AOBscan question/help to just fetch an address?

Post by LCHLH »

Heya, I'm not new to CE, but I'm completely useless when it comes to assembly/scripts, so I've got a question about AOBscan but no idea how I can even search for an answer if it was given in a different thread:

Can AOBscan be used to simply fetch an address (of the first byte maybe) and register a name for it to be used as a base in the table?

Here's a visual:
[image]
scan for pattern, get address of first byte, set a name for it, and it's used in the group with +4+8+etc. children

Initially, I tried doing something like in this post, to get a mouseover pointer address and just work from there for quantities/item IDs etc., but I suck and every single thing that I found that reads that address will crash the game once activated, so I'm back to trying this.

I hoped the whole "code" part that messes with memory isn't needed, so I winged it and tried to do something simple, but...
this evidently doesn't work:

Code:

[ENABLE]
aobscanmodule(InventoryStart,eldenring.exe,73 00 00 B0 73 00 00 40) // should be unique
label(Inv_Start)
registersymbol(Inv_Start)

Inv_Start:
dq 0

[DISABLE]
unregistersymbol(Inv_Start)

My brain just doesn't work with code and I'm not looking to learn the intricacies of how such a thing can be accomplished, I just need a quick fix to automate the whole manual scanning part... Can a kind soul please share a simple AOBscan code that does what I said and maybe can be changed simply by modifying the exe name and the pattern for other games? Or is that not possible at all?

I'd love to not make a new thread for this and just find the answer, but I really don't know how to query the search engines in this case, and I can't figure it out myself. (heck I don't even know if this is the right forum to ask this question, apologies if it isn't)

Thank you.

Re: AOBscan question/help to just fetch an address?

Post by Marc »

You are almost there :) What should work is:

Code:

[ENABLE]
aobscanmodule(InventoryStart,eldenring.exe,73 00 00 B0 73 00 00 40) // just for searching
registersymbol(InventoryStart) // then publish the found address under this name

[DISABLE]
unregistersymbol(InventoryStart)

have fun,
Marc

Re: AOBscan question/help to just fetch an address?

Post by VampTY »

Hi,

Code:

[ENABLE]
aobscanmodule(InventoryStart,eldenring.exe,73 00 00 B0 73 00 00 40)
alloc(Inv_Start,4)
registersymbol(InventoryStart Inv_Start)

[DISABLE]
dealloc(*)
unregistersymbol(*)

1. Where is "alloc(Inv_Start,4)" it could also be "alloc(Inv_Start,8)"; change to "4" if the game is for 32, or change it to "8" if the game is for 64.
2. Where is "registersymbol(InventoryStart Inv_Start)" you don't need to add a new line with "registersymbol(...)", just add it next to your main address, just make sure to have a "space" between them. This works for whatever, meaning if you'd add another one, like "registersymbol(InventoryStart Inv_Start Items)", just add another space and add it.
3. Where is "dealloc(*)" and "unregistersymbol(*)" like this, this will work for whatever you'll add, even if it is a single one, or multiple added (see what I've explained at point 2); no need to add "n" lines of "unregistersymbol(...)", just this and it will unregister all.

And most of all:

newmem:
mov [Inv_Start],...

Or add it in:

code:
mov [Inv_Start],...

Where is "...." just add from where the value is located, in your case. Also make sure to add that "Inv_Start" right, plus any offset(s). I'd make sure although to use only one word, like "inv" or "_inv", keep them shorter, but all is your choice! ;)

Take care! :P

Or paste here your entire aob, see what it does, then paste that here! :ph34r:
Last edited by VampTY on Mon Feb 28, 2022 1:48 pm, edited 1 time in total.

Re: AOBscan question/help to just fetch an address?

Post by LCHLH »

Marc wrote (Mon Feb 28, 2022 11:47 am):
> You are almost there :) What should work is:
>
> Code:
>
> [ENABLE]
> aobscanmodule(InventoryStart,eldenring.exe,73 00 00 B0 73 00 00 40) // just for searching
> registersymbol(InventoryStart) // then publish the found address under this name
>
> [DISABLE]
> unregistersymbol(InventoryStart)
>
> have fun,
> Marc

Hey, thanks for replying!

AOBscan seems to not find anything, but the normal scan works fine; am I missing something? (fresh instance of the game and CE, no other scripts or anything else to mess up something)
[image]

VampTY wrote (Mon Feb 28, 2022 1:43 pm):
> Hi,
>
> Code:
>
> [ENABLE]
> aobscanmodule(InventoryStart,eldenring.exe,73 00 00 B0 73 00 00 40)
> alloc(Inv_Start,4)
> registersymbol(InventoryStart Inv_Start)
>
> [DISABLE]
> dealloc(*)
> unregistersymbol(*)
>
> 1. Where is "alloc(Inv_Start,4)" it could also be "alloc(Inv_Start,8)"; change to "4" if the game is for 32, or change it to "8" if the game is for 64.
> 2. Where is "registersymbol(InventoryStart Inv_Start)" you don't need to add a new line with "registersymbol(...)", just add it next to your main address, just make sure to have a "space" between them. This works for whatever, meaning if you'd add another one, like "registersymbol(InventoryStart Inv_Start Items)", just add another space and add it.
> 3. Where is "dealloc(*)" and "unregistersymbol(*)" like this, this will work for whatever you'll add, even if it is a single one, or multiple added (see what I've explained at point 2); no need to add "n" lines of "unregistersymbol(...)", just this and it will unregister all.
>
> And most of all:
>
> newmem:
> mov [Inv_Start],...
>
> Or add it in:
>
> code:
> mov [Inv_Start],...
>
> Where is "...." just add from where the value is located, in your case. Also make sure to add that "Inv_Start" right, plus any offset(s). I'd make sure although to use only one word, like "inv" or "_inv", keep them shorter, but all is your choice! ;)
>
> Take care! :P
>
> Or paste here your entire aob, see what it does, then paste that here! :ph34r:

I don't think I'm doing this right, same "Error: Not all results found", which is weird since that array is unique and I can find it easily with a normal array scan :(

Code:

<?xml version="1.0" encoding="utf-8"?>
<CheatTable>
  <CheatEntries>
    <CheatEntry>
      <ID>1337050446</ID>
      <Description>"InventoryStart 2"</Description>
      <LastState/>
      <VariableType>Auto Assembler Script</VariableType>
      <AssemblerScript>{ Game   : No Process Selected
  Version: 
  Date   : 2022-02-28
  Author : VampTY

  This script does blah blah blah
}

[ENABLE]
aobscanmodule(InventoryStart,eldenring.exe,73 00 00 B0 73 00 00 40)
alloc(Inv_Start,8)
registersymbol(InventoryStart Inv_Start)
newmem:
mov [Inv_Start],0
code:
mov [Inv_Start],0
[DISABLE]
dealloc(*)
unregistersymbol(*)
</AssemblerScript>
    </CheatEntry>
  </CheatEntries>
</CheatTable>

I'm probably not understanding how the AOBscan script itself works, since it seems to be much more than the normal scanner, hence the "newmem: mov [Inv_Start],..." and "code: mov [Inv_Start],..." not ringing any bells for me so I just plopped a 0 :X

Re: AOBscan question/help to just fetch an address?

Post by VampTY »

Well, the example was OK, you just copied and pasted it like that. Look at that page again that you pasted, the second one:
viewtopic.php?f=16&t=18929&start=15

Look at that video... IN YOUR AOB YOU'LL ADD THOSE!

I did mention above, paste your AOB. :|

Best of luck!

================================

Or look at this video:


I don't know how much it will help you, since you're at the starting point, but if you master the first video, you'll do this as well (not the first time, it will take some experience). :) :P

Take care!

Re: AOBscan question/help to just fetch an address?

Post by LCHLH »

VampTY wrote (Mon Feb 28, 2022 2:37 pm):
> Well, the example was OK, you just copied and pasted it like that. Look at that page again that you pasted, the second one:
> viewtopic.php?f=16&t=18929&start=15
>
> Look at that video... IN YOUR AOB YOU'LL ADD THOSE!
>
> I did mention above, paste your AOB. :|
>
> Best of luck!
>
> ================================
>
> Or look at this video:
> -snip-
>
> I don't know how much it will help you, since you're at the starting point, but if you master the first video, you'll do this as well (not the first time, it will take some experience). :) :P
>
> Take care!

This worked in the end:

Code:

[ENABLE]
aobscan(InventoryStart,73 00 00 B0 73 00 00 40)
registersymbol(InvStart)
label(InvStart)
InventoryStart:
InvStart:

[DISABLE]
unregistersymbol(InvStart)

It's funny, aobscanmodule just will not work, it can't find the array. aobscan works fine, even though it takes like 30 seconds to find it, it works.

Is there something about aobscanmodule that just requires more stuff to work for such a simple thing? Does aobscan have a way to limit the range (starting with 7FF000000000 for example) to make it faster?

Anyway, I got my answer, and even if it takes longer it's more convenient to automate it, so cheers! thanks for the help ♫

Re: AOBscan question/help to just fetch an address?

Post by VampTY »

Ok, it's cool you did it. Well, AOB is more reliable {in most cases, if some updates are involved, having some aob script, that could work, in most cases}.

In your case, if you want "speed", code injection is the case. Code injection is way faster than aobscan or aobscanmodule or aobscanregion.

AOB Scan can and will "skip" some "checks" as well, no need to add the ".exe's name" also in the script! ;) That's why! ;)

Good luck, I'm not the best in explaining, all the best! :wub:

EDIT:

That with "starting with 7FF000000000", it depends on the mem allocated to dump files or those used when searching, you can lower the number though. Now, you're not at the level, yet, ;) , you can skip or jump some bytes to make it faster! :ph34r:

Re: AOBscan question/help to just fetch an address?

Post by LCHLH »

VampTY wrote (Mon Feb 28, 2022 8:04 pm):
> Ok, it's cool you did it. Well, AOB is more reliable {in most cases, if some updates are involved, having some aob script, that could work, in most cases}.
>
> In your case, if you want "speed", code injection is the case. Code injection is way faster than aobscan or aobscanmodule or aobscanregion.
>
> AOB Scan can and will "skip" some "checks" as well, no need to add the ".exe's name" also in the script! ;) That's why! ;)
>
> Good luck, I'm not the best in explaining, all the best! :wub:
>
> EDIT:
>
> That with "starting with 7FF000000000", it depends on the mem allocated to dump files or those used when searching, you can lower the number though. Now, you're not at the level, yet, ;) , you can skip or jump some bytes to make it faster! :ph34r:

Awesome, aobscanregion was what I was looking for to narrow down the scan, and this one's even simpler; thanks a bunch!

Code:

[ENABLE]
aobscanregion(InvStart,eldenring.exe-4C0D00000,eldenring.exe-2C0D00000,73 00 00 B0 73 00 00 40) // just for searching
registersymbol(InvStart) // then publish the found address under this name

[DISABLE]
unregistersymbol(InvStart)

Funny thing again, don't the addresses start at 0 for "process.exe" and you can offset them with +12345? this one seems to need negative offsets for the regions. The addresses for eldenring.exe+0 start at 7FF7xxxxxxxx, while the editable inventory is somewhere between 7FF3xxxxxxxx or 7FF4xxxxxxxx, meaning it's outside the exe? maybe that's why aobscanmodule can't find shit, cause it's not scanning backwards in the memory or something while the normal aobscan doesn't look only at the exe... bleh, I won't even try to comprehend what's wrong here...

Re: AOBscan question/help to just fetch an address?

Post by LeFiXER »

LCHLH wrote (Mon Feb 28, 2022 9:51 pm):
> Funny thing again, don't the addresses start at 0 for "process.exe" and you can offset them with +12345?

In executables produced for Windows NT, the default image base is 0x10000. For DLLs, the default is 0x400000. In Windows 95, the address 0x10000 can't be used to load 32-bit EXEs because it lies within a linear address region shared by all processes. As a result of this, Microsoft changed the default base address for Win32 executables to 0x400000. Windows operating systems now implement something called ASLR (Address Space Layout Randomization) in a bid to make things more secure; this feature basically places code at random locations in virtual memory which is why sometimes you see an address that has a positive or negative offset.
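
The behaviour worked out over the last few posts, as an added example that is not part of the thread and not Cheat Engine's own code: a Python model of a constructed address space in which the signature sits in a heap block below the relocated module image, so a module-bounded scan returns nothing while a full scan, or a region scan with negative module-relative offsets, finds it. The module base, image size and heap address are assumed values chosen to match the 7FF7/7FF4 ranges mentioned above, and the `??` wildcard handling goes beyond the thread's fixed pattern.

```python
# Added illustration: a constructed model of a 64-bit address space, not Cheat Engine code.
PATTERN = "73 00 00 B0 73 00 00 40"      # signature from the thread
MODULE_BASE = 0x7FF700000000             # assumed ASLR base of the exe image
MODULE_SIZE = 0x1000                     # assumed (tiny) image size
HEAP_BASE = 0x7FF410000000               # assumed heap block holding the inventory


def parse_aob(text):
    """'73 ?? B0' -> [0x73, None, 0xB0]; None marks a wildcard byte."""
    return [None if tok == "??" else int(tok, 16) for tok in text.split()]


def build_regions():
    """Constructed memory map: heap block with the signature, image without it."""
    heap = bytearray(0x800)
    heap[0x120:0x128] = bytes.fromhex(PATTERN)
    return [(HEAP_BASE, bytes(heap)), (MODULE_BASE, bytes(MODULE_SIZE))]


def scan(regions, aob, start=0, stop=2**64):
    """First address in [start, stop) where the pattern matches, else None."""
    pat = parse_aob(aob)
    for base, data in sorted(regions):
        lo = max(0, start - base)
        hi = min(len(data), stop - base) - len(pat)
        for off in range(lo, hi + 1):
            if all(p is None or data[off + i] == p for i, p in enumerate(pat)):
                return base + off
    return None


def scan_module(regions, aob):
    """aobscanmodule-style: only the module's own image range is searched."""
    return scan(regions, aob, MODULE_BASE, MODULE_BASE + MODULE_SIZE)


def scan_region(regions, aob, start_off, stop_off):
    """aobscanregion-style: bounds are signed offsets from the module base."""
    return scan(regions, aob, MODULE_BASE + start_off, MODULE_BASE + stop_off)


if __name__ == "__main__":
    mem = build_regions()
    hit = scan_region(mem, PATTERN, -0x4C0D00000, -0x2C0D00000)
    print("module scan:", scan_module(mem, PATTERN))      # heap is outside the image
    print("region scan:", hex(hit), "offset", hex(hit - MODULE_BASE))
```

The region bounds passed in the `__main__` section are the same offsets as in the aobscanregion script above; they come out negative because the heap block lies at a lower address than the module base.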
