Difference between revisions of "Lua:AOBScan"

From Cheat Engine
Jump to navigation Jump to search
m (fixed formatting, restored accidentally deleted references)
(Major overhaul of the post.)
Line 1: Line 1:
 
[[Category:Lua]]
 
[[Category:Lua]]
'''function''' AOBScan('''''...''''')
+
{{CodeBox|'''function''' AOBScan(''aobstring'', ''protectionflags'', ''alignmenttype'', ''alignmentparam'') ''':''' StringList}}
 +
{{CodeBox|'''function''' AOBScan(''byte1'', ''byte2'', ''...'') ''':''' StringList}}
  
'''function''' AOBScan(''AOBString'', ''ProtectionFlags'' OPTIONAL, ''AlignmentType'' OPTIONAL, ''AlignmentParam'' HALFOPTIONAL)
+
Scans the currently opened process for an array of bytes and returns a StringList containing all matching addresses.
  
Scans the currently opened process memory for a byte pattern (Array of Bytes) and returns a [[Lua:Class:Stringlist|StringList]] object containing all matching addresses as hexadecimal strings.
+
The returned StringList must be destroyed when it is no longer needed.
  
* '''Returns:''' A [[Lua:Class:Stringlist|StringList]] containing the addresses found, or '''nil''' if no matches are found.
+
===Function Parameters===
* '''Important:''' Always call '''list.destroy()''' when done to free memory and prevent leaks.
+
====String Pattern Form====
 
+
{|width="85%" cellpadding="10%" cellspacing="0" border="0"
=== Two Calling Modes ===
 
 
 
'''Mode 1: Pattern String''' - Provide an AOB pattern as a hex string with optional wildcards
 
AOBScan(AOBString, ProtectionFlags, AlignmentType, AlignmentParam)
 
 
 
'''Mode 2: Varargs Bytes''' - Pass individual byte values as separate arguments
 
AOBScan(byte1, byte2, byte3, ...)
 
 
In varargs mode:
 
* Values 0-255 are treated as literal bytes
 
* '''nil''', non-numeric values, or values > 255 become wildcards
 
* Zero (0) is written as "00" if it's a number, or as a wildcard if nil/non-numeric
 
 
 
 
 
=== Function Parameters ===
 
 
 
==== Mode 1: Pattern String ====
 
 
 
{|width="85%" cellpadding="10%" cellpadding="5%" cellspacing="0" border="0"
 
 
!align="left"|Parameter
 
!align="left"|Parameter
 
!align="left"|Type
 
!align="left"|Type
!style="width: 80%;" align="left"|Description
+
!style="width: 80%;background-color:white;" align="left"|Description
 
|-
 
|-
|AOBString
+
|aobstring
|string
+
|String
|A hex byte pattern with space/comma/dash separators. Use '''??''' or '''*''' for full-byte wildcards. Supports nibble wildcards like '''7?''' or '''?A'''
+
|The array-of-bytes pattern to scan for. Wildcards can be used in the pattern.
 
|-
 
|-
|ProtectionFlags
+
|protectionflags
|string
+
|String (optional)
|'''Optional.''' Memory protection filter (see below). Default: "" (scan all memory)
+
|A string that controls which memory regions are scanned based on executable, writable, and copy-on-write protection flags.
 
|-
 
|-
|AlignmentType
+
|alignmenttype
|integer
+
|Integer (optional)
|'''Optional.''' Alignment mode: 0=None, 1=Divisible, 2=Last digits. Default: 0
+
|Controls the address alignment check.
 
|-
 
|-
|AlignmentParam
+
|alignmentparam
|string
+
|String
|'''Optional.''' Hex value for alignment checking. Default: "1"
+
|The alignment parameter. Required when the selected alignment type needs a value.
 
|}
 
|}
  
==== Mode 2: Varargs Bytes ====
+
====Byte Parameter Form====
 
+
{|width="85%" cellpadding="10%" cellspacing="0" border="0"
{|width="85%" cellpadding="10%" cellpadding="5%" cellspacing="0" border="0"
 
 
!align="left"|Parameter
 
!align="left"|Parameter
 
!align="left"|Type
 
!align="left"|Type
!style="width: 80%;" align="left"|Description
+
!style="width: 80%;background-color:white;" align="left"|Description
 
|-
 
|-
|...
+
|byte1, byte2, ...
|'''varargs'''
+
|Integer
|Individual byte values (0-255). Use '''nil''' or values > 255 for wildcards
+
|The byte values to scan for. Values higher than 255 or values that are not integers are treated as wildcards.
 
|}
 
|}
  
 +
===Returns===
 +
StringList — A StringList containing all matching addresses as strings.
  
=== Protection Flags ===
+
The returned list must be destroyed manually when it is no longer needed.
  
The '''''ProtectionFlags''''' parameter is a string that filters which memory regions to scan based on their protection attributes:
+
===Protection Flags===
 +
The protectionflags parameter is a string made from memory protection flags.
  
'''Syntax:''' Prefix each flag with:
+
{|width="85%" cellpadding="10%" cellspacing="0" border="0"
* '''+''' = Region MUST have this flag set
+
!align="left"|Flag
* '''-''' = Region MUST NOT have this flag set 
+
!align="left"|Meaning
* '''*''' = Don't care (default)
+
|-
 +
|X
 +
|Executable memory.
 +
|-
 +
|W
 +
|Writable memory.
 +
|-
 +
|C
 +
|Copy-on-write memory.
 +
|}
  
'''Flags:'''
+
Each flag can be prefixed with one of the following operators:
* '''X''' = Executable
 
* '''W''' = Writable
 
* '''C''' = Copy On Write
 
* '''D''' = Dirty (macOS only)
 
  
'''Examples:'''
+
{|cellpadding="10%" cellspacing="0" border="0"
  "+W-C"    Writable memory excluding copy-on-write (don't care about executable)
+
!align="left"|Operator
  "+X-W-C"  Readonly executable memory (code sections)
+
!align="left"|Meaning
  "+X"      All executable memory (typical for code scanning)
+
|-
  "-W"      Non-writable memory only
+
|'''+'''
  ""        Scan everything (equivalent to "*X*W*C")
+
|The flag must be set.
  "*X*W*C"  Explicitly scan everything (don't care about any flags)
+
|-
 +
|'''-'''
 +
|The flag must not be set.
 +
|-
 +
|'''*'''
 +
|The flag does not matter.
 +
|}
  
 +
===Protection Flag Examples===
 +
{|width="85%" cellpadding="10%" cellspacing="0" border="0"
 +
!align="left"|Protection Flags
 +
!style="width: 80%;background-color:white;" align="left"|Description
 +
|-
 +
|'''+W-C'''
 +
|Scans writable memory, excludes copy-on-write memory, and does not care about the executable flag.
 +
|-
 +
|'''+X-C-W'''
 +
|Scans read-only executable memory.
 +
|-
 +
|'''+W'''
 +
|Scans writable memory and does not care about copy-on-write or executable memory.
 +
|-
 +
|
 +
|Scans everything. This is the same as *X*C*W.
 +
|}
  
=== Alignment Parameters ===
+
===Alignment Types===
 +
{|width="85%" cellpadding="10%" cellspacing="0" border="0"
 +
!align="left"|Value
 +
!align="left"|Name
 +
!style="width: 80%;background-color:white;" align="left"|Description
 +
|-
 +
|0
 +
|No alignment check
 +
|No alignment restriction is applied.
 +
|-
 +
|1
 +
|Divisible alignment
 +
|The address must be divisible by alignmentparam.
 +
|-
 +
|2
 +
|Last digits alignment
 +
|The address must end with the digits specified by alignmentparam.
 +
|}
  
Use '''''AlignmentType''''' and '''''AlignmentParam''''' to constrain addresses and improve scan performance:
+
===Alignment Parameter===
 +
The alignmentparam parameter is a string.
  
'''AlignmentType values:'''
+
Its meaning depends on alignmenttype:
* '''0''' = fsmNotAligned - No alignment check (default)
 
* '''1''' = fsmAligned - Address must be divisible by AlignmentParam
 
* '''2''' = fsmLastDigits - Address must end with specific hex digits
 
 
 
'''AlignmentParam:'''
 
* Interpreted as a '''hexadecimal''' value
 
* For '''AlignmentType=1''': Alignment boundary (e.g., "10" = 16-byte aligned, "4" = 4-byte aligned)
 
* For '''AlignmentType=2''': Required ending hex digits (e.g., "00" = addresses ending in ...00, "F0" = ending in ...F0)
 
 
 
'''Examples:'''
 
  AlignmentType=1, AlignmentParam="10"  Only 16-byte aligned addresses (0x...0, 0x...10, 0x...20, etc.)
 
  AlignmentType=1, AlignmentParam="4"    Only 4-byte aligned addresses
 
  AlignmentType=2, AlignmentParam="00"  Only addresses ending with 00 (0x...00)
 
  AlignmentType=2, AlignmentParam="F0"  Only addresses ending with F0 (0x...F0)
 
 
 
 
 
=== Wildcard Syntax ===
 
 
 
'''Full-byte wildcards:''' Match any byte value
 
* '''??''' - Most common notation
 
* '''*''' - Alternative notation
 
* Any non-hex characters in a byte position
 
 
 
'''Nibble wildcards:''' Match specific half-byte (4 bits)
 
* '''7?''' - High nibble is 7, low nibble can be anything (matches 70-7F)
 
* '''?A''' - High nibble can be anything, low nibble is A (matches 0A, 1A, 2A, ..., FA)
 
 
 
'''Examples:'''
 
  "48 8B ?? ?? ?? 89"        Full wildcards for bytes 3-5
 
  "DE AD ?? EF"              Wildcard for byte 3
 
  "7? A? ?3"                Nibble wildcards: 7x, Ax, x3
 
  
 +
{|width="85%" cellpadding="10%" cellspacing="0" border="0"
 +
!align="left"|Alignment Type
 +
!style="width: 80%;background-color:white;" align="left"|alignmentparam Meaning
 +
|-
 +
|0
 +
|Not used.
 +
|-
 +
|1
 +
|The value the address must be divisible by.
 +
|-
 +
|2
 +
|The last digits the address must end with.
 +
|}
  
=== Usage Examples ===
+
===Wildcard Behavior===
 +
In the byte parameter form, every value higher than 255 or every value that is not an integer is treated as a wildcard.
  
'''Basic scan - find all matches:'''
+
In the string pattern form, use the normal array-of-bytes wildcard syntax inside the pattern string.
local results = AOBScan("48 8B 05 ?? ?? ?? 89")
 
if results then
 
  print("Found " .. results.Count .. " matches")
 
  for i = 0, results.Count - 1 do
 
    print(string.format("%X", results[i]))
 
  end
 
  results.destroy()
 
else
 
  print("Pattern not found")
 
end
 
  
'''Scan executable memory only (faster for code patterns):'''
+
===Examples===
local results = AOBScan("55 8B EC", "+X")
+
<pre>
if results then
+
local results = AOBScan("48 8B ?? ?? ?? 89")
  print("First match: " .. results[0])
 
  results.destroy()
 
end
 
  
'''Scan with alignment (16-byte aligned addresses):'''
+
if results ~= nil then
local results = AOBScan("FF 15 ?? ?? ?? ??", "+X", 1, "10")
+
  print("Results found: " .. tostring(results.Count))
if results then
 
  results.destroy()
 
end
 
  
'''Scan for addresses ending in 00:'''
+
  for i = 0, results.Count - 1 do
local results = AOBScan("DE AD BE EF", "", 2, "00")
+
    print(results[i])
if results then
+
  end
  results.destroy()
 
end
 
  
'''Varargs mode with wildcards:'''
+
  results.destroy()
local results = AOBScan(0x48, 0x8B, nil, nil, nil, 0x89)  -- nil = wildcard
+
end
if results then
+
</pre>
  results.destroy()
 
end
 
  
'''Helper function to get first match:'''
+
<pre>
function findAOB(pattern, flags)
+
local results = AOBScan("48 8B ?? ?? ?? 89", "+X-C-W")
  local results = AOBScan(pattern, flags or "+X")
 
  if results and results.Count > 0 then
 
    local addr = results[0]
 
    results.destroy()
 
    return addr
 
  end
 
  return nil
 
end
 
 
local address = findAOB("48 8B ?? ?? ?? 89")
 
if address then
 
  print("Found at: " .. address)
 
end
 
  
 +
if results ~= nil then
 +
  print("Executable read-only results: " .. tostring(results.Count))
 +
  results.destroy()
 +
end
 +
</pre>
  
=== Performance Tips ===
+
<pre>
 +
local results = AOBScan("48 8B ?? ?? ?? 89", "+W-C", 1, "4")
  
* Use '''+X''' protection flag when scanning for code to dramatically reduce scan time
+
if results ~= nil then
* Use alignment when you know the address characteristics (e.g., function pointers are often aligned)
+
  print("Writable aligned results: " .. tostring(results.Count))
* Keep patterns as specific as possible - avoid excessive wildcards
+
  results.destroy()
* For single-result scans, consider using '''AOBScanUnique''' or module-specific variants
+
end
* Always destroy the StringList after use to prevent memory leaks
+
</pre>
  
 +
<pre>
 +
local results = AOBScan(0x48, 0x8B, 999, 0x89)
  
=== Return Value ===
+
if results ~= nil then
 
+
  print("Results found: " .. tostring(results.Count))
* '''Success:''' Returns a [[Lua:Class:Stringlist|StringList]] object containing hex address strings
+
  results.destroy()
* '''Failure:''' Returns '''nil''' (no matches found or invalid pattern)
+
end
 
+
</pre>
'''Note:''' The returned addresses are strings in hexadecimal format (e.g., "7FF12340"). Convert with tonumber(addr, 16) if you need numeric values.
 
  
 +
===Notes===
 +
* AOBScan scans the currently opened process.
 +
* The returned StringList must be destroyed when it is no longer needed.
 +
* The string pattern form is usually easier to read and maintain.
 +
* The byte parameter form treats values higher than 255 or non-integer values as wildcards.
 +
* An empty protectionflags string scans all memory regions.
 +
* Use protection flags and alignment when you want to reduce false positives or improve scan performance.
  
 
{{LuaSeeAlso}}
 
{{LuaSeeAlso}}
  
=== Related Functions ===
+
{{Scanning}}
 
 
* [[Lua:AOBScanUnique|AOBScanUnique]] - Returns a single address or nil (no cleanup needed)
 
* [[Lua:AOBScanModuleUnique|AOBScanModuleUnique]] - Find unique pattern in a module
 
 
 
* [[Lua:autoAssemble|autoAssemble]]
 
* [[Lua:disassemble|disassemble]]
 
* [[Lua:getInstructionSize|getInstructionSize]]
 
* [[Lua:getPreviousOpcode|getPreviousOpcode]]
 
* [[Lua:allocateSharedMemory|allocateSharedMemory]]
 
* [[Lua:mapMemory|mapMemory]]
 
* [[Lua:unmapMemory|unmapMemory]]
 
* [[Lua:readBytes|readBytes]]
 
* [[Lua:readPointer|readPointer]]
 
* [[Lua:writeBytes|writeBytes]]
 
* [[Lua:readBytesLocal|readBytesLocal]]
 
* [[Lua:readPointerLocal|readPointerLocal]]
 
* [[Lua:writeBytesLocal|writeBytesLocal]]
 
* [[Lua:wordToByteTable|wordToByteTable]]
 
* [[Lua:dwordToByteTable|dwordToByteTable]]
 
* [[Lua:qwordToByteTable|qwordToByteTable]]
 
* [[Lua:floatToByteTable|floatToByteTable]]
 
* [[Lua:doubleToByteTable|doubleToByteTable]]
 
* [[Lua:stringToByteTable|stringToByteTable]]
 
* [[Lua:wideStringToByteTable|wideStringToByteTable]]
 
* [[Lua:byteTableToWord|byteTableToWord]]
 
* [[Lua:byteTableToDword|byteTableToDword]]
 
* [[Lua:byteTableToQword|byteTableToQword]]
 
* [[Lua:byteTableToFloat|byteTableToFloat]]
 
* [[Lua:byteTableToDouble|byteTableToDouble]]
 
* [[Lua:byteTableToString|byteTableToString]]
 
* [[Lua:byteTableToWideString|byteTableToWideString]]
 
  
 
=== Readonly Classes ===
 
=== Readonly Classes ===
 
* [[Lua:Class:Stringlist|StringList]] - String list object documentation
 
* [[Lua:Class:Stringlist|StringList]] - String list object documentation

Revision as of 20:27, 24 June 2026

<> Lua API Reference

function AOBScan(aobstring, protectionflags, alignmenttype, alignmentparam) : StringList

<> Lua API Reference

function AOBScan(byte1, byte2, ...) : StringList

Scans the currently opened process for an array of bytes and returns a StringList containing all matching addresses.

The returned StringList must be destroyed when it is no longer needed.

Function Parameters

String Pattern Form

Parameter Type Description
aobstring String The array-of-bytes pattern to scan for. Wildcards can be used in the pattern.
protectionflags String (optional) A string that controls which memory regions are scanned based on executable, writable, and copy-on-write protection flags.
alignmenttype Integer (optional) Controls the address alignment check.
alignmentparam String The alignment parameter. Required when the selected alignment type needs a value.

Byte Parameter Form

Parameter Type Description
byte1, byte2, ... Integer The byte values to scan for. Values higher than 255 or values that are not integers are treated as wildcards.

Returns

StringList — A StringList containing all matching addresses as strings.

The returned list must be destroyed manually when it is no longer needed.

Protection Flags

The protectionflags parameter is a string made from memory protection flags.

Flag Meaning
X Executable memory.
W Writable memory.
C Copy-on-write memory.

Each flag can be prefixed with one of the following operators:

Operator Meaning
+ The flag must be set.
- The flag must not be set.
* The flag does not matter.

Protection Flag Examples

Protection Flags Description
+W-C Scans writable memory, excludes copy-on-write memory, and does not care about the executable flag.
+X-C-W Scans read-only executable memory.
+W Scans writable memory and does not care about copy-on-write or executable memory.
Scans everything. This is the same as *X*C*W.

Alignment Types

Value Name Description
0 No alignment check No alignment restriction is applied.
1 Divisible alignment The address must be divisible by alignmentparam.
2 Last digits alignment The address must end with the digits specified by alignmentparam.

Alignment Parameter

The alignmentparam parameter is a string.

Its meaning depends on alignmenttype:

Alignment Type alignmentparam Meaning
0 Not used.
1 The value the address must be divisible by.
2 The last digits the address must end with.

Wildcard Behavior

In the byte parameter form, every value higher than 255 or every value that is not an integer is treated as a wildcard.

In the string pattern form, use the normal array-of-bytes wildcard syntax inside the pattern string.

Examples

local results = AOBScan("48 8B ?? ?? ?? 89")

if results ~= nil then
  print("Results found: " .. tostring(results.Count))

  for i = 0, results.Count - 1 do
    print(results[i])
  end

  results.destroy()
end

local results = AOBScan("48 8B ?? ?? ?? 89", "+X-C-W")

if results ~= nil then
  print("Executable read-only results: " .. tostring(results.Count))
  results.destroy()
end

local results = AOBScan("48 8B ?? ?? ?? 89", "+W-C", 1, "4")

if results ~= nil then
  print("Writable aligned results: " .. tostring(results.Count))
  results.destroy()
end

local results = AOBScan(0x48, 0x8B, 999, 0x89)

if results ~= nil then
  print("Results found: " .. tostring(results.Count))
  results.destroy()
end

Notes

  • AOBScan scans the currently opened process.
  • The returned StringList must be destroyed when it is no longer needed.
  • The string pattern form is usually easier to read and maintain.
  • The byte parameter form treats values higher than 255 or non-integer values as wildcards.
  • An empty protectionflags string scans all memory regions.
  • Use protection flags and alignment when you want to reduce false positives or improve scan performance.

Main Pages

Core Lua documentation entry points

Lua
Script Engine

Related Pages

Readonly Classes



Retrieved from "https://wiki.cheatengine.org/index.php?title=Lua:AOBScan&oldid=8062"