Reading address value with Lua

SuperAndromeda
Newbie cheater
Reputation: 0

Joined: 30 Jul 2022
Posts: 12

PostPosted: Sun Aug 07, 2022 1:13 pm    Post subject: Reading address value with Lua

Hello!

I'm trying to write some code that reads the value stored by an instruction (so once it works I'll make it write to a .txt later). With my amateur knowledge, I tried (poorly) to create a script.

I kept the original ASM code and included lines to move the address assigned by the instruction. The ASM lines run inside a Lua script that registers the acquired address as a symbol and prints it. But when I run some tests and print the address, it always shows some weird address in decimal with a 0 value, and I don't know why.

Code:

scan = AOBScan("45 89 64 05 00 49 8B 87 F0 00 00 00 49 89 87 00 01 00 00")[0]
registerSymbol("INJECT",scan)

mem = allocateMemory(0x1000)
registerSymbol("newmem",mem)
stk = allocateMemory(0x10)
registerSymbol("stock",stk)

script = [[
  label(return)

  newmem:
    push rax               // 64-bit target: push/pop take the full register
    mov [r13+rax+00],r12d  //original instruction, my final objective is to obtain the value that's being passed down in this line to [stock]
    lea eax,[r13+rax+00]
    lea [stock],eax
    pop rax
    jmp return

  INJECT:
    jmp newmem
  return:
]]

autoAssemble(script)
address = getAddress("stock")
print(address)  -- tried to print the address for test
ParkourPenguin
I post too much
Reputation: 138

Joined: 06 Jul 2014
Posts: 4275

PostPosted: Sun Aug 07, 2022 2:09 pm

SuperAndromeda wrote:
Code:
lea [stock],eax
lea doesn't work that way.

Anyway, try {$luacode}. Something like this (haven't tested it)
Code:
{$lua}
if not getAddressSafe('luaclient-x86_64.dll') then
  assert(injectDLL('luaclient-x86_64.dll'))
end

-- this definition should probably be in the main Lua script (if it is, assert
-- injection_log exists here)
injection_log = injection_log or {
  add = function(self, address, value)
    assert(self and address and value, 'invalid parameters')
    address = assert(getAddressSafe(address), 'invalid address')

    local vs = self[address] or {}
    vs[#vs+1] = value
    self[address] = vs
  end,

  flush = function(self)
    -- write to file, clear contents
  end,
}
{$asm}

[ENABLE]

aobscan(INJECT,45 89 64 05 00 49 8B 87 F0 00 00 00 49 89 87 00 01 00 00) // should be unique
alloc(newmem,$1000,INJECT)

label(return)
registersymbol(INJECT)

newmem:
{$luacode val=r12 base=r13 index=rax}
  injection_log:add(base + index, val & 0xFFFFFFFF)  -- r12d
{$asm}
  mov [r13+rax+00],r12d
  jmp return

INJECT:
  jmp newmem
return:

[DISABLE]

INJECT:
  db 45 89 64 05 00

unregistersymbol(INJECT)
dealloc(newmem)

{
// ORIGINAL CODE

// ---------- INJECTING HERE ----------
02C70008: 45 89 64 05 00        - mov [r13+rax+00],r12d
// ---------- DONE INJECTING  ----------
02C7000D: 49 8B 87 F0 00 00 00  - mov rax,[r15+000000F0]
02C70014: 49 89 87 00 01 00 00  - mov [r15+00000100],rax
}

_________________
I don't know where I'm going, but I'll figure it out when I get there.
SuperAndromeda
Newbie cheater
Reputation: 0

Joined: 30 Jul 2022
Posts: 12

PostPosted: Mon Aug 08, 2022 7:28 am

Hi, thank you so much for your reply!

Sorry for asking, but what are those lines before [enable] for? Are they related to writing to the txt file?

And by the way, since I'm working with an emulator I can't seem to find a unique AOB because they keep changing all the time. Is there a workaround for that?
ParkourPenguin
I post too much
Reputation: 138

Joined: 06 Jul 2014
Posts: 4275

PostPosted: Mon Aug 08, 2022 10:43 am

The luaclient dll stuff is for {$luacode} (I don't know if you need this, but my setup is kind of weird and I needed it)

The rest is just some convenience functions. I don't know how you want to dump the values written to disk, so you'll need to implement that yourself.
If you don't understand basic Lua, look up a tutorial.

As for a unique AOB pattern, I'm a little surprised it doesn't work for you; although, I'm also surprised whatever kind of assembler the emulator is using decided to output the addressing mode "r13+rax+00". Usual advice would be to expand the pattern, use wildcards, etc., but when faced with a misbehaving JIT compiler, that may be ineffective.

If it's not the instruction that's important but a particular address, you can set a breakpoint on that address and log its value. I made an extension a while ago, but I don't know if it works now:
https://forum.cheatengine.org/viewtopic.php?p=5701879#5701879

_________________
I don't know where I'm going, but I'll figure it out when I get there.
SuperAndromeda
Newbie cheater
Reputation: 0

Joined: 30 Jul 2022
Posts: 12

PostPosted: Mon Aug 08, 2022 6:13 pm

Actually, if I shorten the array and search it manually I find hundreds of results that all seem to have the same instruction "[r13+rax+00], r12d" (presumably the script would pick the first result of the search, right?). In my case the instruction is what I should look for, because it points to the address where the value I want is stored.

A friend of mine wrote this code for me with a more straightforward idea of reading instruction and passing down the value to txt, but I'm getting an error message saying it can't be fully compiled.

Code:

[ENABLE]
aobscan(INJECT,45 89 64 05 00 49 8B 87 F0 00 00 00 49 89 87 00 01 00 00)
alloc(newmem,$1000,INJECT)

label(return)

newmem:
  mov [r13+rax+00],r12d
{$luacode v=r12}
  --[[
  File flags:
  r  - Read-only mode
  w  - Write, if text exists in file then overwrite all with new data
  a  - Append to file
  r+ - Read and write for an existing file
  w+ - All existing data is removed if the file exists, or new file is created with read/write permissions
  a+ - Append mode with read mode enabled that opens an existing file, or creates a new file
  ]]

  -- Arguments for io.open are (filename, flag)
  local f = io.open('C:\\my_value.txt', "w+")
  -- Does the file exist, if so then carry on
  if f ~= nil then
    -- Write data to our file
    f:write(v)  -- write to the file handle; io.write would go to stdout
    -- Finally close the handle to the file
    f:close()
  end
{$asm}
  jmp return

INJECT:
  jmp newmem
return:
registersymbol(INJECT)

[DISABLE]

INJECT:
  db 45 89 64 05 00

unregistersymbol(INJECT)
dealloc(newmem)
ParkourPenguin
I post too much
Reputation: 138

Joined: 06 Jul 2014
Posts: 4275

PostPosted: Mon Aug 08, 2022 6:23 pm

SuperAndromeda wrote:
(presumably the script would pick the first result of the search, right?)
Not necessarily. aobscans are multi-threaded; it's probably a race condition which one gets picked first.

What is the exact error message you get? If it's something about "call CELUA_ExecuteFunctionByReference", that's what the dll stuff was for in my code.

_________________
I don't know where I'm going, but I'll figure it out when I get there.
SuperAndromeda
Newbie cheater
Reputation: 0

Joined: 30 Jul 2022
Posts: 12

PostPosted: Mon Aug 08, 2022 7:53 pm


Hm, as long as the scan picks any of those entries I guess it's fine.

I tried to use your code instead and implemented the write to text function inside the luacode just like in my friend's script and I'm getting the error "unable to open file luaclient-x86_64.dll", which I checked and it's already present inside my CE's folder.


EDIT:

Wait, I've just included the full path of the DLL file and now it seems it works. I'll test it now and see how it goes.

EDIT 2:

Oh, now that I closed everything and retried the script it doesn't work anymore...

I'm getting the error "Failure to allocate memory near 28BCA6855AC", and said address is not even the one I'm trying to inject my code in.

Code:
{$lua}
if not getAddressSafe('C:\\Program Files\\Cheat Engine 7.4\\luaclient-x86_64.dll') then
  assert(injectDLL('C:\\Program Files\\Cheat Engine 7.4\\luaclient-x86_64.dll'))
end

-- this definition should probably be in the main Lua script (if it is, assert
-- injection_log exists here)
injection_log = injection_log or {
  add = function(self, address, value)
    assert(self and address and value, 'invalid parameters')
    address = assert(getAddressSafe(address), 'invalid address')

    local vs = self[address] or {}
    vs[#vs+1] = value
    self[address] = vs
  end,

  flush = function(self)
    -- write to file, clear contents
  end,
}
{$asm}

[ENABLE]

aobscan(INJECT,45 89 64 05 00 49 8B 87 F0 00 00 00 49 89 87 00 01 00 00) // should be unique
alloc(newmem,$1000,INJECT)

label(return)
registersymbol(INJECT)

newmem:
{$luacode val=r12 base=r13 index=rax}
  injection_log:add(base + index, val & 0xFFFFFFFF)  -- r12d
  -- Arguments for io.open are (filename, flag)
  local f = io.open('C:\\my_value.txt', "w+")
  -- Does the file exist, if so then carry on
  if f ~= nil then
    -- Write data to our file
    f:write(val)  -- write to the file handle; io.write would go to stdout
    -- Finally close the handle to the file
    f:close()
  end
{$asm}
  mov [r13+rax+00],r12d
  jmp return

INJECT:
  jmp newmem
return:

[DISABLE]

INJECT:
  db 45 89 64 05 00

unregistersymbol(INJECT)
dealloc(newmem)
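The flush body ParkourPenguin left for the reader, and the file writing attempted in the last script above, done as an added example (not code from any post in this thread): it assumes Cheat Engine's Lua environment (getAddressSafe, createTimer) and uses a constructed log path.

```lua
-- Added example, not code from any post in this thread. Assumes Cheat Engine's
-- Lua environment (getAddressSafe, createTimer) and a constructed log path.
LOG_PATH = [[C:\my_value.txt]]   -- constructed placeholder; change as needed

injection_log = injection_log or {
  -- Called from {$luacode} on the game's thread: keep it cheap, no file I/O here.
  add = function(self, address, value)
    assert(self and address and value, 'invalid parameters')
    address = assert(getAddressSafe(address), 'invalid address')
    local vs = self[address] or {}
    vs[#vs+1] = value
    self[address] = vs
  end,

  -- Append every recorded (address, value) pair to the file, then clear them.
  -- Returns the number of lines written, or nil plus an error message.
  flush = function(self)
    -- 'a' appends; the 'w+' used in the thread would wipe earlier values each call.
    local f, err = io.open(LOG_PATH, 'a')
    if not f then return nil, err end
    local n = 0
    for address, vs in pairs(self) do
      if type(address) == 'number' then   -- skip the add/flush functions themselves
        for _, v in ipairs(vs) do
          -- f:write goes to the file; io.write would go to stdout, not the file.
          f:write(string.format('%X,%d\n', address, v))
          n = n + 1
        end
        self[address] = nil               -- clearing existing keys during pairs() is allowed
      end
    end
    f:close()
    return n
  end,
}

-- Flush once a second from CE's own thread instead of inside the injected code.
injection_log_timer = injection_log_timer or createTimer(nil, true)
injection_log_timer.Interval = 1000
injection_log_timer.OnTimer = function() injection_log:flush() end
```

The {$luacode} block in the script keeps calling injection_log:add exactly as in ParkourPenguin's version; only the timer touches the file.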