Der5t Newbie cheater
Reputation: 0
Joined: 10 Mar 2014 Posts: 14
Posted: Tue Aug 02, 2016 12:47 am Post subject: Using Lua to find what address is accessed by an instruction
So I have an instruction which reads some addresses. I need the addresses that are accessed by the instruction, as they point to some data I want to use in a Lua script. Is it possible to get those addresses using Lua? If so, then how?
The addresses I need are highlighted in the screenshot.
predprey Master Cheater
Reputation: 24
Joined: 08 Oct 2015 Posts: 486
Posted: Tue Aug 02, 2016 1:27 am Post subject:
ASM part: hook the instruction, cmp if the value at the address is 0 to sort out the highlighted address, store the addresses at a symbol address.
Lua part: use getAddress() to get the address of the symbol, then readInteger() to get the stored addresses.
Der5t Newbie cheater
Reputation: 0
Joined: 10 Mar 2014 Posts: 14
Posted: Tue Aug 02, 2016 2:45 am Post subject:
predprey wrote:
asm part: hook the instruction, cmp if the value at address is 0.
Umm.. can you explain in more detail? I don't really understand.
predprey Master Cheater
Reputation: 24
Joined: 08 Oct 2015 Posts: 486
Posted: Tue Aug 02, 2016 2:56 am Post subject:
Der5t wrote:
predprey wrote: asm part: hook the instruction, cmp if the value at address is 0.
Umm.. can you explain in more detail? I don't really understand.
Do you know how to write autoassembler scripts for CE?
Der5t Newbie cheater
Reputation: 0
Joined: 10 Mar 2014 Posts: 14
Posted: Tue Aug 02, 2016 3:13 am Post subject:
predprey wrote:
do you know how to write autoassembler scripts for CE?
yes.. ?
predprey Master Cheater
Reputation: 24
Joined: 08 Oct 2015 Posts: 486
Posted: Tue Aug 02, 2016 3:28 am Post subject:
Der5t wrote:
predprey wrote: do you know how to write autoassembler scripts for CE?
yes.. ?
There are two scripts you need, an autoassembler script and your Lua script. You need to write an AA script that stores the addresses the instruction accesses, then use Lua to read the stored addresses. For Lua to know where the stored addresses are, you use registersymbol() in your AA script to denote them as symbols which can be used by getAddress() in Lua.
e.g.
alloc(stored_address,4)
registersymbol(stored_address)
cmp checks to store only the highlighted addresses. Check if the value == 0.
mov [stored_address],register with address
Then in Lua:
local stored = getAddress("stored_address") would give you the address of "stored_address". Then readInteger(stored) would give you the stored addresses.
Der5t Newbie cheater
Reputation: 0
Joined: 10 Mar 2014 Posts: 14
Posted: Tue Aug 02, 2016 4:04 am Post subject:
predprey wrote:
there are two scripts .... stored addresses.
If I use code injection it will be like this.
Code:
alloc(newmem,300) //300 bytes is probably more than enough
label(returnhere)
label(originalcode)
label(restore)
globalalloc(AddressIwant,4) // 4 bytes to store the address.
newmem:
push eax
cmp [ebx+40],0 //If value of an address is zero
je restore //Skip storing, but still restore EAX before running the original code
mov eax,[ebx+40] //Copy address that I want to EAX register
mov [AddressIwant],eax
restore:
pop eax
originalcode:
cmp [ebx+40],0 //Yes this was the original code.
jne ...
exit:
jmp returnhere
CodeInjectionLocationAddress:
jmp newmem
returnhere:
This will work if the address I wanted was just 1. But if there were multiple addresses with a non-zero value, then 'AddressIwant' will keep changing and will cause problems. After modifying this a little maybe I can get around two addresses which won't change (by checking if the allocated memory location already has an address in it).
But the thing is.. the original code (cmp [ebx+40],0) accesses more than 2 addresses which point to some location. I mean in the screenshot I had attached earlier, there were only two addresses at that moment which the instruction accessed. BUT that instruction accesses around 100 (valid) pointers which point to the base of NPCs in the game.
So to me using an assembly script seems almost impossible!
So what I am asking is - how do I get all the valid pointers (around 100) which are accessed by an instruction and store them in something like a table/array in Lua?
EDIT: I'm using this as a shortcut to getting all enemy addresses for coding an aimbot.
predprey Master Cheater
Reputation: 24
Joined: 08 Oct 2015 Posts: 486
Posted: Tue Aug 02, 2016 4:35 am Post subject:
What I would do is set up an array with AA, not forgetting a counter for the array size. Then code a function to parse the array for existing addresses, and call this function to determine whether to write an address into the array.
Then with Lua, copy the array into a table with the array size provided.
alloc(arr_size,4)
alloc(arr,$1000)
alloc(parseArray,$1000)
parseArray:
pushad
mov ebx,[arr_size]
xor ecx,ecx //loop counter
@@:
cmp [arr+ecx*4],eax //eax still holds stored address
je @f
add ecx,1
cmp ecx,ebx
jb @b
@@:
popad
ret
newmem:
...
...
mov eax,[eax+40]
call parseArray
je originalcode
push ebx
mov ebx,[arr_size]
add ebx,1
mov [arr_size],ebx
mov [arr+ebx*4],eax
originalcode:
...
...
Der5t Newbie cheater
Reputation: 0
Joined: 10 Mar 2014 Posts: 14
Posted: Tue Aug 02, 2016 8:31 am Post subject:
It would be very nice if someone commented that code to help me understand what exactly is happening (I'm not that good at ASM).
Also, what is that '@@' and jumping to '@b' / '@f'?
EDIT: Is it supposed to be like this?
Code:
alloc(arr_size,4)
alloc(arr,$1000)
alloc(parseArray,$1000)
parseArray:
pushad
mov ebx,[arr_size]
mov ecx,0
xor ecx,ecx //loop counter
@b:
cmp [arr+ecx*4],eax //eax still holds stored address
je @f
add ecx,1
cmp ecx,ebx
jb @b
@f:
popad
ret
I am very confused with what is happening in the whole code.
cooleko Grandmaster Cheater
Reputation: 11
Joined: 04 May 2016 Posts: 717
Posted: Tue Aug 02, 2016 11:28 am Post subject:
You can also do it all in LUA:
http://wiki.cheatengine.org/index.php?title=Lua_Debugging
You seem versed enough to make the necessary modification to either store the values in a table or at a pre-established symbol. (Table if it could be 0-100 nonzero values, memory if it will always be 2 values)
predprey wrote:
Code:
alloc(arr_size,4) //reserves memory for the size of the array
alloc(arr,$1000) //reserves lots of memory for the array
alloc(parseArray,$1000)
parseArray:
pushad
mov ebx,[arr_size]
xor ecx,ecx //zeros out the counter
@@: //generic label
cmp [arr+ecx*4],eax //searching the array one slot at a time to see if eax exists
je @f //if eax exists, we don't want to do something to the array, jump forward to first symbol
add ecx,1 //increment the counter so the compare is on next slot
cmp ecx,ebx //check if array bounds exceeded
jb @b //if not exceeded jump back to the above generic label
@@: //new generic label
popad
ret
newmem:
...
...
mov eax,[eax+40] //stores value into placeholder for the array
call parseArray //runs the above code,
je originalcode //runs the original code
push ebx
mov ebx,[arr_size]
add ebx,1
mov [arr_size],ebx //increments the size of the array
mov [arr+ebx*4],eax //Store new address at the end of the array
originalcode:
...
...
Overall, I think that script forgot to set a value if eax already existed in the array to prevent it from being written twice.
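To see why that matters, here is an added Python model of the posted parseArray/insert sequence (example code, not from anyone in the thread). It tracks the x86 zero flag the way the loop's two cmp instructions leave it, which shows that `je originalcode` after `call parseArray` cannot tell "found" from "not found", and contrasts an insert that returns an explicit result and writes at index size before incrementing. The address values are constructed.

```python
# Added example (not code from the thread): a Python model of the posted
# parseArray/insert logic. It tracks the x86 zero flag (ZF) the way the loop's
# two cmp instructions leave it, to show why `je originalcode` after
# `call parseArray` cannot distinguish "found" from "not found".

ARR_CAPACITY = 0x1000 // 4   # alloc(arr,$1000) gives 1024 dword slots

def parse_array_zf(arr, arr_size, eax):
    """Return ZF as left by the posted parseArray (popad does not touch flags)."""
    ecx = 0                             # xor ecx,ecx
    while True:
        zf = arr[ecx] == eax            # cmp [arr+ecx*4],eax
        if zf:                          # je @f: exit with ZF=1 (found)
            return zf
        ecx += 1                        # add ecx,1
        zf = ecx == arr_size            # cmp ecx,ebx sets ZF when ecx == size
        if not ecx < arr_size:          # jb @b not taken: fall through to popad/ret
            return zf                   # ZF=1 whenever size >= 1, so "not found" looks found

def posted_insert(arr, arr_size, eax):
    """The posted newmem tail: je originalcode, then size+=1, write [arr+size*4]."""
    if parse_array_zf(arr, arr_size, eax):
        return arr_size                 # je originalcode taken: nothing stored
    arr_size += 1                       # add ebx,1 / mov [arr_size],ebx
    arr[arr_size] = eax                 # writes at index size, so arr[0] stays unused
    return arr_size

def fixed_insert(arr, arr_size, eax):
    """Corrected logic: explicit membership result; write at index size, then increment."""
    if eax in arr[:arr_size]:           # search only the slots that hold data
        return arr_size
    arr[arr_size] = eax                 # first free slot is index size
    return arr_size + 1

def run(insert, addresses):
    """Feed observed addresses through insert; return (final size, first three slots)."""
    arr = [0] * ARR_CAPACITY
    size = 0
    for eax in addresses:
        size = insert(arr, size, eax)
    return size, arr[:3]

# Constructed sample: four hits, one of them a repeat of the first.
SAMPLE = [0x1000, 0x2000, 0x1000, 0x3000]
```

With the sample, the posted logic stores only the first address (at slot 1) and then rejects every later one, while the fixed version keeps the three distinct addresses in slots 0 to 2.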
Der5t Newbie cheater
Reputation: 0
Joined: 10 Mar 2014 Posts: 14
Posted: Tue Aug 02, 2016 12:45 pm Post subject:
Oh... I can do it easily in Lua.
Anyway I will do it in Lua AND I will try it in assembly too!
Thank you guys for your help!
predprey Master Cheater
Reputation: 24
Joined: 08 Oct 2015 Posts: 486
Posted: Tue Aug 02, 2016 3:40 pm Post subject:
I did think about the debug Lua features, but I was afraid it would introduce too much lag, like how "find out what addresses this instruction accesses" does when it reads in thousands of addresses per second.
The downside of using the asm way is that the Lua script might not be fast enough to read a constantly changing stored address, but that was fixed with the array method.
Zanzer I post too much
Reputation: 126
Joined: 09 Jun 2013 Posts: 3278
Posted: Tue Aug 02, 2016 5:17 pm Post subject:
It's probable that the debug method may cause lag, but it's simple enough to implement and find out.
Code:
enemy_addresses = {}
debug_setBreakpoint(address, 1, bptExecute, function()
  enemy_addresses[EAX] = true
  debug_continueFromBreakpoint(co_run)
  return 1
end)
While parsing through the list:
Code:
for enemy_address in pairs(enemy_addresses) do
  local enemy = getAddress(enemy_address)
  if enemy == nil then -- some check to see if it's no longer a valid address
    enemy_addresses[enemy_address] = nil
  end
end