YetAnotherAOB (YAAOB) LUA script

 
mgr.inz.Player
I post too much
Reputation: 143

Joined: 07 Nov 2008
Posts: 4073
Location: W kraju nad Wisla. UTC+01:00

Posted: Sat Dec 17, 2011 4:07 pm    Post subject: YetAnotherAOB (YAAOB) LUA script

I made a lua script tool, which is very helpful if you want to create/update/check your "aobscan AA scripts".

e.g.
Code:
label(health)
registersymbol(health)
aobscan(healthaob, FF D2 F3 0F 10 48 08)
healthaob+2:
health:
//{yourcode}
// "+2" (inside "healthaob+2:") is an adjustment (hexadecimal value)


With my script, you can search your AOBs. All matching addresses are listed with disassembled code.



Features/options:

- adjustment (see the AA script above)

- DisAssembleBytesBeforeFoundAddress - you can specify how many bytes to disassemble (before the found address)

- DisAssembleNextInstructions - you can specify how many instructions after the found address you want to show.

- OnlyTop - prevents listing more than OnlyTop addresses (if OnlyTop==0, show all)

- SkipInstructions - skip the first few instructions (because they are probably wrong) (a value from 2 to 4 is good, I think)

- "<<<<<<<<<<<<< EXACT" mark - it informs you that the address matches the "guessed" instruction address exactly
(guessing is based on the DB getInstructionSize function inside a loop)

- "<<<" mark - the found address is in the middle of an instruction (i.e. it does not match the guessed address)




As an example,
I'm searching for all addresses with this array of bytes:
F3 0F 11 8E AC 04 00 00

the adjustment is -0x12 (-18 dec)

35 bytes before, 10 instructions after, and skip the first two instructions


Here is my script output (Lua Engine window):
Quote:

SEARCHING FOR:
F30F118EAC040000

SCAN OPTIONS: -W+X-C
ADJUSTMENT: -12 (hex)

found: 3 address(es)



address no. 1: 10083511-12= 0x100834ff

100834E5 - 8D 4C 24 1C - lea ecx,[esp+1C]
100834E9 - 51 - push ecx
100834EA - 8B CD - mov ecx,ebp
100834EC - FF D2 - call edx
100834EE - F3 0F10 48 08 - movss xmm1,[eax+08]
100834F3 - 0F57 D2 - xorps xmm2,xmm2
100834F6 - 0F2E CA - ucomiss xmm1,xmm2
100834F9 - 9F - lahf
100834FA - F6 C4 44 - test ah,44
100834FD - 7B 1A - jnp 10083519
100834FF - F3 0F10 86 AC040000 - movss xmm0,[esi+000004AC] <<<<<<<<<<<<< EXACT

10083507 - 0F2F C2 - comiss xmm0,xmm2
1008350A - 73 05 - jae 10083511
1008350C - 0F2F C1 - comiss xmm0,xmm1
1008350F - 76 08 - jna 10083519
10083511 - F3 0F11 8E AC040000 - movss [esi+000004AC],xmm1
10083519 - 80 BE 9B040000 00 - cmp byte ptr [esi+0000049B],00
10083520 - 0F84 65010000 - je 1008368B
10083526 - 01 9E A0040000 - add [esi+000004A0],ebx
1008352C - 80 7C 24 12 00 - cmp byte ptr [esp+12],00
10083531 - 75 10 - jne 10083543



address no. 2: 106C3E47-12= 0x106c3e35

106C3E1D - C7 86 A4040000 0F000000 - mov [esi+000004A4],0000000F
106C3E27 - 88 5C 24 23 - mov [esp+23],bl
106C3E2B - 89 9E A0040000 - mov [esi+000004A0],ebx
106C3E31 - FF 15 80A3D710 - call dword ptr [10D7A380] <<<
106C3E37 - F3 0F10 05 E060D810 - movss xmm0,[10D860E0] <<<
106C3E3F - F3 0F10 0D 18F4D810 - movss xmm1,[10D8F418]
106C3E47 - F3 0F11 8E AC040000 - movss [esi+000004AC],xmm1
106C3E4F - F3 0F10 0D 24B8D910 - movss xmm1,[10D9B824]
106C3E57 - F3 0F11 86 A8040000 - movss [esi+000004A8],xmm0
106C3E5F - F3 0F11 8E B0040000 - movss [esi+000004B0],xmm1
106C3E67 - F3 0F10 0D 60C5DB10 - movss xmm1,[10DBC560]
106C3E6F - F3 0F11 86 BC040000 - movss [esi+000004BC],xmm0
106C3E77 - F3 0F11 86 C0040000 - movss [esi+000004C0],xmm0
106C3E7F - F3 0F10 05 246FE010 - movss xmm0,[10E06F24]
106C3E87 - F3 0F11 8E B4040000 - movss [esi+000004B4],xmm1



address no. 3: 109EAADB-12= 0x109eaac9

109EAAAA - 0F10 15 3C47F210 - movups xmm2,[10F2473C]
109EAAB1 - F3 0F10 0D 4047F210 - movss xmm1,[10F24740]
109EAAB9 - F3 0F10 05 4447F210 - movss xmm0,[10F24744]
109EAAC1 - F3 0F11 54 24 20 - movss [esp+20],xmm2
109EAAC7 - F3 0F11 4C 24 24 - movss [esp+24],xmm1 <<<
109EAACD - F3 0F11 44 24 28 - movss [esp+28],xmm0 <<<
109EAAD3 - F3 0F11 96 A8040000 - movss [esi+000004A8],xmm2
109EAADB - F3 0F11 8E AC040000 - movss [esi+000004AC],xmm1
109EAAE3 - F3 0F11 86 B0040000 - movss [esi+000004B0],xmm0
109EAAEB - 8B 74 24 1C - mov esi,[esp+1C]
109EAAEF - 03 EB - add ebp,ebx
109EAAF1 - 83 C6 04 - add esi,04
109EAAF4 - 83 FD 04 - cmp ebp,04
109EAAF7 - 89 74 24 1C - mov [esp+1C],esi
109EAAFB - 0F8C BEFEFFFF - jl 109EA9BF
109EAB01 - 8B 5C 24 14 - mov ebx,[esp+14]



Check out those addresses:
10083511, 106C3E47 and 109EAADB


Yes, there is:
movss [esi+000004AC],xmm1
(opcode F3 0F11 8E AC040000 )


Now look at:
100834FF <<<<<<<<<<<<< EXACT (it is exact with guessed address)

106C3E31 <<<
106C3E37 <<<

109EAAC7 <<<
109EAACD <<<

I was lucky: it is "address no. 1" and it has the "<<<<<<<<<<<<< EXACT" mark.

If I weren't (i.e. it were address no. 2 or higher, with only a "<<<" mark), the array of bytes and/or the adjustment would have to be changed.



Btw, you can also use this script this way:
- you created a cheat table for your game, for example the RETAIL version, with simple and clean cheats and without aobscan

- you want to make a cheat table for the STEAM version too, and you have a cheat-engine-noob friend who has the STEAM version

- copy the opcodes from the original instruction (where you made a hackpoint) (or copy an array of bytes near the original instruction and calculate an adjustment)

- update the variables inside the "settings" section (of my LUA code) (you can change OnlyTop = 20 to something else, e.g. OnlyTop = 200)

- send your updated LUA file to your friend

Then, ask him to:
- launch the game, then launch CE

- attach CE to the game process

- press CTRL+ALT+L, then File -> Open Lua file, then EXECUTE SCRIPT

- the Lua Engine window will pop up

- now just right click, select all, right click, copy

Now he can send you feedback (from the clipboard)


For now, it is only a beta version
(I'm cleaning up my code, so be patient. I'm planning to add a GUI, saving output to a file, etc.)

(IF YOU DON'T SEE ATTACHMENT, Press and Hold Ctrl-F5 or Press and Hold Ctrl-(while Clicking Refresh in the TOOLBAR) )

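The EXACT / <<< distinction above is the check that makes a byte-pattern hit trustworthy: a pattern can match across an instruction boundary, so the adjusted address only means something if an instruction-boundary walk actually lands on it. The Cheat Engine Lua script below is an added example, not the YAAOB script attached to this thread, showing one way to derive those marks. It assumes the CE 6.3+ Lua API names AOBScan (returning a StringList with .Count and [i], or nil), getInstructionSize and disassemble; the protection-flag string "-W+X-C" is copied from the SCAN OPTIONS line of the output quoted above. The walk takes the instruction-size function as a parameter, so outside CE the script instead runs a self-check using instruction sizes read off the listings quoted in this post.

```lua
-- Added example (not the thread's YAAOB script). Assumed CE 6.3+ Lua API:
-- AOBScan(aob, protectionflags) -> StringList (.Count, [i]) or nil,
-- getInstructionSize(addr) -> byte length, disassemble(addr) -> "addr - bytes - opcode".

-- Walk instruction boundaries from `start`, skipping the first `skip` instructions
-- (the earliest ones are likely mis-decoded because `start` may itself be
-- mid-instruction), and keep listing until `after` instructions past `target`
-- have been emitted. sizeOf(addr) returns the instruction length (nil/0 = stop).
-- Each row is {addr=, size=, mark=} with mark "EXACT", "<<<" or "".
function walkBoundaries(start, target, sizeOf, skip, after)
  local rows, addr, index = {}, start, 0
  local remaining = nil      -- rows still to emit once the walk has passed target
  local markNext = false     -- the instruction after a mid-instruction hit also gets <<<
  while remaining == nil or remaining > 0 do
    local size = sizeOf(addr)
    if size == nil or size < 1 then break end
    local mark = ""
    if addr == target then
      mark = "EXACT"                      -- a boundary coincides with the adjusted address
    elseif markNext then
      mark = "<<<"; markNext = false
    elseif addr < target and target < addr + size then
      mark = "<<<"; markNext = true       -- adjusted address falls inside this instruction
    end
    if index >= skip then
      rows[#rows + 1] = {addr = addr, size = size, mark = mark}
      if remaining ~= nil then remaining = remaining - 1 end
    end
    if remaining == nil and addr + size > target then remaining = after end
    index = index + 1
    addr = addr + size
  end
  return rows
end

-- Inside Cheat Engine: scan, apply the adjustment and print the annotated listing
-- to the Lua Engine window in the same layout as the output quoted in this post.
function yaaobReport(aob, adjustment, bytesBefore, skip, after, onlyTop)
  local found = AOBScan(aob, "-W+X-C")   -- flags taken from the SCAN OPTIONS line above
  if found == nil then print("found: 0 address(es)") return end
  local total = found.Count
  print(string.format("found: %d address(es)\n", total))
  local limit = (onlyTop == 0) and total or math.min(onlyTop, total)
  for i = 0, limit - 1 do
    local hit = tonumber(found[i], 16)
    local target = hit + adjustment
    local sign = adjustment < 0 and "-" or "+"
    print(string.format("address no. %d: %X%s%X= 0x%x", i + 1, hit, sign, math.abs(adjustment), target))
    for _, row in ipairs(walkBoundaries(target - bytesBefore, target, getInstructionSize, skip, after)) do
      local suffix = ""
      if row.mark == "EXACT" then suffix = " <<<<<<<<<<<<< EXACT"
      elseif row.mark == "<<<" then suffix = " <<<" end
      print(disassemble(row.addr) .. suffix)
    end
    print("")
  end
  found.destroy()
end

if AOBScan then
  -- the settings used in this post: AOB, adjustment -0x12, 35 bytes before, skip 2, 10 after
  yaaobReport("F3 0F 11 8E AC 04 00 00", -0x12, 35, 2, 10, 20)
else
  -- Outside CE there is no disassembler: feed the walk instruction sizes read off
  -- the listings quoted above (address no. 1 and no. 2) and check the marks it derives.
  local sizes = {
    [0x100834E5]=4, [0x100834E9]=1, [0x100834EA]=2, [0x100834EC]=2, [0x100834EE]=5,
    [0x100834F3]=3, [0x100834F6]=3, [0x100834F9]=1, [0x100834FA]=3, [0x100834FD]=2,
    [0x100834FF]=8, [0x10083507]=3, [0x1008350A]=2, [0x1008350C]=3, [0x1008350F]=2,
    [0x10083511]=8,
    [0x106C3E1D]=10, [0x106C3E27]=4, [0x106C3E2B]=6, [0x106C3E31]=6, [0x106C3E37]=8,
    [0x106C3E3F]=8, [0x106C3E47]=8,
  }
  local sizeOf = function(a) return sizes[a] end
  local marks = {}
  for _, r in ipairs(walkBoundaries(0x100834E5, 0x10083511 - 0x12, sizeOf, 0, 1)) do
    marks[r.addr] = r.mark
  end
  assert(marks[0x100834FF] == "EXACT" and marks[0x100834FD] == "")   -- address no. 1: exact hit
  marks = {}
  for _, r in ipairs(walkBoundaries(0x106C3E1D, 0x106C3E47 - 0x12, sizeOf, 0, 2)) do
    marks[r.addr] = r.mark
  end
  assert(marks[0x106C3E31] == "<<<" and marks[0x106C3E37] == "<<<" and marks[0x106C3E3F] == "")
  print("boundary walk self-check passed")
end
```

Loaded from the Lua Engine window (CTRL+ALT+L, then EXECUTE SCRIPT) it prints the same kind of listing as above; run under a plain Lua interpreter it only exercises the boundary walk. Taking the size function as a parameter is what makes the marking logic testable without a target process, and it is also where you would plug in a different disassembler if one ever disagrees with CE's instruction lengths.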
hstpctech
How do I cheat?
Reputation: 0

Joined: 12 Feb 2013
Posts: 3

Posted: Thu Feb 14, 2013 7:15 am    Post subject: Re: YetAnotherAOB (YAAOB) LUA script

hi,

thanks, your script has proven very useful. Would you mind modifying it into a function I can pass a string of bytes to?

cheers,
mgr.inz.Player
I post too much
Reputation: 143

Joined: 07 Nov 2008
Posts: 4073
Location: W kraju nad Wisla. UTC+01:00

Posted: Thu Feb 14, 2013 9:25 am

I'm waiting for CheatEngine version 6.3

Then I'll look into this.

hstpctech
How do I cheat?
Reputation: 0

Joined: 12 Feb 2013
Posts: 3

Posted: Thu Feb 14, 2013 12:22 pm

mgr.inz.Player wrote:
I'm waiting for CheatEngine version 6.3

Then I'll look into this.

Sounds good; I look forward to it.
Alice0725
Expert Cheater
Reputation: 10

Joined: 24 Jul 2012
Posts: 146

Posted: Fri Feb 15, 2013 10:11 am

It is very nice that aob supports calculation.

But I've tested the latest CE in svn, and it looks like it will take more time to finish the search than the previous version.

EX.

Code:

[ENABLE]
{
  --Dead Space 3 Plus 5 Trainer
  --by Alice0725, Jan 4, 2013
}
aobscan(aobHealth,D8 99 F8 00 00 00 DF E0 F6 C4 01 75 05 F6 C2 01 74 03 33 C0)
aobscan(aobStasis,D9 81 00 01 00 00 D8 B1 04 01 00 00 D9 5D F4 D9 45 F4 D8 D1)
aobscan(aobBullet,8B 91 90 02 00 00 3B 90 58 01 00 00 8B 89 00 03 00 00 0F 93)
aobscan(aobOxygen,D8 65 F8 D9 5E 60 D8 5E 60 53 DF E0 F6 C4 41 0F 85 9D 00 00)
aobscan(aobRes,89 4D F0 85 C9 0F 84 ** ** ** ** 8B 57 6C 8B B1 74 01 00 00 52)

label(locHealth)
label(locStasis)
label(locBullet)
label(locOxygen)
label(locRes)
registersymbol(locRes)
registersymbol(locHealth)
registersymbol(locBullet)
registersymbol(locStasis)
registersymbol(locOxygen)

aobHealth:
locHealth:

aobBullet:
locBullet:

aobStasis:
locStasis:

aobOxygen:
locOxygen:

aobRes:
locRes:

[DISABLE]
unregistersymbol(locHealth)
unregistersymbol(locBullet)
unregistersymbol(locStasis)
unregistersymbol(locOxygen)
unregistersymbol(locRes)
hstpctech
How do I cheat?
Reputation: 0

Joined: 12 Feb 2013
Posts: 3

Posted: Fri Feb 15, 2013 10:23 am

Hi Alice,

would you help me explain why in MAA every character's record starts with exactly the same pointer?