memory lookup via Unknown initial value

[bapl]

Hello!

I would like to know how to call ReadProcessMemory through Dll, or use Classmemory, to repeat the same search that is in Cheat Engine, namely "Unknown initial value"?
Does anyone have any options on how this can be done based on the notepad.exe program?

I'm trying to partially port CheatEngine to an AHK environment by trying to replicate the methods.
So I'm interested in searching for values ​​in the following scan types: "Binary, Byte, 2 byte, 4 byte, 8 byte, float, double and string

I also do not understand why this method does not find the required value in 4 byte:

Code: Select all

#SingleInstance force
#Include classMemory.ahk

if (_ClassMemory.__Class != "_ClassMemory")
    msgbox Classmemory error
;=============================================================
processname := "ahk_exe win32calc.exe"
winget, pid, pid, %processname%
App := new _ClassMemory("ahk_pid " pid, "", hProcessCopy)
if !isObject(App) 
{
    msgbox failed to open a handle
    if (hProcessCopy = 0)
        msgbox The program isn't running (not found) or you passed an incorrect program identifier parameter. 
    else if (hProcessCopy = "")
        msgbox OpenProcess failed. If the target process has admin rights, then the script also needs to be ran as admin. Consult A_LastError for more information.
}

AOB := stringToAOBPattern("85695867", "UTF-8")
stringAdress := App.processPatternScan (0,0x7FFFFFFF, AOB*)
msgbox % stringAddress

I am getting an empty message in Msgbox

[Spawnova]

I'm not familiar with the class, but one thing to keep in mind is the memory is probably stored in little endian, but we read most things in big endian
for example say you wanted to find the value 0x11223344 you would make an AoB scan for 0x44 0x33 0x22 0x11 instead of 0x11 0x22 0x33 0x44

But these type of operations are going to be INCREDIBLY slow compared to cheat engine =[

[bapl]

@Spawnova
However, I'm still interested in how to find "Unknown initial value", be it slow or fast.
I'm sure the Cheat Engine is using some kind of trick based on the base address of the program in memory.

[swagfag]

it isnt working because this is not a method invocation
stringAdress := App.processPatternScan⎵(0,0x7FFFFFFF, AOB*)

[bapl]

it isnt working because this is not a method invocation
stringAdress := App.processPatternScan⎵(0,0x7FFFFFFF, AOB*)

I wrote it all together, but stringAddress is still empty.
stringAdress := App.processPatternScan(0,0x7FFFFFFF, AOB*)

[swagfag]

a shame really, but i cant say i wasnt expecting that

then start debugging ur script from the top. are ur inputs correct? are u getting the expected values back? are u misusing the functions/methods? and so on. u dont need me to teach u debugging. this is basic stuff

[bapl]

a shame really, but i cant say i wasnt expecting that

then start debugging ur script from the top. are ur inputs correct? are u getting the expected values back? are u misusing the functions/methods? and so on. u dont need me to teach u debugging. this is basic stuff

Sorry if my English is terrible, I use Google Translate. I will try to explain what I want to know, what I know and what I can't do.

What I want:
I want to transfer the main elements from Cheat Engine, namely:

- ListView: Address | Value | PreviousValue
- Value Type: Binary,Byte,2 Bytes,4 Bytes,8 Bytes,Float,Double,String
(I want, basically, to be able to enter integers and floating points)
- Scan Type: Exact Value,Exact Value,Bigger than...,Smaller than...,Value between..., Unknown initial value
(What worries me most here is Unknown initial value, because I could think of other methods myself).
- Start Address | Stop Address
(Specify the search range in memory)
This is a rough idea of how I want to issue in AHK:


1. I want to be able to configure all these values in the GUI window, so I want to understand how to work with the ClassMemory class.
2. I want to know how I can create a type of value from the above that I am sending.
3. I want to understand how to make ClassMemory specify the scan type "Unknown initial value", because there are values that you don't know initially.
4. I want to understand how I can search for values without explicitly pointing to a specific address.
5. I want to understand how to get an array of data found by a certain value, and not just the first occurrence.

I would like more examples for ClassMemory from what I have named, because it is very difficult to understand how to work with this Class.

An example of what I want:

1. Value := "589341", StartAddress := 0000000000000000, StopAddress := 00007fffffffffff, ValueType := "4 byte", ScanType := "Exact Value"
2. We send all the data to the function, which, based on the data, determines the Value type, the search method and the range of addresses for which the number needs to be checked.
3. The Address + Value is displayed in the results

[bapl]

In one of the forums, I was prompted to study this: https://lonami.dev/blog/woce-1/
But the problem is that I don’t know the Rust language, and therefore I won’t be able to remake the code for AHK, but I found the code for RUST there:

Code: Select all

use winapi::um::winnt::MEMORY_BASIC_INFORMATION;

...

// inside `impl Process`
pub fn scan_regions(&self, regions: &[MEMORY_BASIC_INFORMATION], scan: Scan) -> Vec<Region> {
    regions
        .iter()
        .flat_map(|region| match scan {
            Scan::Exact(n) => todo!("old scan implementation"),
            Scan::Unknown => {
                let base = region.BaseAddress as usize;
                match self.read_memory(region.BaseAddress as _, region.RegionSize) {
                    Ok(memory) => Some(Region {
                        info: region.clone(),
                        locations: CandidateLocations::Dense {
                            range: base..base + region.RegionSize,
                        },
                        value: Value::AnyWithin(memory),
                    }),
                    Err(_) => None,
                }
            }
        })
        .collect()
}
Time to try it out!

impl CandidateLocations {
    pub fn len(&self) -> usize {
        match self {
            CandidateLocations::Discrete { locations } => locations.len(),
            CandidateLocations::Dense { range } => range.len(),
        }
    }
}

...

fn main() {
    // -snip-

    println!("Scanning {} memory regions", regions.len());
    let last_scan = process.scan_regions(&regions, Scan::Unknown);
    println!(
        "Found {} locations",
        last_scan.iter().map(|r| r.locations.len()).sum::<usize>()
    );
}

Code: Select all

Scanning 88 memory regions
Found 3014656 locations

Does anyone know how to work with this?

[bapl]

Up post

[swagfag]

1. 1. then study the ahk documentation's GUI sections. everything is explained there
   2. then study ClassMemory's source. everything is explained in the comments
2. ??? more incomprehensible gibberish
3. "Unknown initial value" doesnt do anything in CE. it just lets u start the scan
4. search the entire address space
5. continue searching the remaining address space past whatever first occurrence u have already found

what u want is apparently someone to write code/transpile copypasted shit for u. maybe someone out there's interested, but i wouldnt bet much on it

all the Rust code does is call VirtualQueryEx() and ReadProcessMemory() in a loop(of course, suffocated by ur typical ten thousand lines of Rust bloat). u need better fundamentals regarding how memory works on Windows. i suggest starting by reading MSDN's docs