Cheat Engine Forum Index -> Cheat Engine

some thoughts about heap
pisto (Newbie cheater)
Posted: Sun Jul 19, 2009 4:07 pm    Post subject: some thoughts about heap

I'm writing because I think that 2 features of Cheatengine need an improvement: heaplist and pointer scan.
I have never seen the pointer scan work (perhaps I've always been unlucky); it always gives fake results, or none at all, and it's slow. Then, listing the heap blocks is *very* slow, and that little window shows the blocks' bounds, but not their size, and it's annoying to open the calculator and calculate the difference.
So, I'd suggest the coders of cheatengine to read this article that I found: securityxploded[dot]com/enumheaps.php
I didn't test it, but the author claims that his replacement of Heap32First and Heap32Next is much faster.
Moreover, I'd like to see the call stack of when the memory block has been allocated.
Could this be something useful in cheatengine?
I implemented this last feature, and a pointer scan, as a dll that's injected at process startup: it hooks and catches any call to HeapAlloc (and HeapFree and HeapReAlloc). About the pointer scan, the algorithm uses the heaplist built with these 3 hooks, and so checks only the valid memory (does Cheatengine do the same?): it works more quickly than cheatengine (usually 10 seconds with a maximum pointer depth of 10 on my 9-year-old PC).
If you think that these features are worthy, I can give you the source code of my dll.

bye
Csimbi (I post too much)
Posted: Sun Jul 19, 2009 4:49 pm    Post subject: Re: some thoughts about heap

pisto wrote:
About the pointer scan, the algorithm uses the heaplist built with these 3 hooks, and so checks only the valid memory (does Cheatengine do the same?): it works more quickly than cheatengine (usually 10 seconds with a maximum pointer depth of 10 on my 9-year-old PC).

The pointer scan usually works for me (I use the old method), but I can never go deeper than level 4, because it's never gonna finish.
So, I would love to see an improvement regarding the speed of pointer scan.

Have a chat with Dark Byte about this. AFAIK, he is very open to suggestions, especially if you are going to contribute code.
My recommendation: grab the current SVN, put your code there, see how it works and send the updated files to Dark Byte.
Dark Byte (Site Admin)
Posted: Sun Jul 19, 2009 6:31 pm

ce's pointer scan checks all writable memory (VirtualQueryEx, filtering regions with write access), not only heap memory, but I guess I could add an option to limit it to heap only, since most base class objects are usually allocated in the heap anyhow

Best way to test if the method works is using the pointerscan routine on ce's tutorial step 8 (ce tutorial step 8 pass=525927)

And sure, send me the source, I'll have a look at it, could be useful

as for ce's pointer scan speed in 5.5, use the non-injected version, the injected one is slow

_________________
Do not ask me about online cheats. I don't know any and won't help finding them.

Like my help? Join me on Patreon so I can keep helping
pisto (Newbie cheater)
Posted: Mon Jul 20, 2009 12:11 am

I'm going to leave right today for holidays. I'll get back in a week, and then I'll put some comments on my code and translate some names (my code is a funny mix of Italian and sloppy English) and I'll send it to you. I can't just patch the svn, I'm coding in C++, like the author of the link in my first post; I don't know anything about Delphi.

EDIT:
just ran some tests with the cheatengine tutorial: my code doesn't work because the pointer at step 8 is not within a heap block (uh?). Besides, originally my code added the heap block captured in the hooks only if the caller of HeapAlloc was the main executable module: but since the tutorial uses the old GlobalAlloc/LocalAlloc functions (why?), the call to HeapAlloc is made from the code that wraps the heap functions in the global/local ones (that is in kernel32.dll).
All of this can be fixed, and probably you can override the normal cheatengine behaviour with mine only when reading a page that's used as heap.

EDIT2:

here is the code, and the binary too.
My dll is made for a program called Wormkit, a sort of (hack) add-on loader for Worms Armageddon. Unfortunately, Wormkit.exe loads only WA.exe: you should rename your executable to that for testing. Anyway, Wormkit is coded in Delphi, and you can easily change it (I included its sources too).

I think that the pointer scan should look on memory that's both readable and writable; what's the point in searching in non-modifiable memory?

www dot webalice.it/micioptah/pointerScan.rar
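The backwards pointer scan pisto describes in his first post, with the region filter Dark Byte and pisto discuss (only writable regions are searched, with a maximum pointer depth), as an added example that is not part of the thread or of either poster's code. It runs over a constructed 32-bit memory snapshot; the Region layout, the addresses and the function names are assumptions made for the example.

```python
import struct
from collections import namedtuple
PTR = 4  # pointer size: 32-bit process, as in the 2009 thread (constructed example)
# base address, bytes, writable flag, static flag (inside a module image, so a usable chain base)
Region = namedtuple("Region", "base data writable static")

def read_ptr(regions, addr):
    # pointer-sized read, or None if addr is not inside any region of the snapshot
    for r in regions:
        if r.base <= addr <= r.base + len(r.data) - PTR:
            return struct.unpack_from("<I", r.data, addr - r.base)[0]
    return None

def follow(regions, base, offsets):
    # resolve a chain: each level reads a pointer and adds the next offset
    cur = base
    for off in offsets:
        p = read_ptr(regions, cur)
        if p is None:
            return None
        cur = p + off
    return cur

def pointer_scan(regions, target, max_depth=4, max_offset=0x100):
    # backwards search: which pointer slots hold a value within max_offset below the
    # wanted address? Only writable regions are searched (CE's VirtualQueryEx filter).
    scan = [r for r in regions if r.writable]
    found = []
    def search(value, offsets, depth):
        for r in scan:
            for off in range(0, len(r.data) - PTR + 1, PTR):
                delta = value - struct.unpack_from("<I", r.data, off)[0]
                if 0 <= delta <= max_offset:
                    slot, chain = r.base + off, [delta] + offsets
                    if r.static:            # report only chains rooted in a module
                        found.append((slot, chain))
                    if depth < max_depth:   # the "maximum pointer depth" of the scan
                        search(slot, chain, depth + 1)
    search(target, [], 1)
    return found

def sample_memory():
    # constructed snapshot: .data slot -> heap object A -> object B -> field at B+0x10
    data = Region(0x00402000, bytearray(0x20), True, True)
    rdata = Region(0x00403000, bytearray(0x10), False, True)   # read-only section
    heap = Region(0x00A00000, bytearray(0x200), True, False)
    struct.pack_into("<I", data.data, 0x8, 0x00A00040)   # static pointer to A
    struct.pack_into("<I", rdata.data, 0x0, 0x00A00130)  # points straight at the target, but is not writable
    struct.pack_into("<I", heap.data, 0x48, 0x00A00120)  # A+8 -> B
    return [data, rdata, heap], 0x00A00130
```

The scan also reports the shallower chain [0x402008]+0xF0, which is why real scans return many candidates that only a rescan after a restart can weed out.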
Dark Byte (Site Admin)
Posted: Mon Jul 27, 2009 9:50 pm

Ok, I'll check it out
pisto (Newbie cheater)
Posted: Tue Jul 28, 2009 12:50 am

I forgot to describe the weird input method:
because I don't know how to code a GUI, and for some reason I couldn't create a console window, you need to put commands (start [address], checknow, etc., described in the cpp file) in an input.txt file, in the current directory of the program. Then, click OK on the little message box asking to go, and it will parse the file. Output will be in output.txt.