MemSpy Tutorial: Finding Pointer Chains and Scanning Process Values Like a Pro
Memory scanning and pointer tracking are foundational skills for reverse engineers, security researchers, and game modders. When an application restarts, dynamic memory allocation causes variable addresses to change. To create a reliable script or tool, you must find a static starting point and the path of offsets that leads from it to the value: a pointer chain.
This tutorial demonstrates how to use MemSpy to scan process values, isolate variables, and map pointer chains back to a base module.

Prerequisites and Setup
Before starting, ensure you have the necessary environment and permissions.
Administrator Privileges: MemSpy requires high-level access to read and write virtual memory. Run MemSpy as an Administrator.
Target Process: Open your target application (e.g., a test game or a dummy program with changing values).
Target Value: Identify a specific in-app metric you want to track, such as a score, health value, or timer.

Step 1: Attaching MemSpy to the Process
To read or manipulate memory, you must first attach MemSpy to the target application's process.
Open MemSpy.
Click the Process or Target icon in the top toolbar.
Select your application from the running process list.
Click Attach. MemSpy will map the virtual memory space of the executable.

Step 2: Scanning for Specific Process Values
If you want to find a variable like a health value currently sitting at 100, you must filter down millions of memory addresses.

The Initial Scan
Set the Value Type based on the data (usually 4 Bytes / Int32 for integers, or Float for decimals).
Enter 100 into the value field.
Select Exact Value as the scan type.
Click First Scan. The left panel will populate with thousands of addresses holding that value.

Filtering the Results
Return to your target application and change the value (e.g., take damage so health becomes 85).
In MemSpy, change the value field to 85.
Click Next Scan.
Repeat this process of changing the value and scanning until you are left with a few addresses.
Double-click the correct address to move it to your active cheat table at the bottom of the screen.

Step 3: Finding What Writes to the Address
The address you found is dynamic. If you restart the app, this address will change. You need to find the instructions interacting with it.
Right-click the saved address in your active table.
Select Find out what writes to this address (this attaches a debugger to the process).
Change the value inside your application again.
A debugger window will pop up showing an assembly instruction, such as mov [edx+10], eax.
Click on the instruction. Look at the bottom metadata panel to find the value of the pointer.
Example: If the instruction is mov [edx+10], eax, look for the value of edx. Let's assume edx is 0x00F4A320. The 10 (hexadecimal 0x10) is your Offset.

Step 4: Scanning for the Pointer
Now you need to find the address that holds the pointer value 0x00F4A320.
Copy the pointer value (00F4A320).
Check the Hex box next to the MemSpy value input field.
Paste the pointer value into the scan bar.
Click New Scan, then First Scan.
This returns addresses holding the pointer. If you get multiple results, you may need to filter them or look for an address highlighted in green text. Green text signifies a static base address belonging to the application module (e.g., executable.exe+0x002B10).
If the address is black, it is another dynamic pointer. You must repeat Step 3 and Step 4 on this new address to find the next link in the chain.

Step 5: Mapping the Pointer Chain
Once you trace the path back to a static base module, you have successfully built a pointer chain. A typical multi-level pointer chain looks like this:
"executable.exe" + 0x002B10 → Offset 0x14 → Offset 0x0C → Offset 0x10 → Your Target Value

Verifying the Chain in MemSpy
Click Add Address Manually in the active table area.
Check the Pointer box.
Input the base module address (e.g., executable.exe+002B10).
Click Add Offset to add rows for each offset you discovered, entering them from the bottom up.
Click OK.
If the value displayed in your manual pointer matches your in-game value—and remains correct even after restarting the target application—you have successfully found a permanent pointer chain like a pro.
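As an added example (not MemSpy's code and not part of the original tutorial), the following Python models the chain above as a constructed 32-bit memory snapshot and resolves it exactly the way the manual pointer entry does: read the pointer at the static base, add the next offset, repeat, and read the value at the last offset. The module base, heap addresses and health values are made-up constants; the offsets are the ones from the chain above, and a null or unmapped link is reported instead of crashing, which is what you see in MemSpy when the object has not been allocated yet.

```python
import struct

STATIC_OFFSET = 0x002B10          # "executable.exe"+0x002B10 from the tutorial
OFFSETS = [0x14, 0x0C, 0x10]      # chain offsets, applied in order from the base


def u32(value):
    """Encode a 32-bit little-endian cell, as a 32-bit process stores it."""
    return struct.pack("<I", value)


def build_memory(module_base, heap_base, value):
    """Constructed sparse snapshot: address -> 4 little-endian bytes (assumed layout).

    Three heap objects A, B, C are placed so the tutorial's chain holds:
    exe+0x2B10 -> A, A+0x14 -> B, B+0x0C -> C, C+0x10 -> value.
    With heap_base 0x00F4A000, C is 0x00F4A320, the edx value seen in the debugger.
    """
    a, b, c = heap_base, heap_base + 0x1000, heap_base + 0x320
    return {
        module_base + STATIC_OFFSET: u32(a),
        a + 0x14: u32(b),
        b + 0x0C: u32(c),
        c + 0x10: u32(value),
    }


def read_u32(mem, addr):
    """Read a 32-bit value; an unmapped address raises like an access violation would."""
    if addr not in mem:
        raise MemoryError(f"access violation at 0x{addr:08X}")
    return struct.unpack("<I", mem[addr])[0]


def resolve_chain(mem, module_base, static_offset, offsets):
    """Walk the chain; return (final_address, value), or None if a link is null or unmapped."""
    addr = module_base + static_offset
    try:
        for off in offsets:
            ptr = read_u32(mem, addr)
            if ptr == 0:                  # object not allocated yet (e.g. still on the menu)
                return None
            addr = ptr + off              # next link lives at pointer + offset
        return addr, read_u32(mem, addr)  # the last offset points at the value itself
    except MemoryError:
        return None


if __name__ == "__main__":
    # First run, then a "restart" where both the module and the heap land elsewhere.
    for base, heap, hp in ((0x00400000, 0x00F4A000, 85), (0x01230000, 0x02A10000, 100)):
        snapshot = build_memory(base, heap, hp)
        print(f"exe@0x{base:08X}: {resolve_chain(snapshot, base, STATIC_OFFSET, OFFSETS)}")
```

Because the chain stores only the static offset and the per-level offsets, the same call resolves both snapshots even though every absolute address differs between them.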
If you want to troubleshoot a specific step or need help scripting this pointer chain, let me know:
What data type does your target value use?
How many levels of offsets have you uncovered so far?
Are you encountering any anti-cheat or access violation errors?
I can provide tailored debugging steps or code snippets based on your setup.