Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
 
 FAQFAQ   SearchSearch   MemberlistMemberlist   UsergroupsUsergroups   RegisterRegister 
 ProfileProfile   Log in to check your private messagesLog in to check your private messages   Log inLog in 


Monitor shared memory

 
Post new topic   Reply to topic    Cheat Engine Forum Index -> General Discussions
View previous topic :: View next topic  
Author Message
luminebot
How do I cheat?
Reputation: 0

Joined: 07 Jun 2021
Posts: 8

PostPosted: Mon Jun 07, 2021 2:03 pm    Post subject: Monitor shared memory Reply with quote

Hi there, I'm new to cheat engine and I found it extremely helpful in my end. But now I'm stuck with a problem.

I have two programs communicating each other in local machine with Shared Memory instead of a network and it use Memory Mapped File. After doing small research, I found msdn doc how shared memory with memory mapped file work. The thing is, either programs hold the pointer to the memory region. it don't need to call WinAPI whenever the program need to read / write, it only called once during initialization as the part to getting the pointer, making API hooking useless.

Now the question, is it possible to set breakpoint to data inside Memory Mapped File? I like to know whether there's pointer pointing at certain memory address inside the memory mapped file and add breakpoint to it whenever there's read or write.


Last edited by luminebot on Wed Jun 09, 2021 11:44 am; edited 2 times in total
Back to top
View user's profile Send private message
Dark Byte
Site Admin
Reputation: 457

Joined: 09 May 2003
Posts: 25262
Location: The netherlands

PostPosted: Mon Jun 07, 2021 4:37 pm    Post subject: Reply with quote

assuming it's not a virtual machine, you could use dbvm find what accesses.

This version of 'find what accesses' uses physical memory and doesn't distinguish between processes.

_________________
Do not ask me about online cheats. I don't know any and wont help finding them.

Like my help? Join me on Patreon so i can keep helping
Back to top
View user's profile Send private message MSN Messenger
luminebot
How do I cheat?
Reputation: 0

Joined: 07 Jun 2021
Posts: 8

PostPosted: Mon Jun 07, 2021 9:11 pm    Post subject: Reply with quote

Dark Byte wrote:
assuming it's not a virtual machine, you could use dbvm find what accesses.

This version of 'find what accesses' uses physical memory and doesn't distinguish between processes.


Thanks for reply! I’m not really familiar with dbvm, could you please provide step by step?
Back to top
View user's profile Send private message
Dark Byte
Site Admin
Reputation: 457

Joined: 09 May 2003
Posts: 25262
Location: The netherlands

PostPosted: Tue Jun 08, 2021 12:19 am    Post subject: Reply with quote

1: save everything you're doing on your system

2: rightclick the address in the addresslist and chiose "dbvm find out what accesses address"

3: answer yes once or twice and then your system either freezes, BSODs, or you get an access config window.
Assuming you get the config window: The defaults should be ok. But make sure physical memory os automatically filled in. If not, enable kernelmode openprocess in settings and reopen the process and try again

4: click ok and it'll be exactly like the normal find what accesses/writes

_________________
Do not ask me about online cheats. I don't know any and wont help finding them.

Like my help? Join me on Patreon so i can keep helping
Back to top
View user's profile Send private message MSN Messenger
luminebot
How do I cheat?
Reputation: 0

Joined: 07 Jun 2021
Posts: 8

PostPosted: Tue Jun 08, 2021 2:09 am    Post subject: Reply with quote

Dark Byte wrote:
1: save everything you're doing on your system

2: rightclick the address in the addresslist and chiose "dbvm find out what accesses address"

3: answer yes once or twice and then your system either freezes, BSODs, or you get an access config window.
Assuming you get the config window: The defaults should be ok. But make sure physical memory os automatically filled in. If not, enable kernelmode openprocess in settings and reopen the process and try again

4: click ok and it'll be exactly like the normal find what accesses/writes


Thanks for the reply! I think I get the idea how to do it, I haven’t try it yet since I’m away for work now, but I got more question now.

From what you write above, it seems assume i found the address after opening the process. This memory mapped file is shared between two process, the first process is client which only read stuff from it (only certain occasion it write data), while the other one is server which write data to it.

I do use “Find what access / writes” several time but only for a simple purpose in single process, so now the questions:
1. Which process I should open with Cheat Engine? client or server?
2. Assuming there’s no BSOD or crash or stuff like that, will this “Find what access / writes” list gets updated even the access / writes triggered from different process that I open with Cheat Engine?

Once again, thanks for guidance
Back to top
View user's profile Send private message
Dark Byte
Site Admin
Reputation: 457

Joined: 09 May 2003
Posts: 25262
Location: The netherlands

PostPosted: Tue Jun 08, 2021 3:14 am    Post subject: Reply with quote

DBVM find what accesses is based on physical memory access detection

Shared memory has the exact same physical address in both processes so you can pick either

The data is collected based on the pagetable of the accessing process.
Note: if this part fails (just ??'s when showing disassembler code) in settings-debugger click on the "make possible" button and restart windows.

_________________
Do not ask me about online cheats. I don't know any and wont help finding them.

Like my help? Join me on Patreon so i can keep helping
Back to top
View user's profile Send private message MSN Messenger
luminebot
How do I cheat?
Reputation: 0

Joined: 07 Jun 2021
Posts: 8

PostPosted: Tue Jun 08, 2021 8:20 am    Post subject: Reply with quote

Thanks for all the replies! I got it working now, but there's weird catch that I need to verify later, I might ask more question bit later in weekend when I have time for tinkering this, since DBVM require me to shut down / disable Hyper-V and render WSL 2 disabled and I need it for work stuff.

But what I got so far:
- The most important part is perhaps I was wrong about how these two programs work fundamentally, the server program indeed writes data to MMF, it also constantly write current timestamp so it's get updated very frequent, but what I see in the client with Cheat Engine is some kind of snapshot of the MMF since the timestamp isn't moving at all. Turns out there's `Update()` function that I need to call in client, like house keeping function that need to be called regularly and it seems it copy the MMF content to internal memory in which I can observe in Cheat Engine.

- Even after concluding the first point above, normal "Find what writes/access this address" isn't working for me, I thought it would work since I assume the client copy MMF content into it's own memory. I could verify with my own program that MMF get updated frequently every seconds (in case I mistaken it as local memory in server program). But "DBVM Find what writes or access this address" work for me, when I call the function which suppose to read the data in certain memory region, it add into the list after watching it. I haven't open the disassembler yet since I'm not good with asm.

- Speaking of copying into internal memory (which at this point, i still assuming), I couldn't find the MMF address when opening client program in Cheat Engine, what I found is the snapshot I mentioned earlier, the pointer to MMF might be destroyed when it gets copied to local memory as part of the cleanup, but it will be weird since i don't detect any MMF WinAPI calls, I mean if it gets destroyed or lost, it should be query again to WinAPI to get the pointer to MMF

- When I tried to open the server program with cheat engine, I tried to use "DBVM Find what writes or access this address" into the MMF memory, I saw dozen of instructions happening at high speed but there's seems no new instruction listed when I call "Update()" function from the client.

For now, I'm good to go since I able to watch which memory gets read when client call certain function so I might able to emulate the server program. But if you do have insight what happening with my scenario, please let me know
Back to top
View user's profile Send private message
Display posts from previous:   
Post new topic   Reply to topic    Cheat Engine Forum Index -> General Discussions All times are GMT - 6 Hours
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Powered by phpBB © 2001, 2005 phpBB Group

CE Wiki   IRC (#CEF)   Twitter
Third party websites