dharmang1910 Expert Cheater Reputation: 0
Joined: 09 May 2010 Posts: 102
Posted: Sun Dec 12, 2021 3:17 am Post subject: script can not fetch addresses
Hi,
I am making a table for the game "Tunnel of Doom". In this game I've found a shared opcode that contains all the weapon addresses. The code is as below.
At the [esi-20] address there is a pointer which contains another pointer, and at that pointer there is the string of the weapon name.
I have made an AA script easily for this, but there are lots of weapons, so the AA script requires so many allocs and registersymbols, so I have tried to make the script in Lua. I am not a pro in Lua, so I have tried my best to make the script in Lua, and it cannot fetch 'esi' and the 'strings'. I think I am making some mistakes, so can anyone please help me to make this script correct?
My script:
Code:
{$lua}
local function ftchbs()
  autoAssemble([[
    aobscanmodule(weapon,TOD.exe,DD EE FF 83 C4 04 89 06 C7 06 00 00 00 00)
    registersymbol(weapon)
  ]])
  local base = getAddress("weapon+8")
  debug_removeBreakpoint(base)
  registerSymbol("base")
  unregisterSymbol("weapon")
end
function debugger_onBreakpoint()
  EIP = base
  _wbase = ESI
  registerSymbol("_wbase")
  id = readInteger("_wbase")
  id = readPointer(readPointer(id-0x20)+0x0)
  unregisterSymbol("sID")
  registerSymbol("sID",id)
  debug_continueFromBreakpoint(co_run)
  debugProcess(2)
  return 1
end
local function cmpstr()
  if _wbase ~= nil then
    if readString(sID) == Pickaxe then
      pkax = _wbase
      registerSymbol("pkax")
    end
  end
end
[ENABLE]
ftchbs()
debug_setBreakpoint(base)
cmpstr()
[DISABLE]
debug_removeBreakpoint(base)
unregisterSymbol("pkax")
unregisterSymbol("_wbase")
unregisterSymbol("base")
screenshots: (images not preserved)

careca777 Expert Cheater Reputation: 0
Joined: 27 Jul 2013 Posts: 121
Posted: Sun Dec 12, 2021 5:42 am
Could something like this be what you want?
Needs a pointer to jump start it.
Code:
[ENABLE]
{$lua}
--============================================================
-- Get 00E941B0
-- (symbols renamed: Lua locals and AA symbols may not start with a digit)
autoAssemble'globalalloc(firstOffset,8)'
local firstOffsetAddr = getAddress'[PointerToC744578]+0' -- +0 not needed, get pointer to 00E941B0
print ('Match firstOffset')
print(("%08X"):format(readPointer(firstOffsetAddr)))
writePointer('firstOffset', readPointer(firstOffsetAddr))
print ('===========================')
--============================================================
-- Get 00E286D8
autoAssemble'globalalloc(secondOffset,8)'
local secondOffsetAddr = getAddress'[firstOffset]+0' -- from the previous pointer 00E941B0 get 00E286D8
print ('secondOffset')
print(("%08X"):format(readPointer(secondOffsetAddr)))
writePointer('secondOffset', readPointer(secondOffsetAddr))
print ('===========================')
--============================================================
-- deactivate this memory record shortly after it has run
createTimer(500, function() memrec.Active = false; end)
[DISABLE]

dharmang1910 Expert Cheater Reputation: 0
Joined: 09 May 2010 Posts: 102
Posted: Sun Dec 12, 2021 6:21 am
careca777 wrote:
> Could something like this be what you want?
> Needs a pointer to jump start it.
Thanks for the reply.
Actually the whole thing completes in 3 stages.
At the first stage we have to get the address of the opcode and assign a variable to it.
At the second stage we have to break at that location and fetch "ESI" and the "Weapon String".
At the third stage we have to compare the string and assign it to a variable.
So after the above three stages are completed, we put the variable as the address of the different weapons into the table.
Maybe there is a shortcut to combine them into two or one stage, but to make it simple I have divided it into 3 stages, because I am not a pro in Lua.

ParkourPenguin I post too much Reputation: 138
Joined: 06 Jul 2014 Posts: 4275
Posted: Sun Dec 12, 2021 1:34 pm
Using {$LUACODE} might be easier.
https://forum.cheatengine.org/viewtopic.php?t=618134
e.g. something like this:
Code:
{$lua}
if not weaponAddresses then
  -- array of tables { name = weaponName, addr = ESI at injection point }
  -- tables can also be indexed by weaponName
  weaponAddresses = {}
end
{$asm}
[ENABLE]
aobscanmodule(weapon,TOD.exe,...)
alloc(newmem,4096)
label(return)
registersymbol(weapon)

newmem:
{$luacode wpnaddr=esi}
local name = readString(readPointer(readPointer(wpnaddr - 0x20)))
if not weaponAddresses[name] then
  local t = { name = name, addr = wpnaddr }
  weaponAddresses[#weaponAddresses + 1] = t
  weaponAddresses[name] = t
end
{$asm}
  mov [esi],00000000
  jmp return

weapon+8:
  jmp newmem
  nop
return:

[DISABLE]
weapon+8:
  db C7 06 00 00 00 00

unregistersymbol(weapon)
dealloc(newmem)
_________________
I don't know where I'm going, but I'll figure it out when I get there.

dharmang1910 Expert Cheater Reputation: 0
Joined: 09 May 2010 Posts: 102
Posted: Sun Dec 12, 2021 10:23 pm
Thank you very much ParkourPenguin for the reply,
I have learned something new from your post. I will try to understand the whole post in my spare time.
For now I only want to ask this:
I have added your script to the table, but after that, how do I add the addresses of the weapons to the table, and is it required that the opcode accesses the weapon addresses continuously??

ParkourPenguin I post too much Reputation: 138
Joined: 06 Jul 2014 Posts: 4275
Posted: Sun Dec 12, 2021 10:58 pm
If you only want to register symbols, you can delete the top {$lua} block and use this in the {$luacode} block:
Code:
{$luacode wpnaddr=esi}
local name = readString(readPointer(readPointer(wpnaddr - 0x20)))
local symbol = 'wpn_'..name
if not getAddressSafe(symbol) then
  registerSymbol(symbol, wpnaddr, true)
end
{$asm}
Add memory records manually with addresses "wpn_Pickaxe" etc.
Unless the weapon addresses change, the script can be turned off when you have all the weapons.

dharmang1910 Expert Cheater Reputation: 0
Joined: 09 May 2010 Posts: 102
Posted: Mon Dec 13, 2021 3:38 am
ParkourPenguin wrote:
> If you only want to register symbols, you can delete the top {$lua} block and use this in the {$luacode} block:
> Code:
> {$luacode wpnaddr=esi}
> local name = readString(readPointer(readPointer(wpnaddr - 0x20)))
> local symbol = 'wpn_'..name
> if not getAddressSafe(symbol) then
>   registerSymbol(symbol, wpnaddr, true)
> end
> {$asm}
> Add memory records manually with addresses "wpn_Pickaxe" etc.
> Unless the weapon addresses change, the script can be turned off when you have all the weapons.
Thank you very much for another script. I will try that also and will tell you about it.
Actually I just want to ask how I can use that generated table "t" in my script?
Either I have to add addresses with some variables, or will it automatically add the found addresses to the table??
I have modified your script a bit to remove some crap addresses, as follows, but after activating it nothing happened. So I just want to ask whether I have to do other steps or not after activating this script?
Code:
{$lua}
if not weaponAddresses then
  -- array of tables { name = weaponName, addr = ESI at injection point }
  -- tables can also be indexed by weaponName
  weaponAddresses = {}
end
{$asm}
[ENABLE]
aobscanmodule(weapon,TOD.exe,DD EE FF 83 C4 04 89 06 C7 06 00 00 00 00)
alloc(newmem,4096)
label(return)
registersymbol(weapon)

newmem:
{$luacode wpnaddr=esi}
if readPointer(wpnaddr - 0x20) ~= 0 then
  local name = readString(readPointer(readPointer(wpnaddr - 0x20)))
  if not weaponAddresses[name] then
    local t = { name = name, addr = wpnaddr }
    weaponAddresses[#weaponAddresses + 1] = t
    weaponAddresses[name] = t
  end
end
{$asm}
  mov [esi],00000000
  jmp return

weapon+8:
  jmp newmem
  nop
return:

[DISABLE]
weapon+8:
  db C7 06 00 00 00 00

unregistersymbol(weapon)
dealloc(newmem)
Edit:
I have tried your second script and it has successfully fetched the weapon addresses, but after that, at some points, some other crap addresses are accessed by this opcode and the game hangs. But one good thing is that the addresses of the weapons remain the same for the whole session of the game, so after fetching all results I disable the script. How can I limit registering to a limited amount of symbols, like 20 (I mean "for t(n) n-1 ,20 do..etc), and then the script disables itself??

ParkourPenguin I post too much Reputation: 138
Joined: 06 Jul 2014 Posts: 4275
(post body not preserved)

dharmang1910 Expert Cheater Reputation: 0
Joined: 09 May 2010 Posts: 102
Posted: Tue Dec 14, 2021 5:03 am
ParkourPenguin wrote:
> This is starting to get a little ridiculous and you might be better off by finding a better injection point.
Thank you very much for all your valuable help and time. I have added the "_wpnSymbolRegisteredCount" things in your second script with the registersymbol thing, and it works fine. Now going to another chamber does not hang the game. I really want to learn the Lua thing, especially related to Cheat Engine and the table things, because I still cannot understand table-related code. The Cheat Engine wiki is not complete, so can you please suggest where I can learn all these things, because I feel bad asking questions and disturbing you again and again. I want to understand what your script actually does, so below I have made comments after some lines which I cannot understand. Please correct me if I am wrong.
Code:
assert(not _wpnSymbolRegisteredCount, 'Already running') -- the 'Already running' string is not defined anywhere, so what can be asserted by this??
_wpnSymbolRegisteredCount = { count = 0, memrec = memrec } -- Is memrec limited to this script only, or is it combined with all other scripts like this? If I define another 20 symbols at another injection point with another script, then is it 20 or 40??
if not _wpnSymbolRegisteredCount or _wpnSymbolRegisteredCount.count >= 20 then -- does this mean if "_wpnSymbolRegisteredCount" does not exist or >=20??
if not weaponAddresses[name] then
  local t = { name = name, addr = wpnaddr }
  weaponAddresses[#weaponAddresses + 1] = t
  weaponAddresses[name] = t -- I cannot understand this whole table part, can you please explain what these 4 lines do. I only understand the second line, that our table contains these two columns {name, addr}
createTimer(1,function() -- does 'createTimer(1' mean this function only executes once??
if _wpnSymbolRegisteredCount then -- Does this mean if _wpnSymbolRegisteredCount exists?? Confused because there is no comparison made.
Again Thank you very much for all your help. You are really nice and helpful.

ParkourPenguin I post too much Reputation: 138
Joined: 06 Jul 2014 Posts: 4275
Posted: Tue Dec 14, 2021 12:35 pm
You should split learning this into two parts: learning the Lua language first, then learning what CE adds to Lua.
There are plenty of tutorials online you can use to learn Lua. Be careful which version of Lua you're learning: CE uses Lua 5.3. Many tutorials cover Lua 5.1 or some other version. There are important differences between versions.
The stuff CE adds to Lua is mostly documented in celua.txt in the main CE directory. Many things are also documented on the CE wiki.
"assert" is a part of Lua. The first argument is something converted to a bool. If it evaluates to false, assert generates an error with the second argument as the reason.
Lua can convert values that aren't bools into bools by checking if they aren't nil. e.g.:
Code:
if 0 then print'0 evaluates to true' end
"memrec" is a special variable defined by CE before it executes {$lua} blocks. It is the memory record that contains the script being executed.
Lua "arrays" are really just tables with integer indexes starting at 1. The common pattern "t[#t+1]" appends an object to the end of the array (# is the length operator).
Lua tables map keys to values. You can index a table with a key to access a value: i.e. "weaponAddresses[name]" indexes the table "weaponAddresses" with the key "name" to access whatever value may be stored there, if any.
The surrounding if statement checks if it already fetched this weapon address.
createTimer is a function CE adds to Lua. I'm not sure if this use is documented on the wiki, but it is documented in celua.txt:
Quote:
> createTimer(delay, function(...),...):
> Creates a timer object that waits the given delay, executes the given function, and then selfdestructs. Tip: Don't use the timer after it has ran
Basically 1 means "wait one millisecond". After one millisecond (more or less), run the function, then destroy the timer (don't run again).
It might be safe to not do this and simply deactivate the memory record right there, but I don't know if {$luacode} blocks are run in a different thread (only the main thread can access the GUI) and I don't know if it's safe to deactivate the script while the code injection is being run ({$luacode} might return to deallocated memory). The main thread runs timers, and waiting a short while will let the injection complete.
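An added example, not code from the thread or from CE, that shows in plain Lua 5.3 (runnable in any Lua interpreter) what the weaponAddresses table in the scripts above does: one table used as both an array and a map, the `t[#t+1]` append, the truthiness of `if not weaponAddresses[name]`, and a 20-entry cap with a deactivate callback standing in for `createTimer(1, function() memrec.Active = false end)`. The names recordWeapon, onWeaponHit, listWeapons, MAX_WEAPONS and the sample hits are assumptions constructed for the demo.

```lua
-- Added example, not from the thread: the weaponAddresses pattern in plain
-- Lua 5.3, no CE needed. recordWeapon, onWeaponHit, listWeapons, MAX_WEAPONS
-- and the sample hits are constructed for this demo.

local MAX_WEAPONS = 20  -- cap from the thread: stop after 20 registered weapons

-- Adds one weapon to reg, a single table used two ways:
--   reg[1], reg[2], ...   array part, in the order weapons were first seen
--   reg["Pickaxe"]        map part, the same entry looked up by name
-- Returns true if added, false if the name was already present, nil at the cap.
local function recordWeapon(reg, name, addr)
  if #reg >= MAX_WEAPONS then return nil end  -- # counts only the array part
  if reg[name] then return false end  -- a table value is truthy; nil is not
  local t = { name = name, addr = addr }
  reg[#reg + 1] = t  -- append: index one past the current length
  reg[name] = t      -- store the same table under the name key as well
  return true
end

-- What a {$luacode wpnaddr=esi} block would call once per hit. deactivate is a
-- callback so this runs outside CE; inside CE it would be
--   function() createTimer(1, function() memrec.Active = false end) end
local function onWeaponHit(reg, name, addr, deactivate)
  local added = recordWeapon(reg, name, addr)
  if added == nil then deactivate() end
  return added
end

-- Renders the array part in order; ipairs never visits the string keys,
-- so each weapon is listed exactly once.
local function listWeapons(reg)
  local lines = {}
  for i, w in ipairs(reg) do
    lines[#lines + 1] = ("%2d: %-8s addr=%08X"):format(i, w.name, w.addr)
  end
  return lines
end

-- Constructed sample hits: the injection point fires repeatedly for the same
-- weapon, so duplicates must be ignored (the third hit repeats the first).
local hits = {
  { "Pickaxe", 0x0C000010 }, { "Shotgun", 0x0C000030 }, { "Pickaxe", 0x0C000010 },
}
local weaponAddresses, stopped = {}, false
for _, h in ipairs(hits) do
  onWeaponHit(weaponAddresses, h[1], h[2], function() stopped = true end)
end
print(table.concat(listWeapons(weaponAddresses), "\n"))
print(weaponAddresses.Pickaxe == weaponAddresses[1], stopped)
```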

Dark Byte Site Admin Reputation: 457
Joined: 09 May 2003 Posts: 25262 Location: The netherlands
Posted: Tue Dec 14, 2021 1:11 pm
luacode runs in a different thread
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping

dharmang1910 Expert Cheater Reputation: 0
Joined: 09 May 2010 Posts: 102
Posted: Sun Dec 19, 2021 2:44 am
Thank you "ParkourPenguin" and "Dark Byte" for the reply. Luacode is a really nice feature added to CE, and I want to say thanks to Dark Byte and all other contributors of CE.
I have tried Lua code at another injection point, but it does not work. It does not fetch the esi register's value to define the symbol. Here is a little explanation of that injection point.
The opcode "mov [esi+10],00000000" is a shared opcode, and at the address of esi there is a pointer which contains another pointer, which points to an address which contains a string, the same as in my first post of this topic. The time address has the string "Time played" and the time is continuously increasing, but it does not register the value of ESI to the symbol. Here is my script. Am I doing something wrong, or does luacode not support it??
Code:
[ENABLE]
aobscanmodule(genadrs,TOD.exe,46 10 C7 46 10 00 00 00 00) // should be unique
alloc(newmem,$100)
label(code)
label(return)

newmem:
{$luacode genaddr=esi}
if readString(readPointer(readPointer(genaddr))) == 'Time played' then
  --local tme = genaddr
  registerSymbol(tme, genaddr, true)
end
{$asm}
code:
  mov [esi+10],00000000
  jmp return

genadrs+02:
  jmp newmem
  nop 2
return:
registersymbol(genadrs)

[DISABLE]
genadrs+02:
  db C7 46 10 00 00 00 00

unregistersymbol(genadrs)
dealloc(newmem)
The following Lua code works fine, and if I add "gen_Time played" as the address then it shows the time perfectly.
Code:
{$luacode genaddr=esi}
if readPointer(genaddr) ~= 0 and readInteger(genaddr + 0x10) == 0 then
  local gname = readString(readPointer(readPointer(genaddr)))
  local gsymbol = 'gen_'..gname
  registerSymbol(gsymbol, genaddr + 0x10, true)
end
{$asm}

ParkourPenguin I post too much Reputation: 138
Joined: 06 Jul 2014 Posts: 4275
Posted: Sun Dec 19, 2021 2:55 am
Code:
{$luacode genaddr=esi}
if readString(readPointer(readPointer(genaddr))) == 'Time played' then
  --local tme = genaddr
  registerSymbol(tme, genaddr, true)
end
{$asm}
What is "tme"? It's not defined anywhere.
The first argument to registerSymbol should be a string.

Dark Byte Site Admin Reputation: 457
Joined: 09 May 2003 Posts: 25262 Location: The netherlands
Posted: Sun Dec 19, 2021 4:25 am
You can use print/printf in luacode to print out what's happening. (print is threadsafe, but keep in mind that it's slow)

dharmang1910 Expert Cheater Reputation: 0
Joined: 09 May 2010 Posts: 102
Posted: Sun Dec 19, 2021 7:24 am
ParkourPenguin wrote:
> Code:
> {$luacode genaddr=esi}
> if readString(readPointer(readPointer(genaddr))) == 'Time played' then
>   --local tme = genaddr
>   registerSymbol(tme, genaddr, true)
> end
> {$asm}
> What is "tme"? It's not defined anywhere.
> The first argument to registerSymbol should be a string.
I have tried the above "local tme = genaddr" to put the value of ESI into the tme symbol, as in the above code, but it did not work, so I commented out that line to check whether it is disturbing registerSymbol or not. First I used time as the variable, but it shows kernalbase32.time as the address, so I changed it to "tme".
Even "local tme = readInteger(genaddr)" did not work.