Script needs improvements! Long Time Loading

[marek1957]

Hello,
I was making this scripts for 3 days and it is working perfectly but I think it needs improvements because it is loading so much because it is searching through all the memory section, not game memory section.

For each track that the hack adds to QSR mode, it needs the address of a unique string. Unfortunately these addresses are not static and not in an area of the memory connected to Asphalt8.exe (so, as said, not static).

My only solution (I tried others that did not work) was to add an AOB scan for each track, which causes the hack to need several seconds to be activated when you select it.
The AOB scans take time because it has to scan ALL memory instead of only the area reserved for Asphalt8.exe.

All AOBs are always inside a small memory region of 0x41000 bytes so if we could find a way to use aobscanregion instead of aobscan , it would improve the time to load the hack. I tried a few things to use aobscanregion but none worked.

My idea was ... I use aobscan to find the first track string; let's say this memory address is X. Then, all other track strings can be found in the regions X-41000 and X+41000 since I know that they are all inside this region of size 0x41000. But I could not find a way to implement such idea.

Please my Dear People, see what you can do to improve the hack, but it works fine as it is, just take time to load.

In short way - this hack is adding missing maps to Quick Race Mode in Asphalt 8 v3.5.0j game PC Version

SCRIPT:

Code: Select all

/// This script adds missing maps to Quick Solo Race - Unlock All Maps


{
There are NINE addresses that ACCESS the first byte of the
"EventDef_XXX_..." string in this order:
1  "Asphalt8.exe"+CD3C0B
2  "Asphalt8.exe"+CD3C16
3  "Asphalt8.exe"+D2E3E0
4  "Asphalt8.exe"+D2E563   << accesses it 2x
5  "Asphalt8.exe"+D2E565
6  "Asphalt8.exe"+A2140    << accesses it 26x
7  "Asphalt8.exe"+CD45E0   @ [ebx]
8  "Asphalt8.exe"+D2E579
9  "Asphalt8.exe"+8D083    @ [ebx+esi]
These addresses access the byte when you enter the Quick Solo Race page
Apparently they access the bytes of ALL "EventDef_XXX_..." strings each time
}

define(address,"Asphalt8.exe"+54762E)
define(bytes,C6 45 FC 02 E8 19 37 B0 FF)

[ENABLE]

aobscan(EDArx01,45 76 65 6E 74 44 65 66 5F 41 72 78 5F 30 31 00)
aobscan(EDArx01R,45 76 65 6E 74 44 65 66 5F 41 72 78 5F 30 31 5F 52 65 76 65 72 73 65 00)
aobscan(EDArx02,45 76 65 6E 74 44 65 66 5F 41 72 78 5F 30 32 00)
aobscan(EDArx02R,45 76 65 6E 74 44 65 66 5F 41 72 78 5F 30 32 5F 52 65 76 65 72 73 65 00)
aobscan(EDRio01,45 76 65 6E 74 44 65 66 5F 52 69 6F 5F 30 31 00)
aobscan(EDRio01R,45 76 65 6E 74 44 65 66 5F 52 69 6F 5F 30 31 5F 52 65 76 65 72 73 65 00)
aobscan(EDRio02,45 76 65 6E 74 44 65 66 5F 52 69 6F 5F 30 32 00)
aobscan(EDRio02R,45 76 65 6E 74 44 65 66 5F 52 69 6F 5F 30 32 5F 52 65 76 65 72 73 65 00)
aobscan(EDPat01,45 76 65 6E 74 44 65 66 5F 50 61 74 5F 30 31 00)
aobscan(EDPat01R,45 76 65 6E 74 44 65 66 5F 50 61 74 5F 30 31 5F 52 65 76 65 72 73 65 00)
aobscan(EDPat02,45 76 65 6E 74 44 65 66 5F 50 61 74 5F 30 32 00)
aobscan(EDPat02R,45 76 65 6E 74 44 65 66 5F 50 61 74 5F 30 32 5F 52 65 76 65 72 73 65 00)
aobscan(EDSub01,45 76 65 6E 74 44 65 66 5F 53 75 62 5F 30 31 00)
aobscan(EDSub01R,45 76 65 6E 74 44 65 66 5F 53 75 62 5F 30 31 5F 52 65 76 65 72 73 65 00)
aobscan(EDSub02,45 76 65 6E 74 44 65 66 5F 53 75 62 5F 30 32 00)
aobscan(EDSub02R,45 76 65 6E 74 44 65 66 5F 53 75 62 5F 30 32 5F 52 65 76 65 72 73 65 00)
registersymbol(EDArx01)
registersymbol(EDArx01R)
registersymbol(EDArx02)
registersymbol(EDArx02R)
registersymbol(EDRio01)
registersymbol(EDRio01R)
registersymbol(EDRio02)
registersymbol(EDRio02R)
registersymbol(EDPat01)
registersymbol(EDPat01R)
registersymbol(EDPat02)
registersymbol(EDPat02R)
registersymbol(EDSub01)
registersymbol(EDSub01R)
registersymbol(EDSub02)
registersymbol(EDSub02R)

assert(address,bytes)
alloc(newmem,$2FD)

label(code)
label(return)

newmem:

code:
  // ========================= AREA 51 =========================
  // starts code to add AREA 51 - 1st track = "TEST SITE: OMEGA"
  mov [ebp+08],00000000 { 0 }
  push EDArx01 { ["EventDef_Arx_01"] }
  lea ecx,[ebp+08]
  mov byte ptr [ebp-04],4D { 77 }
  call Asphalt8.VSDesignerDllMain+1E470
  lea eax,[ebp+08]
  mov byte ptr [ebp-04],4E { 78 }
  push eax
  mov ecx,edi
  call Asphalt8.exe+54100
  lea ecx,[ebp+08]
  call Asphalt8.exe+4AD50

  // starts code to add AREA 51 - 2nd track = "CLASSIFIED"
  mov [ebp+08],00000000 { 0 }
  push EDArx01R { ["EventDef_Arx_01_Reverse"] }
  lea ecx,[ebp+08]
  mov byte ptr [ebp-04],4F { 79 }
  call Asphalt8.VSDesignerDllMain+1E470
  lea eax,[ebp+08]
  mov byte ptr [ebp-04],50 { 80 }
  push eax
  mov ecx,edi
  call Asphalt8.exe+54100
  lea ecx,[ebp+08]
  call Asphalt8.exe+4AD50

  // starts code to add AREA 51 - 3rd track = "THE SECRET LAB"
  mov [ebp+08],00000000 { 0 }
  push EDArx02 { ["EventDef_Arx_02"] }
  lea ecx,[ebp+08]
  mov byte ptr [ebp-04],51 { 81 }
  call Asphalt8.VSDesignerDllMain+1E470
  lea eax,[ebp+08]
  mov byte ptr [ebp-04],52 { 82 }
  push eax
  mov ecx,edi
  call Asphalt8.exe+54100
  lea ecx,[ebp+08]
  call Asphalt8.exe+4AD50

  // starts code to add AREA 51 - 4th track = "ROUTE 375-1"
  mov [ebp+08],00000000 { 0 }
  push EDArx02R { ["EventDef_Arx_02_Reverse"] }
  lea ecx,[ebp+08]
  mov byte ptr [ebp-04],53 { 83 }
  call Asphalt8.VSDesignerDllMain+1E470
  lea eax,[ebp+08]
  mov byte ptr [ebp-04],54 { 84 }
  push eax
  mov ecx,edi
  call Asphalt8.exe+54100
  lea ecx,[ebp+08]
  call Asphalt8.exe+4AD50

  // ===================== RIO DE JANEIRO =====================
  // starts code to add RJ - 1st track = "IPANEMA SHOWDOWN"
  mov [ebp+08],00000000 { 0 }
  push EDRio01 { ["EventDef_Rio_01"] }
  lea ecx,[ebp+08]
  mov byte ptr [ebp-04],55 { 85 }
  call Asphalt8.VSDesignerDllMain+1E470
  lea eax,[ebp+08]
  mov byte ptr [ebp-04],56 { 86 }
  push eax
  mov ecx,edi
  call Asphalt8.exe+54100
  lea ecx,[ebp+08]
  call Asphalt8.exe+4AD50

  // starts code to add RJ - 2nd track = "RAPIDO PARK"
  mov [ebp+08],00000000 { 0 }
  push EDRio01R { ["EventDef_Rio_01_Reverse"] }
  lea ecx,[ebp+08]
  mov byte ptr [ebp-04],57 { 87 }
  call Asphalt8.VSDesignerDllMain+1E470
  lea eax,[ebp+08]
  mov byte ptr [ebp-04],58 { 88 }
  push eax
  mov ecx,edi
  call Asphalt8.exe+54100
  lea ecx,[ebp+08]
  call Asphalt8.exe+4AD50

  // starts code to add RJ - 3rd track = "OCEANVIEW DERBY"
  mov [ebp+08],00000000 { 0 }
  push EDRio02 { ["EventDef_Rio_02"] }
  lea ecx,[ebp+08]
  mov byte ptr [ebp-04],59 { 89 }
  call Asphalt8.VSDesignerDllMain+1E470
  lea eax,[ebp+08]
  mov byte ptr [ebp-04],5A { 90 }
  push eax
  mov ecx,edi
  call Asphalt8.exe+54100
  lea ecx,[ebp+08]
  call Asphalt8.exe+4AD50

  // starts code to add RJ - 4th track = "HIGHLAND VIEW"
  mov [ebp+08],00000000 { 0 }
  push EDRio02R { ["EventDef_Rio_02_Reverse"] }
  lea ecx,[ebp+08]
  mov byte ptr [ebp-04],5B { 91 }
  call Asphalt8.VSDesignerDllMain+1E470
  lea eax,[ebp+08]
  mov byte ptr [ebp-04],5C { 92 }
  push eax
  mov ecx,edi
  call Asphalt8.exe+54100
  lea ecx,[ebp+08]
  call Asphalt8.exe+4AD50

  // ======================== PATAGONIA ========================
  // starts code to add Patagonia - 1st track = "CRYSTAL LAKE"
  mov [ebp+08],00000000 { 0 }
  push EDPat01 { ["EventDef_Pat_01"] }
  lea ecx,[ebp+08]
  mov byte ptr [ebp-04],5D { 93 }
  call Asphalt8.VSDesignerDllMain+1E470
  lea eax,[ebp+08]
  mov byte ptr [ebp-04],5E { 94 }
  push eax
  mov ecx,edi
  call Asphalt8.exe+54100
  lea ecx,[ebp+08]
  call Asphalt8.exe+4AD50

  // starts code to add Patagonia - 2nd track = "AVALANCHE ALLEY"
  mov [ebp+08],00000000 { 0 }
  push EDPat01R { ["EventDef_Pat_01_Reverse"] }
  lea ecx,[ebp+08]
  mov byte ptr [ebp-04],5F { 95 }
  call Asphalt8.VSDesignerDllMain+1E470
  lea eax,[ebp+08]
  mov byte ptr [ebp-04],60 { 96 }
  push eax
  mov ecx,edi
  call Asphalt8.exe+54100
  lea ecx,[ebp+08]
  call Asphalt8.exe+4AD50

  // starts code to add Patagonia - 3rd track = "THE RIVER FORT"
  mov [ebp+08],00000000 { 0 }
  push EDPat02 { ["EventDef_Pat_02"] }
  lea ecx,[ebp+08]
  mov byte ptr [ebp-04],61 { 97 }
  call Asphalt8.VSDesignerDllMain+1E470
  lea eax,[ebp+08]
  mov byte ptr [ebp-04],62 { 98 }
  push eax
  mov ecx,edi
  call Asphalt8.exe+54100
  lea ecx,[ebp+08]
  call Asphalt8.exe+4AD50

  // starts code to add Patagonia - 4th track = "ICE CAVE"
  mov [ebp+08],00000000 { 0 }
  push EDPat02R { ["EventDef_Pat_02_Reverse"] }
  lea ecx,[ebp+08]
  mov byte ptr [ebp-04],63 { 99 }
  call Asphalt8.VSDesignerDllMain+1E470
  lea eax,[ebp+08]
  mov byte ptr [ebp-04],64 { 100 }
  push eax
  mov ecx,edi
  call Asphalt8.exe+54100
  lea ecx,[ebp+08]
  call Asphalt8.exe+4AD50

  // ======================== MUENCHEN ========================
  // starts code to add Munich - 1st track = "MARKET SQUARE"
  mov [ebp+08],00000000 { 0 }
  push EDSub01 { ["EventDef_Sub_01"] }
  lea ecx,[ebp+08]
  mov byte ptr [ebp-04],65 { 101 }
  call Asphalt8.VSDesignerDllMain+1E470
  lea eax,[ebp+08]
  mov byte ptr [ebp-04],66 { 102 }
  push eax
  mov ecx,edi
  call Asphalt8.exe+54100
  lea ecx,[ebp+08]
  call Asphalt8.exe+4AD50

  // starts code to add Munich - 2nd track = "MOSAIC MOTORWAY"
  mov [ebp+08],00000000 { 0 }
  push EDSub01R { ["EventDef_Sub_01_Reverse"] }
  lea ecx,[ebp+08]
  mov byte ptr [ebp-04],67 { 103 }
  call Asphalt8.VSDesignerDllMain+1E470
  lea eax,[ebp+08]
  mov byte ptr [ebp-04],68 { 104 }
  push eax
  mov ecx,edi
  call Asphalt8.exe+54100
  lea ecx,[ebp+08]
  call Asphalt8.exe+4AD50

  // starts code to add Munich - 3rd track = "ROOFTOP RACEWAY"
  mov [ebp+08],00000000 { 0 }
  push EDSub02 { ["EventDef_Sub_02"] }
  lea ecx,[ebp+08]
  mov byte ptr [ebp-04],69 { 105 }
  call Asphalt8.VSDesignerDllMain+1E470
  lea eax,[ebp+08]
  mov byte ptr [ebp-04],6A { 106 }
  push eax
  mov ecx,edi
  call Asphalt8.exe+54100
  lea ecx,[ebp+08]
  call Asphalt8.exe+4AD50

  // starts code to add Munich - 4th track = "RAPID TRANSIT"
  mov [ebp+08],00000000 { 0 }
  push EDSub02R { ["EventDef_Pat_02_Reverse"] }
  lea ecx,[ebp+08]
  mov byte ptr [ebp-04],6B { 107 }
  call Asphalt8.VSDesignerDllMain+1E470
  lea eax,[ebp+08]
  mov byte ptr [ebp-04],6C { 108 }
  push eax
  mov ecx,edi
  call Asphalt8.exe+54100
  lea ecx,[ebp+08]
  //call Asphalt8.exe+4AD50

  mov byte ptr [ebp-04],02   // ORIGINAL CODE = END OF LIST
  call Asphalt8.exe+4AD50    // ORIGINAL CODE
  jmp return

address:
  jmp newmem
  nop
  nop
  nop
  nop
return:

[DISABLE]

address:
  db bytes
  // mov byte ptr [ebp-04],02
  // call Asphalt8.exe+4AD50

unregistersymbol(EDArx01)
unregistersymbol(EDArx01R)
unregistersymbol(EDArx02)
unregistersymbol(EDArx02R)
unregistersymbol(EDRio01)
unregistersymbol(EDRio01R)
unregistersymbol(EDRio02)
unregistersymbol(EDRio02R)
unregistersymbol(EDPat01)
unregistersymbol(EDPat01R)
unregistersymbol(EDPat02)
unregistersymbol(EDPat02R)
unregistersymbol(EDSub01)
unregistersymbol(EDSub01R)
unregistersymbol(EDSub02)
unregistersymbol(EDSub02E)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: "Asphalt8.exe"+54762E

"Asphalt8.exe"+54760B: 68 08 6B F0 01        -  push Asphalt8.exe+16D6B08
"Asphalt8.exe"+547610: 8D 4D 08              -  lea ecx,[ebp+08]
"Asphalt8.exe"+547613: C6 45 FC 4B           -  mov byte ptr [ebp-04],4B
"Asphalt8.exe"+547617: E8 D4 C5 78 00        -  call Asphalt8.exe+CD3BF0
"Asphalt8.exe"+54761C: 8D 45 08              -  lea eax,[ebp+08]
"Asphalt8.exe"+54761F: C6 45 FC 4C           -  mov byte ptr [ebp-04],4C
"Asphalt8.exe"+547623: 50                    -  push eax
"Asphalt8.exe"+547624: 8B CF                 -  mov ecx,edi
"Asphalt8.exe"+547626: E8 D5 CA B0 FF        -  call Asphalt8.exe+54100
"Asphalt8.exe"+54762B: 8D 4D 08              -  lea ecx,[ebp+08]
// ---------- INJECTING HERE ----------
"Asphalt8.exe"+54762E: C6 45 FC 02           -  mov byte ptr [ebp-04],02
"Asphalt8.exe"+547632: E8 19 37 B0 FF        -  call Asphalt8.exe+4AD50
// ---------- DONE INJECTING  ----------
"Asphalt8.exe"+547637: 8B 7D F0              -  mov edi,[ebp-10]
"Asphalt8.exe"+54763A: 8D 45 08              -  lea eax,[ebp+08]
"Asphalt8.exe"+54763D: 50                    -  push eax
"Asphalt8.exe"+54763E: C7 45 08 00 00 00 00  -  mov [ebp+08],00000000
"Asphalt8.exe"+547645: 8D B7 10 03 00 00     -  lea esi,[edi+00000310]
"Asphalt8.exe"+54764B: 8B CE                 -  mov ecx,esi
"Asphalt8.exe"+54764D: E8 AE E4 B3 FF        -  call Asphalt8.exe+85B00
"Asphalt8.exe"+547652: 8D 45 08              -  lea eax,[ebp+08]
"Asphalt8.exe"+547655: C7 45 08 03 00 00 00  -  mov [ebp+08],00000003
"Asphalt8.exe"+54765C: 50                    -  push eax
}

[TimFun13]

I would keep trying the "aobScanRegion". Why isn't it working? What did you try when it didn't work?

Code: Select all

aobScanRegion(SomeSymbol, Tutorial-i386.exe+4000, Tutorial-i386.exe+5000, 89 C7 89 CE 8B 4D 0C 8A 45 08 83 C1 01 89 4D 
FC 8D 4A 01 3B 4D FC)

Note: You can use other AOB symbols for the region addresses

Code: Select all

aobScan(StartRegionAOB, ...)
aobScan(EndRegionAOB, ...)
aobScanRegion(SomeSymbol, StartRegionAOB, EndRegionAOB, ...)

[Link]


That and right click the script and select "Execute asynchronous", this will at lest put it on a different thread so CE won't freeze as badly.

And just to ask, why does a few seconds matter, if it's a few minutes sure but a few seconds? But In short, you may not be able to improve this as much as you would like. But I too would think some improvement is possible, but it may only be by a fraction of a second.

You could use "aobScanModule" if it's in a module, it doesn't have to be the main module for the game, but it sounds like it's just some resources (accessed by some module(s)) and may not be in a module at all.

EDIT:
The table I posted here takes about 3 to 5 seconds to enable the "Main Hooks" (with an i7, and 24G ram), and I have heard no complaints. Well not pertaining to that.
Metal Gear Solid 5 Phantom Pain - table v: 2.0.8 CT

[panraven]

Probably there are no scanning need.
It seems what all need are some references to some known zero terminated strings,
They can be 'created' by your owns.
The sample code below modify your code a bit to loop through a set of tracks data you have to defined,
hope it clear enough to tell the idea.

Sample code

Code: Select all

define(address,"Asphalt8.exe"+54762E)
define(bytes,C6 45 FC 02 E8 19 37 B0 FF)
[ENABLE]
alloc(tracks,$4000)

label(return)

label(done)
//// start of cave code
tracks:
push   esi
  mov  esi,tracks+1000 /// tracks data start

@@: /// start next tracks
  mov  eax,[esi]
  test eax,eax
  jle  done /// -1, mark for end of tracks data

/// YOUR CODE START, with modification
    mov [ebp+08],00000000 { 0 }
  ////push EDArx01 { ["EventDef_Arx_01"] }
      lea  eax,[esi+08]
      push eax
  ////////////////////////

    lea ecx,[ebp+08]
  ////mov byte ptr [ebp-04],4D { 77 }
      mov al,[esi]
      mov byte ptr [ebp-04],al
  ////////////////////////

    call Asphalt8.VSDesignerDllMain+1E470
  ////mov byte ptr [ebp-04],4E { 78 }  ////  swapped with next op, since both use eax as temporary
      mov al,[esi+04]
      mov byte ptr [ebp-04],al
  ////////////////////////
    lea eax,[ebp+08]

    push eax
    mov ecx,edi
    call Asphalt8.exe+54100
    lea ecx,[ebp+08]
    call Asphalt8.exe+4AD50
/// YOUR CODE END


//// advance tracks data by +40
    lea  esi,[esi+40]
jmp @b /// jump back for next tracks, #2,....till end reach

done:
pop    esi

//// your original code
  mov byte ptr [ebp-04],02   // ORIGINAL CODE = END OF LIST
  call Asphalt8.exe+4AD50    // ORIGINAL CODE
  jmp return

//// end of cave code
/////////////////////


//// Inject point
address:
  jmp tracks
  nop
  nop
  nop
  nop
return:


////// define tracks data

tracks+1000:
dd 77 78
db 'EventDef_Arx_01' 0 /// <- remember the last zero to terminate the string
 
tracks+1040:
dd 79 80
db 'EventDef_Arx_01_Reverse' 0

//...
// add +40 (should be enough) to tracks+xxxx: for next tracks
//...
tracks+1080://  end of track data
dd -1 -1

[DISABLE]
address:
  db bytes

dealloc(tracks)

bye~

[marek1957]

Thank you for your tips guys! I already improved my script and now it loads fast!!!
Took me almost two days testing and learning alternatives but I am finally happy with the result.
It is FIVE seconds FASTER. Before, it was taking SIX seconds to load, now it takes ONE.
I managed to get all necessary strings in just one aobscan... before I was doing 16 aobscans.

Code: Select all

define(address,"Asphalt8.exe"+54762B)
define(bytes,8D 4D 08 C6 45 FC 02)

[ENABLE]

assert(address,bytes)
alloc(newmem,$2FD)

label(code)
label(return)

newmem:

code:
{$lua}
  if syntaxcheck then return end
  local cc = "\r\n"
  local nmb = 0x4D
  local j = 0, t
  local s = "EventDef_"
  t = {s .. "Arx_01",s .. "Arx_01_Reverse",s .. "Arx_02",s .. "Arx_02_Reverse",
       s .. "Rio_01",s .. "Rio_01_Reverse",s .. "Rio_02",s .. "Rio_02_Reverse",
       s .. "Pat_01",s .. "Pat_01_Reverse",s .. "Pat_02",s .. "Pat_02_Reverse",
       s .. "Sub_01",s .. "Sub_01_Reverse",s .. "Sub_02",s .. "Sub_02_Reverse",}

  statChangeAddys = AOBScan("45 76 65 6E 74 44 65 66 5F ?? ?? ?? 5F 30 3?")
  if not statChangeAddys then return 0 end
  for _,value in ipairs(t) do
    for i = 0, statChangeAddys.Count - 1 do
      if value == readString(statChangeAddys[i]) then
        cc = cc .. "mov [ebp+08],00000000" .. "\r\n"
        cc = cc .. "push " .. string.format(statChangeAddys[i]) .. " // "
                           .. readString(statChangeAddys[i]) .. "\r\n"
        cc = cc .. "lea ecx,[ebp+08]" .. "\r\n"
        cc = cc .. "mov byte ptr [ebp-04]," .. string.format("%X",nmb+2*j) .. "\r\n"
        cc = cc .. "call Asphalt8.VSDesignerDllMain+1E470" .. "\r\n"
        cc = cc .. "lea eax,[ebp+08]" .. "\r\n"
        cc = cc .. "mov byte ptr [ebp-04]," .. string.format("%X",nmb+2*j+1) .. "\r\n"
        cc = cc .. "push eax" .. "\r\n"
        cc = cc .. "mov ecx,edi" .. "\r\n"
        cc = cc .. "call Asphalt8.exe+54100" .. "\r\n"
        cc = cc .. "lea ecx,[ebp+08]" .. "\r\n"
        j = j + 1
        if j < 16 then cc = cc .. "call Asphalt8.exe+4AD50" .. "\r\n\r\n" end
        break
      end
    end
  end
  return (cc)
{$asm}
  //lea ecx,[ebp+08]            // ORIGINAL CODE
  mov byte ptr [ebp-04],02    // ORIGINAL CODE
  jmp return

address:
  jmp newmem
  nop
  nop
return:

[DISABLE]

address:
  db bytes

dealloc(newmem)

{$lua}
  if syntaxcheck or not statChangeAddys then return end
  statChangeAddys.destroy()
  statChangeAddys = nil
{$asm}