Cheat Engine

[nb81]

Hi,

Could someone tell me how CE lists all the symbols in a process?
I've tried what I found on MSDN(SymInitialize then SymEnumSymbols/SymFromName/SymFromAddr/etc.) but they just won't work when I try to get something from this(They Are Billions) game, they return ERROR_MOD_NOT_FOUND(126). It works fine with ntdll(and alike) modules but not with the main exe(TheyAreBillions.exe). I'm calling functions from an injected dll.

I'm not familiar with CE's source or Pascal itself so I figured it would be best to ask here instead of trying to find something in the source.

Thanks a lot in advance!

edit: after a few hours of reading through .net internal documentation I figured those symbols aren't actually symbols but names extracted from metadata. I still can't quite understand how it's possible to get the name and address of a runtime compiled function so if anyone knows, please help me out.

[Burningmace]

You're getting the name and address of the compiled function because Microsoft exports symbols for their compiled binaries, and the export table is telling you where the APIs are.

The export directory table gives you the name of each export and the function's RVA, which can then be translated into a section offset. This allows CE (and most other debuggers) to tell you where that API is in memory.

The debug directory is usually a CodeView table, which effectively points to where the PDBs are stored on disk. For Windows files these can be looked up and downloaded from the internet via symserv. The PDBs then give you the names of each function from the original source code, usually some information about which source file it was in, and what the RVA of the compiled function is.

However, in .NET this is a little different. The .NET executable has a metadata table which already exposes the names of functions, classes, properties, etc. - you can load this up in Telerik JustDecompile and see for yourself. Since .NET doesn't compile natively in the PE (it's CIL rather than, say, x86_64) the method RVAs from the .NET metadata point to where the method implementation's IL exists in the .text section. Debug directories and PDBs are still a thing but they exist only to map the name of the source file and line of the source file to the RVA of the method, rather than being the primary source of symbol names.

Chances are you're not getting this info from your game's binary because there's no available PDB and it was release compiled. This makes the traditional MSDN calls fail because there's no debug info to read. If you load it up in Telerik JustDecompile or dotPeek or whatever you may get lucky and find that the class and method names aren't obfuscated. If you want to read this back out, .NET Core has a pretty awesome namespace called System.Reflection.Metadata which exposes the PE reader and .NET metadata reader classes, allowing you to do very low-level parsing of the metadata structures. If you're looking for something a bit more high-level (e.g. you want the name of a method and info about its accessibility flags or whatever) you could look into Mono.Cecil for doing the parsing.