iPromise (Grandmaster Cheater)
Posted: Mon Apr 05, 2010 4:30 pm
This seems to work. I sorta did what dark byte told me to do.
Code:
SIZE_T S;
MEMORY_BASIC_INFORMATION MBI;
SYSTEM_INFO SI;
GetSystemInfo(&SI);
DWORD lpStartAddress, lpStopAddress;
lpStartAddress = (DWORD) SI.lpMinimumApplicationAddress;
lpStopAddress = (DWORD) SI.lpMaximumApplicationAddress;
for (DWORD addr = lpStartAddress; addr <= lpStopAddress; addr++)
{
    S = VirtualQueryX((LPCVOID) addr, &MBI, sizeof(MEMORY_BASIC_INFORMATION));
    if ((S == sizeof(MEMORY_BASIC_INFORMATION)) && (MBI.State == MEM_COMMIT)
        && (MBI.Type == MEM_PRIVATE) && (MBI.RegionSize > 0) && (MBI.Protect == PAGE_READWRITE))
    {
        for (DWORD i = (DWORD) MBI.BaseAddress; i <= ((DWORD) MBI.BaseAddress + (DWORD) MBI.RegionSize - 4096); i++)
        {
            if ((Type == 0 && *(BYTE*) i == (BYTE) Value)
                || ((Type == 1) && *(WORD*) i == (WORD) Value)
                || ((Type == 2) && *(DWORD*) i == (DWORD) Value)
                || ((Type == 3) && *(UINT64*) i == (UINT64) Value)
                || ((Type == 4) && *(char*) i == (char) Value_Text))
            {
                InsertItem(i, hwndDlg);
            }
        }
    }
    addr = (DWORD) MBI.BaseAddress + (DWORD) MBI.RegionSize;
}
ShowResults(hwndDlg);
tombana (Master Cheater)
Posted: Tue Apr 06, 2010 3:36 am
Quote: "This seems to work."
No.
1. Remove the 'addr++' here, because at the end of the loop you are increasing addr already so no need to increment it by one.
Code: for (DWORD addr = lpStartAddress; addr <= lpStopAddress; addr++)
2. Why are you subtracting 4096? You should actually check the next region to see if it's readable so you could read values that overlap two pages, and if not you shouldn't subtract 4096 but just the size of the type you are scanning for (so that would be 8 bytes for uint64).
3. ((Type == 4) && *(char*) i == (char) Value_Text))
I hope that's not the way you are comparing complete strings.
Slugsnack (Grandmaster Cheater Supreme)
Posted: Tue Apr 06, 2010 2:44 pm
Oh god. It's like watching a man slowly dying in a desert. Waiting for that little code snippet..
But oh.. oh.. it's Christmas day !!!!
Code:
while ( VirtualQuery( ( VOID * )( ( int )mbi.BaseAddress + mbi.RegionSize ), &mbi, sizeof( MEMORY_BASIC_INFORMATION ) ) ) {
    if( mbi.Protect == .............. ) {
        dwEndAddr = ( DWORD )mbi.BaseAddress + mbi.RegionSize - 1 - scanSize;
        for( DWORD i = ( DWORD )mbi.BaseAddress; i <= dwEndAddr; i++ ) {
            __try {
                .....
            }
            __except( true ) {
                i = dwEndAddr;
            }
        }
    }
}
inb4 my code has no scanSize or ........ gives errors, etc.
inafter http://img255.imageshack.us/img255/7752/scan0003su.jpg
iPromise (Grandmaster Cheater)
Posted: Tue Apr 06, 2010 8:24 pm
Code:
if (CheckBox1 == BST_CHECKED)
{
    SIZE_T ScanSize;
    if (Type == 0)
    {
        ScanSize = sizeof(BYTE);
    }
    if (Type == 1)
    {
        ScanSize = sizeof(WORD);
    }
    if (Type == 2)
    {
        ScanSize = sizeof(DWORD);
    }
    if (Type == 3)
    {
        ScanSize = sizeof(UINT64);
    }
    if (Type == 4)
    {
        ScanSize = sizeof(string);
    }
    DWORD lpflOldProtect;
    SIZE_T S;
    MEMORY_BASIC_INFORMATION MBI;
    SYSTEM_INFO SI;
    GetSystemInfo(&SI);
    DWORD lpStartAddress, lpStopAddress;
    lpStartAddress = (DWORD) SI.lpMinimumApplicationAddress;
    lpStopAddress = (DWORD) SI.lpMaximumApplicationAddress;
    for (DWORD addr = lpStartAddress; addr <= lpStopAddress; addr++)
    {
        S = VirtualQueryX((LPCVOID) addr, &MBI, sizeof(MEMORY_BASIC_INFORMATION));
        if ((S == sizeof(MEMORY_BASIC_INFORMATION)) && (MBI.State == MEM_COMMIT)
            && (MBI.Type == MEM_PRIVATE) && (MBI.RegionSize > 0) && (MBI.Protect == PAGE_READWRITE))
        {
            for (DWORD i = (DWORD) MBI.BaseAddress; i <= ((DWORD) MBI.BaseAddress + (DWORD) MBI.RegionSize - 4096); i++)
            {
                VirtualProtect((LPVOID) i, 4, PAGE_READWRITE, &lpflOldProtect);
                if ((Type == 0 && *(BYTE*) i == (BYTE) Value)
                    || ((Type == 1) && *(WORD*) i == (WORD) Value)
                    || ((Type == 2) && *(DWORD*) i == (DWORD) Value)
                    || ((Type == 3) && *(UINT64*) i == (UINT64) Value)
                    || ((Type == 4) && *(char*) i == (char) Value_Text))
                {
                    InsertItem(i, hwndDlg);
                }
            }
        }
        addr = (DWORD) addr + (DWORD) MBI.RegionSize;
    }
    ShowResults(hwndDlg);
}

WORKS GREAT
Flyte (Peanuts!!!!)
Posted: Tue Apr 06, 2010 9:04 pm
iPromise wrote:
-snip-
WORKS GREAT
Dark Byte (Site Admin)
Posted: Tue Apr 06, 2010 9:11 pm
While Flyte's post does explain this perfectly, I'll try to elaborate:
"VirtualProtect((LPVOID) i, 4, PAGE_READWRITE, &lpflOldProtect);" for every single byte.
And here I thought you wanted to increase the speed....
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping
Anden100 (Grandmaster Cheater)
Posted: Wed Apr 07, 2010 4:29 am
Those nice ifs concerning the ScanSize, why are they there? Because if it's to determine the amount of data to be compared:
Code:
if (Type == 4)
{
    ScanSize = sizeof(string);
}
should be the length of the string which you wish to compare.
Dark Byte (Site Admin)
Posted: Wed Apr 07, 2010 5:50 am
Looking at the code, he's not even using scansize for anything, so I doubt that will be a problem.
Of course, I guess he probably meant to do: i <= ((DWORD) MBI.BaseAddress + (DWORD) MBI.RegionSize - ScanSize+1
Slugsnack (Grandmaster Cheater Supreme)
Posted: Wed Apr 07, 2010 11:49 am
Dark Byte wrote:
"Looking at the code, he's not even using scansize for anything, so I doubt that will be a problem.
Of course, I guess he probably meant to do: i <= ((DWORD) MBI.BaseAddress + (DWORD) MBI.RegionSize - ScanSize+1"
Shouldn't that be a -1?
Dark Byte (Site Admin)
Posted: Wed Apr 07, 2010 1:25 pm
actually +0, I didn't notice he used <= instead of <
example:
base: 00400000 size=1000
size-4=ffc
so from 00400000 until address is > 00400ffc
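The corrections the thread converges on, pulled together as an added example (not code from any poster here): a compare width per scan type (a string's is its length, not sizeof(string)), the end-of-region bound from Dark Byte's base 00400000 / size 1000 / size-4 = ffc walkthrough, and a scan over a constructed buffer standing in for one committed region handed back by VirtualQuery. scan_type, scan_width, last_scan_start, matches, scan_region and sample_region are hypothetical names; a little-endian host is assumed, and memcmp is used only for the string case.

```c
#include <stdint.h>
#include <string.h>

/* Hypothetical type codes mirroring the thread's Type == 0..4 checks. */
enum scan_type { SCAN_BYTE, SCAN_WORD, SCAN_DWORD, SCAN_QWORD, SCAN_STRING };

/* Bytes compared per candidate; for a string that is strlen(text), not sizeof(string). */
size_t scan_width(enum scan_type t, const char *text)
{
    static const size_t w[] = { 1, 2, 4, 8 };
    return t == SCAN_STRING ? strlen(text) : w[t];
}

/* Last start address where 'width' bytes still fit in the region: with base
   0x00400000, size 0x1000 and width 4 that is 0x00400ffc (subtract the width, not 4096). */
uint32_t last_scan_start(uint32_t base, uint32_t size, uint32_t width) { return base + size - width; }

/* Compare one candidate. Integers are copied out with memcpy (safe at unaligned
   addresses) and only the low 'width' bytes of 'value' count, like the thread's
   (BYTE)/(WORD)/(DWORD) casts. A little-endian host is assumed. */
static int matches(const uint8_t *p, enum scan_type t, uint64_t value,
                   const char *text, size_t width)
{
    uint64_t v = 0;
    if (t == SCAN_STRING) return memcmp(p, text, width) == 0;
    memcpy(&v, p, width);
    return v == (value & (width == 8 ? UINT64_MAX : (1ULL << (8 * width)) - 1));
}

/* Scan one buffer standing in for a committed, readable region from VirtualQuery.
   Looping with '<=' against size - width makes the final compare end exactly at the
   region end. Returns the hit count; up to max_out offsets go to out (may be NULL). */
size_t scan_region(const uint8_t *buf, size_t size, enum scan_type t,
                   uint64_t value, const char *text, size_t *out, size_t max_out)
{
    size_t width = scan_width(t, text), hits = 0;
    if (width == 0 || size < width) return 0;
    for (size_t i = 0; i <= size - width; i++) {
        if (matches(buf + i, t, value, text, width)) {
            if (hits < max_out) out[hits] = i;
            hits++;
        }
    }
    return hits;
}

/* Constructed sample region: dword 0x12345678 at offsets 4 and 28 (the last
   place a dword fits in 32 bytes) and "hello" at offset 10. */
const uint8_t sample_region[32] = {
    0, 0, 0, 0, 0x78, 0x56, 0x34, 0x12, 0, 0, 'h', 'e', 'l', 'l', 'o', 0,
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x78, 0x56, 0x34, 0x12 };
```

The dword at offset 28 is only found because the bound is size - width; the original -4096 bound would never reach it, and a -1 bound would still read one byte past the region.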
Anden100 (Grandmaster Cheater)
Posted: Wed Apr 07, 2010 2:37 pm
Dark Byte wrote:
"Looking at the code, he's not even using scansize for anything, so I doubt that will be a problem."
Did try to point that out as well, by asking him why they were there.
And couldn't you as well use memcmp (or similar) to compare the values, instead of doing all those compares? (dunno if it would be faster, but it sure would look better)
Slugsnack (Grandmaster Cheater Supreme)
Posted: Wed Apr 07, 2010 2:49 pm
Anden100 wrote:
"Dark Byte wrote:
"Looking at the code, he's not even using scansize for anything, so I doubt that will be a problem."
Did try to point that out as well, by asking him why they were there.
And couldn't you as well use memcmp (or similar) to compare the values, instead of doing all those compares? (dunno if it would be faster, but it sure would look better)"
memcmp would not be smart. Even using scasx would not necessarily be smart, since those instructions became slow as manufacturers started making their processors more RISC-like. The overhead of having a call would not make memcmp viable, especially as he's only comparing small blocks.
hcavolsdsadgadsg (I'm a spammer)
Posted: Wed Apr 07, 2010 3:44 pm
Most CRT functions now are probably implemented as a compiler intrinsic and will just get inlined as it deems necessary. If you enable the SSE/2 flag it'll try to use those versions as well.
But if you think you can do better, VS comes with the CRT source.
CristoferMartins (Newbie cheater)
Posted: Thu Apr 08, 2010 11:18 am
Hey people, I have a question.
I made a prototype of a scan, and I don't know if this is efficient.
For searching integers I copy all the memory of a region into an array of integers and then loop over this array...
Anyway, does anyone know an amazing way to read the memory fast and work correctly? I don't understand the Cheat Engine code...
Burningmace (Grandmaster Cheater)
Posted: Thu Apr 08, 2010 11:25 am
Just a quick thought. Which of these is quicker?
1) Find page address and size, read whole page with single ReadProcessMemory call and iterate through that block of memory as a set of bytes, casting appropriately.
2) Find page address and size, read each value with its own ReadProcessMemory call.
_________________
It's not fun unless every exploit mitigation is enabled.