
AOBMaker: Smart AOB & AA Script Generator

Posted: Thu Feb 12, 2026 9:23 am
by bbfox

AOBMaker: An Automated AA Scripting Utility for Advanced Pattern Generation and Relocation

AOBMaker helps you create AutoAssembler (AA) scripts from Cheat Engine disassembly. It can auto-generate AOB patterns, mask registers or offsets, check injection safety, and help with AOB relocation after game updates. You don't need to do manual AOB hex mask work. A .ct table stability check tool is included. Running it while CE is attached to the same process, without any script enabled, is ideal.

It also includes Auto Script generation of asm code for multiplier / address capture / clamp, and creates the basic structure of a script from your criteria.


 ! Message from: bbfox

Many features rely on AutoAssembler asm code comments for code analysis. Quality will suffer, or the function will not work, if the script doesn't have that data.


Technical note


AOBMaker — quick run-through

So basically AOBMaker is a desktop tool that takes CE Memory Viewer disassembly text and spits out a working AutoAssembler script. Saves you the manual work of AOB scan, register masking, displacement wildcarding, jump injection, restore code, all that boilerplate. Just paste, click Generate, copy back to CE.

What it does

| Input | Output |
| --- | --- |
| CE disassembly snippet around your injection point | Complete [ENABLE] / [DISABLE] AA script |
| Selected injection address | aobscanmodule(...) + alloc(...) + jump + restore + // ORIGINAL CODE block |

Yeah, that direct. The interesting stuff is how it builds the AOB — that's where most of the engineering went.

Mask modes

Different aggressiveness for what bytes to wildcard:

  • Mode A — most aggressive. Wildcards stack-relative displacement, all register-dependent bytes. Best AOB cross-version stability.
  • Mode B / C — more conservative if A makes the AOB too short.
  • Mode E / F — hardcoded bytes (use when you need exact patch).
  • Auto — let the tool pick (default).
  • Mode D (separate checkbox, "Live Mode") — attaches to the running process and runs dynamic optimization to find the shortest unique AOB. Usually want this on if the game is already open.

After generating, the tool actually scans memory to verify the AOB matches exactly 1 location. If not, it warns; in Mode D it extends the AOB automatically until unique. No more "AOB not found" or "16 matches" surprises after restart.

Auto Script features

In the Auto Script flyout menu, you can stack any combo:

  • Multiplier — wrap injected math op with configurable multiplier (x2, x5, etc.) for DPS/EXP boost. Handles register state, XMM preservation, flags, zero-floor, negative-delta check, friend/foe filter.
  • Clamp — clamp value to min/max. Useful for capping HP/MP/qty.
  • Addr Capture — emit registersymbol that captures the runtime base register, single or list mode (for "browse all items" scripts).
  • Offset Symbols — emit base + offset registersymbol pairs (i_aob_base_addr_xxxxxx) for pointer chains in CT. Opt-in now — was always-on in older builds.

All combinable. Toggle each independently.

Relocation engine (the meat)

Game gets patched, your AA script breaks. Open the Relocation window, paste the old // ORIGINAL CODE block, attach to the patched process, get candidate addresses ranked by similarity score.

8 anchor types running in parallel:

| Anchor | What it catches |
| --- | --- |
| Stable / REX | Opcode + ModR/M baseline |
| Suffix | Wildcard prefix/opcode, keep ModR/M+disp+imm tail (SSE → VEX re-encoding) |
| ModRmAlt | disp8 ↔ disp32 promotion (struct grew, [reg+68] → [reg+F0]) |
| ShortBranch | Strict 2-byte Jcc/JMP anchor |
| RipPair | Two RIP-relative instructions pointing to the same global |
| Boundary | Function prologue after CC or multi-byte NOP padding |
| Immediate | Distinctive imm32 constants (Burst magic numbers, e.g. 0000270F) |

Plus 3 opt-in tuning toggles in Settings → Relocation tuning (default off):

  • Expand Immediate anchor to context instructions
  • Tolerate uniform offset shift (struct grow case)
  • Prefer candidates near original address — for incremental-build engines like Crimson Desert, Atelier series, The Legend of Heroes series; turn off for UE titles

How well does it actually relocate?

Ran a probe across hundred of my game CTs (Crimson Desert, Stellaris, Starfield, Atelier series, FFXVI, MHR, Core Keeper, EVERSPACE, Farthest Frontier, etc.) over years of git history.

Net coverage: 74.8% of script-update pairs auto-relocate with all tuning toggles on. The remaining 25% are mostly:

  • Function fully rewritten / inlined elsewhere (true bucket-c) - Maintainer manually moved the inject point to a different instruction

No static byte-pattern analysis can recover those. Need runtime-assisted relocation, which is a different architecture entirely.

Per-anchor hit rate (when applicable):

| Anchor | Hit rate |
| --- | --- |
| OffsetShift (tuning) | 67.4% |
| Immediate (tuning) | 64.6% |
| ShortBranch | 61.4% |
| Suffix | 40.8% |
| REX | 34.1% |
| Boundary | 33.9% |
| Stable | 27.4% |
| RipPair | 4.1% |

Other tools bundled in

  • Scanner — a CE-independent simple memory scanner. Value scan + Sequence Pattern scan (ordered value chains with stride, AC-safe mode for Denuvo-style concurrent reads).
  • RIP Scan — find all RIP-relative references to a target address.
  • CT Stability Analyzer — check whether AOBs in an existing CT still match the current process. Batch sanity check before sharing.
  • List Gen — generate Lua scripts that iterate captured pointer arrays (for dynamic item / unit / weapon lists).

Random useful stuff

  • Multi-language UI: English / 繁體中文 / 日本語
  • Far jump support (14-byte) for cases where 5-byte jump won't fit in the overwritten region
  • Settings: strip comments, hardcode instructions, custom author string, custom pipe name (for CE Plugin)
  • (work in progress) IL2CPP support — point at global-metadata.dat + GameAssembly.dll, inject names get resolved
  • CE Plugin (C++ DLL) for tighter CE integration (previousOpcode, pipe-based commands, etc.)

Bottom line

If you make CTs on Windows and you're tired of crafting AOBs manually — especially the displacement masking math — try it. Works best for:

  • Native x64 game scripts
  • Mode A baseline with Live Mode (D) on for shortest unique AOB
  • Auto Script features when you want quick DPS / clamp / capture
  • Relocating old CT scripts after game patches (75% hit rate, beats redoing them by hand)

Less useful for:

  • Pure Lua scripts (this tool doesn't generate those)
  • Anti-cheat-heavy games (still need to deal with detection separately)
  • IL2CPP-only metadata exploration

Automated AOB Scripting & Relocation Tool for Advanced Cheat Engine Users



AOB Abilities: Hand made vs AOBMaker

| Ability | Hand made | AOBMaker |
| --- | --- | --- |
| Relative CALL/JMP wildcard | Manual | Auto-detect and set wildcard |
| RIP-relative displacement | Manual | Auto-detect and set wildcard |
| Register-dependent byte identify | N/A | Auto re-encode + diff |
| REX prefix: register bit | N/A | Auto-detect and set wildcard |
| VEX prefix: register encoding | N/A | Auto-detect and set wildcard |
| Stack displacement (RSP/RBP offset) | N/A | Mode-A Auto wildcard |
| ModRM/SIB register encoding | N/A | Auto re-encode identify |

Auto Script: multiplier


Sample output


Table of contents

  1. Installation

  2. Quick Start

  3. Main Window

  4. CE Plugin

  5. Relocation Window

  6. Settings

  7. Log Window

  8. Component Masking Modes

  9. Offline Mode vs Live Mode

  10. Workflow Examples

  11. Tips & Troubleshooting

1. INSTALLATION


AOBMaker (application)

  • Just extract the zip file to any folder you like.

  • Run AOBMaker.UI.exe

  • No installer is needed. Single-instance is enforced by a mutex.

CE Plugin

  • Copy AOBMaker_CEPlugin.dll to your CE folder (usually where cheatengine.exe is, or the plugins/ subfolder; actually any folder is OK, because you need to add it from CE settings anyway).
  • Copy lua53-64.dll from plugins/CEPlugin/lib/ to the same location if CE doesn't have it. (Normally this step is not needed.)
  • In Cheat Engine: Go to Settings -> Plugin -> Add plugin.

2. QUICK START


Very easy workflow (Offline mode, no plugin):

  1. Open game in Cheat Engine.

  2. Go to Memory Viewer, find code you want to inject.

  3. Select instructions (about 10-16 lines above and below). Copy them.

  4. Open AOBMaker. Click "Paste" (or Ctrl+V in input box).

  5. In "Injection Address", type the hex address (example: 178BE72).

  6. Click "Generate".

  7. Script will show in output box. Click "Copy".

  8. Paste to CE Auto Assembler window and test it.

  9. Warning: Offline mode AOB may not be unique.

Using CE Plugin (Recommended, faster):

  1. Open game in CE. Make sure AOBMaker is running.

  2. In CE Memory Viewer, right-click instruction you want to inject.

  3. Click "Send to AOBMaker" (or use Ctrl+Shift+A).

  4. AOBMaker will get everything automatically with correct markers.

  5. Click "Generate" in AOBMaker.

  6. Copy output and paste to CE. Done!

  7. If mode D is not checked, AOB may not be unique.

3. MAIN WINDOW

Main window is where you generate scripts.

SETTINGS PANEL (Top side)

Inject Name

  • Set your script inject label. It will show in aobscanmodule and alloc name.

  • Default is "INJECT".

  • Example: if you type "GET_HEALTH", you get INJECT_GET_HEALTH.

Mode (Dropdown)

  • Select masking strategy:

  • Auto -- AOBMaker chooses the best mode for you.

  • A -- Opcode & Displacement Priority (Good for game update).

  • B -- Opcode & Destination Priority.

  • C -- In-place NOP (No code cave).

Please see section 8 for detail.

Injection Address

  • Optional. If your text doesn't have an "INJECTING HERE" marker, type the hex address here (like "178BE72"). If you have the marker, just ignore this.

Mode D (Dynamic Shortest AOB)

  • This will scan live memory to find shortest unique AOB.

  • Need game running. See section 9.

Far Jump (14 bytes)

  • Use 14-byte jump (push/ret or mov+jmp) instead of 5-byte near JMP.

  • Use this if:
      - Target address is too far from code cave.
      - Code cave is more than +/-2GB range.

Language button

  • Switch between English ("EN"), Traditional Chinese and Japanese.

Settings / Relocation / Log Window buttons

  • Open other windows.

INPUT SECTION

Just paste or type CE disassembly. We support:

Format A (With hex bytes):

  • Game.exe+178BE72 - 48 8B 44 24 48 - mov rax,[rsp+48]

Format B (No hex bytes):

  • Game.exe+178BE72 - mov rax,[rsp+48]

Format C (Use colon):

  • Game.exe+178BE72: 48 8B 44 24 48 - mov rax,[rsp+48]

Injection markers:

  • Use // INJECTING HERE line to mark start.

  • Use // DONE INJECTING line to mark end.

  • Code between these two is your injection block.

OUTPUT SECTION
The generated script includes:

  • [ENABLE]: aobscan, alloc, label, newmem, jump patch.
  • [DISABLE]: restore bytes (readmem or db).
  • Original code comments (for check).

Click "Copy" to copy everything.

WARNINGS PANEL

An orange box will show if something is dangerous:

  • Another jump/call lands inside your injection bytes (Very dangerous!).
  • Strange code pattern.
  • Parse error.

If you see a warning, please check manually. Warnings do not block generation.

4. CE PLUGIN


Plugin will add two menu items in CE Memory Viewer. AOBMaker must be running.

ITEM 1: "Send to AOBMaker" (Ctrl+Shift+A)

  • It reads about 16 lines before and after your selection.
  • Marks your selection as injection point.
  • Auto format to "Module+Offset - Hex - Mnemonic".
  • Send everything to AOBMaker input box.

ITEM 2: "Navigate to Relocation Result" (Ctrl+Shift+R)

  • Get relocation result from AOBMaker.
  • CE will jump to that address.
  • Press again to go to next result (looping).
  • Very useful to check if relocation is correct.

5. RELOCATION WINDOW


5.A .CT STABILITY WINDOW


6. SETTINGS


7. LOG WINDOW

Shows all messages for debugging. If something goes wrong, check here.
You can click "Clear Log" to reset. The log is not saved to a file unless you check the application folder.

8. COMPONENT MASKING MODES (AOB Masking)


9. OFFLINE MODE vs LIVE MODE


10. WORKFLOW EXAMPLES


11. TIPS & TROUBLESHOOTING


Notice for Unreal Engine games: in some cases, if R15, R14, R13... are used in AA code, even with push/pop protection, it may cause a game crash. In this case, using RAX..RDX, RSI, RDI will be fine. This is based on personal experience, not a bug in the tool.

Download:
Microsoft VC runtime is needed: https://aka.ms/vs/17/release/vc_redist.x64.exe

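The input formats from the "INPUT SECTION" and the post-generation uniqueness check with Live Mode auto-extension described under "Mask modes", shown as an added Python example that is not AOBMaker's code and not part of the original post. The sample disassembly, the memory image and the hand-picked wildcard positions are constructed assumptions; the tool itself derives wildcard positions from instruction decoding.

```python
import re

# CE Memory Viewer line: Format A "addr - bytes - asm", Format C "addr: bytes - asm",
# Format B "addr - asm" (no bytes). Marker lines ("// INJECTING HERE") do not match.
LINE_RE = re.compile(
    r"^[\w.]+\+(?P<off>[0-9A-Fa-f]+)\s*[-:]\s*"
    r"(?:(?P<hex>(?:[0-9A-Fa-f]{2} )*[0-9A-Fa-f]{2})\s+-\s+)?(?P<asm>.+)$")

def parse_disassembly(text):
    """Return (offset, bytes or None, mnemonic) for every instruction line."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            raw = bytes.fromhex(m["hex"]) if m["hex"] else None
            rows.append((int(m["off"], 16), raw, m["asm"].strip()))
    return rows

def find_matches(memory, pattern):
    """Offsets where pattern matches; None in pattern is a '??' wildcard."""
    n = len(pattern)
    return [i for i in range(len(memory) - n + 1)
            if all(p is None or memory[i + j] == p for j, p in enumerate(pattern))]

def shortest_unique_aob(memory, code, wildcard_at, min_len=4):
    """Extend the AOB byte by byte until it matches exactly one location."""
    for length in range(min_len, len(code) + 1):
        pattern = [None if i in wildcard_at else b
                   for i, b in enumerate(code[:length])]
        if len(find_matches(memory, pattern)) == 1:
            return " ".join("??" if p is None else f"{p:02X}" for p in pattern)
    return None  # never unique: more context or fewer wildcards needed

# Constructed sample input (not taken from any real game).
SAMPLE = """\
Game.exe+178BE72 - 48 8B 44 24 48 - mov rax,[rsp+48]
Game.exe+178BE77: F3 0F 10 40 68 - movss xmm0,[rax+68]
Game.exe+178BE7C - F3 0F 5C C1 - subss xmm0,xmm1
Game.exe+178BE80 - movss [rax+68],xmm0
"""
ROWS = parse_disassembly(SAMPLE)
CODE = b"".join(raw for off, raw, _ in ROWS if off >= 0x178BE72 and raw)
# Constructed memory image: the target site plus a lookalike that differs
# only in both disp8 bytes and in one opcode byte (addss instead of subss).
LOOKALIKE = bytes.fromhex("48 8B 44 24 50 F3 0F 10 40 6C F3 0F 58 C1")
MEMORY = b"\xCC" * 16 + CODE + b"\xCC" * 8 + LOOKALIKE + b"\xCC" * 16
# Wildcard both disp8 bytes (index 4: [rsp+48], index 9: [rax+68]).
AOB = shortest_unique_aob(MEMORY, CODE, wildcard_at={4, 9})
```

With both displacement bytes wildcarded the pattern has to grow to 13 bytes before it is unique, while the unmasked pattern is unique after 5 bytes but depends on the stack offset staying the same across builds.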