AOBMaker: Smart AOB & AA Script Generator
AOBMaker: An Automated AA Scripting Utility for Advanced Pattern Generation and Relocation
AOBMaker helps you create AutoAssembler (AA) scripts from Cheat Engine disassembly. It can auto-generate AOB patterns, mask registers or offsets, check injection safety, and help relocate AOBs after a game update. You don't need to do manual AOB hex mask work. A .ct table stability check tool is included; it works best when run while CE is attached to the same process with no script enabled.
It also includes auto-script generation of multiplier / address capture / clamp asm code, and creates the basic structure of a script from your criteria.
Technical note
AOBMaker — quick run-through
So basically AOBMaker is a desktop tool that takes CE Memory Viewer disassembly text and spits out a working AutoAssembler script. Saves you the manual work of AOB scan, register masking, displacement wildcarding, jump injection, restore code, all that boilerplate. Just paste, click Generate, copy back to CE.
What it does
| Input | Output |
|---|---|
| CE disassembly snippet around your injection point | Complete [ENABLE] / [DISABLE] AA script |
| Selected injection address | aobscanmodule(...) + alloc(...) + jump + restore + // ORIGINAL CODE block |
Yeah, that direct. The interesting stuff is how it builds the AOB — that's where most of the engineering went.
Mask modes
Different aggressiveness for what bytes to wildcard:
- Mode A — most aggressive. Wildcards stack-relative displacement, all register-dependent bytes. Best AOB cross-version stability.
- Mode B / C — more conservative if A makes the AOB too short.
- Mode E / F — hardcoded bytes (use when you need exact patch).
- Auto — let the tool pick (default).
- Mode D (separate checkbox, "Live Mode") — attaches to the running process and runs dynamic optimization to find the shortest unique AOB. Usually want this on if the game is already open.
After generating, the tool actually scans memory to verify the AOB matches exactly 1 location. If not, it warns; in Mode D it extends the AOB automatically until unique. No more "AOB not found" or "16 matches" surprises after restart.
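The uniqueness check and the extend-until-unique step described above, as an added Python example (not AOBMaker's code). The byte buffers, the `build` helper and the rule that appended bytes are always literal are assumptions made for the illustration; it also shows why a hardcoded stack displacement stops matching after a patch while the masked pattern survives.

```python
# Added example: wildcard AOB matching and extend-until-unique.
# Every byte below is constructed sample data, not taken from any real program.

def parse_aob(text):
    """'48 8B 44 24 ??' -> [0x48, 0x8B, 0x44, 0x24, None]; None is a wildcard."""
    return [None if tok == "??" else int(tok, 16) for tok in text.split()]

def format_aob(pattern):
    return " ".join("??" if b is None else f"{b:02X}" for b in pattern)

def find_all(buf, pattern):
    """Every offset in buf where pattern matches; wildcards match any byte."""
    span = len(pattern)
    return [i for i in range(len(buf) - span + 1)
            if all(p is None or buf[i + j] == p for j, p in enumerate(pattern))]

def extend_until_unique(buf, start, pattern, max_len=32):
    """Append the literal bytes that follow `start` until exactly one match is left.

    Simplification (assumption): appended bytes are never wildcarded. Returns
    None when the length limit or the end of the buffer is reached first.
    """
    pattern = list(pattern)
    while len(find_all(buf, pattern)) != 1:
        nxt = start + len(pattern)
        if len(pattern) >= max_len or nxt >= len(buf):
            return None
        pattern.append(buf[nxt])
    return pattern

def build(disp_a, disp_b):
    """Constructed code region: two stack loads followed by different code."""
    return bytes.fromhex(" ".join([
        "90 90 90 90",                # padding
        f"48 8B 44 24 {disp_a:02X}",  # offset 4:  mov rax,[rsp+disp8]  <- target
        "48 85 C0 74 10 CC CC",       # test rax,rax / je / padding
        f"48 8B 44 24 {disp_b:02X}",  # offset 16: a second, unrelated stack load
        "48 89 C1 C3",                # mov rcx,rax / ret
    ]))

OLD_BUILD = build(0x48, 0x30)
NEW_BUILD = build(0x58, 0x30)          # stack frame grew in the "patched" build

EXACT = parse_aob("48 8B 44 24 48")    # hardcoded displacement
MASKED = parse_aob("48 8B 44 24 ??")   # stack displacement wildcarded

if __name__ == "__main__":
    print("exact  old/new:", find_all(OLD_BUILD, EXACT), find_all(NEW_BUILD, EXACT))
    print("masked old/new:", find_all(OLD_BUILD, MASKED), find_all(NEW_BUILD, MASKED))
    unique = extend_until_unique(OLD_BUILD, 4, MASKED)
    print("unique:", format_aob(unique), find_all(NEW_BUILD, unique))
```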
Auto Script features
In the Auto Script flyout menu, you can stack any combo:
- Multiplier — wrap injected math op with configurable multiplier (x2, x5, etc.) for DPS/EXP boost. Handles register state, XMM preservation, flags, zero-floor, negative-delta check, friend/foe filter.
- Clamp — clamp value to min/max. Useful for capping HP/MP/qty.
- Addr Capture — emit registersymbol that captures the runtime base register, single or list mode (for "browse all items" scripts).
- Offset Symbols — emit base + offset registersymbol pairs (i_aob_base_addr_xxxxxx) for pointer chains in CT. Opt-in now — was always-on in older builds.
All combinable. Toggle each independently.
Relocation engine (the meat)
Game gets patched, your AA script breaks. Open the Relocation window, paste the old // ORIGINAL CODE block, attach to the patched process, get candidate addresses ranked by similarity score.
8 anchor types running in parallel:
| Anchor | What it catches |
|---|---|
| Stable / REX | Opcode + ModR/M baseline |
| Suffix | Wildcard prefix/opcode, keep ModR/M+disp+imm tail (SSE → VEX re-encoding) |
| ModRmAlt | disp8 ↔ disp32 promotion (struct grew, [reg+68] → [reg+F0]) |
| ShortBranch | Strict 2-byte Jcc/JMP anchor |
| RipPair | Two RIP-relative instructions pointing to the same global |
| Boundary | Function prologue after CC or multi-byte NOP padding |
| Immediate | Distinctive imm32 constants (Burst magic numbers, e.g. 0000270F) |
Plus 3 opt-in tuning toggles in Settings → Relocation tuning (default off):
- Expand Immediate anchor to context instructions
- Tolerate uniform offset shift (struct grow case)
- Prefer candidates near original address — for incremental-build engines like Crimson Desert, Atelier series, The Legend of Heroes series; turn off for UE titles
How well does it actually relocate?
Ran a probe across hundred of my game CTs (Crimson Desert, Stellaris, Starfield, Atelier series, FFXVI, MHR, Core Keeper, EVERSPACE, Farthest Frontier, etc.) over years of git history.
Net coverage: 74.8% of script-update pairs auto-relocate with all tuning toggles on. The remaining 25% are mostly:
- Function fully rewritten / inlined elsewhere (true bucket-c)
- Maintainer manually moved the inject point to a different instruction
No static byte-pattern analysis can recover those. Need runtime-assisted relocation, which is a different architecture entirely.
Per-anchor hit rate (when applicable):
| Anchor | Hit rate |
|---|---|
| OffsetShift (tuning) | 67.4% |
| Immediate (tuning) | 64.6% |
| ShortBranch | 61.4% |
| Suffix | 40.8% |
| REX | 34.1% |
| Boundary | 33.9% |
| Stable | 27.4% |
| RipPair | 4.1% |
Other tools bundled in
- Scanner — a CE-independent simple memory scanner. Value scan + Sequence Pattern scan (ordered value chains with stride, AC-safe mode for Denuvo-style concurrent reads).
- RIP Scan — find all RIP-relative references to a target address.
- CT Stability Analyzer — check whether AOBs in an existing CT still match the current process. Batch sanity check before sharing.
- List Gen — generate Lua scripts that iterate captured pointer arrays (for dynamic item / unit / weapon lists).
Random useful stuff
- Multi-language UI: English / 繁體中文 / 日本語
- Far jump support (14-byte) for cases where 5-byte jump won't fit in the overwritten region
- Settings: strip comments, hardcode instructions, custom author string, custom pipe name (for CE Plugin)
- (work in progress) IL2CPP support — point at global-metadata.dat + GameAssembly.dll, inject names get resolved
- CE Plugin (C++ DLL) for tighter CE integration (previousOpcode, pipe-based commands, etc.)
Bottom line
If you make CTs on Windows and you're tired of crafting AOBs manually — especially the displacement masking math — try it. Works best for:
- Native x64 game scripts
- Mode A baseline with Live Mode (D) on for shortest unique AOB
- Auto Script features when you want quick DPS / clamp / capture
- Relocating old CT scripts after game patches (75% hit rate, beats redoing them by hand)
Less useful for:
- Pure Lua scripts (this tool doesn't generate those)
- Anti-cheat-heavy games (still need to deal with detection separately)
- IL2CPP-only metadata exploration
Automated AOB Scripting & Relocation Tool for Advanced Cheat Engine Users
AOB Abilities: Hand made vs AOBMaker
| Ability | Hand made | AOBMaker |
|---|---|---|
| Relative CALL/JMP wildcard | Manual | Auto-detect and set wildcard |
| RIP-relative displacement | Manual | Auto-detect and set wildcard |
| Register-dependent byte identify | N/A | Auto re-encode + diff |
| REX prefix: register bit | N/A | Auto-detect and set wildcard |
| VEX prefix: register encoding | N/A | Auto-detect and set wildcard |
| Stack displacement (RSP/RBP offset) | N/A | Mode-A Auto wildcard |
| ModRM/SIB register encoding | N/A | Auto re-encode identify |
Auto Script: multiplier
Sample output
Table of contents
- Installation
- Quick Start
- Main Window
- CE Plugin
- Relocation Window
- Settings
- Log Window
- Component Masking Modes
- Offline Mode vs Live Mode
- Workflow Examples
- Tips & Troubleshooting
1. INSTALLATION
AOBMaker (application)
Just extract the zip file to any folder you like.
- Run AOBMaker.UI.exe
- No installer is needed. Only a single instance can run (locked by a mutex).
CE Plugin
- Copy AOBMaker_CEPlugin.dll to your CE folder (usually where cheatengine.exe is, or the plugins/ subfolder. Actually any folder is OK because you need to add it from CE settings).
- Copy lua53-64.dll from plugins/CEPlugin/lib/ to the same location if CE doesn't have it. (Normally this step is not needed.)
- In Cheat Engine: Go to Settings -> Plugin -> Add plugin.
2. QUICK START
Very easy workflow (Offline mode, no plugin):
- Open the game in Cheat Engine.
- Go to Memory Viewer and find the code you want to inject into.
- Select instructions (about 10-16 lines above and below). Copy them.
- Open AOBMaker. Click "Paste" (or Ctrl+V in the input box).
- In "Injection Address", type the hex address (example: 178BE72).
- Click "Generate".
- The script will show in the output box. Click "Copy".
- Paste it into the CE Auto Assembler window and test it.
- Warning: an Offline mode AOB may not be unique.
Using CE Plugin (Recommended, faster):
- Open the game in CE. Make sure AOBMaker is running.
- In CE Memory Viewer, right-click the instruction you want to inject at.
- Click "Send to AOBMaker" (or use Ctrl+Shift+A).
- AOBMaker will get everything automatically with the correct markers.
- Click "Generate" in AOBMaker.
- Copy the output and paste it into CE. Done!
- If mode D is not checked, the AOB may not be unique.
3. MAIN WINDOW

The main window is where you generate scripts.
SETTINGS PANEL (Top side)
Inject Name
- Sets your script's inject label. It appears in the aobscanmodule and alloc names.
- Default is "INJECT".
- Example: if you type "GET_HEALTH", you get INJECT_GET_HEALTH.
Mode (Dropdown)
- Select the masking strategy:
  - Auto -- AOBMaker chooses the best mode for you.
  - A -- Opcode & Displacement Priority (Good for game update).
  - B -- Opcode & Destination Priority.
  - C -- In-place NOP (No code cave).
Please see section 8 for details.
Injection Address
- Optional. If your text doesn't have an "INJECTING HERE" marker, type the hex address here (like "178BE72"). If you have the marker, just ignore this.
Mode D (Dynamic Shortest AOB)
- Scans live memory to find the shortest unique AOB.
- Needs the game running. See section 9.
Far Jump (14 bytes)
- Use a 14-byte jump (push/ret or mov+jmp) instead of a 5-byte near JMP.
- Use this if:
  - Target address is too far from the code cave.
  - Code cave is beyond the +/-2GB range.
Language button
- Switch between English ("EN"), Traditional Chinese and Japanese.
Settings / Relocation / Log Window buttons
- Open other windows.
INPUT SECTION
Just paste or type CE disassembly. Supported formats:
Format A (With hex bytes):
- Game.exe+178BE72 - 48 8B 44 24 48 - mov rax,[rsp+48]
Format B (No hex bytes):
- Game.exe+178BE72 - mov rax,[rsp+48]
Format C (Use colon):
- Game.exe+178BE72: 48 8B 44 24 48 - mov rax,[rsp+48]
Injection markers:
- Use a // INJECTING HERE line to mark the start.
- Use a // DONE INJECTING line to mark the end.
- Code between these two is your injection block.
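A parser for the three line formats and the two markers listed above, as an added Python example that is not AOBMaker's own parser. The regular expression, the record layout and the sample lines are assumptions; unrecognised lines raise an error instead of being skipped, so a bad paste is noticed before a script is built from it.

```python
import re

# Added example: the regex and the record layout are assumptions for
# illustration, not the tool's implementation.
LINE_RE = re.compile(
    r"^(?P<module>[^+\s]+)\+(?P<offset>[0-9A-Fa-f]+)\s*[-:]\s*"  # Module+Offset, then - or :
    r"(?:(?P<hex>(?:[0-9A-Fa-f]{2}\s+)+)-\s+)?"                  # optional hex byte column
    r"(?P<asm>\S.*)$"                                            # mnemonic and operands
)

def parse_disassembly(text):
    """Return a list of instruction dicts; 'inject' is True between the markers."""
    rows, inside = [], False
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("//"):
            marker = line[2:].strip().upper()
            if marker.startswith("INJECTING HERE"):
                inside = True
            elif marker.startswith("DONE INJECTING"):
                inside = False
            continue  # any other comment line is ignored
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"line {number}: unrecognised format: {raw!r}")
        rows.append({
            "module": m["module"],
            "offset": int(m["offset"], 16),
            # Format B carries no bytes, so the encoding is unknown (None).
            "bytes": bytes.fromhex(m["hex"]) if m["hex"] else None,
            "asm": m["asm"],
            "inject": inside,
        })
    return rows

# Constructed sample mixing Format A, C and B around an injection block.
SAMPLE = """
Game.exe+178BE6D - 48 89 5C 24 08 - mov [rsp+08],rbx
// INJECTING HERE
Game.exe+178BE72: 48 8B 44 24 48 - mov rax,[rsp+48]
// DONE INJECTING
Game.exe+178BE77 - test rax,rax
"""

if __name__ == "__main__":
    for row in parse_disassembly(SAMPLE):
        print(hex(row["offset"]), row["bytes"], row["asm"], row["inject"])
```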
OUTPUT SECTION
The generated script includes:
- [ENABLE]: aobscan, alloc, label, newmem, jump patch.
- [DISABLE]: restore bytes (readmem or db).
- Original code comments (for checking).
Click "Copy" to copy everything.
WARNINGS PANEL
An orange box appears if something is dangerous:
- Another jump/call lands inside your injection bytes (Very dangerous!).
- Strange code pattern.
- Parse error.
If you see a warning, please check manually. Warnings do not block generation.
4. CE PLUGIN
The plugin adds two menu items to CE Memory Viewer. AOBMaker must be running.
ITEM 1: "Send to AOBMaker" (Ctrl+Shift+A)
- It reads about 16 lines before and after your selection.
- Marks your selection as the injection point.
- Auto-formats to "Module+Offset - Hex - Mnemonic".
- Sends everything to the AOBMaker input box.

ITEM 2: "Navigate to Relocation Result" (Ctrl+Shift+R)
- Gets the relocation result from AOBMaker.
- CE will jump to that address.
- Press again to go to the next result (looping).
- Very useful for checking whether the relocation is correct.
5. RELOCATION WINDOW
5.A .CT STABILITY WINDOW
6. SETTINGS
7. LOG WINDOW
Shows all messages for debugging. If something goes wrong, check here.
You can click "Clear Log" to reset. Log is not saved to file unless you check application folder.
8. COMPONENT MASKING MODES (AOB Masking)
9. OFFLINE MODE vs LIVE MODE
10. WORKFLOW EXAMPLES
11. TIPS & TROUBLESHOOTING
Notice for Unreal Engine games: in some cases, if R15, R14, R13... are used in AA code, even with push/pop protection, it may cause the game to crash. In this case, using RAX..RDX, RSI, RDI will be fine. This is based on personal experience, not a bug in the tool.
Download:
Microsoft VC runtime is needed: https://aka.ms/vs/17/release/vc_redist.x64.exe


