Cheat Engine Forum (The Official Site of Cheat Engine), board: Cheat Engine

Trying to make a controlled variable.

Coreveen
Cheater
Reputation: 0

Joined: 12 May 2011
Posts: 39

PostPosted: Mon Jul 02, 2018 10:32 pm    Post subject: Trying to make a controlled variable.

Hey guys, I'm trying to make an assembly AOB script not need to be constantly activated and de-activated (which takes 5 - 10 seconds in this particular game), one that utilizes a variable I can set on the table after initial activation.

This is the script that works:

Code:
[ENABLE]

aobscan(INJECT,F3 0F 11 6E 30 E9 D6)
alloc(newmem,$1000,INJECT)

label(code)
label(return)

newmem:

code:
  movss [rsi+30],xmm5
  mov [rsi+30],(float)0.7
  jmp return

INJECT:
  jmp newmem
return:
registersymbol(INJECT)

[DISABLE]

INJECT:
  db F3 0F 11 6E 30

unregistersymbol(INJECT)
dealloc(newmem)


Which just automatically sets it to the static specified float every time this instruction is called. Works okay.

My goal is to get something like this working instead:


Code:
[ENABLE]

aobscan(INJECT,F3 0F 11 6E 30 E9 D6)
alloc(newmem,$1000,INJECT)

label(code)
label(return)
label(MK)
registersymbol(MK)

MK:
dd (float)1.0

newmem:

code:
  movss [rsi+30],xmm5
  mov [rsi+30],MK
  jmp return

INJECT:
  jmp newmem
return:
registersymbol(INJECT)

[DISABLE]

INJECT:
  db F3 0F 11 6E 30

unregistersymbol(INJECT)
unregistersymbol(MK)
dealloc(newmem)


And then on the table I can add a Float address called MK and use hotkeys etc. to modify the variable without needing to de-activate and alter the script. But for reasons beyond my understanding, when I tried to activate it, it doesn't work. Even if I try to activate the working script afterward, it is no longer working either, which is strange.

Am I on the right track for converting this to the desired effect? Thanks for your time everyone.
OldCheatEngineUser
Whateven rank
Reputation: 20

Joined: 01 Feb 2016
Posts: 1586

PostPosted: Tue Jul 03, 2018 4:17 am

add MK as an address, set hotkeys to increase or decrease. (display type 4-byte)
Code:
[ENABLE]

aobscan(INJECT,F3 0F 11 6E 30 E9 D6)
alloc(newmem,$1000,INJECT)

label(code)
label(return)
registersymbol(MK)

newmem:
  cvtsi2ss xmm5,[MK]

code:
  movss [rsi+30],xmm5
  jmp return

MK:
dd 01

INJECT:
  jmp newmem
return:
registersymbol(INJECT)

[DISABLE]

INJECT:
  db F3 0F 11 6E 30

unregistersymbol(MK)
unregistersymbol(INJECT)
dealloc(newmem)

_________________
About Me;
I Use CE Since Version 1.X, And Still Learning How To Use It Well!
Jul 26, 2020
STN wrote:
i am a sweetheart.
Coreveen
Cheater
Reputation: 0

Joined: 12 May 2011
Posts: 39

PostPosted: Tue Jul 03, 2018 6:02 am

I appreciate the reply, OldCheatEngineUser, but that script does not work. When the instruction is called the value does not change to what I set it to, as if ignoring it completely.

Does anyone know how I can set this up as a variable on the table?

Edit: The value needs to be a float unfortunately, any way to get it to work like that? I need the hotkeys to increment it by 0.1 each time for testing purposes.


Last edited by Coreveen on Tue Jul 03, 2018 6:12 am; edited 1 time in total
OldCheatEngineUser
Whateven rank
Reputation: 20

Joined: 01 Feb 2016
Posts: 1586

PostPosted: Tue Jul 03, 2018 6:12 am

(previous post)
forgot to add LABEL(MK)
now add MK as an address.
Code:
[ENABLE]

aobscan(INJECT,F3 0F 11 6E 30 E9 D6)
alloc(newmem,$1000,INJECT)

label(code)
label(return)
label(MK)
registersymbol(MK)     // MK becomes usable as an address in the table

newmem:
  movss xmm5,[MK]      // load the table-controlled float into xmm5 before the original store

code:
  movss [rsi+30],xmm5
  jmp return

MK:
dd (float)1.0          // 4 bytes inside newmem's allocation, holding the bits of 1.0

INJECT:
  jmp newmem
return:
registersymbol(INJECT)

[DISABLE]

INJECT:
  db F3 0F 11 6E 30    // original movss [rsi+30],xmm5

unregistersymbol(MK)
unregistersymbol(INJECT)
dealloc(newmem)

Coreveen
Cheater
Reputation: 0

Joined: 12 May 2011
Posts: 39

PostPosted: Tue Jul 03, 2018 6:19 am

That did it! Thank you, kind sir!

If it isn't too much of a bother, would you mind tossing me an explanation of what this is exactly?

Code:
cvtsi2ss
OldCheatEngineUser
Whateven rank
Reputation: 20

Joined: 01 Feb 2016
Posts: 1586

PostPosted: Tue Jul 03, 2018 6:22 am

convert signed dword to scalar single precision floating point value.

note that if you wish to increase it by 0.1 float, then use the last script.
(the first script for non-decimal values)

FreeER
Grandmaster Cheater Supreme
Reputation: 53

Joined: 09 Aug 2013
Posts: 1091

PostPosted: Tue Jul 03, 2018 6:30 am

cvt si 2 ss = ConVerT Scalar Integer To Scalar Single (float), it's an SSE instruction like movss is.


You seem to have a working solution now, but about "takes 5 - 10 seconds in this particular game": perhaps aobscanmodule or aobscanregion can help. If nothing else (probably unnecessary now, but) you could have one script that does the aobscan and registers the symbol, and another that actually does the hook, so that you only ever have to do the scan once (because the symbol isn't unregistered), or use some Lua to achieve the same effect:
Code:
{$lua}
-- Only run the (slow) aobscan when the symbol is not registered yet; the string
-- returned here is inserted into the script as auto-assembler text.
if not getAddressSafe('symbol') then
  return [[aobscan(...)
  registersymbol(symbol)]]
end
{$asm}
and don't unregister the symbol. Possibly you could just not unregister it, but I haven't tried that recently and feel like that doesn't work; can't say for certain, however.
_________________
https://github.com/FreeER/ has a few CE related repos
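
The movss-versus-cvtsi2ss distinction from the two replies above, as an added C example (not code from the thread): a dword of 1 (what `dd 01` stores) and the bits that `dd (float)1.0` stores are each pushed through both loads, and both kinds of table hotkey are simulated (a 4 Bytes record adds 1 to the integer, a Float record adds a step to the float and writes the float's bits back). memcpy stands in for movss, a cast stands in for cvtsi2ss, and the function names are my own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* What `movss xmm5,[MK]` does: copy the 4 bytes at MK into xmm5 unchanged and
 * treat them as an IEEE-754 single. */
float movss_load(uint32_t dword) {
    float f;
    memcpy(&f, &dword, sizeof f);
    return f;
}

/* What `cvtsi2ss xmm5,[MK]` does: read the 4 bytes as a signed integer and
 * convert that integer to the nearest single. */
float cvtsi2ss_load(uint32_t dword) {
    return (float)(int32_t)dword;
}

/* What the assembler stores for `dd (float)x`: the bit pattern of the single. */
uint32_t float_dd(float x) {
    uint32_t u;
    memcpy(&u, &x, sizeof u);
    return u;
}

/* A "Float" memory record with an increase-by-step hotkey: read the 4 bytes as a
 * float, add the step, write the float's bits back. */
uint32_t float_hotkey(uint32_t dword, float step) {
    return float_dd(movss_load(dword) + step);
}

/* A "4 Bytes" memory record with an increase-by-step hotkey: plain integer add. */
uint32_t dword_hotkey(uint32_t dword, int32_t step) {
    return (uint32_t)((int32_t)dword + step);
}

int main(void) {
    uint32_t as_int = 1;                 /* dd 01 */
    uint32_t as_flt = float_dd(1.0f);    /* dd (float)1.0 */
    uint32_t v;

    printf("dd 01          -> movss: %g   cvtsi2ss: %g\n", movss_load(as_int), cvtsi2ss_load(as_int));
    printf("dd (float)1.0  -> bits 0x%08X   movss: %g   cvtsi2ss: %g\n",
           as_flt, movss_load(as_flt), cvtsi2ss_load(as_flt));

    /* First script (cvtsi2ss) driven by a 4 Bytes record: 1 -> 2 -> 3, whole numbers only. */
    v = as_int;
    for (int i = 0; i < 3; i++) { v = dword_hotkey(v, 1); printf("cvtsi2ss path: %g\n", cvtsi2ss_load(v)); }

    /* Last script (movss) driven by a Float record: 1.0 -> 1.1 -> 1.2 -> 1.3. */
    v = as_flt;
    for (int i = 0; i < 3; i++) { v = float_hotkey(v, 0.1f); printf("movss path:    %g\n", movss_load(v)); }

    /* Mismatch: a Float record feeding cvtsi2ss reads 1.0's bits as the integer 1065353216. */
    printf("float record + cvtsi2ss: %g\n", cvtsi2ss_load(as_flt));
    return 0;
}
```

The first line of output is the reason the cvtsi2ss script "ignores" a Float record and the movss script ignores a 4 Bytes record: the same four bytes mean 1.4e-45 to movss and 1 to cvtsi2ss, so the load has to match the display type of the record that edits MK.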
Coreveen
Cheater
Reputation: 0

Joined: 12 May 2011
Posts: 39

PostPosted: Tue Jul 03, 2018 7:03 am

@OldCheatEngineUser & @FreeER:

Much obliged for the explanations; that makes sense, then, why you would use it in the first script. Good to know when I want to use an integer instead of a float in similar situations.

@OldCheatEngineUser: I would offer you a +rep but I do not see a button anywhere to do that for you, but know I am grateful!

@FreeER: Yeah, I have about 8 custom AOB scripts that all take about 5 - 10 seconds EACH to load in, and then they find the values I have them displaying on the table for viewing and testing purposes. I am in no way good or great at code or table making, so if you didn't mind explaining how aobscanmodule or aobscanregion could help, I would be all ears (and eyes)!

Here is an example script:

[ ] Find Money
Code:
[ENABLE]

aobscan(INJECT,48 63 40 58 89 45 F4)
alloc(newmem,$1000,INJECT)

label(code)
label(return)
label(money)
registersymbol(money)

newmem:

code:
  mov [money],rax
  movsxd  rax,dword ptr [rax+58]
  mov [rbp-0C],eax
  jmp return

money:
dq 0
INJECT:
  jmp newmem
  nop
  nop
return:
registersymbol(INJECT)

[DISABLE]

INJECT:
  db 48 63 40 58 89 45 F4

unregistersymbol(INJECT)
unregistersymbol(money)
dealloc(newmem)


Then in the table I added an address '[money]+58' and it shows me the money in situations I need to see it update in realtime.

Almost every other script, apart from the one I was requesting help with above, uses this same method to relay visual information to the table for viewing... but they all take 5 - 10 seconds to load. Sometimes after a fresh reboot of the PC they load almost instantly, but that has only happened once out of the 30 or so times I have done testing/playing with this particular game and table.
OldCheatEngineUser
Whateven rank
Reputation: 20

Joined: 01 Feb 2016
Posts: 1586

PostPosted: Tue Jul 03, 2018 7:24 am

Code:
AOBSCANMODULE(inject, somemodule.exe, 00 11 22 33 44 55)
Will scan the specific module for the given AOB

AOBSCANREGION(inject, $00458800, $00460000, 00 11 22 33 44 55)
Will scan the specific range for the given AOB

AOBSCANREGION(inject, "somemodule.exe"+4800, "somemodule.exe"+4900, 00 11 22 33 44 55)
another version of aobscanregion


you can find region address and size here:

memory viewer -> view -> memory region
memory viewer -> CTRL+R (hotkey)

FreeER
Grandmaster Cheater Supreme
Reputation: 53

Joined: 09 Aug 2013
Posts: 1091

PostPosted: Tue Jul 03, 2018 7:44 am

aobscanmodule and aobscanregion work by specifying what memory to scan instead of scanning the entire process like aobscan does; the first takes a module name like game.exe or msvcrt.dll, while the second takes the start and end addresses of a "region" to scan.

Many games nowadays use more dynamic memory and jitting that allocate outside of a named module, so aobscanmodule may not work, but if you can find a pointer or just a single aob to that memory region then you can use aobscanregion.

Eg. for step 2 of the x86 tutorial you can use a script like this:
Code:
[ENABLE]
aobscan(BASE_REGION,EE FF EE FF 02 00 00 00 10 00 ?? ?? A4 00 ?? ?? 00 00 ?? ?? 00 00 ?? ??)
registerSymbol(BASE_REGION)
[DISABLE]
unregisterSymbol(BASE_REGION)
to find the base region that the step2 value is allocated in, and most likely many other values you care about as well. Once you find the value you can look in CE's memory regions window (from the memory viewer's view menu) to find the start and size (though 6.8 will tell you the start at the top of the hex view if you go to that address in it); then you copy the first few bytes and repeat until you get a reliable AOB. Then you repeat for the value; in this case I got the following (note you have to click Next and be on step 2 before the values are set and the aobscan can find them, and it assumes the value is still at 100, though you could likely make an aob in this case that works when it's not by masking the first 4 bytes):
Code:
[ENABLE]
aobscanregion(step2,BASE_REGION,BASE_REGION+FF000,64 00 00 00 90 04 00 00 ?? ?? ?? 03 92 02 00 00 48 62 5E 00 00 00 00 00 7C 1E 5B 00)
registerSymbol(step2)
[DISABLE]
unregisterSymbol(step2)
(and then add a memory record with the address of "step2" to see/change the value)

Obviously this would work for code as well, probably even a little better since it's easier to construct an aob for code than it is for data that may be randomized or changing (eg. timers), but obviously the code in the tutorial exists in a module, so you could just use aobscanmodule(step2check,Tutorial-i386.exe,81 BB 80 04 00 00 E8 03 00 00) in that case (which is what CE does by default for the AOB template).

Coreveen
Cheater
Reputation: 0

Joined: 12 May 2011
Posts: 39

PostPosted: Tue Jul 03, 2018 8:15 am

This is some really helpful information, thank you! I will check this out after I return from work tonight. I see mentions of 'the tutorial', would you care to link that here? I must have missed it.
FreeER
Grandmaster Cheater Supreme
Reputation: 53

Joined: 09 Aug 2013
Posts: 1091

PostPosted: Tue Jul 03, 2018 11:11 am

As far as the tutorial, open CE and click the Help menu. 6.8 will list 3 (at least if your computer supports x64/64bit, which almost all do): the original tutorial v3.3 in x86 and x64 (floating point instructions in particular are different), and the new GUI game tutorial, which will run whatever version of CE is launched (so CE x86 will launch the x86 version while CE x64 will launch the x64, just like previous versions of CE did for the original tutorial).

Alternatively you can open CE's install directory and find the 4 tutorial exes there with the 3 CE exes (the launcher exe and the 2 x86/x64 specific ones it runs).

Coreveen
Cheater
Reputation: 0

Joined: 12 May 2011
Posts: 39

PostPosted: Wed Jul 04, 2018 3:26 am

I wasn't able to find anything on the aob region scanning method in the tutorial or tutorials from Google searches. Perhaps I am not searching with the right keywords.

I tried to figure this out to apply to some of my scripts but I don't really understand what I am looking for.

I assumed I had to go to the part of the memory viewer that the AOB script was currently generated from (via "what accesses" and "show disassembler") and then pressed the Ctrl + R shortcut there. This is what I see:

https://i.imgur.com/FGZbHXc.png

I have no idea how to apply this though. Forgive my lack of understanding, I am quite tired tonight.

This is the working unmodified standard AOB script from that screenshot above:

Code:
[ENABLE]

aobscan(INJECT,48 63 56 34 48 8B C8 41)
alloc(newmem,$1000,INJECT)

label(code)
label(return)
label(RTL)
registersymbol(RTL)

newmem:

code:
  mov [RTL],rsi
  movsxd  rdx,dword ptr [rsi+34]
  mov rcx,rax
  jmp return

RTL:
dq 0
INJECT:
  jmp newmem
  nop
  nop
return:
registersymbol(INJECT)

[DISABLE]

INJECT:
  db 48 63 56 34 48 8B C8

unregistersymbol(INJECT)
unregistersymbol(RTL)
dealloc(newmem)
OldCheatEngineUser
Whateven rank
Reputation: 20

Joined: 01 Feb 2016
Posts: 1586

PostPosted: Wed Jul 04, 2018 6:10 am

see the 4th one
region:

address - 00400000 - image - size 1000
address - 00401000 - image - size 15000

00400000 <- start of this region ... end of this region -> 00400FFF
here another region starts, 00401000; how large is the region? 15000!

imagine them as blocks of instructions, every 100 or 10000 instructions in one block.
so your instruction (according to your image) should start somewhere here, 23877547000 (I'm just guessing, you have to look at the mem-region)

and you don't really have to look at the memory region; if your instruction address starts here: (example)
00406080 mov dword ptr [eax-edx],ecx
... ; some instructions
00406100 cmp byte ptr [ebx],01

aobscanregion(symbol, 00406000, 00406200, 00 11 22 33 44 55)

will work fine, you don't really need to give it the BASE ADDRESS of the region and the LAST ADDRESS

however, if you have multiple scripts hooking multiple instructions AND all of these instructions fall under 1 memory region ... then getting the starting address and ending address can be good.

remember:
aobscan -> slow
aobscanmodule -> normal
aobscanregion -> fast
address injection -> super fast



(most likely you won't get any luck if the game doesn't use module addresses / symbols; the CODE section must be in a static / fixed place in virtual memory in order to use aobscanregion or address injection)

make sure you have symbols and module addresses checked:
memory view -> view -> "show module addresses & show symbols"

and if it's a mono game, you can enable "mono features" so you can use address injection for mono type games.

FreeER
Grandmaster Cheater Supreme
Reputation: 53

Joined: 09 Aug 2013
Posts: 1091

PostPosted: Wed Jul 04, 2018 8:30 am

^ every process has multiple sections in it: a "text" section for code, a "data" section for some data, etc. These are generally going to have different permissions (you don't usually want to run data as code: A) it'd generally crash and B) it allows people to manipulate that data into code they want to run and then run it to do what they want, though that used to be the default lol). Each of these sections can be loaded as a memory "region". The process then is going to load a number of shared libraries, some from the operating system like user32.dll and gdi.dll and others from third parties like directx.dll etc., which are going to have their own sections and end up creating their own memory regions. Sometimes the process (or even a dll) may then create additional memory regions for other things like jitted code. The memory regions window shows a list of these and information about them: what "image"/file they are copied from (if they weren't created at runtime), the start, size, permissions etc.

The problem with aobscanregion(symbol, 00406000, 00406200, 00 11 22 33 44 55) is that it relies on it being at a certain address, which probably won't be true in other versions, but if it was it'd probably be in a module and you could just scan that module pretty quickly.

Quote:
CODE section must be in static / fixed place in virtual memory in order to use aobscanregion or address injection)
not necessarily for aobscanregion (though on its own, yeah); my example on the tutorial uses a combination of aobscan + aobscanregion to find a region that moves around in memory and then to find a variable within that region (which in theory could move around as long as the entire aob for it moves, which is what would happen with an entire function rather than a single 4 byte value). I've also found it useful when I wanted to make a hook for a mono game's function that doesn't just return at the start: get the start+size from mono with lua and then scan the function's code for the specific bytes I want to change, so it works even if those bytes get moved around inside the function because of other code changing, but I can be far more specific because the bytes only have to be unique within that function, not all of the process's memory. So it doesn't need to be static, you just need to have some way to get the start and end of the region.

aobscan -> slow - scan everything until the AOB is found; slow if it's at the end of memory, particularly slow in x64, which has a much larger memory range than x86.
aobscanmodule -> normal - scan a single module, usually relatively small and fast enough
aobscanregion -> fast - scan only the given range, fast if the range is small
address injection -> super fast - no scan, just go to the given address

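
The three scan commands and the slow/normal/fast ranking discussed in the last few posts (FreeER's explanation of aobscan, aobscanmodule and aobscanregion, and OldCheatEngineUser's region table), as an added C example that is not code from the thread or from Cheat Engine itself. It implements one wildcard AOB scanner over a constructed 4 KiB buffer with a made-up region list ("heap", "game.exe", "other.dll" at offsets I chose) and exposes it three ways, differing only in how the range is picked. The target bytes are the movsxd rax,[rax+58] / mov [rbp-0C],eax sequence from the Find Money script above; a decoy sharing its first four bytes is planted in the "heap" to show why a short AOB with wildcards finds the wrong place under aobscan but not under aobscanmodule. The result carries a hit count (a good AOB has exactly one) and the number of offsets examined, which is the cost the ranking is about.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_PATTERN 64
#define MEM_SIZE    0x1000   /* constructed "process memory": 4 KiB */

/* mask[i] == 1: byte must equal value[i]; mask[i] == 0: wildcard written as ?? */
typedef struct { uint8_t value[MAX_PATTERN], mask[MAX_PATTERN]; size_t len; } aob_pattern;
/* one row of CE's memory region list: image name and [start, end) */
typedef struct { const char *name; size_t start, end; } mem_region;
/* first: offset of first hit or -1; hits: anything but 1 means the AOB is not unique;
 * scanned: candidate offsets examined, i.e. the cost of the scan */
typedef struct { long first; size_t hits, scanned; } scan_result;

/* Parse CE-style AOB text such as "48 63 40 58 ?? ?? F4". Returns 1 on success, 0 on bad input. */
int aob_parse(const char *text, aob_pattern *out) {
    out->len = 0;
    for (const char *p = text; *p; p += 2) {
        while (*p == ' ') p++;
        if (!*p) break;
        if (out->len == MAX_PATTERN) return 0;
        if (p[0] == '?' && p[1] == '?') {
            out->value[out->len] = 0;
            out->mask[out->len] = 0;
        } else if (isxdigit((unsigned char)p[0]) && isxdigit((unsigned char)p[1])) {
            char hex[3] = { p[0], p[1], 0 };
            out->value[out->len] = (uint8_t)strtol(hex, NULL, 16);
            out->mask[out->len] = 1;
        } else {
            return 0;            /* exactly two hex digits or ?? per byte */
        }
        out->len++;
    }
    return out->len > 0;
}

/* The one scanner behind all three commands; they differ only in how [start, end) is chosen. */
scan_result aob_scan_range(const uint8_t *mem, size_t start, size_t end, const aob_pattern *pat) {
    scan_result r = { -1, 0, 0 };
    if (end > MEM_SIZE) end = MEM_SIZE;
    if (end < start || end - start < pat->len) return r;
    for (size_t off = start; off + pat->len <= end; off++) {
        size_t i = 0;
        r.scanned++;
        while (i < pat->len && (!pat->mask[i] || mem[off + i] == pat->value[i])) i++;
        if (i == pat->len) {
            if (r.first < 0) r.first = (long)off;
            r.hits++;
        }
    }
    return r;
}

/* Constructed layout (not a real process): a heap block, the main image, one DLL. */
static uint8_t g_mem[MEM_SIZE];
static const mem_region g_regions[] = {
    { "heap", 0x000, 0x400 }, { "game.exe", 0x400, 0xC00 }, { "other.dll", 0xC00, MEM_SIZE },
};
#define DECOY_OFF  0x120
#define TARGET_OFF 0x900

const uint8_t *build_sample_memory(void) {
    /* target: the movsxd rax,[rax+58] / mov [rbp-0C],eax bytes the Find Money script hooks;
     * decoy: the same movsxd followed by ret on the heap, so the first 4 bytes are not unique */
    static const uint8_t target[] = { 0x48, 0x63, 0x40, 0x58, 0x89, 0x45, 0xF4 };
    static const uint8_t decoy[] = { 0x48, 0x63, 0x40, 0x58, 0xC3 };
    memset(g_mem, 0xCC, MEM_SIZE);                    /* int3 filler */
    memcpy(g_mem + DECOY_OFF, decoy, sizeof decoy);
    memcpy(g_mem + TARGET_OFF, target, sizeof target);
    return g_mem;
}

static scan_result no_result = { -1, 0, 0 };

/* aobscan(sym, AOB): the whole buffer. */
scan_result aob_scan_all(const uint8_t *mem, const char *aob) {
    aob_pattern pat;
    return aob_parse(aob, &pat) ? aob_scan_range(mem, 0, MEM_SIZE, &pat) : no_result;
}

/* aobscanmodule(sym, module, AOB): look the module up, scan only its range. */
scan_result aob_scan_module(const uint8_t *mem, const char *module, const char *aob) {
    aob_pattern pat;
    if (!aob_parse(aob, &pat)) return no_result;
    for (size_t i = 0; i < sizeof g_regions / sizeof g_regions[0]; i++)
        if (strcmp(g_regions[i].name, module) == 0)
            return aob_scan_range(mem, g_regions[i].start, g_regions[i].end, &pat);
    return no_result;
}

/* aobscanregion(sym, start, end, AOB): the caller supplies the range. */
scan_result aob_scan_region(const uint8_t *mem, size_t start, size_t end, const char *aob) {
    aob_pattern pat;
    return aob_parse(aob, &pat) ? aob_scan_range(mem, start, end, &pat) : no_result;
}

int main(void) {
    const uint8_t *mem = build_sample_memory();
    const char *full = "48 63 40 58 89 45 F4", *loose = "48 63 40 58 ?? ?? ??";
    scan_result r[4] = { aob_scan_all(mem, full), aob_scan_all(mem, loose),
                         aob_scan_module(mem, "game.exe", loose), aob_scan_region(mem, 0x8F0, 0x920, full) };
    const char *what[4] = { "aobscan full", "aobscan loose (decoy wins)", "aobscanmodule loose", "aobscanregion full" };
    for (int i = 0; i < 4; i++)
        printf("%-28s first=%lx hits=%zu scanned=%zu\n", what[i], r[i].first, r[i].hits, r[i].scanned);
    return 0;
}
```

Two things the output makes concrete: the loose pattern reports two hits under aobscan and its first hit is the decoy, so a script built on it would patch the wrong bytes, while restricting the scan to the module both fixes that and cuts the work in half; and the region scan over a 0x30-byte window examines 42 offsets instead of 4090, which is the whole difference between "slow" and "fast" in the ranking above.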