Cheat Engine

[descatal]

Hi, I have been trying to create an CE trainer recently, and I was fairly successful in doing so while doing it in the Lua script. However, when I exported it to EXE format, the AoBScans in the script did not work at all.

I tried to recreate the problem in the Lua script, but the function executed successfully.

To simplify the script, I made a template with two buttons and reduced the code to only include the AoBScan sections.

[code]
form_show(exvsfbtrainer)

function CloseClick()
closeCE()
return caFree
end

exvsfbtrainer.OnClose = CloseClick

function CEButton1Click(sender)
if getProcessIDFromProcessName("rpcs3.exe") ~= nil
then
openProcess("rpcs3.exe")
MessageDialog(getOpenedProcessID(), mtError, mbOK)
else
MessageDialog("RPCS3 Proccess not attached!", mtError, mbOK)
end
end


function CEButton2Click(sender)
-- destroy the array (If it exists)
if (AoB)
then
AoB.Destroy()
AoB = nil
end
AoB = AoBScan(40 06 ?? ?? 00 00 00 01 00 00 00 01 ?? ?? 00 00 00 00 00 ?? 4F FF ?? ??)

if (AoB.getCount() > 0)
then
MessageDialog("Found Something :"..AoB.getCount(), mtError, mbOK)
else
MessageDialog("Found Nothing ", mtError, mbOK)
end
end
[/code]

The script just refuses to run the AoBScan function at all, which is very weird. Can anyone help? Thanks.

[noobes]

You could try to make it .cetrainer

[descatal]

[quote="noobesgt"]You could try to make it .cetrainer[/quote]

Thank you for the suggestion, but unfortunately after trying it a few times, I got the same result as I did with EXE.

I did some debugging last night, and I can summarize my findings below:

The process was opened correctly in the EXE, as I was able to use the readByte function.

The AoB scans did take place (noted by the lagging of the trainer when I clicked the button), but weirdly enough it never return any value (it did when I do it within CE lua script).

I tried to use lua engine on both version (EXE and lua script within CE), what I found is that the lua engine from the EXE version refuse to return any AOBScan results, while the lua engine within CE returns the intended results.

I am quite baffled by this as my trainer make heavy use of the function.

Did I do something wrong in the execution?

Any help is appreciated. Thank you for your time.

[Kamd]

Is the process 64 bit or 32 bit?
You have to make sure you compile/generate the CE Trainer with the correct process architecture, otherwise nothing will work properly.

That was my mistake anyhow, after selecting the correct (64 bit) one it worked flawlessly.

[descatal]

The game that I am trying to hack is RPCS3, a PS3 emulator, and it is run on 64 bit.

I attached my configuration for the trainer generator down below.

Just for curiosity's sake, I tried every option in the trainer generator (even 32-bit), and still no luck.

Thanks for the suggestion tho.

[ParkourPenguin]

Are you using any kernel tools?

What type of region is that data located in?
(go to memory viewer -> view -> memory regions, find which region the address is in, and post that information here)

[descatal]

Forgive me that I don't know what is Kernel Tools, and if I had used it in my trainer or not. Is there any place that I can read up on that? Google is not helpful in this case.
Nevertheless, I tried enabling the Kernel Tools option on the trainer generator, still no luck.

As for the memory region, the memory address I am trying to find is located in the 341XX0000 region, with XX changes for different stages. For example the AoBScan that I use for my dummy test stage will return 341DF0014 & 341E40014 as a result.

I have attached the memory region screenshot below. The address that I am trying to find is between the two highlighted regions.

I am not sure if this is what you want for the memory region information, so if I am wrong just tell me and I will try to provide anything you need.

Thank you for your time.

[ParkourPenguin]

Kernel tools like query memory region, read/write memory, and open process (see settings menu).
There's nothing abnormal about that memory region (e.g. it's not mapped).

I just noticed this, but why are you restricting the scan begin / end address so much? That's in dynamically allocated memory, so you can expect it to change when the game is restarted.

Some past versions of CE don't like nil being passed into memscan arguments. If the argument isn't relevant, pass 0, false, or the empty string:

[descatal]

Thank you for the reply.
The reason I restrict the begin / end address is to minimize the AoBScan time. Since I tied the AoB scanning to an event handler (timer) that checks if the stage has been changed, scanning for full addresses (game + emulator) will cause mild lags in games, which is not desirable. However, even when I tried to use the usual AOBScan function (which does not restrict the start and end address), it still yields no result (only in EXE).

Also quick edit: The address will not change after restarts, which I found out by recreating the same conditions in game (same units & map), and every time the address for the array will always be the same. It will only offsets when the map is changed, or the player use different units.

As for the timing of the scanning, the array that I am trying to find is only generated once the player starts a match, and it does not exist in menus.
However, I don't think that's the problem, as I only search for the array when I am in a match.

I will try to play around with the first scan settings. Thanks.

The one thing that troubles me is that why can I use the aob function perfectly when it is still in lua script (i.e. before saving it as EXE), and after I exported the lua script to EXE format it just refuse to scan anything.

[ParkourPenguin]

Is there more than one process with the same name?

Did you give the trainer exe the same name as the game? (don't do that)

[descatal]

No, I did not name the trainer same name as the game.

Rpcs3 (PS3 emulator) has a launcher for launching PS3 games.
However I don't think it counts as a separate proccess, it is still the emulator after all.

Edit: I should word this better. The game actually opens up another window, which has the same ID for both the launcher and the game window, and that is the reason I think that it is the same process. So correct me if I am wrong. Also, selecting either option will open the same Rpcs3.exe process in CE. I have attached the screenshot from my process list below.

Using openProcess("Rpcs3.exe") works for attaching the emulator process with Cheat Engine in Lua Script, and the PID returned from both the lua script and EXE are the same.

At first I am skeptical about the process attachment as well, so I tried to use readBytes on one of the memory addres to see if the process is opened correctly in the EXE version. Surprisingly, the EXE version was able to return the correct value from the readByte function, which shows that attaching the process to the trainer was not the problem.

[ParkourPenguin]

Assuming you're actually running the exact same code (i.e. not attaching manually from the table) and you're testing both on a fresh instance of the game, I don't know what the problem is. Can you read the bytes at that address from a generated exe?

p.s. the code in your first post has a syntax error: the AOB signature should have quotes around it.

[descatal]

As I cannot double post, I will just paste this here.

I might have tracked down the problem.

I would like to apologize to ParkourPenguin as I provided the wrong screenshot for the memory region. The address in the screenshot has one less digit than what I am trying to find, and the actual address region is indeed mapped, as you suspected.

So the problem is actually because of the memory region being mapped, and the EXE does not scan mapped address by default. So I found a way to enable the settings through lua script, but it only causes another problem: The EXE and CETRAINER still failed to scan the mapped region of despite the mem_mapped setting is enabled.

I have attached an image below to showcase the three different scenarios that I experimented with. In lua script, when I disabled the mem_mapped setting, the AoBScan refused to scan the mapped region, and I get the same results on both EXE and CETRAINER (only found 2 results). However, when I enabled the setting, only lua script actually enabled the settings and scanned the mapped region (found 88 results) while the other two does not (only found 2 results), despite showing me that the setting is enabled.

So am I doing something wrong in enabling the settings?


My original comment:
Yeah I know about the syntax error, I just posted the wrong thing. The AoBScans that I tried on has the correct syntax.

And yes I am able to read the bytes using readBytes from a generated exe.


[color=orange]Edit: Out of curiosity, I did an experiment with another process to see if the problem with AoBScan is limited to RPCS3 only.
I chose Discord as my process, found an array which is not changing, tried array of byte scan in the "traditional" and Lua script way, and CE is successful in finding the result. However, when I tried to export it to EXE, same thing happened, so I can conclude that the problem does not originate from the emulator.

I know this is a bit much, but is it possible for you to try and recreate the scenario on your side to see if it is a CE issue? Or perhaps I just did something wrong in the process? Thank you for your time.[/color]

[ParkourPenguin]

Works fine for me.

[descatal]

I tried your code just now, and it seems that the CETRAINER works this time, but not for EXE for some reason. Well I guess I will have to use CETRAINER for the time being and move on to other problems. If you happen to know anything about why the EXE is not working please let me know.

Nevertheless, thank you very much for your help for pointing me in the right direction. I will mark this as solved.

p.s. I found out that protecting the CETRAINER from editing will cause the settings to not work.