Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
 
 FAQFAQ   SearchSearch   MemberlistMemberlist   UsergroupsUsergroups   RegisterRegister 
 ProfileProfile   Log in to check your private messagesLog in to check your private messages   Log inLog in 


Finding address of a certain push in LUA

 
Post new topic   Reply to topic    Cheat Engine Forum Index -> Cheat Engine Lua Scripting
View previous topic :: View next topic  
Author Message
Exoodus
How do I cheat?
Reputation: 0

Joined: 11 Jun 2018
Posts: 4

PostPosted: Mon Jun 11, 2018 9:32 pm    Post subject: Finding address of a certain push in LUA Reply with quote

Hey what I want to do is find the address of a push command that pushes the address of a string to the stack. I want to do this in LUA. I used AOBScan to find all instances of the push opcode but now what? I'm very new to this guys. Can someone provide me with some sample code if this is possible? Surprised

Code:

function findPush()
    local push = AOBScan("68")
         if(push == nil) then
             print("Push is Nil")
         end
         push.destroy()
end


And I know part of the string. The command I want to find looks is this:

push Game.00401000

Game.00401000 is the address of the string that I have part of.

Even though I already know the address of this push through x32dbg, I would like to do it this way because I am following a book.
Back to top
View user's profile Send private message
FreeER
Grandmaster Cheater Supreme
Reputation: 53

Joined: 09 Aug 2013
Posts: 1091

PostPosted: Tue Jun 12, 2018 8:15 am    Post subject: Reply with quote

is 00401000 the address that's being pushed? if so then simply search for that reversed after the 68, eg AOBScan("68 00 01 40 00") because that's how a push instruction is encoded, 68 + address (backwards by byte because little endian).

If you don't have the address of the string then I guess the only thing you could do would be read the 4 bytes after the push and then try to read that address as a string and see if that matches the string you wanted... but at that point you might as well just scan for the bytes of the string you wanted in the first place (there's going to be a _lot_ of pushes in a x86 program)

Or better, use CE's Dissect Code / Referenced Strings feature to analyze all the pushes for you and then just loop over those eg.

Code:

local dc = getDissectCode()
-- note references can be duplicated if you rescan the same memory
-- dc.clear() removes all references

dc.dissect('Game') -- module name or base,size to dissect

for k,v in pairs(dc.getReferencedStrings()) do
  v = readString(k) -- workaround for bug causing empty strings to be returned
  if v == 'whatever string you're looking for' then
    local addressesThatUseString = getReferences(v)
    -- k = address, v = type vtDword etc.
    break -- don't keep looking through the references
  end
end


edit: though that probably covers more than just push like mov and lea now that I think about it.

_________________
https://github.com/FreeER/ has a few CE related repos
Back to top
View user's profile Send private message
Exoodus
How do I cheat?
Reputation: 0

Joined: 11 Jun 2018
Posts: 4

PostPosted: Tue Jun 12, 2018 11:55 am    Post subject: Reply with quote

Thx alot. I tried the dissect code route and it's saying

"attempt to call a nil value (global 'getReferences')"

I'm new to LUA so what exactly does this mean? Surprised

-edit- it's now saying failure to determine what my string means. Here is my code...

Code:

  local dc = getDissectCode()
  -- note references can be duplicated if you rescan the same memory
  -- dc.clear() removes all references

  dc.dissect("Chapter5_AdvancedMemoryForensics_Scanning.exe") -- module name or base,size to dissect

  for k,v in pairs(dc.getReferencedStrings()) do
    v = readString(k) -- workaround for bug causing empty strings to be returned
    if (v == "Health: %d of %d\n") then
      local addressesThatUseString = dc.getReferences(v)
      -- k = address, v = type vtDword etc.
      print(addressesThatUseString)
      --break -- don't keep looking through the references
    end
  end


-edit- ok i escaped the backslash in the string now it gives no output. I know the string exists though...i can find it scanning with CE.
Back to top
View user's profile Send private message
FreeER
Grandmaster Cheater Supreme
Reputation: 53

Joined: 09 Aug 2013
Posts: 1091

PostPosted: Tue Jun 12, 2018 12:56 pm    Post subject: Reply with quote

my bad, as you discovered, that should be dc.getReferences()... I actually tested it but then manually typed it instead of copy-pasting the code Rolling Eyes

Hm... perhaps print all the strings with just print(v) outside the if statement to see if you can find it listed? It's also possible that it's being accessed indirectly in a way that the dissect isn't detecting so it's not in the references.

_________________
https://github.com/FreeER/ has a few CE related repos
Back to top
View user's profile Send private message
Exoodus
How do I cheat?
Reputation: 0

Joined: 11 Jun 2018
Posts: 4

PostPosted: Tue Jun 12, 2018 6:48 pm    Post subject: Reply with quote

If I print v it's in there but

if (v == "Health: %d of %d")

is failing. Surprised

Code:
  local dc = getDissectCode()
  -- note references can be duplicated if you rescan the same memory
  -- dc.clear() removes all references

  dc.dissect("Chapter5_AdvancedMemoryForensics_Scanning.exe") -- module name or base,size to dissect

  for k,v in pairs(dc.getReferencedStrings()) do
    v = readString(k) -- workaround for bug causing empty strings to be returned
    if (v == "Health: %d of %d") then
    print(v) else
     print("didn't find string")
    end
  end


It shows a newline char in x32dbg so I tried with and without that.
Back to top
View user's profile Send private message
FreeER
Grandmaster Cheater Supreme
Reputation: 53

Joined: 09 Aug 2013
Posts: 1091

PostPosted: Tue Jun 12, 2018 9:52 pm    Post subject: Reply with quote

does it perhaps start with a space or anything like that? Maybe try if v.find('Health: ') then
_________________
https://github.com/FreeER/ has a few CE related repos
Back to top
View user's profile Send private message
Exoodus
How do I cheat?
Reputation: 0

Joined: 11 Jun 2018
Posts: 4

PostPosted: Tue Jun 12, 2018 11:48 pm    Post subject: Reply with quote

lol weird...exact same code that was failing now its working. Shocked

But the k value is giving me the address of the string. This book says that I should be able to get the address that pushes the string to the stack with LUA. The k value is giving me 405120. The push is 4010F0 and it looks like

push 405120 //pushing the address of the string, this is what I want to find automatically

Is this possible or how do I do this? The purpose of it (the book says) is to get values that are close to the push (the health and the currenthealth) automatically if the game ever updated or something. Or should I even worry about this because I'm thinking there are other ways to automatically find these two values...like find the green base pointers in a scan. Like I said I'm new to all this. Cool

Thx again for your help man. Shocked
Back to top
View user's profile Send private message
FreeER
Grandmaster Cheater Supreme
Reputation: 53

Joined: 09 Aug 2013
Posts: 1091

PostPosted: Wed Jun 13, 2018 9:50 am    Post subject: Reply with quote

Yeah the index, k, is the address of the string itself dc.getReferences(k) will return a table of addresses that use the string's address.

Quote:
Or should I even worry about this because I'm thinking there are other ways to automatically find these two values
yeah there definitely are lol static addresses, pointers (static addresses that store dynamic addresses to what you want, perhaps at an offset), assembly scripts to copy the dynamic addresses into your own allocated memory (creating your own pointer), and just plain AA scripts that change the code to do (or not do) what you want so you don't even need the addresses.

Certainly finding a related string and where it's used it can be helpful to track down a value/address initially which is why CE does have the find referenced strings feature in the first place, but I don't think I've seen anyone suggest relying on that if the game updated since you then have to read code that could have changed from what you expected... makes more sense to use an AOB + readmem imo, and for a one time use it makes more sense to use the existing GUI rather than write lua code (except perhaps as an exercise in using lua).

_________________
https://github.com/FreeER/ has a few CE related repos
Back to top
View user's profile Send private message
jgoemat
Master Cheater
Reputation: 22

Joined: 25 Sep 2011
Posts: 252

PostPosted: Wed Jun 13, 2018 4:17 pm    Post subject: Reply with quote

I did something similar for Heat Signature. Check out the table script:
https://fearlessrevolution.com/threads/heat-signature.4956/#post-49211

It uses Game Maker Studio and all the script names were there. I did an aobscan for the script name to find it, then did an aobscan for that address in the code, then did an aobscan for the code signature where I wanted to inject and injected at the closest match to where the string pointer was in the game code...

Another thing I've done for static pointers that show up in code is to use an AOBScan for surrounding code, then assign a symbol to the static address in the game code. In an old version of FTL for instance I found this code:

Code:
"FTLGame.exe"+EB63B: A1 80846D00       - mov eax,[FTLGame.exe+2D8480]
"FTLGame.exe"+EB640: 2B 05 7C846D00    - sub eax,[FTLGame.exe+2D847C]           // static pointing directly to used energy (max at this + 4)
// ---------- INJECTING HERE ----------
"FTLGame.exe"+EB646: C1 F8 05          - sar eax,05
"FTLGame.exe"+EB649: 39 44 24 40       - cmp [esp+40],eax
// ---------- DONE INJECTING  ----------
"FTLGame.exe"+EB64D: 7C 48             - jnge FTLGame.exe+EB697


The bytes for the instructions after the mov from the static address were unique and might survive game updates when the static would change, so I had a script like this:

Code:

LABEL(STATIC_ENERGY)

AOBSCAN(AOB_ENERGY,C1 F8 05 39 44 24 40)
AOB_ENERGY-4:
STATIC_ENERGY:

REGISTERSYMBOL(STATIC_ENERGY)


So AOB_ENERGY points to "FTLGame.exe"+EB646 and I assigned STATIC_ENERGY to 4 bytes earlier, which is the static pointer I was looking for.
Back to top
View user's profile Send private message
Display posts from previous:   
Post new topic   Reply to topic    Cheat Engine Forum Index -> Cheat Engine Lua Scripting All times are GMT - 6 Hours
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Powered by phpBB © 2001, 2005 phpBB Group

CE Wiki   IRC (#CEF)   Twitter
Third party websites