Cheat Engine The Official Site of Cheat Engine
alexisoko How do I cheat?
Reputation: 0
Joined: 23 Jan 2018 Posts: 6
Posted: Tue Jan 23, 2018 2:03 am Post subject: Need help on creating a "trainer"
Hello, I'm new to making trainers with Cheat Engine and I would like to know if what I want to do is possible.
So when we launch the trainer, it detects if WindowsEntryPoint is open.
If not, the trainer closes with a popup message saying to open the game.
If the game is open, this trainer has 1 button saying "Activate".
When we activate the button, it searches for all float values of 10.00;
after that it changes all values found to 1500,
and that's it. So tell me if it's possible. As I said, I am new; if you have some tutorials related to what I want to do, tell me about them.
(And also I am French, sorry for the English errors that I may make.)
Corroder Grandmaster Cheater Supreme
Reputation: 75
Joined: 10 Apr 2015 Posts: 1668
Posted: Tue Jan 23, 2018 3:41 am
I am not sure the script below is posted in the correct forum section because this is Lua scripting, but here is an example:
Code: |
local processName = "GameName.exe" -- tested with 'notepad.exe'

-- Timer callback: attach if the process is running, otherwise notify and close
function my_game_attach(timer)
  if getProcessIDFromProcessName(processName) ~= nil then
    object_destroy(timer)
    openProcess(processName)
    l2.caption = 'Game process opened'
  else
    t.Destroy()
    showMessage('Game not open. Please open the game and re-open this trainer')
    closeTrainer()
  end
end

t = createTimer(nil)
timer_setInterval(t, 10)
timer_onTimer(t, my_game_attach)

function closeTrainer()
  closeCE()
  return caFree
end

function findDoubleValueAndReplace(findValue, replaceWith) --- not sure 10.00 and 1500 type are floating value
  memscan = createMemScan()
  foundlist = createFoundList(memscan)
  protectionflags = "-W*X-C"
  memscan.firstScan(soExactValue, vtDouble, rtTruncated, findValue, nil,
                    "0", "7fffffff", protectionflags,
                    fsmAligned, "4",
                    false, false, false, false)
  memscan.waitTillDone()
  foundlist.initialize()
  -- overwrite every address the scan returned
  for i = 0, foundlist.Count - 1 do
    fullAccess(getAddress(foundlist.Address[i]), 8)
    writeDouble(foundlist.Address[i], replaceWith)
  end
  sleep(50)
  foundlist.destroy()
  sleep(50)
  memscan.destroy()
end

function lets_do_it()
  findDoubleValueAndReplace(10.00, 1500)
end

---- Make Form and stuffs
f = createForm(true)
f.Width = 200
f.Height = 200
f.BorderStyle = 'Single'
f.Position = 'poScreenCenter'
f.Caption = 'My Trainer'

l1 = createLabel(f)
l1.left = 10
l1.top = 10
l1.font.size = 14
l1.font.name = 'Arial'
l1.font.style = 'fsBold'
l1.font.color = '0x327C5F' --- Green
l1.caption = 'Game Name'

l2 = createLabel(f)
l2.left = 10
l2.top = l1.height + 10
l2.font.size = 10
l2.font.name = 'Arial'
l2.font.style = 'fsBold'
l2.font.color = '0x327C5F' --- 0xEE1717 = Red, if game not open
l2.caption = 'Waiting...'

b1 = createButton(f)
b1.top = l2.top + l2.height + 25
b1.width = 100
b1.height = 30
b1.left = (f.width - b1.width) / 2
b1.caption = 'My Hack'

b2 = createButton(f)
b2.top = b1.top + b1.height + 10
b2.width = 100
b2.height = 30
b2.left = (f.width - b2.width) / 2
b2.caption = 'Exit'

b1.onClick = lets_do_it
b2.onClick = closeTrainer
|
_________________
Stealing Code From Stolen Code...
And Admit It.. Hmmm....Typically LOL
alexisoko How do I cheat?
Reputation: 0
Joined: 23 Jan 2018 Posts: 6
Posted: Tue Jan 23, 2018 7:17 am
Oh great, thanks! How do I use Lua code in Cheat Engine to make the trainer? (Sorry, I'm very new ^^)
FreeER Grandmaster Cheater Supreme
Reputation: 53
Joined: 09 Aug 2013 Posts: 1091
Posted: Tue Jan 23, 2018 7:18 am
Sure, see above (though it scans doubles, not floats, and I've no idea why it's scanning non-writable memory (generally code) with -W instead of writable with +W), but why not just tell people to do that?
It's really not that hard to do manually; it's much easier to say "change all float 10 to 1500" (perhaps with a few screenshots or a 30 second video) than to create a trainer, and people get to learn something which might motivate them to learn a lot more on their own... I could understand if you wanted it to be just a part of several other things (or just for your own learning) but if that's literally all you want...
Last edited by FreeER on Tue Jan 23, 2018 7:47 am; edited 1 time in total
alexisoko How do I cheat?
Reputation: 0
Joined: 23 Jan 2018 Posts: 6
Posted: Tue Jan 23, 2018 7:36 am
FreeER wrote: | sure see above (though it scans doubles not floats and I've no idea why it's scanning non-writable memory (generally code) with -W instead of writable with +W), but why not just tell people to do that?
It's really not that hard to do manually, it's much easier to say "change all float 10 to 1500" (perhaps with a few screenshots or a 30 second video) than to create a trainer, and people get to learn something which might motivate them to learning a lot more on their own... I could understand if you wanted it to be just a part of several other things but if that's literally all it's doing... |
Well, I'm already doing it by changing all the values, but I want to share it with my friend who doesn't know how to use Cheat Engine ^^
That's why I wanted to make a simple trainer that has just one button ^^
FreeER Grandmaster Cheater Supreme
Reputation: 53
Joined: 09 Aug 2013 Posts: 1091
Posted: Tue Jan 23, 2018 7:50 am
Sure, but wouldn't it be better to teach your friend a 30 second thing rather than baby them with one click magic? I've gone that route with people before and generally they end up thinking you can do literally anything and get annoyed when you don't because they have no idea what's actually going on.... just a suggestion, sometimes simpler for the user is not actually better for anyone
Corroder Grandmaster Cheater Supreme
Reputation: 75
Joined: 10 Apr 2015 Posts: 1668
Posted: Tue Jan 23, 2018 8:07 am
FreeER wrote: | sure see above (though it scans doubles not floats and I've no idea why it's scanning non-writable memory (generally code) with -W instead of writable with +W), but why not just tell people to do that?
... |
Sure, that is why I added the comment on my script "--- not sure 10.00 and 1500 type are floating value.." and I think no function "search" for float value, but common use "findValue(float)" to find float value memory region.
I believe it's easier using AA code to do it. And just because I am weak with AA code, I hope someone should provide a better function to find and replace float values in "function findDoubleValueAndReplace(findValue, replaceWith)" and could change the function name to "function findFloatValueAndReplace(findValue, replaceWith)"...
@alexisoko:
Quote: | Oh great thanks ! how do i use lua code in cheat engine for make the trainer ? ( Sorry i'm very new ^^ ) |
In the CE menu > Table > Show Cheat Table Lua Script,
write your code there (example: you can copy my code above and paste it there, and next click Execute).
Last, if everything is fine, you can save your code as a CT file or CETRAINER.
alexisoko How do I cheat?
Reputation: 0
Joined: 23 Jan 2018 Posts: 6
Posted: Tue Jan 23, 2018 8:24 am
Okay, thanks. Also, the app is not like a .exe; it's an app from the Windows Store, and to select it in CE we have to select WindowsEntryPoint or something like that. How do I do that, because your code selects a .exe app?
Corroder Grandmaster Cheater Supreme
Reputation: 75
Joined: 10 Apr 2015 Posts: 1668
Posted: Tue Jan 23, 2018 8:46 am
alexisoko wrote: | Okay, thanks. Also, the app is not like a .exe; it's an app from the Windows Store, and to select it in CE we have to select WindowsEntryPoint or something like that. How do I do that, because your code selects a .exe app? |
Find that WindowsEntryPoint name. When you open it using CE, note the name of the WindowsEntryPoint you attach to in CE and try putting that name in your script. Usually the entry point name is WinMain (on Win 32-bit).
In C++, to retrieve the name of the executable file for the specified process with the GetProcessImageFileName function, it should be:
Code: |
DWORD WINAPI GetProcessImageFileName(
  _In_  HANDLE hProcess,
  _Out_ LPTSTR lpImageFileName,
  _In_  DWORD  nSize
);
|
I don't know how to do that using Lua or CE.
alexisoko How do I cheat?
Reputation: 0
Joined: 23 Jan 2018 Posts: 6
Posted: Tue Jan 23, 2018 9:09 am
Okay, okay, I will try.
FreeER Grandmaster Cheater Supreme
Reputation: 53
Joined: 09 Aug 2013 Posts: 1091
Posted: Tue Jan 23, 2018 9:41 am
Quote: | not sure 10.00 and 1500 type are floating value |
Of course 10 and 1500 can be floats; float and double are the same exact standard, the only difference is that floats are 32 bits rather than 64 (2x, aka double), so they support fewer decimal points of accuracy/precision than a double, but those values are nowhere close to the limits....
Quote: | I think no function "search" for float |
You can search for floats in exactly the same way as doubles simply by using vtSingle (aka single precision rather than double precision) instead of vtDouble. Anything the CE GUI can search for, memscan can search for; you just have to look at what the actual options are in celua.txt (or perhaps the wiki, TheyCallMeTim13 has been updating it).
Quote: | I believe it's easier using AA code to do |
There's no way to do it in AA code at all unless you write a memory scanner yourself, in assembly (or load a library and call or write Lua code, but at that point it's not really AA code). The closest thing you have is aobscan, but that'd only find a single result.
Quote: | I hope someone should provide a better function |
Code: |
--[[
  Generic function to write a value to unknown variable type
    address - address to write to
    value   - value to write
    vt      - value type as vt* define (vtDword, vtSingle, etc.)
]]
function writeValue(address, value, vt)
  -- handle not having required arguments
  if not address or not value or not vt then return nil end
  local types = {
    [vtByte] = writeBytes,
    -- *smallInteger added in CE 6.7
    [vtWord] = writeSmallInteger or function(address, value) writeBytes(address, wordToByteTable(value)) end,
    [vtDword] = writeInteger,
    [vtQword] = writeQword,
    [vtSingle] = writeFloat,
    [vtDouble] = writeDouble,
    -- unsupported, require custom functions for one reason or another
    --[vtString]
    --[vtByteArray]
    --[vtGrouped],
    --[vtBinary],
  }
  local sizes = {
    [vtByte] = 1,
    [vtWord] = 2,
    [vtDword] = 4,
    [vtQword] = 8,
    [vtSingle] = 4,
    [vtDouble] = 8
  }
  local writeFunction = types[vt];
  if not writeFunction then return nil end
  local res = writeFunction(address, value)
  if res then return res end
  --[[
    if failed try making it writable and try again, unfortunately fullAccess will also make it executable as well...
    which can require the protectionflags to change to find it a second time... but to only make it writable
    would require creating a way to call VirtualProtect from lua, not particularly hard but.... maybe a little
    beyond the scope of this example, basically you'd use autoAssemble to setup a function which would take
    a pointer to the arguments in memory and call VirtualProtect properly (of course, you'd need one for x86 and one for x64)
    and then have a lua function that would take the arguments, write them to some memory and use executeCode to
    call the assembled VirtualProtect wrapper function with the address of that memory
  ]]
  fullAccess(address, sizes[vt])
  return writeFunction(address, value)
end

--[[
  function to scan for a value and replace all found instances of it
    findValue - the value to find
    replaceValue - the value to replace the findValue with
    [findType] - the value type of the value to find and write, defaults to 4 bytes / vtDword
    [protectionflags] - string to describe the type of memory to scan, options are
        W - writable, X - executable, C - copy on write, prefixed with
        + for required, - for not allowed, or * for ignored (same as not providing one)
        defaults to writable, non-executable, non-copy-on-write = "+W-X-C"
    [rounding] - rounding type, one of (in order of least values matched to most):
        rtRounded, rtExtremerounded, rtTruncated
        default: rtRounded
]]
function findValueAndReplace(findValue, replaceValue, findType, protectionflags, rounding)
  -- handle not having required arguments
  if not findValue or not replaceValue then return nil end
  -- default values
  findType = findType or vtDword
  protectionflags = protectionflags or "+W-X-C"
  rounding = rounding or rtRounded -- rtRounded is the most restrictive.
  -- do scan
  memscan = createMemScan()
  memscan.firstScan(soExactValue, findType, rounding, findValue, nil,
                    "0", "7fffffffffffffff", protectionflags,
                    fsmAligned, "4", false, false, false, false)
  memscan.OnScanDone = function(memscan)
    print('scan done')
    foundlist = createFoundList(memscan)
    foundlist.initialize()
    print(foundlist.Count)
    for i = 0, foundlist.Count - 1 do
      print('writing to', foundlist.Address[i])
      writeValue(foundlist.Address[i], replaceValue, findType)
    end
    sleep(50) -- not certain these are necessary but
    foundlist.deinitialize()
    foundlist.destroy()
    sleep(50) -- not certain these are necessary but
    memscan.destroy()
  end
  memscan.waitTillDone()
end
|
edit:
Quote: | In C++, to retrieve the name of the executable file for the specified process with the GetProcessImageFileName function |
CE sets the process variable to the name of the executable you attach to, though it also lets you get a table of all processes:
Code: | getProcesslist(): Returns a table with the processlist (pid - name ) |
so you could also use getProcesslist()[getOpenedProcessID()] (those do not include any path however, just the actual name and extension)
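Added example, not part of the thread and not Cheat Engine code: a stand-alone Python model of the two points made in the post above, that a scan for a double does not match a 32-bit float of the same value and that the protection-flag string decides which regions are scanned at all. The region list, the `scan` helper and the exact byte comparison (no rounding modes) are assumptions made for the illustration; only the flag syntax and the type names come from the thread.

```python
import re
import struct

# Constructed sample "process memory": (base address, protection, bytes).
# Protection letters follow the thread: W writable, X executable, C copy-on-write.
REGIONS = [
    (0x1000, "X", b"\x90" * 8 + struct.pack("<d", 10.0)),   # code page
    (0x2000, "W", struct.pack("<fif", 10.0, 7, 10.0)         # data: two floats,
                  + struct.pack("<d", 10.0)),                 # an int and a double
    (0x3000, "WC", struct.pack("<ff", 10.0, 10.0)),          # copy-on-write data
]

# struct formats standing in for the value types named in the thread.
VALUE_TYPES = {"vtSingle": "<f", "vtDouble": "<d"}


def parse_flags(flags):
    """Split a string such as "+W-X-C" into required and forbidden letters."""
    pairs = re.findall(r"([+\-*])([WXC])", flags)
    if "".join(sign + letter for sign, letter in pairs) != flags:
        raise ValueError("bad protection flag string: %r" % flags)
    required = {letter for sign, letter in pairs if sign == "+"}
    forbidden = {letter for sign, letter in pairs if sign == "-"}
    return required, forbidden  # '*' and omitted letters are ignored


def region_selected(protection, flags):
    """True if a region with these protection letters passes the filter."""
    required, forbidden = parse_flags(flags)
    have = set(protection)
    return required <= have and not (forbidden & have)


def scan(regions, value, value_type, flags, alignment=4):
    """Return addresses whose bytes equal `value` encoded as `value_type`."""
    pattern = struct.pack(VALUE_TYPES[value_type], value)
    hits = []
    for base, protection, data in regions:
        if not region_selected(protection, flags):
            continue
        for off in range(0, len(data) - len(pattern) + 1, alignment):
            if data[off:off + len(pattern)] == pattern:
                hits.append(base + off)
    return hits


def compare_settings():
    """Run the first script's settings next to the reply's defaults."""
    return {
        "first script (vtDouble, -W*X-C)": scan(REGIONS, 10.0, "vtDouble", "-W*X-C"),
        "reply defaults (vtSingle, +W-X-C)": scan(REGIONS, 10.0, "vtSingle", "+W-X-C"),
        "vtSingle, copy-on-write allowed": scan(REGIONS, 10.0, "vtSingle", "+W-X*C"),
    }


if __name__ == "__main__":
    print("float  10.0 bytes:", struct.pack("<f", 10.0).hex())
    print("double 10.0 bytes:", struct.pack("<d", 10.0).hex())
    for label, hits in compare_settings().items():
        print(label, [hex(h) for h in hits])
```

With the first script's settings the only hit is the double that happens to sit in the executable page, which is also the page `fullAccess` would then re-protect; the writable floats are never visited.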
alexisoko How do I cheat?
Reputation: 0
Joined: 23 Jan 2018 Posts: 6
Posted: Tue Jan 23, 2018 10:31 am
Well .. I think, thanks, but I don't understand everything ( French ). Can you do the full code so I can understand better? Ty anyway for helping me
TheyCallMeTim13 Wiki Contributor
Reputation: 51
Joined: 24 Feb 2017 Posts: 976 Location: Pluto
Posted: Tue Jan 23, 2018 4:46 pm
This is what I use to pull the file version for games, and here you can see how to get the path, but it only works with module based processes.
Code: |
function getGameVersion()
  local modules = enumModules()
  if modules == nil or modules[1] == nil then return end
  return getFileVersion(modules[1].PathToFile)
end
|
Corroder Grandmaster Cheater Supreme
Reputation: 75
Joined: 10 Apr 2015 Posts: 1668
Posted: Tue Jan 23, 2018 6:55 pm
Thanks for the in-depth explanation, mainly for the general function "findValueAndReplace". So, now everyone can learn and understand this kind of thing.
FreeER Grandmaster Cheater Supreme
Reputation: 53
Joined: 09 Aug 2013 Posts: 1091
Posted: Tue Jan 23, 2018 9:05 pm
No problem Corroder hope you find it useful!
Though I wish people (not you specifically but it's happened several times in this topic already and it happens everywhere quite frequently) would stop quoting a huge post to make a tiny reply lmao. Yeah, I know that's just what CEF does by default but it makes reading through a topic later quite annoying (or just scrolling down to the bottom of a reply to see what the new information is)