Cheat Engine

[Z003]

Hi all,

I have the following scenario:

From my iPhone, using gdb (gnu debugger) I have dumped the process memory of a game:

d1.bin = memory dump with money @ 964
d2.bin = memory dump with money still @ 964
d3.bin = memory dump with money @ 714

My objective is to find the region of memory which stored the money values.

I've tried to simply diff the files using programs like WinHEX and Beyond Compare 3, but even the 'noise filtering' dumps d1 <=> d2 have far too many changes. d2 <=> d3 have even more, too many to handle manually.

The catch is the format in which the money is stored in is unknown. I've tried searching d1/d2 for simple int 0x03C4 (964d) and seeing if any of them correspond to the same memory location in d3 which has changed to 0x02CA (714d) but no luck. I have a feeling they are stored as a truncated float.

The perfect solution for this would be to allow Cheat Engine to somehow use d1 as the first search memory (looking for exact value 964), d2 as the 2nd search memory (looking for unchanged values or researching 964), and d3 as the 3rd search memory (looking for exact value 714).

Any advice would be greatly appreciated. Thank you!

PS. I've attached the dumps in case anyone feels like experimenting with them. Its a rar that contains the 3 .bin files which are binary memory dumps of the game process. I can't post urls yet for some reason but its here:

megaupload dot com/?d=AYFF65DX

[Z003]

If anyone runs into this post in the future, my solution was to use a program similar to cheat engine called 'artmoney'.

It was able to load the memory dumps as files but perform searches on them as if they were process memory. By searching for "coded value" type I was even able to find the regions of memory that were modified and freeze them, despite the fact they were encrypted and signed.

[mennis_88]

very kool how did you get the dumps?