cheatengine 5.8.28 → 5.8.30

package/README.md

@@ -139,12 +139,16 @@ Read a single memory value.
 - `type` (string, required): `byte`, `word`, `dword`, `qword`, `float`, `double`, `string`, `bytes`
 - `size` (integer, optional): Size for string/bytes type (default: 100)
 
+**Returns:** `{value}`
+
 #### `ce_read_memory_batch(requests)`
 Read multiple addresses in one call. **Always prefer this over multiple ce_read_memory calls.**
 
 **Parameters:**
 - `requests` (array, required): Array of `{address, type, id?, size?}`
 
+**Returns:** `{results: {id_or_address: {value, error?}}}`
+
 #### `ce_write_memory(address, type, value)`
 Write a value to memory.
 
@@ -153,6 +157,8 @@ Write a value to memory.
 - `type` (string, required): Value type
 - `value` (string, required): Value to write
 
+**Returns:** `{success, address}`
+
 ---
 
 ### Scanning & Search
@@ -208,6 +214,8 @@ List all active scan sessions.
 #### `ce_enum_modules`
 List all loaded modules (DLLs).
 
+**Returns:** `{count, modules: [{name, address, size, path, source}], used_fallback}`
+
 ---
 
 ### Symbols & Addresses
@@ -250,6 +258,8 @@ Disassemble instructions.
 #### `ce_get_instruction_info(address)`
 Get detailed info about a single instruction.
 
+**Returns:** `{address, opcode, params, bytes, bytesStr, size, isCall, isJump, isRet, isConditionalJump, parameterValue}`
+
 #### `ce_analyze_code(address, count?)`
 Static analysis of code block (calls, jumps, refs).
 
@@ -315,6 +325,8 @@ Detect function start and end by analyzing prologue/epilogue patterns.
 #### `ce_generate_signature(address)`
 Generate unique AOB signature for an address. Useful for game updates.
 
+**Returns:** `{address, signature, offset_from_start, byte_count, usage_hint}`
+
 ---
 
 ### Advanced Analysis
@@ -346,9 +358,16 @@ Lightweight symbolic execution. Interprets instruction semantics without executi
 - `count` (integer, optional): Instructions to trace (default: 30)
 - `initial_state` (object, optional): Initial register symbols, e.g. `{"rcx": "this_ptr", "rdx": "arg1"}`
 
-#### `ce_call_function(address, args?, return_type?, timeout?)`
+#### `ce_call_function(address, args?, call_method?, return_type?, timeout?)`
 Call a function in the target process. **WARNING: Executes real code!**
 
+**Parameters:**
+- `address` (string, required): Target function address
+- `args` (array, optional): Up to 4 arguments (integers or address expressions)
+- `call_method` (integer, optional): Calling method for `executeCodeEx` (e.g. `0`). If omitted, bridge auto-fallbacks for compatibility
+- `return_type` (string, optional): `byte`, `word`, `dword`, `qword`, `float`, `double`, `pointer` (default: `qword`)
+- `timeout` (integer, optional): Timeout in milliseconds (default: `5000`)
+
 ---
 
 ### Function Hooking

package/README_CN.md

@@ -131,27 +131,33 @@ Hook 名称现在会验证以防止 AA 脚本注入:
 
 ### 内存读写
 
-#### `ce_read_memory(address, type, size?)`
-读取单个内存值。
+#### `ce_read_memory(address, type, size?)`
+读取单个内存值。
 
 **参数:**
 - `address` (string, 必需): 地址表达式 (如 `"game.exe+0x1234"`, `"0x140001000"`)
-- `type` (string, 必需): `byte`, `word`, `dword`, `qword`, `float`, `double`, `string`, `bytes`
-- `size` (integer, 可选): string/bytes 类型的大小 (默认: 100)
+- `type` (string, 必需): `byte`, `word`, `dword`, `qword`, `float`, `double`, `string`, `bytes`
+- `size` (integer, 可选): string/bytes 类型的大小 (默认: 100)
+
+**返回:** `{value}`
 
-#### `ce_read_memory_batch(requests)`
-一次调用读取多个地址。**始终优先使用此方法而非多次调用 ce_read_memory。**
+#### `ce_read_memory_batch(requests)`
+一次调用读取多个地址。**始终优先使用此方法而非多次调用 ce_read_memory。**
 
 **参数:**
-- `requests` (array, 必需): `{address, type, id?, size?}` 数组
+- `requests` (array, 必需): `{address, type, id?, size?}` 数组
+
+**返回:** `{results: {id_or_address: {value, error?}}}`
 
-#### `ce_write_memory(address, type, value)`
-向内存写入值。
+#### `ce_write_memory(address, type, value)`
+向内存写入值。
 
 **参数:**
-- `address` (string, 必需): 地址表达式
-- `type` (string, 必需): 值类型
-- `value` (string, 必需): 要写入的值
+- `address` (string, 必需): 地址表达式
+- `type` (string, 必需): 值类型
+- `value` (string, 必需): 要写入的值
+
+**返回:** `{success, address}`
 
 ---
 
@@ -205,8 +211,10 @@ Hook 名称现在会验证以防止 AA 脚本注入:
 #### `ce_scan_list`
 列出所有活动的扫描会话。
 
-#### `ce_enum_modules`
-列出所有已加载的模块 (DLL)。
+#### `ce_enum_modules`
+列出所有已加载的模块 (DLL)。
+
+**返回:** `{count, modules: [{name, address, size, path, source}], used_fallback}`
 
 ---
 
@@ -247,8 +255,10 @@ Hook 名称现在会验证以防止 AA 脚本注入:
 - `count` (integer, 可选): 指令数量 (默认: 10)
 - `direction` (string, 可选): `"forward"` 或 `"backward"` (默认: forward)
 
-#### `ce_get_instruction_info(address)`
-获取单条指令的详细信息。
+#### `ce_get_instruction_info(address)`
+获取单条指令的详细信息。
+
+**返回:** `{address, opcode, params, bytes, bytesStr, size, isCall, isJump, isRet, isConditionalJump, parameterValue}`
 
 #### `ce_analyze_code(address, count?)`
 代码块的静态分析 (调用、跳转、引用)。
@@ -312,8 +322,10 @@ Hook 名称现在会验证以防止 AA 脚本注入:
 #### `ce_find_function_boundaries(address, max_search?)`
 通过分析序言/尾声模式检测函数起止。
 
-#### `ce_generate_signature(address)`
-为地址生成唯一的 AOB 特征码。用于游戏更新。
+#### `ce_generate_signature(address)`
+为地址生成唯一的 AOB 特征码。用于游戏更新。
+
+**返回:** `{address, signature, offset_from_start, byte_count, usage_hint}`
 
 ---
 
@@ -346,8 +358,15 @@ Hook 名称现在会验证以防止 AA 脚本注入:
 - `count` (integer, 可选): 要跟踪的指令数 (默认: 30)
 - `initial_state` (object, 可选): 初始寄存器符号，如 `{"rcx": "this_ptr", "rdx": "arg1"}`
 
-#### `ce_call_function(address, args?, return_type?, timeout?)`
-在目标进程中调用函数。**警告: 执行真实代码!**
+#### `ce_call_function(address, args?, call_method?, return_type?, timeout?)`
+在目标进程中调用函数。**警告: 执行真实代码!**
+
+**参数:**
+- `address` (string, 必需): 目标函数地址
+- `args` (array, 可选): 最多 4 个参数（整数或地址表达式）
+- `call_method` (integer, 可选): `executeCodeEx` 调用方式（如 `0`）。省略时 bridge 会自动走兼容回退
+- `return_type` (string, 可选): `byte`, `word`, `dword`, `qword`, `float`, `double`, `pointer`（默认: `qword`）
+- `timeout` (integer, 可选): 超时毫秒数（默认: `5000`）
 
 ---
 

package/ce_mcp_bridge.lua

@@ -1500,46 +1500,9 @@ Handlers.execute_lua = function(p)
     local ok, result = pcall(fn)
     if not ok then error("Runtime error: " .. tostring(result)) end
     return { result = result }
-end
-
-Handlers.get_selected_address = function()
-    local mv = getMemoryViewForm()
-    if mv then
-        local dv = mv.DisassemblerView
-        if dv and dv.SelectedAddress then
-            return { address = Utils.formatHex(dv.SelectedAddress) }
-        end
-    end
-    error("No address selected in Memory View")
-end
-
--- Handler: get_logs - Retrieve log entries with filtering
-Handlers.get_logs = function(p)
-    local count = p.count or 100
-    local minLevel = p.min_level or p.minLevel or LogLevel.DEBUG
-
-    -- Convert string level to number if needed
-    if type(minLevel) == "string" then
-        local levelMap = {
-            debug = LogLevel.DEBUG,
-            info = LogLevel.INFO,
-            warn = LogLevel.WARN,
-            error = LogLevel.ERROR
-        }
-        minLevel = levelMap[minLevel:lower()] or LogLevel.DEBUG
-    end
-
-    local entries = Logger.getEntries(count, minLevel)
-    local stats = Logger.getStats()
-
-    return {
-        entries = entries,
-        count = #entries,
-        stats = stats
-    }
-end
-
--- Handler: stats - Return comprehensive execution statistics
+end
+
+-- Handler: stats - Return comprehensive execution statistics
 Handlers.stats = function(p)
     local metrics = Metrics.getSummary()
     local logStats = Logger.getStats()
@@ -1729,10 +1692,11 @@ Handlers.aob_scan = function(p)
         scanOk = true
     end)
 
-    if not scanOk then
-        pcall(function() memscan.destroy() end)
-        return { count = 0, results = {}, error = "AOB Scan failed" }
-    end
+    if not scanOk then
+        pcall(function() foundList.deinitialize() end)
+        pcall(function() memscan.destroy() end)
+        return { count = 0, results = {}, error = "AOB Scan failed" }
+    end
 
     foundList.initialize()
     local totalCount = foundList.Count or 0
@@ -1836,10 +1800,11 @@ Handlers.value_scan = function(p)
         memscan.waitTillDone()
     end)
 
-    if not scanOk then
-        pcall(function() memscan.destroy() end)
-        return { count = 0, results = {}, error = "Scan failed" }
-    end
+    if not scanOk then
+        pcall(function() foundList.deinitialize() end)
+        pcall(function() memscan.destroy() end)
+        return { count = 0, results = {}, error = "Scan failed" }
+    end
 
     foundList.initialize()
 
@@ -1860,11 +1825,12 @@ Handlers.value_scan = function(p)
                 isInModule = inModule(addrNum)
             end)
 
-            table_insert(results, {
-                address = Utils.formatHex(addrNum),
-                symbol = symbol,
-                isStatic = symbol and symbol:find("%.exe%+") ~= nil or symbol:find("%.dll%+") ~= nil
-            })
+            table_insert(results, {
+                address = Utils.formatHex(addrNum),
+                symbol = symbol,
+                isStatic = (symbol ~= nil) and
+                    (symbol:find("%.exe%+") ~= nil or symbol:find("%.dll%+") ~= nil)
+            })
         end
     end
 
@@ -1986,10 +1952,11 @@ Handlers.scan_new = function(p)
         memscan.waitTillDone()
     end)
 
-    if not scanOk then
-        pcall(function() memscan.destroy() end)
-        error("First scan failed")
-    end
+    if not scanOk then
+        pcall(function() foundList.deinitialize() end)
+        pcall(function() memscan.destroy() end)
+        error("First scan failed")
+    end
 
     foundList.initialize()
     local totalCount = foundList.Count or 0
@@ -2142,13 +2109,14 @@ Handlers.scan_results = function(p)
                 end
             end)
 
-            table_insert(results, {
-                index = i,
-                address = Utils.formatHex(addrNum),
-                symbol = symbol,
-                value = currentValue,
-                isStatic = symbol and (symbol:find("%.exe%+") ~= nil or symbol:find("%.dll%+") ~= nil)
-            })
+            table_insert(results, {
+                index = i,
+                address = Utils.formatHex(addrNum),
+                symbol = symbol,
+                value = currentValue,
+                isStatic = (symbol ~= nil) and
+                    (symbol:find("%.exe%+") ~= nil or symbol:find("%.dll%+") ~= nil)
+            })
         end
     end
 
@@ -2333,10 +2301,10 @@ Handlers.enum_modules = function()
     if #r == 0 then
         usedFallback = true
         local mzScan = AOBScan("4D 5A 90 00 03 00 00 00")  -- MZ PE header
-        if mzScan and mzScan.Count > 0 then
-            for i = 0, math_min(mzScan.Count - 1, 50) do
-                local addr = tonumber(mzScan[i], 16)
-                if addr then
+        if mzScan and mzScan.Count > 0 then
+            for i = 0, math_min(mzScan.Count - 1, 50) do
+                local addr = tonumber(mzScan[i], 16)
+                if addr then
                     local peOffset = readInteger(addr + 0x3C)
                     local moduleSize = 0
                     local realName = nil
@@ -2376,11 +2344,13 @@ Handlers.enum_modules = function()
                         path = "",
                         source = realName and "export_directory" or "aob_fallback"
                     })
-                end
-            end
-            mzScan.destroy()
-        end
-    end
+                end
+            end
+        end
+        if mzScan then
+            mzScan.destroy()
+        end
+    end
 
     return {
         modules = r,
@@ -6911,12 +6881,25 @@ Handlers.call_function = function(p)
         table_insert(resolvedArgs, 0)
     end
 
-    -- Execute the function using CE's executeCodeEx
-    -- executeCodeEx(timeout, address, param1, param2, ...)
-    local ok, result = pcall(function()
-        return executeCodeEx(timeout, funcAddr,
-            resolvedArgs[1], resolvedArgs[2], resolvedArgs[3], resolvedArgs[4])
-    end)
+    -- Execute function using CE's executeCodeEx.
+    -- If call_method is explicitly provided, use new signature:
+    --   executeCodeEx(callmethod, timeout, address, ...)
+    -- If omitted, try old signature first for backward compatibility:
+    --   executeCodeEx(timeout, address, ...)
+    -- then fallback to new signature.
+    local callMethod = p.call_method
+    local ok, result = false, nil
+    if callMethod ~= nil then
+        ok, result = pcall(executeCodeEx, callMethod, timeout, funcAddr,
+            resolvedArgs[1], resolvedArgs[2], resolvedArgs[3], resolvedArgs[4])
+    else
+        ok, result = pcall(executeCodeEx, timeout, funcAddr,
+            resolvedArgs[1], resolvedArgs[2], resolvedArgs[3], resolvedArgs[4])
+        if not ok then
+            ok, result = pcall(executeCodeEx, 0, timeout, funcAddr,
+                resolvedArgs[1], resolvedArgs[2], resolvedArgs[3], resolvedArgs[4])
+        end
+    end
 
     if not ok then
         return {
@@ -7473,9 +7456,8 @@ local SYNC_COMMANDS = {
     register_symbol = true,
     unregister_symbol = true,
     allocate_memory = true,
-    execute_lua = true,
-    get_selected_address = true,
-    -- Hook commands
+    execute_lua = true,
+    -- Hook commands
     hook_function = true,
     unhook_function = true,
     -- Emulation commands
@@ -7694,12 +7676,27 @@ end
 -- ============ Server Lifecycle ============
 local Server = {}
 
-function Server.stop()
-    Utils.debugPrint("Stopping server...")
-    Context.serverRunning = false
-
-    -- Cleanup all zombie resources (breakpoints, traces, etc.)
-    Utils.cleanupZombieState()
+function Server.stop()
+    Utils.debugPrint("Stopping server...")
+    Context.serverRunning = false
+
+    -- Cleanup UI status timer/label to avoid leaked timers across stop/start cycles
+    if CE_MCP_STATUS_LABEL then
+        pcall(function()
+            if CE_MCP_STATUS_LABEL.timer then
+                CE_MCP_STATUS_LABEL.timer.Enabled = false
+                CE_MCP_STATUS_LABEL.timer.destroy()
+                CE_MCP_STATUS_LABEL.timer = nil
+            end
+            if CE_MCP_STATUS_LABEL.label then
+                CE_MCP_STATUS_LABEL.label.destroy()
+                CE_MCP_STATUS_LABEL.label = nil
+            end
+        end)
+    end
+
+    -- Cleanup all zombie resources (breakpoints, traces, etc.)
+    Utils.cleanupZombieState()
 
     -- Clear address cache
     Utils.clearAddressCache()

package/ce_mcp_server.js

@@ -31,7 +31,6 @@ class CEMCPServer {
     // Check 1: Pipe existence
     let pipeExists = false;
     try {
-      const fs = require('fs');
       // Try to check if pipe exists (Windows specific)
       const testClient = new PipeClient();
       const connected = await testClient.connect(false, 1000);
@@ -270,8 +269,8 @@ class CEMCPServer {
       // Check if error: has error field, success=false, and no partial results
       let isError = false;
       if (typeof result === 'object' && result !== null && result.error) {
-        const hasPartialResult = ['chain', 'path', 'partialCENotation', 'finalAddress'].some(k => k in result);
-        isError = result.success === false && !hasPartialResult;
+        const hasPartialResult = ['chain', 'path', 'partialCENotation', 'finalAddress', 'final_address', 'ceNotation', 'ce_pointer_notation'].some(k => k in result);
+        isError = !hasPartialResult;
       }
 
       const text = isError

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "cheatengine",
-  "version": "5.8.28",
+  "version": "5.8.30",
   "description": "Cheat Engine MCP Server - AI-assisted reverse engineering bridge",
   "main": "ce_mcp_server.js",
   "bin": {

package/src/pipe-client.js

@@ -5,7 +5,7 @@
 
 const net = require('net');
 const { EventEmitter } = require('events');
-const { Config, HealthMonitor, Logger, log } = require('./base');
+const { Config, HealthMonitor, TimeoutError, Logger, log } = require('./base');
 
 // Windows error codes
 const ERROR_FILE_NOT_FOUND = 2;
@@ -21,6 +21,7 @@ class PipeClient extends EventEmitter {
     this.socket = null;
     this.healthMonitor = new HealthMonitor(errorThreshold);
     this.reconnectTimer = null;
+    this.reconnectLoopPromise = null;
     this.stopReconnectFlag = false;
     this.connected = false;
     this.connectionAttempts = 0;
@@ -97,6 +98,8 @@ class PipeClient extends EventEmitter {
       this.pendingResponse.reject(new Error(`Invalid response size: ${respLen}`));
       this.pendingResponse = null;
       this.responseBuffer = Buffer.alloc(0);
+      this._close();
+      this.healthMonitor.recordError(`Invalid response frame length: ${respLen}`);
       return;
     }
 
@@ -132,21 +135,25 @@ class PipeClient extends EventEmitter {
     let backoff = 0.5;
     const maxBackoff = 10.0;
 
-    while (!this.stopReconnectFlag) {
-      if (!this.isValid()) {
-        this.connectionAttempts++;
-        this.healthMonitor.recordConnectionAttempt();
-
-        if (await this._tryConnectOnce()) {
-          backoff = 0.5;
+    try {
+      while (!this.stopReconnectFlag) {
+        if (!this.isValid()) {
+          this.connectionAttempts++;
+          this.healthMonitor.recordConnectionAttempt();
+
+          if (await this._tryConnectOnce()) {
+            backoff = 0.5;
+          } else {
+            backoff = Math.min(backoff * 1.5, maxBackoff);
+          }
         } else {
-          backoff = Math.min(backoff * 1.5, maxBackoff);
+          backoff = 0.5;
         }
-      } else {
-        backoff = 0.5;
-      }
 
-      await this._sleep(backoff * 1000);
+        await this._sleep(backoff * 1000);
+      }
+    } finally {
+      this.reconnectLoopPromise = null;
     }
   }
 
@@ -155,9 +162,9 @@ class PipeClient extends EventEmitter {
   }
 
   startBackgroundReconnect() {
-    if (this.reconnectTimer) return;
+    if (this.reconnectLoopPromise) return;
     this.stopReconnectFlag = false;
-    this._reconnectLoop();
+    this.reconnectLoopPromise = this._reconnectLoop();
   }
 
   async connect(force = false, timeout = 3000) {
@@ -245,9 +252,8 @@ class PipeClient extends EventEmitter {
         const lenBuffer = Buffer.alloc(4);
         lenBuffer.writeUInt32LE(jsonBytes.length, 0);
 
-        // Send request
-        this.socket.write(lenBuffer);
-        this.socket.write(jsonBytes);
+        // Send request as one framed buffer to avoid split-frame races
+        this.socket.write(Buffer.concat([lenBuffer, jsonBytes]));
 
         // Wait for response
         const result = await this._waitForResponse();
@@ -268,7 +274,15 @@ class PipeClient extends EventEmitter {
 
   _waitForResponse() {
     return new Promise((resolve, reject) => {
+      const socket = this.socket;
+      let closeHandler = null;
       this.pendingResponse = { resolve, reject };
+
+      const cleanup = () => {
+        if (socket && closeHandler) {
+          socket.removeListener('close', closeHandler);
+        }
+      };
       
       // Check if we already have data in buffer (race condition fix)
       if (this.responseBuffer.length >= 4) {
@@ -281,10 +295,12 @@ class PipeClient extends EventEmitter {
             const decoded = this._decodeResponse(respData);
             const result = JSON.parse(decoded);
             this.pendingResponse = null;
+            cleanup();
             resolve(result);
             return;
           } catch (err) {
             this.pendingResponse = null;
+            cleanup();
             reject(err);
             return;
           }
@@ -292,13 +308,14 @@ class PipeClient extends EventEmitter {
       }
       
       // Set up a one-time close handler to reject if socket closes while waiting
-      const closeHandler = () => {
+      closeHandler = () => {
         this.pendingResponse = null;
+        cleanup();
         reject(new Error('Socket closed while waiting for response'));
       };
       
-      if (this.socket) {
-        this.socket.once('close', closeHandler);
+      if (socket) {
+        socket.once('close', closeHandler);
       }
     });
   }
@@ -308,8 +325,9 @@ class PipeClient extends EventEmitter {
     const startTime = Date.now();
 
     // Create timeout promise
+    let timeoutHandle = null;
     const timeoutPromise = new Promise((_, reject) => {
-      setTimeout(() => {
+      timeoutHandle = setTimeout(() => {
         const elapsedTime = (Date.now() - startTime) / 1000;
         const errorMsg = `Tool execution timed out after ${elapsedTime.toFixed(2)}s (timeout: ${timeoutSeconds}s)`;
         log.error(`Timeout: tool=${toolName || 'unknown'}, params=${JSON.stringify(data.params || {})}, elapsed=${elapsedTime.toFixed(2)}s`);
@@ -337,6 +355,10 @@ class PipeClient extends EventEmitter {
         };
       }
       return { error: err.message };
+    } finally {
+      if (timeoutHandle) {
+        clearTimeout(timeoutHandle);
+      }
     }
   }
 
@@ -346,6 +368,7 @@ class PipeClient extends EventEmitter {
 
   stop() {
     this.stopReconnectFlag = true;
+    this.reconnectLoopPromise = null;
     if (this.reconnectTimer) {
       clearTimeout(this.reconnectTimer);
       this.reconnectTimer = null;

package/src/tool-registry.js

@@ -1,6 +1,6 @@
 /**
  * Tool Registry for MCP Tools
- * Defines all 60+ tools available in the Cheat Engine MCP Bridge
+ * Defines all 55 tools available in the Cheat Engine MCP Bridge
  */
 
 const ToolCategory = {
@@ -108,32 +108,12 @@ class ToolRegistry {
 
     this._register(new Tool(
       'ce_execute_lua',
-      'Execute raw Lua code in CE',
+      'Execute Lua code with full access to CE APIs. Returns {result}.',
       'execute_lua',
       ToolCategory.SYSTEM,
       [new ToolParam('code', 'string', 'Lua code to execute', true)]
     ));
 
-    this._register(new Tool(
-      'ce_get_selected_address',
-      'Get the currently selected address in CE Memory View/Disassembler',
-      'get_selected_address',
-      ToolCategory.SYSTEM
-    ));
-
-    this._register(new Tool(
-      'ce_get_logs',
-      'Get log entries from the Cheat Engine MCP Bridge Lua side. ' +
-      'Returns: {entries: [{timestamp, level, category, message, data}], count}. ' +
-      'Useful for debugging and monitoring bridge operations.',
-      'get_logs',
-      ToolCategory.SYSTEM,
-      [
-        new ToolParam('count', 'integer', 'Maximum number of log entries to return (default: 100)', false, 100),
-        new ToolParam('min_level', 'integer', 'Minimum log level to include: 1=DEBUG, 2=INFO, 3=WARN, 4=ERROR (default: 1)', false, 1),
-      ]
-    ));
-
     this._register(new Tool(
       'ce_list_processes',
       'List running processes. Use before ce_attach_process to find available targets. ' +
@@ -173,7 +153,7 @@ class ToolRegistry {
 
     this._register(new Tool(
       'ce_read_memory',
-      'Read a single memory value. Returns: {address, type, value}. ' +
+      'Read a single memory value. Returns: {value}. ' +
       'For reading multiple addresses, use ce_read_memory_batch instead for better performance.',
       'read_memory',
       ToolCategory.MEMORY,
@@ -189,7 +169,7 @@ class ToolRegistry {
       '[PERFORMANCE] Read multiple memory addresses in ONE request. ' +
       'ALWAYS prefer this over multiple ce_read_memory calls for better performance. ' +
       'Example: [{"address": "game.exe+100", "type": "dword", "id": "hp"}, {"address": "game.exe+104", "type": "float", "id": "mp"}]. ' +
-      'Returns: {results: [{id, address, type, value, error?}]}.',
+      'Returns: {results: {id_or_address: {value, error?}}}.',
       'read_memory_batch',
       ToolCategory.MEMORY,
       [new ToolParam('requests', 'array', 'Array of {address, type, id?, size?} objects', true)]
@@ -197,7 +177,7 @@ class ToolRegistry {
 
     this._register(new Tool(
       'ce_write_memory',
-      'Write memory value. Returns: {success: true, address, bytes_written}.',
+      'Write memory value. Returns: {success, address}.',
       'write_memory',
       ToolCategory.MEMORY,
       [
@@ -318,7 +298,7 @@ class ToolRegistry {
 
     this._register(new Tool(
       'ce_enum_modules',
-      'List all loaded modules (DLLs). Returns: {count, modules: [{name, base, size}]}.',
+      'List all loaded modules (DLLs). Returns: {count, modules: [{name, address, size, path, source}], used_fallback}.',
       'enum_modules',
       ToolCategory.SCANNING
     ));
@@ -395,7 +375,7 @@ class ToolRegistry {
       'USE WHEN: You already have base+offsets and want to verify the chain works or read the value. ' +
       'Returns CE notation like \'[[game.exe+123]+10]+20\' for easy copy to CE. ' +
       'NOT FOR: Discovering pointer paths (use ce_find_pointer_path for discovery). ' +
-      'Returns: {base, offsets, final_address, ceNotation, chain: [{level, address, value, symbol}]}.',
+      'Returns: {success, base, offsets, finalAddress, ceNotation, chain: [{level, address, symbol, offset, ptrValue?}], partialCENotation?, failedAtLevel?, error?}.',
       'resolve_pointer',
       ToolCategory.SYMBOLS,
       [
@@ -426,7 +406,7 @@ class ToolRegistry {
 
     this._register(new Tool(
       'ce_get_instruction_info',
-      'Get detailed instruction info. Returns: {address, opcode, parameters, bytes, size, isCall, isJump, isRet, isConditionalJump, readsMemory, writesMemory}.',
+      'Get detailed instruction info. Returns: {address, opcode, params, bytes, bytesStr, size, isCall, isJump, isRet, isConditionalJump, parameterValue}.',
       'get_instruction_info',
       ToolCategory.DEBUG,
       [this.ADDR_PARAM]
@@ -757,7 +737,7 @@ class ToolRegistry {
       'Generate unique AOB signature for code at an address. ' +
       'USE WHEN: Creating version-independent scripts, documenting code locations for future game updates. ' +
       'WORKFLOW: Generate signature here -> after game update, use ce_aob_scan to relocate. ' +
-      'Returns: {address, signature, mask, unique}.',
+      'Returns: {address, signature, offset_from_start, byte_count, usage_hint}.',
       'generate_signature',
       ToolCategory.ANALYSIS,
       [this.ADDR_PARAM]
@@ -842,6 +822,7 @@ class ToolRegistry {
       [
         this.ADDR_PARAM,
         new ToolParam('args', 'array', 'Function arguments (up to 4 for fastcall). Can be integers or address expressions.', false, []),
+        new ToolParam('call_method', 'integer', 'Optional calling method for executeCodeEx (e.g. 0=default/stdcall-like). If omitted, bridge auto-fallbacks for compatibility.'),
         new ToolParam('timeout', 'integer', 'Timeout in milliseconds', false, 5000),
         new ToolParam('return_type', 'string', 'How to interpret return value', false, 'qword', 
           ['byte', 'word', 'dword', 'qword', 'float', 'double', 'pointer']),