exskill How do I cheat?
Reputation: 0
Joined: 12 Jul 2023 Posts: 3
Posted: Wed Jul 12, 2023 11:20 am Post subject: Large dumps do not open. Out of memory error.
Hello friends. Using any DMA board and MemProcFS allows you to analyze the memory of a remote machine in real time. All processes of the remote machine are displayed as folders that contain all the information.
Inside the folders is the virtual memory file of the process.
The memory structure in the file is fully consistent with the target machine, all addresses are the same.
Using any HEX editor, you can open a virtual memory file (vmem). The search is fast, but there is no cool Cheat Engine functionality.
If you click “Open File” in CE, it will write an error “Out of Memory Error”. Is it possible to change the logic so that when opening large files, CE does not try to load them into memory, but processes them with a standard reading stream?
Dark Byte Site Admin
Reputation: 471
Joined: 09 May 2003 Posts: 25814 Location: The netherlands
Posted: Wed Jul 12, 2023 1:04 pm Post subject:
That will require a plugin.
Is there also a file that describes the memory layout? Else the scan can take a long time.
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping
exskill How do I cheat?
Reputation: 0
Joined: 12 Jul 2023 Posts: 3
Posted: Wed Jul 12, 2023 3:40 pm Post subject:
Yes, there is a detailed virtual memory map in the process folder. Path:
M:\name\Tutorial-i386.-17188\memmap\vad.txt
or
M:\pid\17188\memmap\vad.txt
Example:
# PID Object Address Pages Commit Range Start-End Type FLAGS Description
-----------------------------------------------------------------------------------------------------------
0000 17188 ffffe1064bea62c0 10 0 0 0000000000010000-000000000001ffff Heap --rw-- HEAP-04 [NtSegment]
0001 17188 ffffe1064bea6680 1 0 0 0000000000020000-0000000000020fff Pf --r---
0002 17188 ffffe1064bea6900 1 0 0 0000000000030000-0000000000030fff Pf --r---
0003 17188 ffffe1064bea50a0 1d 0 0 0000000000040000-000000000005cfff Pf --r---
0004 17188 ffffe10644b1cd20 40 c 0 0000000000060000-000000000009ffff Stack p-rw-- STACK-0D54
0005 17188 ffffe1064bea5aa0 4 0 0 00000000000a0000-00000000000a3fff Pf --r---
0006 17188 ffffe1064bea5c80 3 0 0 00000000000b0000-00000000000b2fff Pf --r---
0007 17188 ffffe10644b1d9a0 2 2 1 00000000000c0000-00000000000c1fff p-rw--
0008 17188 ffffe1064a2481c0 8 0 0 0000000000150000-0000000000157fff Pf --r---
0009 17188 ffffe10644b1d220 10 8 0 0000000000160000-000000000016ffff Heap p-rw-- HEAP-03 [NtSegment]
000a 17188 ffffe10644b220e0 6a 2 0 0000000000170000-00000000001d9fff Heap p-rw-- HEAP-00 [NtLfh]
000b 17188 ffffe1064beaba40 3 0 0 00000000001e0000-00000000001e2fff File --r--- 144ccf1df_6.0.19041.2673_ru-ru_07947b48041b8ac1\comctl32.dll.mui
000c 17188 ffffe1064bea96a0 2 0 0 00000000001f0000-00000000001f1fff Pf --r---
000d 17188 ffffe10644b1cc80 200 5 0 0000000000200000-00000000003fffff Teb p-rw-- TEB-0D54
000e 17188 ffffe1064bea3de0 273 7c 0 0000000000400000-0000000000672fff Image ---wxc \Program Files\Cheat Engine 7.5\Tutorial-i386.exe
...
The virtual memory file is located at the path:
M:\name\Tutorial-i386.-17188\memory.vmem
or
M:\pid\17188\memory.vmem
exskill How do I cheat?
Reputation: 0
Joined: 12 Jul 2023 Posts: 3
Posted: Thu Jul 20, 2023 4:01 am Post subject:
Can you tell me what to fix in the source code so that the file opens without an error? Writing a plugin and using a virtual memory map is too complicated.
Dark Byte Site Admin
Reputation: 471
Joined: 09 May 2003 Posts: 25814 Location: The netherlands
Posted: Thu Jul 20, 2023 5:36 am Post subject:
In filehandler.pas you'll have to rewrite ReadProcessMemoryFile, WriteProcessMemoryFile, and VirtualQueryExFile.
ReadProcessMemoryFile and WriteProcessMemoryFile so they only fetch parts of the file when needed. And rewrite VirtualQueryExFile so that it reads that map vad.txt file and parses the results according to the results of QueryVirtualMemory.
And of course rewrite the part where CE opens the file in newkernelhandler.pas in DBKFileAsMemory. Instead of loading the file into a memorystream you'll need to open the file and obtain a handle, which you'll then use for the other calls (I recommend using TLS for the handle so each thread has its own read handle. Else you'll have to implement a critical section around reading).
(It's the same amount of work as writing a plugin)
|
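The map-driven approach from the last reply, as an added example (Python, not Cheat Engine's Pascal source and not code from the thread): it parses the vad.txt rows shown above, answers a VirtualQueryEx-style lookup for an address, and reads memory.vmem by seeking instead of loading the whole file. The names parse_vad, query and read_at are hypothetical, and the file-offset-equals-address behaviour is taken from the first post.

```python
import bisect
import re
from typing import NamedTuple, Optional

# Rows copied from the vad.txt excerpt in the thread; header and "..." kept.
SAMPLE = r"""# PID Object Address Pages Commit Range Start-End Type FLAGS Description
0000 17188 ffffe1064bea62c0 10 0 0 0000000000010000-000000000001ffff Heap --rw-- HEAP-04 [NtSegment]
0007 17188 ffffe10644b1d9a0 2 2 1 00000000000c0000-00000000000c1fff p-rw--
000e 17188 ffffe1064bea3de0 273 7c 0 0000000000400000-0000000000672fff Image ---wxc \Program Files\Cheat Engine 7.5\Tutorial-i386.exe
...
"""

# Row: index, PID, object, pages, commit, counter, start-end, [type], flags, [desc]
ROW = re.compile(
    r"^\s*[0-9a-f]+\s+\d+\s+[0-9a-f]+\s+([0-9a-f]+)\s+[0-9a-f]+\s+[0-9a-f]+\s+"
    r"([0-9a-f]{16})-([0-9a-f]{16})\s+(?:(\w+)\s+)?([-a-z]{6})\s*(.*)$")

class Region(NamedTuple):
    start: int
    end: int      # inclusive, as printed in vad.txt
    kind: str     # "" when the Type column is empty
    flags: str
    desc: str

def parse_vad(text: str) -> list[Region]:
    """Parse vad.txt rows; header, separator and '...' lines are skipped."""
    regions = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        pages, start, end = (int(m.group(i), 16) for i in (1, 2, 3))
        if end - start + 1 != pages * 0x1000:  # hex page count, 4 KiB pages (true for the sample rows)
            raise ValueError(f"inconsistent row: {line!r}")
        regions.append(Region(start, end, m.group(4) or "", m.group(5), m.group(6).strip()))
    return sorted(regions)

def query(regions: list[Region], addr: int) -> Optional[Region]:
    """Return the region containing addr, or None for an unmapped address."""
    i = bisect.bisect_right([r.start for r in regions], addr) - 1
    return regions[i] if i >= 0 and addr <= regions[i].end else None

def read_at(f, regions: list[Region], addr: int, size: int) -> bytes:
    """Read up to size bytes at addr by seeking, never past the region end."""
    r = query(regions, addr)
    if r is None:
        return b""
    f.seek(addr)  # assumption from the thread: file offset == virtual address
    return f.read(min(size, r.end - addr + 1))
```

Pass read_at a file opened with open(path, "rb"); only the requested bytes are read, so the size of memory.vmem never has to fit in RAM.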