mgr.inz.Player (I post too much) Reputation: 218 Joined: 07 Nov 2008 Posts: 4438 Location: In the country on the Vistula. UTC+01:00
Posted: Sat Dec 17, 2011 4:07 pm Post subject: YetAnotherAOB (YAAOB) LUA script
I made a Lua script tool, which is very helpful if you want to create/update/check your "aobscan AA scripts".
e.g.
Code:
label(health)
registersymbol(health)
aobscan(healthaob, FF D2 F3 0F 10 48 08)
healthaob+2:
health:
//{yourcode}
// "+2" (inside "healthaob+2:") is an adjustment (hexadecimal value)
With my script, you can search for your AOBs. All matching addresses are listed with disassembled code.
Features/options:
- adjustment (see the AA script above)
- DisAssembleBytesBeforeFoundAddress - you can specify how many bytes to disassemble (before the found address)
- DisAssembleNextInstructions - you can specify how many instructions after the found address you want to show up.
- OnlyTop - to prevent listing more than OnlyTop addresses (if OnlyTop==0, show all)
- SkipInstructions - skip the first few instructions (because they are probably wrong) (a value from 2 to 4 is good, I think)
- "<<<<<<<<<<<<< EXACT" mark - it informs you that the address is exactly equal to the "guessed" instruction address.
(guessing is based on the DB getInstructionSize function inside a loop)
- "<<<" mark - the found address is in the middle of an instruction (i.e. not exactly equal to the guessed address)
As an example:
I'm searching for all addresses with this array of bytes:
F3 0F 11 8E AC 04 00 00
the adjustment is -0x12 (-18 dec)
35 bytes before, 10 instructions after, and skip the first two instructions
Here is my script output (Lua Engine window):
Quote:
SEARCHING FOR:
F30F118EAC040000
SCAN OPTIONS: -W+X-C
ADJUSTMENT: -12 (hex)
found: 3 address(es)
address no. 1: 10083511-12= 0x100834ff
100834E5 - 8D 4C 24 1C - lea ecx,[esp+1C]
100834E9 - 51 - push ecx
100834EA - 8B CD - mov ecx,ebp
100834EC - FF D2 - call edx
100834EE - F3 0F10 48 08 - movss xmm1,[eax+08]
100834F3 - 0F57 D2 - xorps xmm2,xmm2
100834F6 - 0F2E CA - ucomiss xmm1,xmm2
100834F9 - 9F - lahf
100834FA - F6 C4 44 - test ah,44
100834FD - 7B 1A - jnp 10083519
100834FF - F3 0F10 86 AC040000 - movss xmm0,[esi+000004AC] <<<<<<<<<<<<< EXACT
10083507 - 0F2F C2 - comiss xmm0,xmm2
1008350A - 73 05 - jae 10083511
1008350C - 0F2F C1 - comiss xmm0,xmm1
1008350F - 76 08 - jna 10083519
10083511 - F3 0F11 8E AC040000 - movss [esi+000004AC],xmm1
10083519 - 80 BE 9B040000 00 - cmp byte ptr [esi+0000049B],00
10083520 - 0F84 65010000 - je 1008368B
10083526 - 01 9E A0040000 - add [esi+000004A0],ebx
1008352C - 80 7C 24 12 00 - cmp byte ptr [esp+12],00
10083531 - 75 10 - jne 10083543
address no. 2: 106C3E47-12= 0x106c3e35
106C3E1D - C7 86 A4040000 0F000000 - mov [esi+000004A4],0000000F
106C3E27 - 88 5C 24 23 - mov [esp+23],bl
106C3E2B - 89 9E A0040000 - mov [esi+000004A0],ebx
106C3E31 - FF 15 80A3D710 - call dword ptr [10D7A380] <<<
106C3E37 - F3 0F10 05 E060D810 - movss xmm0,[10D860E0] <<<
106C3E3F - F3 0F10 0D 18F4D810 - movss xmm1,[10D8F418]
106C3E47 - F3 0F11 8E AC040000 - movss [esi+000004AC],xmm1
106C3E4F - F3 0F10 0D 24B8D910 - movss xmm1,[10D9B824]
106C3E57 - F3 0F11 86 A8040000 - movss [esi+000004A8],xmm0
106C3E5F - F3 0F11 8E B0040000 - movss [esi+000004B0],xmm1
106C3E67 - F3 0F10 0D 60C5DB10 - movss xmm1,[10DBC560]
106C3E6F - F3 0F11 86 BC040000 - movss [esi+000004BC],xmm0
106C3E77 - F3 0F11 86 C0040000 - movss [esi+000004C0],xmm0
106C3E7F - F3 0F10 05 246FE010 - movss xmm0,[10E06F24]
106C3E87 - F3 0F11 8E B4040000 - movss [esi+000004B4],xmm1
address no. 3: 109EAADB-12= 0x109eaac9
109EAAAA - 0F10 15 3C47F210 - movups xmm2,[10F2473C]
109EAAB1 - F3 0F10 0D 4047F210 - movss xmm1,[10F24740]
109EAAB9 - F3 0F10 05 4447F210 - movss xmm0,[10F24744]
109EAAC1 - F3 0F11 54 24 20 - movss [esp+20],xmm2
109EAAC7 - F3 0F11 4C 24 24 - movss [esp+24],xmm1 <<<
109EAACD - F3 0F11 44 24 28 - movss [esp+28],xmm0 <<<
109EAAD3 - F3 0F11 96 A8040000 - movss [esi+000004A8],xmm2
109EAADB - F3 0F11 8E AC040000 - movss [esi+000004AC],xmm1
109EAAE3 - F3 0F11 86 B0040000 - movss [esi+000004B0],xmm0
109EAAEB - 8B 74 24 1C - mov esi,[esp+1C]
109EAAEF - 03 EB - add ebp,ebx
109EAAF1 - 83 C6 04 - add esi,04
109EAAF4 - 83 FD 04 - cmp ebp,04
109EAAF7 - 89 74 24 1C - mov [esp+1C],esi
109EAAFB - 0F8C BEFEFFFF - jl 109EA9BF
109EAB01 - 8B 5C 24 14 - mov ebx,[esp+14]
Check out those addresses:
10083511, 106C3E47 and 109EAADB
Yes, there it is:
movss [esi+000004AC],xmm1
(opcode F3 0F11 8E AC040000)
Now look at:
100834FF <<<<<<<<<<<<< EXACT (it is exactly equal to the guessed address)
106C3E31 <<<
106C3E37 <<<
109EAAC7 <<<
109EAACD <<<
I was lucky: it is "address no. 1" and it has the "<<<<<<<<<<<<< EXACT" mark.
If I wasn't (it is address no. 2 or higher, with only the "<<<" mark), the array of bytes and/or the adjustment must be changed.
Btw, you can also use this script this way:
- you created a cheat table for your game, for example the RETAIL version, simple and clean cheats and without aobscan
- you want to make a cheat table for the STEAM version too, and you have a cheatengine-noob friend who has the STEAM version
- copy the opcodes from the original instruction (where you made a hackpoint) (or copy an array of bytes near the original instruction and calculate an adjustment)
- update the variables inside the "settings" section (my LUA code) (you can change OnlyTop = 20 to something else, e.g. OnlyTop = 200)
- send your updated LUA file to your friend
Then, ask him to:
- launch the game, then launch CE
- attach CE to the game process
- CTRL+ALT+L, then file->open Lua file. EXECUTE SCRIPT
- the Lua Engine window will pop up.
- now just right click, select all, right click, copy.
Now he can send you feedback (from the clipboard)
For now, it is only a beta version
(I'm cleaning my code, so be patient. I'm planning to add a GUI, saving output to a file, etc.)
(If you don't see the attachment, press and hold Ctrl-F5, or press and hold Ctrl while clicking Refresh in the toolbar.)
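The scan-and-check logic the post describes (find every match of the AOB, apply the signed adjustment, disassemble from N bytes before the adjusted address, and decide between the "EXACT" and "<<<" verdicts) written out as an added Python example. This is not the author's Lua script and not Cheat Engine code. The memory buffer is constructed from the instruction bytes shown in the post's listing for "address no. 1" and "address no. 2", padded with NOPs; the instruction-length decoder is a toy that only covers the opcodes present in that buffer and stands in for CE's getInstructionSize, so for anything real you would plug in a full disassembler. The names aob_scan, check_match and report are mine.

```python
"""AOB scan with adjustment and an instruction-boundary check (hypothetical example)."""

# One-byte opcodes the toy length decoder knows: opcode -> (has ModRM byte, immediate size)
ONE_BYTE = {
    0x01: (True, 0),   # add r/m32, r32
    0x51: (False, 0),  # push ecx
    0x80: (True, 1),   # grp1 r/m8, imm8 (cmp byte ptr [...], imm8)
    0x88: (True, 0),   # mov r/m8, r8
    0x89: (True, 0),   # mov r/m32, r32
    0x8B: (True, 0),   # mov r32, r/m32
    0x8D: (True, 0),   # lea r32, m
    0x90: (False, 0),  # nop (used as padding in the constructed buffer)
    0x9F: (False, 0),  # lahf
    0xC7: (True, 4),   # mov r/m32, imm32
    0xFF: (True, 0),   # grp5: call/jmp/push r/m32
}
TWO_BYTE_MODRM = {0x10, 0x11, 0x2E, 0x2F, 0x57}  # 0F xx: movss, ucomiss, comiss, xorps


def modrm_len(buf, i):
    """Bytes taken by the ModRM at buf[i] plus its SIB byte and displacement (32-bit addressing)."""
    mod, rm = buf[i] >> 6, buf[i] & 7
    if mod == 3:                       # register operand, no memory reference
        return 1
    n = 1
    if rm == 4:                        # SIB byte follows
        n += 1
        if mod == 0 and buf[i + 1] & 7 == 5:
            n += 4                     # [index*scale + disp32] without a base register
    if mod == 0 and rm == 5:
        n += 4                         # [disp32]
    elif mod == 1:
        n += 1                         # [base + disp8]
    elif mod == 2:
        n += 4                         # [base + disp32]
    return n


def insn_size(buf, i):
    """Length of the instruction at buf[i]; unknown bytes decode as a 1-byte 'db', like a disassembler."""
    try:
        n = 1 if buf[i] == 0xF3 else 0   # scalar-SSE (REP) prefix
        op = buf[i + n]
        n += 1
        if op == 0x0F:
            op2 = buf[i + n]
            n += 1
            if 0x80 <= op2 <= 0x8F:      # jcc rel32
                return n + 4
            return n + modrm_len(buf, i + n) if op2 in TWO_BYTE_MODRM else 1
        if 0x70 <= op <= 0x7F:           # jcc rel8
            return n + 1
        if op == 0xF6:                   # grp3 r/m8: only /0 and /1 (test) carry an imm8
            reg = (buf[i + n] >> 3) & 7
            return n + modrm_len(buf, i + n) + (1 if reg in (0, 1) else 0)
        if op in ONE_BYTE:
            has_modrm, imm = ONE_BYTE[op]
            return n + (modrm_len(buf, i + n) if has_modrm else 0) + imm
        return 1
    except IndexError:                   # ran off the end of the buffer
        return 1


def parse_aob(pattern):
    """'F3 0F 11 ?? AC 04 00 00' -> list of ints, None for a wildcard byte."""
    return [None if tok in ("??", "*", "**") else int(tok, 16) for tok in pattern.split()]


def aob_scan(buf, pattern):
    """Offsets of every match of the (wildcard-aware) pattern; unlike aobscan it lists all hits."""
    pat = parse_aob(pattern)
    return [i for i in range(len(buf) - len(pat) + 1)
            if all(p is None or buf[i + k] == p for k, p in enumerate(pat))]


def check_match(buf, found, adjustment, bytes_before=35, insns_after=10, skip=0):
    """Walk instructions from (found+adjustment-bytes_before) and report whether the target starts one.

    Returns target, exact (bool), containing (start of the instruction holding target) and listing,
    a list of (offset, size) pairs with the first `skip` entries dropped: the walk begins mid-stream,
    so the first few decodes are probably wrong, exactly why the post has SkipInstructions."""
    target = found + adjustment
    pos = max(0, target - bytes_before)
    listing, containing, after = [], None, 0
    while pos < len(buf) and after < insns_after:
        size = insn_size(buf, pos)
        listing.append((pos, size))
        if pos <= target < pos + size:
            containing = pos
        if pos > target:
            after += 1
        pos += size
    return {"target": target, "exact": containing == target,
            "containing": containing, "listing": listing[skip:]}


def report(buf, pattern, adjustment, **opts):
    """Print a listing in the style of the post's output and return the per-match results."""
    results = []
    for n, found in enumerate(aob_scan(buf, pattern), 1):
        r = check_match(buf, found, adjustment, **opts)
        print(f"address no. {n}: {found:08X}{adjustment:+X}= 0x{r['target']:08x}")
        for off, size in r["listing"]:
            mark = " <<<<<<<<<<<<< EXACT" if r["exact"] and off == r["target"] else ""
            if not r["exact"] and off == r["containing"]:
                mark = " <<<"
            print(f"{off:08X} - {buf[off:off + size].hex(' ').upper()}{mark}")
        results.append(r)
    return results


# Constructed sample "memory": the instruction bytes from the post's listing for addresses 1 and 2.
BLOCK1 = bytes.fromhex("8D4C241C" "51" "8BCD" "FFD2" "F30F104808" "0F57D2" "0F2ECA" "9F" "F6C444" "7B1A"
                       "F30F1086AC040000" "0F2FC2" "7305" "0F2FC1" "7608" "F30F118EAC040000"
                       "80BE9B04000000" "0F8465010000" "019EA0040000" "807C241200" "7510")
BLOCK2 = bytes.fromhex("C786A40400000F000000" "885C2423" "899EA0040000" "FF1580A3D710"
                       "F30F1005E060D810" "F30F100D18F4D810" "F30F118EAC040000")
MEMORY = b"\x90" * 8 + BLOCK1 + BLOCK2
PATTERN = "F3 0F 11 8E AC 04 00 00"
ADJUSTMENT = -0x12

if __name__ == "__main__":
    report(MEMORY, PATTERN, ADJUSTMENT, bytes_before=35, insns_after=10, skip=2)
```

Run as-is, the first match (offset 52, the movss [esi+4AC],xmm1 from address no. 1) has its adjusted address 0x22 fall exactly on the movss xmm0 instruction and gets the EXACT mark, while the second match (offset 128, address no. 2) adjusts to 0x6E, which is the fifth byte of the call dword ptr [...] and so only earns "<<<": the same two outcomes the post shows. Because the walk for the second match starts inside the add [esi+4A0],ebx, the toy decoder emits a few 1-byte junk entries before resynchronising, which is the behaviour SkipInstructions exists to hide.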