 |
Cheat Engine
The Official Site of Cheat Engine
|
| View previous topic :: View next topic |
| Author |
Message |
Kotlin
!BEWARE! Deletes post on answer
![]() Reputation: 0
Joined: 13 Mar 2019
Posts: 3
|
 Posted: Wed Mar 13, 2019 1:00 pm Post subject: Replacing multiple AoBs |
 |
|
Hi all,
I've spent a good amount of time researching this topic but have not had any success on my own. I am pretty new to cheat engine scripting but I believe I'm heading in the right direction.
I'm currently working on a table for a game that does some weird stuff. The cheat I'm currently trying to create is unlimited mana. I am able to find the value and the area in memory that needs to be modified. I found the instruction that sets mana but this instruction exists about 50 times and the game seems to randomly choose which to use. I have created an AoB signature that is as unique as I possibly can get it but it still returns the 50 addresses each time.
Since the game uses one of these addresses at random for mana, my goal is to use LUA to AoB scan for all of the matching addresses and then replace each of them with a jump to set the value of mana before the value is copied into the address that holds mana.
I hope what I'm trying to achieve makes sense.
TLDR:
Need to perform an AOB scan and replace the same instruction in like 50 different places in the same way I can do it with the auto assembler. My issue is I don't know how to iterate over each AoB result and replace the necessary bytes with the new bytes that my auto assembler code would replace with.
I believe I'll need to maybe use this script:
Topic: 5620925 (Sorry, can't post links yet.)
Script from that topic:
| Code: | {$lua}
if syntaxcheck then return end
cheat_name = "MyCheat"
[ENABLE]
local pattern = "48 83 EC 28 E8 ?? ?? ?? ?? 48 83 C4 28"
local replace = "?? ?? ?? ?? 90 90 90 90 90 ?? ?? ?? ??"
-- edit the name of the cheat
-- edit the pattern to search
-- edit the replacement bytes
-- use ?? to ignore the bytes
-- do not edit the code below
local scans = AOBScan(pattern)
if scans == nil then
showMessage("Unable to find pattern:\n"..pattern)
else
local saved = {}
local length = (#replace + 1) / 3
for i = 0, scans.Count - 1 do
local backup = readBytes(scans[i], length, true)
local bytes = {}
for hex in string.gmatch(replace, "%S+") do
local size = #bytes + 1
if hex == "??" then
bytes[size] = backup[size]
else
bytes[size] = tonumber(hex, 16)
end
end
saved[i] = backup
writeBytes(scans[i], bytes)
end
_G[cheat_name] = {
["scans"] = scans,
["saved"] = saved
}
end
[DISABLE]
local vars = _G[cheat_name]
if vars ~= nil then
local scans = vars.scans
local saved = vars.saved
for i = 0, scans.Count - 1 do
writeBytes(scans[i], saved[i])
end
scans.Destroy()
vars.scans = nil
vars.saved = nil
vars = nil
_G[cheat_name] = nil
end |
I think I'll need to combine that script with some autoAssemble instruction and then change the 'replace' value to point at the newly allocated address from the autoAssemble code.
This is my pattern:
| Code: | | 0F B7 47 14 F3 0F 11 44 24 18 8B 4C 24 18 81 F1 ?? ?? F4 59 89 0C 87 0F B7 47 14 40 F7 F3 0F B7 C2 66 89 47 14 89 0C 87 0F B7 47 14 39 0C 87 74 1C 83 EC 28 |
I would want to make the jump here (first occurrence):
| Code: | | 89 0C 87 0F B7 47 14 |
So I know I would need to replace those with something like this:
| Code: | | E9 18 CB DB FF 90 90 |
The part I need to change dynamically depending on what address is allocated is
But I'm not sure how I can get that new address dynamically once I allocate the memory using autoAssemble. I know getAddress is available but I need the bytes.
Any help would be greatly appreciated..
|
|
| Back to top |
|
 |
AylinCE
Grandmaster Cheater Supreme
 Reputation: 37
Joined: 16 Feb 2017
Posts: 1516
|
| Posted: Wed Mar 13, 2019 2:17 pm Post subject: |
|
|
Find the correct value with 4 bytes.
example: 1000
right click and select: "Browse this memory recion"
Aob: E8 03 00 00
Including the front and back of the code,
Extend until you create a unique Aob.
0F 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 15 98 30 75 AC D9 D4 01 E8 03 00 00 00 00 00 00 00 74 62 06 80 F8 FF FF 04 00 00 00 00 00 00 00 4C 0A 00 00 00 00 00 00 08 00 00 00 08 00 00 00 01
replace variables with "??" use.
Search Aob:
0F 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? E8 03 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 ?? ?? 00 00 00 00 00 00 ?? 00 00 00 ?? 00 00 00 01
Replace:
0F 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 10 27 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 ?? ?? 00 00 00 00 00 00 ?? 00 00 00 ?? 00 00 00 01
When you create a robust Aob code, the scenario can be translated.
AAScript:
| Code: | [ENABLE]
Aobscan(_Healt,0F 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? E8 03 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 ?? ?? 00 00 00 00 00 00 ?? 00 00 00 ?? 00 00 00 01)
_Healt:
db 0F 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 10 27 00 00
[DISABLE] |
etc.. etc.. etc..
_________________
|
|
| Back to top |
|
|
Kotlin
!BEWARE! Deletes post on answer
![]() Reputation: 0
Joined: 13 Mar 2019
Posts: 3
|
| Posted: Wed Mar 13, 2019 2:22 pm Post subject: |
|
|
| Aylin wrote: | Find the correct value with 4 bytes.
example: 1000
right click and select: "Browse this memory recion"
Aob: E8 03 00 00
Including the front and back of the code,
Extend until you create a unique Aob.
0F 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 15 98 30 75 AC D9 D4 01 E8 03 00 00 00 00 00 00 00 74 62 06 80 F8 FF FF 04 00 00 00 00 00 00 00 4C 0A 00 00 00 00 00 00 08 00 00 00 08 00 00 00 01
replace variables with "??" use.
Search Aob:
0F 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? E8 03 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 ?? ?? 00 00 00 00 00 00 ?? 00 00 00 ?? 00 00 00 01
Replace:
0F 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 10 27 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 ?? ?? 00 00 00 00 00 00 ?? 00 00 00 ?? 00 00 00 01
When you create a robust Aob code, the scenario can be translated.
AAScript:
| Code: | [ENABLE]
Aobscan(_Healt,0F 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? E8 03 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 ?? ?? 00 00 00 00 00 00 ?? 00 00 00 ?? 00 00 00 01)
_Healt:
db 0F 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 10 27 00 00
[DISABLE] |
etc.. etc.. etc.. |
The problem is if I extend the AOB pattern to be completely unique, it will only match one. This sounds good, but the problem is the game switches between the different matches randomly so I basically would have a 1 in 50 chance of matching the correct AoB. Does this make sense?
I need to replace the bytes at all locations I believe.
|
|
| Back to top |
|
|
AylinCE
Grandmaster Cheater Supreme
Reputation: 37
Joined: 16 Feb 2017
Posts: 1516
|
| Posted: Wed Mar 13, 2019 2:39 pm Post subject: |
|
|
Can you pause the game?
I can give you a script that you can use right now.
But I have to propose a unique Aob code for that.
For example: You stopped the game, what was Healt,
there is a scenario in which you can write and change it.
But since the long Aob will be processed, you must find the correct code.
or "Healt" You will then encoded as a variable.
0F 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 ?? ?? 00 00 00 00 00 00 ?? 00 00 00 ?? 00 00 00 01
_________________
|
|
| Back to top |
|
|
Kotlin
!BEWARE! Deletes post on answer
![]() Reputation: 0
Joined: 13 Mar 2019
Posts: 3
|
| Posted: Wed Mar 13, 2019 3:00 pm Post subject: |
|
|
Yes I can pause the game. I'm not completely sure what you are asking/telling me to do with the AoB pattern in your post. Could you elaborate please?
Thank you for your help
|
|
| Back to top |
|
|
AylinCE
Grandmaster Cheater Supreme
Reputation: 37
Joined: 16 Feb 2017
Posts: 1516
|
| Posted: Wed Mar 13, 2019 4:05 pm Post subject: |
|
|
1) Paste the following code into "Lua Script: Cheat Table".
Click "Execute Script".
2) Open the game and select the current game process in CE.
3) Stop the game flow. (Checkbox.checked = True)
4) Write the current Healt value to "e1.Text".
5) Click the "Enable" button.
6) After the button "ON", change the game flow to normal.
| Code: | form = createForm(true)
form.Position = poDesktopCenter
form.Width = 260
form.Height = 100
l1 = createLabel(form)
l1.Left = 5
l1.Top = 53
l1.caption = "Healt?"
e1 = createEdit(form)
e1.Height = 24
e1.Left = 50
e1.Top = 50
e1.Width = 90
b1 = createButton(form)
b1.Height = 24
b1.Left = 150
b1.Top = 48
b1.Width = 100
b1.caption = "Enable"
c1 = createCheckBox(form)
c1.Height = 24
c1.Left = 152
c1.Top = 10
c1.Width = 100
c1.caption = "Game Pause"
c1.OnClick = function()
if c1.checked==true then
pause()
else
unpause()
end
end
----------------------------------------------
----------------------------------------------
function DEC_HEX(IN)
local B,K,OUT,I,D=16,"0123456789ABCDEF","",0
if IN<1 then
OUT=0
return OUT
end
while IN>0 do
I=I+1
IN,D=math.floor(IN/B),math.fmod(IN,B)+1
OUT=string.sub(K,D,D)..OUT
end
return OUT
end
function Aobswap(search, change)
aobs = AOBScan(search)
if(aobs ~= nil) then
j = stringlist_getCount(aobs)
for i = 1, j do
address=stringlist_getString(aobs,i-1)
for i = 1, string.len(change), 3 do
z = string.sub(change, i, i+2)
x, y = string.find(z, "%?+")
if (x == nil) then
script=[[
]]..address.."+"..(DEC_HEX((i-1)/3))..[[:
db ]]..z..[[
]]
autoAssemble(script)
end
end
end
object_destroy(aobs);
aobs=nil
end
end
function AobswapC(search, change)
aobs = AOBScan(search)
if(aobs == nil) then AobSwapCheck=false else
j = stringlist_getCount(aobs)
for i = 1, j do
address=stringlist_getString(aobs,i-1)
for i = 1, string.len(change), 3 do
z = string.sub(change, i, i+2)
x, y = string.find(z, "%?+")
if (x == nil) then
script=[[
]]..address.."+"..(DEC_HEX((i-1)/3))..[[:
db ]]..z..[[
]]
autoAssemble(script)
end
end
end
object_destroy(aobs);
aobs=nil
AobSwapCheck=true
end
end
------------------------------------------------
function byteTableToAobString(t)
for k,v in ipairs(t) do
t[k] = ('%02X'):format(v)
end
return table.concat(t, ' ')
end
----------------Search - Replace --------------
b1.OnClick = function()
b1.Caption="Wait";
--local format = ('%s %s'):format:format(newvalue, newvalue)
newvalue = e1.Text
newvalue = tonumber(newvalue)
if not newvalue then return end
newvalue = dwordToByteTable(newvalue)
newvalue = byteTableToAobString(newvalue)
---Find the long aob code and paste it down. Cut 4 bytes to replace the code "Healt" and put it in its place %s (This sign is the same as "e1.Text".)
codescan1 = (('0F 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? %s 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 ?? ?? 00 00 00 00 00 00 ?? 00 00 00 ?? 00 00 00 01'):format(newvalue))
Aobswap(codescan1,('0F 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 10 27 00 00'))
b1.Caption="ON";
end |
_________________
|
|
| Back to top |
|
|
Corroder
Grandmaster Cheater Supreme
 Reputation: 75
Joined: 10 Apr 2015
Posts: 1668
|
| Posted: Wed Mar 13, 2019 8:32 pm Post subject: |
|
|
| Quote: | I would want to make the jump here (first occurrence):
Code:
89 0C 87 0F B7 47 14
So I know I would need to replace those with something like this:
Code:
E9 18 CB DB FF 90 90
|
| Code: | your_pattern = '0F B7 47 14 F3 0F 11 44 24 18 8B 4C 24 18 81 F1 ?? ?? F4 59 89 0C 87 0F B7 47 14 40 F7 F3 0F B7 C2 66 89 47 14 89 0C 87 0F B7 47 14 39 0C 87 74 1C 83 EC 28'
your_pattern+20
db:
E9 18 CB DB FF 90 90
-- will change your_pattern to :
'0F B7 47 14 F3 0F 11 44 24 18 8B 4C 24 18 81 F1 ?? ?? F4 59 E9 18 CB DB FF 90 90'
|
_________________
Stealing Code From Stolen Code...
And Admit It.. Hmmm....Typically LOL |
|
| Back to top |
|
|
|
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum
|
|
FAQ
Search
Memberlist
Usergroups
Register
Profile
Log in to check your private messages
Log in
