Dark Byte Site Admin
Posted: Wed Mar 18, 2020 3:11 pm Post subject: Find class instances |
This script finds live instances of a C++ class by following the MSVC (Visual Studio) RTTI data in the main module: type descriptor (the ".?AV..." name) → complete object locator → vtable → every memory word holding that vtable address. Treat the output as a candidate list: anything that happens to contain the vtable value is reported, and only objects whose first pointer is the selected class's own vtable are found (derived classes have their own vtable).
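-- Find live instances of a C++ class by walking the MSVC RTTI data of the main
-- module:  type descriptor (".?AV..." name) -> complete object locator (COL)
-- -> vtable -> every memory word that equals the vtable address.
-- Every step is a raw memory scan, so the output is a candidate list, not a
-- proof: stack slots, stale heap and copies inside other vtables that happen
-- to hold the value are reported as "instances" too, and only objects whose
-- first pointer is the selected class's primary vtable are found (derived
-- classes have their own vtable; base subobjects at non-zero offsets are missed).
--
-- All state is local so re-running the script does not leave scan handles or
-- stale result tables in the global environment.

local processBase = getAddress(process)
local processEnd = processBase + getModuleSize(process)

-- Pointer width fixes the RTTI layout.  NOTE(review): the original used the
-- 64-bit constants (name at descriptor+0x10, COL signature 1) unconditionally,
-- so on a 32-bit target its signature check rejected every locator; the 32-bit
-- values used here (+8, signature 0) follow the MSVC layout but were not
-- exercised on this page - confirm on a 32-bit target before trusting them.
local is64 = targetIs64Bit()
local pointersize = is64 and 8 or 4
local scantype = is64 and vtQword or vtDword
local descriptorNameOffset = 2 * pointersize   -- vftable ptr + spare ptr precede the name
local expectedColSignature = is64 and 1 or 0

-- One exact-value scan of [startaddr, stopaddr] with the same protection and
-- alignment flags as the original; blocks until the scan has finished.
-- hexinput=true means `value` is hexadecimal text (all numeric scans here).
local function scanExact(s, vtype, value, startaddr, stopaddr, hexinput)
  s.newScan()
  s.firstScan(soExactValue, vtype, rtRounded, value, '', startaddr, stopaddr,
              "*W*X*C", fsmNotAligned, '1', hexinput, true, false, true)
  s.waitTillDone()
end

-- Append every address of the current result set to `dst`, offset by `delta`.
local function collect(fl, dst, delta)
  fl.initialize()
  for j = 1, fl.Count do
    dst[#dst+1] = tonumber(fl[j-1], 16) + delta
  end
  fl.deinitialize()
end

local s = createMemScan()
local fl = createFoundList(s)

-- Stage 1: every MSVC class type descriptor's name starts with ".?AV".
-- (".?AU" struct descriptors are not searched, as in the original.)
scanExact(s, vtString, '.?AV', processBase, processEnd, false)
fl.initialize()
local names = {}
local sll = createStringList()
for i = 1, fl.Count do
  local nameAddr = tonumber(fl[i-1], 16)
  -- readString without a maxlength may cut long (template) names at the API
  -- default; raise the limit if two entries look identical.
  local classname = readString(nameAddr + 4)   -- skip the ".?AV" prefix
  if classname then
    names[#names+1] = { name = classname, address = nameAddr - descriptorNameOffset }
    sll.add(classname)
  end
end
fl.deinitialize()

local r, selstring = showSelectionList('RTTI Classes', 'Select the class to find instances of', sll)
sll.destroy()   -- freed on both paths; the original leaked it on cancel
if r == nil or r == -1 then
  fl.destroy()
  s.destroy()
  return
end
print("You picked "..selstring)

-- r indexes the list as displayed, which only equals the `names` index while
-- the dialog shows it unfiltered; verify the text and fall back to a name
-- search.  If the same name occurs more than once the first entry wins.
local picked = names[r+1]
if picked == nil or picked.name ~= selstring then
  picked = nil
  for _, entry in ipairs(names) do
    if entry.name == selstring then
      picked = entry
      break
    end
  end
end
if picked == nil then
  print("Could not map the selection back to a type descriptor")
  fl.destroy()
  s.destroy()
  return
end

-- Stage 2: find complete object locators that reference this descriptor.
-- pTypeDescriptor is a DWORD in both cases; on 64-bit it is an image-relative
-- offset (hence the module base is subtracted), on 32-bit an absolute address.
local descriptorRef = picked.address
if is64 then
  descriptorRef = descriptorRef - processBase
end
scanExact(s, vtDword, string.format("%x", descriptorRef), processBase, processEnd, true)
fl.initialize()
local RTTIInfo = {}
for i = 1, fl.Count do
  -- COL layout: signature, offset, cdOffset, pTypeDescriptor -> the hit is 12
  -- bytes into the structure.  Only the signature byte is sanity-checked.
  local col = tonumber(fl[i-1], 16) - 12
  if readBytes(col, 1) == expectedColSignature then
    RTTIInfo[#RTTIInfo+1] = col
  end
end
fl.deinitialize()

-- Stage 3: the pointer-sized word immediately before a vtable's first slot
-- points at its COL, so the vtable starts `pointersize` bytes after each hit.
local vtables = {}
for _, col in ipairs(RTTIInfo) do
  scanExact(s, scantype, string.format("%x", col), processBase, processEnd, true)
  collect(fl, vtables, pointersize)
end

-- Stage 4: any memory word equal to a vtable address is a candidate object.
local instances = {}
for _, vt in ipairs(vtables) do
  print(string.format("Scanning for %x", vt))
  scanExact(s, scantype, string.format("%x", vt), 0, 0xffffffffffffffff, true)
  collect(fl, instances, 0)
end
fl.destroy()
s.destroy()

print("The following instances of the class "..selstring.." where found")
for _, addr in ipairs(instances) do
  print(string.format("%x", addr))
end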
Dark Byte Site Admin
Posted: Thu Feb 22, 2024 5:07 pm Post subject: |
Updated version that also finds classes in other loaded modules. The first scan now covers the whole address space instead of just the main module, so it is slower to start; once a class is picked, the locator and vtable scans are restricted to that class's module.
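-- Find live instances of a C++ class whose MSVC RTTI lives in any loaded
-- module.  The first scan covers the whole address space (which is what makes
-- this version slow to start); the remaining scans are restricted to the
-- module the chosen descriptor sits in.  Pipeline:
--   type descriptor (".?AV..." name) -> complete object locator (COL)
--   -> vtable -> every memory word that equals the vtable address.
-- The final list is a candidate list: stack slots, stale heap and copies in
-- other vtables that hold the value are reported too, and only objects whose
-- first pointer is the selected class's primary vtable are found (derived
-- classes have their own vtable; base subobjects at non-zero offsets are missed).
--
-- All state is local so re-running the script does not leave scan handles or
-- stale result tables in the global environment.

-- Pointer width fixes the RTTI layout.  NOTE(review): the original used the
-- 64-bit constants (name at descriptor+0x10, COL signature 1) unconditionally,
-- so on a 32-bit target its signature check rejected every locator; the 32-bit
-- values used here (+8, signature 0) follow the MSVC layout but were not
-- exercised on this page - confirm on a 32-bit target before trusting them.
local is64 = targetIs64Bit()
local pointersize = is64 and 8 or 4
local scantype = is64 and vtQword or vtDword
local descriptorNameOffset = 2 * pointersize   -- vftable ptr + spare ptr precede the name
local expectedColSignature = is64 and 1 or 0

-- One exact-value scan of [startaddr, stopaddr] with the same protection and
-- alignment flags as the original; blocks until the scan has finished.
-- hexinput=true means `value` is hexadecimal text (all numeric scans here).
local function scanExact(s, vtype, value, startaddr, stopaddr, hexinput)
  s.newScan()
  s.firstScan(soExactValue, vtype, rtRounded, value, '', startaddr, stopaddr,
              "*W*X*C", fsmNotAligned, '1', hexinput, true, false, true)
  s.waitTillDone()
end

-- Append every address of the current result set to `dst`, offset by `delta`.
local function collect(fl, dst, delta)
  fl.initialize()
  for j = 1, fl.Count do
    dst[#dst+1] = tonumber(fl[j-1], 16) + delta
  end
  fl.deinitialize()
end

-- Module name in front of the LAST '+' of a "module+offset" string as returned
-- by getNameFromAddress(addr, true, false, false); nil when there is no '+'.
-- (The original looped over find('%+') to reach the last '+'; the greedy
-- capture does the same.)
local function moduleNameOf(symbolic)
  return symbolic:match("^(.*)%+")
end

local s = createMemScan()
local fl = createFoundList(s)

-- Stage 1: collect every ".?AV" type-descriptor name together with the module
-- it lives in.  Hits outside any module, hits whose symbolic name has no '+'
-- (the original would then call getAddress("")) and unreadable names are skipped.
scanExact(s, vtString, '.?AV', 0, 0xffffffffffffffff, false)
fl.initialize()
printf("fl.count=%d", fl.Count)
local names = {}
local sll = createStringList()
for i = 1, fl.Count do
  local nameAddr = tonumber(fl[i-1], 16)
  if inModule(nameAddr) then
    local symbolic = getNameFromAddress(nameAddr, true, false, false)
    local modulename = symbolic and moduleNameOf(symbolic)
    -- readString without a maxlength may cut long (template) names at the API
    -- default; raise the limit if two entries look identical.
    local classname = readString(nameAddr + 4)   -- skip the ".?AV" prefix
    if modulename and classname then
      local modulebase = getAddress(modulename)
      local entry = {
        name = classname,
        address = nameAddr - descriptorNameOffset,   -- start of the TypeDescriptor
        modulename = modulename,
        modulebase = modulebase,
        moduleend = modulebase + getModuleSize(modulename),
      }
      names[#names+1] = entry
      sll.add(entry.name)
    end
  end
end
fl.deinitialize()

local r, selstring = showSelectionList('RTTI Classes', 'Select the class to find instances of', sll)
sll.destroy()   -- freed on both paths; the original leaked it on cancel
if r == nil or r == -1 then
  fl.destroy()
  s.destroy()
  return
end

-- r indexes the list as displayed, which only equals the `names` index while
-- the dialog shows it unfiltered; verify the text and fall back to a name
-- search.  NOTE(review): the same class name can exist in several modules;
-- the fallback picks the first one, which may not be the module the user meant.
local picked = names[r+1]
if picked == nil or picked.name ~= selstring then
  picked = nil
  for _, entry in ipairs(names) do
    if entry.name == selstring then
      picked = entry
      break
    end
  end
end
if picked == nil then
  print("Could not map the selection back to a type descriptor")
  fl.destroy()
  s.destroy()
  return
end
printf("You picked %d: %s in module %s (%x-%x)", r+1, selstring, picked.modulename, picked.modulebase, picked.moduleend)
local mstart, mstop = picked.modulebase, picked.moduleend

-- Stage 2: find complete object locators in this module that reference the
-- descriptor.  pTypeDescriptor is a DWORD in both cases; on 64-bit it is an
-- image-relative offset (hence the module base is subtracted), on 32-bit an
-- absolute address.
local descriptorRef = picked.address
if is64 then
  descriptorRef = descriptorRef - mstart
end
scanExact(s, vtDword, string.format("%x", descriptorRef), mstart, mstop, true)
fl.initialize()
local RTTIInfo = {}
for i = 1, fl.Count do
  -- COL layout: signature, offset, cdOffset, pTypeDescriptor -> the hit is 12
  -- bytes into the structure.  Only the signature byte is sanity-checked.
  local col = tonumber(fl[i-1], 16) - 12
  if readBytes(col, 1) == expectedColSignature then
    RTTIInfo[#RTTIInfo+1] = col
  end
end
fl.deinitialize()

-- Stage 3: the pointer-sized word immediately before a vtable's first slot
-- points at its COL, so the vtable starts `pointersize` bytes after each hit.
local vtables = {}
for _, col in ipairs(RTTIInfo) do
  scanExact(s, scantype, string.format("%x", col), mstart, mstop, true)
  collect(fl, vtables, pointersize)
end

-- Stage 4: any memory word equal to a vtable address is a candidate object.
local instances = {}
for _, vt in ipairs(vtables) do
  print(string.format("Scanning for %x", vt))
  scanExact(s, scantype, string.format("%x", vt), 0, 0xffffffffffffffff, true)
  collect(fl, instances, 0)
end
fl.destroy()
s.destroy()

print("The following instances of the class "..selstring.." where found")
for _, addr in ipairs(instances) do
  print(string.format("%x", addr))
end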
vinay_001 How do I cheat?
Posted: Tue Dec 02, 2025 9:11 am Post subject: |
| Dark Byte wrote: | updated version that also scans other modules (slower at start)
-- Quoted from the post above.  `r` is used directly as an index into `names`,
-- which is only correct while the dialog shows the list exactly as it was
-- built; the reply below reports that it breaks once the list is filtered.
r,selstring=showSelectionList('RTTI Classes','Select the class to find instances of',sll)
-- Cancel path: note `sll` is not destroyed here.
if (r==-1) then return end
sll.destroy()
printf("You picked %d: %s in module %s (%x-%x)", r+1,selstring, names[r+1].modulename,names[r+1].modulebase,names[r+1].moduleend)
-- Module range used to limit the locator and vtable scans that follow.
mstart=names[r+1].modulebase
mstop=names[r+1].moduleend
This code has a bug when the user filters the class list by typing in the dialog: the index returned by showSelectionList then refers to the filtered list, not to the `names` table, so the wrong entry (or a nil one) is picked.
Below is the fixed code. It maps the selected text back to its entry by name; note that if the same class name appears in several modules, the first entry in `names` wins:
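-- Find live instances of a C++ class whose MSVC RTTI lives in any loaded
-- module, mapping the dialog selection back to the right entry even when the
-- list was filtered.  Pipeline:
--   type descriptor (".?AV..." name) -> complete object locator (COL)
--   -> vtable -> every memory word that equals the vtable address.
-- The final list is a candidate list: stack slots, stale heap and copies in
-- other vtables that hold the value are reported too, and only objects whose
-- first pointer is the selected class's primary vtable are found (derived
-- classes have their own vtable; base subobjects at non-zero offsets are missed).
--
-- All state is local so re-running the script does not leave scan handles or
-- stale result tables in the global environment.

local names = {}

-- First entry of `names` whose .name equals `target`, plus its index; nil when
-- there is none.  NOTE(review): class names are not unique across modules, so
-- this can pick a different module than the one the user clicked.
local function findByName(target)
  for i, ne in ipairs(names) do
    if ne.name == target then
      return ne, i
    end
  end
  return nil
end

-- Pointer width fixes the RTTI layout.  NOTE(review): the original used the
-- 64-bit constants (name at descriptor+0x10, COL signature 1) unconditionally,
-- so on a 32-bit target its signature check rejected every locator; the 32-bit
-- values used here (+8, signature 0) follow the MSVC layout but were not
-- exercised on this page - confirm on a 32-bit target before trusting them.
local is64 = targetIs64Bit()
local pointersize = is64 and 8 or 4
local scantype = is64 and vtQword or vtDword
local descriptorNameOffset = 2 * pointersize   -- vftable ptr + spare ptr precede the name
local expectedColSignature = is64 and 1 or 0

-- One exact-value scan of [startaddr, stopaddr] with the same protection and
-- alignment flags as the original; blocks until the scan has finished.
-- hexinput=true means `value` is hexadecimal text (all numeric scans here).
local function scanExact(s, vtype, value, startaddr, stopaddr, hexinput)
  s.newScan()
  s.firstScan(soExactValue, vtype, rtRounded, value, '', startaddr, stopaddr,
              "*W*X*C", fsmNotAligned, '1', hexinput, true, false, true)
  s.waitTillDone()
end

-- Append every address of the current result set to `dst`, offset by `delta`.
local function collect(fl, dst, delta)
  fl.initialize()
  for j = 1, fl.Count do
    dst[#dst+1] = tonumber(fl[j-1], 16) + delta
  end
  fl.deinitialize()
end

-- Module name in front of the LAST '+' of a "module+offset" string as returned
-- by getNameFromAddress(addr, true, false, false); nil when there is no '+'.
local function moduleNameOf(symbolic)
  return symbolic:match("^(.*)%+")
end

local s = createMemScan()
local fl = createFoundList(s)

-- Stage 1: collect every ".?AV" type-descriptor name together with the module
-- it lives in.  Hits outside any module, hits whose symbolic name has no '+'
-- (the original would then call getAddress("")) and unreadable names are skipped.
scanExact(s, vtString, '.?AV', 0, 0xffffffffffffffff, false)
fl.initialize()
printf("fl.count=%d", fl.Count)
local sll = createStringList()
for i = 1, fl.Count do
  local nameAddr = tonumber(fl[i-1], 16)
  if inModule(nameAddr) then
    local symbolic = getNameFromAddress(nameAddr, true, false, false)
    local modulename = symbolic and moduleNameOf(symbolic)
    -- readString without a maxlength may cut long (template) names at the API
    -- default; raise the limit if two entries look identical.
    local classname = readString(nameAddr + 4)   -- skip the ".?AV" prefix
    if modulename and classname then
      local modulebase = getAddress(modulename)
      local entry = {
        name = classname,
        address = nameAddr - descriptorNameOffset,   -- start of the TypeDescriptor
        modulename = modulename,
        modulebase = modulebase,
        moduleend = modulebase + getModuleSize(modulename),
      }
      names[#names+1] = entry
      sll.add(entry.name)
    end
  end
end
fl.deinitialize()

local r, selstring = showSelectionList('RTTI Classes', 'Select the class to find instances of', sll)
sll.destroy()   -- freed on both paths; the original leaked it on cancel
if r == nil or r == -1 then
  fl.destroy()
  s.destroy()
  return
end

-- Prefer the displayed index when its text matches (unfiltered list, and the
-- right module even for duplicate names); otherwise the list was filtered and
-- the name search is the only thing left to go on.
local ent, idx = names[r+1], r+1
if ent == nil or ent.name ~= selstring then
  ent, idx = findByName(selstring)
end
if ent == nil then
  print("Could not map the selection back to a type descriptor")
  fl.destroy()
  s.destroy()
  return
end
print("Index of "..ent.name.." in table is "..tostring(idx))
printf("You picked %d(%d in map): %s in module %s (%x-%x)", r+1, idx, selstring, ent.modulename, ent.modulebase, ent.moduleend)
local mstart, mstop = ent.modulebase, ent.moduleend

-- Stage 2: find complete object locators in this module that reference the
-- descriptor.  pTypeDescriptor is a DWORD in both cases; on 64-bit it is an
-- image-relative offset (hence the module base is subtracted), on 32-bit an
-- absolute address.
local descriptorRef = ent.address
if is64 then
  descriptorRef = descriptorRef - mstart
end
scanExact(s, vtDword, string.format("%x", descriptorRef), mstart, mstop, true)
fl.initialize()
local RTTIInfo = {}
for i = 1, fl.Count do
  -- COL layout: signature, offset, cdOffset, pTypeDescriptor -> the hit is 12
  -- bytes into the structure.  Only the signature byte is sanity-checked.
  local col = tonumber(fl[i-1], 16) - 12
  if readBytes(col, 1) == expectedColSignature then
    RTTIInfo[#RTTIInfo+1] = col
  end
end
fl.deinitialize()

-- Stage 3: the pointer-sized word immediately before a vtable's first slot
-- points at its COL, so the vtable starts `pointersize` bytes after each hit.
local vtables = {}
for _, col in ipairs(RTTIInfo) do
  scanExact(s, scantype, string.format("%x", col), mstart, mstop, true)
  collect(fl, vtables, pointersize)
end

-- Stage 4: any memory word equal to a vtable address is a candidate object.
local instances = {}
for _, vt in ipairs(vtables) do
  print(string.format("Scanning for %x", vt))
  scanExact(s, scantype, string.format("%x", vt), 0, 0xffffffffffffffff, true)
  collect(fl, instances, 0)
end
fl.destroy()
s.destroy()

print("The following instances of the class "..selstring.." where found")
for _, addr in ipairs(instances) do
  print(string.format("%x", addr))
end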
Last edited by vinay_001 on Wed Dec 03, 2025 12:54 am; edited 1 time in total |
Csimbi I post too much
Posted: Tue Dec 02, 2025 2:26 pm Post subject: |
| vinay_001 wrote: |
This code has a bug if user filters the class list by searching.
Below is proper fixed code:
This does not find anything. The previous one from DB works.
Dark Byte Site Admin
Posted: Tue Dec 02, 2025 2:53 pm Post subject: |
Maybe it works if you replace the '.?AVbuilding_' part of the first string scan with '.?AV' — with the class name hard-coded into the scan value the script only ever finds that one descriptor, and nothing at all if the name does not match exactly.
AylinCE Grandmaster Cheater Supreme
Posted: Tue Dec 02, 2025 4:13 pm Post subject: |
Just an idea...
Make the following additions:
-- Prefix every Lua pattern magic character in `s` with '%' so the result can
-- be handed to string.find/match/gsub and match `s` literally.  Only the
-- escaped string is returned; gsub's substitution count is dropped.
function escapePattern(s)
  local magic = "[%(%)%.%%%+%-%*%?%[%]%^%$]"
  local escaped = s:gsub(magic, function(c)
    return "%" .. c
  end)
  return escaped
end
-- NOTE(review): the scripts above search for the literal prefix '.?AV'
-- (with the '?'); this value has no '?', so as written it does not match
-- those descriptor names.  escapePattern escapes for Lua patterns
-- (string.find/gsub); whether the memscan string value is interpreted as a
-- pattern at all is not established on this page - the working scripts pass
-- '.?AV' unescaped.
local wantedString = ".AVbuilding_"
local escapedString = escapePattern(wantedString)
And try changing the lines in the script as given. Two caveats a reader should check first: the scan value goes to the memory scanner, not to string.find, and the working scripts above pass '.?AV' unescaped — so if the scanner does a literal match, an escaped value like '%.AVbuilding_' will find nothing. And in a Lua pattern '%+' already means a literal '+', whereas '%%+' means "one or more '%' characters", so the second change would stop the module/offset split from finding the '+'.
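-- line 15 ..
--s.firstScan(soExactValue, vtString, rtRounded, '.?AVbuilding_', '', 0 ,0xffffffffffffffff ,"*W*X*C" ,fsmNotAligned ,'1' ,false ,true, false, true);
-- The value is handed to the memory scanner, not to string.find, and the
-- scripts above pass '.?AV' unescaped and work, so the literal text is used
-- here.  NOTE(review): should the scanner in your build treat the value as a
-- Lua pattern, use escapedString instead.  To list every class rather than
-- one, search for '.?AV' as the original scripts do.
s.firstScan(soExactValue, vtString, rtRounded, '.?AVbuilding_', '', 0 ,0xffffffffffffffff ,"*W*X*C" ,fsmNotAligned ,'1' ,false ,true, false, true);
-- and line 33 ..
-- local newend=as:find('%+',moduleend+1)
-- '%+' is already the escaped form of a literal '+'.  '%%+' would be the
-- pattern for one or more '%' characters and never find the '+' separating
-- module and offset, so the original search is kept.
local newend = as:find('%+', moduleend + 1)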
vinay_001 How do I cheat?
Posted: Wed Dec 03, 2025 12:53 am Post subject: |
| Csimbi wrote: | | vinay_001 wrote: |
This code has a bug if user filters the class list by searching.
Below is proper fixed code:
|
This does not find anything. The previous one from DB works. |
You are right. It was because the first scan still had '.?AVBuilding_' hard-coded as its value, so it only ever matched that one descriptor; I have changed it back to '.?AV' in the code above.