Cheat Engine Forum Index -> General Gamehacking
Help about VirtualProtect(Ex).

 
blitz02 (Cheater, Reputation: 0, Joined: 28 Feb 2007, Posts: 44)
Posted: Wed Apr 28, 2010 8:20 am    Post subject: Help about VirtualProtect(Ex).

Thank you for viewing my page.
Basically I am trying to create an in-game trainer,
but since the game changes dynamically, I can't find any static pointer to those.

Why?
[I open the game and CE, and the values I am searching for are fixed for the current game. The values at that address cannot be changed in-game either,
so I cannot look for pointers =3; the addresses only change when the game starts to load.]

So what I did was create an AOB scanner (actually I asked for this) and add some VirtualProtect functions. Please check what I am doing wrong here.

Code:

#include <windows.h>

BYTE* ScanAOB(BYTE* AOB, BYTE* memdump, unsigned long searchsize, unsigned int aobsize)
{
    HANDLE auHandler = GetCurrentProcess();
    DWORD oldprot;

    unsigned long a = 0, i = 0;
    for (i = 0; i < searchsize; i++)
    {
        // '?' in the pattern is a wildcard: skip it in both pattern and memory
        while (AOB[a] == '?')
        {
            a++;
            i++;
        }

        // note: memdump[i] is the byte value at i, so this cast protects the address
        // equal to that byte value, not &memdump[i]
        VirtualProtectEx(GetCurrentProcess(), (void*)memdump[i], 9, PAGE_EXECUTE_READWRITE, &oldprot);

        if (memdump[i] == AOB[a])
        {
            if (a == (aobsize - 1))
            {
                return &memdump[i-a];
            }
            a++;
        }
        else
        {
            a = 0;
        }

        VirtualProtectEx(GetCurrentProcess(), (void*)memdump[i], 9, oldprot, NULL);
    }
    return 0;
}



I call it here and add some VirtualProtects too because I will edit some addresses.

Code:

    byte Level70[9] = { 0x38, 0x34, 0x31, 0x32, 0x31, 0x39, 0x33, 0x31, 0x32 };
    byte GO[9]      = { 0x34, 0x36, 0x34, 0x36, 0x34, 0x36, 0x34, 0x36, 0x34 };

    SendAddy = (DWORD)ScanAOB(Level70, (byte*)0x1D000000, 0xEFFFFFFF, 9);

    VirtualProtectEx(GetCurrentProcess(), (void*)SendAddy, 9, PAGE_EXECUTE_READWRITE, &oldprot);

    WriteProcessMemory(GetCurrentProcess(), (void*)SendAddy, GO, 9, NULL);

    VirtualProtectEx(GetCurrentProcess(), (void*)SendAddy, 9, oldprot, NULL);


So how am I doing?
=3
I am so lost, I don't know if the ScanAOB thing is at fault.
It's so hard to search AOBs over a large area.

[EDIT]
So I think I got it, I can only search AOBs over a smaller range..
Why can it only scan a small range?
It keeps popping up errors if I declare a far range value.
NoMercy (Master Cheater, Reputation: 1, Joined: 09 Feb 2009, Posts: 289)
Posted: Thu Apr 29, 2010 1:07 am

Code:
    SendAddy = (DWORD)ScanAOB(Level70, (byte*)0x1D000000, 0xEFFFFFFF, 9)

why do you use such a large memory range? EFFFFF is, I believe, kernel O_o
Slugsnack (Grandmaster Cheater Supreme, Reputation: 71, Joined: 24 Jan 2007, Posts: 1857)
Posted: Thu Apr 29, 2010 6:51 am

this is a very dangerous method of scanning and shows a lack of conceptual understanding of memory. ipromise was continually making this exact same mistake despite being told millions of times not to.

your process' virtual memory is split up into many pages of a fixed length. the standard page length on windows is 2048 bytes. each page can have a different page protection which is what you're trying to modify with virtualprotectex. a lot of these pages are not allocated and in which case, you should not be trying to read them. if a page is not allocated then the game is obviously not using it either, so you have no reason to try to read it. in fact, forcing that page to be readable is completely pointless.

the correct thing to do is to use virtualquery/ex to query these page protections. this will return information on whether a given memory region is readable. if yes, it shows how big the block of contiguous memory is with the same protection rights.

you should in fact, never have to use virtualprotect/ex when coding a scanning/reading function. you are only ever interested in reading memory that the game is interacting with. the game will only be interacting with said memory if it is readable ( and possibly writable ). therefore you should only ever read memory that is already readable.

also, if i was you, i would recode that scanaob function..
blitz02 (Cheater, Reputation: 0, Joined: 28 Feb 2007, Posts: 44)
Posted: Thu Apr 29, 2010 7:58 am

Slugsnack wrote:

you should in fact, never have to use virtualprotect/ex when coding a scanning/reading function. you are only ever interested in reading memory that the game is interacting with. the game will only be interacting with said memory if it is readable ( and possibly writable ). therefore you should only ever read memory that is already readable.

also, if i was you, i would recode that scanaob function..

Oh! Wow, I got it with your explanation (VirtualProtect/Ex).
I thought this was to allow and disallow writing to memory that the game uses.

After reading further about memory and observing CE,
I learned about User and Kernel.

Correct me if my understanding is wrong.

User mode handles memory from 0x00000000 to 7FFFFFFF while
Kernel mode handles memory from 0x80000000 to FFFFFFFF.

From my previous understanding, I am only allowed to access memory from User Mode, 0-7FFFFFFF. But now it seems that on the game I'm trying to hack, only the Kernel (0x80000000 to 0xFFFFFFFF) memory is the accessible address range I can edit (with a shorter range of search).

I wanted to edit an address that was located at 0x04000000 to 0x05000000, but the game always crashes.

I tried VirtualProtect; the game didn't crash but the search doesn't work on that area. Can you give me hints on where I should start or what I should do?
Slugsnack (Grandmaster Cheater Supreme, Reputation: 71, Joined: 24 Jan 2007, Posts: 1857)
Posted: Thu Apr 29, 2010 8:46 am

are you still doing your scanning ? or the editing itself ? for the scanning part, you should never have to use virtualprotect. you need to use virtualquery/ex though
blitz02 (Cheater, Reputation: 0, Joined: 28 Feb 2007, Posts: 44)
Posted: Thu Apr 29, 2010 5:38 pm

Thanks for the support, I'll try VirtualQuery.
I'll be back with feedback.

[Edit]

As I read about VirtualQuery, to my understanding it only reads the protection the memory has.. I'll test VQ then.
Slugsnack (Grandmaster Cheater Supreme, Reputation: 71, Joined: 24 Jan 2007, Posts: 1857)
Posted: Thu Apr 29, 2010 6:42 pm

yes, virtualquery reads what protection it has. you just need to find all readable regions and then read from them. ignore all non-readable regions, you aren't bothered about those
blitz02 (Cheater, Reputation: 0, Joined: 28 Feb 2007, Posts: 44)
Posted: Fri Apr 30, 2010 8:58 pm

Please check my work, I don't know why it doesn't work.

Code:
BYTE* ScanAOB(BYTE* AOB, BYTE* memdump, unsigned long searchsize, int aobsize)
{
    MEMORY_BASIC_INFORMATION mbi;   // used below but not declared in the post
    DWORD dwEndAddr;
    unsigned long a = 0, i = 0;

    // note: memdump is never advanced, so every iteration queries the same address
    while (VirtualQuery((void*)memdump, &mbi, sizeof(MEMORY_BASIC_INFORMATION)))
    {
        if ((mbi.State == MEM_COMMIT) && (mbi.Type == MEM_PRIVATE) && (mbi.RegionSize > 0) && (mbi.Protect == PAGE_READWRITE))
        {
            dwEndAddr = (DWORD)mbi.BaseAddress + mbi.RegionSize - 1 - aobsize;
            for (DWORD i = (DWORD)mbi.BaseAddress; i <= dwEndAddr; i++)
            {
                __try
                {
                    // this inner i shadows the region loop's i and restarts at 0
                    for (i = 0; i < searchsize; i++)
                    {
                        while (AOB[a] == '?')
                        {
                            a++;
                            i++;
                        }
                        if (memdump[i] == AOB[a])
                        {
                            if (a == (aobsize - 1))
                            {
                                return &memdump[i-a];
                            }
                            a++;
                        }
                        else a = 0;
                    }
                }
                __except(true)
                {
                    i = dwEndAddr;
                }
            }
        }
    }
    return 0;
}


I have read the thread about iPromise.
Please criticise the code <3
Slugsnack (Grandmaster Cheater Supreme, Reputation: 71, Joined: 24 Jan 2007, Posts: 1857)
Posted: Sat May 01, 2010 6:31 am

you only really need to check mbi.protect tbh. and you still have the problem in your aob scanning part. if you were to get a partial match, it would continue from where the bytes first stopped matching. instead it should continue from the address of the last attempted match + 1

here's some advice. make a string made of an array of bytes and try to find a match for certain substrings in there.
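The two points Slugsnack makes in this thread, scanning only committed readable regions (the VirtualQuery loop) and restarting a failed partial match at the next candidate address rather than at the byte that mismatched, worked through as an added example; this is not code from the thread or from Cheat Engine. It is written in portable C so it runs anywhere: the region list is a constructed stand-in for the MEMORY_BASIC_INFORMATION records a VirtualQuery loop would return, the STATE_/PROT_ constants, region_t, pat_byte_t, parse_aob, find_aob, find_aob_naive, scan_regions and demo_offset are all this example's own names, and the sample bytes are constructed to contain the pattern only at an offset the thread's matcher never tries. find_aob_naive reproduces that matcher for contrast.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins for MEMORY_BASIC_INFORMATION values; on Windows VirtualQuery fills them in. */
#define STATE_COMMIT   0x1000u  /* MEM_COMMIT */
#define STATE_RESERVE  0x2000u  /* MEM_RESERVE */
#define PROT_NOACCESS  0x01u    /* PAGE_NOACCESS */
#define PROT_READONLY  0x02u    /* PAGE_READONLY */
#define PROT_READWRITE 0x04u    /* PAGE_READWRITE */
#define PROT_EXEC_READ 0x20u    /* PAGE_EXECUTE_READ */
#define PROT_GUARD     0x100u   /* PAGE_GUARD modifier */
/* BaseAddress, RegionSize, State and Protect of one region. */
typedef struct { const uint8_t *base; size_t size; unsigned state, protect; } region_t;

/* Only committed, unguarded, readable regions are scanned; the game cannot be using anything else. */
int region_is_readable(const region_t *r)
{
    if (r->state != STATE_COMMIT || (r->protect & (PROT_NOACCESS | PROT_GUARD))) return 0;
    return (r->protect & (PROT_READONLY | PROT_READWRITE | PROT_EXEC_READ)) != 0;
}

/* One pattern byte; wildcard is set for "?" or "??" in the AOB text. */
typedef struct { uint8_t value; int wildcard; } pat_byte_t;

/* Parse Cheat Engine style AOB text ("38 34 ?? 32"); returns byte count or -1 on error. */
int parse_aob(const char *text, pat_byte_t *out, int max)
{
    int n = 0;
    for (;; n++) {
        while (*text == ' ') text++;
        if (!*text) return n;
        if (n == max) return -1;
        if (*text == '?') {                    /* wildcard byte */
            out[n].wildcard = 1; out[n].value = 0;
            while (*text == '?') text++;
        } else {                               /* literal hex byte */
            unsigned v; int used = 0;
            if (sscanf(text, "%2x%n", &v, &used) != 1 || used == 0) return -1;
            out[n].wildcard = 0; out[n].value = (uint8_t)v;
            text += used;
        }
    }
}

/* The thread's matcher, kept only to show the failure: one running pattern index, reset on a
   mismatch, so scanning resumes at the failed byte and a match starting inside the attempt is missed. */
const uint8_t *find_aob_naive(const uint8_t *buf, size_t len, const pat_byte_t *pat, int patlen)
{
    int a = 0;
    for (size_t i = 0; i < len; i++) {
        if (pat[a].wildcard || buf[i] == pat[a].value) {
            if (a == patlen - 1) return buf + i - a;
            a++;
        } else {
            a = 0;  /* bug: i is not rewound to (i - a), so offsets i-a+1 .. i are never tried as starts */
        }
    }
    return NULL;
}

/* Corrected matcher: every offset is a candidate start, and a failed attempt at start is
   followed by a fresh attempt at start + 1 (Slugsnack's "last attempted match + 1"). */
const uint8_t *find_aob(const uint8_t *buf, size_t len, const pat_byte_t *pat, int patlen)
{
    if (patlen <= 0 || (size_t)patlen > len) return NULL;
    for (size_t start = 0; start + (size_t)patlen <= len; start++) {
        int k = 0;
        while (k < patlen && (pat[k].wildcard || buf[start + k] == pat[k].value)) k++;
        if (k == patlen) return buf + start;
    }
    return NULL;
}

/* Walk the region list as a VirtualQuery loop would, skipping unreadable regions. */
const uint8_t *scan_regions(const region_t *regions, size_t n, const pat_byte_t *pat, int patlen)
{
    for (size_t r = 0; r < n; r++) {
        if (!region_is_readable(&regions[r])) continue;
        const uint8_t *hit = find_aob(regions[r].base, regions[r].size, pat, patlen);
        if (hit) return hit;
    }
    return NULL;
}

/* Constructed sample memory: the readable region holds the prefix "38 34 31" at offset 0 and the full
   pattern "38 34 31 32" only at offset 3; the reserved region holds it too but is not committed. */
static const uint8_t sample_readable[] = { 0x38, 0x34, 0x31, 0x38, 0x34, 0x31, 0x32, 0x00 };
static const uint8_t sample_reserved[] = { 0x38, 0x34, 0x31, 0x32, 0x00, 0x00, 0x00, 0x00 };
static const region_t sample_regions[] = {
    { sample_reserved, sizeof sample_reserved, STATE_RESERVE, PROT_NOACCESS },
    { sample_readable, sizeof sample_readable, STATE_COMMIT,  PROT_READWRITE },
};

/* Offset of the first hit inside sample_readable, or -1; naive != 0 runs the thread's matcher instead. */
long demo_offset(const char *aob, int naive)
{
    pat_byte_t pat[32];
    int n = parse_aob(aob, pat, 32);
    if (n <= 0) return -1;
    const uint8_t *hit = naive ? find_aob_naive(sample_readable, sizeof sample_readable, pat, n)
                               : scan_regions(sample_regions, 2, pat, n);
    return hit ? (long)(hit - sample_readable) : -1;
}
```

demo_offset("38 34 31 32", 0) and demo_offset("38 ?? 31 32", 0) both return 3, while demo_offset("38 34 31 32", 1) returns -1: the bytes are present, the thread's matcher just resumes at offset 3 with its pattern index reset and compares that byte against the first pattern byte, so the match that begins there is skipped. In a real scanner the region list would come from calling VirtualQuery in a loop, advancing the query address by RegionSize each time, and the bytes would be read from the region's BaseAddress; nothing in that loop needs VirtualProtect.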
blitz02 (Cheater, Reputation: 0, Joined: 28 Feb 2007, Posts: 44)
Posted: Sun May 02, 2010 6:46 am

Oh thanks for the hint..
I kinda surrender to some things regarding GameGuard <.<

It's about the "??" thing after several seconds.
I think GameGuard unhooks CE, which causes the "??" thing.

First I hook GameGuard, the game loads (I can see the memory clearly);
Second I search for some things, then it suddenly goes "??", which gives me the idea that CE is being unhooked from the process. Then after a while I cannot inject it anymore, so I have to restart the whole set of steps.

I have an idea for an alternative way of scanning, but it'll take some time I guess.

What is your opinion regarding the GameGuard unhooking thingy?
That really gets me down for some time.