-- Author: Csimbi
-- Source: https://forum.cheatengine.org/viewtopic.php?p=5782638#5782638
-- Usage:
-- - Copy this LUA file into CE's autorun folder
-- - Put a line with the LuaCall right under your first AOB scan with your second scan.
--   The first symbol must be an AOB scan result, addressing the instruction from which the next scan's start address is derived.
--   The second symbol will be registered only when it was successfully found.
--   The plain version scans all memory, but I doubt this is what most people will want, hence the _N version.
--   The _N version allows you to limit the AOB scan to a certain number of bytes.
--   You really should be using the _N version because you already know what you are looking for, and where :D
--
-- The script can pick up addresses from instructions like these:
-- jmp 0C
-- je FFFFFFF4
-- jne 7FFF12345678
-- call 12345678
-- call 7FFF12345678
-- call [7FFF12345678]
--
--- AA example:
-- [ENABLE]
-- aobscan(myFirstAOBScan,72 ?? 67 ?? 61 6D ??)
-- LuaCall(do_AOB_scan_at_derived_address('mySecondAOBScan',[=[myFirstAOBScan]=],"80 68 ?? AB F4 6A ?? 72"))
--
-- Alternatively, if you want to limit the search window to 255 bytes (0xFF) - which you really should:
-- LuaCall(do_AOB_scan_at_derived_address_N('mySecondAOBScan',[=[myFirstAOBScan]=],'0xFF',"80 68 ?? AB F4 6A ?? 72"))
--
-- Notes:
-- - Your initial AOB scan may be of any type of AOB scan; the subsequent scan (LuaCall) will continue from the 'address' derived from the instruction.
-- - The 'mySecondAOBScan' will be registered for you; remember to unregister it when you no longer need it.
-- - You can use 'myFirstAOBScan' instead of 'mySecondAOBScan', too; but then you lose the previous scan's address (which is okay if you don't need it).
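-- Derive the runtime address referenced by the instruction at a registered
-- symbol: the target of `jmp`/`je`/`jne`/`call <imm>`, or, for the
-- memory-indirect form `call [addr]`, the pointer currently stored at `addr`.
--
-- registered_instruction: a symbol name (e.g. an aobscan result) or address
--   text accepted by getAddressSafe.
-- Returns the derived address as an upper-case hex string without "0x"
-- (e.g. "7FFF12345678"), or nil when it cannot be derived: unresolved
-- symbol, one-byte instruction, empty disassembly, a bare mnemonic with no
-- operand, a non-hex bracket operand, or an unreadable pointer.
function derive_real_address_from_registered_instruction(registered_instruction)
  local iAddress, sInstruction, sOpcode, sOperand, sDerivedAddress, iAddr, iPtr

  -- The author treats this literal as "no address"; kept as-is (its origin
  -- is not documented in this file).
  if registered_instruction == ' 00000000' then return nil end

  iAddress = getAddressSafe(registered_instruction)
  if iAddress == nil then return nil end
  -- A one-byte instruction cannot carry an address operand.
  if getInstructionSize(iAddress) < 2 then return nil end

  sInstruction = disassemble(iAddress)
  if sInstruction == nil or sInstruction == "" then return nil end

  -- splitDisassembledString yields extra-field, opcode, bytes, address; only
  -- the opcode text (mnemonic plus operands) is used here.
  local _, sOpcodeRaw = splitDisassembledString(sInstruction)
  if sOpcodeRaw == nil then return nil end
  sOpcode = sOpcodeRaw:gsub("^%s*(.-)%s*$", "%1") -- trim surrounding whitespace
  if sOpcode == "" then return nil end

  -- The operand is the last whitespace-separated word ("call 12345678" ->
  -- "12345678"). A bare mnemonic has no operand; bail out instead of
  -- indexing nil below.
  sOperand = string.match(sOpcode, "%s(%S+)$")
  if sOperand == nil then return nil end

  if sOperand:find("%[") then
    -- Memory-indirect form "[addr]": strip the brackets, then read the
    -- pointer stored at that address.
    sDerivedAddress = sOperand:sub(2, -2)
    iAddr = tonumber(sDerivedAddress, 16)
    if iAddr == nil then return nil end -- operand was not a plain hex address
    iPtr = readPointer(iAddr)
    if iPtr == nil then return nil end -- unreadable memory
    return string.format("%X", iPtr)
  end

  -- Direct form: the operand text already is the target address.
  return sOperand
end

-- Shared tail of both scan entry points: run an aobscanregion for `pattern`
-- from `sStart` to `sEnd` (auto-assembler address expressions, as text) and
-- register the hit as `symbol`. `sEndText` is how the upper bound is shown in
-- the failure message. On failure the symbol is unregistered, a diagnostic is
-- printed and error() is raised so the calling [ENABLE] section aborts.
--
-- NOTE: symbol, sStart, sEnd and pattern are spliced verbatim into an
-- auto-assembler script. They come from the calling cheat table (the user's
-- own script), so a malformed value surfaces as an autoAssemble failure here.
local function run_aobscan_region_and_register(symbol, sStart, sEnd, sEndText, pattern)
  local script = 'aobscanregion(' .. symbol .. ',' .. sStart .. ',' .. sEnd .. ',' .. pattern .. ')\r\n'
    .. 'registersymbol(' .. symbol .. ')'
  local success = autoAssemble(script)
  if not success then
    unregisterSymbol(symbol)
    print('AOB result was not found for ' .. symbol .. ' using signature: \r\n' .. pattern
      .. '\r\nbetween ' .. sStart .. ' and ' .. sEndText .. '.')
    error()
  end
end

-- Scan all memory from the address derived from `registered_instruction` up
-- to 0x7fffffffffffffff for `pattern`, registering the hit as `symbol`.
-- Prints a message and returns (no error) when no address can be derived;
-- raises error() when the pattern is not found.
function do_AOB_scan_at_derived_address(symbol, registered_instruction, pattern)
  local sDerivedAddress = derive_real_address_from_registered_instruction(registered_instruction)
  if sDerivedAddress == nil then
    print('Could not derive address from instruction at address.')
    return
  end
  run_aobscan_region_and_register(symbol, sDerivedAddress,
    '7fffffffffffffff', '0x7fffffffffffffff', pattern)
end

-- Same as do_AOB_scan_at_derived_address, but the scan window is limited to
-- `limit` bytes (an auto-assembler numeric expression such as '0xFF' or 255)
-- starting at the derived address. An empty or missing limit is reported and
-- the scan is skipped rather than being passed on as a dangling "+".
function do_AOB_scan_at_derived_address_N(symbol, registered_instruction, limit, pattern)
  if limit == nil or limit == "" then
    print('No scan window (limit) given for ' .. symbol .. '; skipping scan.')
    return
  end
  local sDerivedAddress = derive_real_address_from_registered_instruction(registered_instruction)
  if sDerivedAddress == nil then
    print('Could not derive address from instruction at address.')
    return
  end
  local sEnd = sDerivedAddress .. '+' .. limit
  run_aobscan_region_and_register(symbol, sDerivedAddress, sEnd, sEnd, pattern)
end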