CrySearch Memory Scanner

Release Notes

CrySearch Memory Scanner

Author: evolution536
Websites: www.unknowncheats.me, www.crysearch.nl

v3.3:

• Changes to Import Parser:
• Fixed bug where restoring the function address from the export table would fail because of ordinal misclassification;
• Fixed bug where API Set redirections would be incorrectly resolved in rare cases;
• Fixed bug where some packed application such as UPX would display wrong output for some functions.
• Changes to Disassembler:
• Fixed bug where entrypoint button did not work correctly;
• Fixed bug where CrySearch would crash when opening certain packed applications.
• Added code cave scanner to the tools menu (Since v3.2, forgot release note);
• Fixed bug in address table where selecting pointer mode and no offsets would crash CrySearch;
• Added option in settings dialog to leave physically unbacked pages alone (anti-cheat option);
• Updated Capstone library to version 3.0.5;
• Updated U++ to 12158;
• Fixed the PID brute-forcing algorithm to only consider 4-byte aligned PIDs (Mi4uric3's suggestion);
• Fixed bug in the memory scanner where any next scan after the second one resulted in wrong results.

v3.2:

• Changed the Unknowncheats forum link in about dialog to the CrySearch website (www.crysearch.nl);
• Changes to the disassembler:
• Fixed bug where not all contents of some memory page would be disassembled by Capstone;
• Removed memory page selection control in favor of scrolling from page to page using up and down buttons;
• Reverted back to one background thread, threadpools and multiple threads are not necessary.
• Fixed bugs in memory scanner, resulting in certain ranges of memory not being searched at all;
• Added description of address table entry to memory dissection window where applicable.

v3.1:

• Fixed crashing bug in x64 on closing of process opened with module list warning;
• Implemented pointer logic for address table:
• In address table entry dialog, at most 16 offsets can be added;
• Settings dialog provides option to format offsets in decimal or hexadecimal.
• Fixes and changes to the memory dissection window:
• Now possible to double click some entry to edit its value;
• Fixed bug where existing values for entries would be incorrectly read in change value dialog;
• Now possible to freeze an address. This will automatically add the address to the address table;
• Fixed bug where altering the types of dissection rows would result in incorrect offsets;
• Added type guessing for dissection rows, enabled by default from the settings window in the memory dissection window;
• Now possible to create a dissection at some pointer-sized value that could be a pointer, by right-clicking the dissection row;
• 'Change Pointer' window is now called 'Edit', and provides possibility to change the size and pointer;
• Fixed bug where setting a global data type for all rows would not change everything properly.
• Fixed bug in read-only operation mode where address table values would not be periodically updated;
• Removed the Code Generator component. The code generator will be developed as a separate command-line application;
• Fixes and additions to the debugger window:
• Fixed bug where stack view would present incorrect measures;
• Added right-click options to copy the value of registers and stack addresses.
• Switched from BeaEngine to Capstone for disassembling;
• Added the name and architecture of the opened process in crash handler information;
• Fixed bug where import address table of deprecated library WSOCK32.DLL would crash CrySearch;
• Fixed bug where selecting the module with the highest index and opening a process with less modules could crash CrySearch.

v3.0:

• Slight performance optimizations by eliminating heap allocations;
• Added a configurable warning (advanced tab, settings window) for when OriginalFirstThunk is zero: e.g. the application is packed;
• Revised the memory scanner for performance and I/O usage:
• Changed the disk storage scheme from plain value array to using a bitset and more complex data structure on disk;
• Major changes for code size and speed;
• Changes resulted in improved search performance, especially for larger scans.
• Added a window to view all committed memory page in the target process, with the possiblity to free them (Allocate memory window);
• Fixed race condition issue in the caching of search results for the user interface, keeping more results in memory than intended;
• Improvements and changes to dumper plugins:
• Added a first version of a dumper that dumps a module by enumerating the pages inside the process base address plus size range (needs to be perfected);
• Added a signature to dumped files; the signature is placed in the NumberOfSymbols and PointerToSymbolTable fields in the PE header.
• Added option (settings window, advanced tab) to show architecture of process in open process window (intrusive, turned off by default);
• Added feature for brute-forcing process IDs (PID) to find possibly hidden processes. Available from Tools window:
• Tries PIDs from 0 to 65535, and colors processes that were not found in the regular process list red;
• Allows opening of brute-forced processes from right clicking.
• Fixed a bug where CrySearch fails to retrieve the module list on opening a process that results in an infinite loop;
• Some general code improvements that resulted in decreased executable file size;
• Refactored hotkey system and added hotkey that toggles freeze/thaw on all address table entries;
• Fixed bugs in thread hijacking method for DLL injection where:
• If the opened process never communicates back that injection has finished, the injection process would enter an infinite loop;
• The first thread was always selected for hijacking. A thread is randomly selected now instead for better compatibility.
• Slightly adjusted the CPU information in the about window: sorted chronologically, added CPU brand string and removed VMX;
• Fixed bug with routine override functions where deleting a used plugin from the plugin directory and opening the settings window subsequently would crash CrySearch;
• Fixed bug where type would be changed incorrectly in the change dialog of an address table entry;
• Removed the scan thread priority setting from the settings window;
• Changes in the address table:
• Removed the frozen parameter from persistent address table storage;
• Fixed bug where freezing an address table entry would revert after a few minutes of playing.

v2.11:

• Added scanning for values that are in between of two user-entered values;
• Fixed an inconsistency in comparing floats and doubles, not being rounded to the nearest integer;
• Fixed bug in the new scan window where the hexadecimal view option was not correctly toggled when selecting float or double types;
• Fixed bug in the imports window in CrySearch x64 where non-WOW64 modules were not removed in the module droplist;
• Some improvements to the View Handles window:
• Fixed bug where some handle access masks would cause CrySearch to hang;
• Fixed bug where handles would not be displayed when the name could not be queried;
• Now queries mount points using QueryDosDevice to present drive letters rather than native device paths.
• Fixed byte masking for the signature generation window:
• Added an option in the signature generation window to choose for automatic masking, and a corresponding default option in the settings window.
• Control transfer instructions and instructions with an immediate value are masked.
• Improved some cosmetics for windows and controls.

v2.10:

• Added right-click option to dump heaps in heap walk dialog (whatever is readable from the memory of the heap will be dumped);
• Revised memory scanner, performance changes should be noticable:
• In very big scans, performance improvement is negligible, because I/O still is the bottleneck. However, less time is wasted in not writing anything;
• Out-of-memory exceptions that used to occur are very unlikely to occur again;
• Improved value comparison, reducing processing overhead in scanning.
• Fixed bug where opening an x64 process with CrySearch x86 would give two error messages instead of one;
• Slight performance improvement in the import address table parser;
• Fixed bug in the import table parser that could cause a crash when resolving modules with an empty export table;
• Put a limit of 512 entries on the address table. If this limit is violated, nothing will be added. Instead, it will show you how many entries may be added;
• Fixed bug in disassembler with incorrect disassembly by reducing number of threads to 1;
• Started using BeaEngine v5.0 dev in CrySearch x86 because Windows Defender is annoyingly and falsely detecting BeaEngine.dll as malicious.

v2.05:

• Added the version number of the U++ trunk used to compile CrySearch to the about dialog;
• Fixed bug in the plugin system where loading a plugin with the same name would cause undefined behavior;
• Added support for plugin-defined core routines (An example plugin has been added in OverrideTestPlugin):
• Opening a process;
• Reading from process memory;
• Writing to process memory;
• Changing process memory protection constants.
• Fixed bug where the "NOP Selected" button in the disassembler window was visible in read-only mode;
• Added an error message for when no modules could be retrieved. This is useful to know because only half of CrySearch will work in this case;
• Changes in the module system:
• Fixed a bug where enumerating WOW64 modules would not work properly anymore in newer Windows versions;
• Added an option for x64 mode to hide modules that are not wow64, which is enabled by default for comfort.
• Fixed a bug in retrieving the .NET section of a process, where invalid data would crash CrySearch;
• Fixed possible buffer overrun bugs in several parts of CrySearch;
• Fixed bug in retrieving function addresses from modules that were previously hidden, that could crash CrySearch.

v2.04:

• Added feature to NOP out selected rows using right-click menu in the disassembly window;
• Fixed a bug in the PE window where the image base of an x64 process would be truncated to 32-bits;
• Fixed a bug where freezing and thawing addresses in the address table would not work properly anymore;
• Added the possibility to edit multiple selected address table entries at the same time, only by right-clicking and excluding editing the address;
• Reduced the timeout for retrieving window icons in the open process window;
• Improved the disassembler window:
• Added an option to go back to the entrypoint in the toolstrip and the right-click menu;
• Added resolving of intermodular function calls to functions in the import address table;
• Added heavy parallellism to the disassembler, greatly increasing processing speeds.
• Added a threshold to the amount of rows that can be selected for signature or byte array generation. This threshold is set to 256;
• Partially added masking for signature generation in the disassembly window.

v2.03:

• Some changes were made to the command line process analysis automation:
• Fixed a bug where a zombie process would still be succesfully opened for automated analysis using command line options;
• Added the name of the containing module to the start address of outputted threads.
• Fixed a few small bugs in the debugger:
• Fixed a bug where the attached process crashing after setting a write breakpoint would also crash CrySearch;
• Fixed a bug where very frequent refreshes of the call stack on breakpoint hit would crash CrySearch.
• Added a read-only operation mode:
• Setting available from the Settings window;
• Behavioral warning when changing the setting while a process is opened;
• Every component that writes to the opened process or requires writing permissions is disabled at user interface level.
• Changed the size of most input fields and buttons. Some operating systems showed them to be too small;
• Fixed a bug in the new scan window where selecting unknown initial value followed by string or array of bytes would render the window unusable.

v2.02:

• Added a view option to the right-click menu for search results to manually switch view of formatting to hexadecimal;
• Fixed bug where Null integer values 0x80000000(00000000) were not propely formatted in views;
• Fixed a bug where it was not possible to enter relative addresses in:
• The memory dissector component;
• The disassembler, to to address dialog.
• Fixed bug where clearing the scan results would not disable the next scan button accordingly;
• Made some changes to toolbars and menu bars:
• Moved heap walk from disassembly window button to Tools menu bar;
• Added signature and byte array generation buttons to disassembly window toolbar as well;
• Added page size indicator in the disassembly window toolbar, on the right.

v2.01:

• Fixed bug in disassembler where going to an address from a search result may crash the application;
• Fixed serious bug in next scans: unchanged, changed, increased and decreased value.

v2.0:

• Fixed a bug in the crash handler window where the module names of stack trace entries would not correctly resolve;
• Added support for Windows 10:
• Fixed OS version detection for Windows 10;
• Added support for Windows 10 ApiSetSchema;
• Support for UHD displays was added due to a major U++ update. Therefore the toolbar icons are smaller than they used to be;
• Added a tool to fill the memory with a specific value or randomized values. This tool can be found in the Tools menu.

A new revision is released after v1.18. Major improvements were implemented and XP support is discontinued. CrySearch may still work on Windows XP but support may be removed in the future.

v1.18:

• Improved memory dissector:
• Fixed bug where row offsets did not change correctly when changing its size;
• Added option to right-click address in memory dissection window to add it to the address table;
• Added option to edit the value of the row inline.
• Fixed bug in next scan where array of bytes and string sizes were not set, resulting in null searches;
• Fixed bug in disassembler where disassembling would stop on error, not covering the whole page;
• Improved debugger:
• Fixed bug for breakpoints that were set on branch instructions. They could not be resolved after the branch was taken;
• Fixed bug where closing the application with breakpoints active could freeze the execution.
• Fixed bug with address table where freezing a value would not work properly anymore due to previous optimizations;
• Fixed bug in memory scanner where it was possible, very rarely, for a data race to occur when counting the results;
• Fixed bug where subsequent next scans could crash the application;
• Added about dialog detection for instruction sets AVX2, FMA3 and TSX;
• Improved performance of string, wstring and aob scans by eliminating the values file dependency;
• Optimized the way readable memory is assigned to workers, increasing memory scanner speed;
• Fixed bug in imports window where loaded modules with an empty import table would return false information or potentially crash application;
• Added function counter in the imports window that displays the amount of functions imported from the selected module;
• Fixed bug in main window where hiding and showing the bottom pane would eliminate the drag limit;
• Fixed bug in code generator where generating code for static addresses could possibly crash the application;
• Fixed bug in main window where hiding and showing the disassembly window would crash the application.

v1.17:

• Added multiple selection possibility for search results. Select multiple and right-click to add them to the address table;
• Added possibility to select multiple address table entries and remove them all at once;
• Fixed bug in registering CrySearch as default program for opening address tables where the registry key could not be read;
• Fixed bug where dump failure in module section dump window would unwantedly close the window;
• Added CrySearch version number to the crash dump for more accurate reporting of bugs;
• Fixed bug where entering a bigger string in an address table entry would not alter the same search result simultaniously;
• Added option to match strings until a null terminator character is found. 256 characters is the maximum string length;
• Added command line options. This allows to automate the use of CrySearch as an analysis application (See command help);
• Added an option to use the DEL key on the keyboard to delete multiple items at once from the address table;
• Following a debugger breakpoint hit instruction now scrolls down further, and selects the address in case;
• Changed the disassembler to load any readable, writable and executable memory page in the process instead of only readable and executable.

v1.16:

• Improved overall performance of the application:
• Improved user interface performance in several places due to replacement of slow formatting functions;
• Improved memory usage and performance of the memory dissector by enabling dynamic reading of values;
• Improved debugger performance slightly by optimizing the stack view;
• Improved module window performance by optimizing the way modules are saved and retrieved.
• Fixed bug where detaching the debugger would not accurately remove all breakpoints;
• Fixed existing bug where changing the size of the first memory dissection row would make the second row not size properly;
• Fixed bug where loading 64-bit address table in 32-bit CrySearch could possible crash the application;
• Added indicator labels in the modules window and threads window to indicate the amount of modules that are being displayed;
• Fixed a few bugs related to rare occasion sanity checking in the PE parser that would have led to crashing the application;
• Fixed bug where changing the relative address of an address table entry to another module would not actually change the module name;
• Added user interface warning for failed lookup of NTDLL functions used by CrySearch;
• Fixed bug where crash handler window would not function properly when exception occured inside child thread;
• Added option to hide bottom pane of the application main window. This option is available in the Window menu;
• Fixed code generator to take relative addresses into account;
• Added retrieval of command line, working directory and window title inside PEB window.

v1.15:

• The icon of CrySearch has changed, thanks to Daax. He crafted a wonderful new icon for CrySearch;
• Improved part of the plugin SDK documentation;
• Made a few changes, bug fixes and improvements to the memory dissection window:
• Customized drawing of the memory dissection window, now drawing the address/offset in black and the type in grey;
• Fixed bug caused in the changes of last version where the address table file was not properly saved to file anymore;
• Fixed bug where float values would always be displayed as 0.0000000 values;
• Fixed bug where CrySearch did not save memory dissection contents in the address table file. Custom row types need this;
• Fixed bug where altering the type or size of a row would mangle the offset of the second entry in the wrong way;
• Fixed bug where changing the view mode of dissection rows when there are no dissections loaded would crash CrySearch;
• Fixed bug where setting hexadecimal view mode and default hexadecimal view mode were interfering.
• Changed plugin about box title to match the plugin name. This looks better than the default title;
• Added possibility to scan a process' memory for hexadecimal values. This option applies for byte, short, int and long;
• Changed thread window to resolve thread start addresses to a module and function if the opened process provides symbols;
• Greatly improved disassembler;
• Fixed bug where selecting multiple rows of disassembly to operate on a breakpoint would cause undefined behavior;
• Disassembler dynamically refreshes with user interface flow. This greatly reduces memory usage and indirectly fixes related bugs;
• Fixed bug where escaping the 'Go to address' dialog would refresh the disassembly. This was overhead.
• Added additional icons for existing operations in some tab windows to signify their existence in CrySearch;
• Greatly improved memory usage and performance of the memory scanner. Values are dynamically built by the display;
• Fixed bug in the dialog for modifying an address table entry where relative addresses could be duplicated in the table.

v1.14:

• Added event procedure to plugin system. CrySearch calls the event procedure for default in-app events like process open/close;
• Small user interface detail modifications and improvements:
• Changed width of the plugin window. Users may make plugins that require longer names or descriptions;
• Changed padding of address table control in the main window to fit the wireframe of the main window better;
• Changed array display controls to have a minimum column width. This prevents columns to be dragged out of range.
• Added user interface value updating for the search results. The update interval is the same as the address table update interval;
• Improved process creation from process selection window. You can now input arguments and start a process in suspended state;
• Fixed bug in imports window where setting a hook on some functions would crash the application;
• Added thread hijacking injection method for DLL files. Works for both x86 and x64 and the injection method is selectable from the Settings dialog;
• Cleared up the progress of setting a hook in the import table. When the function fails, it will display an error now;
• Greatly improved debugger and fixed bugs:
• Fixed bug in stack view where selecting a stack size higher than 1024 would cause undefined behavior;
• Fixed major bug in breakpoint set by the debugger not being reset after being hit;
• Fixed disabled breakpoints views (red colors) not being properly cleared after the breakpoint list goes empty;
• Fixed hardware breakpoints being set incorrectly resulting in undefined behavior depending on the process;
• Fixed instability where very fast subsequent breakpoint hits would result in crashing the application;
• Fixed instability where removing a breakpoint during very fast subsequent breakpoint hits would result in crashing the application.
• Renamed the 'General' tabpage in the Settings window to 'Internals';
• Improved error messaging using the module dumper more clear for when there is no dumper available;
• Fixed bug where String and WString updating sequences would result in unpredicted data and high cpu utilization;
• Fixed bug where float values in the search results or address table would always be truncated to 0.

v1.13:

• Changed about dialog to show a list of loaded libraries including their runtime versions;
• Added thread context snapshot feature. Right-click thread in thread window to open the snapshot window;
• Finally fixed process window closure bug. Wait cursor is displayed and window closure is delayed until next possible break oppertunity;
• Fixed dialog bug where tab no key other than the ESC key could be used;
• Fixed tab indices of controls in new scan dialog being wrong;
• Added memory dissection feature containing the following functionality:
• Basic dissection of memory blocks. Click Tools->Memory Dissection;
• Time-based updating of display-visible memory region. The interval is configurable;
• Right-click address table entry and create a dissection from it with a single click;
• Typing of dissection entries where type and length are selectable per row.
• Improved performance of memory scan that was decreased by the relative addresses feature;
• Fixed bug in address table where relative address weren't resolved if process was loaded after address table file was loaded;
• Fixed bug in address table where saving address table entries that didn't correctly resolve on load as invalid relative address crashed CrySearch;
• Fixed bug in main window where 'Edit'->'Clear Address List' would crash CrySearch if process was closed before clearing;
• Fixed bug in main window where closing a process would not refresh address table correctly;
• Fixed bug in process environment block window where x64 PEB address was not displayed correctly;
• Added Anti-Anti-Debugging with NtGlobalFlags. Attempting to hide the debugger from PEB option utilizes this feature.

v1.12:

• Fixed bug in process selection window where search box may reveal duplicate processes in the list;
• Added possibility to disable a breakpoint before removing it from the list to allow the breakpoint data to be available when the breakpoint is inactive. Available from right-click in debugger window;
• Changed the way the debugger catches unhandled exceptions:
• Added an option in the 'Settings' window to toggle whether exceptions should be caught;
• Changed exception message dialog to present 'Ignore' or 'Abort' choices to the user.
• Added toolstrip to the 'Debugger' tab window including button to clear breakpoints;
• Partial implementation of relative addresses:
• Search results that appear static are displayed in green. The appearance of an address is assumed based on address ranges;
• Address tables handle and persist offsets and address relativity, display as well as user input.
• Fixed implementation of editing hotkeys inside the 'Settings' window. It was never complete but it is now;
• Fixed bug in internal function improving performance and preventing possible memory leaks;
• Added byte-array generation for C++ and C# programming languages. Available from 'Disassembly' window by right-clicking multiple selected rows;
• Added CrySearch version number to address table file for future use;
• Fixed bug in address table file causing the process name to be incorrect in certain situations;
• Fixed bug in process selection window crashing when window is closed rapidly with callbacks running.

v1.11:

• Fixed bug with searching for processes in process selection dialog, not filtering because of previous async fix;
• Changed 'manually add address' dialog to support type selection too, as well as the title has changed slightly (Also affects edit address table entry);
• Fixed array of bytes' search results not being the correct length after being double-clicked;
• Added signature generation in FindPattern and bytearray (Evo) format. Available from 'Disassembly' window by right-clicking multiple selected rows.

v1.10:

• Added crash reporting system. When CrySearch crashes a crash report is generated for support;
• Changed data windows for module sections, heaps and handles to be sizeable and added count label;
• Added customizable routines in Settings window for ReadProcessMemory, WriteProcessMemory and VirtualProtectEx;
• Added CrySearch library, dissecting functionality from the executable to a library for plugin and future use;
• Added plugin system:
• Plugins folder for both architectures;
• Plugins window under 'Tools' with information and diagnostic options;
• Shipped plugin SDK to write own plugins.
• Changed module section dumper (default dumper) to be a plugin for CrySearch that is shipped by default, and fixed its file alignment;
• Changed loading and unloading of modules via the module window not to block in case the DLL entrypoint is blocking; (5 seconds timeout)
• Changed process opening window to asynchronously enumerate icons for available windows to avoid blocking the ui thread;
• Added possibility to jump to disassembler from call stack entry using right-click.

v1.09:

• Applied several performance fixes, increasing overall performance and memory usage. The disassembler is noticably faster;
• Added option to manually associate the .csat file extension with CrySearch (elevation is necessary);
• Added button to 'Save' address table instead of 'Save As' every time. 'Save' is enabled whenever a table is opened;
• Fixed an issue with the restoration of the EAT address of a function in the Imports window;
• Added system handle enumeration dialog in Tools menu:
• Close a remote handle inside the target process;
• View its access mask in human readable MSDN constants.
• Extended imports window to feature view of imports of every module in the loaded process;
• Fixed a bug with checking for ordinal imported functions skipping the name where it shouldn't be skipped;
• Changed memory allocation during memory scans to reduce aggressive allocation resulting in out-of-memory exceptions;
• Added .NET sections to lower right pane of General window. Allows dumping of .NET sections.

v1.08:

• Changed the forum link in the about dialog to resolve to the CrySearch thread instead of the forum home page;
• Added option to format input value in hexadecimal when changing the integer value of an address table entry;
• Added process name to save file for future use;
• Changed the debugger window to effectively support multiple breakpoints, which was a major flaw in the first version;
• Added the breakpoint trigger address to the debugger window, with 'follow in disassembler' feature on click;
• Implemented 'Unknown Initial Value' as scanning type for the memory scanner;
• Added customizable stack read limit on breakpoint hit, editable from the Settings dialog;
• Refactored the Settings dialog to specialize certain settings;
• Added feature to suspend and resume the entire process. This feature does not provide distinction between suspended and running threads;
• Fixed bug that caused CrySearch to crash when a process contains more than 256 modules;
• Dropped Toolhelp32 as library in favor of NtQuerySystemInformation;
• Added feature to thread window where CrySearch is able to identify suspended threads;
• Changed the window title to contain the process identifier when a process is opened;
• Added possibility to enter API function as start address for a new thread. Format: (name.dll!function);
• Added option to randomize window title. Located under the menu 'Window';
• Changed the amount of search results visible in the user interface to 100.000 to reduce memory usage.

v1.07:

• Added key accelerators to disassembly window to quicken certain actions;
• Added heap walking feature in disassembly window to view the heaps associated with the opened process;
• Changed the margin for resizing the splitter vertically in the main window to be smaller;
• Fixed unicode string option to be invisible when string or wstring data type is not selected in change record dialog;
• Added option to set CrySearch's main window to be always on top. Added to the 'Window' menu;
• Fixed bug in IAT procedure to crash on ordinal lookup failure for some processes;
• Fixed bug in general PE information not being reset on process closure;
• Fixed bug in CrySearch x64 where GetClassLongPtr had to be used in order to succesfully retrieve the window icon;
• Fixed bug where CrySearch would crash when the PE headers are destroyed;
• Changed restore PE headers from file in module window to search working directory of module as starting directory.

v1.06:

• Changed right-click selectable to set breakpoints from invisible to disabled in case the debugger is not attached;
• Added option in module window to open the working directory of a module in the Windows Explorer;
• Added possibility to sort the processes in the process selection window per column by clicking the desired column header;
• Changed the 'Go to Address' button in the Disassembly window to go to the lower neighbor in case the address is not exact;
• Added column in process selection window to display icon associated to main window of a process;
• Added option in process selection window to hide processes that do not have a main window;
• Added dragging area in process selection window that allows the user to drag the mouse to the window of the desired process;
• Added button in module window to dump entire process into folder which includes all modules of the process;
• Added feature to dump specific sections of a module inside the opened process using right-click in the module window.

v1.05:

• Fixed major crash when opening processes which executable's IAT is mangled or modified;
• Fixed dump issue with section dump, where raw section size may be 0. If so, normal section size is used;
• Added basic disassembly using BeaEngine, showing address, bytes and OPcodes;
• Added debugger supporting:
• Software breakpoints;
• Hardware breakpoints;
• Hiding itself from PEB;
• Handling symbols with option to invade process.
• Added versioning information to the PE resources;
• Added checkbox in context menu of address table that indicates whether hexadecimal view is enabled;
• Due to a recent addition in the U++ framework, the overal application size reduced by 130 kb;
• Reduced size of toolbar images, to also reduce size of the toolbar itself;
• Fixed bug in ApiSetSchema resolving that would cause a crash in a small amount of situations;
• About dialog:
• Added U++ support link;
• Added CPUID display that shows hardware supported processor extensions.

v1.04:

• Fixed dumping of modules in module window, forcing to dump .dll when trying to dump the main executable module;
• Added ApiSetSchema resolving for Windows 8.1 and fixed a bug samiliar to its implementation for Windows 7;
• Changed definition of PEB and TEB to be more complete and accurate;
• Fixed crash when restoring address in IAT, case-sensitive comparing was necessary;
• Fixed crash when restoring address of virtualized API from imports window;
• Added correct address resolving and restoring of forwarded functions, now retrieving address from forwarded endpoint module;
• Changed about dialog with a clickable link to the unknowncheats forum and richer text;
• Added button to manually add addresses to the address table;
• Fixed bug with dumping a module, where occasionally the string length is incorrect, resulting in a mismatch;
• Fixed bug with ordinal import resolving where invalid address would be returned and added warning on invalid addresses.

v1.03:

• Fixed IAT module name, being too short with 32 bytes, now 48 bytes;
• Added TEB view for threads in opened process;
• Added IAT hooking, allowing user to overwrite function address in IAT;
• Added IAT unhooking, restoring the address of a previously hooked function from module's EAT;
• Added ordinal import name lookup in IAT window, ordinal imports are now displayed by foreign function name;
• Hooked imports are displayed in red to indicate the user that it is possibly hooked;
• Optimized PE operations by purging calls to ReadProcessMemory, speeding up the initialization process of CrySearch;
• Added button to refresh IAT manually;
• Added ApiSetSchema resolving for Windows 7+, redirected API's are resolved to its logical dll (This does not work on Windows 8.1);
• Added PEB window with a table view of the PEB contents, including a button to reset the BeingDebugged flag.

v1.02:

• Added hotkey configuration feature, for a basic set of keys and actions and keys;
• Fixed process open window search function not being able to press return to open first search result;
• Fixed terminated process not being detected, leaving CrySearch in a blind state (improvement for bugfix in v1.01);
• Added possibility to create process from file instead of opening an existing one;
• Added next scan conditions for increased and decreased value;
• Improved check against x64 processes when using x86 CrySearch;
• Changed CrySearch x64 for it to be fully compatible with Wow64 processes;
• Added several code size optimizations;
• Added IAT viewing (in tabpage: Imports);
• Removed warning at first startup, default settings are silently restored instead.

v1.01:

• Fixed x86 and x64 settings file conflicting;
• Fixed scanning bug when process was terminated outside CrySearch;
• Fixed instability/crash when XML in settings file is modified unexpectedly;
• Fixed bug when closing and reoping 'General' window, where old section entries were not deleted;
• Fixed bug where opening a x86 process from x64 CrySearch, image base is incorrect;
• Added search box in process window to simplify loading of processes;
• Added shortcut closing of tool windows using Escape.

v1.0:

• First release.