muGaen (Newbie cheater, Reputation: 0; Joined: 10 Jan 2018; Posts: 17)
Posted: Wed Jan 10, 2018 6:59 am    Post subject: AOB Scan help :/
Hello everyone,
I've got a question regarding aobscan(label, pattern).
I was always wondering if I can make my own pointers by using aobscan() with individual patterns, wherever they are found.
However, I've been unable to do that so far, because the scan returns a different address than I expect.
Although my pattern is found only once in memory, if I use it in an auto assembler aobscan() script I get an address where I cannot find any data related to what I find if I manually do an array of bytes search.
The real pattern can usually be found between 17000000 and 1BFFFFFF, whereas the aobscan() within the auto assembler returns some address near 056*****.
Does anyone have a clue what's going on there?
Is it even possible to achieve what I'm trying to?
Or do those aobscans work with base structure addresses only?
That's my auto assembler script:
Code:
[ENABLE]
// scan for the pattern; mleBase becomes the address of the first byte of the match
aobscan(mleBase,6D 6C 65 05 00 00 00 E0 10 B6 D1 41 00 00 C8 42 00 00 C8 42 00 00 00 00 00 00 C8 42 00 00 C8 42 * * * * * * * * 61 67 73 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 A0 41 00 00 A0 41 * * * * * * * * 72 67 64 06 00 00 00 E0 10 B6 D1 41 00 00 C8 42 00 00 C8 42 00 00 00 00 00 00 C8 42 00 00 C8 42 * * * * * * * * 69 69 65 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 A0 41)
label(mBase)
registersymbol(mBase)
// mBase is defined at the same address as mleBase so the table can reference it
mleBase:
mBase:
[DISABLE]
unregistersymbol(mBase)
I'd be grateful for any kind of hint I might get.
Thanks in advance.
mugaen
FreeER (Grandmaster Cheater Supreme, Reputation: 53; Joined: 09 Aug 2013; Posts: 1091)
Posted: Wed Jan 10, 2018 7:10 am
Pretty sure that the AA aobscan scans all memory regardless of whether it's writable, executable, or copy-on-write, so make sure your manual scan matches those settings and that it's still unique. If it's in a module you can use aobscanmodule to scan just that module; otherwise there is aobscanregion, but note that it could be loaded in different places for other people.
Also, if there's no offset you don't need a second label; you can just use
aobscan(labelname, ...)
registerSymbol(labelname)
(plus the AA framework + unregister of course)
muGaen (Newbie cheater, Reputation: 0; Joined: 10 Jan 2018; Posts: 17)
Posted: Wed Jan 10, 2018 7:20 am
Hmm.. Are these the right settings?
I still get just that one result.
Thank you. Well, I want to see how that script behaves if it finds the address, so I could use other labels as well. I'd like to use it for an address in the middle of that structure later.
[attached image, 14.66 KB]
FreeER (Grandmaster Cheater Supreme, Reputation: 53; Joined: 09 Aug 2013; Posts: 1091)
Posted: Wed Jan 10, 2018 7:23 am
That is correct. Hm, the only other thing I can think of right now is that the CE GUI (at least) doesn't scan some types of memory by default, based on edit->settings->scan settings.
edit: If that's still not it, you might check what address it's finding and compare that to the memory regions window (in memory viewer: tools->memory regions), and see which region it's in and what attributes it has that might be excluding it from the regular scans....
muGaen (Newbie cheater, Reputation: 0; Joined: 10 Jan 2018; Posts: 17)
Posted: Wed Jan 10, 2018 7:45 am
It says "read" if I check the regions.
If I check the bytes at the address found, they're completely different:
Code:
31 00 2D 00 30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 65 01 00 32 00 00 00 77 00 69 00 6E 00 64 00 6F 00 77 00 73 00 2E 00 75 00 69 00 2E 00 78 00 61 00 6D 00 6C 00 2E 00 70 00 68 00 6F 00 6E 00 65 00 2E 00 64 00 6C 00 6C 00 00 00 65 00 78 00 74 00 2D 00 6D 00 73 00 2D 00 77 00 69 00 6E 00 2D 00 78 00 61 00 6D 00 6C 00 2D 00 70 00 61 00 6C 00 2D 00 6C 00 31 00
compared to what I search for:
Code:
6D 6C 65 05 00 00 00 E0 10 B6 D1 41 00 00 C8 42 00 00 C8 42 00 00 00 00 00 00 C8 42 00 00 C8 42 * * * * * * * * 61 67 73 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 A0 41 00 00 A0 41 * * * * * * * * 72 67 64 06 00 00 00 E0 10 B6 D1 41 00 00 C8 42 00 00 C8 42 00 00 00 00 00 00 C8 42 00 00 C8 42 * * * * * * * * 69 69 65 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 A0 41
Does that mean that I can actually use the first byte found in an array of bytes as an address with my own offsets pointing to the values I want?
I mean, using the aobscan() within the auto assembler?
FreeER (Grandmaster Cheater Supreme, Reputation: 53; Joined: 09 Aug 2013; Posts: 1091)
Posted: Wed Jan 10, 2018 7:49 am
Huh, outside my knowledge then, I'm afraid. You'll need to wait on someone like Dark Byte who understands more.
muGaen (Newbie cheater, Reputation: 0; Joined: 10 Jan 2018; Posts: 17)
Posted: Wed Jan 10, 2018 7:56 am
Maybe I've found a bad example to try the aobscan on..
I just figured that out a few hours ago..
I used to work with pointerscans until I'd eventually end up standing against a wall.
Thank you for your help nonetheless. Those were good hints I can now consider in the future!
I hope we're gonna be able to solve this here though.
I'm going to wait for others' advice then too.
OldCheatEngineUser (Whateven rank, Reputation: 20; Joined: 01 Feb 2016; Posts: 1587)
Posted: Wed Jan 10, 2018 7:57 am
I haven't read everything here, but I wanna make sure you have the "show symbols" and "show module addresses" options enabled.
And if it's a mono game, enable mono features, then hook your desired instructions.
I barely ever find games that don't have module addresses; it makes me so bored when finding a unique pattern.
I'm not quite sure if the game uses copy-on-write, but whatever it is (your current case), it should not be that complex.
muGaen (Newbie cheater, Reputation: 0; Joined: 10 Jan 2018; Posts: 17)
Posted: Wed Jan 10, 2018 8:09 am
"show symbols" and "show module addresses" have been enabled by default, but how do I enable mono features?
The problem I'm struggling with is that I haven't been able to find a single pointer for that specific code block that lasted longer than a game restart (I could find other everlasting pointers though).
Are there any options for the aobscan? Something like "search until you find the 2nd approach of a code" (in case it's not individual)?
Thanks for your help.
TheyCallMeTim13 (Wiki Contributor, Reputation: 50; Joined: 24 Feb 2017; Posts: 976; Location: Pluto)
Posted: Wed Jan 10, 2018 8:12 am
You could use the Lua AOB scan function; it returns a list and allows you to set protection flags for the scan.
OldCheatEngineUser (Whateven rank, Reputation: 20; Joined: 01 Feb 2016; Posts: 1587)
Posted: Wed Jan 10, 2018 8:21 am
If it's a mono game, then a "mono" word will appear here (after attaching to the process):
CE main window panel:
file - edit - table - d3d - ??? - help
??? = mono (if it's a mono game), otherwise nothing.
muGaen (Newbie cheater, Reputation: 0; Joined: 10 Jan 2018; Posts: 17)
Posted: Wed Jan 10, 2018 8:28 am
I'm going to try and figure that Lua script AOB scan out, so I might find some kinda workaround solution for the problem I'm having.
It would be nice to have all the approaches listed, if not individual.
But I guess I've got a bit to do to dig into this.
Thank you Tim!
OldCEUser: No, there's not even a placeholder between d3d and help.
TheyCallMeTim13 (Wiki Contributor, Reputation: 50; Joined: 24 Feb 2017; Posts: 976; Location: Pluto)
Posted: Wed Jan 10, 2018 8:42 am
Here is a snippet of code from one of my Lua plugins to help get you started.
Code:
local AOBSignaturePrivileges = nil -- protection flags string such as '+X-C-W'; nil scans all memory
-- ...
if AOBSignaturePrivileges then
  result = AOBScan(strSignature, AOBSignaturePrivileges)
else
  result = AOBScan(strSignature)
end
if result ~= nil then
  count = result.Count -- number of matching addresses returned
  result.destroy() -- free the result stringlist once it is no longer needed
end
-- ...
FreeER (Grandmaster Cheater Supreme, Reputation: 53; Joined: 09 Aug 2013; Posts: 1091)
Posted: Wed Jan 10, 2018 9:49 am
Lua AOBScan is pretty simple; from celua.txt in the install directory:
Code:
AOBScan("aobstring", protectionflags OPTIONAL, alignmenttype OPTIONAL, alignmentparam HALFOPTIONAL):
protectionflags is a string.
X=Executable W=Writable memory C=Copy On Write. Add a + to indicate that flag MUST be set and a - to indicate that that flag MUST NOT be set. (* sets it to don't care)
Examples:
+W-C = Writable memory excluding copy on write and doesn't care about the Executable flag
+X-C-W = Find readonly executable memory
+W = Finds all writable memory and don't care about copy on write or execute
"" = Find everything (is the same as "*X*C*W" )
alignmenttype is an integer:
0=No alignment check
1=Address must be dividable by alignmentparam
2=Address must end with alignmentparam
alignmentparam is a string which either holds the value the addresses must be dividable by or what the last digits of the address must be
So in an AA script you could do (example based on step 2 of the tutorial):
Code:
[ENABLE]
{$lua}
-- if just editing the script don't run the rest of this lua code
-- should practically return the same type of result as if it did run
-- for error checking purposes
if syntaxcheck then
  return ('define(INJECT,%s)'):format(0)
end
local results = AOBScan('8B 83 80', '-W+X') -- unique AOBScan('8B 83 80 04 00 00')
assert(results, 'aobscan failed') -- will prevent script from enabling if not found
-- do stuff to select address from results
local debug = true
if debug then
  -- print all found addresses
  print('found results', results.Count)
  for i=0,results.Count-1 do
    print(results[i])
  end
end
-- just picking the first right now lol, it works for me
local addr = results[0]
results.destroy() -- free memory used for addresses
-- returned string will be treated as AA code in place of {$lua} {asm} section
return ('define(INJECT,%s)'):format(addr)
{$asm}
registersymbol(INJECT) // doesn't seem to have a problem with registering a define statement :)
// code to do stuff here
[DISABLE]
unregistersymbol(INJECT)

Of course there are several variations of code that'd get similar results, but I think this one shows more of the Lua features than most others, primarily the assert stopping the script from disabling, and the return result being treated as AA code. Though you can also return anything that's invalid AA code.
If you wanted you could even create a function in a lua file and put it in your autorun directory of CE's install so that you can call it without writing it out in the tablefiles, but then you'd have to include it with each of your tables if you shared them and explain how to use it, alternatively you can put it in the table's lua script but then people get a prompt about running the lua code if it's not signed (or users have set CE to always prompt).
http://forum.cheatengine.org/viewtopic.php?p=5734504#5734504 shows (afaik) how you should be able to use a memscan to limit the range of the scan as well... but I had issues with actually getting it to return results lol
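To make the protection-flag semantics quoted above from celua.txt concrete, here is an added Python model (not Cheat Engine code and not from anyone in this thread) of a wildcard AOB scan over regions carrying X/W/C attributes, which is the same filter that decides whether a match in a read-only mapping is reported or skipped. The Region class, the flag parser, and all addresses and bytes are constructed for illustration; in CE itself this is done by AOBScan, not by this code.

```python
import re
from dataclasses import dataclass

@dataclass
class Region:
    """One memory region, as the Memory Regions window would list it (constructed model)."""
    base: int
    data: bytes
    executable: bool
    writable: bool
    copy_on_write: bool

def parse_aob(pattern):
    """'6D 6C * 41' -> [0x6D, 0x6C, None, 0x41]; '*' or '??' is a wildcard byte."""
    return [None if t in ("*", "??", "?") else int(t, 16) for t in pattern.split()]

def parse_protection(flags):
    """'+X-C-W' -> {'X': True, 'C': False, 'W': False}; '*' or an absent flag means don't care."""
    return {f: s == "+" for s, f in re.findall(r"([+\-*])([XWC])", flags.upper()) if s != "*"}

def region_allowed(region, required):
    attrs = {"X": region.executable, "W": region.writable, "C": region.copy_on_write}
    return all(attrs[f] == want for f, want in required.items())

def aob_scan(regions, pattern, flags=""):
    """Return every address whose bytes match the pattern, in the regions the flags admit."""
    pat, required = parse_aob(pattern), parse_protection(flags)
    hits = []
    for r in regions:
        if not region_allowed(r, required):
            continue  # e.g. '+W' skips a read-only mapping entirely
        for off in range(len(r.data) - len(pat) + 1):
            if all(p is None or r.data[off + i] == p for i, p in enumerate(pat)):
                hits.append(r.base + off)
    return hits

# Constructed sample: the first 16 bytes of the thread's pattern, with the four "E0 10 B6 D1" bytes wildcarded.
PATTERN = "6D 6C 65 05 00 00 00 * * * * 41 00 00 C8 42"
NEEDLE = bytes.fromhex("6D6C6505000000E010B6D1410000C842")
# Constructed regions: the same bytes in a read-only mapping and in a writable heap block (made-up addresses).
SAMPLE_REGIONS = [
    Region(0x05600000, b"\x31\x00\x2D\x00" * 4 + NEEDLE + b"\x00" * 8, False, False, False),
    Region(0x17A00000, b"\x00" * 32 + NEEDLE + b"\xFF" * 16, False, True, False),
]

if __name__ == "__main__":
    print([hex(a) for a in aob_scan(SAMPLE_REGIONS, PATTERN)])          # both copies are reported
    print([hex(a) for a in aob_scan(SAMPLE_REGIONS, PATTERN, "+W-C")])  # only the writable one
```

Running it with no flags reports the match in both regions, while "+W-C" drops the read-only one, which is the difference between the AA aobscan and a GUI scan restricted to writable memory.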
muGaen (Newbie cheater, Reputation: 0; Joined: 10 Jan 2018; Posts: 17)
Posted: Wed Jan 10, 2018 10:05 am
Thank you very much.
Well, I was trying a few things out and found out that there must be another problem.
Even if I had that working Lua script right now, I doubt that it'd work.
I tried adding a few bytes at the beginning of my byte array. After adding four new values at the beginning, the first matching address would be higher than where I have to look (4D******).
So I suppose I should look for another solution.
edit: It reminds me of some pointer behavior, as if I'd find a pointer pointing at the address where the AOB scan had a match. Is that possible?