Author: ashftw (How do I cheat?) Reputation: 0, Joined: 05 Apr 2019, Posts: 3
Posted: Fri Apr 26, 2019 12:35 am, Post subject: How exactly does pointerscan scan?
I am rewriting CE's pointerscan in C++ on the Linux platform.
I iterate over each pointer offset like this:
Code:
    maxlevel = 2
    maxoffset = 2048
    "base" is the current region
    "base".end is the ELF's _end section
    (...) is a dereference
    add pointer if address in range [ "base" ; "base".end ]                                 // level 0
    add pointer if address in range [ ("base"+0) ; ("base"+0)+2048 ]                         // level 1
    add pointer if address in range [ (("base"+0)+0) ; (("base"+0)+0)+2048 ]                 // level 2
    add pointer if address in range [ (("base"+0)+4) ; (("base"+0)+4)+2048 ]                 // level 2
    add pointer if address in range [ (("base"+0)+8) ; (("base"+0)+8)+2048 ]                 // level 2
    add pointer if address in range [ ("base"+4) ; ("base"+4)+2048 ]                         // level 1
    add pointer if address in range [ (("base"+4)+0) ; (("base"+4)+0)+2048 ]                 // level 2
    add pointer if address in range [ (("base"+4)+4) ; (("base"+4)+4)+2048 ]                 // level 2
    add pointer if address in range [ (("base"+4)+8) ; (("base"+4)+8)+2048 ]                 // level 2
    ...
    add pointer if address in range [ ("base".end-4) ; ("base".end-4)+2048 ]                 // level 1
    add pointer if address in range [ (("base".end-4)+0) ; (("base".end-4)+0)+2048 ]         // level 2
    add pointer if address in range [ (("base".end-4)+4) ; (("base".end-4)+4)+2048 ]         // level 2
    add pointer if address in range [ (("base".end-4)+8) ; (("base".end-4)+8)+2048 ]         // level 2
But it seems very slow (12'000'000 paths/thread/sec vs. CE's 150'000'000 paths/thread/sec).
So how exactly does CE scan for pointers?
Author: Dark Byte (Site Admin) Reputation: 458, Joined: 09 May 2003, Posts: 25288, Location: The Netherlands
Posted: Fri Apr 26, 2019 1:58 am
CE keeps a (custom implementation of a) map that holds all pointer values and the addresses that have that value.
So then it just has to ask for values within a range and it will get all the addresses that have a value in that range.
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping.
Author: ashftw (How do I cheat?) Reputation: 0, Joined: 05 Apr 2019, Posts: 3
Posted: Fri Apr 26, 2019 4:12 am
So that map is actually the pointermap's ".scandata" file, which contains the maps of the process, right? Like '/proc/self/maps' on Linux:
    file: "base.exe", address: 0x400000, size: 0x1000, etc...
    file: "library.dll", address: 0x725000, size: 0x22000, etc...
I am really confused by your answer. Can you show in the code exactly where this happens? Or the classes/methods that do this?
Author: Dark Byte (Site Admin) Reputation: 458, Joined: 09 May 2003, Posts: 25288, Location: The Netherlands
Posted: Fri Apr 26, 2019 4:54 am
It's this monster: https://github.com/cheat-engine/cheat-engine/blob/master/Cheat%20Engine/pointervaluelist.pas
Most importantly:
https://github.com/cheat-engine/cheat-engine/blob/ed059e44be2c268a770587bf74c867f08c8bb5b4/Cheat%20Engine/pointervaluelist.pas#L583
Basically it holds a list of all the values in the target process that represent an address, and for each value, which addresses (multiple) hold that value.
So then when searching for values XXXXXXXX-structsize to XXXXXXXX it gets all the addresses a lot quicker.
Of course it first has to do a full memory scan and confirm that every value it encounters is a pointer by checking whether the memory is available or not (on Linux, check /proc/pid/maps, yes).
(Also, keep in mind TLB cache hits/misses etc., so if possible, keep the allocs low and all memory nearby.)
--edit
Also, I just noticed why you're confused.
While your pointerscanner starts from base addresses and scans until it accidentally hits the one target destination address, CE's pointerscanner starts from the destination address and goes the other way until it finds any base address.
This method of course makes it pretty difficult to calculate how long it is going to take, because each path can cause more paths until max level.
(See it like raytracing. Instead of following the infinite number of possible rays a light source emits, just start from the screen pixel and follow its path until it reaches a light source.)
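The two steps Dark Byte describes above (index every pointer-looking word as value -> holder address in one full pass, then walk backwards from the destination with a range query of target-structsize .. target until a static address is hit), as an added C++ example. This is not code from the thread or from Cheat Engine's pointervaluelist.pas: `std::multimap` stands in for CE's custom structure, the `Region`, `PointerPath`, `PointerScanner` and `sample_process` names are made up for the demonstration, and the memory image and all addresses in it are constructed, hypothetical values rather than a real process.

```cpp
// Reverse pointer scan as Dark Byte describes it: index every pointer-looking word as
// value -> holder address, then walk backwards from the destination to a static address.
#include <algorithm>
#include <cstdint>
#include <cstdio>
#include <map>
#include <utility>
#include <vector>

// A readable region of the target as 8-byte-aligned 64-bit words (Linux: from /proc/<pid>/maps).
struct Region {
    uint64_t start;
    bool is_static;                  // main ELF .data/.bss etc.: a valid path root
    std::vector<uint64_t> words;
    uint64_t end() const { return start + words.size() * 8; }
};
// Meaning: read [base], add offsets[0], read, add offsets[1], ... == destination.
struct PointerPath {
    uint64_t base;
    std::vector<uint64_t> offsets;
};

class PointerScanner {
public:
    explicit PointerScanner(std::vector<Region> regions) : regions_(std::move(regions)) {}
    // Step 1, the one-time full memory scan: every word whose value lies inside a
    // readable region is assumed to be a pointer and indexed as value -> address.
    void build_pointer_map() {
        value_to_addrs_.clear();
        for (const Region& r : regions_)
            for (size_t i = 0; i < r.words.size(); ++i)
                if (find_region(r.words[i]))
                    value_to_addrs_.emplace(r.words[i], r.start + i * 8);
    }
    // Step 2: start at the destination and search backwards. maxlevel bounds the number
    // of offsets in a path, maxoffset the "structsize" between a pointer value and target.
    std::vector<PointerPath> scan(uint64_t target, int maxlevel, uint64_t maxoffset) const {
        std::vector<PointerPath> out;
        std::vector<uint64_t> offsets;
        scan_rec(target, 0, maxlevel, maxoffset, offsets, out);
        return out;
    }
    // Forward check used to confirm results: follow a path through memory and return the
    // final address, or 0 if a dereference leaves readable memory.
    uint64_t resolve(const PointerPath& p) const {
        uint64_t addr = p.base;
        for (uint64_t off : p.offsets) {
            const Region* r = find_region(addr);
            if (!r || (addr - r->start) % 8 != 0) return 0;
            addr = r->words[(addr - r->start) / 8] + off;
        }
        return addr;
    }
private:
    std::vector<Region> regions_;
    std::multimap<uint64_t, uint64_t> value_to_addrs_;   // pointer value -> holder address
    const Region* find_region(uint64_t addr) const {
        for (const Region& r : regions_)
            if (addr >= r.start && addr < r.end()) return &r;
        return nullptr;
    }
    void scan_rec(uint64_t target, int level, int maxlevel, uint64_t maxoffset,
                  std::vector<uint64_t>& offsets, std::vector<PointerPath>& out) const {
        // Range query "target - structsize .. target": every holder whose value reaches
        // target with an offset in [0, maxoffset], in O(log n + hits) instead of a rescan.
        uint64_t lo = target > maxoffset ? target - maxoffset : 0;
        auto it = value_to_addrs_.lower_bound(lo), stop = value_to_addrs_.upper_bound(target);
        for (; it != stop; ++it) {
            uint64_t value = it->first, holder = it->second;
            offsets.push_back(target - value);             // target == [holder] + offset
            const Region* r = find_region(holder);
            if (r && r->is_static) {                       // reached a static address: path found
                PointerPath p{holder, offsets};
                std::reverse(p.offsets.begin(), p.offsets.end());   // innermost offset first
                out.push_back(std::move(p));
            } else if (level + 1 < maxlevel) {             // otherwise keep walking backwards
                scan_rec(holder, level + 1, maxlevel, maxoffset, offsets, out);
            }
            offsets.pop_back();
        }
    }
};

// Constructed sample process (hypothetical addresses): a static word points at heap object A,
// A+0x18 points at object B, B+0x8 is the destination; a second heap word also points at B.
static std::vector<Region> sample_process() {
    Region data{0x400000, true, std::vector<uint64_t>(16, 0)};
    Region heap{0x7f0000001000, false, std::vector<uint64_t>(64, 0)};
    data.words[2] = 0x7f0000001000;     // 0x400010       -> A
    heap.words[3] = 0x7f0000001100;     // A+0x18         -> B
    heap.words[33] = 100;               // B+0x8: plain data, not a pointer
    heap.words[40] = 0x7f0000001100;    // 0x7f0000001140 -> B (second route)
    return {data, heap};
}

int main() {
    PointerScanner ps(sample_process());
    ps.build_pointer_map();
    for (const PointerPath& p : ps.scan(0x7f0000001108, 3, 0x100))
        std::printf("base 0x%llx with %zu offsets resolves to 0x%llx\n", (unsigned long long)p.base,
                    p.offsets.size(), (unsigned long long)ps.resolve(p));
}
```

With maxlevel 2 the sample yields the single path 0x400010 -> +0x18 -> +0x8; with maxlevel 3 the second heap word adds a longer path through +0x40, which is why the running time of the backwards search is hard to predict: every hit at one level becomes a new target at the next. The pointer map is built once and reused for every destination, and a real Linux port would fill the regions from /proc/<pid>/maps and read them with process_vm_readv; the per-path cost is then the range lookup rather than a rescan of memory.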
Author: ashftw (How do I cheat?) Reputation: 0, Joined: 05 Apr 2019, Posts: 3
Posted: Fri Apr 26, 2019 8:03 am
Oh, I got it. Thank you!