Area of Byte scan


5 replies to this topic
Spawnova
  • Members
  • 279 posts
  • Last active: Dec 22 2015 03:07 AM
  • Joined: 29 Jun 2011

How would I go about finding the address with an area of bytes array? I've looked around and found nothing myself and I'm not sure where to start.

 

 



girlgamer
  • Moderators
  • 3263 posts
  • Last active: Feb 01 2015 09:49 AM
  • Joined: 04 Jun 2010

finding the address? 

area of bytes array?

the question appears to make no sense.

so no answer I could give would make sense.


The universe is a wondrous place! The faster you create unbreakable code, the faster the universe creates people that can break it. All scripting follows the rule Rule Of Twos -- 1) Good, 2) Fast 3) Cheap -- pick any Two.
I guarantee absolutely nothing about any code I provide except that it works in my machine. ●


RHCP
  • Members
  • 1228 posts
  • Last active: Apr 08 2017 06:17 PM
  • Joined: 29 May 2006

Are you referring to a pattern of bytes in a process's memory? If so, it's not too hard.

 

Here is the basic approach. http://www.autohotke...oid#entry658145

This finds a pattern of bytes in a file, but the search algorithm is the same.

 

With regards to memory, you can speed it up considerably by dumping a large memory area as a buffer and then using the machine code scanInBuf() function to find the bytes. http://www.autohotke...-of-null/page-4  

Even just dumping the buffer is much faster than reading each byte one at a time via readProcessMemory()

 

I started playing around with a crude pattern scanner which would accept wild cards, but I never got around to making it iterate memory pages or optimising it.



Spawnova
  • Members
  • 279 posts
  • Last active: Dec 22 2015 03:07 AM
  • Joined: 29 Jun 2011

finding the address? 

area of bytes array?

the question appears to make no sense.

so no answer I could give would make sense.

 

Well, I would be using an AoB to match an address instead of using a pointer since I have bytes that never change and the pointer is normally a few levels.

 

 

Are you referring to a pattern of bytes in a process's memory? If so, it's not too hard.

 

Here is the basic approach. http://www.autohotke...oid#entry658145

This finds a pattern of bytes in a file, but the search algorithm is the same.

 

With regards to memory, you can speed it up considerably by dumping a large memory area as a buffer and then using the machine code scanInBuf() function to find the bytes. http://www.autohotke...-of-null/page-4

Even just dumping the buffer is much faster than reading each byte one at a time via readProcessMemory()

 

I started playing around with a crude pattern scanner which would accept wild cards, but I never got around to making it iterate memory pages or optimising it.

 

Thanks RHCP, it's a bit complex for me but it's at least somewhere to start. =)



RHCP
  • Members
  • 1228 posts
  • Last active: Apr 08 2017 06:17 PM
  • Joined: 29 May 2006

I had a go at this today. I haven't done too much research, nor do I have much experience in this area, but it seems to work. 

 

This memory class contains the various methods. https://github.com/K...classMemory.ahk

 

The methods of interest here are:

modulePatternScan(module := "", aAOBPattern*) ; scans the memory area of a module

addressPatternScan(startAddress, sizeOfRegionBytes, aAOBPattern*) ; scans a given memory area

processPatternScan(aAOBPattern*) ; scans the memory region of the current process.

patternScan(startAddress, sizeOfRegionBytes, patternMask, byRef needleBuffer) ;The internal method which is used by the above methods.

 

The pattern supports wildcard bytes.

These methods are not finalised, as I will probably tinker with them when I have the time and have done more research.

 

Edit:

The scans now use a machine code function for comparison. This is very fast, well it's orders of magnitude faster than when AHK was doing it.

 

An example script:

#singleinstance force
; Include the file, assuming it's been saved to a library folder
#include <classmemory>
if (memory.__Class != "Memory")
	msgbox class memory not correctly installed. Or the (global class) variable "Memory" has been overwritten
; This demo will search for an AOB inside this running AHK script via ReadProcessMemory()
DetectHiddenWindows, On ; As the AHK window is hidden and this class needs to find the window
mem := new memory("ahk_pid " DllCall("GetCurrentProcessId"))
DetectHiddenWindows, Off
return 


f1::
; setformat Hex so the shown addresses are in hex
SetFormat, integerFast, Hex
; let's create a 12 byte array of values inside the variable 'test'
; which we will then search for
VarSetCapacity(test, 12), aAOBPattern := []
loop, 12
{
	; insert the value into 'test'
    numput(A_Index*5, test, A_Index-1, "UChar")
    ; insert the value of the byte into the AOB pattern
    aAOBPattern.insert(A_Index*5)
}
; set a couple of bytes in the AOB pattern to wildcard for demonstration
aAOBPattern.5 := aAOBPattern.6 := "?" 
; If you know the approximate address of the pattern, then you can just
; scan this region of memory using the method addressPatternScan()
; Note: The third parameter is variadic so you can manually pass each byte value
; i.e. mem.addressPatternScan(address, sizeOfArea, byte1Value, byte2Value, byte3Value.....)
; Or you can pass the entire array using '*'
address := mem.addressPatternScan(&test, size := 100,  aAOBPattern*)
if address > 0
{
	msgbox % "patternScan Found address at: " address
		. "`nActual Address: " &test
}
else if address = 0
	msgbox patternScan didn't find the address
else msgbox patternScan failed error: %address%
; Otherwise you can scan the entire process
address := mem.processPatternScan(aAOBPattern*) 
if address > 0
{
	msgbox % "processPatternScan Found address at: " address
		. "`nActual Address: " &test
	SetFormat, integerFast, D ; so we don't have to view the value in hex
	loop, 12
	{
		msgbox % "Byte " A_Index
		. "`nRead: " mem.read(address + A_Index - 1, "UChar")	 
		. "`nAHK: " numget(test, A_Index - 1, "UChar")
	}	
}
else msgbox patternScan failed error: %address%
return
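
The buffer scan described in this thread (dump a memory area into a buffer, then search it for a byte pattern with wildcards), as an added C example that is not from the posts or from classMemory.ahk; the function names and the 'x'/'?' mask string are assumptions. It also covers a pattern that straddles two dumped chunks by overlapping consecutive chunks by n-1 bytes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example: names and the 'x'/'?' mask format are assumptions.
   Returns the offset of the first match in buf, or -1 if there is none. */
long aob_find(const uint8_t *buf, size_t len,
              const uint8_t *needle, const char *mask, size_t n)
{
    if (n == 0 || len < n) return -1;
    for (size_t i = 0; i + n <= len; i++) {
        size_t j = 0;
        while (j < n && (mask[j] == '?' || buf[i + j] == needle[j])) j++;
        if (j == n) return (long)i;
    }
    return -1;
}

/* Scan a region one dumped chunk at a time. Each chunk starts n-1 bytes before
   the previous one ended, so a pattern straddling a boundary is still seen.
   Returns the region offset, -1 if absent, -2 on bad arguments. */
long aob_find_chunked(const uint8_t *region, size_t region_len, size_t chunk,
                      const uint8_t *needle, const char *mask, size_t n)
{
    uint8_t window[256];
    if (n == 0 || chunk < n || chunk > sizeof window) return -2;
    for (size_t base = 0; base < region_len; base += chunk - (n - 1)) {
        size_t len = region_len - base < chunk ? region_len - base : chunk;
        memcpy(window, region + base, len); /* stands in for one bulk read */
        long hit = aob_find(window, len, needle, mask, n);
        if (hit >= 0) return (long)base + hit;
        if (len < chunk) break; /* that was the final, short chunk */
    }
    return -1;
}

/* Constructed sample: the script's 12 bytes (5,10,...,60) at offset 27 of a
   64-byte region, with the two wildcard positions holding different values. */
long demo_straddle(size_t chunk)
{
    uint8_t region[64], needle[12];
    memset(region, 0xCC, sizeof region);
    for (int i = 0; i < 12; i++) needle[i] = region[27 + i] = (uint8_t)((i + 1) * 5);
    region[27 + 4] = 0xAA; region[27 + 5] = 0xBB;
    return aob_find_chunked(region, sizeof region, chunk, needle, "xxxx??xxxxxx", 12);
}

int main(void) { printf("found at offset %ld\n", demo_straddle(32)); return 0; }
```

With 32-byte chunks the sample pattern spans offsets 27 to 38, so a loop that advanced by a full chunk each time would miss it.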



RHCP
  • Members
  • 1228 posts
  • Last active: Apr 08 2017 06:17 PM
  • Joined: 29 May 2006

I'm curious if it worked.