Difference between revisions of "Cheat Engine:Memory Scanning"

From Cheat Engine
Jump to navigation Jump to search
(array of bytes)
 
(23 intermediate revisions by 13 users not shown)
Line 1: Line 1:
{{NeedWork}}
+
[[Category:Help]]
Initial contribution, just placing a few 'things about ce scanning' here to work out later
 
  
----
+
Memory scanning is one of the most major features of Cheat Engine.
 +
Memory scanning means searching for a specific value or a pattern in the memory provided to the open (target) process.
 +
Cheat Engine's scanning makes use of multiple processor cores when available. The final result of a scan is a list of addresses, and this list can be refined (reduced) by other next scans.
  
Memory scanning is one of the most major features of CheatEngine.
+
Cheat Engine allows you to search in various ways using different types of searching. All options are provided by the main window of CE: value to search, scan type, value type, many memory scan options, and some other extra options.
Memory scanning is reading the memory provided to the application.
 
CheatEngine's scanning makes use of multiple processors when available.
 
  
CheatEngine allows you to search addresses in various ways using different types of searching.
+
'''Note:''' You must open a target process to active these options.
  
Firstly you need to define what type of search you want.
+
==Value to scan==
What you need to define is: Value Type, Scan Option, Scan Range and other smaller options.
 
  
<span onmouseover="_tipon(this)" onmouseout="_tipoff()"><span class="google-src-text" style="direction: ltr; text-align: left">==Value Type== The available types CheatEngine can scan with are: *Binary *Byte (values between 334633473340 and 255 or -128 to 127 if signed) *2 byte (values between 0 and 65536 or -32768 to 32767 if signed) *4 byte (values between 0 and 4294967295 or -2147483648 and 2147483647 if signed) *8 byte (values between 0 and 18446744073709551614 or -9223372036854775808 and 9223372036854775807 if signed) *Float (values between 1.5 x 10^-45 and 3.4 x 10^38 ) *Double (values between 5.0 x 10^-324 and 1.7 x 10^308 ) *Array of bytes *String (/Text) *All (Byte to Double) *Custom Which one you should choose depends on the value you want to search.</span> Jenis == Nilai == Jenis tersedia cheatengine dapat memindai dengan adalah: * Biner * Byte (nilai antara 334633473340 dan 255 atau -128 sampai 127 jika ditandatangani) * 2 byte (nilai antara 0 dan 65536 atau -32.768 ke 32767 jika ditandatangani) * 4 byte (nilai antara 0 dan 4294967295 atau 2147483647 -2147483648 dan jika ditandatangani) * 8 byte (nilai antara 0 dan 18446744073709551614 atau -9223372036854775808 dan 9223372036854775807 jika ditandatangani) * Lampung (nilai antara 1,5 x 10 ^ -45 dan 3,4 x 10 ^ 38) * Double (nilai antara 5,0 x 10 ^ -324 dan 1,7 x 10 ^ 308) * Array byte * String (/ Teks) * Semua (Byte untuk Double) * Custom Yang mana yang Anda harus memilih tergantung pada nilai yang Anda inginkan untuk pencarian.</span> <span onmouseover="_tipon(this)" onmouseout="_tipoff()"><span class="google-src-text" style="direction: ltr; text-align: left">A value that only switches between 1 and 0 is often a Binary.</span> Sebuah nilai yang switch hanya antara 1 dan 0 sering Binary a.</span> <span onmouseover="_tipon(this)" onmouseout="_tipoff()"><span class="google-src-text" style="direction: ltr; text-align: left">While any integer number (1, 3, 4599, 15686, etc...) is most often a 4 byte value.</span> Sementara sejumlah bilangan bulat (1, 3, 4599, 15686, dll ..) yang paling sering nilai byte 4.</span> <span onmouseover="_tipon(this)" onmouseout="_tipoff()"><span class="google-src-text" style="direction: ltr; text-align: left">Strictly non-integer numbers are always Float or Double.</span> Sebenarnya non-integer angka selalu float atau dua kali.</span> <span onmouseover="_tipon(this)" onmouseout="_tipoff()"><span class="google-src-text" style="direction: ltr; text-align: left">Small numbers are often Float, bigger ones Double.</span> Sejumlah kecil sering float, yang lebih besar dua kali.</span> <span onmouseover="_tipon(this)" onmouseout="_tipoff()"><span class="google-src-text" style="direction: ltr; text-align: left">Text is often stored as a String/Text.</span> Teks sering disimpan sebagai String / Teks.</span>
+
The defaut base for '''Value''' is decimal but you can check the '''Hex''' option to use an hexadecimal value or '''Lua formula''' option to use a valid Lua expression. Latter option actives an extra option '''Separate Lua State''' by default checked.
  
==Scan Option==
+
==Scan Type==
  
Sometimes you may not know the exact number of a value you want to search, or it changes too fast to scan normally. That's why CheatEngine provides several ways of looking for values. These scan options make it possible to find any value, wether you know it or not.
+
Sometimes you may not know the exact number of a value you want to search for, or it changes too often to scan normally. That's why Cheat Engine provides a dropbox with several ways of looking for values. These scan options make it possible to find any value, whether you know it or not.
The options available are divided in two: First Scan options and Next Scan options.
+
The available options depend on the scan order (initial/first or subsequent/next):
  
First Scan options are:
+
For the First Scan the scan types options are:
  
*Exact Value
+
*'''Exact Value'''
  
*Bigger than...
+
*'''Bigger than...'''
  
*Smaller than...
+
*'''Smaller than...'''
  
*Value between...
+
*'''Value between...'''
  
*Unknown initial value
+
*'''Unknown initial value'''
  
  
Next Scan options are:
+
For the Next Scan the scan types options are:
  
*Exact Value
+
*'''Exact Value'''
  
*Bigger than...
+
*'''Bigger than...'''
  
*Smaller than...
+
*'''Smaller than...'''
  
*Value between...
+
*'''Value between...'''
  
*Increased Value
+
*'''Increased Value'''
  
*Increased Value by...
+
*'''Increased Value by...'''
  
*Decreased Value
+
*'''Decreased Value'''
  
*Decreased Value by...
+
*'''Decreased Value by...'''
  
*Changed Value
+
*'''Changed Value'''
  
*Unchanged Value
+
*'''Unchanged Value'''
  
*Same as First Scan
+
*'''Same as First Scan'''
  
  
All these options speak for themselves. CheatEngine remembers the values found in her previous scan, allowing it to compare new values with the old ones and revert to a previous scan. It also remembers the values of the First Scan.
+
All these options speak for themselves.
  
==Scan Range==
+
==Value Type==
  
CheatEngine only scans between the given range markers. Default are these From: 00400000 To: 7FFFFFFF
+
The available types Cheat Engine can scan for are:
If you know for certain that a certain address must be between two addresses, then you can change these markers and CheatEngine will only search between those.
 
  
 +
*'''Binary'''
  
----
+
*'''Byte''' (values between 0 and 255 or -128 to 127 if signed)
  
Fast Scan: Fast scan speeds up the scanning by skipping 'unaligned' memory addresses.
+
*'''2 Bytes''' (values between 0 and 65535 or -32768 to 32767 if signed)
  
 +
*'''4 Bytes''' (values between 0 and 4294967295 or -2147483648 and 2147483647 if signed)
  
When you perform a scan, CheatEngine will provide you with a list of addresses matching your search. These shown adresses are also updated as the actual addresses change, at a rate set in the Settings menu.
+
*'''8 Bytes''' (values between 0 and 18446744073709551615 or -9223372036854775808 and 9223372036854775807 if signed)
There are two types of addresses in this list: Green ones and black ones.
 
Green means static addresses. Whenever you load the application these addresses will stay the same/hold the same value.
 
These addresses show up as normal addresses in the list, but are actualy like this:
 
ApplicationName.exe+75FFB0 (This is merely an example.)
 
  
Black means dynamic addresses. These will change location whenever you load the application, even during the application's run. Using pointers you can find static addresses for these dynamic ones.
+
*'''Float''' (values between 1.5 x 10^-45 and 3.4 x 10^38  )
 +
 
 +
*'''Double''' (values between 5.0 x 10^-324 and 1.7 x 10^308 )
 +
 
 +
*'''String''' (/Text)
 +
 
 +
*'''Array of byte'''
 +
 
 +
*'''All''' (from '''Byte''' to '''Double''')
 +
 
 +
*'''Grouped''' : Grouped scanning allows you to find a structure more quickly when you know its layout. Individual values are in the format "type:value", separated by spaces. For example if you know that health is an integer and your current health is 75/100, and that the structure has the current value, an unknown 4 byte quantity, and then the max value, you can search for this:
 +
 
 +
<pre>4:75 4:* 4:100</pre>
 +
 
 +
Which one you should choose depends on the value and type of the value you want to search for.
 +
A value that only switches between 1 and 0 is often a Binary.
 +
While an integer number (1, 3, 4599, 15686, etc...) is most often a 4-byte value.
 +
Strictly non-integer numbers are always Float or Double. Small numbers are often Float, bigger ones Double.
 +
Text is often stored as a String/Text.
 +
 
 +
==Memory Scan Options==
 +
 
 +
Cheat Engine offers you a dropbox option to scan all the memory space used by the target process or only specific areas used by the main process or any of the depending DLL. Depending on selected options, the scan range defined by the '''Start''' and the '''Stop''' addresses is automatically adjusted by CE (from 0000000000000000 to 7fffffffffffffff for all memory space) but you can edit/overwrite these limits.
 +
 
 +
A tri-state option '''Executable''' allow you to scan only the executable, non-executable, or any kind of executable memory.
 +
The options '''Writable''' and '''CopyOnWrite''' allow to scan only the writable and/or copy-on-write ranges of memory.
 +
 
 +
The '''Fast Scan''' option can speeds up the scanning by testing only the '''Aligned''' memory addresses or the '''Last Digits''' of the specified value. For aligned address you can choose the multiplier with a defaut value equal to 4 (the most used value used by games and any other applications). Mathematically, an aligned address is a multiple of the multiplier value. For example, address 0x40000 is aligned by 4 and also aligned by 0x1000 because after dividing it by both alignment numbers, remainder of the result is 0 in both cases. Address 0x40004 is aligned by 4 but isn't aligned by 0x1000 because when you divide it by 4, the remainder is 0, but when you divide it by 0x1000, the remainder is 4. Address 0x40001 is not aligned by neither 4, nor 0x1000.
 +
 
 +
If the searched value can change in real-time in the target process then you can activate the option '''Pause the game while scanning''' which will freeze the target process while doing the memory scan.
 +
 
 +
==Other extra options==
 +
 
 +
'''Unrandomizer''' option: TODO
 +
 
 +
'''Enable Speedhack''' option: see [[Cheat Engine:Internals|Cheat Engine Internals]]
 +
 
 +
==Performing a memory scan==
 +
 
 +
If you choose the right options, you can perform a new scan by clicking on '''First Scan''' button. Cheat Engine will provide you with a list of addresses matching your search. Shown values of variables at found addresses are updated as the actual in-game values of variables change, at a rate set in the Settings menu. There are two types of addresses in this list: green ones and black ones.
 +
 
 +
* Green means static addresses. Whenever you load the application these addresses will stay the same/hold the same value.
 +
These green addresses show up as absolute virtual addresses in the list, but are actually offsets to base address of one of the loaded modules in the process' address space. So when you have static(green) address 4075FFB0 and module's base address is 40000000, it is calculated as 40000000+75FFB0, which Cheat Engine often shows you as ModuleName.exe+75FFB0.
 +
 
 +
* Black means dynamic addresses. Variables at these addresses will change location(variables will change their addresses) whenever you load the application, and even while the application is running. Using pointers you can find static addresses for these dynamic ones.
 +
 
 +
Then you can refine/reduce the list of addresses performing a '''Next Scan'''. Cheat Engine remembers the values found in the previous scan, allowing it to compare new values with the old ones and revert to a previous scan. It also remembers the values of the '''First Scan'''.

Latest revision as of 15:39, 23 April 2022


Memory scanning is one of the most major features of Cheat Engine. Memory scanning means searching for a specific value or a pattern in the memory provided to the open (target) process. Cheat Engine's scanning makes use of multiple processor cores when available. The final result of a scan is a list of addresses, and this list can be refined (reduced) by other next scans.

Cheat Engine allows you to search in various ways using different types of searching. All options are provided by the main window of CE: value to search, scan type, value type, many memory scan options, and some other extra options.

Note: You must open a target process to active these options.

Value to scan[edit]

The defaut base for Value is decimal but you can check the Hex option to use an hexadecimal value or Lua formula option to use a valid Lua expression. Latter option actives an extra option Separate Lua State by default checked.

Scan Type[edit]

Sometimes you may not know the exact number of a value you want to search for, or it changes too often to scan normally. That's why Cheat Engine provides a dropbox with several ways of looking for values. These scan options make it possible to find any value, whether you know it or not. The available options depend on the scan order (initial/first or subsequent/next):

For the First Scan the scan types options are:

  • Exact Value
  • Bigger than...
  • Smaller than...
  • Value between...
  • Unknown initial value


For the Next Scan the scan types options are:

  • Exact Value
  • Bigger than...
  • Smaller than...
  • Value between...
  • Increased Value
  • Increased Value by...
  • Decreased Value
  • Decreased Value by...
  • Changed Value
  • Unchanged Value
  • Same as First Scan


All these options speak for themselves.

Value Type[edit]

The available types Cheat Engine can scan for are:

  • Binary
  • Byte (values between 0 and 255 or -128 to 127 if signed)
  • 2 Bytes (values between 0 and 65535 or -32768 to 32767 if signed)
  • 4 Bytes (values between 0 and 4294967295 or -2147483648 and 2147483647 if signed)
  • 8 Bytes (values between 0 and 18446744073709551615 or -9223372036854775808 and 9223372036854775807 if signed)
  • Float (values between 1.5 x 10^-45 and 3.4 x 10^38 )
  • Double (values between 5.0 x 10^-324 and 1.7 x 10^308 )
  • String (/Text)
  • Array of byte
  • All (from Byte to Double)
  • Grouped : Grouped scanning allows you to find a structure more quickly when you know its layout. Individual values are in the format "type:value", separated by spaces. For example if you know that health is an integer and your current health is 75/100, and that the structure has the current value, an unknown 4 byte quantity, and then the max value, you can search for this:
4:75 4:* 4:100

Which one you should choose depends on the value and type of the value you want to search for. A value that only switches between 1 and 0 is often a Binary. While an integer number (1, 3, 4599, 15686, etc...) is most often a 4-byte value. Strictly non-integer numbers are always Float or Double. Small numbers are often Float, bigger ones Double. Text is often stored as a String/Text.

Memory Scan Options[edit]

Cheat Engine offers you a dropbox option to scan all the memory space used by the target process or only specific areas used by the main process or any of the depending DLL. Depending on selected options, the scan range defined by the Start and the Stop addresses is automatically adjusted by CE (from 0000000000000000 to 7fffffffffffffff for all memory space) but you can edit/overwrite these limits.

A tri-state option Executable allow you to scan only the executable, non-executable, or any kind of executable memory. The options Writable and CopyOnWrite allow to scan only the writable and/or copy-on-write ranges of memory.

The Fast Scan option can speeds up the scanning by testing only the Aligned memory addresses or the Last Digits of the specified value. For aligned address you can choose the multiplier with a defaut value equal to 4 (the most used value used by games and any other applications). Mathematically, an aligned address is a multiple of the multiplier value. For example, address 0x40000 is aligned by 4 and also aligned by 0x1000 because after dividing it by both alignment numbers, remainder of the result is 0 in both cases. Address 0x40004 is aligned by 4 but isn't aligned by 0x1000 because when you divide it by 4, the remainder is 0, but when you divide it by 0x1000, the remainder is 4. Address 0x40001 is not aligned by neither 4, nor 0x1000.

If the searched value can change in real-time in the target process then you can activate the option Pause the game while scanning which will freeze the target process while doing the memory scan.

Other extra options[edit]

Unrandomizer option: TODO

Enable Speedhack option: see Cheat Engine Internals

Performing a memory scan[edit]

If you choose the right options, you can perform a new scan by clicking on First Scan button. Cheat Engine will provide you with a list of addresses matching your search. Shown values of variables at found addresses are updated as the actual in-game values of variables change, at a rate set in the Settings menu. There are two types of addresses in this list: green ones and black ones.

  • Green means static addresses. Whenever you load the application these addresses will stay the same/hold the same value.

These green addresses show up as absolute virtual addresses in the list, but are actually offsets to base address of one of the loaded modules in the process' address space. So when you have static(green) address 4075FFB0 and module's base address is 40000000, it is calculated as 40000000+75FFB0, which Cheat Engine often shows you as ModuleName.exe+75FFB0.

  • Black means dynamic addresses. Variables at these addresses will change location(variables will change their addresses) whenever you load the application, and even while the application is running. Using pointers you can find static addresses for these dynamic ones.

Then you can refine/reduce the list of addresses performing a Next Scan. Cheat Engine remembers the values found in the previous scan, allowing it to compare new values with the old ones and revert to a previous scan. It also remembers the values of the First Scan.