Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
 
 FAQFAQ   SearchSearch   MemberlistMemberlist   UsergroupsUsergroups   RegisterRegister 
 ProfileProfile   Log in to check your private messagesLog in to check your private messages   Log inLog in 


AOB Scan Script Enigma

 
Post new topic   Reply to topic    Cheat Engine Forum Index -> Cheat Engine
View previous topic :: View next topic  
Author Message
Coreveen
Cheater
Reputation: 0

Joined: 12 May 2011
Posts: 37

PostPosted: Thu May 12, 2022 9:47 pm    Post subject: AOB Scan Script Enigma Reply with quote

Hey all. So I was wondering what's up with this game and if there's any way to solve this rather annoying issue.

Basically what's happening is, when I load the game and attach the table and then proceed to load into the world and perform the related action at least once to get it loaded into findable memory for the script to activate - that half or dare I even say 75% of the time it just simply doesn't activate.

The thing is, if I search for the value in question again, find it, and repeat the exact same process to re-create an alternate version of the AOB scan script, it produces an exact clone of the original script - the same array of bytes in the enable and disable sections and everything. Yet the game just ignores it in this alternate state.

The only fix I've found is to completely close the game and spend another 100 - 120 seconds loading the game and world back up and repeating the process for another 25-50% chance that it will work.

I've loaded this table at least 50 times over the years so I can confirm this behavior is accurate, I'm just getting sick of not knowing why this happens and seeking help and advice from the professionals here.

This isn't just for one value either, if this alternate instance enigma occurs, none of the other AOB scan scripts will activate either, even if I try re-creating them. The game is Valheim on Steam by the way.

Does anyone have any ideas?

Back to top
View user's profile Send private message
ParkourPenguin
I post too much
Reputation: 110

Joined: 06 Jul 2014
Posts: 3347

PostPosted: Fri May 13, 2022 2:19 am    Post subject: Reply with quote

You probably can't directly address `findweight`- the globalalloc needs to be within 2GiB of the instruction addressing the memory location. I forget if globalalloc can take a third parameter or not, but you might be able to forego it and use registersymbol instead.
Code:
...
label(findweight)
registersymbol(findweight)

code:
  mov [findweight],rsi
  movss [rsi+3C],xmm5
  jmp return

align 8 CC
findweight:
  dq 0
...
(don't forget unregistersymbol in disable)
Alternatively, indirectly address it:
Code:
...
push rax
mov rax,findweight
mov [rax],rsi
pop rax
movss ...

If it still doesn't work, maybe the alloc fails because there isn't any free memory within 2GiB of the injection point.

_________________
I don't know where I'm going, but I'll figure it out when I get there.
Back to top
View user's profile Send private message
LeFiXER
Grandmaster Cheater
Reputation: 9

Joined: 02 Sep 2011
Posts: 675
Location: 0x90

PostPosted: Fri May 13, 2022 4:51 am    Post subject: Reply with quote

ParkourPenguin wrote:
I forget if globalalloc can take a third parameter or not


It can take a third parameter
Code:

globalAlloc(Symbol, Size, AllocateNearThisAddress OPTIONAL)
Back to top
View user's profile Send private message
Coreveen
Cheater
Reputation: 0

Joined: 12 May 2011
Posts: 37

PostPosted: Fri May 13, 2022 12:23 pm    Post subject: Reply with quote

LeFiXER wrote:
ParkourPenguin wrote:
I forget if globalalloc can take a third parameter or not


It can take a third parameter
Code:

globalAlloc(Symbol, Size, AllocateNearThisAddress OPTIONAL)


Thank you. So in the script it would look like this?

globalAlloc(findweight, 8, AllocateNearThisAddress OPTIONAL)

ParkourPenguin wrote:
You probably can't directly address `findweight`- the globalalloc needs to be within 2GiB of the instruction addressing the memory location. I forget if globalalloc can take a third parameter or not, but you might be able to forego it and use registersymbol instead.
Code:
...
label(findweight)
registersymbol(findweight)

code:
  mov [findweight],rsi
  movss [rsi+3C],xmm5
  jmp return

align 8 CC
findweight:
  dq 0
...
(don't forget unregistersymbol in disable)
Alternatively, indirectly address it:
Code:
...
push rax
mov rax,findweight
mov [rax],rsi
pop rax
movss ...

If it still doesn't work, maybe the alloc fails because there isn't any free memory within 2GiB of the injection point.


Thanks for that, I will try them tonight when I have time.

Is there any downside to having it reach further than 2GiB from the injection point?
Back to top
View user's profile Send private message
ParkourPenguin
I post too much
Reputation: 110

Joined: 06 Jul 2014
Posts: 3347

PostPosted: Fri May 13, 2022 12:40 pm    Post subject: Reply with quote

Branch instructions (call, jmp, jcc) can address memory locations using a signed 32-bit relative displacement (i.e. give or take 2 GiB). They can't directly address most memory locations further away. CE can do a little bit of trickery to jump to addresses further than 2 GiB away, but CE uses a 14-byte jump instead of a 5-byte jump. If you don't account for these extra bytes in your script, it will almost certainly crash the process.
This is what the third parameter to alloc is for: CE will only allocate memory within 2 GiB of the specified address so that a 5-byte jump can be ensured.

Other instructions that address memory locations (e.g. mov) use something that's practically the same called RIP-relative addressing. This allows instructions to directly address a memory location within 2 GiB of where the instruction is located. If the addressed memory location is further away, the instruction can't be assembled and the script will fail.

_________________
I don't know where I'm going, but I'll figure it out when I get there.
Back to top
View user's profile Send private message
Coreveen
Cheater
Reputation: 0

Joined: 12 May 2011
Posts: 37

PostPosted: Sat May 14, 2022 2:38 am    Post subject: Reply with quote

Well the alternate version managed to find the weight, which is a success and a great extra tool to add to the old script toolbelt!

It's just unfortunate that I don't quite grasp an understanding of what is happening. I get the push and pop instruction section but i've never seen this align function nor do I have any idea why 8 CC is used and what I would change to make it work correctly in other scripts where it gets used.

Thanks for taking the time to explain these things, trying to wrap my head around them.
Back to top
View user's profile Send private message
ParkourPenguin
I post too much
Reputation: 110

Joined: 06 Jul 2014
Posts: 3347

PostPosted: Sat May 14, 2022 10:57 am    Post subject: Reply with quote

CE's align pseudoinstruction simply inserts bytes in memory (i.e. 0xCC) until the next address is aligned to some specified amount (i.e. 0x8).
It's unnecessary most of the time- the CPU will resolve most "problems" that can occur with unaligned accesses. I just find it annoying when data access is unaligned as it goes against the information I've learned from compilers.

_________________
I don't know where I'm going, but I'll figure it out when I get there.
Back to top
View user's profile Send private message
luplay2
How do I cheat?
Reputation: 0

Joined: 18 May 2022
Posts: 1

PostPosted: Wed May 18, 2022 12:47 am    Post subject: Reply with quote

Thanks for your discussion! I have learned a log.
Back to top
View user's profile Send private message
Display posts from previous:   
Post new topic   Reply to topic    Cheat Engine Forum Index -> Cheat Engine All times are GMT - 6 Hours
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Powered by phpBB © 2001, 2005 phpBB Group

CE Wiki   IRC (#CEF)   Twitter
Third party websites