BanCheese (Cheater)
Posted: Thu Jul 07, 2016 12:37 am, subject: Weird aobscan behavior
I'm using the following code to get the address of a singleton object:
Code:
define(cplayer_vftable, C8 9D 45 42 01 00 00 00)
[ENABLE]
alloc(cplayer, 8)
registersymbol(cplayer)
aobscan(tmp, cplayer_vftable)
cplayer:
dq tmp
[DISABLE]
unregistersymbol(cplayer)
dealloc(cplayer)
Unfortunately, [cplayer] always contains the same address: 1B29A1A08, and [1B29A1A08] is never equal to 142459DC8. Instead, it holds 0EB21ACF0E9E1AC4. I'm not sure why this is happening, and any help would be greatly appreciated.
_________________
A guy who likes memory hacking.

Cake-san (Grandmaster Cheater)
Posted: Thu Jul 07, 2016 2:02 am
Use readmem instead, e.g.:
Code:
[ENABLE]
aobscan(aob_game,48 8B 04 25 * * * * 0F B6 80 B1 00 00 00)
alloc(_game,4)
_game:
readmem(aob_game+4,4)
registersymbol(_game)
[DISABLE]
dealloc(_game)
unregistersymbol(_game)
BanCheese (Cheater)
Posted: Thu Jul 07, 2016 6:21 pm
Sorry if I'm misinterpreting what you said here, but I'm not quite sure I follow; I'm not trying to read memory at all -- I just want to save the address of the CPlayer block for other scripts to use.
Zanzer (I post too much)
Posted: Thu Jul 07, 2016 6:37 pm
Now anyone can use the found "cplayer" address... if that's what you intended.
Code:
define(cplayer_vftable, C8 9D 45 42 01 00 00 00)
[ENABLE]
aobscan(cplayer, cplayer_vftable)
registersymbol(cplayer)
[DISABLE]
unregistersymbol(cplayer)
BanCheese (Cheater)
Posted: Thu Jul 07, 2016 6:39 pm
That's what I had originally, but I changed it to the code in my post after I started experiencing the bug I described above.
Zanzer (I post too much)
Posted: Thu Jul 07, 2016 6:44 pm
Don't use "[cplayer]"
Use "cplayer"
???
BanCheese (Cheater)
Posted: Thu Jul 07, 2016 6:46 pm
(Sorry if I was unclear previously.)
I tried the code in your post again, but cplayer now holds 1B29A1A08 (as [cplayer] and tmp did with the code in my post.)
Zanzer (I post too much)
Posted: Thu Jul 07, 2016 6:49 pm
Why don't you explain what that AOB is to you.
Then explain how you're trying to use it within your table.
What address and value are you expecting it to be?
What address and value is it coming out as?
ParkourPenguin (I post too much)
Posted: Thu Jul 07, 2016 6:55 pm
Perhaps the value at the address it found is changing, but that shouldn't be the case for a vtable. Are you sure that AoB signature is unique? Scan through all memory (not just writable).
Open the Lua script window and execute this code:
Code:
local res = AOBScan("C8 9D 45 42 01 00 00 00")
if not res then
  print("AoB not found.")
  return
end
print("Count: ", res.Count)
for i=0, res.Count-1 do
  print(string.format(" Address: %s\tValue: %X", res[i], readQword(res[i])))
end
res.destroy()
_________________
I don't know where I'm going, but I'll figure it out when I get there.

BanCheese (Cheater)
Posted: Thu Jul 07, 2016 6:59 pm
I've used AoB a lot before, so I think I'm remembering correctly, but just to be clear:
AoB searches through memory for the bytes in the second parameter, at which point it saves the address at which the bytes were found in the symbol that is the first parameter.
I'm using it to find the CPlayer singleton in memory, which always contains a pointer to its vftable (the bytes I specified in aobscan.) I wish to store this address, either in a symbol directly (as in your code) or at a location that a symbol points to (as in my code.)
In your code, I would expect cplayer to hold 92654C400, which is the sole address returned by doing a manual scan with "Value Type: Array of Byte."
Unfortunately, after running your code, cplayer holds 1B29A1A08. [1B29A1A08] is not C8 9D 45 42 01 00 00 00 (i.e. what I searched for.)
Thanks for the help.
ParkourPenguin, I just saw your post as I previewed mine. After running your code, this is printed:
Code:
Count: 1
 Address: 92654C400	Value: 142459DC8
That address is the same as the one I found when doing my manual scan, and is what I want to store in cplayer (or at [cplayer].)
Zanzer (I post too much)
Posted: Thu Jul 07, 2016 7:05 pm
Add a new memory record to your table. Just a normal one, not a pointer.
Set the address equal to "cplayer". Do not use the brackets.
Is this the address you think you should have?
BanCheese (Cheater)

Zanzer (I post too much)
Posted: Thu Jul 07, 2016 7:17 pm
Don't use that define statement, plug the AOB in directly.
BanCheese (Cheater)
Posted: Thu Jul 07, 2016 7:20 pm
That fixed it! Thanks!
Was that a bug, or was I doing something wrong?
Zanzer (I post too much)
Posted: Thu Jul 07, 2016 7:25 pm
CE resolves the "aobscan" lines before the "define" lines.
So it was converting "cplayer_vftable" into something and managed to find that address instead.
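The two checks this thread ends up needing, uniqueness of the AoB and the bytes at the hit really being the pattern, combined into one Cheat Engine Lua script that only registers the symbol when both hold. This is an added example, not code from any poster; it assumes CE's Lua API (AOBScan, readBytes, registerSymbol) and a pattern without wildcards.

```lua
-- Added example (not from the thread). Uses the vftable bytes from the original
-- post; assumes a literal pattern (no "*" / "??" wildcards) and CE's Lua API.
local CPLAYER_VFTABLE = "C8 9D 45 42 01 00 00 00"

-- Turn "C8 9D ..." into a table of numbers so the hit can be compared byte by byte.
local function patternBytes(aob)
  local t = {}
  for hex in aob:gmatch("%x%x") do t[#t + 1] = tonumber(hex, 16) end
  return t
end

-- Returns the address string of the single hit, or nil plus a reason.
local function findUniqueAddress(aob)
  local res = AOBScan(aob)
  if not res then return nil, "AoB not found" end
  local count = res.Count
  local addrStr = (count == 1) and res[0] or nil
  res.destroy()
  if count ~= 1 then
    return nil, ("AoB not unique: %d hits"):format(count)
  end
  -- Read the bytes back at the hit: this is the "address found but the value
  -- there is not what I searched for" symptom reported in the thread.
  local want = patternBytes(aob)
  local got = readBytes(tonumber(addrStr, 16), #want, true)
  if not got then return nil, "cannot read bytes at " .. addrStr end
  for i = 1, #want do
    if got[i] ~= want[i] then
      return nil, ("byte %d differs at %s"):format(i, addrStr)
    end
  end
  return addrStr
end

local addr, err = findUniqueAddress(CPLAYER_VFTABLE)
if addr then
  -- Other scripts then reference "cplayer" directly, not "[cplayer]".
  registerSymbol("cplayer", tonumber(addr, 16))
  print("cplayer = " .. addr)
else
  print("not registering cplayer: " .. err)
end
```

Because the bytes are passed as a literal string, the define-before-aobscan ordering problem from the thread cannot occur here.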