Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
AOB Scan help :/
muGaen
Newbie cheater
Reputation: 0

Joined: 10 Jan 2018
Posts: 17

Posted: Wed Jan 10, 2018 6:59 am    Post subject: AOB Scan help :/

Hello everyone,
I've got a question regarding the aobscan(label, Pattern)

I was always wondering, if I can make my own pointers, by using aobscan() with individual patterns wherever found.
However, I was unable to do that so far, because the scan returns another address than I expect..

Although my pattern is found only once in memory, if I use it in an auto assembler aobscan() script, I get an address where I cannot find any data related to what I find if I manually do an array of byte search..

The real pattern can usually be found between 17000000 and 1BFFFFFF, whereas the aobscan() within the auto assembler returns some address near 056*****

does anyone have a clue, what's going on there?
Is it even possible to achieve what I'm trying to?
or are those aobscans working with base structure addresses only?


That's my auto assembler script:

Code:

[ENABLE]

aobscan(mleBase,6D 6C 65 05 00 00 00 E0 10 B6 D1 41 00 00 C8 42 00 00 C8 42 00 00 00 00 00 00 C8 42 00 00 C8 42 * * * * * * * * 61 67 73 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 A0 41 00 00 A0 41 * * * * * * * * 72 67 64 06 00 00 00 E0 10 B6 D1 41 00 00 C8 42 00 00 C8 42 00 00 00 00 00 00 C8 42 00 00 C8 42 * * * * * * * * 69 69 65 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 A0 41)
label(mBase)
registersymbol(mBase)

mleBase:
mBase:


[DISABLE]


unregistersymbol(mBase)


I'd be grateful for any kind of hint I might get.

thanks in advance.
mugaen
FreeER
Master Cheater
Reputation: 17

Joined: 09 Aug 2013
Posts: 461

Posted: Wed Jan 10, 2018 7:10 am

Pretty sure that the AA aobscan scans all memory regardless of whether it's writable, executable, or copyOnWrite, so make sure your manual scan matches those settings and that it's still unique. If it's in a module you can use aobscanmodule to scan just that module, otherwise there is aobscanregion but note that it could be loaded in different places for other people.

Also, if there's no offset you don't need a second label; you can just use

aobscan(labelname, ...)
registerSymbol(labelname)

(plus the AA framework+unregister of course)
muGaen
Newbie cheater
Reputation: 0

Joined: 10 Jan 2018
Posts: 17

Posted: Wed Jan 10, 2018 7:20 am

Hmm.. Are these the right settings?

I still get just that one result.

Thank you, .. well, I want to see how that script behaves if it finds the address, so I could use other labels as well.. I'd like to use it for an address in the middle of that structure later



[Attachment: sd.PNG]


FreeER
Master Cheater
Reputation: 17

Joined: 09 Aug 2013
Posts: 461

Posted: Wed Jan 10, 2018 7:23 am

That is correct. Hm, the only other thing I can think of right now is that the CE GUI (at least) doesn't scan some types of memory by default, based on Edit->Settings->Scan Settings.



edit: If that's still not it you might check what address it's finding and compare that to the memory regions window (in memory viewer: tools->memory regions) and see which it's in and what attributes it has that might be excluding it from the regular scans....
muGaen
Newbie cheater
Reputation: 0

Joined: 10 Jan 2018
Posts: 17

Posted: Wed Jan 10, 2018 7:45 am

It says "read", if I check the regions.
If I check the bytes at the address found, they're completely different..

Code:
31 00 2D 00 30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 65 01 00 32 00 00 00 77 00 69 00 6E 00 64 00 6F 00 77 00 73 00 2E 00 75 00 69 00 2E 00 78 00 61 00 6D 00 6C 00 2E 00 70 00 68 00 6F 00 6E 00 65 00 2E 00 64 00 6C 00 6C 00 00 00 65 00 78 00 74 00 2D 00 6D 00 73 00 2D 00 77 00 69 00 6E 00 2D 00 78 00 61 00 6D 00 6C 00 2D 00 70 00 61 00 6C 00 2D 00 6C 00 31 00


compared to what I search for

Code:
6D 6C 65 05 00 00 00 E0 10 B6 D1 41 00 00 C8 42 00 00 C8 42 00 00 00 00 00 00 C8 42 00 00 C8 42 * * * * * * * * 61 67 73 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 A0 41 00 00 A0 41 * * * * * * * * 72 67 64 06 00 00 00 E0 10 B6 D1 41 00 00 C8 42 00 00 C8 42 00 00 00 00 00 00 C8 42 00 00 C8 42 * * * * * * * * 69 69 65 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 A0 41



.. Does that mean that I can actually use the first byte found in an array of bytes as an address with my own offsets pointing to the values I want?
I mean.. using the aobscan() within the Auto Assembler..?


Last edited by muGaen on Wed Jan 10, 2018 7:50 am; edited 1 time in total
FreeER
Master Cheater
Reputation: 17

Joined: 09 Aug 2013
Posts: 461

Posted: Wed Jan 10, 2018 7:49 am

Huh, outside my knowledge then I'm afraid. You'll need to wait on someone like Dark Byte who understands more.
muGaen
Newbie cheater
Reputation: 0

Joined: 10 Jan 2018
Posts: 17

Posted: Wed Jan 10, 2018 7:56 am

Maybe I've found a bad example to try the aobscan on..
I just figured that out a few hours ago..
I used to work with pointerscans until I'd eventually end up standing against a wall.

Thank you for your help nonetheless. Those were good hints I can now consider in the future!

I hope we're gonna be able to solve this here though.
I'm going to wait for others' advice then too.
OldCheatEngineUser
Whateven rank
Reputation: 6

Joined: 01 Feb 2016
Posts: 752

Posted: Wed Jan 10, 2018 7:57 am

I haven't read everything here, but I want to make sure you have the "show symbols" and "show module addresses" options enabled.

And if it's a mono game, enable mono features, then hook your desired instructions.

I barely find games that don't have module addresses, where it makes me so bored when finding a unique pattern.

I'm not quite sure if the game uses copy-on-write, but whatever it is (your current case), it should not be that complex.

_________________
About Me;
I Use CE Since Version 1.X, And Still Learning How To Use It Well!
patched cheat engine tutorials
muGaen
Newbie cheater
Reputation: 0

Joined: 10 Jan 2018
Posts: 17

Posted: Wed Jan 10, 2018 8:09 am

"show symbols" and "show module addresses" have been enabled by default, but how do I enable mono features?

the problem I'm struggling with is that I haven't been able to find a single pointer for that specific code block, that lasted longer than a game restart (I could find other everlasting pointers though).

Are there any options for the aobscan? something like search until you find the 2nd approach of a code (in case it's not individual?)

thanks for your help
TheyCallMeTim13
Wiki Contributor
Reputation: 6

Joined: 24 Feb 2017
Posts: 170
Location: Right Here Buddy.

Posted: Wed Jan 10, 2018 8:12 am

You could use the Lua AOB scan function, it returns a list and allows you to set protection flags for the scan.
_________________
A: What manner of man are you that can summon up fire without flint or tinder?
T: I... am an enchanter.
OldCheatEngineUser
Whateven rank
Reputation: 6

Joined: 01 Feb 2016
Posts: 752

Posted: Wed Jan 10, 2018 8:21 am

If it's a mono game, then a "mono" word will appear here (after attaching to the process):

CE main window panel:

file - edit - table - d3d - ??? - help

??? = mono (if it's a mono game), otherwise not.

_________________
About Me;
I Use CE Since Version 1.X, And Still Learning How To Use It Well!
patched cheat engine tutorials
muGaen
Newbie cheater
Reputation: 0

Joined: 10 Jan 2018
Posts: 17

Posted: Wed Jan 10, 2018 8:28 am

I'm going to try and figure that lua script aob scan out. So I might find some kinda workaround solution for the problem I'm having.

It would be nice to have all the approaches listed, if not individual.
But I guess I've got a bit to do, to dig into this.

Thank you Tim!

OldCEUser: No, there's not even a placeholder between d3d and help.
TheyCallMeTim13
Wiki Contributor
Reputation: 6

Joined: 24 Feb 2017
Posts: 170
Location: Right Here Buddy.

Posted: Wed Jan 10, 2018 8:42 am

Here is a snippet of code from one of my Lua plugins to help get you started.
Code:

local AOBSignaturePrivileges = nil -- e.g. '+X-C-W' (executable, not copy-on-write, not writable); nil = scan everything
-- ...
      -- AOBScan returns a StringList of matching addresses, or nil if nothing matched
      if AOBSignaturePrivileges then
         result = AOBScan(strSignature, AOBSignaturePrivileges)
      else
         result = AOBScan(strSignature)
      end
      if result ~= nil then
         count = result.Count -- number of matches; 1 means the signature is unique
         result.destroy()     -- free the StringList once it has been read
      end
-- ...

_________________
A: What manner of man are you that can summon up fire without flint or tinder?
T: I... am an enchanter.
FreeER
Master Cheater
Reputation: 17

Joined: 09 Aug 2013
Posts: 461

Posted: Wed Jan 10, 2018 9:49 am

Lua AOBScan is pretty simple

from celua.txt in install directory
Code:
AOBScan("aobstring", protectionflags OPTIONAL, alignmenttype OPTIONAL, alignmentparam HALFOPTIONAL):
protectionflags is a string.
  X=Executable W=Writable memory C=Copy On Write. Add a + to indicate that flag MUST be set and a - to indicate that that flag MUST NOT be set. (* sets it to don't care)
  Examples:
    +W-C = Writable memory excluding copy on write and doesn't care about the Executable flag
    +X-C-W = Find readonly executable memory
    +W = Finds all writable memory and don't care about copy on write or execute
    "" = Find everything (is the same as "*X*C*W" )

alignmenttype is an integer:
  0=No alignment check
  1=Address must be dividable by alignmentparam
  2=Address must end with alignmentparam
alignmentparam is a string which either holds the value the addresses must be dividable by or what the last digits of the address must be



so in an AA script you could do (example based on step 2 of the tutorial)

Code:
[ENABLE]
{$lua}
-- if just editing the script don't run the rest of this lua code
-- should practically return the same type of result as if it did run
-- for error checking purposes
if syntaxcheck then
  return ('define(INJECT,%s)'):format(0)
end

local results = AOBScan('8B 83 80', '-W+X') -- unique AOBScan('8B 83 80 04 00 00')
assert(results, 'aobscan failed') -- will prevent script from enabling if not found

-- do stuff to select address from results
local debug = true
if debug then
  -- print all found addresses
  print('found results', results.Count)
  for i=0,results.Count-1 do
    print(results[i])
  end
end

-- just picking the first right now lol, it works for me
local addr = results[0]
results.destroy() -- free memory used for addresses

-- returned string will be treated as AA code in place of {$lua} {asm} section
return ('define(INJECT,%s)'):format(addr)
{$asm}
registersymbol(INJECT) // doesn't seem to have a problem with registering a define statement :)

// code to do stuff here


[DISABLE]
unregistersymbol(INJECT)

Of course there are several variations of code that'd get similar results, but I think this one shows more of the Lua features than most others, primarily the assert stopping the script from disabling, and the return result being treated as AA code. Though you can also return anything that's invalid AA code.

If you wanted you could even create a function in a lua file and put it in your autorun directory of CE's install so that you can call it without writing it out in the tablefiles, but then you'd have to include it with each of your tables if you shared them and explain how to use it, alternatively you can put it in the table's lua script but then people get a prompt about running the lua code if it's not signed (or users have set CE to always prompt).

http://forum.cheatengine.org/viewtopic.php?p=5734504#5734504 shows (afaik) how you should be able to use a memscan to limit the range of the scan as well... but I had issues with actually getting it to return results lol
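To make concrete both the byte-by-byte pattern comparison muGaen posted earlier and the celua.txt protection-flag rules quoted above, here is an added Python model of AOBScan (not Cheat Engine's code and not anyone's post in this thread): it parses CE's `*`/`??` wildcard pattern syntax, applies a '+X-C-W' style flag filter to constructed memory regions, and returns every match address, which shows why a scan over all memory can report a copy of the pattern in a read-only region that a flag-restricted scan skips. The region layout and attributes, and the `find_unique` helper, are assumptions made for the illustration.

```python
import re
# Added model of Cheat Engine's AOBScan (not CE code): wildcard matcher + '+X-C-W' flag filter.

def parse_pattern(aob):
    """'E0 10 * ?? 42' -> [0xE0, 0x10, None, None, 0x42]; None is a wildcard byte."""
    out = []
    for tok in aob.split():
        if tok in ("*", "?", "??"):
            out.append(None)
        elif re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
            out.append(int(tok, 16))
        else:
            raise ValueError("bad AOB token %r" % tok)
    return out

def parse_flags(flags):
    """'+W-C' -> {'W': True, 'C': False}; '*' or unmentioned flags are don't-care."""
    return {f: s == "+" for s, f in re.findall(r"([+\-*])([XWC])", flags.upper()) if s != "*"}

def aob_scan(aob, regions, flags=""):
    """All addresses where the pattern matches, like the list the Lua AOBScan returns.
    A region is a dict: base (int), data (bytes), attrs ({'X','W','C'} -> bool)."""
    pat, want, hits = parse_pattern(aob), parse_flags(flags), []
    for r in regions:
        if any(r["attrs"].get(f, False) != v for f, v in want.items()):
            continue  # region excluded by the protection flags
        d = r["data"]
        for off in range(len(d) - len(pat) + 1):
            if all(p is None or p == d[off + i] for i, p in enumerate(pat)):
                hits.append(r["base"] + off)
    return hits

def find_unique(aob, regions, flags=""):
    """The single match, or None (treat None as 'do not enable the script')."""
    hits = aob_scan(aob, regions, flags)
    return hits[0] if len(hits) == 1 else None

# Constructed sample regions (assumption): the same 12 bytes (prefix of the thread's pattern)
# sit in a writable region near 0x17000000 and in a read-only region near 0x056xxxxx.
HIT = bytes.fromhex("6D6C6505000000E010B6D141")
PATTERN = "6D 6C 65 05 * * * E0 10 B6 D1 41"
REGIONS = [
    {"base": 0x17000000, "data": b"\0" * 16 + HIT + b"\0" * 16,
     "attrs": {"X": False, "W": True, "C": False}},
    {"base": 0x05600000, "data": b"\x31\x00\x2D\x00" + HIT,
     "attrs": {"X": False, "W": False, "C": False}},
]
ALL_HITS = aob_scan(PATTERN, REGIONS)            # '' = scan everything: both copies
WRITABLE_HITS = aob_scan(PATTERN, REGIONS, "+W")  # writable memory only: one copy
```

With an empty flag string the scan reports both copies, so a uniqueness check fails; restricting to writable memory leaves one result, which is what a manual scan with "writable" ticked would also show.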
muGaen
Newbie cheater
Reputation: 0

Joined: 10 Jan 2018
Posts: 17

Posted: Wed Jan 10, 2018 10:05 am

Thank you very much.

Well, I was trying a few things out, and found out that there must be another problem.
Even if I had that working lua script right now, I doubt that it'd work.

I tried adding a few bytes at the beginning of my byte array. After adding four new values at the beginning, the first matching address would be higher than where I have to look (4D******)

.. So I suppose I should look for another solution


Edit: it reminds me of some pointer behavior.. as if I'd find a pointer pointing at the address where the aob scan had a match.. is that possible?