieve instantly, something isn't right. I have to have Unicode checked in the compile options; make sure that is on.

Also, debug mode slows it down a bit, but it should still be instant on Notepad; it is for me at least. Try Calculator: the value is stored as a string on XP and as a number on Win 7.

Re: Basic Memory Scanning - Like Cheat Engine

Posted: Sat Jan 08, 2011 11:50 pm
by SFSxOI
Works great here, fast. Windows 7 Ultimate, x86. Are you guys compiling it in Unicode?

Re: Basic Memory Scanning - Like Cheat Engine

Posted: Sat Jan 08, 2011 11:52 pm
by SFSxOI
epidemicz wrote:mbi\BaseAddress should give you the chunk where the memory is, and x should be the offset from that point. I think that's what you're asking.
Yes, thats it. Thank You

Re: Basic Memory Scanning - Like Cheat Engine

Posted: Sat Jan 08, 2011 11:56 pm
by epidemicz
SFSxOI:
Awesome, glad to hear it's working for you.

All:

I'm working on a full-scale app based off this snippet, so I'll see about releasing that to you guys soon. I want to see if the Cheat Engine guy will give me any problems for copying his UI.

Re: Basic Memory Scanning - Like Cheat Engine

Posted: Sun Jan 09, 2011 12:14 am
by Thorium
epidemicz wrote: I'm working on a full-scale app based off this snippet, so I'll see about releasing that to you guys soon. I want to see if the Cheat Engine guy will give me any problems for copying his UI.
Do you use this string search method, or did you code a faster one?
If not, I can make you a way faster one, if you want.

Re: Basic Memory Scanning - Like Cheat Engine

Posted: Sun Jan 09, 2011 12:19 am
by epidemicz
Thorium wrote:
epidemicz wrote: I'm working on a full-scale app based off this snippet, so I'll see about releasing that to you guys soon. I want to see if the Cheat Engine guy will give me any problems for copying his UI.
Do you use this string search method, or did you code a faster one?
If not, I can make you a way faster one, if you want.
It's quick and dirty right now; I just used this method. So I certainly would be grateful for any code contributions.

Re: Basic Memory Scanning - Like Cheat Engine

Posted: Sun Jan 09, 2011 1:34 am
by Thorium
Ok,
I did a quick faster one:

Code:

          ;CompareMemoryString returns #PB_String_Equal (0) on a match, so the result
          ;has to be tested explicitly; a bare If would fire on every non-match instead.
          If CompareMemoryString(sBuffer + x, @findString$, #PB_String_CaseSensitive, len) = #PB_String_Equal
             Debug "FOUND MATCH - " + Hex(mbi\BaseAddress+x) + "=" + PeekS(sBuffer + x, len)
          EndIf
Just replace the string search part with this.

However, it does not find anything and I don't know why yet. It also does not find anything with your procedure.
But I know why it took endlessly long on my computer. It actually was in an endless loop because I executed it as x86 on an x64 system. The addresses are all quads on x64, so the code only used the lower dword of them. It should work on x64 if you remove the check for the max address, because the max address is much too low for x64.

But it does not find anything. Must take a better look tomorrow.