aobscanmodule or any scan fails after enabling/disabling a script

SunBeam
Administration
Posts: 2440
Joined: Sun Feb 04, 2018 7:16 pm
Reputation: 955


Post by SunBeam » Tue Jan 08, 2019 6:44 pm

Hi there.

Stumbled across a quirky situation the other day, while using a script in Strange Brigade. The below is my script:


[ENABLE]

aobscanmodule( GetBaseStuff, StrangeBrigade_DX12.exe, F64439??010F85????????803D????????000F85????????4885FF0F84????????486348??0F2F7C39 )
registersymbol( GetBaseStuff )
label( GetBaseStuff_o )
registersymbol( GetBaseStuff_o )
alloc( Hook, 0x1000, StrangeBrigade_DX12.exe )
label( pEntity )
registersymbol( pEntity )
label( dwEntityId )
registersymbol( dwEntityId )
label( pActor )
registersymbol( pActor )

Hook:
push rax
mov [pEntity],rdi
mov [dwEntityId],edx
mov rax,[rdi+8B0]
mov [pActor],rax
pop rax
GetBaseStuff_o:
readmem( GetBaseStuff, 5 )
jmp GetBaseStuff+5

pEntity:
dq 0
dwEntityId:
dd 0
pActor:
dq 0

GetBaseStuff:
jmp Hook

[DISABLE]

GetBaseStuff:
readmem( GetBaseStuff_o, 5 )

unregistersymbol( pActor )
unregistersymbol( dwEntityId )
unregistersymbol( pEntity )
dealloc( Hook )
unregistersymbol( GetBaseStuff_o )
unregistersymbol( GetBaseStuff )

The script itself works wonders. However, if you were to disable it, then re-enable it, you'll find that it doesn't work anymore. Additionally, searching for the array of bytes separately in CE's GUI will return 0 results. Did some trial & error after talking to Dark Byte and found the below is occurring:
  • before the script is enabled, the memory at the hook location looks like this:
    [screenshot]
  • notice the address at which the array starts -> 14B2CBFF3; notice the protection -> Protect:Execute/Write Copy
  • once you enable the script, this happens:
    [screenshot]
  • notice how the protection changes to -> Protect:Execute/Read/Write
  • if you now click on the C2 byte and scroll the window, you'll find that past our write, the rest remains at Protect:Execute/Write Copy
  • also notice how the C2 byte is now part of a 00-aligned address, starting a new memory block -> 14B2CC000
    [screenshot]
  • if you now disable the script, which restores the 5 hooked bytes, this happens:
    [screenshot]
  • CE restores the bytes, but it doesn't restore the protection; considering the array of bytes we search for spans the end of one memory block and the start of another, any type of scan will now fail
    [screenshot]

The solution is to force CE to copy more bytes via readmem to include at least 1 byte from the next block of memory (that C2 +1). So I chose this:

[screenshot]

And now the script looks like this:


[ENABLE]

aobscanmodule( GetBaseStuff, StrangeBrigade_DX12.exe, F64439??010F85????????803D????????000F85????????4885FF0F84????????486348??0F2F7C39 )
registersymbol( GetBaseStuff )
label( GetBaseStuff_o )
registersymbol( GetBaseStuff_o )
alloc( Hook, 0x1000, StrangeBrigade_DX12.exe )
label( pEntity )
registersymbol( pEntity )
label( dwEntityId )
registersymbol( dwEntityId )
label( pActor )
registersymbol( pActor )

label( GetBaseStuff_ext )
registersymbol( GetBaseStuff_ext )

Hook:
push rax
mov [pEntity],rdi
mov [dwEntityId],edx
mov rax,[rdi+8B0]
mov [pActor],rax
pop rax
GetBaseStuff_o:
readmem( GetBaseStuff, 5 )  // the original 5 bytes, executed after the hook body
jmp GetBaseStuff+5
GetBaseStuff_ext:
readmem( GetBaseStuff, 15 )  // same bytes plus enough to reach into the next 0x1000 page; used only by [DISABLE]

pEntity:
dq 0
dwEntityId:
dd 0
pActor:
dq 0

GetBaseStuff:
jmp Hook

[DISABLE]

GetBaseStuff:
//readmem( GetBaseStuff_o, 5 )  // a 5-byte restore only touches the first page and leaves the protection split
readmem( GetBaseStuff_ext, 15 )  // the 15-byte restore writes into both pages

unregistersymbol( GetBaseStuff_ext )

unregistersymbol( pActor )
unregistersymbol( dwEntityId )
unregistersymbol( pEntity )
dealloc( Hook )
unregistersymbol( GetBaseStuff_o )
unregistersymbol( GetBaseStuff )

Having done this, both sections will now be restored to their original Protect:Execute/Write Copy when you disable the script.

Hope this helps those lucky enough to trip over this :P

Best regards,
Sun
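Added example, not part of SunBeam's post: a CE Lua snippet that checks whether an aobscanmodule pattern straddles a 0x1000 page boundary and, if it does, how many bytes the [DISABLE] readmem has to write back so that the restore touches both pages. It uses CE's own Lua API (AOBScan(), enumMemoryRegions(), the StringList returned by AOBScan); the pattern is the one from the post, the "+X" protection filter and the 0x1000 page size are my assumptions, and the PAGE_* protection names are the Windows constants.

```lua
-- Added example (not from the original post). Run it in CE's Lua Engine
-- window while attached to the game, before enabling the script or after
-- disabling it. Assumes CE's Lua API: AOBScan(), enumMemoryRegions(),
-- StringList.Count / [i] / destroy(); assumes a 0x1000 (4096-byte) page.
local PAGE_SIZE = 0x1000

-- Names for the Protect values enumMemoryRegions() returns (Windows PAGE_* constants).
local PROTECT_NAMES = {
  [0x10] = "Execute",
  [0x20] = "Execute/Read",
  [0x40] = "Execute/Read/Write",
  [0x80] = "Execute/Write Copy",
  [0x02] = "Read",
  [0x04] = "Read/Write",
  [0x08] = "Write Copy",
}

-- Byte length of an AOB written as hex pairs with "??" wildcards.
local function aobLength(aob)
  local cleaned = aob:gsub("[%s%-]", "")
  return math.floor(#cleaned / 2)
end

-- Protect value of the region that contains addr, or nil if no region does.
local function protectAt(addr)
  for _, r in ipairs(enumMemoryRegions()) do
    if addr >= r.BaseAddress and addr < r.BaseAddress + r.RegionSize then
      return r.Protect
    end
  end
  return nil
end

-- Does [addr, addr+len) cross a page boundary? If so, report the next page,
-- the protection of both pages, and the smallest readmem() size that reaches
-- from addr up to and including the first byte of the next page.
local function straddleInfo(addr, len)
  local firstPage = addr - (addr % PAGE_SIZE)
  local lastByte  = addr + len - 1
  local lastPage  = lastByte - (lastByte % PAGE_SIZE)
  if firstPage == lastPage then
    return { straddles = false }
  end
  local nextPage = firstPage + PAGE_SIZE
  return {
    straddles       = true,
    nextPage        = nextPage,
    minRestoreBytes = nextPage - addr + 1,
    protectFirst    = protectAt(addr),
    protectNext     = protectAt(nextPage),
  }
end

local function describe(p)
  if p == nil then return "?" end
  return PROTECT_NAMES[p] or string.format("0x%X", p)
end

-- The pattern from the post; replace it with your own script's AOB.
local aob = "F64439??010F85????????803D????????000F85????????4885FF0F84????????486348??0F2F7C39"

local results = AOBScan(aob, "+X")  -- executable regions only (my choice of filter)
if results == nil or results.Count == 0 then
  print("no match; if the script was already enabled and disabled once, this is the split-protection symptom")
else
  local len = aobLength(aob)
  for i = 0, results.Count - 1 do
    local addr = tonumber(results[i], 16)
    local info = straddleInfo(addr, len)
    if info.straddles then
      print(string.format("%X: %d-byte pattern crosses into page %X", addr, len, info.nextPage))
      print(string.format("  protection: %s | %s", describe(info.protectFirst), describe(info.protectNext)))
      print(string.format("  [DISABLE] readmem should copy at least %d bytes (5 only covers the jmp)", info.minRestoreBytes))
    else
      print(string.format("%X: pattern stays inside one page; a 5-byte restore is fine", addr))
    end
  end
  results.destroy()
end
```

For the address in the post (14B2CBFF3) the minimum works out to 14 bytes (FF3 through 000 inclusive), so the 15 that the fixed script copies is enough. If the two pages print different protections after the script has been disabled, you are looking at exactly the split the post describes.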

aanpsx
Table Makers
Posts: 93
Joined: Thu Apr 12, 2018 4:53 am
Reputation: 133


Post by aanpsx » Wed Jan 09, 2019 1:18 am

Can you give me some insight into how to specify "#" as in:
alloc (SomeName, #), globalalloc (SomeName, #), or readmem (SomeName, #)?
Will a higher value make the script better, or vice versa?

Because all this time I was only guessing.

SunBeam
Administration
Posts: 2440
Joined: Sun Feb 04, 2018 7:16 pm
Reputation: 955


Post by SunBeam » Wed Jan 09, 2019 5:09 pm

I believe CE by default allocates 0x1000 (4096 bytes); try it yourself :P alloc(game.exe, 1) == alloc(game.exe, 0x1000). As for the amount to allocate, that depends on what you want to use the space for and how much you need. It's not a guessing game if you assign a sufficient amount (that's why the default's 1MB).

Eric
Hall of Famer
Posts: 94
Joined: Thu Mar 02, 2017 11:01 pm
Reputation: 34


Post by Eric » Wed Jan 09, 2019 7:59 pm


alloc(var1,4)
alloc(var2,8)
alloc(mycode,256)

still allocates 4096 bytes.

aanpsx
Table Makers
Posts: 93
Joined: Thu Apr 12, 2018 4:53 am
Reputation: 133


Post by aanpsx » Wed Jan 09, 2019 8:54 pm

SunBeam wrote (Wed Jan 09, 2019 5:09 pm):
I believe CE by default allocates 0x1000 (4096 bytes); try it yourself :P alloc(game.exe, 1) == alloc(game.exe, 0x1000). As for the amount to allocate, that depends on what you want to use the space for and how much you need. It's not a guessing game if you assign a sufficient amount (that's why the default's 1MB).
I get it.
Thanks for answering, SB,
I really appreciate it.
