
Unknown Initial Value

Posted: Sat May 21, 2011 2:49 am
by iPromise
I'm currently working on my own memory engine; it's 80% done. The only obstacle that is bothering me now is the Unknown Initial Value scan.

This was my old method, but it was too slow to scan on any games:

-> Scan for all the readable addresses in the game, and then record them down to a file like this: "address value", ex: 0xDEADBEAF 10

-> 'Changed scan' reads the file, obtains the address (0xDEADBEAF) and the value (10), makes a record of them, reads the new value from the address (0xDEADBEAF), and if the new value and the old value (10) match then the values haven't changed. If, however, the new value does not match the old value (10), then the values have changed.

This whole process takes too long and I don't have any new ideas of how to finish the unknown initial value scan. Can somebody please help me?

Re: Unknown Initial Value

Posted: Sat May 21, 2011 10:00 am
by L. Spiro
I know about your new memory searcher.


Anyway, you only need to save the first address of a chunk, and then save the chunk.
[0xDEADB00F][ALL DATA STARTING AT ADDRESS 0xDEADB00F (could be 2 megabytes of data, 12, 25, 512, whatever)…]

This gives you a format that can be saved to a file in nearly an instant.
For any value in a chunk, its actual address is [OffsetIntoChunk+StartingAddressOfChunk].


When performing the following scan to eliminate values, load an entire chunk into RAM at once.
Reading from files is slow. Perform read operations as infrequently as possible.


L. Spiro

Re: Unknown Initial Value

Posted: Sat May 21, 2011 11:50 pm
by iPromise
So, trying to understand what you have said: basically, if the starting address of the process was 0x00400000, and let's say for example the size of the whole application is 2048,

I would do something like this:

Code:
BYTE bBuffer [ 2048 ] = {0};
memcpy ( (void*) bBuffer, (void*) 0x00400000, 2048 );


and now that I have a record of the buffer, I could check each value by going through the buffer, something like this?

Code:
DWORD dwStartAddr = 0x00400000;

for ( SIZE_T i = 0; i < 2048; i ++ )
{
    // compare the live byte at dwStartAddr + i with the snapshot taken earlier
    if ( read <BYTE> ( dwStartAddr + i ) != bBuffer [ i ] )
    {
        // value has changed
    }
}


Is that how you're supposed to do it?

Re: Unknown Initial Value

Posted: Sun May 22, 2011 11:29 am
by L. Spiro
What you actually save to disk would be the value 0x00400000, the length of the chunk (2048), and then the contents of bBuffer.
2056 bytes on x86, 2064 on x64. You are planning to support 64-bit machines I hope.

Since your code suggests that you are scanning via DLL injection, you don’t need to copy from address 0x00400000 to bBuffer; you can just ::WriteFile( hFile, reinterpret_cast<LPCVOID>(0x00400000), 2048, NULL, NULL ).


Your second set of code is essentially correct for DLL injection scans.
However, you need to read this article.


L. Spiro
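The chunk format and the changed scan described in the two replies above, worked through as an added example that is not part of the original thread or of either poster's tool. It assumes a little-endian host, fixes both header fields at 64 bits so the same file layout serves x86 and x64 builds, and stands in a constructed 64-byte array for the target process so it runs outside an injected DLL; the pretend addresses, offsets and values are made up for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One saved region in the format suggested above: [start][length][bytes].
 * Both header fields are 64-bit so one file layout serves x86 and x64
 * builds (assumption: the host is little-endian). */
typedef struct {
    uint64_t start;   /* address the bytes were copied from */
    uint64_t length;  /* number of bytes that follow the header */
    uint8_t *data;    /* the bytes as they were at snapshot time */
} chunk_t;

/* Write [start][length][data] into out. Returns bytes written, 0 if out is too small. */
size_t chunk_serialize(const chunk_t *c, uint8_t *out, size_t cap)
{
    if (c->length > SIZE_MAX - 16) return 0;
    size_t need = 16 + (size_t)c->length;
    if (cap < need) return 0;
    memcpy(out, &c->start, 8);
    memcpy(out + 8, &c->length, 8);
    memcpy(out + 16, c->data, (size_t)c->length);
    return need;
}

/* Parse one chunk back out of a loaded buffer; data points into buf (no copy).
 * Returns bytes consumed, or 0 if the header is truncated or claims more
 * bytes than the buffer holds (a corrupt snapshot must not drive a read). */
size_t chunk_parse(const uint8_t *buf, size_t len, chunk_t *out)
{
    if (len < 16) return 0;
    memcpy(&out->start, buf, 8);
    memcpy(&out->length, buf + 8, 8);
    if (out->length > (uint64_t)(len - 16)) return 0;
    out->data = (uint8_t *)(buf + 16);
    return 16 + (size_t)out->length;
}

/* Changed scan over one chunk. `current` holds the region's bytes as they are
 * now (inside an injected DLL that is just (const uint8_t *)saved->start).
 * Compares aligned value_size-byte cells and records the address of each
 * cell that differs, using address = start + offset as described above.
 * Returns the number of changed cells; only the first max_hits are stored. */
size_t scan_changed(const chunk_t *saved, const uint8_t *current,
                    size_t value_size, uint64_t *hits, size_t max_hits)
{
    size_t n = 0;
    for (uint64_t off = 0; off + value_size <= saved->length; off += value_size) {
        if (memcmp(saved->data + off, current + off, value_size) != 0) {
            if (n < max_hits) hits[n] = saved->start + off;
            n++;
        }
    }
    return n;
}

/* Demo on a constructed 64-byte "process region" at a pretend address.
 * Snapshots it, lets the "game" change two 4-byte values, then runs the
 * changed scan against the snapshot. Returns the number of changed cells
 * (or (size_t)-1 on a serialization error). */
size_t demo_unknown_initial_value(uint64_t *first_hit)
{
    enum { REGION = 64 };
    uint8_t region[REGION];
    for (int i = 0; i < REGION; i++) region[i] = (uint8_t)i;  /* constructed data */

    chunk_t snap = { 0x00400000ULL, REGION, region };          /* hypothetical address */
    uint8_t disk[16 + REGION];                                  /* stands in for the file */
    size_t written = chunk_serialize(&snap, disk, sizeof disk);
    if (written == 0) return (size_t)-1;

    /* The "game" updates health at +0x10 and ammo at +0x2C (constructed). */
    uint32_t health = 97, ammo = 11;
    memcpy(region + 0x10, &health, 4);
    memcpy(region + 0x2C, &ammo, 4);

    chunk_t saved;
    if (chunk_parse(disk, written, &saved) == 0) return (size_t)-1;

    uint64_t hits[8];
    size_t n = scan_changed(&saved, region, 4, hits, 8);
    if (first_hit && n > 0) *first_hit = hits[0];
    return n;
}

/* Convenience wrapper: address of the first changed cell in the demo. */
uint64_t demo_first_changed_address(void)
{
    uint64_t first = 0;
    demo_unknown_initial_value(&first);
    return first;
}

int main(void)
{
    uint64_t first = 0;
    size_t n = demo_unknown_initial_value(&first);
    printf("%zu cell(s) changed, first at 0x%08llx\n", n, (unsigned long long)first);
    return 0;
}
```

In a real engine the region would be the bytes of one readable page range and the whole chunk would be loaded into RAM once before scanning, as the reply above advises; the length check in chunk_parse is there so a truncated or tampered snapshot cannot make the scan read past the buffer.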

Re: Unknown Initial Value

Posted: Mon May 23, 2011 3:07 pm
by esco
iPromise wrote:I'm currently working on my own memory engine; it's 80% done. The only obstacle that is bothering me now is the Unknown Initial Value scan.

This was my old method, but it was too slow to scan on any games:

-> Scan for all the readable addresses in the game, and then record them down to a file like this: "address value", ex: 0xDEADBEAF 10

-> 'Changed scan' reads the file, obtains the address (0xDEADBEAF) and the value (10), makes a record of them, reads the new value from the address (0xDEADBEAF), and if the new value and the old value (10) match then the values haven't changed. If, however, the new value does not match the old value (10), then the values have changed.

This whole process takes too long and I don't have any new ideas of how to finish the unknown initial value scan. Can somebody please help me?


Do you have a link to your WIP page for your tool? I would be interested in seeing how it compares to my boy, Spiro's (nothing personal, but I don't think almost ANYONE will top his... but you never know). 8)