[hr:3ix3o7qs][/hr:3ix3o7qs]Introduction[hr:3ix3o7qs][/hr:3ix3o7qs]Google Chrome is a multi-process browser and it may be confusing to find out which process is the right one to attach to when hacking flash games....because they're all "chrome.exe". This tutorial shows how to find the correct one, and how to attach cheat engine or swfmdump to it.


[hr:3ix3o7qs][/hr:3ix3o7qs]Instructions[hr:3ix3o7qs][/hr:3ix3o7qs]
1. Load a flash file in google chrome.

2. Go to about:memory (type that in the address bar and press enter).
(broken image removed)

3. In "Processes", find "Plug-in: Shockwave Flash" and pay attention to its placement and Process ID (PID). In my picture, it's 4th in the list with a PID of 3296 (in decimal) or CE0 (in hex). The placement and PID is changes every time.
(broken image removed)

4. 4th process in the list, PID is 3296 in decimal and CE0 in hex. That's pretty much it, but I'll show how to attach cheat engine and swfmdump to that process.
Here's a random decimal to hex (and vice versa) converter you could use.


[hr:3ix3o7qs][/hr:3ix3o7qs]Attaching to Cheat Engine (CE)[hr:3ix3o7qs][/hr:3ix3o7qs]In Cheat Engine, one attaches CE to the process by clicking the computer icon, or clicking the "Process" button, though I personally use the latter (one less click heh).

1st method.
(broken image removed)
Click the computer icon, choose the 4th chrome.exe process. It should have a PID of CE0 (it's in hex). Click "Open".

2nd method.
(broken image removed)
Click the "Process" button.

(broken image removed)
Choose the 4th chrome.exe process from the bottom. It should have a PID of CE0 (it's in hex). Simply click on it.



[hr:3ix3o7qs][/hr:3ix3o7qs]Attaching to swfmdump[hr:3ix3o7qs][/hr:3ix3o7qs]

(broken image removed)
 Click the 4th chrome.exe process. It should have a PID of 3296 (in decimal now). Click on it and choose scan.


[hr:3ix3o7qs][/hr:3ix3o7qs]Note[hr:3ix3o7qs][/hr:3ix3o7qs]The PID and placement of that process will probably change every time.

[Edit by phreneticus]: Fix'd the images.

Do I need to register at imageshack to see those images?

The images are working, what are you on about?

As an on-topic remark, Chrome now (ver. 10.0.648.204) makes it super easy to target Flash. It's the Chrome process right after rundll32.exe

So I posted earlier about this, and got the original idea from SatanicGurrl.. I love it a lot, but you just need to do it everytime Chrome gets updated.

This is just about finding the right process in Chrome to attach CE to.

What it does is that it adds the Equivalent Hex values to the PID column in the about:memory page so you don't have to keep translating the Decimal Values into Hex every time.

When you're done, it'll look something like this:
(broken image removed)

• Download and install Resource Hacker.
• Open Resource Hacker and open (Ctrl+O) the latest chrome.dll file by navigating to
  Code: [Select]
  %LOCALAPPDATA%GoogleChromeApplication and open the latest version folder (highest numbered folder). From here, just open chrome.dll.
• Inside Resource Hacker, with chrome.dll open, navigate to BINDATA/501/0. This should open up the template page for about:memory inside Chrome.
• Locate the two lines where it says
  Code: [Select]
  <span class='th' jscontent="pid"></span>You'll find them closer to the end, one after <tr jsselect="browzr_data">
  and another after <tr jsselect="child_data">.
• Change each of above span tagged lines to
  Code: [Select]
  <span class='th' jscontent="pid+'n0x'+(pid.toString(16).length<4?'0':'')+pid.toString(16).toUpperCase()"></span>This just gets Chrome to show the PID in Hex under the Decimal value in uppercase with padded 0s.
• From here, just hit the Compile Script button (Alt+C) and Save (Ctrl+S) the file. It's recommended that you save while Chrome isn't open so that the program doesn't overwrite your changes on closing.
• Once you startup Chrome, head to the About:Memory page, and you should be all set until the next update! (broken image removed)

Of course, I forgot to add that you just take the Hex value of the process alongside "Shockwave Flash" and use that to attach to Cheat Engine.

Edit: Found %LOCALAPPDATA% Variable

For the really lazy, just target the chrome.exe process which comes right after rundll32.exe
Seriously, it's that easy now.

I wanted to add that I'm running Linux (Ubuntu 10.04) and using GameConqueror 0.12 instead of CheatEngine. Google Chrome on this setup runs a process called npviewer.bin for flash. Just a warning that re-loading the web page or switching games kills this process and may crash GC if you are still monitoring the process.