CompactDisc wrote: Sun Oct 25, 2020 2:33 pm
scan the prologue first
I wasn't talking to you in that post. The author of the table you're debating (Csimbi) should change the way he scans for AOBs. I didn't look at his table, though what I suggested is this:
Code:
local prologue = getAddress( "BattleTech.UI:CombatDebugHUD:SetGodMode" )
-- "xor r13d,r13d ; jmp rel32" within the first 0x100 bytes of the known function
local getJMP = AOBScanEx( "45 33 ED E9 ?? ?? ?? ??", nil, nil, nil, prologue, prologue+0x100 )
assert( getJMP, "xor/jmp pair not found in the known function" )
local jmp = tonumber( getJMP[0], 16 ) + 0x3   -- skip the 3-byte xor, land on the E9
-- rel32 is signed; destination = address right after the 5-byte jmp + rel32
local destination = jmp + readInteger( jmp + 0x1 ) + 0x5
-- first C3 (ret) after the destination = epilogue of the function we want
local getRET = AOBScanEx( "C3", nil, nil, nil, destination, destination+0x100 )
assert( getRET, "ret not found after jmp destination" )
local epilogue = tonumber( getRET[0], 16 )
-- scan only between prologue and epilogue, not the whole address space
local getMOVSS = AOBScanEx( "F3 0F 10 05 ?? ?? ?? ?? F3", nil, nil, nil, prologue, epilogue )
if getMOVSS and getMOVSS.Count == 4 then
  -- the four matches are getMOVSS[0] .. getMOVSS[3]
end
I am going to a KNOWN function (e.g.: BattleTech.UI:CombatDebugHUD:SetGodMode), then I am doing a scan for the "45 33 ED E9 ?? ?? ?? ??" array between the prologue (start) of the function and start+0x100 bytes. I am looking for a JMP (E9 xx xx xx xx). Once found, I calculate its destination, go there, then scan for a "C3" byte, which gives me the epilogue (end) of the function I'm looking for. Then between "prologue" and "epilogue" I am scanning for whateverthefuck I am interested in, which is "F3 0F 10 05 ?? ?? ?? ?? F3". This way, instead of using this "F3 0F 10 05 ?? ?? ?? ?? F3" directly and potentially not finding it on the first try (cuz I bet in Csimbi's table AOBs are scanned in the WHOLE memory space), I narrow down where I wanna find it.
Like I said, you have the table, there's a [ Debug ] section. Make use of my shit
BR,
Sun
P.S.: If your known function isn't JIT-ed, you can have CE do it for you, which will remove the need to perform some action to trigger Unity to JIT it. How? You will have to learn some Lua, or check other people's tables and understand how they do it. Here's one:
viewtopic.php?p=137839#p137839
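The bounding technique described in the post above (find the xor/jmp pair near a known prologue, follow the signed rel32, take the first C3 after the destination as the epilogue, then scan only between the two), as an added stand-alone model in Python. This is not Cheat Engine's or the table author's code: process memory is a constructed byte buffer, `scan_aob()` stands in for the CE AOB scan with `??` wildcards and a `[start, stop)` range, and the load address `BASE`, the buffer layout and the decoy matches placed outside the function are all assumptions made for the demonstration. It goes slightly beyond the post's snippet in that the jmp resolver handles backward (negative rel32) jumps and the final scan is compared against an unbounded one.

```python
"""Bounded AOB scanning, modelled on the approach in the post above (added example)."""
import re
import struct

BASE = 0x7FF700000000  # assumed load address of the constructed code buffer


def aob_to_regex(pattern: str) -> re.Pattern:
    """Compile 'F3 0F 10 05 ?? ?? ?? ?? F3' into a bytes regex ('??' matches any byte)."""
    parts = [b"." if tok in ("??", "*") else re.escape(bytes([int(tok, 16)]))
             for tok in pattern.split()]
    return re.compile(b"".join(parts), re.DOTALL)


def scan_aob(mem: bytes, base: int, pattern: str, start: int, stop: int) -> list:
    """Absolute addresses of every non-overlapping match of pattern inside [start, stop)."""
    lo, hi = max(0, start - base), min(len(mem), stop - base)
    return [base + m.start() for m in aob_to_regex(pattern).finditer(mem, lo, hi)]


def jmp_rel32_target(mem: bytes, base: int, jmp_addr: int) -> int:
    """Destination of an E9 rel32 JMP. rel32 is signed, so backward jumps resolve too."""
    off = jmp_addr - base
    if mem[off] != 0xE9:
        raise ValueError(f"no E9 jmp at {jmp_addr:#x}")
    rel = struct.unpack_from("<i", mem, off + 1)[0]
    return jmp_addr + 5 + rel


def scan_within_function(mem: bytes, base: int, prologue: int, needle: str):
    """Narrow an AOB scan to one function, as the post describes:
    1. find 'xor r13d,r13d ; jmp rel32' within 0x100 bytes of the known prologue,
    2. follow the jmp and take the first C3 after its destination as the epilogue,
    3. scan for the needle only between prologue and epilogue.
    Returns (epilogue, list of hit addresses)."""
    jmps = scan_aob(mem, base, "45 33 ED E9 ?? ?? ?? ??", prologue, prologue + 0x100)
    if len(jmps) != 1:
        raise LookupError(f"expected one xor/jmp pair, found {len(jmps)}")
    jmp = jmps[0] + 3                       # skip the 3-byte xor, land on the E9
    dest = jmp_rel32_target(mem, base, jmp)
    rets = scan_aob(mem, base, "C3", dest, dest + 0x100)
    if not rets:
        raise LookupError("no C3 within 0x100 bytes of the jmp destination")
    epilogue = rets[0]
    return epilogue, scan_aob(mem, base, needle, prologue, epilogue)


MOVSS_PATTERN = "F3 0F 10 05 ?? ?? ?? ?? F3"


def build_sample_memory():
    """Constructed x64-style code (an assumption, not a real dump): decoy movss loads
    outside the function, a function at BASE+0x100 whose body (reached via the jmp)
    holds four movss loads, then ret. Returns (memory, prologue, expected epilogue)."""
    mem = bytearray(0x400)                  # zero filler between the pieces
    movss = bytes.fromhex("F3 0F 10 05 11 22 33 44 F3 90")  # movss xmm0,[rip+x] ; pause
    mem[0x010:0x01A] = movss                # decoy before the prologue
    mem[0x300:0x30A] = movss                # decoy after the epilogue
    prologue, body = 0x100, 0x180
    mem[0x100:0x107] = bytes.fromhex("55 48 8B EC 45 33 ED")  # push rbp; mov rbp,rsp; xor r13d,r13d
    jmp = 0x107
    mem[jmp] = 0xE9
    struct.pack_into("<i", mem, jmp + 1, body - (jmp + 5))    # forward rel32 into the body
    off = body
    for _ in range(4):
        mem[off:off + 10] = movss
        off += 10
    mem[off] = 0xC3                         # ret: the epilogue the C3 scan should find
    return bytes(mem), BASE + prologue, BASE + off


if __name__ == "__main__":
    mem, prologue, _ = build_sample_memory()
    epilogue, hits = scan_within_function(mem, BASE, prologue, MOVSS_PATTERN)
    everywhere = scan_aob(mem, BASE, MOVSS_PATTERN, BASE, BASE + len(mem))
    print(f"function {prologue:#x}-{epilogue:#x}: {len(hits)} hits, "
          f"{len(everywhere)} hits in the whole buffer")
```

The bounded scan returns exactly the four loads inside the function, while the same pattern over the whole buffer also picks up the two decoys; that difference is the reason for bounding the scan in the first place. The rel32 is read as a signed little-endian value, so the same resolver works when the JIT places the body before the jmp.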