david_2000 Posted October 4, 2009

hi again
thanks for your reply
i mean this one:
http://forum.tuts4you.com/index.php?showtopic=16209&view=findpost&p=81103
thanks.
CondZero Posted October 4, 2009

If anyone is interested, I coded a C program "BMSEARCH" which utilizes the Boyer-Moore type search string algorithm, which is extremely fast. In it are functions to read forwards / backwards for a string, also using wildcards (slows down the search a bit). You can get it on the Arteam releases page over at www.accessroot.com.

The program is designed to read from a running process by using ReadProcessMemory to load a buffer, then you search the buffer for the string. By knowing the size of the buffer, you can determine the offset of the search string found in order to use WriteProcessMemory to patch / replace.

peace
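The post above describes the approach without showing code, so here is an added example (written for this page, not CondZero's BMSEARCH source) of a Boyer-Moore-Horspool byte search over an in-memory buffer, plus the offset-to-address step the post mentions. The buffer is a constructed byte array standing in for a region that ReadProcessMemory would have filled, and the base address 0x00400000 is an assumption; because lengths are passed explicitly instead of being taken from a C string, a pattern containing 0x00 bytes works as well.

```c
#include <stddef.h>
#include <stdio.h>

/* Offset of the first occurrence of needle[0..needle_len) in hay[0..hay_len),
 * or -1 if it does not occur. Lengths are explicit, so 0x00 bytes are fine. */
long bmh_search(const unsigned char *hay, size_t hay_len,
                const unsigned char *needle, size_t needle_len)
{
    size_t skip[256];
    size_t i, k;

    if (needle_len == 0 || needle_len > hay_len)
        return -1;

    /* Bad-character table: for each byte value, how far the window may slide
     * when that byte is the last one in the current window. */
    for (i = 0; i < 256; i++)
        skip[i] = needle_len;
    for (i = 0; i + 1 < needle_len; i++)
        skip[needle[i]] = needle_len - 1 - i;

    i = 0;
    while (i + needle_len <= hay_len) {
        /* Compare right to left; most windows fail on the first comparison. */
        k = needle_len;
        while (k > 0 && hay[i + k - 1] == needle[k - 1])
            k--;
        if (k == 0)
            return (long)i;
        i += skip[hay[i + needle_len - 1]];
    }
    return -1;
}

/* Turn a buffer offset back into an address in the process the buffer came
 * from (base = the address ReadProcessMemory was asked to read from). */
unsigned long offset_to_address(unsigned long base, long offset)
{
    return base + (unsigned long)offset;
}

/* Constructed sample buffer standing in for a region read with ReadProcessMemory. */
static const unsigned char BUFFER[] = {
    0x55, 0x8b, 0xec, 0x83, 0xec, 0x10,          /* push ebp / mov ebp,esp / sub esp,10 */
    0xc7, 0x45, 0xfc, 0x00, 0x00, 0x00, 0x00,    /* mov dword [ebp-4],0 */
    0x5d, 0xc3                                   /* pop ebp / ret */
};

int main(void)
{
    const unsigned char needle[] = { 0xc7, 0x45, 0xfc, 0x00, 0x00, 0x00, 0x00 };
    unsigned long base = 0x00400000UL; /* assumed base address of the read region */
    long off = bmh_search(BUFFER, sizeof BUFFER, needle, sizeof needle);

    if (off < 0)
        printf("pattern not found\n");
    else
        printf("found at offset %ld -> address 0x%08lX\n",
               off, offset_to_address(base, off));
    return 0;
}
```

The shift table is the whole trick: after a mismatch the window jumps by the distance from the last window byte to its rightmost occurrence in the pattern, so most of the buffer is never compared byte by byte. Wildcards break that property, which is why the post notes they slow the search down.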
atom0s Posted October 4, 2009

> hi again
> thanks for your reply
> i mean this one:
> http://forum.tuts4you.com/index.php?showtopic=16209&view=findpost&p=81103
> thanks.

That specific example was requested to read inside of sections in a process. Instead, I suggest you look at the example above it, which allows you to define the start address and size to scan at:
http://forum.tuts4you.com/index.php?showtopic=16209&st=0&p=81018entry81018
david_2000 Posted October 4, 2009

> > hi again
> > thanks for your reply
> > i mean this one:
> > http://forum.tuts4you.com/index.php?showtopic=16209&view=findpost&p=81103
> > thanks.
>
> That specific example was requested to read inside of sections in a process. Instead, I suggest you look at the example above it, which allows you to define the start address and size to scan at:
> http://forum.tuts4you.com/index.php?showtopic=16209&st=0&p=81018entry81018

thank you very much.
i'll check it out.
Departure Posted October 9, 2010

BeBoss, while the source is a nice example of how to search bytes, there is a faster example written by Ghandi of ARTeam; his search class is very quick, and by memory mapping the executable it's even faster...
http://www.accessroot.com/arteam/forums/index.php?showtopic=9904
skdpeka Posted November 3, 2010

Hey atom0s, I am using your C code and I wonder if there is a chance to search for instructions that contain a null byte, e.g. c7 81 fc 00 00 00 00 00 00 00 - mov [ecx+fc],0, because when I'm doing it like this:

    _ScanForBytes( "example.exe", "\xC7\x81\xFC\x00\x00\x00\x00\x00\x00\x00\xC7\x81\xD8\x00\x00\x00\x00\x00\x00\x00\xC7\x81\x38\x01\x00\x00\x00\x00\x00\x00" );

at the found address the bytes don't match my search pattern:

    681A8FC8 - c7 81 fc 02 00 00 ff ff ff 7f - mov [ecx+000002fc],7fffffff
    681A8FD2 - c7 81 44 03 00 00 00 00 00 00 - mov [ecx+00000344],00000000

I think the null bytes are causing this and I don't know how to solve this problem. Hope there is a way.
skdpeka Posted November 3, 2010 (edited)

Sorry for the double post, there was an error page and I thought the reply wasn't sent.

Edited November 3, 2010 by skdpeka
chickenbutt Posted November 3, 2010 (edited)

I think pretty much anything this would be fun to use on has a protection that has it hooked. Most from ring0. It's fun to use on Flash and JVM.

Edited November 3, 2010 by chickenbutt
atom0s Posted November 3, 2010

> Hey atom0s, I am using your C code and I wonder if there is a chance to search for instructions that contain a null byte, e.g. c7 81 fc 00 00 00 00 00 00 00 - mov [ecx+fc],0, because when I'm doing it like this:
>
>     _ScanForBytes( "example.exe", "\xC7\x81\xFC\x00\x00\x00\x00\x00\x00\x00\xC7\x81\xD8\x00\x00\x00\x00\x00\x00\x00\xC7\x81\x38\x01\x00\x00\x00\x00\x00\x00" );
>
> at the found address the bytes don't match my search pattern:
>
>     681A8FC8 - c7 81 fc 02 00 00 ff ff ff 7f - mov [ecx+000002fc],7fffffff
>     681A8FD2 - c7 81 44 03 00 00 00 00 00 00 - mov [ecx+00000344],00000000
>
> I think the null bytes are causing this and I don't know how to solve this problem. Hope there is a way.

You are better off using a different method that uses patterns as well. This method is used inside an injected DLL, but you can alter it to do the same thing with dumped memory too from an external process. I can't write up any examples at the moment since I'm a bit busy, sorry.

    /**
     * MaskCheck / FindPattern
     *
     * Credits:
     * dom1n1k, Patrick, GameDeception
     */
    BOOL MaskCheck( const unsigned char* lpData, const unsigned char* lpMask, const char* szMask )
    {
        // Walk the mask: 'x' means the byte must match, anything else (e.g. '?') is a wildcard.
        // The mask's terminator defines the pattern length, so 0x00 bytes in lpMask are fine.
        for( ; *szMask; ++szMask, ++lpData, ++lpMask )
            if( *szMask == 'x' && *lpData != *lpMask )
                return FALSE;
        return (*szMask) == '\0';
    }

    unsigned long FindPattern( unsigned long ulStartAddr, unsigned long ulLength, const unsigned char* szPattern, const char* szMask )
    {
        // Try the pattern at each of the ulLength start offsets from ulStartAddr.
        for( unsigned long i = 0; i < ulLength; i++ )
        {
            if( MaskCheck( (const unsigned char*)( ulStartAddr + i ), szPattern, szMask ) )
                return (unsigned long)( ulStartAddr + i );
        }
        return 0;
    }

To use it, you can do:

    unsigned long ulAddress = FindPattern( 0x00400000, 10, (const unsigned char*)"\xc7\x81\xfc\x00\x00\x00\x00\x00\x00\x00", "xxxxxxxxxx" );

Each x in the last bit is one byte. You can use ? for wildcards for a single byte if you need to. So:

    \xc7 = x

This is one byte in the pattern.

If you want c7 to be able to be anything when you scan you can change it to:

    unsigned long ulAddress = FindPattern( 0x00400000, 10, (const unsigned char*)"\xc7\x81\xfc\x00\x00\x00\x00\x00\x00\x00", "?xxxxxxxxx" );
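To make the point of the two posts above concrete, here is an added stand-alone example (written for this page; it is not atom0s's code or the thread's _ScanForBytes source). If a scanner takes the pattern as a C string, strlen stops at the first 0x00, so "\xC7\x81\xFC\x00..." shrinks to the three bytes c7 81 fc and the first instruction starting with those bytes is reported, which is the kind of wrong hit skdpeka saw. Carrying the length in a separate mask, as in the MaskCheck / FindPattern pair, avoids that. The buffer below is a constructed byte array, not a dump of any real process, and it scans a local buffer rather than another process's memory.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample buffer: three "mov dword [ecx+disp32], imm32"
 * encodings (the last one is the instruction being looked for) plus filler. */
static const unsigned char SAMPLE[] = {
    0x8b, 0x4d, 0x08,                                           /* filler: mov ecx,[ebp+8] */
    0xc7, 0x81, 0xfc, 0x02, 0x00, 0x00, 0xff, 0xff, 0xff, 0x7f, /* mov [ecx+2fc],7fffffff */
    0xc7, 0x81, 0x44, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* mov [ecx+344],0 */
    0xc7, 0x81, 0xfc, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* mov [ecx+fc],0 (wanted) */
    0xc3                                                        /* ret */
};

/* The wanted instruction as an explicit byte array: no terminator problem. */
static const unsigned char WANTED[10] = {
    0xc7, 0x81, 0xfc, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
};

/* What a scanner sees if it takes the pattern as a C string: strlen stops
 * at the first 0x00, so of the ten bytes only "c7 81 fc" survive. */
size_t pattern_length_as_cstring(const char *pattern)
{
    return strlen(pattern);
}

/* One window compared under a mask: 'x' = byte must match, anything else
 * ('?') = wildcard. The mask's own terminator fixes the length, so the
 * pattern may contain any number of 0x00 bytes. */
static bool mask_check(const unsigned char *data, const unsigned char *pattern,
                       const char *mask)
{
    for (; *mask; ++mask, ++data, ++pattern)
        if (*mask == 'x' && *data != *pattern)
            return false;
    return true;
}

/* Offset of the first masked match in buf[0..len), or -1 if none.
 * The loop bound keeps every comparison inside the buffer. */
long find_pattern(const unsigned char *buf, size_t len,
                  const unsigned char *pattern, const char *mask)
{
    size_t plen = strlen(mask);
    size_t i;

    if (plen == 0 || plen > len)
        return -1;
    for (i = 0; i + plen <= len; i++)
        if (mask_check(buf + i, pattern, mask))
            return (long)i;
    return -1;
}

int main(void)
{
    /* 1. Pattern handed over as a C string: strlen gives 3, and a mask of
     *    that length lands on mov [ecx+2fc],7fffffff, the wrong instruction. */
    const char *as_string = "\xC7\x81\xFC\x00\x00\x00\x00\x00\x00\x00";
    size_t n = pattern_length_as_cstring(as_string);
    char mask[11];
    long off;

    memset(mask, 'x', n);
    mask[n] = '\0';
    off = find_pattern(SAMPLE, sizeof SAMPLE, (const unsigned char *)as_string, mask);
    printf("C-string pattern: strlen %zu, truncated match at offset %ld\n", n, off);

    /* 2. Explicit pattern bytes plus a full-length mask: the wanted hit. */
    off = find_pattern(SAMPLE, sizeof SAMPLE, WANTED, "xxxxxxxxxx");
    printf("masked 10-byte pattern matches at offset %ld\n", off);

    /* 3. Wildcard on the low displacement byte: matches mov [ecx+344],0. */
    {
        const unsigned char wild[10] = { 0xc7, 0x81, 0x00, 0x03, 0, 0, 0, 0, 0, 0 };
        off = find_pattern(SAMPLE, sizeof SAMPLE, wild, "xx?xxxxxxx");
        printf("wildcard pattern matches at offset %ld\n", off);
    }
    return 0;
}
```

The same idea carries over to a buffer filled from another process: the offset returned by find_pattern is added to the address the buffer was read from, exactly as CondZero's post describes.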