Cheat Engine

[paul44]

images here: [ https://ibb.co/album/YPKfdh ]

When i perform a manual scan - either AOB or 8-byte - to find the static value,
it returns that value within 5~7 secs. However, using a [memscan], it takes easily up to 30 secs ?!
=> i have never performed an 8-byte memscan this way before; only module_opcode scans. So surely, some parameter has to be altered here ?!
(btw: this is a data_scan, so must parcour "full memory")

ps1: in the lua opcode, the 2nd 'getStaticAddress' performs the 8-byte scan (initially did an aob)
ps2: i will not swear on it, but i believe the 1st aob_scan (also data scan) performed equally faster then its memscan
ps3: I tested with aob_scan first, but considering it being so slow then tried to use the 'vtQword' "variant"...

[ParkourPenguin]

Lua aobscan / memscan both use the same CE code the "manual" scan uses. It's not that aobscan / memscan take several times longer- it's your code that's taking several times longer. It's hard to say what exactly it is about your code that makes it take that long if you don't show all of it.

`getStaticAddr` function:

• Don't pass `nil` for `input2` or `alignmentparam` parameters- use the empty string instead
  
• You're scanning through unaligned memory. 8-byte values should be aligned to an 8-byte boundary, but CE assumes a 4-byte alignment by default (main window, memory scan options, fast scan)
  
• `scan.Result` is only valid if you called `setOnlyOneResult(true)`
  
• You're calling `getOnlyResult()` but don't do anything with the return value
  
• Where is `nScanResult` defined? If that's a global, don't use globals like this, it just leads to unreadable and unmaintainable code
  
• Why does the function `getStaticAddr` even exist in the first place? It just looks like a wrapper around `createMemScan` with an abstruse interface

AA script:

• There's a {$lua} tag in the enable section but no {$asm} tag before the disable section. That is weird if not an error
  
• You're executing that code in the syntax check stage- need `if syntaxcheck then return end`
  
• Where does `aResult` come from? Is that another global that gets set by `getStaticAddr`? Again, stop that
  
• `addrStr = '0000' .. string.format('%X0',string.format('%.0f',aResultList[i]/0x10))` - This converts the integer `aResultList[i]` to a double by division (possibly with loss of precision), formats it to a string truncating it in the process, converts that string to an integer, then converts that integer back to a string but now in hexadecimal and an extra 0 at the end. That's completely unnecessary. There are bitwise operations you can use: `addrStr = ('%X'):format(aResultList[i] & 0xFFFFFFFFFFFFFF00)`. Hard to say exactly what's correct since you didn't show all of your code (no clue what aResultList[i] is)
  
• I don't know what you're trying to do with `sTmp`, but it's never used anywhere important

There's probably more if you show the rest of the `getStaticAddr` function.

[paul44]

^if you don(t mind, I'd like to concentrate first on why that time_difference between manual vs memscan.
(and yes, this is my wrapper version for my AOBscans ~ 99.5% of the cases just a "one_result" aob scan)

=> image: see here [ https://freeimage.host/i/ce-getoffsetlocationstatic-21.dck2A57 ]

Based on my interpretation of 'celua', your feedback and (plenty of) CEF posts, I assume this is the "correct" way to define/set an 8-byte memscan().
However, while time has improved - about 15 secs now - it is still quite different then the 4~5 secs when scanning manually ?!

So: what needs to be finetuned still ?

________
ps: i've done combos, changing several params with the same result.
('8' to '4', start/end_range omitting, and such...)

ps2: the address "conversion" trick I got initially from #Stackoverflow, but it was not working for me. and I wound up doing this...
Your formatting is new to me - will check - but then realised one can do (asm-like) shr/shl using them '>>' (if i recall well)
~> will need to verify/test that...

[Dark Byte]

use IsUnique instead of OnlyOneResult as OnlyOneResult will find the lowest address with the given result, using only one single thread (as other threads could find result before the first one), while IsUnique will terminate the scan as soon as a result is found, no matter which thread gets it first

[paul44]

@Dark Byte: that's it... case closed. in fact, it seems to be even a bit faster then its manual "counterpart"; or that could just be wishfull thinking...
[code]
local scan = createMemScan(false)
scan.IsUnique = true
--scan.setOnlyOneResult(true)
[/code]

@ParkourPenguin: as promised:
`getStaticAddr` function:
* Don't pass `nil` for `input2` or `alignmentparam` parameters- use the empty string instead: you are correct, and done accordingly
(i'm pretty sure having taken this from CEF_examples in the past ~ i'm talking +3 yrs back here)
* You're scanning through unaligned memory. 8-byte values should be aligned to an 8-byte boundary, but CE assumes a 4-byte alignment by default (main window, memory scan options, fast scan): blame that on my lack of experience/insight. as stated earlier, only/primarily use this function to collect aob_sigs in order to collect static addresses (in 95+% of cases)
* `scan.Result` is only valid if you called `setOnlyOneResult(true)': correct and intentional. the "options" to collect/work with multiple results - aResult[] - is part of my current research...
* You're calling `getOnlyResult()` but don't do anything with the return value: see prev remark
* Where is `nScanResult` defined? If that's a global, don't use globals like this, it just leads to unreadable and unmaintainable code: see prev remark
* Why does the function `getStaticAddr` exist in the first place? It just looks like a wrapper: that's exactly it, and - no offense - but not "just" ! Pretty much all of my tables execute (lua) memscans at some point/level; it seems only logical - natural if you wll - to write up a function to parametrize most of them actions to get/collect the result...
And btw: back then i've looked at several/similar wrappers - plenty of them around - but eventually decided to write up my own for one major reason: I do not like using 'wildcards' (!) in my aob_signatures (as these tend to "break quicker" - if that is the right expression after updates/patches). Practically: I use an signature in proximity - without wildcards - and obtain the actual opcode_address by adding/substracting an offset_value)

* There's a {$lua} tag in the enable section but no {$asm} tag before the disable section: my mistake. if you'll find that in my tables, it is indeed an oversight on my end
* You're executing that code in the syntax check stage- need `if syntaxcheck then return end`: don't like to use that as it "hides" possible errors (what else can i say )
* Where does `aResult` come from? Is that another global that gets set by `getStaticAddr`? Again, stop that: see remarks above. And i am inclined to follow you in avoiding global vars, but sometimes it makes it a lot easier for me to handle/tackle things. Keep in mind that i'm not a programmer ! (VS what ?)
* `addrStr = '0000' ....: the scan returns an address with (eg) ''02121B3E000C", and it always needs to be rounded to the lower digit. as mentioned earlier, the suggestion @stackoverflow did not work on my end, so came up with this initially. your format_expression is new to me, but will also try that bitwise expression (as i've done that in the - not so near - past)
* what you're trying to do with `sTmp': it's actually a small "function" which reverses - in this case - the hex_address per 2 digits... so i could use it as input for my memscan (was kinda hoping that this would solve my delay_problem)

Bottomline: do not "worry" about my 'getStaticAddress' function. It might not be perfect - what is - but i'm using it for quite some years now and it works - in my book - great

-EDIT-
@ParkourPenguin: you are correct about the AND operation; just tested.

and it goes without saying: thx to you both for assisting.