how to change aob scan second result?
hondafrik
Advanced Cheater
Reputation: 0

Joined: 15 Jan 2014
Posts: 60
Location: Croatia

Posted: Fri Feb 13, 2015 12:05 pm    Post subject: how to change aob scan second result?

For example:
Code:
Aobscan(time,8F 31 3C 82 C0 74 28 8B 50 08 8B 4A 50)
time:
db 8B 31 62 85 CF 74 28 8B 50 08 8B 4A 50


It always changes the first result, so my question is how to choose which one to change (for example the third one), and how to change all results and not only the first one. Thank you in advance.
alanze
Advanced Cheater
Reputation: 3

Joined: 03 Oct 2012
Posts: 50

Posted: Fri Feb 13, 2015 6:14 pm

In autoassemble you can change only the first result.

Here is a lua script if you want to change the second, third or deeper results:
Code:

AoB = AOBScan("8F 31 3C 82 C0 74 28 8B 50 08 8B 4A 50")
if (AoB) then  -- check if there are results or not
   lngt = AoB.getCount()  -- get the AoB array length
   -- print("Results found: "..lngt)
   -- now we replace the third result
   if (lngt > 2) then writeBytes(AoB[2], 0x8F, 0x31, 0x3C, 0x82, 0xC0, 0x74) end
   -- now we replace the fourth result
   if (lngt > 3) then writeBytes(AoB[3], 0x8F, 0x31, 0x3C, 0x82, 0xC0, 0x74) end
   AoB.Destroy()  -- destroy the array
   AoB = nil
else
  -- print("No results found.")
end

Note that the AoB[] array starts from 0. So the third result is 2 (AoB[2]).
Also "createMemScan(0)" can be used instead of "AOBScan" but is more complicated.
mgr.inz.Player
I post too much
Reputation: 218

Joined: 07 Nov 2008
Posts: 4438
Location: W kraju nad Wisla. UTC+01:00

Posted: Sat Feb 14, 2015 9:16 am

The AOBScan function in AutoAssembler is slightly different from the AOBScan function in Lua.

In AutoAssembler, all memory regions will be scanned (writable or not, executable or not, copyonwrite or not), and there is only one result: CE immediately stops scanning when the first address is found.

Lua's AOBScan behaves almost the same, but it finds all addresses and returns them as an array of strings (Free Pascal TStringList), in hexadecimal.

We use it like this
results=AOBScan(aobstring)

or this:
results=AOBScan(luatable)

PS: Lua's AOBScan can have more parameters:

AOBScan(aobstring, protectionflags OPTIONAL, alignmenttype OPTIONAL, alignmentparam HALFOPTIONAL)
aobstring - it is a string (not a lua table)
protectionflags - it is a string
alignmenttype - it is an integer (fsmNotAligned=0, fsmAligned=1, fsmLastDigits=2)
alignmentparam - it is a string


Usage
Code:

results=AOBScan(aobstring, '+W*X-C', fsmAligned, '4')
-- protection flags are set to: must be writable, doesn't care if executable or not, must NOT BE copyonwrite
-- alignment is enabled and addresses must be divisible by 4

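The protection-flag string described above, as an added example that is not part of any post in this thread or of Cheat Engine itself: a plain-Lua parser for strings like "+W*X-C", applied to constructed region descriptions. The helper names and region tables are hypothetical, and treating an omitted letter as "don't care" is an assumption.

```lua
-- Added example (plain Lua, no Cheat Engine API). Helper names are hypothetical.
-- Parse a filter string such as "+W*X-C" into one requirement per flag.
local function parseProtectionFlags(s)
  -- Assumption: a letter that is not mentioned means "don't care".
  local req = { W = "any", X = "any", C = "any" }
  local meaning = { ["+"] = "must", ["-"] = "mustnot", ["*"] = "any" }
  for sign, flag in s:upper():gmatch("([%+%-%*])([WXC])") do
    req[flag] = meaning[sign]
  end
  return req
end

-- Decide whether a region with the given properties would be scanned.
local function regionMatches(req, region)
  local has = { W = region.writable, X = region.executable, C = region.copyonwrite }
  for flag, want in pairs(req) do
    if want == "must" and not has[flag] then return false end
    if want == "mustnot" and has[flag] then return false end
  end
  return true
end

-- Constructed sample regions; real ones come from the target process.
local regions = {
  { name = "code (read/execute)",      writable = false, executable = true,  copyonwrite = false },
  { name = "heap (read/write)",        writable = true,  executable = false, copyonwrite = false },
  { name = "data (copy-on-write)",     writable = true,  executable = false, copyonwrite = true  },
  { name = "jit (read/write/execute)", writable = true,  executable = true,  copyonwrite = false },
}

-- Show which constructed regions each filter string would include.
for _, flags in ipairs({ "+W*X-C", "*W+X-C", "" }) do
  local req, scanned = parseProtectionFlags(flags), {}
  for _, region in ipairs(regions) do
    if regionMatches(req, region) then scanned[#scanned + 1] = region.name end
  end
  print(string.format("%-10s scans: %s", '"' .. flags .. '"', table.concat(scanned, ", ")))
end
```

In this model "+W*X-C" skips the read/execute code region, so a pattern made of instruction bytes is only found where the memory is also writable.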
hondafrik
Advanced Cheater
Reputation: 0

Joined: 15 Jan 2014
Posts: 60
Location: Croatia

Posted: Mon Feb 16, 2015 3:23 am

Thank you both for the answers.
@alanze your script says failed for me, I don't know why; I have been trying to figure it out for the last few hours and it fails every time.
@mgr.inz.Player I am still new to Lua and still learning, but can you make an example script? That way I will learn and understand better. I just need to change all results, and to learn how to change the result I choose, for example the second one or just the third one; those are the two scripts I need.

Btw, a few months ago I tried to figure this out but without results, so I made this post to get help and better understand this.
panraven
Grandmaster Cheater
Reputation: 54

Joined: 01 Oct 2008
Posts: 941

Posted: Mon Feb 16, 2015 9:48 am

Try this; enter 'testzone' as the address in memory view to see the test.

Code:
define(_,luacall)
[ENABLE]
{$lua}
function AoBSwapEx(search, patch, proctect, loop, ...) -- alignment omit as it is ok to be default
  proctect = type(proctect) ~= 'string' and '' or proctect
  loop     = type(loop) == 'number' and loop > 0 and math.floor(loop) == loop and loop or 0
  assert(type(search)=='string' and type(patch)=='string', '1st 2 parameters has to be aob string')
  local mask,wn = {},0
  for i = 1,string.len(patch),3 do
    local n = tonumber(string.sub(patch,i,i+2),16)
    if type(n)=='number' and n>= 0 and n < 256 then
      table.insert(mask,n)
    else
      table.insert(mask,-1)
      wn = wn + 1
    end
  end
  assert(#mask > wn,'nothing to patch')
  local range,rn = {}, 0
  for i=1,select('#',...) do
    local p = select(i,...)
    if type(p)=='number' and p>0 and math.floor(p) == p and not range[p] then
      range[p] = true
      rn = rn + 1
    end
  end
  local r = AOBScan(search, proctect)
  assert(r ~= nil and r.Count > 0,'no match') -- AOBScan can return nil when nothing is found
  local success = 0
  for i=1,r.Count do
    local order = loop == 0 and i or 1 + ((i-1) % loop)
--    print(order,r[i-1],loop)
    if rn == 0 or range[order] then
      local addy = tonumber(r[i-1],16)
      for j=1,#mask do
        if mask[j] >= 0 then writeBytes(addy+j-1,mask[j]) end
      end
      success = success + 1
    end
  end
  r.destroy()
  assert(success > 0,'no patching, required patch is more than search result count')
end
{$asm}
globalalloc(testzone,1024)

testzone:
db 01 02 01 06 07 09
testzone+10:
db 01 02 02 06 07 09
testzone+20:
db 01 02 03 06 07 09
testzone+30:
db 01 02 04 06 07 09

_(AoBSwapEx('01 02 ?? 06 07 09','01 02 ?? 06 07 09 ff 11 22 ff','',2,1))
 
 
[DISABLE]

alanze
Advanced Cheater
Reputation: 3

Joined: 03 Oct 2012
Posts: 50

Posted: Thu Feb 19, 2015 5:13 pm

Check if you have CheatEngine 6.4; if not, download and upgrade.
For example "myArray.Count" vs "myArray.getCount": the first doesn't work in CE 6.3, only in CE 6.4; the second works in all versions, that's why I used the second in my example.
I forgot to add the filters to the AOBScan function; without filters the entire memory is scanned. (Maybe you got some extra results?)

Let's take a concrete example:
We search for "00FF00FF"; there are 8 results; we want to change result 6 with "90909090".
Code:

resultList = AOBScan("00 FF 00 FF", "+W*X-C")
if (resultList) then
   lngt = resultList.getCount()
   if (lngt > 5) then writeBytes(resultList[5], 0x90, 0x90, 0x90, 0x90) end
   resultList.Destroy()
   resultList = nil
end


Be careful with "(lngt > Z)" and "resultList[Z]"; change Z accordingly
(for result 1 Z=0; for result 2 Z=1; for result 3 Z=2; ...)
Keep the byte formatting as you see it in the example code, and replace "00 FF 00 FF" and "0x90, 0x90, 0x90, 0x90" with your bytes (0x in front of bytes is required for hex numbers).
Variables are case sensitive, so keep the case of words.

"+W*X-C" - these are memory filters:
Change these filters accordingly (W writable memory, X executable memory, C copyonwrite memory, + scan it, - don't scan, * don't care)
"+W*X-C" means: [scan writable memory] and [don't care if executable or not] and [do not scan copyonwrite memory].

AOBScan has other parameters, see previous posts (aobstring, '+W*X-C', fsmAligned, '4').

If you want to replace more results, let's say 2, 3 and 7, extend the script with these lines:
Code:

if (lngt > 1) then writeBytes(resultList[1], 0x90, 0x90, 0x90, 0x90) end
if (lngt > 2) then writeBytes(resultList[2], 0x90, 0x90, 0x90, 0x90) end
if (lngt > 6) then writeBytes(resultList[6], 0x90, 0x90, 0x90, 0x90) end


To replace all of the results use this code:
Code:

resultList = AOBScan("00 FF 00 FF", "+W*X-C")
if (resultList) then
   lngt = resultList.getCount()
   for x=0, lngt-1, 1 do
      writeBytes(resultList[x], 0x90, 0x90, 0x90, 0x90)
   end
   resultList.Destroy()
   resultList = nil
end

In this code you change just the bytes "00 FF 00 FF" and "0x90, 0x90, 0x90, 0x90" and maybe "+W*X-C".

By the way: this code has to be put (pasted) in the "Lua Script Window" not in the "Auto Assemble Window" and executed.


Last edited by alanze on Sat Mar 28, 2015 11:56 am; edited 3 times in total
hondafrik
Advanced Cheater
Reputation: 0

Joined: 15 Jan 2014
Posts: 60
Location: Croatia

Posted: Thu Feb 26, 2015 12:57 pm

@alanze awesome explanation, thank you very much bro, I will try this.
Btw I make trainers with the DaSpammer script, so I use Lua scripts a lot, and I am learning because what Cheat Engine allows and gives you is awesome :)
P.S. I will comment with results if I figure this out. Thank you.
hondafrik
Advanced Cheater
Reputation: 0

Joined: 15 Jan 2014
Posts: 60
Location: Croatia

Posted: Thu Mar 26, 2015 7:54 am

When I add this AA script to my trainer it says Hack Failed
Code:
resultList = AOBScan("8C 41 48 83 C0 74 28 8B 50 08 8B 4A 50 8D 55 E4", "+W*X-C")
if (resultList) then
   lngt = resultList.getCount()
   if (lngt > 1) then writeBytes(resultList[1], 0x8C, 0x41, 0x08, 0x83, 0xC0, 0x74, 0x28, 0x8B, 0x50, 0x08, 0x8B, 0x4A, 0x50, 0x8D, 0x55, 0xE4) end
   resultList.Destroy()
   resultList = nil
end

This is meant to change only the second result, and it's not working.
hondafrik
Advanced Cheater
Reputation: 0

Joined: 15 Jan 2014
Posts: 60
Location: Croatia

Posted: Fri Mar 27, 2015 10:35 am

OK, I just found that this works well when I copy and paste it into the Lua window and click Execute
Code:
AoB = AOBScan("8F 31 3C 82 C0 74 28 8B 50 08 8B 4A 50")
if (AoB) then  -- check if there are results or not
   lngt = AoB.getCount()  -- get the AoB array length
   -- print("Results found: "..lngt)
   -- now we replace the third result
   if (lngt > 2) then writeBytes(AoB[2], 0x8F, 0x31, 0x3C, 0x82, 0xC0, 0x74) end
   -- now we replace the fourth result
   if (lngt > 3) then writeBytes(AoB[3], 0x8F, 0x31, 0x3C, 0x82, 0xC0, 0x74) end
   AoB.Destroy()  -- destroy the array
   AoB = nil
else
  -- print("No results found.")
end

But when I add this to the DaSpammer trainer, it says hack failed. Does anyone know why?
alanze
Advanced Cheater
Reputation: 3

Joined: 03 Oct 2012
Posts: 50

Posted: Sat Mar 28, 2015 1:43 pm

Your scripts are correct; if some of them are not working it's because of the results you get, or the filters you use (also maybe you missed a byte).
Maybe on the first search you get 4 results, in another session 4 results but in a different order, in another session 3 results...
I just showed you a basic example of how to change the second, third... results of an aob scan, but these scripts should be modified and extended based on your requirements.
For example, you want it to work with the DaSpammer trainer; in this case you need to place this script into a function, then call the new function with a button or hotkey.
(The script is executed automatically when the trainer is started, but you want to activate/deactivate it while it is running.)
Code:

function hackOne()
  resultList = AOBScan("8C 41 48 83 C0 74 28 8B 50 08", "+W*X-C")
  if (resultList) then
    lngt = resultList.getCount()
    if (lngt > 1) then writeBytes(resultList[1], 0x8C, 0x41, 0x08, 0x83) end
    resultList.Destroy()
  end
end

-- now hackOne() can be associated and launched with a button or hotkey

function hackTwo()
  -- another function
  -- put some code here
end


When you write and create new scripts, insert a few "print()" functions to see what's happening, and when everything is working remove them:
Code:

print(AoB[2])
-- the address of the third result will be printed
-- now you can look at the address, it's the correct one?
-- if not change the memory filters or check result 2 and 4, adapt, learn...
print("other sh...ts")
print("There are " .. lngt .. " results.")
print("The third address is: " .. resultList[2])

Lua can also be used in the auto-assemble window, but you have to turn it on with a prefix:
Code:

{$lua}
-- some lua code

{$asm}
// some asm code

// also lua functions can be called from asm
luacall(hackOne())
hondafrik
Advanced Cheater
Reputation: 0

Joined: 15 Jan 2014
Posts: 60
Location: Croatia

Posted: Sat Mar 28, 2015 9:16 pm

You're the best bro, thank you very much :)
hondafrik
Advanced Cheater
Reputation: 0

Joined: 15 Jan 2014
Posts: 60
Location: Croatia

Posted: Wed Apr 01, 2015 9:28 am

Now I understand how to change the second and further AOB results.
Is it possible, in the second AOB result, to change
Code:
mov eax,[ecx+68]
test eax,eax
into
Code:
mov eax,[ecx+00000094]
test eax,eax


For example:
Code:
{$lua}
AoB = AOBScan("8B 45 10 8B 08 8B 41 68 85 C0")
if (AoB) then  -- check if there are results or not
   lngt = AoB.getCount()  -- get the AoB array length
   -- print("Results found: "..lngt)
   -- now we replace the third result
if (lngt > 1) then writeBytes(AoB[1],mov eax,[ecx+00000094]test eax,eax) end            -----something like that?
   AoB.Destroy()  -- destroy the array
   AoB = nil
else
  -- print("No results found.")
end
Zanzer
I post too much
Reputation: 126

Joined: 09 Jun 2013
Posts: 3278

Posted: Wed Apr 01, 2015 7:42 pm

You can create a tiny script to just write out your instructions:

Code:
[ENABLE]
alloc(mytest,$1000)
registersymbol(mytest)
mytest:
mov eax,[ecx+00000094]
test eax,eax
[DISABLE]
dealloc(mytest)
unregistersymbol(mytest)


Then, in memory viewer, right click and goto address "mytest" to see the bytes.

Code:
8B 81 94000000        - mov eax,[rcx+00000094]
85 C0                 - test eax,eax


So...

Code:
writeBytes(AoB[1],0x8B,0x81,0x94,0x00,0x00,0x00,0x85,0xC0)
alanze
Advanced Cheater
Reputation: 3

Joined: 03 Oct 2012
Posts: 50

Posted: Thu Apr 02, 2015 9:45 pm

Note, a code injection is needed at that address because the original code has fewer bytes than the modified code.
You should try to find a strong aob pattern which is unique (even with offset),
then use auto assemble to do the changes (no lua scripting at all).


Last edited by alanze on Mon Apr 06, 2015 9:51 am; edited 2 times in total
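The size mismatch noted above, as an added example that is not part of any post: a plain-Lua model of a wildcard byte scan that patches the Nth match only when that match exists and the patch fits inside the matched bytes. The buffer is constructed, the helper names are hypothetical, and `8B 41 6C` is an arbitrary same-length patch; the other byte strings are the ones quoted in this thread.

```lua
-- Added example (plain Lua, no Cheat Engine API). A constructed byte table
-- stands in for process memory; all helper names are hypothetical.
local function parseAob(s)               -- "8B 41 ?? 85" -> {0x8B, 0x41, -1, 0x85}
  local t = {}
  for tok in s:gmatch("%S+") do
    t[#t + 1] = tonumber(tok, 16) or -1  -- a non-hex token such as "??" is a wildcard
  end
  return t
end

local function scanAll(mem, pat)         -- 1-based offsets of every match
  local hits = {}
  for i = 1, #mem - #pat + 1 do
    local ok = true
    for j = 1, #pat do
      if pat[j] >= 0 and mem[i + j - 1] ~= pat[j] then ok = false; break end
    end
    if ok then hits[#hits + 1] = i end
  end
  return hits
end

-- n is 1-based here (the CE result list in the posts above is 0-based).
local function patchNth(mem, search, patch, n)
  local pat, new = parseAob(search), parseAob(patch)
  if #new > #pat then
    return nil, "patch is longer than the matched bytes; it would overwrite what follows"
  end
  local hits = scanAll(mem, pat)
  if n < 1 or n > #hits then
    return nil, string.format("wanted result %d, scan found %d", n, #hits)
  end
  for j = 1, #new do
    if new[j] >= 0 then mem[hits[n] + j - 1] = new[j] end  -- wildcard keeps the old byte
  end
  return hits[n]
end

-- Constructed buffer: two copies of "8B 41 68 85 C0" (mov eax,[ecx+68] / test eax,eax).
local mem = { 0x8B,0x41,0x68,0x85,0xC0,0x74,0x28, 0x90,
              0x8B,0x41,0x68,0x85,0xC0,0x74,0x28 }

print(patchNth(mem, "8B 41 68 85 C0", "8B 81 94 00 00 00 85 C0", 2)) -- 8-byte patch, 5-byte match: refused
print(patchNth(mem, "8B 41 ?? 85 C0", "8B 41 6C", 2))                -- fits: second match is patched
print(patchNth(mem, "8B 41 ?? 85 C0", "8B 41 6C", 3))                -- only two matches exist: refused
```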
hondafrik
Advanced Cheater
Reputation: 0

Joined: 15 Jan 2014
Posts: 60
Location: Croatia

Posted: Fri Apr 03, 2015 7:44 pm

Zanzer's method helped me a lot and the hack in the trainer works awesome, so thanks a lot Zanzer and Alanze :)
All times are GMT - 6 Hours