Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
 
 FAQFAQ   SearchSearch   MemberlistMemberlist   UsergroupsUsergroups   RegisterRegister 
 ProfileProfile   Log in to check your private messagesLog in to check your private messages   Log inLog in 


Is there any way to restrict AoB scan into a certain range?

 
Post new topic   Reply to topic    Cheat Engine Forum Index -> Cheat Engine
View previous topic :: View next topic  
Author Message
ionut_baluca
Newbie cheater
Reputation: 0

Joined: 08 Jan 2016
Posts: 23
PostPosted: Sat Jan 31, 2026 9:57 am    Post subject: Is there any way to restrict AoB scan into a certain range? Reply with quote
Hey guys I'm having troubles with a script here.
Code:

[ENABLE]
aobscan(full_block, E9 ?? ?? ?? ?? 44 8B 52 FF 41 81 FA 15 05 00 00 0F 85 ?? ?? ?? ?? C5 FB 10 4A 03 C5 FB 58 C1 C5 FB 11 40 03 C5 F9 57 C0 E9)
aobscan(health_write, C5 FB 58 C1 C5 FB 11 40 03 C5 F9 57 C0)

alloc(newmem, $500, health_write)
label(return)
label(originalcode)
label(is_player)
label(is_enemy)
label(godhpval)
label(zerohpval)

newmem:
  test bl, 08
  jnz is_player

  test bl, 04
  jnz is_enemy

  jmp originalcode

is_player:
  movsd xmm0, [godhpval]
  jmp originalcode

is_enemy:
  movsd xmm0, [zerohpval]


originalcode:
  db C5 FB 11 40 03
  jmp return

align 10
godhpval:
  dq (double)250000000.0
zerohpval:
  dq (double)0.0

health_write:
  jmp newmem
return:

registersymbol(health_write)

[DISABLE]
health_write:
  db C5 FB 11 40 03

unregistersymbol(health_write)
dealloc(newmem)


Fact is that when the script scan for the shorter second AoB it may give 2 results and inject in the wrong place. Is there any way to limit the range of the second aobscan near the first one since first one always gives only 1 result?
Back to top
View user's profile Send private message
ParkourPenguin
I post too much
Reputation: 153

Joined: 06 Jul 2014
Posts: 4731
PostPosted: Sat Jan 31, 2026 1:35 pm    Post subject: Reply with quote
If you use the aobscan template, CE won't generate an aobscan pattern that's not unique. Maybe code was JIT-compiled afterwards that made it not unique- find the correct injection point, regenerate the aobscan template again, and merge the changes.

In this specific case, the second pattern is contained in the first. Replace the second aobscan with `define(health_write,full_block+1B)` and it'll work as expected.


In general, there's the `aobscanregion` AA command, but I don't think you can use other symbols in the range.
Use Lua to scan for both AoBs, and use the result of the first scan for the range of the second.
If you need the result of both AOB scans, then multiple lines would need to be returned in a single {$lua} block. I think that's fine, but I don't know what line separators CE expects to have (LF or CRLF). I think using a stringlist as an intermediary might be best.
Code:
[ENABLE]
{$lua}
local sl = createStringlist()

if syntaxcheck then
  sl.add'define(full_block,0)'
  sl.add'define(health_write,0)'

  local text = sl.Text
  sl.destroy()
  return text
end

local full_block = AOBScanUnique("E9 ?? ?? ?? ?? 44 8B 52 FF 41 81 FA 15 05 00 00 0F 85 ?? ?? ?? ?? C5 FB 10 4A 03 C5 FB 58 C1 C5 FB 11 40 03 C5 F9 57 C0 E9")
if not full_block or full_block == 0 then
  return nil, 'full_block aob pattern failed'
end

local ms = createMemScan()
ms.OnlyOneResult = true
ms.firstScan(soExactValue, vtByteArray, rtRounded, 'C5 FB 58 C1 C5 FB 11 40 03 C5 F9 57 C0', '', full_block-0x1000, full_block+0x1000, '*X*C*W', fsmNotAligned, '', true, true, false, false)
ms.waitTillDone()

local health_write = ms.Result
ms.destroy()

if not health_write or health_write == 0 then
  return nil, 'health_write aob failed'
end

sl.add(('define(full_block,%08X)'):format(full_block))
sl.add(('define(health_write,%08X)'):format(health_write))

local text = sl.Text
sl.destroy()
return text
{$asm}

...

_________________
I don't know where I'm going, but I'll figure it out when I get there.
Back to top
View user's profile Send private message
ionut_baluca
Newbie cheater
Reputation: 0

Joined: 08 Jan 2016
Posts: 23
PostPosted: Sat Jan 31, 2026 1:44 pm    Post subject: Reply with quote
ParkourPenguin wrote:
If you use the aobscan template, CE won't generate an aobscan pattern that's not unique. Maybe code was JIT-compiled afterwards that made it not unique- find the correct injection point, regenerate the aobscan template again, and merge the changes.

In this specific case, the second pattern is contained in the first. Replace the second aobscan with `define(health_write,full_block+1B)` and it'll work as expected.


In general, there's the `aobscanregion` AA command, but I don't think you can use other symbols in the range.
Use Lua to scan for both AoBs, and use the result of the first scan for the range of the second.
If you need the result of both AOB scans, then multiple lines would need to be returned in a single {$lua} block. I think that's fine, but I don't know what line separators CE expects to have (LF or CRLF). I think using a stringlist as an intermediary might be best.
Code:
[ENABLE]
{$lua}
local sl = createStringlist()

if syntaxcheck then
  sl.add'define(full_block,0)'
  sl.add'define(health_write,0)'

  local text = sl.Text
  sl.destroy()
  return text
end

local full_block = AOBScanUnique("E9 ?? ?? ?? ?? 44 8B 52 FF 41 81 FA 15 05 00 00 0F 85 ?? ?? ?? ?? C5 FB 10 4A 03 C5 FB 58 C1 C5 FB 11 40 03 C5 F9 57 C0 E9")
if not full_block or full_block == 0 then
  return nil, 'full_block aob pattern failed'
end

local ms = createMemScan()
ms.OnlyOneResult = true
ms.firstScan(soExactValue, vtByteArray, rtRounded, 'C5 FB 58 C1 C5 FB 11 40 03 C5 F9 57 C0', '', full_block-0x1000, full_block+0x1000, '*X*C*W', fsmNotAligned, '', true, true, false, false)
ms.waitTillDone()

local health_write = ms.Result
ms.destroy()

if not health_write or health_write == 0 then
  return nil, 'health_write aob failed'
end

sl.add(('define(full_block,%08X)'):format(full_block))
sl.add(('define(health_write,%08X)'):format(health_write))

local text = sl.Text
sl.destroy()
return text
{$asm}

...


Since the game is JIT compiled I did not use the template for a fixed injection point because many stuff would change on every battle changing addresses for example. Not only that but this function is not generated on game start, it's generated once you start a battle and take/give damage. Anyway once it's generated the long AoB scan finds it and the script start injects on the health_write AoB. Anyway with "define(health_write,full_block+1B)" you gave me an idea, what if i set it like on offset on the script and only use the first aob scan to take me to the location? For example:

Code:
health_write+1F:
  jmp newmem
  return:


But when I put this at beginning of the script CE doesn't let me compile it.
Back to top
View user's profile Send private message
Csimbi
I post too much
Reputation: 98

Joined: 14 Jul 2007
Posts: 3353
PostPosted: Mon Feb 02, 2026 1:14 pm    Post subject: Reply with quote
Code:
aobscanregion(aobMyAOB,0x12345678,0x87654321,41 FF D3 4C 8B C0 44 03 45 ?? 49 8B CE 48 8B D7)

This has a start and an end address.

https://wiki.cheatengine.org/index.php?title=Auto_Assembler:aobScanRegion
Back to top
View user's profile Send private message
Display posts from previous:   
Post new topic   Reply to topic    Cheat Engine Forum Index -> Cheat Engine All times are GMT - 6 Hours
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Powered by phpBB © 2001, 2005 phpBB Group

CE Wiki   IRC (#CEF)   Twitter
Third party websites