Difference between revisions of "Tutorials:AOBs"

From Cheat Engine
Jump to navigation Jump to search
(Replaced content with '<span style="font-size:25px;color:red">Sorry! Content not available.</span>')
Line 1: Line 1:
<!-- Tutorials:AOBs -->
+
<span style="font-size:25px;color:red">Sorry! Content not available.</span>
[[Category:Tutorial]]
 
[[Category:Auto Assembler]]
 
{{DISPLAYTITLE:Auto Assembler - AOBs}}
 
<!-- https://forum.cheatengine.org/viewtopic.php?t=570083 -->
 
What is an AOB? An AOB is just an ''Array of Bytes'', it tends to be used as a signature. A signature is really only an AOB with wild cards. A signature can be found even if the address where it is changes, so long as the signature still exists.
 
 
 
So if we look at the code for step 8 of the CE tutorial (x32), we see some code like this.
 
<pre>
 
Tutorial-i386.exe+26180 - E8 7B85FEFF          - call Tutorial-i386.exe+E700
 
Tutorial-i386.exe+26185 - 8B 55 DC              - mov edx,[ebp-24] //// AOB starts here
 
Tutorial-i386.exe+26188 - 89 42 18              - mov [edx+18],eax //// Injecting here
 
Tutorial-i386.exe+2618B - 8B 45 DC              - mov eax,[ebp-24]
 
Tutorial-i386.exe+2618E - 8B 40 18              - mov eax,[eax+18]
 
Tutorial-i386.exe+26191 - 8D 55 B0              - lea edx,[ebp-50]
 
Tutorial-i386.exe+26194 - E8 073C0100          - call Tutorial-i386.exe+39DA0
 
 
 
</pre>
 
 
 
So we could just inject at the address ''Tutorial-i386.exe+26188'', but let's setup an AOB.
 
 
 
And we could just try ''89 42 18 8B 45 DC 8B 40 18 8D 55 B0'', but what if the registry changes or the offset.
 
 
 
So let's say that we always have a CALL, MOV, MOV, MOV, LEA, CALL, ...
 
Then we could make an AOB like this:
 
<pre>8Bxxxx89xxxx8Bxxxx8Bxxxx8DxxxxE8xxxxxxxx8Bxxxx8Bxxxx8Bxxxxxxxxxx</pre>
 
:Note: Any none byte characters are wild cards, so ''X'' and ''?'' are wild cards.
 
:Note: Any wild cards at the end of an AOB are really pointless, but they are left here to better show the instruction size for clarity.
 
:<pre>8Bxxxx89xxxx8Bxxxx8Bxxxx8DxxxxE8xxxxxxxx8Bxxxx8Bxxxx8B</pre>
 
 
 
So let's setup CE for an AOB scan.<br>
 
[[File:Tutorials-AOBs.01.png|border]]
 
 
 
 
 
And after clicking ''first scan'' we are looking to get just one result.<br>
 
[[File:Tutorials-AOBs.02.png|border]]
 
 
 
If you get more results then one just add more bytes to the ''signature''.
 
 
 
So to use this ''signature'' we'll need to use an offset. Let's look at a script using the ''signature''.
 
 
 
<pre>define(step8WrtBytes, 89 42 18 8B 45 DC)
 
////
 
//// ------------------------------ ENABLE ------------------------------
 
[ENABLE]
 
aobScanModule(aobStep8WrtHook, Tutorial-i386.exe, 8Bxxxx89xxxx8Bxxxx8Bxxxx8DxxxxE8xxxxxxxx8Bxxxx8Bxxxx8Bxxxxxxxxxx)
 
//// or with aobScan
 
//aobScan(aobStep8WrtHook, 8Bxxxx89xxxx8Bxxxx8Bxxxx8DxxxxE8xxxxxxxx8Bxxxx8Bxxxx8Bxxxxxxxxxx)
 
 
 
define(injStep8WrtHook, aobStep8WrtHook+3)
 
//// Here the offset is set, to be used for enabling and disabling.
 
 
 
assert(injStep8WrtHook, step8WrtBytes)
 
//// Here the bytes are asserted to be compatable with the process version.
 
 
 
registerSymbol(injStep8WrtHook)
 
alloc(memStep8WrtHook, 0x400, injStep8WrtHook)
 
//...
 
 
 
////
 
//// ---------- Injection Point ----------
 
injStep8WrtHook:
 
jmp step8wrtn_code
 
nop
 
step8wrtreturn:
 
 
 
////
 
//// ------------------------------ DISABLE ------------------------------
 
[DISABLE]
 
////
 
//// ---------- Injection Point ----------
 
injStep8WrtHook:
 
db step8WrtBytes
 
unregisterSymbol(injStep8WrtHook)
 
unregisterSymbol(ptrStep8WrtHook)
 
dealloc(memStep8WrtHook)
 
</pre>
 
And that's really the basics of AOB signatures.
 
 
 
But with step 8 we could also use an AOB to pull a pointer.
 
<pre>Tutorial-i386.exe+25FB1 - A1 60D65F00          - mov eax,[Tutorial-i386.exe+1FD660]
 
Tutorial-i386.exe+25FB6 - 89 45 E8              - mov [ebp-18],eax
 
Tutorial-i386.exe+25FB9 - 8B 45 E8              - mov eax,[ebp-18]
 
Tutorial-i386.exe+25FBC - 8B 55 E8              - mov edx,[ebp-18]
 
Tutorial-i386.exe+25FBF - 8B 00                - mov eax,[eax]
 
Tutorial-i386.exe+25FC1 - 3B 42 04              - cmp eax,[edx+04]
 
Tutorial-i386.exe+25FC4 - 74 02                - je Tutorial-i386.exe+25FC8
 
Tutorial-i386.exe+25FC6 - EB 4F                - jmp Tutorial-i386.exe+26017
 
</pre>
 
<pre>////
 
//// ------------------------------ ENABLE ------------------------------
 
[ENABLE]
 
aobScanModule(aobStep8Hook, Tutorial-i386.exe, A1xxxxxxxx89xxxx8Bxxxx8Bxxxx8Bxx3Bxxxx74xxEBxx8Bxxxx8Bxxxx8Bxxxx3Bxxxx)
 
define(ptrStep8Hook, aobStep8Hook+1)
 
registerSymbol(ptrStep8Hook)
 
////
 
//// ------------------------------ DISABLE ------------------------------
 
[DISABLE]
 
unregisterSymbol(ptrStep8Hook)
 
</pre>
 
 
 
 
 
== See also ==
 
* [[Tutorials|Tutorials]]
 
* [[Tutorials:Value_types|Value types]]
 
* [[Tutorials:Pointers|Pointers]]
 
 
 
== External links ==
 
* [https://forum.cheatengine.org/viewtopic.php?t=570083 Rydian's Guide To Basic AOBs And Scripts]
 

Revision as of 16:06, 16 March 2019

Sorry! Content not available.