Discuss Valid vs Invalid memory?


HexMurder

Ok, I actually have a few different topics that I would like to understand here.
So I am hacking a game on an emulator (pcsx2 to be specific). I found an address for my player's location, and created a pattern for it. The address generally resides at 0x21AXXXXX.

The method of pattern scanning uses a module's base address. BUT the problem is that I can't find a module in which this address exists. Cheat Engine never gives me a module name for it. I dumped the name and base address for every module in pcsx2 and nothing was close to 0x20000000.
As you can see here, Cheat Engine declares the memory before 0x20000000 as invalid or non-existent.


But if I read the address at 0x1FFFFFF0 I would simply get 0. So how does Cheat Engine know that this memory isn't valid? And how does it recognize that there is valid memory at 0x20000000 if there are no modules within that range?


I made a pattern scanning function that scans a range of memory instead of a module. So if I scan 0x20000000 for 0x5000000 bytes I will indeed find my pattern. But if I start anywhere in that "invalid" memory range as seen in the Cheat Engine picture it won't find any results. I can literally start at 0x1FFFFFFC (only 4 bytes away from the 0x20000000 that works fine) and it will fail to find the pattern. I am assuming it is because it is starting in an invalid memory range.


I know there are multiple questions in one, and I have a few more. But I would like to start with these.
 

Broihon

VirtualQueryEx (or internal VirtualQuery) is the function you're looking for. The member "State" of the returned MEMORY_BASIC_INFORMATION structure will tell you if the memory is committed ("valid").
In your pattern scanning function you should just skip pages which aren't committed.
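The approach in the reply above, written out as an added example (this is not code from the thread or from pcsx2): a pattern scanner that walks the address space with VirtualQueryEx and only searches regions whose State is MEM_COMMIT and whose protection allows reading. Free or reserved regions are skipped rather than aborting the scan, which is why a scan starting at 0x1FFFFFFC still reaches the pattern at 0x20000000. The Windows-specific part is isolated under `_WIN32`; all names (`Region`, `scanRegions`, `demoScan`, the 0x20000000 sample region and its bytes) are assumptions made for this example.

```cpp
// Added example: committed-page-aware pattern scan. Matching logic is platform
// neutral so it can be exercised with a constructed buffer; the VirtualQueryEx /
// ReadProcessMemory part only builds on Windows.
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <functional>
#include <sstream>
#include <string>
#include <vector>
#ifdef _WIN32
#include <windows.h>
#endif

// One region as reported by VirtualQueryEx (or constructed for a test).
struct Region {
    uintptr_t base;
    size_t size;
    bool committed;   // MEMORY_BASIC_INFORMATION::State == MEM_COMMIT
    bool readable;    // Protect is neither PAGE_NOACCESS nor PAGE_GUARD
};

struct PatternByte { uint8_t value; bool wildcard; };

// Parse "8B 45 ? 89" style text; "?" or "??" is a wildcard byte.
std::vector<PatternByte> parsePattern(const std::string& text) {
    std::vector<PatternByte> out;
    std::istringstream in(text);
    std::string tok;
    while (in >> tok) {
        if (tok == "?" || tok == "??") out.push_back({0, true});
        else out.push_back({static_cast<uint8_t>(std::stoul(tok, nullptr, 16)), false});
    }
    return out;
}

// Offset of the first match inside buf, written to `off`; false if none.
bool findInBuffer(const uint8_t* buf, size_t len, const std::vector<PatternByte>& pat, size_t& off) {
    if (pat.empty() || len < pat.size()) return false;
    for (size_t i = 0; i + pat.size() <= len; ++i) {
        size_t j = 0;
        for (; j < pat.size(); ++j)
            if (!pat[j].wildcard && buf[i + j] != pat[j].value) break;
        if (j == pat.size()) { off = i; return true; }
    }
    return false;
}

// Reader: copy `size` bytes at `addr` into `out`, false on failure.
using Reader = std::function<bool(uintptr_t addr, size_t size, std::vector<uint8_t>& out)>;

// Scan the committed, readable parts of [lo, hi). Returns the match address or 0.
uintptr_t scanRegions(const std::vector<Region>& regions, uintptr_t lo, uintptr_t hi,
                      const Reader& read, const std::vector<PatternByte>& pat) {
    std::vector<uint8_t> buf;
    for (const Region& r : regions) {
        if (!r.committed || !r.readable) continue;          // the "invalid" pages
        uintptr_t start = r.base > lo ? r.base : lo;
        uintptr_t end = (r.base + r.size) < hi ? (r.base + r.size) : hi;
        if (start >= end) continue;
        if (!read(start, end - start, buf)) continue;       // e.g. ReadProcessMemory failed
        size_t off;
        if (findInBuffer(buf.data(), buf.size(), pat, off)) return start + off;
    }
    return 0;
}

#ifdef _WIN32
// Walk hProc's address space between lo and hi with VirtualQueryEx.
std::vector<Region> enumerateRegions(HANDLE hProc, uintptr_t lo, uintptr_t hi) {
    std::vector<Region> out;
    MEMORY_BASIC_INFORMATION mbi;
    uintptr_t addr = lo;
    while (addr < hi &&
           VirtualQueryEx(hProc, reinterpret_cast<LPCVOID>(addr), &mbi, sizeof(mbi)) == sizeof(mbi)) {
        bool committed = mbi.State == MEM_COMMIT;
        bool readable = !(mbi.Protect & PAGE_NOACCESS) && !(mbi.Protect & PAGE_GUARD);
        out.push_back({reinterpret_cast<uintptr_t>(mbi.BaseAddress), mbi.RegionSize, committed, readable});
        addr = reinterpret_cast<uintptr_t>(mbi.BaseAddress) + mbi.RegionSize;
    }
    return out;
}

Reader makeProcessReader(HANDLE hProc) {
    return [hProc](uintptr_t addr, size_t size, std::vector<uint8_t>& out) {
        out.resize(size);
        SIZE_T got = 0;
        if (!ReadProcessMemory(hProc, reinterpret_cast<LPCVOID>(addr), out.data(), size, &got)) return false;
        out.resize(got);
        return got > 0;
    };
}
#endif

// Constructed demo: a free region just below 0x20000000 and one committed region
// at 0x20000000 holding the pattern at offset 0x40. Returns the match address.
uintptr_t demoScan(uintptr_t scanStart) {
    static const uintptr_t kBase = 0x20000000;
    std::vector<uint8_t> fake(0x1000, 0x00);
    const uint8_t needle[] = {0x8B, 0x45, 0xFC, 0x89, 0x47, 0x10};
    std::memcpy(fake.data() + 0x40, needle, sizeof(needle));
    std::vector<Region> regions = {
        {0x1FFF0000, 0x10000, false, false},   // MEM_FREE: reads here would fail
        {kBase, fake.size(), true, true},       // MEM_COMMIT, readable
    };
    Reader read = [&](uintptr_t addr, size_t size, std::vector<uint8_t>& out) {
        if (addr < kBase || addr + size > kBase + fake.size()) return false;
        out.assign(fake.begin() + (addr - kBase), fake.begin() + (addr - kBase) + size);
        return true;
    };
    return scanRegions(regions, scanStart, kBase + 0x5000000, read, parsePattern("8B 45 ? 89 47 10"));
}

int main() {
    std::printf("match at 0x%llx\n", static_cast<unsigned long long>(demoScan(0x1FFFFFFC)));
    return 0;
}
```

On Windows the same `scanRegions` is fed `enumerateRegions(hProc, lo, hi)` and `makeProcessReader(hProc)`; the demo only swaps in a constructed region list and buffer so the skip-uncommitted logic can be checked without a target process.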
 

HexMurder

Thanks guys! But where is the memory being stored if not in a module?

Like I said in my OP, the address is usually located at 0x21AXXXXX (literal example being 0x21AC4000). But that isn't in range of any of the modules I have dumped. Here is the dump:
C++:
Base Address		Module Size		Module Name
F20000		        236B000		pcsx2.exe
77C40000		180000		ntdll.dll
76470000		110000		kernel32.dll
76330000		47000		KERNELBASE.dll
76590000		100000		USER32.dll
76690000		90000		GDI32.dll
760C0000		A000		LPK.dll
76230000		9D000		USP10.dll
75A90000		AC000		msvcrt.dll
76720000		A1000		ADVAPI32.dll
75A50000		19000		sechost.dll
76380000		F0000		RPCRT4.dll
754E0000		60000		SspiCli.dll
754D0000		C000		CRYPTBASE.dll
74AB0000		6C000		MSVCP140.dll
74A90000		14000		VCRUNTIME140.dll
74A80000		4000		api-ms-win-crt-runtime-l1-1-0.dll
74990000		E1000		ucrtbase.DLL
74980000		3000		api-ms-win-core-timezone-l1-1-0.dll
74970000		3000		api-ms-win-core-file-l2-1-0.dll
74960000		3000		api-ms-win-core-localization-l1-2-0.dll
72730000		3000		api-ms-win-core-synch-l1-2-0.dll
74950000		3000		api-ms-win-core-processthreads-l1-1-1.dll
74940000		3000		api-ms-win-core-file-l1-2-0.dll
74930000		4000		api-ms-win-crt-string-l1-1-0.dll
74920000		3000		api-ms-win-crt-heap-l1-1-0.dll
74910000		4000		api-ms-win-crt-stdio-l1-1-0.dll
74900000		4000		api-ms-win-crt-convert-l1-1-0.dll
748F0000		3000		api-ms-win-crt-locale-l1-1-0.dll
748E0000		5000		api-ms-win-crt-math-l1-1-0.dll
748D0000		5000		api-ms-win-crt-multibyte-l1-1-0.dll
748C0000		3000		api-ms-win-crt-time-l1-1-0.dll
748B0000		3000		api-ms-win-crt-filesystem-l1-1-0.dll
748A0000		3000		api-ms-win-crt-environment-l1-1-0.dll
74890000		3000		api-ms-win-crt-utility-l1-1-0.dll
722B0000		19E000		COMCTL32.dll
762D0000		57000		SHLWAPI.dll
72140000		32000		WINMM.dll
717E0000		51000		WINSPOOL.DRV
75540000		7B000		COMDLG32.dll
769F0000		C4C000		SHELL32.dll
755C0000		15D000		ole32.dll
76810000		91000		OLEAUT32.dll
776C0000		60000		IMM32.DLL
77750000		CD000		MSCTF.dll
72220000		80000		uxtheme.dll
77720000		B000		profapi.dll
72070000		13000		dwmapi.dll
61700000		94000		msftedit.DLL
72050000		17000		CRYPTSP.dll
73F80000		3B000		rsaenh.dll
73F60000		E000		RpcRtRemote.dll
75720000		83000		CLBCatQ.DLL
709B0000		131000		WindowsCodecs.dll
751E0000		4C000		apphelp.dll
61990000		2C7000		buShell.dll
71D00000		191000		gdiplus.dll
61D70000		E0000		ucrtbase.dll
63F10000		1E000		EFACli.dll
623C0000		50000		FileSyncShell.dll
61CE0000		85000		MSVCP110.dll
618B0000		D2000		MSVCR110.dll
61C60000		78000		Telemetry.dll
63A30000		1A000		LoggingPlatform.DLL
74DD0000		7000		WSOCK32.dll
767D0000		35000		WS2_32.dll
77830000		6000		NSI.dll
77820000		5000		PSAPI.DLL
75400000		9000		VERSION.dll
62510000		15000		Cabinet.dll
74200000		58000		WINHTTP.dll
741B0000		50000		webio.dll
61F00000		2F000		XmlLite.dll
75DB0000		2AB000		WININET.dll
75A10000		4000		api-ms-win-downlevel-user32-l1-1-0.dll
76220000		4000		api-ms-win-downlevel-shlwapi-l1-1-0.dll
769E0000		4000		api-ms-win-downlevel-version-l1-1-0.dll
77C10000		3000		api-ms-win-downlevel-normaliz-l1-1-0.dll
776B0000		3000		normaliz.DLL
75B40000		235000		iertutil.dll
77740000		5000		api-ms-win-downlevel-advapi32-l1-1-0.dll
77690000		17000		USERENV.dll
614B0000		1FA000		GROOVEEX.DLL
6D150000		246000		msi.dll
60A00000		883000		GrooveIntlResource.dll
62420000		31000		EhStorShell.dll
75870000		19D000		SETUPAPI.dll
75D80000		27000		CFGMGR32.dll
75A70000		12000		DEVOBJ.dll
74DF0000		F5000		PROPSYS.dll
62530000		70000		ntshrui.dll
73380000		19000		srvcli.dll
74490000		B000		cscapi.dll
70890000		A000		slc.dll
10000000		6AF000		gsdx32-avx.dll
6590000		        1F000		lilypad.dll
627B0000		30000		DINPUT8.dll
9540000		        650000		spu2-x.dll
5A4E0000		72000		DSOUND.dll
74B20000		25000		POWRPROF.dll
106B0000		9332000		cdvdGigaherz.dll
65B0000		        A000		USBnull.dll
66B0000		        A000		FWnull.dll
6810000		        1A000		DEV9null.dll
6CC20000		39000		MMDevAPI.DLL
63A50000		30000		wdmaud.drv
74030000		4000		ksuser.dll
74470000		7000		AVRT.dll
6CC60000		36000		AUDIOSES.DLL
68150000		8000		msacm32.drv
74830000		14000		MSACM32.dll
65A60000		7000		midimap.dll
6CD0000		        16000		xinput1_3.dll
6A4A0000		9000		HID.DLL
75A20000		2F000		WINTRUST.dll
768B0000		121000		CRYPT32.dll
77730000		C000		MSASN1.dll
7200000		        8E000		XAudio2_7.dll
699B0000		175000		d3d11.dll
69E60000		4C000		dxgi.dll
657D0000		1D000		DXGIDebug.dll
742F0000		168000		nvspcap.dll
72750000		D000		WTSAPI32.dll
71840000		396000		nvapi.dll
55880000		10C6000		nvwgf2um.dll
75230000		17000		bcrypt.dll
FC50000		        3F000		d3dx11_43.dll
DA30000		        207000		d3dcompiler_43.dll
726F0000		3D000		bcryptprimitives.dll
 

Broihon

It's just allocated memory lol. Whenever the game creates a new instance of a class, for example, new memory will be allocated (e.g. with new[] or VirtualAlloc).
And that dump only includes the mapped modules but not the dynamic memory locations. To view all memory regions go to the memory viewer in Cheat Engine and press Ctrl+R (or View → Memory Regions).
 

Rake

Depending on what's happening, maybe you could try hooking VirtualAlloc, dump all the regions that get allocated and the return address so you can find what function is allocating your 0x21AC4000 region. I did something like this one time and luckily found some relative offset magic that saved me. This was on Quake engine; the virtual machine uses VirtualAlloc to alloc some memory, and then parses the byte code modules and drops them into this new memory spot. I hooked VirtualAlloc, traced it back to some LoadVM() function which had a nice little VM Module Pointer Table, but had to use some weird ass dynamic hard coded relative offsets to seal the deal. I'm thinking because this is an emulator it will be kinda similar.
 

Rake

I guess if you haven't run into this before, some people might not realize that when the DLL/EXE is loaded, pages in memory are committed and the code and data in the binary just gets loaded into those memory pages. The memory pages get different read/write/execute permissions based on what sections of the PE file they are stored in, .text, .data etc. The Base Relocation Table is used to fix any hard coded addresses and relative virtual addresses link everything else together. So now when we say "in a module" we just mean an address in between ImageBase and (ImageBase + SizeOfImage), meaning it can be reached by using relative virtual addresses + ImageBase. Other than that anything else is "not in a module", including the sexy stack and heap.

Basically any game that uses a VM or engine that does any runtime compilation/loading won't have everything neatly inside DLLs; that's why I have several different patternScan functions depending how deep you need to scan in the process. Anywho, I'll stop rambling now.
 

HexMurder

Rake;49570 said:
I guess if you haven't run into this before, some people might not realize that when the DLL/EXE is loaded, pages in memory are committed and the code and data in the binary just gets loaded into those memory pages. The memory pages get different read/write/execute permissions based on what sections of the PE file they are stored in, .text, .data etc. The Base Relocation Table is used to fix any hard coded addresses and relative virtual addresses link everything else together. So now when we say "in a module" we just mean an address in between ImageBase and (ImageBase + SizeOfImage), meaning it can be reached by using relative virtual addresses + ImageBase. Other than that anything else is "not in a module", including the sexy stack and heap.

Basically any game that uses a VM or engine that does any runtime compilation/loading won't have everything neatly inside DLLs; that's why I have several different patternScan functions depending how deep you need to scan in the process. Anywho, I'll stop rambling now.
Appreciate that man. Don't have time to test any of this right now but I will fill you in on my results when I can. Thanks so much for the info :)
 