de donia Newbie cheater Reputation: 0
Joined: 11 Jul 2016 Posts: 12
Posted: Mon Jul 11, 2016 7:46 am Post subject: address arithmetic
I keep getting this error:
attempt to perform arithmetic on a string value (local 'adr')
Code:
pattern = "?? ?? ?? 50 00 00 00 ?? 40 00 00 ?? ?? ?? ?? ??"
scans = AOBScan(pattern)
if scans == nil then
ShowMessage("nope\n"..pattern)
else
local adr = scans[0]
local base_adr = adr - 0x200
ShowMessage(adr.." "..base_adr)
end
Let me explain what I am trying to do.
In the game I am trying to find multiple 'enemy' character values. (Can be more than 30 valid matches!)
These all come from a base address for each character.
I am not able to directly search for the base address, but I can using AOB find one of the values I am interested in.
This value will always be at [esi + 200], where the base I am interested in is the esi.
What I want is the value of esi, so I can get the other values of interest that have offsets of 0x1c, 0x240, 0x14.
So my goal is to be able to do something like this:
Code:
base_adr = ESI -- or adr-0x200 as above
adr2 = base_adr + 0x1c
adr3 = base_adr + 0x240
adr4 = base_adr + 0x14
ShowMessage(readFloat(adr2).." "..readFloat(adr3).." "..readInteger(adr4))
Keep in mind that I do not have to write to anything, I only need to be able to read these values.
Redouane Master Cheater Reputation: 3
Joined: 05 Sep 2013 Posts: 363 Location: Algeria
Posted: Mon Jul 11, 2016 8:04 am Post subject: Re: address arithmetic
de donia wrote:
"I keep getting this error:
attempt to perform arithmetic on a string value (local 'adr')"
Yeah, when AOBScan succeeds, it returns a StringList object (like an array of hexadecimal strings); convert them back to numbers using tonumber:
Code:
pattern = "?? ?? ?? 50 00 00 00 ?? 40 00 00 ?? ?? ?? ?? ??"
scans = AOBScan(pattern)
if not scans then -- same as if scans == nil (it can't be false)
ShowMessage("nope\n"..pattern)
else
local adr = tonumber(scans[0], 16) -- 16 is the base
local base_adr = adr - 0x200
ShowMessage(adr.." "..base_adr)
end
You must specify the base because the string will be in hexadecimal (like "7FF614CF27C0").
Also, in your call to ShowMessage, the address will not be displayed as Hex (use string.format to do that), it will be displayed as a decimal number.
de donia Newbie cheater Reputation: 0
Joined: 11 Jul 2016 Posts: 12
Posted: Mon Jul 11, 2016 1:20 pm
Thanks, that was what I needed.
For my initial test this now works:
Code:
pattern = "?? ?? ?? 50 00 00 00 ?? 40 00 00 ?? ?? ?? ?? ??"
scans = AOBScan(pattern)
if not scans then
ShowMessage("nope\n"..pattern)
else
for i = 0, scans.Count - 1 do
local adr = tonumber(scans[i], 16)
local base_adr = adr - 0x200
ShowMessage(adr.." "..string.format("%x", base_adr))
end
end
i. Is there anything like vector<struct*> in Lua?
At no point do I know how many hits the scan will get, and in c++ I would have used a vector of a struct (containing all the specific character data I was interested in) to store the values for something I will do with them a bit later.
ii. I do not foresee this to be an issue, but just in case, is there a way to test if the opcode matches?
The addresses the AOB-scan finds should all have this opcode:
mov [esi+00000200],eax
Is it possible to exclude everything that doesn't have this?
ParkourPenguin I post too much Reputation: 140
Joined: 06 Jul 2014 Posts: 4299
Posted: Mon Jul 11, 2016 2:20 pm
1 - You can store the addresses in a table if you want.
Code:
local t = {} -- change the scope of t as needed
...
t[#t+1] = base_adr
2 - Reading the bytes is an easy way.
Code:
readInteger(base_adr) == 0x02008689 -- usually good enough; otherwise, use readBytes and compare all bytes individually
Use the disassembler class for more advanced filtering of instructions. You can still read the bytes yourself if you know how instructions are encoded, but that can sometimes be more complicated than just using CE's disassembler.
_________________
I don't know where I'm going, but I'll figure it out when I get there.
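Worked example for the two points above (a table as the Lua stand-in for vector<struct>, and checking the bytes at an address against the expected instruction). This is an added example written for this page, not code from the thread or from Cheat Engine; it uses only the CE Lua functions named in the thread plus readBytes, disassemble and splitDisassembledString from CE's Lua reference. The 0x200/0x1c/0x240/0x14 offsets are the thread's; what those fields mean, and the placeholder code address, are assumptions.

```lua
-- Added example (not from the thread). Part 1: a Lua table used as a growable
-- array of records, filled from the data hits the thread's AOB scan returns.
-- Part 2: checking the bytes at a code address against
-- `mov [esi+00000200],eax`, whose x86 encoding is 89 86 00 02 00 00
-- (ParkourPenguin's 0x02008689 is the first four of those bytes read as a
-- little-endian dword). Field names are placeholders.

local VALUE_OFFSET = 0x200

local function collectCharacters(pattern)
  local chars = {}                       -- grows as needed; #chars is its length
  local scans = AOBScan(pattern)         -- nil when nothing matches
  if not scans then return chars end
  for i = 0, scans.Count - 1 do          -- StringList is 0-based
    local base = tonumber(scans[i], 16) - VALUE_OFFSET
    chars[#chars + 1] = {
      base = base,
      f1c  = readFloat(base + 0x1c)   or 0,   -- readX return nil if unreadable
      f240 = readFloat(base + 0x240)  or 0,
      i14  = readInteger(base + 0x14) or 0,
    }
  end
  scans.destroy()                        -- the StringList is a CE object; free it
  return chars
end

-- Part 2: instruction check at a code address
local MOV_ESI_200_EAX = {0x89, 0x86, 0x00, 0x02, 0x00, 0x00}

local function bytesEqual(addr, expected)
  local got = readBytes(addr, #expected, true)   -- true: return a table of bytes
  if not got then return false end
  for i = 1, #expected do
    if got[i] ~= expected[i] then return false end
  end
  return true
end

-- Same test through CE's disassembler: disassemble() returns a string of the
-- form "address - bytes - opcode", splitDisassembledString() splits it.
local function disassemblesTo(addr, luaPattern)
  local _, _, opcode = splitDisassembledString(disassemble(addr))
  return opcode:find(luaPattern) ~= nil
end

-- Usage. codeAddr is a placeholder: put the address of the write instruction here.
local codeAddr = 0x00401000
if bytesEqual(codeAddr, MOV_ESI_200_EAX)
   or disassemblesTo(codeAddr, "^mov %[esi%+00000200%],eax") then
  print(string.format("%08X: mov [esi+00000200],eax confirmed", codeAddr))
end

local chars = collectCharacters("?? ?? ?? 50 00 00 00 ?? 40 00 00 ?? ?? ?? ?? ??")
print(#chars .. " hits")
for _, c in ipairs(chars) do
  print(string.format("base=%08X  +1c=%.3f  +240=%.3f  +14=%d",
                      c.base, c.f1c, c.f240, c.i14))
end
```

Note that the byte check only makes sense on a code address (the instruction itself); the thread's AOB pattern finds the data the instruction writes, so the two halves of the example apply to different addresses.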
de donia Newbie cheater Reputation: 0
Joined: 11 Jul 2016 Posts: 12
Posted: Thu Jul 14, 2016 11:21 am
1. So arrays don't have a fixed size in Lua, that is nice to know.
2. The first one didn't really give me usable values, so I'll have to look at readBytes I guess.
The script is god awful slow though, and I don't think I can async for more than one pattern either.
i. How much quicker do you believe it would be to write a dll in c++ for the pattern scanning, and just inject it instead?
Would the speed benefits be significant if I used something like fdsasdf's method?
I mainly used CE and Lua because it is just a lot quicker for prototyping.
ParkourPenguin I post too much Reputation: 140
Joined: 06 Jul 2014 Posts: 4299
Posted: Thu Jul 14, 2016 11:41 am
That's technically a table, not an array. In Lua, the term "array" by convention refers to a table that is indexed using consecutive positive integers starting at 1.
I don't know what you mean by "usable values." If you're checking whether or not an address stores a particular instruction, any value you read from that address should be usable.
I'd bet the vast majority of the time spent executing that Lua script is spent on the AoB scan. Unless you feel like you can write a better one that still scans through all the memory of a process, you should first try using stricter search settings. Only scan through executable, non-writable, non-CoW memory. Make your AoB signature more unique (especially the first few bytes). If you know it's in a particular region of memory (i.e. a .dll), restrict the search area to that region (use memscan class for that).
de donia Newbie cheater Reputation: 0
Joined: 11 Jul 2016 Posts: 12
Posted: Sat Jul 16, 2016 9:58 am
I did a little more testing and came across two new issues:
i.
I have this pattern:
"?? ?? ?? 50 00 00 00 ?? 40 00 00 ?? ?? ?? ?? ??"
It will actually look like this:
"?? ?? 24 50 00 00 00 ?? 40 00 00 01 ?? ?? ?? ??"
"?? ?? 25 50 00 00 00 ?? 40 00 00 01 ?? ?? ?? ??"
"?? ?? 27 50 00 00 00 ?? 40 00 00 01 ?? ?? ?? ??"
"?? ?? 29 50 00 00 00 ?? 40 00 00 01 ?? ?? ?? ??"
"?? ?? 29 50 00 00 00 ?? 40 00 00 02 ?? ?? ?? ??"
Is this possible?
"?? ?? 2? 50 00 00 00 ?? 40 00 00 0? ?? ?? ?? ??"
Then maybe use readBytes for the 3rd and 12th bytes to check if they are 24-29 or 01/02, if that isn't sufficient.
ii.
While I was looking at one of the other addresses that I usually get from the arithmetic I noticed a trend.
If it was an NPC it was always this:
004024D8 - 89 86 14000000 - mov [esi+00000014],eax
If it was an object it was always this:
00403204 - 89 86 14000000 - mov [esi+00000014],eax
If it was a player it was always this:
004014F1 - 89 86 14000000 - mov [esi+00000014],eax
As you can see, the first address is always the same for different stuff.
Is there a way to check for this, so I can filter out to only display players?
ParkourPenguin I post too much Reputation: 140
Joined: 06 Jul 2014 Posts: 4299
Posted: Sat Jul 16, 2016 10:05 am
i. Yes, you can search for nibbles.
ii. Why not just search for that instruction instead? It's probably going to be more unique than what you're currently searching for, especially if the instructions around that one are similar.
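An added example for point i above (not code from the thread): the nibble wildcard in the AOB string, followed by the readBytes check de donia proposed to narrow bytes 3 and 12 to the values actually seen. The pattern is de donia's; the byte positions are 1-based as in the post, and the ranges (0x24-0x29, 0x01-0x02) are those listed there.

```lua
-- Added example (not from the thread): nibble wildcards in the AOB string
-- ("2?" matches 0x20-0x2F, "0?" matches 0x00-0x0F), then a readBytes check
-- that narrows bytes 3 and 12 (1-based) to the ranges actually observed.
local PATTERN = "?? ?? 2? 50 00 00 00 ?? 40 00 00 0? ?? ?? ?? ??"
local PATTERN_LEN = 16                  -- bytes covered by the pattern

local function between(b, lo, hi)
  return b ~= nil and b >= lo and b <= hi
end

local function refinedHits(pattern)
  local hits = {}
  local scans = AOBScan(pattern)        -- nil when nothing matches
  if not scans then return hits end
  for i = 0, scans.Count - 1 do
    local addr = tonumber(scans[i], 16)
    local b = readBytes(addr, PATTERN_LEN, true)   -- table of 16 bytes, or nil
    if b and between(b[3], 0x24, 0x29) and between(b[12], 0x01, 0x02) then
      hits[#hits + 1] = addr
    end
  end
  scans.destroy()
  return hits
end

for _, addr in ipairs(refinedHits(PATTERN)) do
  print(string.format("%08X", addr))
end
```

The nibble form already rejects most of what the all-wildcard pattern accepted; the readBytes pass is the belt-and-braces filter for the two bytes where a full nibble is still too loose.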
de donia Newbie cheater Reputation: 0
Joined: 11 Jul 2016 Posts: 12
Posted: Sat Jul 16, 2016 10:53 am
I am not sure how to do this:
If I aob for:
"89 86 14 00 00 00"
I get like 6 static hits, among them are these:
004024D8
00403204
004014F1
The ones I mentioned earlier.
I am probably doing something wrong, how is this going to help me?
How do I go from that to a value I can use?
(Just to mention there were 27 players in the area when I did that search.)
ParkourPenguin I post too much Reputation: 140
Joined: 06 Jul 2014 Posts: 4299
Posted: Sat Jul 16, 2016 11:04 am
I figured from a previous post your goal was to use that AoB scan to find the instruction that accesses that address. I think I can see what you're trying to do now.
A much simpler way of doing this would be to hook an instruction that accesses some address in the structure of every character. Pointers to the different characters are probably stored somewhere as well (i.e. in an array). I really would not recommend doing an AoB scan for data. If you do, you should use a much bigger signature than that. This topic might help.
Ignore what I said earlier. In order to see what instructions access that address, you'll need to set a breakpoint there. You can't just magically know what instructions access which addresses.
de donia Newbie cheater Reputation: 0
Joined: 11 Jul 2016 Posts: 12
Posted: Sat Jul 16, 2016 12:27 pm
Yeah, I am trying to get information on players/objects/npcs within my reach.
All the info that is possible, something that obviously includes health, class, gear, and positional data,
basically anything I can get hold of.
My current approach of AoB is dirty, but there is still a road for me to walk when it comes to stuff like this.
I am currently trying to find the path that leads to this road, but trekking in mud is not fast going, and sometimes you get stuck, or lost, and need someone to help you find your bearings again.
Not everything on the map is accessible to me, only what is within my range.
As I move about, I lose sight of some entities, while I gain sight of others.
I have come to believe that what I can see is contained in an array somewhere, but to locate it, and be able to read from it is something I am far away from understanding.
It probably will be my destination, and I hope that some day I can reach it.
de donia Newbie cheater Reputation: 0
Joined: 11 Jul 2016 Posts: 12
Posted: Mon Jul 18, 2016 2:34 pm
Sadly most stuff I come across is meant for a single address, to freeze health, except for one where I found something meant to insta-kill enemies.
I did look at that topic but it was not much for my progress.
What I did find was the use of:
"Find what addresses this instruction accesses"
Above one of my instructions I was able to use it, and it would show one address, that kept getting updated rapidly with the different height values of the enemy.
mov eax,[ebp-08] <<---- this one
mov [esi+308],eax
If I had 10 enemies within reach I would see this number change constantly representing each of the enemies height values, as if it iterated over an array somewhere.
If I used it on the instruction below I would get a match for every single enemy in reach in the "Changed Addresses" window.
I am not sure if any of that can be used in any way,
disregarding for a moment that linking them together with the other character data seems complex.
ParkourPenguin I post too much Reputation: 140
Joined: 06 Jul 2014 Posts: 4299
Posted: Mon Jul 18, 2016 2:42 pm
I highly doubt mov eax,[ebp-08] accesses some address in the enemies' structures. If you mean mov [esi+308],eax, then esi should be the base address of each of the enemies' structures. Once you have that information, you can do whatever you want with anything you want in the enemies' structures.
de donia Newbie cheater Reputation: 0
Joined: 11 Jul 2016 Posts: 12
Posted: Wed Jul 20, 2016 1:33 pm
I currently find the esi with aobscan, and can usually do what I need with it,
but now I wonder if I can somehow speed the scan up a bit.
You mentioned using memscan to restrict the search area.
Is it possible to get an example of it, where hits get placed in a 'foundlist'?
I ran around a bit ingame and caught these addresses:
[edit] Oh God!
The code-tag on this forum doesn't make a small scrollable box for the code-info...
Truncated by request:
06000000 to 07FFFFFFF
and roughly
17000000 to 2DFFFFFFF
So it is not a single range, but two separate ones.
Actually there are like five separate ones, but the gap between four of them is not so big, so you can easily merge them together.
Last edited by de donia on Wed Jul 20, 2016 1:58 pm; edited 2 times in total
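An added example of what was asked for here and in ParkourPenguin's earlier advice on restricting the search area (not code from the thread): an AOB scan limited to explicit address ranges through CE's MemScan class, with the hits collected from a FoundList. The ranges are the two de donia listed, read as 06000000-07FFFFFF and 17000000-2DFFFFFF (an assumption, since the post shows nine-digit end addresses); the pattern is the thread's. The parameter order of firstScan follows CE's Lua reference.

```lua
-- Added example (not from the thread): an AOB scan limited to address ranges
-- using CE's MemScan and FoundList classes, so the scanner does not walk the
-- whole process. Ranges are read from de donia's post as 8-digit addresses
-- (assumption). Neighbouring small ranges can be merged into one entry.
local PATTERN = "?? ?? ?? 50 00 00 00 ?? 40 00 00 ?? ?? ?? ?? ??"
local RANGES = {
  {0x06000000, 0x07FFFFFF},
  {0x17000000, 0x2DFFFFFF},
}

-- Scan [startAddr, stopAddr] for the byte pattern; returns a table of addresses.
-- protection is CE's flag string: "*X*W*C" = don't care (right for data hits);
-- "+X-W-C" = executable, non-writable, non-copy-on-write, the setting to use
-- when the pattern is an instruction rather than data.
local function aobInRange(pattern, startAddr, stopAddr, protection)
  local hits = {}
  local ms = createMemScan()
  ms.firstScan(soExactValue, vtByteArray, rtRounded,
               pattern, "",                 -- input1 = pattern, input2 unused
               startAddr, stopAddr,
               protection or "*X*W*C",
               fsmNotAligned, "1",          -- no alignment constraint
               true,                        -- isHexadecimalInput
               false, false, false)         -- isNotABinaryString, isUnicodeScan, isCaseSensitive
  ms.waitTillDone()                         -- firstScan runs asynchronously
  local fl = createFoundList(ms)
  fl.initialize()                           -- load the scan results
  for i = 0, fl.Count - 1 do
    hits[#hits + 1] = tonumber(fl.getAddress(i), 16)   -- addresses come back as hex strings
  end
  fl.destroy()
  ms.destroy()
  return hits
end

local bases = {}
for _, r in ipairs(RANGES) do
  for _, addr in ipairs(aobInRange(PATTERN, r[1], r[2])) do
    bases[#bases + 1] = addr - 0x200        -- back to the character base, as in the thread
  end
end
print(#bases .. " bases found")
for _, base in ipairs(bases) do
  print(string.format("%08X", base))
end
```

Each range is a separate scan, so the cost scales with the total size of the ranges rather than the whole address space; the ranges themselves still need to be re-checked if the game allocates its character structures elsewhere after a restart.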
++METHOS I post too much Reputation: 92
Joined: 29 Oct 2010 Posts: 4197
Posted: Wed Jul 20, 2016 1:36 pm
What was the point of that? Just provide a range.