Cheat Engine Forum Index -> Cheat Engine

aobscan fails when literal signature is replaced by "macro"
fakuivan
Newbie cheater
Reputation: 0

Joined: 27 Dec 2018
Posts: 17

Posted: Thu Dec 27, 2018 1:41 am    Post subject: aobscan fails when literal signature is replaced by "macro"

Title got cropped: 'aobscan fails when literal signature is replaced by "macro"'

When using a defined keyword as the input for the "aobscanmodule" function, the sigscan fails; I assume this is because it tries to interpret the literal value instead of replacing it with the defined value.

Example:

Code:

{ Game   : Dishonored2.exe
  Version:
  Date   : 2018-12-27
  Author : fakui

  Get the base player pointer
}

[ENABLE]
define(signature, 48 8B 41 10 48 8B 48 28 48 8B 48 )

//aobscanmodule(INJECT,Dishonored2.exe,  48 8B 41 10 48 8B 48 28 48 8B 48  )  // works
aobscanmodule(INJECT,Dishonored2.exe, signature )  // doesn't work, the assert instruction doesn't pass
assert(INJECT,48 8B 41 10 48 8B 48 28)  // blocks us from injecting code at random locations
alloc(newmem,$1000,"Dishonored2.exe"+7B1F04)

label(code)
label(return)

newmem:

code:
  mov rax,[rcx+10]
  mov rcx,[rax+28]
  jmp return

INJECT:
  jmp newmem
  nop
  nop
  nop
return:
registersymbol(INJECT)

[DISABLE]

INJECT:
  db 48 8B 41 10 48 8B 48 28

unregistersymbol(INJECT)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: "Dishonored2.exe"+7B1F04

"Dishonored2.exe"+7B1EF7: CC                       -  int 3
"Dishonored2.exe"+7B1EF8: CC                       -  int 3
"Dishonored2.exe"+7B1EF9: CC                       -  int 3
"Dishonored2.exe"+7B1EFA: CC                       -  int 3
"Dishonored2.exe"+7B1EFB: CC                       -  int 3
"Dishonored2.exe"+7B1EFC: CC                       -  int 3
"Dishonored2.exe"+7B1EFD: CC                       -  int 3
"Dishonored2.exe"+7B1EFE: CC                       -  int 3
"Dishonored2.exe"+7B1EFF: CC                       -  int 3
"Dishonored2.exe"+7B1F00: 48 83 EC 28              -  sub rsp,28
// ---------- INJECTING HERE ----------
"Dishonored2.exe"+7B1F04: 48 8B 41 10              -  mov rax,[rcx+10]
"Dishonored2.exe"+7B1F08: 48 8B 48 28              -  mov rcx,[rax+28]
// ---------- DONE INJECTING  ----------
"Dishonored2.exe"+7B1F0C: 48 8B 48 8B              -  mov rcx,[rax-75]
"Dishonored2.exe"+7B1F10: 41 10 48 8B              -  adc [r8-75],cl
"Dishonored2.exe"+7B1F14: 48 28 74 7E 48           -  sub [rsi+rdi*2+48],sil
"Dishonored2.exe"+7B1F19: 8B 80 08 02 00 00        -  mov eax,[rax+00000208]
"Dishonored2.exe"+7B1F1F: 48 85 C0                 -  test rax,rax
"Dishonored2.exe"+7B1F22: 74 72                    -  je Dishonored2.exe+7B1F96
"Dishonored2.exe"+7B1F24: 80 78 20 00              -  cmp byte ptr [rax+20],00
"Dishonored2.exe"+7B1F28: 74 6C                    -  je Dishonored2.exe+7B1F96
"Dishonored2.exe"+7B1F2A: 48 8B 81 28 03 00 00     -  mov rax,[rcx+00000328]
"Dishonored2.exe"+7B1F31: 4C 8B 40 70              -  mov r8,[rax+70]
}


Is this expected behaviour?
OldCheatEngineUser
Whateven rank
Reputation: 20

Joined: 01 Feb 2016
Posts: 1586

Posted: Thu Dec 27, 2018 4:18 am

fakuivan wrote:
Code:
//aobscanmodule(INJECT,Dishonored2.exe,  48 8B 41 10 48 8B 48 28 48 8B 48  )  // works
aobscanmodule(INJECT,Dishonored2.exe, signature )  // doesnt work, the assert instruction doesn't pass
is this expected behaviour?

Yes, expected: AobScanModule expects bytes.

It's the preprocessor's job to process macros, keywords or whatever, and then replace them.

But CE's preprocessor doesn't work this way, so yeah, it's normal.
fakuivan
Newbie cheater
Reputation: 0

Joined: 27 Dec 2018
Posts: 17

Posted: Thu Dec 27, 2018 11:45 am

How is the preprocessor capable of distinguishing what parameters a directive with a specific name takes? Preprocessors are supposed to be more primitive than that.

I'd personally regard this behaviour as unexpected (ignoring the fact that it's undocumented in the wiki). Why should ``aobscanmodule`` not be able to consume a defined symbol? Seems like an artificial limitation imo.
Dark Byte
Site Admin
Reputation: 471

Joined: 09 May 2003
Posts: 25859
Location: The netherlands

Posted: Thu Dec 27, 2018 11:56 am

aobscans are handled before most everything else, including defines.
That way defines can use aobscan results.

e.g:
Code:

aobscan(bla123,90 90 90)
define(something,bla123)

assert(something,90 90 90)

registersymbol(something)

something:
db 90 90 90
If you want to redefine an aobscan you need to use {$lua} sections (which are handled before everything else).

e.g:
Code:

{$lua}
  -- build the aobscanmodule line from a Lua variable; the returned string is inserted into the script
  local signature='48 8B 41 10 48 8B 48 28 48 8B 48'
  return 'aobscanmodule(INJECT,Dishonored2.exe,'..signature..')'
{$asm}

assert(INJECT,48 8B 41 10 48 8B 48 28)  // block us from injecting code on random locations
alloc(newmem,$1000,"Dishonored2.exe"+7B1F04)
...

fakuivan
Newbie cheater
Reputation: 0

Joined: 27 Dec 2018
Posts: 17

Posted: Thu Dec 27, 2018 5:29 pm

So then would it be correct to say that the aobscan functions act like advanced ``defines``, substituting the first name with the memory location of the signature?

I still don't understand why you'd need to perform the aobscan replacements before everything else, instead of executing the statements in the order they appear in the assembly section.

Would something like this be valid then?

Quote:

define(macro,section)
macro:
dq 0
aobscan(section,90 90 90)
Dark Byte
Site Admin
Reputation: 471

Joined: 09 May 2003
Posts: 25859
Location: The netherlands

Posted: Thu Dec 27, 2018 5:46 pm

AOBs are done first for speed.
They all get grouped into a single scan, so instead of doing 10 AOB scans, it only needs to do 1 (that finds all 10 AOBs in one go).
So all aob lines first get replaced by define(name,address) and then the AA script is executed.

As for that code, not sure; defining with a define can be tricky, those should be in the order they are done.

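To make the ordering described in this thread concrete, here is an added Python model of the two preprocessing stages (one grouped AOB scan that rewrites every aobscan line as define(name,address), then in-order define expansion). It is a simplified illustration written for this thread, not Cheat Engine's own code, and it runs against a constructed byte buffer that stands in for module memory; the regexes and the MODULE bytes are assumptions, not CE's real parser or the game's real bytes.

```python
import re

# Constructed stand-in for a module's code bytes (NOT real Dishonored2.exe memory):
# nine int3, sub rsp,28, the 11-byte signature from the thread, then three nops.
MODULE = bytes.fromhex("cc" * 9 + "4883ec28" + "488b4110488b4828" + "488b488b4110488b" + "909090")
HEX_BYTE = re.compile(r"^[0-9A-Fa-f]{2}$")
AOB_LINE = re.compile(r"\s*aobscan(?:module)?\(\s*(\w+)\s*,(?:[^,]+,)?\s*([^)]*)\)")
DEFINE_LINE = re.compile(r"\s*define\(\s*(\w+)\s*,\s*(.*?)\s*\)\s*$")

def parse_pattern(text):
    """aobscan takes raw hex bytes only; a define name is not looked up here."""
    parts = text.split()
    if not parts or not all(HEX_BYTE.match(p) for p in parts):
        raise ValueError(f"aobscan pattern is not bytes: {text.strip()!r}")
    return bytes(int(p, 16) for p in parts)

def resolve_aobscans(lines, module):
    """Stage 1: gather every aobscan, walk memory ONCE, rewrite each as define(name,address)."""
    scans = {i: (m.group(1), parse_pattern(m.group(2)))
             for i, line in enumerate(lines) if (m := AOB_LINE.match(line))}
    found = {}
    for off in range(len(module)):        # one pass checks all patterns at each offset
        for i, (_, pat) in scans.items():
            if i not in found and module.startswith(pat, off):
                found[i] = off
    out = list(lines)
    for i, (name, _) in scans.items():
        if i not in found:
            raise LookupError(f"aobscan {name}: pattern not found")
        out[i] = f"define({name},{found[i]:08X})"
    return out

def _subst(text, defines):
    for name, value in defines.items():
        text = re.sub(rf"\b{name}\b", value, text)
    return text

def expand_defines(lines):
    """Stage 2: defines apply in script order and may alias the addresses stage 1 produced."""
    defines, out = {}, []
    for line in lines:
        if m := DEFINE_LINE.match(line):
            defines[m.group(1)] = _subst(m.group(2), defines)
        else:
            out.append(_subst(line, defines))
    return out

def preprocess(script, module=MODULE):
    """Strip // comments and blank lines, then run the two stages in CE's order."""
    lines = [l.split("//")[0].strip() for l in script.splitlines()]
    return expand_defines(resolve_aobscans([l for l in lines if l], module))
```

Feeding the literal-signature script through gives a working define(INJECT,address), the define-keyword variant fails in stage 1 before any define is seen, and Dark Byte's define(something,bla123) example resolves because bla123 already holds an address by the time stage 2 runs.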