Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
 
How pointerscan exactly scan?

 
Forum: Cheat Engine Forum Index -> Cheat Engine Source
ashftw
How do I cheat?
Reputation: 0

Joined: 05 Apr 2019
Posts: 3

Posted: Fri Apr 26, 2019 12:35 am    Post subject: How pointerscan exactly scan?

I am rewriting CE's pointerscan in C++ for the Linux platform.
I iterated over each pointer offset like this:

Code:

maxlevel = 2
maxoffset = 2048
"base" is the current region
.end is the ELF's ._end section
(...) is dereference
    add pointer if address in range [   "base"       ;   "base".end        ] // level 0
    add pointer if address in range [  ("base"+0)    ;  ("base"+0)+2048    ] // level 1
    add pointer if address in range [ (("base"+0)+0) ; (("base"+0)+0)+2048 ] // level 2
    add pointer if address in range [ (("base"+0)+4) ; (("base"+0)+4)+2048 ] // level 2
    add pointer if address in range [ (("base"+0)+8) ; (("base"+0)+8)+2048 ] // level 2
    add pointer if address in range [  ("base"+4)    ;  ("base"+4)+2048    ] // level 1
    add pointer if address in range [ (("base"+4)+0) ; (("base"+4)+0)+2048 ] // level 2
    add pointer if address in range [ (("base"+4)+4) ; (("base"+4)+4)+2048 ] // level 2
    add pointer if address in range [ (("base"+4)+8) ; (("base"+4)+8)+2048 ] // level 2
    ...
    add pointer if address in range [  ("base".end-4)    ;  ("base".end-4)+2048    ] // level 1
    add pointer if address in range [ (("base".end-4)+0) ; (("base".end-4)+0)+2048 ] // level 2
    add pointer if address in range [ (("base".end-4)+4) ; (("base".end-4)+4)+2048 ] // level 2
    add pointer if address in range [ (("base".end-4)+8) ; (("base".end-4)+8)+2048 ] // level 2


but it seems very slow (12'000'000 paths/thread/sec vs. CE's 150'000'000 paths/thread/sec).

So how exactly does CE scan for pointers?
Dark Byte
Site Admin
Reputation: 362

Joined: 09 May 2003
Posts: 21511
Location: The netherlands

Posted: Fri Apr 26, 2019 1:58 am

CE keeps a (custom implementation of a) map that holds all pointer values and the addresses that have that as value.
So then it just has to ask for values within a range and it will get all the addresses that have a value in that range.

_________________
Do not ask me about online cheats. I don't know any and wont help finding them.
ashftw
How do I cheat?
Reputation: 0

Joined: 05 Apr 2019
Posts: 3

Posted: Fri Apr 26, 2019 4:12 am

So that map is actually the pointermap's ".scandata" file, which contains the process's maps, right? Like '/proc/self/maps' on Linux:
file: "base.exe", address: 0x400000, size: 0x1000, etc...
file: "library.dll", address: 0x725000, size: 0x22000, etc...

I am really confused by your answer. Can you show exactly where in the code this happens? Or the classes/methods that do this?
Dark Byte
Site Admin
Reputation: 362

Joined: 09 May 2003
Posts: 21511
Location: The netherlands

Posted: Fri Apr 26, 2019 4:54 am

It's this monster: https://github.com/cheat-engine/cheat-engine/blob/master/Cheat%20Engine/pointervaluelist.pas

most importantly:
https://github.com/cheat-engine/cheat-engine/blob/ed059e44be2c268a770587bf74c867f08c8bb5b4/Cheat%20Engine/pointervaluelist.pas#L583


Basically it holds a list of all the values in the target process that represent an address, and, for each value, which addresses (possibly multiple) hold that value.

So then, when searching for values XXXXXXXX-structsize to XXXXXXXX, it gets all the addresses a lot quicker.

Of course it first has to do a full memory scan and confirm every value it encounters is a pointer by checking whether that memory is available or not (on Linux, check /proc/pid/maps, yes).

(Also, keep in mind TLB cache hits/misses etc., so if possible keep the allocs low and all memory nearby.)


--edit
Also, I just noticed why you're confused.
While your pointerscanner starts from base addresses and scans until it accidentally hits the one target destination address, CE's pointerscanner starts from the destination address and goes the other way until it finds any base address.
This method of course makes it pretty difficult to calculate how long it is going to take, because each path can cause more paths until max level.

(See it like raytracing. Instead of following the infinite amount of possible rays a light source emits, just start from the screen pixel and follow its path until it reaches a light source.)

_________________
Do not ask me about online cheats. I don't know any and wont help finding them.
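The two steps Dark Byte describes above, a value-indexed pointer map built after validating every candidate value against /proc/<pid>/maps, and a backward walk from the destination address toward a static base, as an added C++ example. This is not Cheat Engine's code (CE's own implementation is the Pascal pointervaluelist.pas linked in the post); the memory image, the maps text, the rule that only file-backed mappings count as static bases, and the names parseMaps, buildPointerMap, scanBackward, pathResolves and findPaths are all assumptions of the example.

```cpp
#include <cstdint>
#include <cstdio>
#include <map>
#include <sstream>
#include <string>
#include <vector>

// One line of /proc/<pid>/maps. Assumed rule for this example: a file-backed mapping is
// "static" (a usable base for a pointer path); anonymous mappings such as [heap] are not.
struct Mapping { uintptr_t start, end; bool isStatic; };

// Parse the /proc/<pid>/maps text format: "start-end perms offset dev inode [path]".
std::vector<Mapping> parseMaps(const std::string& text) {
    std::vector<Mapping> out;
    std::istringstream in(text);
    std::string line;
    while (std::getline(in, line)) {
        unsigned long s = 0, e = 0;
        char path[256] = "";
        if (std::sscanf(line.c_str(), "%lx-%lx %*s %*s %*s %*s %255s", &s, &e, path) < 2) continue;
        out.push_back({(uintptr_t)s, (uintptr_t)e, path[0] == '/'});
    }
    return out;
}
const Mapping* findMapping(const std::vector<Mapping>& maps, uintptr_t a) {
    for (const Mapping& m : maps) if (a >= m.start && a < m.end) return &m;
    return nullptr;
}

// Sparse image of the target's memory (address -> 8-byte value), constructed for the example.
typedef std::map<uintptr_t, uint64_t> Memory;
// Step 1, the pointer map: keep only values that land inside a known mapping (the maps
// check) and index them by VALUE, so "which addresses hold a value in [lo, hi]?" is one
// ordered-range lookup instead of another pass over memory.
typedef std::multimap<uintptr_t, uintptr_t> PointerMap;  // value -> address holding it

PointerMap buildPointerMap(const Memory& mem, const std::vector<Mapping>& maps) {
    PointerMap pm;
    for (const auto& kv : mem)
        if (findMapping(maps, kv.first) && findMapping(maps, (uintptr_t)kv.second))
            pm.emplace((uintptr_t)kv.second, kv.first);
    return pm;
}
struct Path { uintptr_t base; std::vector<uintptr_t> offsets; };  // offsets applied after each deref

// Step 2, the reverse scan: from the destination, ask the map for every address whose value
// lies within maxOffset below the current target. A static holder completes a path; every
// holder becomes the next target until maxLevel dereferences are used up.
void scanBackward(const PointerMap& pm, const std::vector<Mapping>& maps, uintptr_t target,
                  int level, int maxLevel, uintptr_t maxOffset,
                  std::vector<uintptr_t>& stack, std::vector<Path>& results) {
    uintptr_t lo = target > maxOffset ? target - maxOffset : 0;
    PointerMap::const_iterator hi = pm.upper_bound(target);
    for (PointerMap::const_iterator it = pm.lower_bound(lo); it != hi; ++it) {
        uintptr_t holder = it->second;
        stack.push_back(target - it->first);  // offset added after dereferencing holder
        const Mapping* m = findMapping(maps, holder);
        if (m && m->isStatic)
            results.push_back({holder, std::vector<uintptr_t>(stack.rbegin(), stack.rend())});
        if (level < maxLevel)
            scanBackward(pm, maps, holder, level + 1, maxLevel, maxOffset, stack, results);
        stack.pop_back();
    }
}

// Forward check of a found path, the direction the poster's own scanner walks.
bool pathResolves(const Memory& mem, const Path& p, uintptr_t target) {
    uintptr_t a = p.base;
    for (uintptr_t off : p.offsets) {
        Memory::const_iterator v = mem.find(a);
        if (v == mem.end()) return false;
        a = (uintptr_t)v->second + off;
    }
    return a == target;
}

// Constructed sample: one file-backed (static) mapping, one heap mapping, a few slots.
const char* const kMaps =
    "00400000-00401000 rw-p 00001000 08:01 1234  /opt/game/base\n"
    "00600000-00602000 rw-p 00000000 00:00 0     [heap]\n";
const Memory kMem = {
    {0x400010, 0x600000},  // static slot -> heap object A
    {0x400020, 0x600118},  // static slot -> 8 bytes below the target (a level-1 path)
    {0x400030, 0x1234},    // not an address: dropped when the pointer map is built
    {0x400040, 0x601000},  // static slot -> heap object D (start of a 3-level path)
    {0x600008, 0x600100},  // A+0x08 -> heap object B
    {0x601008, 0x600000},  // D+0x08 -> A
};
const uintptr_t kTarget = 0x600120;  // destination we want static paths to (B+0x20)

std::vector<Path> findPaths(int maxLevel) {
    std::vector<Mapping> maps = parseMaps(kMaps);
    PointerMap pm = buildPointerMap(kMem, maps);
    std::vector<Path> results;
    std::vector<uintptr_t> stack;
    scanBackward(pm, maps, kTarget, 1, maxLevel, 0x100, stack, results);  // maxoffset 0x100
    return results;
}
bool allPathsResolve(int maxLevel) {
    for (const Path& p : findPaths(maxLevel))
        if (!pathResolves(kMem, p, kTarget)) return false;
    return true;
}
```

With maxlevel 2 the sample yields two paths, base 0x400010 with offsets [0x08, 0x20] and base 0x400020 with offsets [0x08]; raising maxlevel to 3 also reaches the deeper base 0x400040 with [0x08, 0x08, 0x20]. The 0x1234 slot never enters the map because the maps check rejects it, which is the "confirm every value is a pointer" step. Each hit from a range query can open a new range query at the next level, which is why the total work is hard to predict in advance, as the post says; the multimap here stands in for CE's custom structure, and the TLB remark in the post is the reason a real scanner packs that map into a few large, contiguous allocations rather than one node per value.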
ashftw
How do I cheat?
Reputation: 0

Joined: 05 Apr 2019
Posts: 3

Posted: Fri Apr 26, 2019 8:03 am

Oh, I got it. Thank you!
All times are GMT - 6 Hours

 