Cheat Engine

CosmoCortney

Hello,
every debugger made for video game consoles allows us to dump the memory to a file. Is Cheat Engine capable of doing so with any process loaded into memory?

I have found something labeled as Save memory region in the memory viewer. But I am unsure if it allows me to dump the RAM...

Dark Byte · Posted: Tue Jul 05, 2016 3:53 pm Post subject:

not all, but you can save sections using the memory view window file->save memory region

but you could probably also use the taskmanager, rightclick the process and then choose "create dump file"

CosmoCortney · Posted: Tue Jul 05, 2016 4:11 pm Post subject:

Tried the task manager method but there seems to be additional junk inside the dump so none of the addresses match.
When I try to dump the file with cheat engine as you have mentioned it tells me that not all of the memory was readable. The target address is at 0x03B53C98 and i wanted the dump to start at 0x00000000. But saving very small snippets works well. But that's not what I want

STN · Posted: Tue Jul 05, 2016 6:09 pm Post subject:

Use LordPE or IDA or similar software. CE is a memory scanner first and a debugger second so using a specialized software for your purpose works better than expecting another to be an AIO.

CosmoCortney · Posted: Tue Jul 12, 2016 9:02 am Post subject:

Well, I thought it'd be possible since a lot of debuggers for consoles can dump the memory which is a really helpful feature.
Well, LordPE seems to be unable to detect x64 programs Sad

Dark Byte · Posted: Tue Jul 12, 2016 9:09 am Post subject:

Processes in windows act different than a console.

for example, address 0x00000000 to 0x0000ffff just doesn't exist. It's not 0, not 0xff , it just doesn't exist.
This is due to paging. Processes exist out of pages, which each point to a random physical memory location.

Also, unlike a book, pages can be missing. e.g pages 1 to 15 are usually missing, and this is fine. As long as the process doesn't reference those pages, everything will work as it should.
But this does cause an issue for dumping memory, as you would have to fill in the gaps for missing pages, which would basically be a waste of diskspace.

Of course, if you REALLY want to dump RAM, then enable kernelmode read/write process memory, open the [Physical Memory] process and save a memory region from 00000000 to whatever amount of RAM your system has (and perhaps a bit more to include device memory like a videocard)

CosmoCortney · Posted: Tue Jul 12, 2016 9:44 am Post subject:

Yea, I have noticed that it just maps a lot of snippets of RAM instead of a consecutive section. But this is totally fine. I can dump the right region if the address is between them. The problem is when the mapped memory area is not the same. I could dump the memory areas just fine with a tool called PETools. It supports x86 and x64 and shows me which memory regions have read/write-, execute permissions or cannot be accessed.