Feature - CheatEngine like search

[disconnect3d]

Hey,

It would be cool to have a similar feature like CheatEngine provides - the possibility to re-search the addresses found in last search, for a given value.

There's also a plugin for that on https://github.com/ItayGarin/gdb-cheat-engine but imho we need something that is easier to use (like -n or --next flag in search command).

[zachriggle]

Can you give me an example of how this feature would work when in use? I'm not familiar with the workflow for this.

[Grazfather]

@disconnect3d Check out PINCE

@zachriggle: You'd need to maintain some bucket of addresses and their values at last search. Support a feature that allows filtering on the list by their current value. Ideally not sure on their current value, but with the option to filter on how they changed.

e.g.

1. Find all 4byte dwords (regions, alignment, etc configurable) whose value is 0xcafebabe. Get this list and hold it.
2. Next find all 4 byte dwords within that list whose new value is 0xdeadbeef
3. Repeat 2 until this list is small enough that I can guess which is the value I want.

Ideally instead of just searching for values that were 0xcafebabe and changed to 0xdeadbeef, you could do something like find values that were 0xcafebabe and changed since last search, or didn't, or increased.

My manipulating a known value (e.g. your health in the context of a game) this search helps you narrow down where its stored in memory

I suggest you play with Cheat Engine for a bit if you're interested in understanding the features.

[disconnect3d]

@Grazfather Thanks for the link and explanation.

I didn't forget about the issue and the feature is quite simple to implement, however we will have to agree on the command interface.
I will post a prototype of this soon. @zachriggle you can assign me to it.

[disconnect3d]

@zachriggle I see you have started working on the issue.

I am not sure whether we need the --save argument. Imho the search results could be saved each time a search is done and if -n or --next is passed, only the "last found addresses" should be searched.

I am attaching a git patch I have made like a month ago. I haven't added it earlier because I didn't really like the global variable solution, however, probably that's the easiest way to have the results saved.
(Also the patch fails to apply right now)

search.patch.txt

PS: I had to change the extension from .patch to .txt since github doesn't support that.

[Grazfather]

@zachriggle cool thanks for that.

[zachriggle]

For @disconnect3d, I also added a config option.

pwndbg> config
Name                   Value (Def)    Documentation
---------------------------------------------------
auto-save-search       False          automatically pass --save to "search" command
...

[disconnect3d]

@zachriggle That's exactly what I wanted to ask for like 5 minutes ago.
Cool! Thanks :).