AOB Wildcard Generator (v4)

[aSwedishMagyar]

This is a pretty basic tool that just adds a menu item in the disassembler view. It will prompt you for the minimum # of instructions, how many iterations you want it to run for and what type of wildcard you want to use. Then it grabs the first byte of each instruction and fills the rest with wildcards and does a check if that AOB is unique. For now It is super primitive and doesn't check what type of instruction it is but I will be incrementally updating this with some more logic in the future. As it is right now, it should be really convenient for a quick and dirty AOB generator that is relatively update proof.

I will also try to add some logic determining whether it is within a region for mono applications since you can specify function start and end points. <--- Yeah not gonna happen anymore.

Feel free to let me know if it doesn't work in a situation but if you do, please provide me with a .txt file of the bytes and opcodes so I can see what broke it.

To install just extract and place 'generateAOBMenu.lua' in the autorun folder for CE.

Update (v4): Modfied to add the item to the 'Tools' dropdown menu in the disassembler view. Gave it a shortcut of Ctrl+NumPlus (should only be effective in the disassembler view window). Also modified to only show a completion or failure message while copying the AOB to clipboard.

Update (v3): Modified it to only use ?? as the wildcard. You can edit it yourself by changing the parameter: wCardFormat. I don't want to have prompts anymore. It will loop until it finds the smallest AOB (or it gets to 120 instructions) on a separate thread so it wont lag CE.

Update (v2): Modified the search region to only be the module in which the current address is in so you can do aobscanmodule(). Also generalized it so that there are defaults and you have the ability to include spaces or not.

[++METHOS]

This works great. I was not able to use an alternative wildcard format, but that is not so important. Thank you for sharing.

[++METHOS]

Hello, again.

I wonder what your thoughts would be about changing the way that this works, or providing an alternative option for users?

In lieu of printing the AOB results and displaying them in the window where they have to be copied and then window closed, would it be possible to simply copy the AOB result to clipboard? Maybe just have a sound play when it is finished?

Thanks so much.

[aSwedishMagyar]

Hello, again.

I wonder what your thoughts would be about changing the way that this works, or providing an alternative option for users?

In lieu of printing the AOB results and displaying them in the window where they have to be copied and then window closed, would it be possible to simply copy the AOB result to clipboard? Maybe just have a sound play when it is finished?

Thanks so much.

It currently writes the result to the clipboard so you don't actually have to copy it. That was just my method of indicating it is done and showing which region it found the AOB in if you use it in an aobscanmodule() command. You can comment out the print(name) and print(AOBWildCard) lines if you don't want the window to come up. Then you can add something like : speak('AOB result copied to clipboard') where they used to be.

[++METHOS]

You can comment out the print(name) and print(AOBWildCard) lines if you don't want the window to come up. Then you can add something like : speak('AOB result copied to clipboard') where they used to be.

-Awesome! Works great. Thanks so much.

For anyone interested, below is the entire script with revisions included. It will not open any window and will just say 'scan completed' once the AOB is ready to be pasted:

Code: Select all

function getModuleName(base)
	local name = getNameFromAddress(base,true,false)
	local modules = enumModules()
	local currentModule = nil
	local i
	for k = 1,#modules do 
		local startPoint = modules[k].Address
		local endPoint = getModuleSize(modules[k].Name)
		if base > startPoint and base < startPoint+endPoint then 
			currentModule = modules[k]
			break
		end
	end
	if currentModule then return currentModule.Name end
	return nil
end
function checkAOB(bytes,curModule)
	local base = nil
	if curModule then base = curModule.Address else base = 0x0 end
    local moduleStrSize = getModuleSize(curModule)
	moduleStrSize = moduleStrSize and moduleStrSize or 0x7fffffffffff
	local memScanner = createMemScan()
	local memFoundList = createFoundList(memScanner)
	memScanner.firstScan(
	soExactValue,vtByteArray,rtRounded,bytes,nil,
	base,base+moduleStrSize,"",
	fsmNotAligned,"",true,false,false,false)
	memScanner.waitTillDone()
	memFoundList.initialize()
	local foundAdder = nil
	if memFoundList.Count == 1 then
		foundAdder = true
	end
	memScanner.destroy()
	memFoundList.destroy()
	return foundAdder
end
function generateWildcardAOB(base)
	local name = getNameFromAddress(base,true,false)
	local modules = enumModules()
	local currentModule = nil
	local i
	for k = 1,#modules do 
		local startPoint = modules[k].Address
		local endPoint = getModuleSize(modules[k].Name)
		if base > startPoint and base < startPoint+endPoint then 
			currentModule = modules[k]
			break
		end
	end
	if currentModule == nil then showMessage("Unable to Find Module");return end
    local minLen = 2
    local maxLen = 120
	local wCardFormat = '??'
	local addSpace = false
	local AOB = createStringList()
    local AOBWildCard
	local current = 0
    local isX64
	if currentModule then isX64 = currentModule.Is64Bit else isX64 = targetIs64Bit() end
	local done = false
	maxLen = maxLen + minLen
	for i = 1,maxLen do
		local size = getInstructionSize(base+current)
        local byteVal = readBytes(base+current,1)
        local byte = string.format('%02X',byteVal)
		byte = byte=='CC' and wCardFormat or byte
		AOB.add(byte)
        if isX64 and checkOpCode(byteVal) then
        	current = current + 1
            size = size - 1
            byte = string.format('%02X',readBytes(base+current,1))		
            if addSpace then AOB.add(' ') end
			AOB.add(byte)
        end
        AOBWildCard = string.gsub(AOB.text, "%c", "")
        if i > minLen then if checkAOB(AOBWildCard,currentModule) then --print("Ran for ",i-minLen," iterations.")
		;break
		end
		end
		current = current + size
		if addSpace then AOB.add(' ') end
		for j = 1,size-1 do AOB.add(wCardFormat);if addSpace then AOB.add(' ') end end
	end
    AOBWildCard = string.gsub(AOB.text, "%c", "")
    AOB.destroy()
	if i == maxLen then print("Unable to find unique AOB");return nil end
	if currentModule == nil then name = process
	else name = currentModule.Name end
	--print(name)
	--print(AOBWildCard)
	speak('Scan Completed')
	writeToClipboard(AOBWildCard)
	return {AOBWildCard,name}
end
function checkOpCode(byteVal)
    if byteVal >= 0x40 and byteVal <=0x49 then return true end
	if byteVal == 0x0F then return true end
    return false
end
function addGenerateAOBMenu()
  local parent = getMemoryViewForm().Menu.Items
  generateAOBmenuitem = createMenuItem(parent)
  parent.add(generateAOBmenuitem)
  generateAOBmenuitem.Caption = 'Generate AOB'
  generateAOBmenuitem.OnClick = function() createThread( function(th) generateWildcardAOB(getMemoryViewForm().DisassemblerView.SelectedAddress) end) end
end
addGenerateAOBMenu()

Thanks so much. I appreciate it.

[Csimbi]

v3 from aSwedishMagyar works well, thanks!
++METHOS's LUA code does not seem to output anything. (nothing happens when the menu is clicked?)

Any chance to check for the instruction type (so all bytes of the instruction would be taken, not just the first - but leaving out garbage like offsets)?
Or, don't check, but use disassemble(...) and replace the last group (if the there is a last group) with ??s in each instruction.

Could this be a submenu with a hotkey?

[++METHOS]

++METHOS's LUA code does not seem to output anything. (nothing happens when the menu is clicked?)

-That is intentional. I did not want to bother with a window popping up. It should just copy AOB to clipboard and notify you that the scan is complete with an audio output. It was just for my personal use, but I wanted to share it in case anyone else wanted to use it in that way.

[Csimbi]

Oh, ok. I don't have audio
Copying to the clipboard is nice.

[aSwedishMagyar]

Any chance to check for the instruction type (so all bytes of the instruction would be taken, not just the first - but leaving out garbage like offsets)? - Yeah but I'll do that later since I'm lazy

Could this be a submenu with a hotkey? - Done, added to 'Tools' submenu with shortcut of 'Ctrl+NumPlus' (you can change it to whatever in the lua file)

[Aleksey0104]

Cheat engine won't start with this plugin. v.4

[Csimbi]

Cheat engine won't start with this plugin. v.4

It's not a plugin. It's a LUA extention.

[LeFiXER]

Cheat engine won't start with this plugin. v.4

It's likely that you are using an outdated version of Cheat Engine. Update Cheat Engine first, but also Csimbi is correct. It's an extension rather than a plugin .

[Messy6666]

Tyvm for this generator,
it's now my favorite since LeFiXER told me about it!

The only thing I had to change to make it compatible with other software was:


Ofcourse the fact that that variable was there in the first place meant you had already thought of that!
Just mentioning it for others.

Love it
Regards

[3qalves3]

This is a pretty basic tool that just adds a menu item in the disassembler view. It will prompt you for the minimum # of instructions, how many iterations you want it to run for and what type of wildcard you want to use. Then it grabs the first byte of each instruction and fills the rest with wildcards and does a check if that AOB is unique. For now It is super primitive and doesn't check what type of instruction it is but I will be incrementally updating this with some more logic in the future. As it is right now, it should be really convenient for a quick and dirty AOB generator that is relatively update proof.

I will also try to add some logic determining whether it is within a region for mono applications since you can specify function start and end points. <--- Yeah not gonna happen anymore.

Feel free to let me know if it doesn't work in a situation but if you do, please provide me with a .txt file of the bytes and opcodes so I can see what broke it.

To install just extract and place 'generateAOBMenu.lua' in the autorun folder for CE.

Update (v4): Modfied to add the item to the 'Tools' dropdown menu in the disassembler view. Gave it a shortcut of Ctrl+NumPlus (should only be effective in the disassembler view window). Also modified to only show a completion or failure message while copying the AOB to clipboard.

Update (v3): Modified it to only use ?? as the wildcard. You can edit it yourself by changing the parameter: wCardFormat. I don't want to have prompts anymore. It will loop until it finds the smallest AOB (or it gets to 120 instructions) on a separate thread so it wont lag CE.

Update (v2): Modified the search region to only be the module in which the current address is in so you can do aobscanmodule(). Also generalized it so that there are defaults and you have the ability to include spaces or not.

Hey, im getting a error when i try to use the AOB genarator...

''unable to find module''

Anyone know why ?

[Glowmoss]

Hey, im getting a error when i try to use the AOB genarator...

''unable to find module''

Anyone know why ?

It's because aSwedishMagyar has it set up to work within modules, My fix was to just comment out that if statement on line 82 and change

Code: Select all

		local startPoint = modules[k].Address
		local endPoint = getModuleSize(modules[k].Name)

to

Code: Select all

		local startPoint = modules[k].Address or 0x0
		local endPoint = getModuleSize(modules[k].Name) or 0x7fffffffffff

on line 75