Difference between revisions of "Lua:AOBScan"

From Cheat Engine
Jump to navigation Jump to search
m (fixed formatting, restored accidentally deleted references)
m (Syntax Highlighting.)
 
(One intermediate revision by the same user not shown)
Line 1: Line 1:
 
[[Category:Lua]]
 
[[Category:Lua]]
'''function''' AOBScan('''''...''''')
+
{{CodeBox|'''function''' AOBScan(''aobstring'', ''protectionflags'', ''alignmenttype'', ''alignmentparam'') ''':''' StringList}}
 +
{{CodeBox|'''function''' AOBScan(''byte1'', ''byte2'', ''...'') ''':''' StringList}}
  
'''function''' AOBScan(''AOBString'', ''ProtectionFlags'' OPTIONAL, ''AlignmentType'' OPTIONAL, ''AlignmentParam'' HALFOPTIONAL)
+
Scans the currently opened process for an array of bytes and returns a StringList containing all matching addresses.
  
Scans the currently opened process memory for a byte pattern (Array of Bytes) and returns a [[Lua:Class:Stringlist|StringList]] object containing all matching addresses as hexadecimal strings.
+
The returned StringList must be destroyed when it is no longer needed.
  
* '''Returns:''' A [[Lua:Class:Stringlist|StringList]] containing the addresses found, or '''nil''' if no matches are found.
+
===Function Parameters===
* '''Important:''' Always call '''list.destroy()''' when done to free memory and prevent leaks.
+
====String Pattern Form====
 
+
{|width="85%" cellpadding="10%" cellspacing="0" border="0"
=== Two Calling Modes ===
 
 
 
'''Mode 1: Pattern String''' - Provide an AOB pattern as a hex string with optional wildcards
 
AOBScan(AOBString, ProtectionFlags, AlignmentType, AlignmentParam)
 
 
 
'''Mode 2: Varargs Bytes''' - Pass individual byte values as separate arguments
 
AOBScan(byte1, byte2, byte3, ...)
 
 
In varargs mode:
 
* Values 0-255 are treated as literal bytes
 
* '''nil''', non-numeric values, or values > 255 become wildcards
 
* Zero (0) is written as "00" if it's a number, or as a wildcard if nil/non-numeric
 
 
 
 
 
=== Function Parameters ===
 
 
 
==== Mode 1: Pattern String ====
 
 
 
{|width="85%" cellpadding="10%" cellpadding="5%" cellspacing="0" border="0"
 
 
!align="left"|Parameter
 
!align="left"|Parameter
 
!align="left"|Type
 
!align="left"|Type
!style="width: 80%;" align="left"|Description
+
!style="width: 80%;background-color:white;" align="left"|Description
 
|-
 
|-
|AOBString
+
|aobstring
|string
+
|String
|A hex byte pattern with space/comma/dash separators. Use '''??''' or '''*''' for full-byte wildcards. Supports nibble wildcards like '''7?''' or '''?A'''
+
|The array-of-bytes pattern to scan for. Wildcards can be used in the pattern.
 
|-
 
|-
|ProtectionFlags
+
|protectionflags
|string
+
|String (optional)
|'''Optional.''' Memory protection filter (see below). Default: "" (scan all memory)
+
|A string that controls which memory regions are scanned based on executable, writable, and copy-on-write protection flags.
 
|-
 
|-
|AlignmentType
+
|alignmenttype
|integer
+
|Integer (optional)
|'''Optional.''' Alignment mode: 0=None, 1=Divisible, 2=Last digits. Default: 0
+
|Controls the address alignment check.
 
|-
 
|-
|AlignmentParam
+
|alignmentparam
|string
+
|String
|'''Optional.''' Hex value for alignment checking. Default: "1"
+
|The alignment parameter. Required when the selected alignment type needs a value.
 
|}
 
|}
  
==== Mode 2: Varargs Bytes ====
+
====Byte Parameter Form====
 
+
{|width="85%" cellpadding="10%" cellspacing="0" border="0"
{|width="85%" cellpadding="10%" cellpadding="5%" cellspacing="0" border="0"
 
 
!align="left"|Parameter
 
!align="left"|Parameter
 
!align="left"|Type
 
!align="left"|Type
!style="width: 80%;" align="left"|Description
+
!style="width: 80%;background-color:white;" align="left"|Description
 
|-
 
|-
|...
+
|byte1, byte2, ...
|'''varargs'''
+
|Integer
|Individual byte values (0-255). Use '''nil''' or values > 255 for wildcards
+
|The byte values to scan for. Values higher than 255 or values that are not integers are treated as wildcards.
 
|}
 
|}
  
 +
===Returns===
 +
StringList — A StringList containing all matching addresses as strings.
  
=== Protection Flags ===
+
The returned list must be destroyed manually when it is no longer needed.
  
The '''''ProtectionFlags''''' parameter is a string that filters which memory regions to scan based on their protection attributes:
+
===Protection Flags===
 +
The protectionflags parameter is a string made from memory protection flags.
  
'''Syntax:''' Prefix each flag with:
+
{|width="85%" cellpadding="10%" cellspacing="0" border="0"
* '''+''' = Region MUST have this flag set
+
!align="left"|Flag
* '''-''' = Region MUST NOT have this flag set 
+
!align="left"|Meaning
* '''*''' = Don't care (default)
+
|-
 +
|X
 +
|Executable memory.
 +
|-
 +
|W
 +
|Writable memory.
 +
|-
 +
|C
 +
|Copy-on-write memory.
 +
|}
  
'''Flags:'''
+
Each flag can be prefixed with one of the following operators:
* '''X''' = Executable
 
* '''W''' = Writable
 
* '''C''' = Copy On Write
 
* '''D''' = Dirty (macOS only)
 
  
'''Examples:'''
+
{|cellpadding="10%" cellspacing="0" border="0"
  "+W-C"    Writable memory excluding copy-on-write (don't care about executable)
+
!align="left"|Operator
  "+X-W-C"  Readonly executable memory (code sections)
+
!align="left"|Meaning
  "+X"      All executable memory (typical for code scanning)
+
|-
  "-W"      Non-writable memory only
+
|'''+'''
  ""        Scan everything (equivalent to "*X*W*C")
+
|The flag must be set.
  "*X*W*C"  Explicitly scan everything (don't care about any flags)
+
|-
 +
|'''-'''
 +
|The flag must not be set.
 +
|-
 +
|'''*'''
 +
|The flag does not matter.
 +
|}
  
 +
===Protection Flag Examples===
 +
{|width="85%" cellpadding="10%" cellspacing="0" border="0"
 +
!align="left"|Protection Flags
 +
!style="width: 80%;background-color:white;" align="left"|Description
 +
|-
 +
|'''+W-C'''
 +
|Scans writable memory, excludes copy-on-write memory, and does not care about the executable flag.
 +
|-
 +
|'''+X-C-W'''
 +
|Scans read-only executable memory.
 +
|-
 +
|'''+W'''
 +
|Scans writable memory and does not care about copy-on-write or executable memory.
 +
|-
 +
|
 +
|Scans everything. This is the same as *X*C*W.
 +
|}
  
=== Alignment Parameters ===
+
===Alignment Types===
 +
{|width="85%" cellpadding="10%" cellspacing="0" border="0"
 +
!align="left"|Value
 +
!align="left"|Name
 +
!style="width: 80%;background-color:white;" align="left"|Description
 +
|-
 +
|0
 +
|No alignment check
 +
|No alignment restriction is applied.
 +
|-
 +
|1
 +
|Divisible alignment
 +
|The address must be divisible by alignmentparam.
 +
|-
 +
|2
 +
|Last digits alignment
 +
|The address must end with the digits specified by alignmentparam.
 +
|}
  
Use '''''AlignmentType''''' and '''''AlignmentParam''''' to constrain addresses and improve scan performance:
+
===Alignment Parameter===
 +
The alignmentparam parameter is a string.
  
'''AlignmentType values:'''
+
Its meaning depends on alignmenttype:
* '''0''' = fsmNotAligned - No alignment check (default)
 
* '''1''' = fsmAligned - Address must be divisible by AlignmentParam
 
* '''2''' = fsmLastDigits - Address must end with specific hex digits
 
 
 
'''AlignmentParam:'''
 
* Interpreted as a '''hexadecimal''' value
 
* For '''AlignmentType=1''': Alignment boundary (e.g., "10" = 16-byte aligned, "4" = 4-byte aligned)
 
* For '''AlignmentType=2''': Required ending hex digits (e.g., "00" = addresses ending in ...00, "F0" = ending in ...F0)
 
 
 
'''Examples:'''
 
  AlignmentType=1, AlignmentParam="10"  Only 16-byte aligned addresses (0x...0, 0x...10, 0x...20, etc.)
 
  AlignmentType=1, AlignmentParam="4"    Only 4-byte aligned addresses
 
  AlignmentType=2, AlignmentParam="00"  Only addresses ending with 00 (0x...00)
 
  AlignmentType=2, AlignmentParam="F0"  Only addresses ending with F0 (0x...F0)
 
 
 
 
 
=== Wildcard Syntax ===
 
 
 
'''Full-byte wildcards:''' Match any byte value
 
* '''??''' - Most common notation
 
* '''*''' - Alternative notation
 
* Any non-hex characters in a byte position
 
 
 
'''Nibble wildcards:''' Match specific half-byte (4 bits)
 
* '''7?''' - High nibble is 7, low nibble can be anything (matches 70-7F)
 
* '''?A''' - High nibble can be anything, low nibble is A (matches 0A, 1A, 2A, ..., FA)
 
 
 
'''Examples:'''
 
  "48 8B ?? ?? ?? 89"        Full wildcards for bytes 3-5
 
  "DE AD ?? EF"              Wildcard for byte 3
 
  "7? A? ?3"                Nibble wildcards: 7x, Ax, x3
 
  
 +
{|width="85%" cellpadding="10%" cellspacing="0" border="0"
 +
!align="left"|Alignment Type
 +
!style="width: 80%;background-color:white;" align="left"|alignmentparam Meaning
 +
|-
 +
|0
 +
|Not used.
 +
|-
 +
|1
 +
|The value the address must be divisible by.
 +
|-
 +
|2
 +
|The last digits the address must end with.
 +
|}
  
=== Usage Examples ===
+
===Wildcard Behavior===
 +
In the byte parameter form, every value higher than 255 or every value that is not an integer is treated as a wildcard.
  
'''Basic scan - find all matches:'''
+
In the string pattern form, use the normal array-of-bytes wildcard syntax inside the pattern string.
local results = AOBScan("48 8B 05 ?? ?? ?? 89")
 
if results then
 
  print("Found " .. results.Count .. " matches")
 
  for i = 0, results.Count - 1 do
 
    print(string.format("%X", results[i]))
 
  end
 
  results.destroy()
 
else
 
  print("Pattern not found")
 
end
 
  
'''Scan executable memory only (faster for code patterns):'''
+
===Examples===
local results = AOBScan("55 8B EC", "+X")
+
<syntaxhighlight lang="lua" line>
if results then
+
local results = AOBScan("48 8B ?? ?? ?? 89")
  print("First match: " .. results[0])
 
  results.destroy()
 
end
 
  
'''Scan with alignment (16-byte aligned addresses):'''
+
if results ~= nil then
local results = AOBScan("FF 15 ?? ?? ?? ??", "+X", 1, "10")
+
  print("Results found: " .. tostring(results.Count))
if results then
 
  results.destroy()
 
end
 
  
'''Scan for addresses ending in 00:'''
+
  for i = 0, results.Count - 1 do
local results = AOBScan("DE AD BE EF", "", 2, "00")
+
    print(results[i])
if results then
+
  end
  results.destroy()
 
end
 
  
'''Varargs mode with wildcards:'''
+
  results.destroy()
local results = AOBScan(0x48, 0x8B, nil, nil, nil, 0x89)  -- nil = wildcard
+
end
if results then
+
</syntaxhighlight>
  results.destroy()
 
end
 
  
'''Helper function to get first match:'''
+
<syntaxhighlight lang="lua" line>
function findAOB(pattern, flags)
+
local results = AOBScan("48 8B ?? ?? ?? 89", "+X-C-W")
  local results = AOBScan(pattern, flags or "+X")
 
  if results and results.Count > 0 then
 
    local addr = results[0]
 
    results.destroy()
 
    return addr
 
  end
 
  return nil
 
end
 
 
local address = findAOB("48 8B ?? ?? ?? 89")
 
if address then
 
  print("Found at: " .. address)
 
end
 
  
 +
if results ~= nil then
 +
  print("Executable read-only results: " .. tostring(results.Count))
 +
  results.destroy()
 +
end
 +
</pre>
  
=== Performance Tips ===
+
<syntaxhighlight lang="lua" line>
 +
local results = AOBScan("48 8B ?? ?? ?? 89", "+W-C", 1, "4")
  
* Use '''+X''' protection flag when scanning for code to dramatically reduce scan time
+
if results ~= nil then
* Use alignment when you know the address characteristics (e.g., function pointers are often aligned)
+
  print("Writable aligned results: " .. tostring(results.Count))
* Keep patterns as specific as possible - avoid excessive wildcards
+
  results.destroy()
* For single-result scans, consider using '''AOBScanUnique''' or module-specific variants
+
end
* Always destroy the StringList after use to prevent memory leaks
+
</syntaxhighlight>
  
 +
<syntaxhighlight lang="lua" line>
 +
local results = AOBScan(0x48, 0x8B, 999, 0x89)
  
=== Return Value ===
+
if results ~= nil then
 
+
  print("Results found: " .. tostring(results.Count))
* '''Success:''' Returns a [[Lua:Class:Stringlist|StringList]] object containing hex address strings
+
  results.destroy()
* '''Failure:''' Returns '''nil''' (no matches found or invalid pattern)
+
end
 
+
</syntaxhighlight>
'''Note:''' The returned addresses are strings in hexadecimal format (e.g., "7FF12340"). Convert with tonumber(addr, 16) if you need numeric values.
 
  
 +
===Notes===
 +
* AOBScan scans the currently opened process.
 +
* The returned StringList must be destroyed when it is no longer needed.
 +
* The string pattern form is usually easier to read and maintain.
 +
* The byte parameter form treats values higher than 255 or non-integer values as wildcards.
 +
* An empty protectionflags string scans all memory regions.
 +
* Use protection flags and alignment when you want to reduce false positives or improve scan performance.
  
 
{{LuaSeeAlso}}
 
{{LuaSeeAlso}}
  
=== Related Functions ===
+
{{Scanning}}
 
 
* [[Lua:AOBScanUnique|AOBScanUnique]] - Returns a single address or nil (no cleanup needed)
 
* [[Lua:AOBScanModuleUnique|AOBScanModuleUnique]] - Find unique pattern in a module
 
 
 
* [[Lua:autoAssemble|autoAssemble]]
 
* [[Lua:disassemble|disassemble]]
 
* [[Lua:getInstructionSize|getInstructionSize]]
 
* [[Lua:getPreviousOpcode|getPreviousOpcode]]
 
* [[Lua:allocateSharedMemory|allocateSharedMemory]]
 
* [[Lua:mapMemory|mapMemory]]
 
* [[Lua:unmapMemory|unmapMemory]]
 
* [[Lua:readBytes|readBytes]]
 
* [[Lua:readPointer|readPointer]]
 
* [[Lua:writeBytes|writeBytes]]
 
* [[Lua:readBytesLocal|readBytesLocal]]
 
* [[Lua:readPointerLocal|readPointerLocal]]
 
* [[Lua:writeBytesLocal|writeBytesLocal]]
 
* [[Lua:wordToByteTable|wordToByteTable]]
 
* [[Lua:dwordToByteTable|dwordToByteTable]]
 
* [[Lua:qwordToByteTable|qwordToByteTable]]
 
* [[Lua:floatToByteTable|floatToByteTable]]
 
* [[Lua:doubleToByteTable|doubleToByteTable]]
 
* [[Lua:stringToByteTable|stringToByteTable]]
 
* [[Lua:wideStringToByteTable|wideStringToByteTable]]
 
* [[Lua:byteTableToWord|byteTableToWord]]
 
* [[Lua:byteTableToDword|byteTableToDword]]
 
* [[Lua:byteTableToQword|byteTableToQword]]
 
* [[Lua:byteTableToFloat|byteTableToFloat]]
 
* [[Lua:byteTableToDouble|byteTableToDouble]]
 
* [[Lua:byteTableToString|byteTableToString]]
 
* [[Lua:byteTableToWideString|byteTableToWideString]]
 
  
 
=== Readonly Classes ===
 
=== Readonly Classes ===
 
* [[Lua:Class:Stringlist|StringList]] - String list object documentation
 
* [[Lua:Class:Stringlist|StringList]] - String list object documentation

Latest revision as of 16:23, 25 June 2026

<> Lua API Reference

function AOBScan(aobstring, protectionflags, alignmenttype, alignmentparam) : StringList

<> Lua API Reference

function AOBScan(byte1, byte2, ...) : StringList

Scans the currently opened process for an array of bytes and returns a StringList containing all matching addresses.

The returned StringList must be destroyed when it is no longer needed.

Function Parameters[edit]

String Pattern Form[edit]

Parameter Type Description
aobstring String The array-of-bytes pattern to scan for. Wildcards can be used in the pattern.
protectionflags String (optional) A string that controls which memory regions are scanned based on executable, writable, and copy-on-write protection flags.
alignmenttype Integer (optional) Controls the address alignment check.
alignmentparam String The alignment parameter. Required when the selected alignment type needs a value.

Byte Parameter Form[edit]

Parameter Type Description
byte1, byte2, ... Integer The byte values to scan for. Values higher than 255 or values that are not integers are treated as wildcards.

Returns[edit]

StringList — A StringList containing all matching addresses as strings.

The returned list must be destroyed manually when it is no longer needed.

Protection Flags[edit]

The protectionflags parameter is a string made from memory protection flags.

Flag Meaning
X Executable memory.
W Writable memory.
C Copy-on-write memory.

Each flag can be prefixed with one of the following operators:

Operator Meaning
+ The flag must be set.
- The flag must not be set.
* The flag does not matter.

Protection Flag Examples[edit]

Protection Flags Description
+W-C Scans writable memory, excludes copy-on-write memory, and does not care about the executable flag.
+X-C-W Scans read-only executable memory.
+W Scans writable memory and does not care about copy-on-write or executable memory.
Scans everything. This is the same as *X*C*W.

Alignment Types[edit]

Value Name Description
0 No alignment check No alignment restriction is applied.
1 Divisible alignment The address must be divisible by alignmentparam.
2 Last digits alignment The address must end with the digits specified by alignmentparam.

Alignment Parameter[edit]

The alignmentparam parameter is a string.

Its meaning depends on alignmenttype:

Alignment Type alignmentparam Meaning
0 Not used.
1 The value the address must be divisible by.
2 The last digits the address must end with.

Wildcard Behavior[edit]

In the byte parameter form, every value higher than 255 or every value that is not an integer is treated as a wildcard.

In the string pattern form, use the normal array-of-bytes wildcard syntax inside the pattern string.

Examples[edit]

 1 local results = AOBScan("48 8B ?? ?? ?? 89")
 2 
 3 if results ~= nil then
 4   print("Results found: " .. tostring(results.Count))
 5 
 6   for i = 0, results.Count - 1 do
 7     print(results[i])
 8   end
 9 
10   results.destroy()
11 end

 1 local results = AOBScan("48 8B ?? ?? ?? 89", "+X-C-W")
 2 
 3 if results ~= nil then
 4   print("Executable read-only results: " .. tostring(results.Count))
 5   results.destroy()
 6 end
 7 </pre>
 8 
 9 <syntaxhighlight lang="lua" line>
10 local results = AOBScan("48 8B ?? ?? ?? 89", "+W-C", 1, "4")
11 
12 if results ~= nil then
13   print("Writable aligned results: " .. tostring(results.Count))
14   results.destroy()
15 end

1 local results = AOBScan(0x48, 0x8B, 999, 0x89)
2 
3 if results ~= nil then
4   print("Results found: " .. tostring(results.Count))
5   results.destroy()
6 end

Notes[edit]

  • AOBScan scans the currently opened process.
  • The returned StringList must be destroyed when it is no longer needed.
  • The string pattern form is usually easier to read and maintain.
  • The byte parameter form treats values higher than 255 or non-integer values as wildcards.
  • An empty protectionflags string scans all memory regions.
  • Use protection flags and alignment when you want to reduce false positives or improve scan performance.

Main Pages

Core Lua documentation entry points

Lua
Script Engine

Related Pages

Readonly Classes[edit]



Retrieved from "https://wiki.cheatengine.org/index.php?title=Lua:AOBScan&oldid=8226"