retrieving floating point values from open process

Soldato | Joined 23 May 2005 | Posts 2,964 | Location Auckland, New Zealand
What I want to do is write a program that graphs things like speed, revs, gear changes etc. over time by retrieving data from a game such as Need for Speed.

My question is, how would I go about doing this? In particular, finding the memory locations where the floating point values for speed etc. are kept. One way I thought of was to read the process's memory in 16 bit (4 byte: float) chunks, grabbing each value that is 0.0 when the car is on the starting line with no user input, saving their current value and address etc., and then watching each one for an increase when you put your foot down. Then I'd eliminate any that didn't increase and make reasonable guesses as to which was speed, which was revs, time, gear etc.

Has anyone done anything like this? Is this a reasonable way of going about doing this?

Cheers, Joe
 
Soldato | Joined 16 May 2005 | Posts 6,509 | Location Cold waters
AFAIK that's how "Trainers" for PC games are made, only they write to memory as well as read it to provide homebrew cheats.

Never looked into it, but it seems like it would be rather difficult since there'd be a hell of a lot of data to track, things might not all be padded out to sit on 4 byte boundaries, and you don't know for sure what types and representations are actually used for the things you're interested in. Your idea does sound like the right way to try it though.

I think this is actually how some form of HD-DVD/Blu-Ray encryption was cracked. They grabbed the entire memory set of some playback software and walked through it, trying each n-byte segment as a candidate decryption key :)
 
Soldato (OP) | Joined 23 May 2005 | Posts 2,964 | Location Auckland, New Zealand
Yeah, although I think trainers already know memory locations and types. I'm just assuming the values I'm interested in will be floats; it seems like a good bet. Yeah, I'd start at '0' (wherever that may be) and read the next 16 bits, store that as a float with its value and go to the next bit, and read the 16 bits after that, store it as a float etc.

That would give me a heck of a lot of values, mostly rubbish. I'd keep all that read 0.0 as floats and get rid of the rest.
Then I'd monitor these when the car accelerates and only keep the ones that increase and are above 0 and in some reasonable range. That'd hopefully whittle what I have left down to a reasonable amount. Then I'd have to sift through those to determine the values I want, based on reasonable assumptions. It might require a bit of playing around with the car to start off with... Theoretically it's possible but it's quite a task! That's the brute force way. Don't programs create a memory map when they're run? Can these be accessed?
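The two-pass scan described in the first post and the post above, written out as an added C example (it is not code from the thread). The two "snapshots" are constructed byte buffers standing in for what ReadProcessMemory on Windows or a read of /proc/<pid>/mem on Linux would return; the example does not read another process, and the planted values and their offsets are invented. It steps one byte at a time so a float the game did not align to 4 bytes is still found, which addresses the alignment concern raised in the reply above.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Scan step in bytes. 1 catches values the game did not align to 4 bytes;
 * 4 is faster if you are willing to assume alignment. */
#define SCAN_STRIDE 1

/* Read a float from an arbitrary byte offset; memcpy avoids the unaligned
 * pointer cast that would be undefined behaviour on a byte buffer. */
static float float_at(const uint8_t *buf, size_t off)
{
    float f;
    memcpy(&f, buf + off, sizeof f);
    return f;
}

/* Pass 1: record every offset whose four bytes decode to 0.0 (or -0.0).
 * Returns the number of candidates found, which may exceed max_out. */
size_t scan_zero_floats(const uint8_t *snap, size_t len,
                        size_t *out, size_t max_out)
{
    size_t n = 0;
    for (size_t off = 0; off + sizeof(float) <= len; off += SCAN_STRIDE) {
        if (float_at(snap, off) == 0.0f) {
            if (n < max_out)
                out[n] = off;
            n++;
        }
    }
    return n;
}

/* Pass 2: keep only candidates that now hold a value inside (lo, hi).
 * NaN fails both comparisons and +/-inf fails one, so neither survives; a
 * small integer reinterpreted as a float is a denormal far below lo.
 * Survivors are compacted to the front of cands; returns their count. */
size_t keep_increased(const uint8_t *snap, size_t len,
                      size_t *cands, size_t n, float lo, float hi)
{
    size_t kept = 0;
    for (size_t i = 0; i < n; i++) {
        if (cands[i] + sizeof(float) > len)
            continue;
        float f = float_at(snap, cands[i]);
        if (f > lo && f < hi)
            cands[kept++] = cands[i];
    }
    return kept;
}

/* ---- constructed demo; the layout is invented, not any game's ---- */
#define IMG_SIZE 64

static void put_float(uint8_t *b, size_t off, float v)    { memcpy(b + off, &v, sizeof v); }
static void put_u32  (uint8_t *b, size_t off, uint32_t v) { memcpy(b + off, &v, sizeof v); }

/* Builds a "before" (starting line) and "after" (foot down) snapshot and runs
 * both passes. Writes surviving offsets to found and returns how many. */
size_t demo_find_offsets(size_t *found, size_t max_found)
{
    uint8_t before[IMG_SIZE], after[IMG_SIZE];
    memset(before, 0x5A, IMG_SIZE);       /* non-zero filler: only planted zeros match */

    put_float(before,  9, 0.0f);          /* "speed", deliberately unaligned */
    put_float(before, 20, 0.0f);          /* "revs" */
    put_float(before, 32, 0.0f);          /* "lap timer": never starts in this demo */
    put_float(before, 40, 0.0f);          /* "frame counter": leaves the plausible range */
    put_u32  (before, 48, 0);             /* "gear": an int, not a float */

    memcpy(after, before, IMG_SIZE);
    put_float(after,  9, 42.5f);
    put_float(after, 20, 850.0f);
    put_float(after, 40, 1e30f);
    put_u32  (after, 48, 3);              /* reads back as about 4.2e-45f */

    size_t n = scan_zero_floats(before, IMG_SIZE, found, max_found);
    if (n > max_found)
        n = max_found;
    return keep_increased(after, IMG_SIZE, found, n, 0.5f, 20000.0f);
}

int main(void)
{
    size_t found[16];
    size_t n = demo_find_offsets(found, 16);
    for (size_t i = 0; i < n; i++)
        printf("candidate at offset %zu\n", found[i]);   /* offsets 9 and 20 survive */
    return 0;
}
```

Against a real process pass 1 returns far more candidates than this, so you would keep them in a growable array and repeat pass 2 across several snapshots (accelerating, braking, idling) until only a handful remain; a byte stride roughly quadruples the candidate count over an aligned scan, which is the price of not trusting the game's layout.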
 
Associate | Joined 17 Oct 2002 | Posts 2,165 | Location London
You could give Cheat Engine a go. It can search for values (including floats) by various means and seems to have an active community.

I didn't try it out as I was looking for something penguin compatible.

/edit - Someone has created a Need for Speed trainer using Cheat Engine. The source code is linked to from the thread. May give you some pointers :)
 
Una
Associate | Joined 26 Nov 2004 | Posts 2,471 | Location Reading / Lake District
What I want to do is write a program that graphs things like speed, revs, gear changes etc. over time by retrieving data from a game such as Need for Speed.

My question is, how would I go about doing this? In particular, finding the memory locations where the floating point values for speed etc. are kept. One way I thought of was to read the process's memory in 16 bit (4 byte: float) chunks, grabbing each value that is 0.0 when the car is on the starting line with no user input, saving their current value and address etc., and then watching each one for an increase when you put your foot down. Then I'd eliminate any that didn't increase and make reasonable guesses as to which was speed, which was revs, time, gear etc.

Has anyone done anything like this? Is this a reasonable way of going about doing this?

Cheers, Joe

OK, the best way to do this is DLL injection / function hooking. Finding memory locations is quite hard if the addresses are randomised each time you run the binary (which is common now)... Some addresses/offsets are predictable, however this isn't the best way to do it.

cat /proc/pid/maps (on Linux) will give you the memory mappings. Your values will be in the data segment. On Windows I don't know off the top of my head (there's a huge document about the PE file format around somewhere).

However, your best idea is to locate the functions which process the data and hook them. Then you can take their input before the original function is called and modify / read it.

The best way to find the functions is to disassemble the binary, and if you're lucky it won't be stripped of symbols. You can sometimes guess which functions do what by looking at their symbolic names. Then use a debugger / read the code and check it is actually what you're looking for.

Once you have written your function hooking code you just inject the DLL into the running process and you're sorted =)

Edit: Oh yeah, check out this as well - http://research.microsoft.com/sn/detours/ ..
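A parser for the /proc/<pid>/maps format mentioned in the post above, added here as an example rather than code from the thread. It keeps the writable, private mappings (the data segment, heap and stack, where game state lives) and skips read-only and executable ones, which is the region list a value scan would then read through /proc/<pid>/mem. The sample maps text is constructed in the real line format; its addresses, inode numbers and paths are invented.

```c
#include <stdio.h>
#include <string.h>

/* One line of /proc/<pid>/maps: "start-end perms offset dev inode [pathname]". */
typedef struct {
    unsigned long long start, end;
    char perms[5];     /* e.g. "rw-p" */
    char path[64];     /* "" for anonymous mappings */
} region_t;

/* Constructed sample in the real format; addresses, inodes and paths are invented. */
static const char SAMPLE_MAPS[] =
    "00400000-0040b000 r-xp 00000000 08:01 1234 /usr/bin/game\n"
    "0060a000-0060b000 rw-p 0000a000 08:01 1234 /usr/bin/game\n"
    "0060b000-0062c000 rw-p 00000000 00:00 0 [heap]\n"
    "7f1e2c000000-7f1e2c021000 rw-p 00000000 00:00 0\n"
    "7f1e2c021000-7f1e2c1d9000 r-xp 00000000 08:01 5678 /lib/x86_64-linux-gnu/libc.so.6\n"
    "7ffd1a3f2000-7ffd1a413000 rw-p 00000000 00:00 0 [stack]\n";

/* Parse one maps line. Returns 1 on success, 0 if the line is malformed. */
int parse_maps_line(const char *line, region_t *r)
{
    unsigned long long off, inode;
    char dev[16];
    int consumed = 0;

    r->path[0] = '\0';
    if (sscanf(line, "%llx-%llx %4s %llx %15s %llu%n",
               &r->start, &r->end, r->perms, &off, dev, &inode, &consumed) != 6)
        return 0;
    if (r->end < r->start)
        return 0;
    /* the pathname is optional and follows a run of spaces */
    const char *p = line + consumed;
    while (*p == ' ' || *p == '\t')
        p++;
    size_t n = strcspn(p, "\n");
    if (n >= sizeof r->path)
        n = sizeof r->path - 1;
    memcpy(r->path, p, n);
    r->path[n] = '\0';
    return 1;
}

/* Writable and private is where .data/.bss, the heap and the stack live.
 * Code mappings (r-xp) hold no game state worth scanning for values. */
int is_data_region(const region_t *r)
{
    return r->perms[0] == 'r' && r->perms[1] == 'w' && r->perms[3] == 'p';
}

/* Walk a whole maps file, collect the regions worth scanning and sum their size.
 * Returns how many were kept (at most max_out). */
size_t select_scan_regions(const char *maps, region_t *out, size_t max_out,
                           unsigned long long *total_bytes)
{
    size_t kept = 0;
    *total_bytes = 0;
    const char *p = maps;
    while (*p) {
        size_t full = strcspn(p, "\n");      /* length of this line */
        size_t len = full;
        char line[256];
        if (len >= sizeof line)
            len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';

        region_t r;
        if (parse_maps_line(line, &r) && is_data_region(&r) && kept < max_out) {
            out[kept++] = r;
            *total_bytes += r.end - r.start;
        }
        p += full;
        if (*p == '\n')
            p++;
    }
    return kept;
}

int main(void)
{
    region_t rs[16];
    unsigned long long total;
    size_t n = select_scan_regions(SAMPLE_MAPS, rs, 16, &total);
    for (size_t i = 0; i < n; i++)
        printf("%012llx-%012llx %s %s\n", rs[i].start, rs[i].end, rs[i].perms,
               rs[i].path[0] ? rs[i].path : "(anonymous)");
    printf("%zu regions, %llu bytes to scan\n", n, total);
    return 0;
}
```

Reading a live process this way needs ptrace permission on the target (same user and, on distributions that enable Yama, a permissive ptrace_scope, or root), and the start/end addresses change between runs when the binary is randomised, so the region list has to be re-read each time rather than hard-coded.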
 