Solved How Cheat Engine ignores memory regions?


Adversities

Hi guys, I'm Adversities and I'm currently developing a nice library to make your own Cheat Tools (without Cheat Engine dependence).
On my GitHub there are the classes "Memory (by NopTech) and SigScan (by At0mos)" for AoB scanning (modified so you don't have to do AoBScan("00 ??", "x?", baseAddress, Size), you only do AoBScan("00 ??", baseAddress, size)), but currently I've developed a better way to scan memory from C#: I made a method based on the Boyer-Moore algorithm to get all the addresses matched from a region. You don't have to specify a base address and size; it does the scan like Cheat Engine does, faster and completely on all the regions of memory.

But I'm stuck... Why? Well, because Cheat Engine ignores memory regions. Yes, it sounds weird, but it's true and I don't know why it does that.
Let me give you an example: we want to find the addresses with the following value: 00 A0 BA 85 (Cheat Engine finds: 2k results) (my scan finds: 35k results [they're OK, I've checked them with the Memory Browser from CE, and they have the correct value]). Then what does that mean? It means that Cheat Engine ignores memory regions to make scans faster, but I don't know what it bases that on, so I don't want my scan to get 33k results more than Cheat Engine. That's not all, I'm just curious: why the fuck does Cheat Engine ignore regions? If someone can help me understand this in depth I'd be really grateful.
 

Broihon

Cheat Engine skips certain regions depending on the scanner settings:
Default settings:


This means Cheat Engine only scans regions which are writeable (PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY | PAGE_READWRITE | PAGE_WRITECOPY).
Read/execute regions are ignored.

The second option is the byte alignment. Depending on what datatype you're scanning for it != 1. That means it skips every nth address.
Redo your Cheat Engine scan with settings like this:

This will give you ALL results. If your function gives you even more results then your function must contain an error.

Edit: The CopyOnWrite option is useless and irrelevant in 99.99999% of all cases. I just included it for the sake of completeness.
 

Adversities

Thank you for the answer bro :)
I've the following flags:

PROCESS_TERMINATE = (0x0001),
PROCESS_CREATE_THREAD = (0x0002),
PROCESS_SET_SESSIONID = (0x0004),
PROCESS_VM_OPERATION = (0x0008),
PROCESS_VM_READ = (0x0010),
PROCESS_VM_WRITE = (0x0020),
PROCESS_DUP_HANDLE = (0x0040),
PROCESS_CREATE_PROCESS = (0x0080),
PROCESS_SET_QUOTA = (0x0100),
PROCESS_SET_INFORMATION = (0x0200),
PROCESS_QUERY_INFORMATION = (0x0400)

I don't see Page_Execute_ReadWrite/WriteCopy | Page_ReadWrite/WriteCopy on my list, where can I find a complete list of these access types?
 

Broihon

Those flags are used when you want to create a handle to the process using (Nt)OpenProcess. For hacking purposes we mostly use PROCESS_ALL_ACCESS which combines all these flags.
The flags I posted are memory protection constants: https://msdn.microsoft.com/en-us/library/windows/desktop/aa366786(v=vs.85).aspx
If a memory region is protected by the PAGE_EXECUTE_READ flag, internally writing to it will cause an exception and (Zw)WriteProcessMemory will fail. But if you use VirtualProtect(Ex) to change the protection state to something writeable like PAGE_EXECUTE_READWRITE before writing to the page, it's possible to write to it.
 

Adversities

Yup, sorry, I was confused, and yes, I'm using VirtualQueryEx. I'm using a well-known method from codeproject.net because I don't understand exactly what it does

C#:
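// Walks the target's address space with VirtualQueryEx and collects candidate regions.
private void MemInfo(IntPtr pHandle)
{
    IntPtr Addy = IntPtr.Zero;
    while (true)
    {
        MEMORY_BASIC_INFORMATION memInfo = new MEMORY_BASIC_INFORMATION();
        // VirtualQueryEx returns 0 once the address is past the last queryable region.
        int MemDump = VirtualQueryEx(pHandle, Addy, out memInfo, Marshal.SizeOf(memInfo));
        if (MemDump == 0) break;
        // Keep committed regions (MEM_COMMIT = 0x1000) that are not guard pages (PAGE_GUARD = 0x100).
        if ((memInfo.State & 0x1000) != 0 && (memInfo.Protect & 0x100) == 0)
            MemoryRegion.Add(memInfo);
        // 64-bit arithmetic: ToInt32() throws for addresses above 2 GB in a 64-bit process.
        long next = memInfo.BaseAddress.ToInt64() + (long)memInfo.RegionSize;
        Addy = IntPtr.Size == 8 ? new IntPtr(next) : new IntPtr(unchecked((int)next));
    }
}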
I was looking for a way to modify this and get only the writable memory regions and also to skip mem_mapped regions.
Do you know how I can do that? And man, thanks a lot for your help :)
 

Broihon

I'm no C# guy but so far it looks pretty good. To only get the writable regions you should check for these four protection flags:
PAGE_READWRITE = 0x04
PAGE_WRITECOPY = 0x08
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
When you combine these with the logical or operator you get 0xCC.

The first part of your check is correct. 0x1000 is the value of MEM_COMMIT. There's no need to check non-committed pages.
I'd just do: if(memInfo.State & 0x1000 && memInfo.Protect & 0xCC)
This should give you only writeable pages.

Edit: If you don't want to include memory pages with the MEM_MAPPED (0x40000) state just exclude it like this:
if(memInfo.State & 0x1000 && !(memInfo.Type & 0x40000) && memInfo.Protect & 0xCC)
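
The effect of the scanner settings discussed in this thread (writable-only regions, skipping mapped regions, and alignment) on the number of hits, shown on constructed data as an added example that is not part of the original posts. `region_t`, `region_wanted` and `count_hits` are hypothetical names, and the Win32 constants are redefined with their documented values so the code builds without `<windows.h>`.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Documented Win32 constants, redefined so this builds without <windows.h>. */
#define MEM_COMMIT        0x1000u
#define MEM_PRIVATE       0x20000u
#define MEM_MAPPED        0x40000u
#define MEM_IMAGE         0x1000000u
#define PAGE_READWRITE    0x04u
#define PAGE_EXECUTE_READ 0x20u
#define PAGE_GUARD        0x100u
#define WRITABLE_MASK     0xCCu /* the four writable protections OR-ed together */
/* Hypothetical stand-in for MEMORY_BASIC_INFORMATION plus a snapshot of the bytes. */
typedef struct { uint32_t state, protect, type; const uint8_t *data; size_t size; } region_t;

/* Region filter: committed, not a guard page, optionally writable and not mapped. */
static int region_wanted(const region_t *r, int writable_only, int skip_mapped) {
    if (!(r->state & MEM_COMMIT) || (r->protect & PAGE_GUARD)) return 0;
    if (writable_only && !(r->protect & WRITABLE_MASK)) return 0;
    if (skip_mapped && (r->type & MEM_MAPPED)) return 0; /* MEM_MAPPED is reported in Type */
    return 1;
}

/* Counts hits at offsets that are multiples of `align` (region bases are page-aligned). */
size_t count_hits(const region_t *regs, size_t n, const uint8_t *pat, size_t len,
                  int writable_only, int skip_mapped, size_t align) {
    size_t hits = 0;
    if (align == 0) align = 1;
    for (size_t i = 0; i < n; i++) {
        if (!region_wanted(&regs[i], writable_only, skip_mapped)) continue;
        for (size_t off = 0; off + len <= regs[i].size; off += align)
            if (memcmp(regs[i].data + off, pat, len) == 0) hits++;
    }
    return hits;
}

/* Constructed sample data: the thread's value at aligned and unaligned offsets. */
const uint8_t PAT[4] = {0x00, 0xA0, 0xBA, 0x85};
const uint8_t HEAP[16] = {0x00,0xA0,0xBA,0x85, 0xFF,0x00,0xA0,0xBA, 0x85,0,0,0, 0x00,0xA0,0xBA,0x85};
const uint8_t CODE[8] = {0x00,0xA0,0xBA,0x85, 0x90,0x90,0x90,0x90};
const uint8_t VIEW[8] = {0x90,0x90,0x90,0x90, 0x00,0xA0,0xBA,0x85};
const region_t REGIONS[3] = {
    {MEM_COMMIT, PAGE_READWRITE,    MEM_PRIVATE, HEAP, sizeof HEAP},
    {MEM_COMMIT, PAGE_EXECUTE_READ, MEM_IMAGE,   CODE, sizeof CODE},
    {MEM_COMMIT, PAGE_READWRITE,    MEM_MAPPED,  VIEW, sizeof VIEW},
};
int main(void) {
    printf("all regions, align 1: %zu\n", count_hits(REGIONS, 3, PAT, 4, 0, 0, 1));
    printf("writable, unmapped, align 4: %zu\n", count_hits(REGIONS, 3, PAT, 4, 1, 1, 4));
    return 0;
}
```

Each restriction removes hits that a byte-by-byte scan over every committed region still reports, which is the kind of gap the thread describes between the two result counts.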
 

Adversities

Happy to have your support man, again thanks a lot <3 gonna try this after cleaning my room (it's a mess rn). Btw do you have Discord or Skype?
 

Broihon

Glad it's working fine now :FeelsGoodMan: I indeed have Skype but mostly for private reasons. I'm looking forward to getting Discord at some point or when I'm not too lazy :4head:
And wildcards are probably the easiest part.
 