Cheat Engine The Official Site of Cheat Engine
hondafrik Advanced Cheater Reputation: 0
Joined: 15 Jan 2014 Posts: 60 Location: Croatia
|
Posted: Fri Feb 13, 2015 12:05 pm Post subject: how to change aob scan second result? |
|
|
For example:
Code: |
Aobscan(time,8F 31 3C 82 C0 74 28 8B 50 08 8B 4A 50)
time:
db 8B 31 62 85 CF 74 28 8B 50 08 8B 4A 50
|
It always changes the first result, so my question is how to choose which one to change (for example the third one) and how to change all results and not only the first one. Thank you in advance.
|
alanze Advanced Cheater Reputation: 3
Joined: 03 Oct 2012 Posts: 50
|
Posted: Fri Feb 13, 2015 6:14 pm Post subject: |
|
|
In autoassemble you can change only the first result.
Here is a lua script if you want to change the second, third or deeper results:
Code: |
AoB = AOBScan("8F 31 3C 82 C0 74 28 8B 50 08 8B 4A 50")
if (AoB) then -- check if there are results or not
  lngt = AoB.getCount() -- get the AoB array length
  -- print("Results found: "..lngt)
  -- now we replace the third result
  if (lngt > 2) then writeBytes(AoB[2], 0x8F, 0x31, 0x3C, 0x82, 0xC0, 0x74) end
  -- now we replace the fourth result
  if (lngt > 3) then writeBytes(AoB[3], 0x8F, 0x31, 0x3C, 0x82, 0xC0, 0x74) end
  AoB.Destroy() -- destroy the array
  AoB = nil
else
  -- print("No results found.")
end
|
Note that the AoB[] array starts from 0. So the third result is 2 (AoB[2]).
Also "createMemScan(0)" can be used instead of "AOBScan" but is more complicated.
|
mgr.inz.Player I post too much Reputation: 218
Joined: 07 Nov 2008 Posts: 4438 Location: W kraju nad Wisla. UTC+01:00
|
Posted: Sat Feb 14, 2015 9:16 am Post subject: |
|
|
The AOBScan function in AutoAssembler is slightly different from the AOBScan function in Lua.
In AutoAssembler, all memory regions will be scanned (writable or not, executable or not, copyonwrite or not). And there is only one result: CE immediately stops scanning when the first address is found.
Lua's AOBScan behaves almost the same, but it finds all addresses and returns them as an array of strings (Free Pascal TStringList), in hexadecimal.
We use it like this:
results=AOBScan(aobstring)
or this:
results=AOBScan(luatable)
PS: Lua's AOBScan can have more parameters:
AOBScan(aobstring, protectionflags OPTIONAL, alignmenttype OPTIONAL, alignmentparam HALFOPTIONAL)
aobstring - it is a string (not a lua table)
protectionflags - it is a string
alignmenttype - it is an integer (fsmNotAligned=0, fsmAligned=1, fsmLastDigits=2)
alignmentparam - it is a string
Usage
Code: |
results=AOBScan(aobstring, '+W*X-C', fsmAligned, '4')
-- protection flags are set to: must be writable, doesn't care if executable or not, must NOT BE copyonwrite
-- alignment is enabled and addresses must be divisible by 4
|
|
hondafrik Advanced Cheater Reputation: 0
Joined: 15 Jan 2014 Posts: 60 Location: Croatia
|
Posted: Mon Feb 16, 2015 3:23 am Post subject: |
|
|
Thank you both for the answers.
@alanze your script tells me it failed, I don't know why; I have tried to figure it out for the last few hours and it failed every time.
@mgr.inz.Player I am still new to Lua and still learning, but can you make an example script? That way I will learn and understand better. I just need to change all results and to learn how to change the result I choose, for example the second one or just the third one; those are the two scripts I need.
Btw, a few months ago I tried to figure this out but without results, so I made this post to get help and understand this better.
|
panraven Grandmaster Cheater Reputation: 54
Joined: 01 Oct 2008 Posts: 941
|
Posted: Mon Feb 16, 2015 9:48 am Post subject: |
|
|
Try this; enter 'testzone' as the address in the memory view to see the test.
Code: |
define(_,luacall)
[ENABLE]
{$lua}
-- search: AoB to find; patch: AoB to write ('??' keeps the existing byte)
-- loop: results are numbered 1..loop cyclically (0 = number them 1..Count)
-- ...: the result numbers to patch (none = patch every result)
function AoBSwapEx(search, patch, protect, loop, ...) -- alignment omitted, as the default is fine
  protect = type(protect) ~= 'string' and '' or protect
  loop = type(loop) == 'number' and loop > 0 and math.floor(loop) == loop and loop or 0
  assert(type(search)=='string' and type(patch)=='string', '1st 2 parameters has to be aob string')
  -- build the byte mask from the patch string; -1 marks a wildcard
  local mask,wn = {},0
  for i = 1,string.len(patch),3 do
    local n = tonumber(string.sub(patch,i,i+2),16)
    if type(n)=='number' and n>= 0 and n < 256 then
      table.insert(mask,n)
    else
      table.insert(mask,-1)
      wn = wn + 1
    end
  end
  assert(#mask > wn,'nothing to patch')
  -- collect the requested result numbers
  local range,rn = {}, 0
  for i=1,select('#',...) do
    local p = select(i,...)
    if type(p)=='number' and p>0 and math.floor(p) == p and not range[p] then
      range[p] = true
      rn = rn + 1
    end
  end
  local r = AOBScan(search, protect)
  assert(r and r.Count > 0,'no match') -- AOBScan returns nil when nothing is found
  local success = 0
  for i=1,r.Count do
    local order = loop == 0 and i or 1 + ((i-1) % loop)
    -- print(order,r[i-1],loop)
    if rn == 0 or range[order] then
      local addy = tonumber(r[i-1],16)
      for j=1,#mask do
        if mask[j] >= 0 then writeBytes(addy+j-1,mask[j]) end
      end
      success = success + 1
    end
  end
  r.destroy()
  assert(success > 0,'no patching, required patch is more than search result count')
end
{$asm}
globalalloc(testzone,1024)
testzone:
db 01 02 01 06 07 09
testzone+10:
db 01 02 02 06 07 09
testzone+20:
db 01 02 03 06 07 09
testzone+30:
db 01 02 04 06 07 09
// loop=2 with result number 1: the 1st and 3rd matches are patched
_(AoBSwapEx('01 02 ?? 06 07 09','01 02 ?? 06 07 09 ff 11 22 ff','',2,1))
[DISABLE]
|
|
alanze Advanced Cheater Reputation: 3
Joined: 03 Oct 2012 Posts: 50
|
Posted: Thu Feb 19, 2015 5:13 pm Post subject: |
|
|
Check if you have CheatEngine 6.4, if not download and upgrade.
For example "myArray.Count" vs "myArray.getCount": the first doesn't work in CE 6.3, only in CE 6.4; the second works in all versions, that's why I used the second in my example.
I forgot to add the filters to the AOBScan function, without filters the entire memory is scanned. (maybe you got some extra results?)
Let's take a concrete example:
We search for "00FF00FF"; there are 8 results; we want to change result 6 with "90909090".
Code: |
resultList = AOBScan("00 FF 00 FF", "+W*X-C")
if (resultList) then
  lngt = resultList.getCount()
  if (lngt > 5) then writeBytes(resultList[5], 0x90, 0x90, 0x90, 0x90) end
  resultList.Destroy()
  resultList = nil
end
|
Be careful with "(lngt > Z)" and "resultList[Z]", change Z accordingly
(for result 1 Z=0; for result 2 Z=1; for result 3 Z=2; ...)
Keep the byte formatting as you see it in the example code and replace this "00 FF 00 FF" and this "0x90, 0x90, 0x90, 0x90" with your bytes (0x in front of bytes is required for hex numbers).
Variables are case sensitive so keep the case of words.
"+W*X-C" - these are memory filters:
Change these filters accordingly (W writable memory, X executable memory, C copyonwrite memory, + scan it, - don't scan, * don't care)
"+W*X-C" means: [scan writable memory] and [don't care if executable or not] and [do not scan copyonwrite memory].
AOBScan has other parameters, see previous posts (aobstring, '+W*X-C', fsmAligned, '4').
If you want to replace more results, let's say 2, 3 and 7, extend the script with these lines:
Code: |
if (lngt > 1) then writeBytes(resultList[1], 0x90, 0x90, 0x90, 0x90) end
if (lngt > 2) then writeBytes(resultList[2], 0x90, 0x90, 0x90, 0x90) end
if (lngt > 6) then writeBytes(resultList[6], 0x90, 0x90, 0x90, 0x90) end
|
To replace all of the results use this code:
Code: |
resultList = AOBScan("00 FF 00 FF", "+W*X-C")
if (resultList) then
  lngt = resultList.getCount()
  for x=0, lngt-1, 1 do
    writeBytes(resultList[x], 0x90, 0x90, 0x90, 0x90)
  end
  resultList.Destroy()
  resultList = nil
end
|
In this code you change just the bytes "00 FF 00 FF" and "0x90, 0x90, 0x90, 0x90" and maybe "+W*X-C".
By the way: this code has to be put (pasted) in the "Lua Script Window" not in the "Auto Assemble Window" and executed.
Last edited by alanze on Sat Mar 28, 2015 11:56 am; edited 3 times in total |
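The filter string described in the posts above, worked through as an added example (not code from any poster or from Cheat Engine itself): plain Lua with no Cheat Engine calls, applying "+" (must have), "-" (must not have) and "*" (don't care) to a list of memory regions. `parseFlags`, `regionMatches` and the regions are made up for illustration, and treating an unmentioned flag as "*" is an assumption.

```lua
-- Added example: plain Lua, no Cheat Engine API. Regions are constructed for illustration.

-- Turn "+W*X-C" into { W = "+", X = "*", C = "-" }.
-- Assumption: a flag that is not mentioned is treated as "*" (don't care).
local function parseFlags(s)
  local want = { W = "*", X = "*", C = "*" }
  for sign, flag in s:gmatch("([%+%-%*])(%a)") do
    local f = flag:upper()
    assert(want[f], "unknown flag: " .. f)
    want[f] = sign
  end
  return want
end

-- true when the region satisfies every "+" (must have) and "-" (must not have).
local function regionMatches(region, want)
  for flag, sign in pairs(want) do
    if sign == "+" and not region[flag] then return false end
    if sign == "-" and region[flag] then return false end
  end
  return true
end

local regions = { -- constructed sample regions
  { name = "code (read/execute)",               W = false, X = true,  C = false },
  { name = "heap (read/write)",                 W = true,  X = false, C = false },
  { name = "mapped image data (copy-on-write)", W = true,  X = false, C = true  },
  { name = "JIT buffer (read/write/execute)",   W = true,  X = true,  C = false },
}

-- Show which regions each filter would leave in the scan.
for _, filter in ipairs({ "+W*X-C", "*W+X-C", "" }) do
  local want, kept = parseFlags(filter), {}
  for _, r in ipairs(regions) do
    if regionMatches(r, want) then kept[#kept + 1] = r.name end
  end
  print(string.format('%-8s -> %s', '"' .. filter .. '"', table.concat(kept, ", ")))
end
```

With "+W*X-C" the read/execute region is skipped, so a pattern that exists only there shows up in an unfiltered scan but not in this one, which changes both the result count and the index of each result.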
|
hondafrik Advanced Cheater Reputation: 0
Joined: 15 Jan 2014 Posts: 60 Location: Croatia
|
Posted: Thu Feb 26, 2015 12:57 pm Post subject: |
|
|
@alanze awesome explanation, thank you very much bro, I will try this.
Btw I make trainers with the DaSpammer script, so I use Lua scripts a lot and I am learning, because what Cheat Engine allows you and gives you is awesome.
P.S. I will comment with the results if I figure this out. Thank you.
|
hondafrik Advanced Cheater Reputation: 0
Joined: 15 Jan 2014 Posts: 60 Location: Croatia
|
Posted: Thu Mar 26, 2015 7:54 am Post subject: |
|
|
When I add this AA script to my trainer it says Hack Failed
Code: |
resultList = AOBScan("8C 41 48 83 C0 74 28 8B 50 08 8B 4A 50 8D 55 E4", "+W*X-C")
if (resultList) then
  lngt = resultList.getCount()
  if (lngt > 1) then writeBytes(resultList[1], 0x8C, 0x41, 0x08, 0x83, 0xC0, 0x74, 0x28, 0x8B, 0x50, 0x08, 0x8B, 0x4A, 0x50, 0x8D, 0x55, 0xE4) end
  resultList.Destroy()
  resultList = nil
end
|
This is meant to change only the second result, and it's not working.
|
hondafrik Advanced Cheater Reputation: 0
Joined: 15 Jan 2014 Posts: 60 Location: Croatia
|
Posted: Fri Mar 27, 2015 10:35 am Post subject: |
|
|
OK, I just found that this works well when I copy and paste it in the Lua window and click Execute
Code: |
AoB = AOBScan("8F 31 3C 82 C0 74 28 8B 50 08 8B 4A 50")
if (AoB) then -- check if there are results or not
  lngt = AoB.getCount() -- get the AoB array length
  -- print("Results found: "..lngt)
  -- now we replace the third result
  if (lngt > 2) then writeBytes(AoB[2], 0x8F, 0x31, 0x3C, 0x82, 0xC0, 0x74) end
  -- now we replace the fourth result
  if (lngt > 3) then writeBytes(AoB[3], 0x8F, 0x31, 0x3C, 0x82, 0xC0, 0x74) end
  AoB.Destroy() -- destroy the array
  AoB = nil
else
  -- print("No results found.")
end
|
But when I add this to the DaSpammer trainer, it says hack failed. Does anyone know why?
|
alanze Advanced Cheater Reputation: 3
Joined: 03 Oct 2012 Posts: 50
|
Posted: Sat Mar 28, 2015 1:43 pm Post subject: |
|
|
Your scripts are correct; if one of them is not working it's because of the results you get, or the filters you use (also maybe you missed a byte).
Maybe on first search you get 4 results, on another session 4 results but in different order, on another session 3 results.....
I just showed you a basic example on how to change second, third.. results of aob scan, but these scripts should be modified and extended based on your requirements.
For example you want it to work with the DaSpammer trainer; in this case you need to place this script into a function, then call the new function with a button or hotkey.
(the script is executed automatically when the trainer is started, but you want to activate/deactivate it while it is running)
Code: |
function hackOne()
  resultList = AOBScan("8C 41 48 83 C0 74 28 8B 50 08", "+W*X-C")
  if (resultList) then
    lngt = resultList.getCount()
    if (lngt > 1) then writeBytes(resultList[1], 0x8C, 0x41, 0x08, 0x83) end
    resultList.Destroy()
  end
end
-- now hackOne() can be associated and launched with a button or hotkey
function hackTwo()
  -- another function
  -- put some code here
end
|
When you write and create new scripts, insert a few "print()" functions to see what's happening, and when everything is working remove them:
Code: |
print(AoB[2])
-- the address of the third result will be printed
-- now you can look at the address, it's the correct one?
-- if not change the memory filters or check result 2 and 4, adapt, learn...
print("other sh...ts")
print("There are " .. lngt .. " results.")
print("The third address is: " .. resultList[2])
|
Lua can also be used in the auto-assemble window, but you have to turn it on with a prefix:
Code: |
{$lua}
-- some lua code
{$asm}
// some asm code
// also lua functions can be called from asm
luacall(hackOne())
|
|
hondafrik Advanced Cheater Reputation: 0
Joined: 15 Jan 2014 Posts: 60 Location: Croatia
|
Posted: Sat Mar 28, 2015 9:16 pm Post subject: |
|
|
You're the best bro, thank you very much
|
hondafrik Advanced Cheater Reputation: 0
Joined: 15 Jan 2014 Posts: 60 Location: Croatia
|
Posted: Wed Apr 01, 2015 9:28 am Post subject: |
|
|
Now I understand how to change the second and further AOB results.
Is it possible to change, in the second AOB result,
Code: |
mov eax,[ecx+68]
test eax,eax
|
into
Code: |
mov eax,[ecx+00000094]
test eax,eax
|
For example:
Code: |
{$lua}
AoB = AOBScan("8B 45 10 8B 08 8B 41 68 85 C0")
if (AoB) then -- check if there are results or not
  lngt = AoB.getCount() -- get the AoB array length
  -- print("Results found: "..lngt)
  -- now we replace the third result
  if (lngt > 1) then writeBytes(AoB[1],mov eax,[ecx+00000094]test eax,eax) end -----something like that?
  AoB.Destroy() -- destroy the array
  AoB = nil
else
  -- print("No results found.")
end
|
|
Zanzer I post too much Reputation: 126
Joined: 09 Jun 2013 Posts: 3278
|
Posted: Wed Apr 01, 2015 7:42 pm Post subject: |
|
|
You can create a tiny script to just write out your instructions:
Code: |
[ENABLE]
alloc(mytest,$1000)
registersymbol(mytest)
mytest:
mov eax,[ecx+00000094]
test eax,eax
[DISABLE]
dealloc(mytest)
unregistersymbol(mytest)
|
Then, in memory viewer, right click and goto address "mytest" to see the bytes.
Code: |
8B 81 94000000 - mov eax,[rcx+00000094]
85 C0 - test eax,eax
|
So...
Code: |
writeBytes(AoB[1],0x8B,0x81,0x94,0x00,0x00,0x00,0x85,0xC0)
|
|
alanze Advanced Cheater Reputation: 3
Joined: 03 Oct 2012 Posts: 50
|
Posted: Thu Apr 02, 2015 9:45 pm Post subject: |
|
|
Note: a code injection is needed at that address because the original code has fewer bytes than the modified code.
You should try to find a strong aob pattern which is unique (even with offset),
then use auto assemble to do the changes (no Lua scripting at all).
Last edited by alanze on Mon Apr 06, 2015 9:51 am; edited 2 times in total |
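The length problem noted in the post above, as an added example (not code from any poster in this thread): plain Lua with no Cheat Engine calls that finds every match of a pattern with `??` wildcards in a byte buffer and refuses a patch when the requested result does not exist, the result count is not the expected one, or the replacement is longer than the matched bytes. `parsePattern`, `scanAll`, `planPatch`, the buffer and the same-length replacement `8B 41 6C 85 C0` are constructed for illustration; the other byte strings come from the thread.

```lua
-- Added example: plain Lua, no Cheat Engine API. The buffer below is constructed.

-- "8B 41 ?? 85" -> {0x8B, 0x41, -1, 0x85}; any token containing "?" is a wildcard.
local function parsePattern(s)
  local out = {}
  for tok in s:gmatch("%S+") do
    if tok:find("?", 1, true) then
      out[#out + 1] = -1
    else
      out[#out + 1] = assert(tonumber(tok, 16), "bad byte: " .. tok)
    end
  end
  return out
end

-- Every offset where the pattern matches, in scan order (offsets are 0-based).
local function scanAll(buf, pat)
  local hits = {}
  for base = 1, #buf - #pat + 1 do
    local ok = true
    for j = 1, #pat do
      if pat[j] >= 0 and buf[base + j - 1] ~= pat[j] then ok = false; break end
    end
    if ok then hits[#hits + 1] = base - 1 end
  end
  return hits
end

-- Check a patch of result n (1-based) before any write; returns the offset, or nil and a reason.
local function planPatch(buf, search, n, replacement, expectedCount)
  local pat, new = parsePattern(search), parsePattern(replacement)
  local hits = scanAll(buf, pat)
  if expectedCount and #hits ~= expectedCount then
    return nil, string.format("expected %d results, found %d", expectedCount, #hits)
  end
  if n < 1 or n > #hits then
    return nil, string.format("result %d requested, %d found", n, #hits)
  end
  if #new > #pat then
    return nil, string.format("patch is %d bytes, match is %d: %d bytes after the match would be overwritten", #new, #pat, #new - #pat)
  end
  return hits[n]
end

-- Constructed buffer: the 5-byte sequence from the thread appears twice between filler bytes.
local buf = parsePattern("90 8B 41 68 85 C0 74 28 CC CC 8B 41 68 85 C0 75 10")
print(planPatch(buf, "8B 41 68 85 C0", 2, "8B 41 6C 85 C0", 2))          -- same length
print(planPatch(buf, "8B 41 68 85 C0", 2, "8B 81 94 00 00 00 85 C0", 2)) -- 8 bytes over 5
print(planPatch(buf, "8B 41 ?? 85 C0", 3, "8B 41 6C 85 C0"))             -- no third result
```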
|
hondafrik Advanced Cheater Reputation: 0
Joined: 15 Jan 2014 Posts: 60 Location: Croatia
|
Posted: Fri Apr 03, 2015 7:44 pm Post subject: |
|
|
Zanzer's method helped me a lot and the hack in the trainer works awesome, so thanks a lot Zanzer and Alanze
|