Cheat Engine

[HereWeGoAgain]

Hello all, new to Cheat Engine. I've been going through some tutorials and have a few things that I'd like clarified / explained. I know it's a bit lengthy, but it would be greatly appreciated if everything could be answered!

Part A:

Are data types such as floats and doubles stored differently than their byte sized counterparts? For instance, is it ever possible when searching for a float that a 4-byte search be used, or an 8 byte for a double? Or does it not work that way?


Part B:
Are the addresses shown to you the real, physical memory address? Or is everything logically addressed relative to the process? Is logical addressing a reason for CE needing to be attached to a process? And that leads to my next question. Does attaching to a process actually do anything to it if no debugger is attached? Can a process know if it's been attached to by CE?


Part C:
The dissect data structure tool. Is it literally a way to get the structure from an instance of an object, like a class or struct? Or am I thinking about this the wrong way? If you had something like the sample below, the tool would show you the addresses of where the variables are stored and the offsets would be identical for all other instances of that type?
class Player {
float speed;
int health;
float x, y;
}

If so, is the memory used always laid out sequentially? What about larger objects, wouldn't those have a chance of getting fragmented or spread out in memory? How does the tool work then?

Additionally, when you start with an address and it lists memory locations after it, is there a way to see the addresses before it too? Such as with the example of a simple structure above, if you had started with the address of health, speed would be completely hidden. Correct?


Part D:
Maybe more of an assembly language question, but in a tutorial it was said that if an address is green it means it is static. And that when it is static, it will be either in the same place in the process every time or it has an offset from a module that won't be changing. In the latter, does this still mean that the position will never change? Even after restarts? I haven't been able to find a whole lot of information on assembly language modules. Are they the same as ASM sections? Do they identify the start of the process memory? I have no idea.

[Dark Byte]

a:
Yes, they are stored according to the ieee754 standard http://steve.hollasch.net/cgindex/coding/ieeefloat.html

Sometimes an value increasing only a little, can be found using a 4 byte scan using increased value, but you won't be able to recognize the value as anything you'd use in normal life

b:
In computers/operating systems each process it's own virtual memory range starting from 0 to ffffffffffffffff
But this doesn't mean that all processes actually occupy that much memory. The memory is split up into 4KB ranges (pages) and then linked together into a map using the pagetable system. And the pages can be at random locations in the physical memory

So when you access address virtual address 0x00400000 it checks several tables that link to eachother to find the physical address of that virtual address and then you read that

And if a address is not described, then it just doesn't exist (in CE it's shown as ?? ?? ?? memory)

For CE to be able to get the physical address from a virtual address it will need to 'open' a process and get information necessary (like the location of the pagetable information for this specific process)

(Of course windows provides functions for this which do the same)

c:
Yes, it lets you define a structure in the order you think it is
Structures are always sequential in memory, e.g vtable, followed by speed, followed by health, followed by x and y

Larger objects will also be sequential, but you can always use pointers to link to other structures/classes

As for starting after the start: That's why you use the debugger. You find out the code that is accessing health, and it will be written something like mov [eax+248],esi
then you know that eax+248 is health, and then eax+0 is the start address of the structure

In the memoryview you can always scroll around to see other possibilities. E.g a good rule of thumb is that structures often start with a pointer that points to a block of pointers (vtable or other descriptor, and the pointers are the methods of the class)

D:
A static address is an address relative to the start of the module it is in.
Some modules always load at 00400000 or 100000000 and never change, so there you can say that the address is always the same, BUT some modules can change the location each time they get loaded, and in that case the address itself will change, BUT you can always find it by getting the start address of the module and a specific distance.
That's why when you doubleclick on a static address (green address) it is written down as modulename+xxxxxxxx (in the address field, not shown in the list) as opposed to the address you see in the found address list

[HereWeGoAgain]

Thanks, that was all very helpful.

Especially