Cheat Engine The Official Site of Cheat Engine
Rawing Cheater Reputation: 0
Joined: 01 May 2010 Posts: 42 Location: Austria
Posted: Wed Sep 21, 2016 8:03 am Post subject: Finding a certain address in program code with lua
I've written a trainer for a game using lua. The problem is that the address of a certain value (let's pretend it's the player's money) tends to change with each new game patch.
To counter this, I thought I could do something like this:
1) Find some code that accesses the money value. Say the code looks like
and is at address "GAME.EXE+15".
2) Find the start of the function (say it's "GAME.EXE+10").
3) Use lua to disassemble the code starting at "GAME.EXE+10" until it finds an instruction of the form "mov eax,[some address]", and extract the address.
I implemented this and confirmed it produces the expected result. For reference, the code looks like this:
Code:
    function find_address()
      -- start of the function that reads the money value, as a Cheat Engine symbol expression
      local address= "GAME.GSysAlloc_SingletonSupport<FGFxAllocator>::GSysAlloc_SingletonSupport<FGFxAllocator>+8F57A0"
      local max_offset= 50   -- how many bytes past the start to walk
      local offset= 0
      --address= getAddress(address) --no idea why, but the code won't work if I call getAddress here...
      -- (getAddress returns a number; concatenated into the string below, its decimal digits would be parsed back as hex)
      while offset<max_offset do
        -- Cheat Engine parses numbers in an address string as hex, so the byte offset
        -- must be formatted as hex rather than appended as a decimal number
        local addr= string.format('%s+%X', address, offset)
        local code= disassemble(addr)
        -- we're looking for lines of the form "instruction whatever,[address]";
        -- this only matches a raw hex address, not a symbolic one like [GAME.EXE+1234]
        local match= string.match(code, ',%[([0-9A-Fa-f]+)%]')
        if match~=nil then
          return match
        end
        offset= offset+getInstructionSize(addr)
      end
      return '00000000'
    end
Now, the question is, what do I do if the game's code changes due to a patch, and suddenly "GAME.EXE+10" is no longer the start of the function, but (worst case scenario) in the middle of another instruction that started at, say, "GAME.EXE+9"? Disassembling the code starting at "GAME.EXE+10" would then produce wrong results, wouldn't it? Is there a way to find an address at which an instruction begins, so that I can start disassembling there? (It doesn't necessarily have to be the start of the function.)
_________________
Game over! Die again!
Zanzer I post too much Reputation: 126
Joined: 09 Jun 2013 Posts: 3278
Posted: Wed Sep 21, 2016 1:47 pm
Use AOBScan() with wildcards.
Code:
    -- "??" are wildcard bytes (the address that changes); "XX" stands for the fixed bytes that follow
    local found = AOBScan("A1 ?? ?? ?? ?? XX XX XX XX XX")
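Zanzer's pattern approach carried through as an added example (not code from the thread): scan for the bytes of "mov eax,[imm32]" plus some fixed neighbouring bytes, insist on exactly one hit, check that the hit really disassembles as that instruction, and read the operand straight out of the instruction bytes. It assumes Cheat Engine's Lua API (AOBScan, disassemble, readInteger), a 32-bit target where the instruction is encoded as opcode A1 followed by the absolute address, and the constructed bytes "89 45 FC" standing in for whatever actually follows the instruction in the game.

```lua
-- Added example, not from the thread. Assumes Cheat Engine's Lua API (AOBScan,
-- disassemble, readInteger) and a 32-bit process where "mov eax,[addr]" is
-- encoded as opcode A1 followed by the 4-byte absolute address.
-- "89 45 FC" is a constructed stand-in for the real bytes that follow the
-- instruction; pick bytes that do not change between patches.
local PATTERN = "A1 ?? ?? ?? ?? 89 45 FC"

-- Returns the address the instruction reads from, or nil plus a reason.
function find_money_address()
  local hits = AOBScan(PATTERN)           -- nil when nothing matched
  if hits == nil then
    return nil, "pattern not found; the code may have been recompiled"
  end
  local count = hits.Count
  local first = hits[0]                   -- hex string, e.g. "00415F20"
  hits.destroy()
  if count ~= 1 then
    -- a pattern that hits several places is as unreliable as a stale offset:
    -- add more fixed bytes around the wildcards until exactly one hit remains
    return nil, string.format("%d hits for pattern; make it more specific", count)
  end
  local instr = tonumber(first, 16)
  -- the scan landed on the opcode byte, so the disassembler should agree that
  -- this is an instruction boundary; bail out if it does not
  if not string.find(disassemble(instr), "mov eax,%[") then
    return nil, "hit does not disassemble as mov eax,[...]"
  end
  -- the imm32 operand sits right after the A1 opcode; mask to unsigned 32-bit
  return readInteger(instr + 1) % 0x100000000
end

local money, why = find_money_address()
if money then
  print(string.format("money value is at %08X", money))
else
  print("could not locate money address: " .. why)
end
```

Because the scan starts at the opcode byte, the mid-instruction problem from the first post does not arise; the uniqueness check is what guards against the pattern silently matching a different function after a patch.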
Rawing Cheater Reputation: 0
Joined: 01 May 2010 Posts: 42 Location: Austria
Posted: Thu Sep 22, 2016 10:36 am
I'll try that, thanks. Looking at how large my offset is (+8F57A0), the position of that instruction will probably change by a lot with the next patch, so an AOBScan is likely more reliable.
_________________
Game over! Die again!