Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
 
 FAQFAQ   SearchSearch   MemberlistMemberlist   UsergroupsUsergroups   RegisterRegister 
 ProfileProfile   Log in to check your private messagesLog in to check your private messages   Log inLog in 


aobscan until aob exists, then activate table item [SOLVED]

 
Post new topic   Reply to topic    Cheat Engine Forum Index -> Cheat Engine Lua Scripting
View previous topic :: View next topic  
Author Message
Zec
How do I cheat?
Reputation: 0

Joined: 02 Jul 2016
Posts: 7

PostPosted: Wed Aug 02, 2017 3:47 pm    Post subject: aobscan until aob exists, then activate table item [SOLVED] Reply with quote

Hi all, somehow I cannot figure out how to solve this...

I have a game (The Forest) where the opcodes to find exist after the level is loaded.

repeat... until eats up CPU and freezes the trainer. So I read a lot in here and DB always recommends to use timers for this.

So I try to do an aobscan in lua to check every 10 seconds for the aob. If found, activate the table entry (ASM again with an aobscan, then code injection).

I ended up with this. But it does not work. I am able to click the AA script and it works.

This is the lua from the table
Code:
function onOpenProcess()
  local t1 = createTimer(nil, false)
  t1.Interval = 10000
  t1.OnTimer = function(t1)
    local STAMMSda = AOBScan("8B 40 34 3D 01 00 00 00 75","+X");   -- added to reduce the scan time by only searching for executable opcodes
    if STAMMSda ~= nil then
      local list = getAddressList()
      local mem = list.getMemoryRecordByDescription("get _stamms")
      mem.Active = true
      t1.Destroy()
    end
  end
  t1.Enabled = true     -- here I made the mistake by using a wrong name for the timer
end

This is the AA script from the table named "get _stamms":
Code:
[ENABLE]
aobscan(STAMMS,8B 40 34 3D 01 00 00 00 75) // is unique
alloc(newmem,$1000)
globalalloc(_stamms,4)

label(code)
label(return)

newmem:
  mov [_stamms],eax

code:
  mov eax,[eax+34]
  cmp eax,00000001
  jmp return

STAMMS:
  jmp newmem
  nop
  nop
  nop
return:
registersymbol(STAMMS)

[DISABLE]

STAMMS:
  db 8B 40 34 3D 01 00 00 00

unregistersymbol(STAMMS)
dealloc(_stamms)
dealloc(newmem)


I use the variable _stamms for getting the base address of a pointer.

Where is my mistake?

Edit: Changed the code to the working one with optimizations from posts below. Thanks to all!


Last edited by Zec on Sat Aug 05, 2017 8:39 am; edited 3 times in total
Back to top
View user's profile Send private message
ParkourPenguin
Grandmaster Cheater Supreme
Reputation: 51

Joined: 06 Jul 2014
Posts: 1744
Location: Arcadian Suburbia

PostPosted: Wed Aug 02, 2017 6:32 pm    Post subject: Reply with quote

You declared the timer as t1 but tried to reference it using "timer".
Code:
local t1 = createTimer(nil, false)
...
timer.Enabled = true

_________________
I don't know where I'm going, but I'll figure it out when I get there.
Back to top
View user's profile Send private message
Zec
How do I cheat?
Reputation: 0

Joined: 02 Jul 2016
Posts: 7

PostPosted: Fri Aug 04, 2017 11:24 am    Post subject: Reply with quote

OMG, yeah, was late that day. Very Happy

Thanks a lot. Now it works!
Back to top
View user's profile Send private message
dl748
Cheater
Reputation: 0

Joined: 05 Mar 2016
Posts: 41

PostPosted: Fri Aug 04, 2017 12:03 pm    Post subject: Reply with quote

Also, its good to limit the memory being searched. For example, if you are looking for asm script.

AOBScan("8B 40 34 3D 01 00 00 00 75");

to

AOBScan("8B 40 34 3D 01 00 00 00 75","-W-C+X");

will ONLY search executable memory instead of ALL memory. This will speed up the scan tremendously.
Back to top
View user's profile Send private message
mgr.inz.Player
I post too much
Reputation: 148

Joined: 07 Nov 2008
Posts: 4173
Location: W kraju nad Wisla. UTC+01:00

PostPosted: Fri Aug 04, 2017 12:18 pm    Post subject: Reply with quote

I saw games which had writable and execute protection flags set.
Here the alternative "*W-C+X"

_________________
Back to top
View user's profile Send private message MSN Messenger
dl748
Cheater
Reputation: 0

Joined: 05 Mar 2016
Posts: 41

PostPosted: Fri Aug 04, 2017 12:31 pm    Post subject: Reply with quote

Its very rare, its slower, and you can generally limit it to things like JVM or .NET games (even then, i try not to find a pointer from generated code as the executable will have a static pointer as well). Everything else can use copy off write off and execute on.
Back to top
View user's profile Send private message
mgr.inz.Player
I post too much
Reputation: 148

Joined: 07 Nov 2008
Posts: 4173
Location: W kraju nad Wisla. UTC+01:00

PostPosted: Fri Aug 04, 2017 12:58 pm    Post subject: Reply with quote

For example Prey from 2017 (not JVM nor .NET)
Also aobscan from AA uses "*W*C*X"


Edit:
Just try this:
do "4byte unknown initial value" first scan with +X and -W and -C, you will get 16'630'784 (in my case, Prey) results.

Now do again first scan, this time with +X and *W and -C. There will be 17'210'368 results. The difference is only 579'584

Using +X is strong enough and we can use it with *W.

_________________
Back to top
View user's profile Send private message MSN Messenger
Zec
How do I cheat?
Reputation: 0

Joined: 02 Jul 2016
Posts: 7

PostPosted: Fri Aug 04, 2017 3:34 pm    Post subject: Reply with quote

Thanks for the tipps. I will try and compare. The game I make the trainer for is The Forest. I switched from pointers to this method because there are many updates (open alpha) and the pointers always brake. The opcodes are more stable in this case.
Back to top
View user's profile Send private message
dl748
Cheater
Reputation: 0

Joined: 05 Mar 2016
Posts: 41

PostPosted: Fri Aug 04, 2017 9:30 pm    Post subject: Reply with quote

mgr.inz.Player wrote:
For example Prey from 2017 (not JVM nor .NET)
Also aobscan from AA uses "*W*C*X"


Edit:
Just try this:
do "4byte unknown initial value" first scan with +X and -W and -C, you will get 16'630'784 (in my case, Prey) results.

Now do again first scan, this time with +X and *W and -C. There will be 17'210'368 results. The difference is only 579'584

Using +X is strong enough and we can use it with *W.


Then you must be doing something different because all of my addresses have static placements in Prey.exe (mov eax,[Prey.exe+ADDRESSOFFSET]) and its completely in the +X (-W-R). This is due to DEP.

EDIT:Sorry there is a single global variable that gives me access to weapons and health (ammo, inventory, whatnot)
Back to top
View user's profile Send private message
Zec
How do I cheat?
Reputation: 0

Joined: 02 Jul 2016
Posts: 7

PostPosted: Sat Aug 05, 2017 8:32 am    Post subject: Reply with quote

Result is that using only "+X" has the best effect. This is "*W*C+X". Scan time is 50% then. Changing W and C have not that impact.

Is it possible to use the flags also in the table AA script?
Back to top
View user's profile Send private message
ParkourPenguin
Grandmaster Cheater Supreme
Reputation: 51

Joined: 06 Jul 2014
Posts: 1744
Location: Arcadian Suburbia

PostPosted: Sat Aug 05, 2017 9:32 am    Post subject: Reply with quote

Zec wrote:
Is it possible to use the flags also in the table AA script?

Instead of:
Code:
aobscan(STAMMS,8B 40 34 3D 01 00 00 00 75)
...

You can write:
Code:
{$lua}
local res = assert(AOBScan('8B 40 34 3D 01 00 00 00 75','+X'), 'no results found')
local address = res[0]
res.destroy()
return string.format('define(STAMMS,%s)', address)
{$asm}
...

Or, for more control and a slightly faster scan:
Code:
{$lua}
local memscan = createMemScan(nil)
memscan.OnlyOneResult = true
memscan.firstScan(soExactValue, vtByteArray, rtRounded, '8B 40 34 3D 01 00 00 00 75', '', 0, 0x7fffffffffffffff, '+X', fsmNotAligned, '', true, true, false, false)
memscan.waitTillDone()
local addr = memscan.Result
memscan.destroy()
assert(addr, 'no results found')
return string.format('define(STAMMS,%08X)', addr)
{$asm}
...

_________________
I don't know where I'm going, but I'll figure it out when I get there.
Back to top
View user's profile Send private message
dl748
Cheater
Reputation: 0

Joined: 05 Mar 2016
Posts: 41

PostPosted: Sat Aug 05, 2017 1:48 pm    Post subject: Reply with quote

Zec wrote:
Result is that using only "+X" has the best effect. This is "*W*C+X". Scan time is 50% then. Changing W and C have not that impact.

Is it possible to use the flags also in the table AA script?


In AA script, if you want a more targeted, faster scan you can also use aobscanmodule(varname, module, bytestoscan). Which will only scan the bytes in the EXE or DLL you specify
Back to top
View user's profile Send private message
Zec
How do I cheat?
Reputation: 0

Joined: 02 Jul 2016
Posts: 7

PostPosted: Thu Aug 17, 2017 12:33 pm    Post subject: Reply with quote

Yes, I know. But The Forest is very strange (or maybe I have messed up with CE). The code that is executed does not belong to any module.

Other say, TF is accessible via mono menu. But when I attach CE to TF this menu dies not show. So I need to go this way.
Back to top
View user's profile Send private message
Display posts from previous:   
Post new topic   Reply to topic    Cheat Engine Forum Index -> Cheat Engine Lua Scripting All times are GMT - 6 Hours
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Powered by phpBB © 2001, 2005 phpBB Group

CE Wiki   IRC (#CEF)   Twitter
Third party websites