Why does AOB scan never work for me?

[mugenishere]

Is there a way for me to attach a screen video recording? 11MB file size. If there's a way then I'll attach the video so that you can see yourself this AOB scan never works.

1. My AOB scan address is unique

• I make sure to enable "scan all memory"

• I make sure I'm not putting double-quotes in the address

• When I create the script it works fine but on restarting the game it can never find the address

• I've tried after attaching the debugger. Makes no difference.

What is most surprising is that if I just go through the whole search process of finding that value, attach debugger, create a new AOB script (with a different label) then the earlier script starts working on its own!

Here's the full script that I'm using:

Code: Select all

{ Game   : CargoCommander.exe
  Version: 
  Date   : 2021-08-21
  Author : test

  This script does blah blah blah
}

[ENABLE]

aobscan(nocapsdec, 2B CA 89 88 38 02 00 00 0F B6 47 30 85 C0 75 07) // should be unique
alloc(newmem,$1000)

label(code)
label(return)

newmem:
  mov ecx, 0XFFF

code:

  mov [eax+00000238],ecx
  jmp return

nocapsdec:
  jmp newmem
  nop 3
return:
registersymbol(nocapsdec)

[DISABLE]

nocapsdec:
  db 2B CA 89 88 38 02 00 00

unregistersymbol(nocapsdec)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: 066599D1

066599B0: E8 83 75 94 FF        -  call 05FA0F38
066599B5: 00 00                 -  add [eax],al
066599B7: 00 55 8B              -  add [ebp-75],dl
066599BA: EC                    -  in al,dx
066599BB: 57                    -  push edi
066599BC: 83 EC 04              -  sub esp,04
066599BF: 8B 7D 08              -  mov edi,[ebp+08]
066599C2: 8B 05 94 0A F2 05     -  mov eax,[05F20A94]
066599C8: 8B 88 38 02 00 00     -  mov ecx,[eax+00000238]
066599CE: 8B 57 14              -  mov edx,[edi+14]
// ---------- INJECTING HERE ----------
066599D1: 2B CA                 -  sub ecx,edx
066599D3: 89 88 38 02 00 00     -  mov [eax+00000238],ecx
// ---------- DONE INJECTING  ----------
066599D9: 0F B6 47 30           -  movzx eax,byte ptr [edi+30]
066599DD: 85 C0                 -  test eax,eax
066599DF: 75 07                 -  jne 066599E8
066599E1: C7 47 28 14 00 00 00  -  mov [edi+28],00000014
066599E8: 8B 05 94 0A F2 05     -  mov eax,[05F20A94]
066599EE: 83 EC 0C              -  sub esp,0C
066599F1: 50                    -  push eax
066599F2: 39 00                 -  cmp [eax],eax
066599F4: E8 87 A6 F1 FF        -  call 06574080
066599F9: 83 C4 10              -  add esp,10
}

[LeFiXER]

Code: Select all

newmem:
  mov ecx, 0XFFF

"0X" isn't required. CE assumes the values are hexadecimal unless specified within parentheses i.e. (int), (float) etc...

Try this:

Code: Select all

[ENABLE]
066599D1:
 db 90 90

[DISABLE]
066599D1:
 db 2B CA

It will prevent value from decreasing.

[mugenishere]

Code: Select all

newmem:
  mov ecx, 0XFFF

"0X" isn't required. CE assumes the values are hexadecimal unless specified within parentheses i.e. (int), (float) etc...

Try this:

Code: Select all

[ENABLE]
066599D1:
 db 90 90

[DISABLE]
066599D1:
 db 2B CA

It will prevent value from decreasing.

Thanks for replying. But this isn't the problem. I tried with your solution anyhow but I'm still unable to activate the script.

This is the part which doesn't work -->

Code: Select all

2B CA 89 88 38 02 00 00 0F B6 47 30 85 C0 75 07

However, if I search for that memory region + attach debugger --> Then the same search above works!

Here's a video -->

[Marc]

Just an idea, but is it possible that the code you are looking for is loaded on demand - so you have to buy something, and only then the code gets loaded into memory? That would explain that going through the whole process of searching lets the AOB work again.

[Rhark]

Looking at your video for one second I see "Mono" at the top, which means it uses Mono symbols and some mono games do not initialise the symbols until they are needed (which is basically what Marc said)

Try enabling Mono & then using aobscanregion. There are plenty of Mono tutorials on YT.

[mugenishere]

Just an idea, but is it possible that the code you are looking for is loaded on demand - so you have to buy something, and only then the code gets loaded into memory? That would explain that going through the whole process of searching lets the AOB work again.

You nailed it! This was the thing. I tried buying once and after that I was able to activate the AOB script. Thank you so much!!

Looking at your video for one second I see "Mono" at the top, which means it uses Mono symbols and some mono games do not initialise the symbols until they are needed (which is basically what Marc said)

Try enabling Mono & then using aobscanregion. There are plenty of Mono tutorials on YT.

Another great catch! The game indeed uses Mono but unfortunately, enabling mono didn't bring up that section of the code into memory. It seems I need to perform that action once and after that I was able to enable the script.

The problem is solved. Thanks so much to both of you for replying!

Lastly... Yerrrrrrhaawww!!!

[EpicBirdi]

You can use mono_initialize() and LaunchMonoDataCollector() in a script to automatically start Mono.

Furthering that, you can force a method to be accessible by compiling it yourself. You just need to know the path to that method, which you can find in the Mono Dissector. Enabling Mono in the memory viewer will give you the method name, just search for that method in the dissector and you'll have the full path to it.

Example:

Code: Select all

if syntaxcheck then return end
if LaunchMonoDataCollector() ~= 0 then
   local m_id = mono_findMethod('Assembly-CSharp','PlayerStatus','HandleDamage')
   mono_compile_method(m_id)
end

Then you can use your AOBscan, as long as it compiles correctly, without needing to use the method first.

[mugenishere]

You can use mono_initialize() and LaunchMonoDataCollector() in a script to automatically start Mono.

Furthering that, you can force a method to be accessible by compiling it yourself. You just need to know the path to that method, which you can find in the Mono Dissector. Enabling Mono in the memory viewer will give you the method name, just search for that method in the dissector and you'll have the full path to it.

Example:

Code: Select all

if syntaxcheck then return end
if LaunchMonoDataCollector() ~= 0 then
   local m_id = mono_findMethod('Assembly-CSharp','PlayerStatus','HandleDamage')
   mono_compile_method(m_id)
end

Then you can use your AOBscan, as long as it compiles correctly, without needing to use the method first.

I can make out the meaning for this but I'm not sure how to do this. Thanks for suggesting it though. Hopefully I'll come across a tutorial one day which will show me how to do it. Till then I'll know something like this is possible.

[LeFiXER]

On the main Cheat Engine window click Table on the menu followed by Show Lua Cheat Table Script, then paste that code there. Every time you open your table you will be asked (you can choose not to be asked, automatically run the script, or ask every time) whether you want to run that script or not for that particular table. I would select yes given it is specific to that game.

[mugenishere]

On the main Cheat Engine window click Table on the menu followed by Show Lua Cheat Table Script, then paste that code there. Every time you open your table you will be asked (you can choose not to be asked, automatically run the script, or ask every time) whether you want to run that script or not for that particular table. I would select yes given it is specific to that game.

Got it! Thanks for sharing this. I will try it out later this week.

[LeFiXER]

Np