Zec (Newbie cheater, Reputation: 0; Joined: 02 Jul 2016; Posts: 17)
Posted: Wed Aug 02, 2017 3:47 pm    Post subject: aobscan until aob exists, then activate table item [SOLVED]
Hi all, somehow I cannot figure out how to solve this...
I have a game (The Forest) where the opcodes I want to find only exist after the level is loaded.
A repeat ... until loop eats up CPU and freezes the trainer, so I read a lot in here, and DB always recommends using timers for this.
So I am trying to do an AOBScan in Lua that checks every 10 seconds for the AOB. If it is found, activate the table entry (ASM again with an aobscan, then code injection).
I ended up with this, but it does not work. I am able to click the AA script and it works.
This is the Lua from the table:
Code:
function onOpenProcess()
  local t1 = createTimer(nil, false)
  t1.Interval = 10000 -- check every 10 seconds
  t1.OnTimer = function(t1)
    -- "+X" added to reduce the scan time by only searching executable memory
    local STAMMSda = AOBScan("8B 40 34 3D 01 00 00 00 75", "+X")
    if STAMMSda ~= nil then
      STAMMSda.destroy() -- AOBScan returns a StringList that has to be freed
      local list = getAddressList()
      local mem = list.getMemoryRecordByDescription("get _stamms")
      if mem ~= nil then
        mem.Active = true -- the AA script does its own aobscan and injects the code
      end
      t1.Destroy() -- found once, no need to keep polling
    end
  end
  t1.Enabled = true -- here I made the mistake by using a wrong name for the timer
end
This is the AA script from the table named "get _stamms":
Code:
[ENABLE]
aobscan(STAMMS,8B 40 34 3D 01 00 00 00 75) // is unique
alloc(newmem,$1000)
globalalloc(_stamms,4) // receives the base address read from eax
label(code)
label(return)

newmem:
  mov [_stamms],eax // save the pointer base for the table
code:
  mov eax,[eax+34] // original code
  cmp eax,00000001
  jmp return

STAMMS:
  jmp newmem
  nop
  nop
  nop // jmp (5 bytes) + 3 nops = the 8 bytes overwritten
return:
registersymbol(STAMMS)

[DISABLE]
STAMMS:
  db 8B 40 34 3D 01 00 00 00 // restore the original 8 bytes
unregistersymbol(STAMMS)
dealloc(_stamms)
dealloc(newmem)
I use the variable _stamms for getting the base address of a pointer.
Where is my mistake?
Edit: Changed the code to the working one with optimizations from posts below. Thanks to all!
Last edited by Zec on Sat Aug 05, 2017 8:39 am; edited 3 times in total
ParkourPenguin (I post too much, Reputation: 140; Joined: 06 Jul 2014; Posts: 4300)
Posted: Wed Aug 02, 2017 6:32 pm
You declared the timer as t1 but tried to reference it using "timer".
Code:
local t1 = createTimer(nil, false)
...
timer.Enabled = true
I don't know where I'm going, but I'll figure it out when I get there.
Zec (Newbie cheater, Reputation: 0; Joined: 02 Jul 2016; Posts: 17)
Posted: Fri Aug 04, 2017 11:24 am
OMG, yeah, was late that day.
Thanks a lot. Now it works!
dl748 (Advanced Cheater, Reputation: 0; Joined: 05 Mar 2016; Posts: 75)
Posted: Fri Aug 04, 2017 12:03 pm
Also, it's good to limit the memory being searched. For example, if you are looking for code for an ASM script, changing
    AOBScan("8B 40 34 3D 01 00 00 00 75");
to
    AOBScan("8B 40 34 3D 01 00 00 00 75","-W-C+X");
will ONLY search executable memory instead of ALL memory. This will speed up the scan tremendously.
mgr.inz.Player (I post too much, Reputation: 218; Joined: 07 Nov 2008; Posts: 4438; Location: In the country on the Vistula. UTC+01:00)
Posted: Fri Aug 04, 2017 12:18 pm
I have seen games which had the writable and execute protection flags set together.
Here is the alternative: "*W-C+X"
dl748 (Advanced Cheater, Reputation: 0; Joined: 05 Mar 2016; Posts: 75)
Posted: Fri Aug 04, 2017 12:31 pm
It's very rare, it's slower, and you can generally limit it to things like JVM or .NET games (even then, I try not to find a pointer from generated code, as the executable will have a static pointer as well). Everything else can use copy-on-write off, write off and execute on.
mgr.inz.Player (I post too much, Reputation: 218; Joined: 07 Nov 2008; Posts: 4438; Location: In the country on the Vistula. UTC+01:00)
Posted: Fri Aug 04, 2017 12:58 pm
For example Prey from 2017 (not JVM nor .NET).
Also, aobscan from AA uses "*W*C*X".
Edit:
Just try this:
Do a "4 byte, unknown initial value" first scan with +X, -W and -C; you will get 16'630'784 results (in my case, Prey).
Now do the first scan again, this time with +X, *W and -C. There will be 17'210'368 results. The difference is only 579'584.
Using +X is strong enough, and we can use it with *W.
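The protection-flag strings compared in this exchange ("+X", "*W-C+X", "-W-C+X"), as an added example that is not code from the thread or from Cheat Engine: it decodes Win32 PAGE_* protection values into the W (writable), C (copy-on-write) and X (executable) attributes and applies a filter string with the meaning the posts use ('+' required, '-' forbidden, '*' or omitted don't care). The region list is constructed; the PAGE_* constants are the real Win32 values, and modifiers such as PAGE_GUARD are ignored.

```python
# Added example, not from the thread: Cheat Engine-style protection-flag filters
# ("+X", "-W-C+X", "*W*C+X") applied to a constructed list of memory regions,
# each described by a Win32 PAGE_* protection value as VirtualQueryEx reports it.
# '+' = attribute required, '-' = attribute forbidden, '*' (or omitted) = don't care.
import re

PAGE_NOACCESS, PAGE_READONLY, PAGE_READWRITE, PAGE_WRITECOPY = 0x01, 0x02, 0x04, 0x08
PAGE_EXECUTE, PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY = 0x10, 0x20, 0x40, 0x80

def decode(protect: int) -> dict:
    """Map a PAGE_* value onto the three attributes the scanner filters on."""
    return {
        "W": bool(protect & (PAGE_READWRITE | PAGE_WRITECOPY | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY)),
        "C": bool(protect & (PAGE_WRITECOPY | PAGE_EXECUTE_WRITECOPY)),  # copy-on-write pages
        "X": bool(protect & (PAGE_EXECUTE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY)),
    }

def parse_filter(flags: str) -> dict:
    """'-W-C+X' -> {'W': '-', 'C': '-', 'X': '+'}; anything not named defaults to '*'."""
    rule = {"W": "*", "C": "*", "X": "*"}
    for sign, attr in re.findall(r"([+*-])([WCX])", flags.upper()):
        rule[attr] = sign
    return rule

def matches(protect: int, flags: str) -> bool:
    attrs = decode(protect)
    return all(sign == "*" or attrs[a] == (sign == "+") for a, sign in parse_filter(flags).items())

# Constructed region list (base, size, protection) standing in for a VirtualQueryEx walk.
SAMPLE_REGIONS = [
    (0x00400000, 0x0001000, PAGE_READONLY),           # PE header
    (0x00401000, 0x0800000, PAGE_EXECUTE_READ),       # .text: where an AOB normally lives
    (0x00C01000, 0x0200000, PAGE_READONLY),           # .rdata
    (0x00E01000, 0x0100000, PAGE_WRITECOPY),          # .data: copy-on-write image pages
    (0x01000000, 0x1000000, PAGE_READWRITE),          # heap
    (0x10000000, 0x0100000, PAGE_EXECUTE_READWRITE),  # JIT code cache: writable AND executable
    (0x20000000, 0x0400000, PAGE_EXECUTE_WRITECOPY),  # section flagged RWX in the image (rare)
    (0x30000000, 0x0010000, PAGE_NOACCESS),           # reserved / guard
]

def scan_set(regions, flags: str):
    """(region count, total bytes) a scanner restricted by `flags` has to read."""
    hit = [(base, size) for base, size, prot in regions if matches(prot, flags)]
    return len(hit), sum(size for _, size in hit)

if __name__ == "__main__":
    for f in ("", "+X", "*W-C+X", "-W-C+X"):
        n, nbytes = scan_set(SAMPLE_REGIONS, f)
        print(f"{f or '(none)':>8}: {n} regions, {nbytes:#x} bytes")
```

On this sample "+X" already drops the scan from 8 regions to 3, while adding -W only removes the two W+X regions, which is the small difference the post measured; "+W+X" is also the filter to use when auditing a process for writable-and-executable memory.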
Zec (Newbie cheater, Reputation: 0; Joined: 02 Jul 2016; Posts: 17)
Posted: Fri Aug 04, 2017 3:34 pm
Thanks for the tips. I will try and compare. The game I make the trainer for is The Forest. I switched from pointers to this method because there are many updates (open alpha) and the pointers always break. The opcodes are more stable in this case.
dl748 (Advanced Cheater, Reputation: 0; Joined: 05 Mar 2016; Posts: 75)
Posted: Fri Aug 04, 2017 9:30 pm
mgr.inz.Player wrote:
    For example Prey from 2017 (not JVM nor .NET).
    Also, aobscan from AA uses "*W*C*X".
    Edit:
    Just try this:
    Do a "4 byte, unknown initial value" first scan with +X, -W and -C; you will get 16'630'784 results (in my case, Prey).
    Now do the first scan again, this time with +X, *W and -C. There will be 17'210'368 results. The difference is only 579'584.
    Using +X is strong enough, and we can use it with *W.
Then you must be doing something different, because all of my addresses have static placements in Prey.exe (mov eax,[Prey.exe+ADDRESSOFFSET]) and it's completely in the +X (-W-R). This is due to DEP.
EDIT: Sorry, there is a single global variable that gives me access to weapons and health (ammo, inventory, whatnot).
Zec (Newbie cheater, Reputation: 0; Joined: 02 Jul 2016; Posts: 17)
Posted: Sat Aug 05, 2017 8:32 am
The result is that using only "+X" has the best effect. This is "*W*C+X". Scan time is 50% then. Changing W and C does not have that much impact.
Is it possible to use the flags also in the table AA script?
ParkourPenguin (I post too much, Reputation: 140; Joined: 06 Jul 2014; Posts: 4300)
Posted: Sat Aug 05, 2017 9:32 am
Zec wrote:
    Is it possible to use the flags also in the table AA script?
Instead of:
Code:
aobscan(STAMMS,8B 40 34 3D 01 00 00 00 75)
...
You can write:
Code:
{$lua}
local res = assert(AOBScan('8B 40 34 3D 01 00 00 00 75','+X'), 'no results found')
local address = res[0]
res.destroy()
return string.format('define(STAMMS,%s)', address)
{$asm}
...
Or, for more control and a slightly faster scan:
Code:
{$lua}
local memscan = createMemScan(nil)
memscan.OnlyOneResult = true
memscan.firstScan(soExactValue, vtByteArray, rtRounded, '8B 40 34 3D 01 00 00 00 75', '', 0, 0x7fffffffffffffff, '+X', fsmNotAligned, '', true, true, false, false)
memscan.waitTillDone()
local addr = memscan.Result
memscan.destroy()
assert(addr, 'no results found')
return string.format('define(STAMMS,%08X)', addr)
{$asm}
...
dl748 (Advanced Cheater, Reputation: 0; Joined: 05 Mar 2016; Posts: 75)
Posted: Sat Aug 05, 2017 1:48 pm
Zec wrote:
    The result is that using only "+X" has the best effect. This is "*W*C+X". Scan time is 50% then. Changing W and C does not have that much impact.
    Is it possible to use the flags also in the table AA script?
In an AA script, if you want a more targeted, faster scan, you can also use aobscanmodule(varname, module, bytestoscan), which will only scan the bytes in the EXE or DLL you specify.
Zec (Newbie cheater, Reputation: 0; Joined: 02 Jul 2016; Posts: 17)
Posted: Thu Aug 17, 2017 12:33 pm
Yes, I know. But The Forest is very strange (or maybe I have messed up CE). The code that is executed does not belong to any module.
Others say TF is accessible via the mono menu, but when I attach CE to TF this menu does not show. So I need to go this way.