How MHS performs pointer search?

Discussions Related to Game Hacking and Memory Hacking Software

Postby Dimple » Tue Jun 28, 2011 2:19 pm

I had never really thought of it before, but MHS seems to have a super effective way to perform a pointer search (this probably applies to all the other searches, too). I tried to implement the simplest pointer search ever but using it takes forever. MHS does the same in less than a second.

I need to search through the memory for references to a static string to beat the DMA, but the method I'm using right now is just way too slow. So, how does MHS search through the memory so fast? I'm examining the source code right now but it would help if I got a general explanation of what's the idea behind the code. I can't use L. Spiro script because the search will need to be integrated into a program. Implementing it in C++ is the only option.

Thanks in advance.

Re: How MHS performs pointer search?

Postby L. Spiro » Tue Jun 28, 2011 6:25 pm

The largest amount of overhead induced by Pointer Search comes from dereferencing candidate values to determine whether they actually point to a valid block of RAM.
We want to avoid this at all costs, so we have to determine that a value is not a pointer as quickly as possible.

The functions that return pointers are supposed to follow some basic rules that we can exploit to quickly weed them out before dereferencing them.
#1: The C/C++ standard requires pointers returned by ::malloc()/new to point to a location that is aligned properly for the largest primitive data type. That means 8 bytes.
The standard C library ignores this on Windows and returns pointers that point to addresses aligned to 4 bytes.
Thus if the value we are testing to be a pointer fails to meet (VALUE & 0x3) it is discarded as not being a pointer.

#2: Pointers may not point above or below certain addresses.
Use ::GetSystemInfo() to determine this range and discard values that point too low or too high.

#3: Pointers themselves are always aligned on 4-byte addresses on x86 and 8-byte addresses on x64. Only check these addresses in your scan.

These 3 checks will help you eliminate many values before you are required to do the last check.
#4: Pointers must point to a valid location in memory. Use VirtualQueryEx() to check the properties of the address where the value points.
If the page is not valid, the value is not a pointer.


L. Spiro
Our songs remind you of songs you’ve never heard.

Re: How MHS performs pointer search?

Postby Dimple » Mon Jul 11, 2011 4:10 pm

Thanks a lot. :)

Btw. does MHS use VirtualQueryEx to "walk" through the memory to find the areas that are committed?

Re: How MHS performs pointer search?

Postby L. Spiro » Tue Jul 12, 2011 7:52 am

It does.

One common mistake is to walk and scan at the same time.
Build a table of the addresses you are going to scan (and the chunk sizes) and then scan them.
This is not only more organized, it allows you to easily break a chunk into multiple chunks. This is required for searching emulators etc., which have ROM images stored in 512-megabyte chunks; a local scan buffer that large will probably fail to be allocated.


L. Spiro
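The four checks from L. Spiro's first reply and the walk-first-then-scan advice from the second, combined into one added C++ example. This is not MHS code and not code posted by either participant. It assumes: a constructed two-region 32-bit sample (not real process memory), the typical 32-bit address limits 0x10000..0x7FFEFFFF standing in for what GetSystemInfo() returns, a little-endian host, and the struct/function names used here (Region, Limits, Hit, FindPointers, etc.), which are this example's own. Check #4 is answered from the region table built during the walk rather than by calling VirtualQueryEx() per candidate; the Windows-only walker is included under #ifdef _WIN32 and is not exercised by the sample.

```cpp
#include <algorithm>
#include <cstdint>
#include <cstring>
#include <vector>

// One committed region of the target, copied into a local buffer. On Windows
// the table is filled by BuildRegionTable (below); the sample constructs it.
struct Region { uint64_t base; uint64_t size; std::vector<uint8_t> data; };

// Lowest/highest user-mode addresses (lpMinimum/MaximumApplicationAddress).
struct Limits { uint64_t minAddr; uint64_t maxAddr; };

// A slot that holds a plausible pointer, and the value found there.
struct Hit { uint64_t where; uint64_t value; };

// Checks #1 and #2: pure arithmetic, rejects most values before any lookup.
bool CheapReject(uint64_t value, const Limits& lim, uint64_t align) {
    if (value & (align - 1)) return true;                         // misaligned allocation
    if (value < lim.minAddr || value >= lim.maxAddr) return true; // outside user range
    return false;
}

// Check #4 against the pre-built table (sorted by base) instead of a syscall
// per candidate. Returns nullptr when the address is not in any region.
const Region* FindRegion(const std::vector<Region>& regions, uint64_t addr) {
    auto it = std::upper_bound(regions.begin(), regions.end(), addr,
        [](uint64_t a, const Region& r) { return a < r.base; });
    if (it == regions.begin()) return nullptr;
    --it;
    return (addr >= it->base && addr < it->base + it->size) ? &*it : nullptr;
}

// Check #3: step through each buffer by ptrSize so only aligned slots are read.
// ptrAlign is the allocator's guarantee (4 for the 32-bit Windows CRT, per the post).
std::vector<Hit> FindPointers(const std::vector<Region>& regions, const Limits& lim,
                              size_t ptrSize, uint64_t ptrAlign) {
    std::vector<Hit> hits;
    for (const Region& r : regions) {
        for (uint64_t off = 0; off + ptrSize <= r.size; off += ptrSize) {
            uint64_t v = 0;
            std::memcpy(&v, r.data.data() + off, ptrSize); // little-endian host assumed
            if (CheapReject(v, lim, ptrAlign)) continue;
            if (!FindRegion(regions, v)) continue;
            hits.push_back({r.base + off, v});
        }
    }
    return hits;
}

// The original question: slots that reference one specific target (the static string).
std::vector<uint64_t> FindPointersTo(const std::vector<Hit>& hits, uint64_t target) {
    std::vector<uint64_t> out;
    for (const Hit& h : hits) if (h.value == target) out.push_back(h.where);
    return out;
}

#ifdef _WIN32
#include <windows.h>
// Windows only: walk the target with VirtualQueryEx, copy every committed and
// readable region, then scan. A region of hundreds of megabytes (emulator ROM
// images) should be split into smaller Region entries here instead of one copy.
std::vector<Region> BuildRegionTable(HANDLE hProc, Limits& lim) {
    SYSTEM_INFO si; GetSystemInfo(&si);
    lim.minAddr = (uint64_t)(uintptr_t)si.lpMinimumApplicationAddress;
    lim.maxAddr = (uint64_t)(uintptr_t)si.lpMaximumApplicationAddress;
    std::vector<Region> regions;
    MEMORY_BASIC_INFORMATION mbi;
    uintptr_t addr = (uintptr_t)lim.minAddr;
    while (addr < (uintptr_t)lim.maxAddr &&
           VirtualQueryEx(hProc, (LPCVOID)addr, &mbi, sizeof(mbi)) == sizeof(mbi)) {
        if (mbi.State == MEM_COMMIT && !(mbi.Protect & (PAGE_NOACCESS | PAGE_GUARD))) {
            Region r{(uint64_t)(uintptr_t)mbi.BaseAddress, (uint64_t)mbi.RegionSize, {}};
            r.data.resize(mbi.RegionSize);
            SIZE_T got = 0;
            if (ReadProcessMemory(hProc, mbi.BaseAddress, r.data.data(), mbi.RegionSize, &got)
                && got == mbi.RegionSize)
                regions.push_back(std::move(r));
        }
        addr = (uintptr_t)mbi.BaseAddress + mbi.RegionSize;
    }
    return regions;
}
#endif

// Constructed 32-bit sample (assumption, not captured memory): region A holds
// five candidate values, region B holds the string being referenced.
std::vector<Region> SampleRegions() {
    const uint32_t slots[5] = {
        0x00410010, // aligned, in range, inside region B      -> pointer
        0x00410012, // (VALUE & 0x3) != 0                      -> rejected by #1
        0x00001000, // below minAddr                           -> rejected by #2
        0x00500000, // aligned and in range but unmapped       -> rejected by #4
        0x00410000, // start of region B                       -> pointer
    };
    Region a{0x00400000, 0x20, std::vector<uint8_t>(0x20, 0)};
    std::memcpy(a.data.data(), slots, sizeof(slots));
    Region b{0x00410000, 0x100, std::vector<uint8_t>(0x100, 0)};
    std::memcpy(b.data.data() + 0x10, "DMAtest", 8);
    return {a, b};
}

const Limits kWin32Limits{0x00010000, 0x7FFEFFFF}; // assumed typical GetSystemInfo values

std::vector<Hit> SampleHits() { return FindPointers(SampleRegions(), kWin32Limits, 4, 4); }
```

On the sample, only the first and fifth slots survive; the bytes of "DMAtest" themselves are read as candidates too (0x74414D44 is aligned and in range but maps to no region, 0x00747365 is misaligned), which is exactly the case checks #1 and #4 exist for. For a real target, replace SampleRegions() with BuildRegionTable() on a handle opened with PROCESS_QUERY_INFORMATION | PROCESS_VM_READ and pass ptrSize 8 and ptrAlign 8 for a 64-bit target.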

Re: How MHS performs pointer search?

Postby Dimple » Tue Jul 12, 2011 11:46 pm

Thanks for the tip, I guess I should rewrite my memory scanner. :P