Cheat Engine

[crydev]

Hello,

I am new here, until now I only needed information already posted but now I am stuck and have a few questions.

I am writing my own memory scanner, a Cheatengine like application with a user interface, scanner, debugger, disassembler and thread/module operation interface.

I have already written the scanning mechanism, which is a lot different from cheatengine's way (by looking at the Delphi sources) , with a first- and next scan. However, my next scan is the thing that contains a bug which I haven't been able to figure out since a month or two.

First scan returns a set of results, say 10 million. Whenever I run a next scan over it, scanning for the same value as I originally did first, it would return between 5 and 6 million results, where it should return between 9,5 and 10 million. (almost the same as the original scan). Whenever I run next scan again, and over and over again, it acts as expected. It returns only just less results than the previous scan. There must be a difference in algorithm, but I haven't been able to find it.

My questions:

• I use VirtualQueryEx to read out the pages only once when starting a new first scan. The regions are saved in a list and splitted over the available threads. My next scan just goes over the saved regions. Is this correct, or do I need to run VirtualQueryEx over again for a next scan? This does not make sense to me because some regions could be changed or unreadable, invalidating many results where this would not be nessecary;
  
• When scanning (both first- and next scan), I read the complete region in a buffer using one ReadProcessMemory call. This should work and runs fast, but I have my doubts for the next scan. When stepping through the read calls using the debugger I ran into some ERROR_PARTIAL_COPY error codes, but when I checked for ERROR_PARTIAL_COPY using an if and OutputDebugString, nothing was ever confirmed so. I also tried this in single thread mode, so the multithreading cannot be the cause of GetLastError/SetLastError interference. Could my issue be located here? partial/corrupt reading makese sense to me as a cause of my next scan issue. Also, if so, what things cause the partial copy error? How can I prevent this?
  

I also have a cheatengine related question that I am curious about. My memory scanner just uses ReadFile and WriteFile synchronously to write and read out data to the result files. This runs fast when there are not too many results but when having 100 million or more, it blocks in the end of the scan, slowing it down by much. I tried asynchronous I/O (Completion ports, overlapped, WriteFileEx) but this did not fit my needs. It was also way too hard and only worked half of the time because my application's design produces too many I/O requests in a too fast timespan.

How does cheatengine write data to the files so fast, while not blocking the scan sequence? I assumed that it was nessecary to have all data written out before starting a next scan, because that would deliver corrupt results as not everything could have been written yet.

Thanks in advance![/list]

[Dark Byte]

cheat engine cheats by finishing before the write operation is done.
The time it takes to switch back to the game and do stuff is usually long enough for the write operation to finish anyhow. And if not, then next scan is going to take a bit longer as it first waits for the results to be fully written

Also, don't believe the errorcode and result of a readprocessmemory call. The total number of bytes read is what actually counts

As for nextscan bugging out, think about variables that overlap between pages.
a 4 byte value at 1234ffff can contain a value you may want to read
so read 4096+3 bytes of page 1234f000

[crydev]

Thanks Dark_Byte, I will have a look at it.