TuxTheWise How do I cheat?
Reputation: 0
Joined: 20 Jan 2011 Posts: 6
Posted: Thu Jan 20, 2011 8:06 am Post subject: C++ hacking question
It's not a Cheat Engine question, but I thought you maybe could help me.
In C++, I can modify another process's memory with:
Code: |
#include <windows.h>

// Find the target window by title, then look up the ID of the process that owns it.
HWND WindowsHandle = FindWindowA(NULL, "BWMeter");
DWORD WindowsPID = 0;
GetWindowThreadProcessId(WindowsHandle, &WindowsPID);
// Open a handle to that process.
HANDLE WindowsProcessHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, WindowsPID);
|
and using WriteProcessMemory(...) to change it.
However, the memory part I want to change depends on the base address of the process. Any idea of how I can get it? Cheat Engine can show it, but I wanted to automatically do it so my program could work in any situation.
Thanks.
Last edited by TuxTheWise on Fri Jan 21, 2011 6:06 pm; edited 2 times in total
 |
atom0s Moderator
Reputation: 205
Joined: 25 Jan 2006 Posts: 8587 Location: 127.0.0.1
Posted: Thu Jan 20, 2011 2:18 pm Post subject:
CreateToolhelp32Snapshot
Process32First
Process32Next
Module32First
Module32Next
_________________
- Retired.
 |
TuxTheWise How do I cheat?
Reputation: 0
Joined: 20 Jan 2011 Posts: 6
Posted: Thu Jan 20, 2011 7:30 pm Post subject:
Okay, I can create a snapshot and get the info about the process/module. However, the data given by Process32... and Module32... (PROCESSENTRY32 and MODULEENTRY32) does not contain the base address (LPCVOID lpBuffer) I want to use with the WriteProcessMemory(...) function.
Can you explain how I should proceed to obtain it? Or is there another way to edit a memory value with only an offset, without the need of the base value?
Again, thanks for the help.
 |
atom0s Moderator
Reputation: 205
Joined: 25 Jan 2006 Posts: 8587 Location: 127.0.0.1
Posted: Thu Jan 20, 2011 7:45 pm Post subject:
Module32First / Module32Next fill a MODULEENTRY32 struct which does contain the base address of each module.
You can read about each part of the structure here:
http://msdn.microsoft.com/en-us/library/ms886756.aspx
Edited for clarity..
_________________
- Retired.
Last edited by atom0s on Fri Jan 21, 2011 12:49 am; edited 1 time in total
 |
TuxTheWise How do I cheat?
Reputation: 0
Joined: 20 Jan 2011 Posts: 6
Posted: Thu Jan 20, 2011 9:55 pm Post subject:
I'm so dumb, for some reason I've missed it.
It worked EXACTLY like I wanted, thank you very much for the help!
 |
TuxTheWise How do I cheat?
Reputation: 0
Joined: 20 Jan 2011 Posts: 6
Posted: Fri Jan 21, 2011 6:29 pm Post subject:
Sorry for "closing" the topic before, new questions have appeared.
I think my question will get clearer if I show my results so far first.
The value of memory I want to modify (according to Cheat Engine) is 0x017B216C.
Seeing the process I want to modify with the Module32... functions, I see that the base address is 0x400000 (modBaseAddr) and the size of the module (modBaseSize) is 3579904 bytes long. It means that the place of memory I want to modify is not there.
My next step was looking at the Heaps. Making the iterations with Heap32... and Heap32List... I was able to construct this list: [sorry, I can't post urls yet T__T] (there is no real reason to see it if you don't want). The address I want is not here either.
What am I missing?
I was talking to a friend at work today, and he said a program is allocated in three parts: one is for code, another for static variables and another one for dynamically allocated memory. I think I reached the first one with the base address of the module and the last one looking at the heaps. Since what I want to do is change a program's configuration, I believe the data I want is in the second area. I'm not sure if what I'm saying is correct though.
It seems like I'm progressing thanks to you Wiccaan.
 |
atom0s Moderator
Reputation: 205
Joined: 25 Jan 2006 Posts: 8587 Location: 127.0.0.1
Posted: Fri Jan 21, 2011 6:40 pm Post subject:
Quote: |
The value of memory I want to modify (according to Cheat Engine) is 0x017B216C.
|
Try seeing if the address is part of a DLL's memory. Open Cheat Engine and attach to the application you are working on, then open the Memory Viewer in CE and go to:
View -> Enumerate DLL's and Symbols
Look for a module the address is in range of. If the address looks like it could be part of one of the listed DLLs, use Module32First/Module32Next to get the base and size of that module to ensure it's within that memory space.
If it is, then you can create an offset to it using:
Address - DLL Base = Offset
To which you can then refind it later with:
Offset + DLL Base = Address
_________________
- Retired.
 |
TuxTheWise How do I cheat?
Reputation: 0
Joined: 20 Jan 2011 Posts: 6
Posted: Fri Jan 21, 2011 8:22 pm Post subject:
The memory piece I want to edit DOES NOT belong to any module in "Enumerate DLL's and Symbols" (I observed offset and size). It also does not belong to anything in the "View -> Heaplist".
Looking at "View -> Memory Regions", I can find the region as:
Address - Allocation Protect - State - Protect - Type - Size
03070000 - Read+Write - Commit - Read+Write - Private - 125000
(in this OS the memory I want to modify is at 0x0310216C).
I wonder how Cheat Engine found this area, so I could find it the same way in my program.
 |
atom0s Moderator
Reputation: 205
Joined: 25 Jan 2006 Posts: 8587 Location: 127.0.0.1
Posted: Fri Jan 21, 2011 8:28 pm Post subject:
Check out: VirtualQueryEx
Along with that since the memory is allocated, try debugging the address you are working with and see if you can locate a pointer. If you can find a pointer outside of the allocated memory you may be able to easily alter it each load.
_________________
- Retired.
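
The containment check and the "Address - Base = Offset" arithmetic discussed in the posts above, written out in C as an added example (not code from the thread or from Cheat Engine). The two ranges use the figures quoted in the thread; the struct, the function names, the range labels and the reading of the region size 125000 as hexadecimal are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* One address range: a loaded module image or a private committed region. */
typedef struct {
    const char *name;   /* label, constructed for this example */
    uint32_t base;      /* modBaseAddr, or the region's base address */
    uint32_t size;      /* modBaseSize, or the region size, in bytes */
    int is_private;     /* 1 = private allocation, 0 = module image */
} range_t;

/* Figures quoted in the thread. Assumption: the region size 125000 is
   hexadecimal, which is the only reading that contains 0x0310216C. */
static const range_t RANGES[] = {
    { "main module",    0x00400000u, 3579904u,  0 },  /* ends at 0x0076A000 */
    { "private region", 0x03070000u, 0x125000u, 1 },
};
#define N_RANGES (sizeof RANGES / sizeof RANGES[0])

/* Return the range containing addr, or NULL. Compared as addr - base < size
   so that base + size can never overflow. */
const range_t *find_range(uint32_t addr) {
    for (size_t i = 0; i < N_RANGES; i++)
        if (addr >= RANGES[i].base && addr - RANGES[i].base < RANGES[i].size)
            return &RANGES[i];
    return NULL;
}

/* Address - Base = Offset; returns 0 if addr is in no known range. */
int to_offset(uint32_t addr, uint32_t *off) {
    const range_t *r = find_range(addr);
    if (!r) return 0;
    *off = addr - r->base;
    return 1;
}

/* Offset + Base = Address; refuses offsets past the end of the range. */
int from_offset(const range_t *r, uint32_t off, uint32_t *addr) {
    if (off >= r->size) return 0;
    *addr = r->base + off;
    return 1;
}

int main(void) {
    uint32_t off;
    if (to_offset(0x0310216Cu, &off))
        printf("%s + 0x%X\n", find_range(0x0310216Cu)->name, (unsigned)off);
    return 0;
}
```

In a real tool the table would be filled from MODULEENTRY32 (modBaseAddr, modBaseSize) and from the MEMORY_BASIC_INFORMATION records returned by VirtualQueryEx. A private region's base can change from run to run, so an offset is only meaningful relative to the base found at that time.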
 |
TuxTheWise How do I cheat?
Reputation: 0
Joined: 20 Jan 2011 Posts: 6
Posted: Sat Jan 22, 2011 10:56 am Post subject:
Wiccaan wrote: | Check out: VirtualQueryEx. |
I made some tests and apparently I'll be able to find the memory region I want with this function.
Luckily I won't need to open this thread again. Thanks for the help.