Difference between revisions of "Cheat Engine:Memory Scanning"

From Cheat Engine
Jump to navigation Jump to search
m (Reverted edits by This content is not available (Talk) to last revision by Dark Byte)
(Fixed spelling mistakes. Added explanation about alignment of addresses in Fast Scan paragraph.)
Line 1: Line 1:
 
[[Category:Help]]
 
[[Category:Help]]
 
{{NeedWork}}
 
{{NeedWork}}
Initial contribution, just placing a few 'things about ce scanning' here to work out later
+
Initial contribution, just placing a few 'things about ce scanning' here to work out later.
  
 
----
 
----
  
Memory scanning is one of the most major features of CheatEngine.
+
Memory scanning is one of the most major features of Cheat Engine.
Memory scanning is reading the memory provided to the application.
+
Memory scanning means searching for a specific value or a pattern in the memory provided to the application.
CheatEngine's scanning makes use of multiple processors when available.
+
Cheat Engine's scanning makes use of multiple processor cores when available.
  
CheatEngine allows you to search addresses in various ways using different types of searching.
+
Cheat Engine allows you to search addresses in various ways using different types of searching.
 +
 
 +
Firstly, you need to define what type of search you want to perform.
  
Firstly you need to define what type of search you want.
 
 
What you need to define is: Value Type, Scan Option, Scan Range and other smaller options.
 
What you need to define is: Value Type, Scan Option, Scan Range and other smaller options.
  
 
==Value Type==
 
==Value Type==
  
The available types CheatEngine can scan with are:
+
The available types Cheat Engine can scan for are:
  
 
*Binary
 
*Binary
Line 41: Line 42:
  
  
Which one you should choose depends on the value you want to search.
+
Which one you should choose depends on the value and type of the value you want to search for.
 
A value that only switches between 1 and 0 is often a Binary.
 
A value that only switches between 1 and 0 is often a Binary.
While any integer number (1, 3, 4599, 15686, etc...) is most often a 4 byte value.
+
While an integer number (1, 3, 4599, 15686, etc...) is most often a 4-byte value.
 
Strictly non-integer numbers are always Float or Double. Small numbers are often Float, bigger ones Double.
 
Strictly non-integer numbers are always Float or Double. Small numbers are often Float, bigger ones Double.
 
Text is often stored as a String/Text.
 
Text is often stored as a String/Text.
Line 49: Line 50:
 
==Scan Option==
 
==Scan Option==
  
Sometimes you may not know the exact number of a value you want to search, or it changes too fast to scan normally. That's why CheatEngine provides several ways of looking for values. These scan options make it possible to find any value, wether you know it or not.
+
Sometimes you may not know the exact number of a value you want to search for, or it changes too often to scan normally. That's why Cheat Engine provides several ways of looking for values. These scan options make it possible to find any value, whether you know it or not.
 
The options available are divided in two: First Scan options and Next Scan options.
 
The options available are divided in two: First Scan options and Next Scan options.
  
Line 90: Line 91:
  
  
All these options speak for themselves. CheatEngine remembers the values found in the previous scan, allowing it to compare new values with the old ones and revert to a previous scan. It also remembers the values of the First Scan.
+
All these options speak for themselves. Cheat Engine remembers the values found in the previous scan, allowing it to compare new values with the old ones and revert to a previous scan. It also remembers the values of the First Scan.
  
 
==Scan Range==
 
==Scan Range==
  
CheatEngine only scans between the given range markers. Default are these From: 00400000 To: 7FFFFFFF
+
Cheat Engine only scans between the given range markers. Default are these From: 00400000 To: 7FFFFFFF
If you know for certain that a certain address must be between two addresses, then you can change these markers and CheatEngine will only search between those.
+
If you know for certain that a certain address must be between two addresses, then you can change these markers and Cheat Engine will only search between those.
  
  
 
----
 
----
  
Fast Scan: Fast scan speeds up the scanning by skipping 'unaligned' memory addresses.
+
Fast Scan: Fast scan speeds up the scanning by skipping unaligned(by 4) memory addresses. Aligned address means that it can be divided by the alignment number without remainder. Unaligned means that when an address is divided by the alignment number, there is a remainder. For example, address 0x40000 is aligned by 4 and also aligned by 0x1000. Address 0x40004 is aligned by 4 but isn't aligned by 0x1000. Number 0x40001 is not aligned by neither 4, nor 0x1000. Most  objects in memory are aligned by 4, but not always.
 
 
  
When you perform a scan, CheatEngine will provide you with a list of addresses matching your search. These shown addresses are also updated as the actual addresses change, at a rate set in the Settings menu.
+
When you perform a scan, Cheat Engine will provide you with a list of addresses matching your search. Shown values of variables at found addresses are updated as the actual in-game values of variables change, at a rate set in the Settings menu.
 
There are two types of addresses in this list: Green ones and black ones.
 
There are two types of addresses in this list: Green ones and black ones.
 
Green means static addresses. Whenever you load the application these addresses will stay the same/hold the same value.
 
Green means static addresses. Whenever you load the application these addresses will stay the same/hold the same value.
These addresses show up as normal addresses in the list, but are actualy like this:
+
These green addresses show up as absolute virtual addresses in the list, but are actually offsets to base address of one of the loaded modules in the process' address space. So when you have static(green) address 4075FFB0 and module's base address is 40000000, it is calculated as 40000000+75FFB0, which Cheat Engine often shows you as ModuleName.exe+75FFB0.
ApplicationName.exe+75FFB0 (This is merely an example.)
 
  
Black means dynamic addresses. These will change location whenever you load the application, even during the application's run. Using pointers you can find static addresses for these dynamic ones.
+
Black means dynamic addresses. Variables at these addresses will change location(variables will change their addresses) whenever you load the application, and even while the application is running. Using pointers you can find static addresses for these dynamic ones.
  
 
==Grouped==
 
==Grouped==
  
Grouped scanning allows you to find a structure more quickly when you know it's layout.  Individual values are in the format "type:value" separated by spaces.  For example if you know that health is an integer and your current health is 75/100, and that the structure has the current value, an unknown 4 byte quantity, and then the max value, you can search for this:
+
Grouped scanning allows you to find a structure more quickly when you know its layout.  Individual values are in the format "type:value", separated by spaces.  For example if you know that health is an integer and your current health is 75/100, and that the structure has the current value, an unknown 4 byte quantity, and then the max value, you can search for this:
  
 
<pre>4:75 4:* 4:100</pre>
 
<pre>4:75 4:* 4:100</pre>

Revision as of 16:25, 17 July 2020

This entry needs a lot of work. Please contribute if you can.

Check this page to see if there are some suggestions for adding to Memory Scanning.

Initial contribution, just placing a few 'things about ce scanning' here to work out later.


Memory scanning is one of the most major features of Cheat Engine. Memory scanning means searching for a specific value or a pattern in the memory provided to the application. Cheat Engine's scanning makes use of multiple processor cores when available.

Cheat Engine allows you to search addresses in various ways using different types of searching.

Firstly, you need to define what type of search you want to perform.

What you need to define is: Value Type, Scan Option, Scan Range and other smaller options.

Value Type

The available types Cheat Engine can scan for are:

  • Binary
  • Byte (values between 0 and 255 or -128 to 127 if signed)
  • 2 byte (values between 0 and 65536 or -32768 to 32767 if signed)
  • 4 byte (values between 0 and 4294967295 or -2147483648 and 2147483647 if signed)
  • 8 byte (values between 0 and 18446744073709551614 or -9223372036854775808 and 9223372036854775807 if signed)
  • Float (values between 1.5 x 10^-45 and 3.4 x 10^38 )
  • Double (values between 5.0 x 10^-324 and 1.7 x 10^308 )
  • Array of bytes
  • String (/Text)
  • All (Byte to Double)
  • Grouped


Which one you should choose depends on the value and type of the value you want to search for. A value that only switches between 1 and 0 is often a Binary. While an integer number (1, 3, 4599, 15686, etc...) is most often a 4-byte value. Strictly non-integer numbers are always Float or Double. Small numbers are often Float, bigger ones Double. Text is often stored as a String/Text.

Scan Option

Sometimes you may not know the exact number of a value you want to search for, or it changes too often to scan normally. That's why Cheat Engine provides several ways of looking for values. These scan options make it possible to find any value, whether you know it or not. The options available are divided in two: First Scan options and Next Scan options.

First Scan options are:

  • Exact Value
  • Bigger than...
  • Smaller than...
  • Value between...
  • Unknown initial value


Next Scan options are:

  • Exact Value
  • Bigger than...
  • Smaller than...
  • Value between...
  • Increased Value
  • Increased Value by...
  • Decreased Value
  • Decreased Value by...
  • Changed Value
  • Unchanged Value
  • Same as First Scan


All these options speak for themselves. Cheat Engine remembers the values found in the previous scan, allowing it to compare new values with the old ones and revert to a previous scan. It also remembers the values of the First Scan.

Scan Range

Cheat Engine only scans between the given range markers. Default are these From: 00400000 To: 7FFFFFFF If you know for certain that a certain address must be between two addresses, then you can change these markers and Cheat Engine will only search between those.



Fast Scan: Fast scan speeds up the scanning by skipping unaligned(by 4) memory addresses. Aligned address means that it can be divided by the alignment number without remainder. Unaligned means that when an address is divided by the alignment number, there is a remainder. For example, address 0x40000 is aligned by 4 and also aligned by 0x1000. Address 0x40004 is aligned by 4 but isn't aligned by 0x1000. Number 0x40001 is not aligned by neither 4, nor 0x1000. Most objects in memory are aligned by 4, but not always.

When you perform a scan, Cheat Engine will provide you with a list of addresses matching your search. Shown values of variables at found addresses are updated as the actual in-game values of variables change, at a rate set in the Settings menu. There are two types of addresses in this list: Green ones and black ones. Green means static addresses. Whenever you load the application these addresses will stay the same/hold the same value. These green addresses show up as absolute virtual addresses in the list, but are actually offsets to base address of one of the loaded modules in the process' address space. So when you have static(green) address 4075FFB0 and module's base address is 40000000, it is calculated as 40000000+75FFB0, which Cheat Engine often shows you as ModuleName.exe+75FFB0.

Black means dynamic addresses. Variables at these addresses will change location(variables will change their addresses) whenever you load the application, and even while the application is running. Using pointers you can find static addresses for these dynamic ones.

Grouped

Grouped scanning allows you to find a structure more quickly when you know its layout. Individual values are in the format "type:value", separated by spaces. For example if you know that health is an integer and your current health is 75/100, and that the structure has the current value, an unknown 4 byte quantity, and then the max value, you can search for this:

4:75 4:* 4:100