Cheat Engine - The Official Site of Cheat Engine
SuperAndromeda (Newbie cheater, Reputation: 0; Joined: 30 Jul 2022; Posts: 12)
Posted: Sun Aug 07, 2022 1:13 pm    Post subject: Reading address value with Lua
Hello!
I'm trying to write code that reads the value stored by an instruction (once it works, I'll make it write to a .txt file later). With my amateur knowledge, I tried (poorly) to create a script.
I kept the original ASM code and included lines to move the address assigned by the instruction. The ASM lines run in a function inside a Lua script that registers the acquired address as a symbol and prints it. But when I do some tests and print the address, it always shows some weird address in decimal with a value of 0, and I don't know why.
Code:
scan = AOBScan("45 89 64 05 00 49 8B 87 F0 00 00 00 49 89 87 00 01 00 00")[0]
registerSymbol("INJECT",scan)
mem = allocateMemory(0x1000)
registerSymbol("newmem",mem)
stk = allocateMemory(0x10)
registerSymbol("stock",stk)
script = [[
label(return)
newmem:
push eax
mov [r13+rax+00],r12d //original instruction, my final objective is to obtain the value that's being passed down in this line to [stock]
lea eax,[r13+rax+00]
lea [stock],eax
pop eax
jmp return
INJECT:
jmp newmem
return:
]]
autoAssemble(script)
address = getAddress("stock")
print(address) -- tried to print the address for test
ParkourPenguin (I post too much, Reputation: 138; Joined: 06 Jul 2014; Posts: 4275)
Posted: Sun Aug 07, 2022 2:09 pm
lea doesn't work that way.
Anyway, try {$luacode}. Something like this (haven't tested it):
Code:
{$lua}
if not getAddressSafe('luaclient-x86_64.dll') then
assert(injectDLL('luaclient-x86_64.dll'))
end
-- this definition should probably be in the main Lua script (if it is, assert
-- injection_log exists here)
injection_log = injection_log or {
add = function(self, address, value)
assert(self and address and value, 'invalid parameters')
address = assert(getAddressSafe(address), 'invalid address')
local vs = self[address] or {}
vs[#vs+1] = value
self[address] = vs
end,
flush = function(self)
-- write to file, clear contents
end,
}
{$asm}
[ENABLE]
aobscan(INJECT,45 89 64 05 00 49 8B 87 F0 00 00 00 49 89 87 00 01 00 00) // should be unique
alloc(newmem,$1000,INJECT)
label(return)
registersymbol(INJECT)
newmem:
{$luacode val=r12 base=r13 index=rax}
injection_log:add(base + index, val & 0xFFFFFFFF) -- r12d
{$asm}
mov [r13+rax+00],r12d
jmp return
INJECT:
jmp newmem
return:
[DISABLE]
INJECT:
db 45 89 64 05 00
unregistersymbol(INJECT)
dealloc(newmem)
{
// ORIGINAL CODE
// ---------- INJECTING HERE ----------
02C70008: 45 89 64 05 00 - mov [r13+rax+00],r12d
// ---------- DONE INJECTING ----------
02C7000D: 49 8B 87 F0 00 00 00 - mov rax,[r15+000000F0]
02C70014: 49 89 87 00 01 00 00 - mov [r15+00000100],rax
}
_________________
I don't know where I'm going, but I'll figure it out when I get there.
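A complete, file-backed version of the injection_log helper from the reply above, as an added example that is not ParkourPenguin's code: it fills in the flush stub, writes one "address,value" line per recorded store, and runs in plain Lua 5.3 outside Cheat Engine (no CE API calls; getAddressSafe is therefore replaced by an integer check, and the output path is the one used later in this thread).

```lua
-- Added example (not from the thread): stand-alone injection_log with a real
-- flush(). Inside CE the {$luacode} block would still call
-- injection_log:add(base + index, val & 0xFFFFFFFF) exactly as shown above.
injection_log = injection_log or {
  path = 'C:\\my_value.txt',   -- output file (path taken from the thread)

  -- Record one store: address -> list of values written there, in order.
  add = function(self, address, value)
    assert(self and address and value, 'invalid parameters')
    -- no CE here, so no getAddressSafe(); just require an integer address
    assert(math.type(address) == 'integer', 'address must be an integer')
    value = value & 0xFFFFFFFF          -- r12d: keep only the low 32 bits
    local vs = self[address] or {}
    vs[#vs + 1] = value
    self[address] = vs
    return #vs                          -- how many values are buffered for it
  end,

  -- Append every buffered (address, value) pair to the file as text, one pair
  -- per line, then clear the buffer. Returns the number of lines written.
  flush = function(self)
    local addrs = {}
    for k in pairs(self) do
      if math.type(k) == 'integer' then addrs[#addrs + 1] = k end
    end
    table.sort(addrs)                   -- deterministic order across flushes
    local f = assert(io.open(self.path, 'a'))  -- 'a': keep earlier dumps
    local n = 0
    for _, a in ipairs(addrs) do
      for _, v in ipairs(self[a]) do
        f:write(string.format('%016X,%d\n', a, v))   -- address,value
        n = n + 1
      end
      self[a] = nil                     -- clear this address's buffer
    end
    f:close()
    return n
  end,
}

-- Constructed sample run (addresses and values chosen for illustration only).
injection_log:add(0x2C70008, 0xFFFFFFFF12345678)  -- only 0x12345678 is kept
injection_log:add(0x2C70008, 42)
injection_log:add(0x2C70100, 7)
injection_log:flush()
```

Opening the file in append mode avoids the problem of a "w+" open inside the hook, which would truncate the file on every executed store.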
SuperAndromeda (Newbie cheater, Reputation: 0; Joined: 30 Jul 2022; Posts: 12)
Posted: Mon Aug 08, 2022 7:28 am
ParkourPenguin wrote:
lea doesn't work that way.
Anyway, try {$luacode}. Something like this (haven't tested it)
Code:
{$lua}
if not getAddressSafe('luaclient-x86_64.dll') then
assert(injectDLL('luaclient-x86_64.dll'))
end
-- this definition should probably be in the main Lua script (if it is, assert
-- injection_log exists here)
injection_log = injection_log or {
add = function(self, address, value)
assert(self and address and value, 'invalid parameters')
address = assert(getAddressSafe(address), 'invalid address')
local vs = self[address] or {}
vs[#vs+1] = value
self[address] = vs
end,
flush = function(self)
-- write to file, clear contents
end,
}
{$asm}
[ENABLE]
aobscan(INJECT,45 89 64 05 00 49 8B 87 F0 00 00 00 49 89 87 00 01 00 00) // should be unique
alloc(newmem,$1000,INJECT)
label(return)
registersymbol(INJECT)
newmem:
{$luacode val=r12 base=r13 index=rax}
injection_log:add(base + index, val & 0xFFFFFFFF) -- r12d
{$asm}
mov [r13+rax+00],r12d
jmp return
INJECT:
jmp newmem
return:
[DISABLE]
INJECT:
db 45 89 64 05 00
unregistersymbol(INJECT)
dealloc(newmem)
{
// ORIGINAL CODE
// ---------- INJECTING HERE ----------
02C70008: 45 89 64 05 00 - mov [r13+rax+00],r12d
// ---------- DONE INJECTING ----------
02C7000D: 49 8B 87 F0 00 00 00 - mov rax,[r15+000000F0]
02C70014: 49 89 87 00 01 00 00 - mov [r15+00000100],rax
}

Hi, thank you so much for your reply!
Sorry for asking, but what are those lines before [ENABLE] for? Are they related to writing to the txt file?
And by the way, since I'm working with an emulator, I can't seem to find a unique AOB because they keep changing all the time. Is there a workaround for that?
ParkourPenguin (I post too much, Reputation: 138; Joined: 06 Jul 2014; Posts: 4275)
Posted: Mon Aug 08, 2022 10:43 am
The luaclient dll stuff is for {$luacode} (I don't know if you need this, but my setup is kind of weird and I needed it).
The rest is just some convenience functions. I don't know how you want to dump the values written to disk, so you'll need to implement that yourself.
If you don't understand basic Lua, look up a tutorial.
As for a unique AOB pattern, I'm a little surprised it doesn't work for you; although I'm also surprised that whatever kind of assembler the emulator is using decided to output the addressing mode "r13+rax+00". The usual advice would be to expand the pattern, use wildcards, etc., but when faced with a misbehaving JIT compiler, that may be ineffective.
If it's not the instruction that's important but a particular address, you can set a breakpoint on that address and log its value. I made an extension a while ago, but I don't know if it works now:
https://forum.cheatengine.org/viewtopic.php?p=5701879#5701879
_________________
I don't know where I'm going, but I'll figure it out when I get there.
SuperAndromeda (Newbie cheater, Reputation: 0; Joined: 30 Jul 2022; Posts: 12)
Posted: Mon Aug 08, 2022 6:13 pm
Actually, if I shorten the array and search it manually, I find hundreds of results that all seem to have the same instruction "[r13+rax+00],r12d" (presumably the script would pick the first result of the search, right?). In my case the instruction is what I should look for, because it points to the address where the value I want is stored.
A friend of mine wrote this code for me with a more straightforward idea of reading the instruction and passing the value down to the txt file, but I'm getting an error message saying it can't be fully compiled.
Code:
[ENABLE]
aobscan(INJECT,45 89 64 05 00 49 8B 87 F0 00 00 00 49 89 87 00 01 00 00)
alloc(newmem,$1000,INJECT)
label(return)
newmem:
mov [r13+rax+00],r12d
{$luacode v=r12}
--[[
File flags:
r - Read-only mode
w - Write, if text exists in file then overwrite all with new data
a - Append to file
r+ - Read and write for an existing file
w+ - All existing data is removed if the file exists, or new file is created with read/write permissions
a+ - Append mode with read mode enabled that opens an existing file, or creates a new file
]]
-- Arguments for io.open are (filename, flag)
local f = io.open('C:\\my_value.txt', "w+")
-- Does the file exist, if so then carry on
if f ~= nil then
-- Write data to our file (f:write, not io.write, which goes to stdout)
f:write(v)
-- Finally close the handle to the file
f:close()
end
{$asm}
jmp return
INJECT:
jmp newmem
return:
registersymbol(INJECT)
[DISABLE]
INJECT:
db 45 89 64 05 00
unregistersymbol(INJECT)
dealloc(newmem)
ParkourPenguin (I post too much, Reputation: 138; Joined: 06 Jul 2014; Posts: 4275)
Posted: Mon Aug 08, 2022 6:23 pm
SuperAndromeda wrote:
(presumably the script would pick the first result of the search, right?)

Not necessarily. aobscans are multi-threaded; it's probably a race condition which gets picked first.
What is the exact error message you get? If it's something about "call CELUA_ExecuteFunctionByReference", that's what the dll stuff was for in my code.
_________________
I don't know where I'm going, but I'll figure it out when I get there.
SuperAndromeda (Newbie cheater, Reputation: 0; Joined: 30 Jul 2022; Posts: 12)
Posted: Mon Aug 08, 2022 7:53 pm
ParkourPenguin wrote:
SuperAndromeda wrote: (presumably the script would pick the first result of the search, right?)
Not necessarily. aobscans are multi-threaded; it's probably a race condition which gets picked first.
What is the exact error message you get? If it's something about "call CELUA_ExecuteFunctionByReference", that's what the dll stuff was for in my code.

Hm, as long as the scan picks any of those entries, I guess it's fine.
I tried to use your code instead and implemented the write-to-text function inside the luacode, just like in my friend's script, and I'm getting the error "unable to open file luaclient-x86_64.dll", which I checked, and it is already present in my CE folder.
EDIT:
Wait, I've just included the full path of the DLL file and now it seems to work. I'll test it now and see how it goes.
EDIT 2:
Oh, now that I closed everything and retried the script, it doesn't work anymore...
I'm getting the error "Failure to allocate memory near 28BCA6855AC", and said address is not even the one I'm trying to inject my code into.
Code:
{$lua}
if not getAddressSafe('C:\\Program Files\\Cheat Engine 7.4\\luaclient-x86_64.dll') then
assert(injectDLL('C:\\Program Files\\Cheat Engine 7.4\\luaclient-x86_64.dll'))
end
-- this definition should probably be in the main Lua script (if it is, assert
-- injection_log exists here)
injection_log = injection_log or {
add = function(self, address, value)
assert(self and address and value, 'invalid parameters')
address = assert(getAddressSafe(address), 'invalid address')
local vs = self[address] or {}
vs[#vs+1] = value
self[address] = vs
end,
flush = function(self)
-- write to file, clear contents
end,
}
{$asm}
[ENABLE]
aobscan(INJECT,45 89 64 05 00 49 8B 87 F0 00 00 00 49 89 87 00 01 00 00) // should be unique
alloc(newmem,$1000,INJECT)
label(return)
registersymbol(INJECT)
newmem:
{$luacode val=r12 base=r13 index=rax}
injection_log:add(base + index, val & 0xFFFFFFFF) -- r12d
-- Arguments for io.open are (filename, flag)
local f = io.open('C:\\my_value.txt', "w+")
-- Does the file exist, if so then carry on
if f ~= nil then
-- Write data to our file (f:write, not io.write, which goes to stdout)
f:write(val)
-- Finally close the handle to the file
f:close()
end
{$asm}
mov [r13+rax+00],r12d
jmp return
INJECT:
jmp newmem
return:
[DISABLE]
INJECT:
db 45 89 64 05 00
unregistersymbol(INJECT)
dealloc(newmem)