Area of Byte scan


5 replies to this topic
Spawnova
  • Members
  • 279 posts
  • Last active: Dec 22 2015 03:07 AM
  • Joined: 29 Jun 2011

How would I go about finding the address with an area of bytes array? I've looked around and found nothing myself and I'm not sure where to start.

 

 



girlgamer
  • Moderators
  • 3263 posts
  • Last active: Feb 01 2015 09:49 AM
  • Joined: 04 Jun 2010

finding the address? 

area of bytes array?

the question appears to make no sense.

so no answer I could give would make sense.


The universe is a wondrous place! The faster you create unbreakable code, the faster the universe creates people that can break it. All scripting follows the Rule Of Twos -- 1) Good, 2) Fast 3) Cheap -- pick any Two.
I guarantee absolutely nothing about any code I provide except that it works in my machine. ●
MMO Fighter   KeyLooperDemo   Key Spammer   TinyClickRecorder  GGs Password Generator.ahk
For the newest version of AutoHotkey and some killer scripts go here.


RHCP
  • Members
  • 1228 posts
  • Last active: Apr 08 2017 06:17 PM
  • Joined: 29 May 2006

Are you referring to a pattern of bytes in a process's memory? If so, it's not too hard.

 

Here is the basic approach. http://www.autohotke...oid#entry658145

This finds a pattern of bytes in a file, but the search algorithm is the same.

 

With regards to memory, you can speed it up considerably by dumping a large memory area as a buffer and then using the machine code scanInBuf() function to find the bytes. http://www.autohotke...-of-null/page-4  

Even just dumping the buffer is much faster than reading each byte one at a time via readProcessMemory().

 

I started playing around with a crude pattern scanner which would accept wild cards, but I never got around to making it iterate memory pages or optimising it.



Spawnova
  • Members
  • 279 posts
  • Last active: Dec 22 2015 03:07 AM
  • Joined: 29 Jun 2011

> finding the address?
>
> area of bytes array?
>
> the question appears to make no sense.
>
> so no answer I could give would make sense.


Well, I would be using an AoB to match an address instead of using a pointer since I have bytes that never change and the pointer is normally a few levels.

 

 

> Are you referring to a pattern of bytes in a process's memory? If so, it's not too hard.
>
> Here is the basic approach. http://www.autohotke...oid#entry658145
>
> This finds a pattern of bytes in a file, but the search algorithm is the same.
>
> With regards to memory, you can speed it up considerably by dumping a large memory area as a buffer and then using the machine code scanInBuf() function to find the bytes. http://www.autohotke...-of-null/page-4
>
> Even just dumping the buffer is much faster than reading each byte one at a time via readProcessMemory().
>
> I started playing around with a crude pattern scanner which would accept wild cards, but I never got around to making it iterate memory pages or optimising it.


Thanks RHCP, it's a bit complex for me but it's at least somewhere to start. =)



RHCP
  • Members
  • 1228 posts
  • Last active: Apr 08 2017 06:17 PM
  • Joined: 29 May 2006

I had a go at this today. I haven't done too much research, nor do I have much experience in this area, but it seems to work. 

 

This memory class contains the various methods. https://github.com/K...classMemory.ahk

 

The methods of interest here are:

modulePatternScan(module := "", aAOBPattern*) ; scans the memory area of a module

addressPatternScan(startAddress, sizeOfRegionBytes, aAOBPattern*) ; scans a given memory area

processPatternScan(aAOBPattern*) ; scans the memory region of the current process.

patternScan(startAddress, sizeOfRegionBytes, patternMask, byRef needleBuffer) ;The internal method which is used by the above methods.

 

The pattern supports wildcard bytes.

These methods are not finalised, as I will probably tinker with them when I have the time and have done more research.

 

Edit:

The scans now use a machine code function for comparison. This is very fast; well, it's orders of magnitude faster than when AHK was doing it.

 

An example script:

#singleinstance force
; Include the file, assuming it has been saved to a library folder
#include <classmemory>
if (memory.__Class != "Memory")
    msgbox class memory not correctly installed. Or the (global class) variable "Memory" has been overwritten
; This demo will search for an AOB inside this running AHK script via ReadProcessMemory()
DetectHiddenWindows, On ; The AHK window is hidden and this class needs to find the window
mem := new memory("ahk_pid " DllCall("GetCurrentProcessId"))
DetectHiddenWindows, Off
return


f1::
; SetFormat Hex so the shown addresses are in hex
SetFormat, integerFast, Hex
; Let's create a 12 byte array of values inside the variable 'test'
; which we will then search for
VarSetCapacity(test, 12), aAOBPattern := []
loop, 12
{
    ; insert the value into 'test'
    numput(A_Index*5, test, A_Index-1, "UChar")
    ; insert the value of the byte into the AOB pattern
    aAOBPattern.insert(A_Index*5)
}
; set a couple of bytes in the AOB pattern to wildcard for demonstration
aAOBPattern.5 := aAOBPattern.6 := "?"
; If you know the approximate address of the pattern, then you can just
; scan this region of memory using the method addressPatternScan()
; Note: The third parameter is variadic so you can manually pass each byte value
; i.e. mem.addressPatternScan(address, sizeOfArea, byte1Value, byte2Value, byte3Value.....)
; Or you can pass the entire array using '*'
address := mem.addressPatternScan(&test, size := 100, aAOBPattern*)
if address > 0
{
    msgbox % "patternScan Found address at: " address
        . "`nActual Address: " &test
}
else if address = 0
    msgbox patternScan didn't find the address
else
    msgbox patternScan failed error: %address%
; Otherwise you can scan the entire process
address := mem.processPatternScan(aAOBPattern*)
if address > 0
{
    msgbox % "processPatternScan Found address at: " address
        . "`nActual Address: " &test
    SetFormat, integerFast, D ; so we don't have to view the value in hex
    ; Re-read the bytes at the reported address and compare them with the
    ; original array, byte by byte
    loop, 12
    {
        msgbox % "Byte " A_Index
            . "`nRead: " mem.read(address + A_Index - 1, "UChar")
            . "`nAHK: " numget(test, A_Index - 1, "UChar")
    }
}
else if address = 0
    msgbox processPatternScan didn't find the address
else
    msgbox processPatternScan failed error: %address%
return
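Worked example, added here as an editorial illustration; it is not code from this thread and not RHCP's classMemory.ahk. It covers both points made in RHCP's posts above: matching a wildcard AOB pattern against a buffer that has already been dumped, rather than reading one byte at a time, and walking a process's committed memory regions the way processPatternScan() does. The function names (parse_aob, scan_buffer, scan_region, scan_process), the "?"/"??" wildcard token and the sample buffers are this example's own assumptions; the Win32 calls (OpenProcess, VirtualQueryEx, ReadProcessMemory) and their constants are the real API.

```python
# Added example: not RHCP's classMemory.ahk and not code from the thread.
# Names parse_aob/scan_buffer/scan_region/scan_process are this example's own.
import sys
from typing import Callable, List, Tuple


def parse_aob(pattern: str) -> Tuple[bytes, bytes]:
    """Turn "48 8B ?? ?? 05" into (needle, mask); a mask byte of 0 is a wildcard."""
    needle, mask = bytearray(), bytearray()
    for tok in pattern.split():
        if tok in ("?", "??"):
            needle.append(0); mask.append(0)
        else:
            needle.append(int(tok, 16)); mask.append(0xFF)
    if not needle:
        raise ValueError("empty pattern")
    return bytes(needle), bytes(mask)


def scan_buffer(buf: bytes, needle: bytes, mask: bytes, base: int = 0) -> List[int]:
    """Return base + offset of every match in an already-dumped buffer."""
    n = len(needle)
    # First fixed byte of the pattern; bytes.find skips to it in C, so the
    # Python-level compare runs only at candidate positions.
    anchor = next((i for i, m in enumerate(mask) if m), None)
    if anchor is None:                      # all wildcards: matches everywhere
        return [base + i for i in range(len(buf) - n + 1)]
    hits, pos = [], buf.find(needle[anchor], anchor)
    while pos != -1:
        start = pos - anchor
        if start + n > len(buf):
            break
        if all(mask[i] == 0 or buf[start + i] == needle[i] for i in range(n)):
            hits.append(base + start)
        pos = buf.find(needle[anchor], pos + 1)
    return hits


def scan_region(read: Callable[[int, int], bytes], start: int, size: int,
                needle: bytes, mask: bytes, chunk: int = 1 << 20) -> List[int]:
    """Scan [start, start+size) in big chunks via read(addr, n) -> bytes.

    Chunks overlap by len(needle)-1 bytes so a match straddling a boundary is
    still seen, and each match is reported from one chunk only. A short read
    means the rest of the region is unreadable, so the scan stops there.
    """
    overlap = len(needle) - 1
    chunk = max(chunk, overlap + 1)         # always make forward progress
    hits, addr, end = [], start, start + size
    while addr < end:
        want = min(chunk, end - addr)
        buf = read(addr, want)
        last = len(buf) < want or addr + want >= end
        limit = len(buf) if last else want - overlap
        hits.extend(h for h in scan_buffer(buf, needle, mask, addr) if h - addr < limit)
        if last:
            break
        addr += want - overlap
    return hits


def scan_process(pid: int, pattern: str) -> List[int]:
    """Windows only: walk every committed, readable region of pid with
    VirtualQueryEx and scan it through ReadProcessMemory, opening the process
    with just the rights a read-only scan needs."""
    if sys.platform != "win32":
        raise OSError("scan_process needs the Win32 API")
    import ctypes as ct
    from ctypes import wintypes as wt

    class MBI(ct.Structure):                # MEMORY_BASIC_INFORMATION
        _fields_ = [("BaseAddress", ct.c_void_p), ("AllocationBase", ct.c_void_p),
                    ("AllocationProtect", wt.DWORD), ("RegionSize", ct.c_size_t),
                    ("State", wt.DWORD), ("Protect", wt.DWORD), ("Type", wt.DWORD)]

    PROCESS_QUERY_INFORMATION, PROCESS_VM_READ = 0x0400, 0x0010
    MEM_COMMIT, PAGE_NOACCESS, PAGE_GUARD = 0x1000, 0x01, 0x100
    k32 = ct.WinDLL("kernel32", use_last_error=True)
    k32.OpenProcess.argtypes, k32.OpenProcess.restype = [wt.DWORD, wt.BOOL, wt.DWORD], wt.HANDLE
    k32.CloseHandle.argtypes = [wt.HANDLE]
    k32.VirtualQueryEx.argtypes = [wt.HANDLE, ct.c_void_p, ct.POINTER(MBI), ct.c_size_t]
    k32.VirtualQueryEx.restype = ct.c_size_t
    k32.ReadProcessMemory.argtypes = [wt.HANDLE, ct.c_void_p, ct.c_void_p, ct.c_size_t,
                                      ct.POINTER(ct.c_size_t)]

    h = k32.OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, False, pid)
    if not h:
        raise ct.WinError(ct.get_last_error())

    def read(addr: int, n: int) -> bytes:   # returns the bytes actually copied
        buf, got = ct.create_string_buffer(n), ct.c_size_t(0)
        k32.ReadProcessMemory(h, addr, buf, n, ct.byref(got))
        return buf.raw[:got.value]

    needle, mask = parse_aob(pattern)
    hits, addr, mbi = [], 0, MBI()
    try:
        while k32.VirtualQueryEx(h, addr, ct.byref(mbi), ct.sizeof(mbi)):
            base, size = mbi.BaseAddress or 0, mbi.RegionSize
            if mbi.State == MEM_COMMIT and not (mbi.Protect & (PAGE_NOACCESS | PAGE_GUARD)):
                hits.extend(scan_region(read, base, size, needle, mask))
            addr = base + size
    finally:
        k32.CloseHandle(h)
    return hits
```

On Windows, `scan_process(pid, "48 8B ?? ?? 05")` returns every address where the pattern occurs. The process is opened with PROCESS_QUERY_INFORMATION | PROCESS_VM_READ only, which is all a read-only scan needs, and regions that are not committed or are PAGE_NOACCESS/PAGE_GUARD are skipped rather than read. The chunk overlap in scan_region is the boundary case any scanner that dumps memory in pieces has to handle, or a pattern that straddles two dumps is silently missed. A hit from a live process is a snapshot of memory that the target may have freed or reused since; re-read the bytes at the address before trusting it, which is what the byte-by-byte comparison loop in the script above does.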



RHCP
  • Members
  • 1228 posts
  • Last active: Apr 08 2017 06:17 PM
  • Joined: 29 May 2006

I'm curious if it worked.