Jump to content

Sky Slate Blueberry Blackcurrant Watermelon Strawberry Orange Banana Apple Emerald Chocolate
Photo

Machine code binary buffer searching regardless of NULL

Started by wOxxOm , Nov 24 2007 01:18 PM

  • Please log in to reply
52 replies to this topic
wOxxOm
  • Members
  • 371 posts
  • Last active: Feb 20 2015 12:10 PM
  • Joined: 09 Feb 2006
widow, this is the answer for your deleted :p post:

;ReplaceByte - replace byte in binary Buffer
;		ret: number of replacements, case-sensitive.
ReplaceByte( hayStackAddr, hayStackSize, ByteFrom=0, ByteTo=1, StartOffset=0, NumReps=-1)
{	Static fun
	IfEqual,fun,
	{
		h=
		( LTrim join
			5589E553515256579C8B4D0C8B451831D229C17E25837D1C00741F8B7D0801C70FB6451
			00FB65D14FCF2AE750D885FFF42FF4D1C740409C975EF9D89D05F5E5A595BC9C21800
		)
		VarSetCapacity(fun,StrLen(h)//2)
		Loop % StrLen(h)//2
			NumPut("0x" . SubStr(h,2*A_Index-1,2), fun, A_Index-1, "Char")
	}
	Return DllCall(&fun
		, "uint",haystackAddr, "uint",hayStackSize, "short",ByteFrom, "short",ByteTo
		, "uint",StartOffset, "int",NumReps)
}

#46 - Posted 06 January 2010 - 07:02 PM
SKAN
  • Administrators
  • 9115 posts
  • Last active:
  • Joined: 26 Dec 2005
Ooh... Great! Thanks..

What is/does NumReps ?
#47 - Posted 06 January 2010 - 07:35 PM
tic
  • Members
  • 1934 posts
  • Last active: Dec 21 2015 01:05 PM
  • Joined: 22 Apr 2007
Number of replacements. -1 for all I guess

Edit:

Could I see the c++/asm please?

Thanks!
#48 - Posted 06 January 2010 - 07:52 PM
wOxxOm
  • Members
  • 371 posts
  • Last active: Feb 20 2015 12:10 PM
  • Joined: 09 Feb 2006
NumReps is of course a limit of replacements to be made.

well the asm is ultimately primitive, however it works pretty fast (10MB zeroes -> 1 in less than 100ms on my old AthlonX2@2600) - I just may assume that P4+ cpus have optimizations for such trivial memory-retrieval/storing schemes

here's the FASM code without compiler definitions for 'segments' and stuff.
BTW, I've tested the code just one time :p

proc ReplaceByte stdcall uses ebx ecx edx esi edi, hayStack, hayStackSize, ByteFrom:WORD, ByteTo:WORD, StartOffset, NumReps
	pushfd

	mov	ecx,[hayStackSize]
	mov	eax,[StartOffset]
	xor	edx,edx
	sub	ecx,eax
	jle	.done
	cmp	[NumReps],0
	jz	.done

	mov	edi,[hayStack]
	add	edi,eax ;edi=&(hayStack[StartOffset])

	movzx	eax,byte [ByteFrom]
	movzx	ebx,byte [ByteTo]
	cld

.rep:
	repne	scasb
	jne	.done

	mov	[edi-1],bl
	inc	edx
	dec	[NumReps]
	jz	.done
	or	ecx,ecx
	jnz	.rep

.done:
	popfd
	mov	eax,edx
	ret
endp

#49 - Posted 06 January 2010 - 11:15 PM
tinku99
  • Members
  • 560 posts
  • Last active: Feb 08 2015 12:54 AM
  • Joined: 03 Aug 2007
Lexikos once wrote a script to enumerate the memory pages: here
Its straightforward to run binary buffer search once for each page in the list...
Then you can search through an entire process for a binary string, similar to this perl module: win32::process::memory.
#50 - Posted 22 January 2011 - 07:56 PM
maraskan_user
  • Members
  • 52 posts
  • Last active: Dec 08 2014 11:18 PM
  • Joined: 20 Jun 2008
Did somebody have any luck with creating MCode for InBuf() that can work in AHK_L x64? :(
#51 - Posted 26 January 2011 - 03:12 PM
RHCP
  • Members
  • 1228 posts
  • Last active: Apr 08 2017 06:17 PM
  • Joined: 29 May 2006

Great function.


#52 - Posted 02 January 2014 - 03:34 PM
Klark92
  • Members
  • 870 posts
  • Last active: Dec 29 2015 09:47 PM
  • Joined: 19 Feb 2012

The InBuf function is not working for me. I tested it on ReadProcessMemory output (string output). Can anyone tell me why is that ? Im using last ver of ahk.


#53 - Posted 23 December 2015 - 07:41 PM

I CAN PROTECT YOUR SCRIPT (ANTI-DECOMPILER by Klark92) (AHK_L*)(PM)
Klark92's Script2Exe Wizard
AHK_L / AHK COMPILED EXE / BIN ICON CHANGER

Back to Scripts and Functions
  1. AutoHotkey Community
  2. AutoHotkey
  3. Scripts and Functions