tombana, Master Cheater, Reputation: 2
Joined: 14 Jun 2007, Posts: 456, Location: The Netherlands
Posted: Wed Apr 16, 2008 8:50 am, Post subject: IsAddressSafe
Hi, I have a question about the IsAddressSafe function in memscan.c.
Code:
    PTE=(UINT_PTR)StartAddress;
    PTE=PTE/0x1000*PTESize+0xc0000000; // virtual address of the page table entry that maps StartAddress
    //now check if the address in PTE is valid by checking the page table directory at 0xc0300000 (same location as CR3 btw)
    PDE=PTE/0x1000*PTESize+0xc0000000; //same formula, applied to the PTE address, gives the page directory entry
I didn't understand that part, so I looked up everything I could find about Page Directories and Page Table Entries, and what I found was:
The highest 10 bits of a virtual address are an index and offset (if multiplied by 4) into the Page Directory. (CR3 register contains the base of the Page Directory) In this entry of the Page Directory, the first 20 bits are the base of the Page Table.
The next 10 bits of the (original) virtual address are the index (and if multiplied by 4 an offset) into this Page Table. Then in this entry, the first 20 bits are the base of the real physical page. (Assuming the address did exist in physical memory.)
Now I don't understand: How should PTE=StartAddress/0x1000*PTESize+0xc0000000; get you the address of the Page Table Entry, and how should PDE=PTE/0x1000*PTESize+0xc0000000; get you the address of the Page Directory Entry.
I hope someone can make this clear for me.
Thanks in Advance.
Dark Byte, Site Admin, Reputation: 458
Joined: 09 May 2003, Posts: 25296, Location: The Netherlands
Posted: Wed Apr 16, 2008 11:25 am
That's the way Windows has set up the pagetables and pagedirs.
They could have put the pagedirs in front of the pagetables but they didn't, making this calculation easier. (If they wanted they could have kept the pagedir even outside of virtual memory and completely randomized.)
Anyhow, with the current setup:
0xc0000000 = base of PTE
0xc0300000 (0xc0600000 in PAE mode) = base of PDE
You can check that by giving an address of 0.
When you divide the address by 0x1000 you are left with only the first 20 bits of the address.
PTESize is 4 in a non-PAE system and 8 in a PAE system.
This gets us an index into the PTE list.
Getting the entry that describes the PTE will be a PDE.
_________________
Do not ask me about online cheats. I don't know any and wont help finding them.
Like my help? Join me on Patreon so i can keep helping
tombana, Master Cheater, Reputation: 2
Joined: 14 Jun 2007, Posts: 456, Location: The Netherlands
Posted: Thu Apr 17, 2008 10:12 am, Post subject: Thanks
Thanks for the reply.
I didn't realize that dividing by 0x1000 would get you the first 20 bits, I thought you had to do something like (Address << 20) or w/e.
So because the pagetables are in front of the pagedirs, and all the page tables are right after each other without spaces in between, that means: instead of first taking 10 bits to find the pde, and then the next 10 bits to find the pte, you can use those 20 bits together to find the pte right away.
Then you can get the address of the pde by taking the first 20 bits of the address of the pte. This means there are (0x300000/4=0xc0000) page tables possible.
Thanks for clearing this up for me.
By the way, Dark Byte, how did you figure these things out when making cheat engine? Did you make this calculation yourself or did you get it from a site?
Dark Byte, Site Admin, Reputation: 458
Joined: 09 May 2003, Posts: 25296, Location: The Netherlands
Posted: Thu Apr 17, 2008 12:40 pm
Yes, there are 0xc0000 page tables possible, and each pagetable describes 4KB, so a max of 0xC0000000 (3GB) can be addressed.
Of course, because Windows uses several 4MB page dir entries (e.g. for the kernel) more memory can be allocated, and the unused spaces that could be used for pagetables will be used for app-data.
I did find from a few sites that the pagetable started at 0xc0000000, but I did find out myself that the pagetable is directly followed by the pagedir (and optional pagedirptr table) by inspecting the CR3 register and querying the physical address using MmGetPhysicalAddress().
tombana, Master Cheater, Reputation: 2
Joined: 14 Jun 2007, Posts: 456, Location: The Netherlands
Posted: Fri Apr 18, 2008 10:32 am
Nice work on finding that out (and everything else in Cheat Engine of course).
But what about a virtual address like 0xDEADBEAF (above 0xc0000000)? Then if you divide that by 0x1000 and do it times 4, and add it to 0xc0000000, you'll get some address even above the page dir, right? How does that work?
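The self-map arithmetic discussed in this thread, written out as an added example (this is not memscan.c or any Cheat Engine code). It uses only the constants quoted above (0xc0000000, 0xc0300000, 0xc0600000 for PAE, PTESize 4 or 8) and cross-checks the PDE formula against the plain two-level index, VA >> 22 (VA >> 21 with 8-byte entries); the 0xDEADBEAF case from the last post is one of the inputs.

```c
#include <stdint.h>
#include <stdio.h>

/* Constants as stated in the thread (32-bit Windows page-table self-map). */
#define PTE_BASE      0xC0000000u   /* virtual base of the page tables */
#define PDE_BASE      0xC0300000u   /* page directory, non-PAE (4-byte entries) */
#define PDE_BASE_PAE  0xC0600000u   /* page directory, PAE (8-byte entries) */
#define PAGE_SIZE     0x1000u

/* PTESize: 4 bytes without PAE, 8 bytes with PAE. */
static uint32_t pte_size(int pae) { return pae ? 8u : 4u; }

/* PTE = (VA / 0x1000) * PTESize + 0xc0000000.
 * Dividing by 0x1000 drops the 12-bit page offset and leaves the combined
 * (PD index, PT index) bits, which index the contiguous page-table mapping. */
uint32_t pte_address(uint32_t va, int pae)
{
    return (va / PAGE_SIZE) * pte_size(pae) + PTE_BASE;
}

/* The PTE address is itself a virtual address inside the self-map, so the
 * same formula applied to it gives the entry that maps it: the PDE of VA. */
uint32_t pde_address(uint32_t va, int pae)
{
    return pte_address(pte_address(va, pae), pae);
}

/* Cross-check: the PDE formula must land on entry (VA >> 22) of the page
 * directory, or (VA >> 21) with 8-byte entries (derived by expanding the
 * formula, not quoted from the thread). Returns 1 when the two agree. */
int pde_matches_two_level_index(uint32_t va, int pae)
{
    uint32_t base = pae ? PDE_BASE_PAE : PDE_BASE;
    uint32_t idx  = pae ? (va >> 21) : (va >> 22);
    return pde_address(va, pae) == base + idx * pte_size(pae);
}

int main(void)
{
    /* Constructed sample addresses; 0xDEADBEAF is the one asked about above. */
    uint32_t samples[] = { 0x00000000u, 0x00401000u, 0xDEADBEAFu };
    for (int pae = 0; pae < 2; pae++)
        for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
            uint32_t va = samples[i];
            printf("%s VA %08X -> PTE at %08X, PDE at %08X (%s)\n",
                   pae ? "PAE    " : "non-PAE", va,
                   pte_address(va, pae), pde_address(va, pae),
                   pde_matches_two_level_index(va, pae) ? "ok" : "MISMATCH");
        }
    return 0;
}
```

For 0xDEADBEAF the PTE lands at 0xC037AB6C, inside the 4MB self-map window but above the single page that holds the directory, and its PDE at 0xC0300DE8 is entry 0x37A of that directory.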