[Help] Pattern scanning
[Help] Pattern scanning
Hi I have been wondering how to search for a pattern in an array of byte in a process.
For example searching for:
In CoD.
What it is supposed to do is make it unnessecary to update my program when the game updates, because the program will atomaticly find the new offset.
I actually allready found a way to search for patterns, but it doesn't work since my pattern contains ?'s(wildcards).
Here is the code I found on the web. Credits to iNTANGiBLE.
How to use it:
I simply am not a good enough coder to make the code support wildcards so I am hoping that you can help me.
For example searching for:
Code:
E8 ???????? 83C4 1C 80???? 10 00 74 39
What it is supposed to do is make it unnessecary to update my program when the game updates, because the program will atomaticly find the new offset.
I actually allready found a way to search for patterns, but it doesn't work since my pattern contains ?'s(wildcards).
Here is the code I found on the web. Credits to iNTANGiBLE.
Code:
Public Declare Function OpenProcess Lib "KERNEL32" _
(ByVal DesiredAccess As Int32, _
ByVal InheritHandle As Boolean, _
ByVal ProcessId As Int32) _
As Int32
Private Declare Function ReadProcessMemory Lib "KERNEL32" _
(ByVal Handle As Int32, _
ByVal address As Int32, _
ByRef Value As Int32, _
Optional ByVal Size As Int32 = 4, _
Optional ByVal lpNumberOfBytesWritten As Int64 = 0) _
As Long
Public PROCESS_VM_OPERATION As Int32 = 8
Public PROCESS_VM_READ As Int32 = 16
Public PROCESS_VM_WRITE As Int32 = 32
Private process_id As Int32 = 0
Public pHandle As Integer = 0
Public Function GetProcessId(ByVal game_name As String) As Boolean
Dim Processes() As Process = Process.GetProcesses
Dim process_name As String
Dim i As Byte
For i = LBound(Processes) To UBound(Processes)
process_name = Processes(i).ProcessName
If process_name = game_name Then
process_id = Processes(i).Id
pHandle = OpenProcess(PROCESS_VM_OPERATION + PROCESS_VM_WRITE + PROCESS_VM_READ, False, process_id)
Return True
End If
Next
If process_id = 0 Then
Return False
End If
Return False
End Function
Public Function ReadByte(ByVal address As Int32) As Integer
Dim value As Integer
ReadProcessMemory(pHandle, address, value, 1, 0)
Return value
End Function
Public Function AOBSCAN(ByVal GameName As String, ByVal ModuleName As String, ByVal Signature As Byte()) As Integer
Dim BaseAddress, EndAddress As Int32
For Each PM As ProcessModule In Process.GetProcessesByName(GameName)(0).Modules
If ModuleName = PM.ModuleName Then
BaseAddress = PM.BaseAddress
EndAddress = BaseAddress + PM.ModuleMemorySize
End If
Next
Dim curAddr As Int32 = BaseAddress
Do
For i As Integer = 0 To Signature.Length - 1
If ReadByte(curAddr + i) = Signature(i) Then
If i = Signature.Length - 1 Then
MsgBox(curAddr.ToString("X"))
Return curAddr
End If
Continue For
End If
Exit For
Next
curAddr += 1
Loop While curAddr < EndAddress
Return 0
End Function
Code:
If GetProcessId("CoD something") = False Then
Exit Sub
Else : AOBSCAN("CoD", "CoD.exe", New Byte() {&HFF, &H25, &HBC, &H30, &HF, &H1, &H75, &H2})
End If
well, try to put em as a string value....
yes it will probably work
Code:
New Byte() {&H98, "??", &H5, &H6A}
Originally Posted by 3Li0
well, try to put em as a string value....
yes it will probably work
Code:
New Byte() {&H98, "??", &H5, &H6A}
The error is in danish, but it says: The conversion from the string "??" to byte is invalid.
Originally Posted by pyton789
Thanks but it didn't work.
The error is in danish, but it says: The conversion from the string "??" to byte is invalid.
The error is in danish, but it says: The conversion from the string "??" to byte is invalid.
Binary->Copy
And paste the bytes on notepad....The bytes will probably not change during the updates..Depends on your current address
Originally Posted by 3Li0
well, open Olly and find the addie which is compatible with your siggy.Then right click and go to:
Binary->Copy
And paste the bytes on notepad....The bytes will probably not change during the updates..Depends on your current address
Code:
E8 13 9E 29 00
Is a calls binary calculate by
1. How far it jumps or.....................(For example the call is at current addres + 13AE)
2. Where it jumps to......................(F.x. call is at 7589AE7)
If it is 1 then will the new sig work, but if its 2 then I need to use wildcards.
Edit: I guess that will work, but I have another problem:
How to use the address after the program has found it. I mean the function will display the function in a msgBox, but I need to use for memory hacking.
So how should I do this?
It would be nice if it was possible to do something like this:
Code:
Dim Something = "&H" + AOBSCAN("BlackOps", "BlackOps.exe", New Byte() {&HE8, &H13, &H9E, &H29, &H0, &H83, &HC4, &H1C})
Originally Posted by pyton789
The problem is that it is a call so it might change after an update.
That is what I got from binary copy, but know I don't know if:
Is a calls binary calculate by
1. How far it jumps or.....................(For example the call is at current addres + 13AE)
2. Where it jumps to......................(F.x. call is at 7589AE7)
If it is 1 then will the new sig work, but if its 2 then I need to use wildcards.
Edit: I guess that will work, but I have another problem:
How to use the address after the program has found it. I mean the function will display the function in a msgBox, but I need to use for memory hacking.
So how should I do this?
It would be nice if it was possible to do something like this:
Code:
E8 13 9E 29 00
Is a calls binary calculate by
1. How far it jumps or.....................(For example the call is at current addres + 13AE)
2. Where it jumps to......................(F.x. call is at 7589AE7)
If it is 1 then will the new sig work, but if its 2 then I need to use wildcards.
Edit: I guess that will work, but I have another problem:
How to use the address after the program has found it. I mean the function will display the function in a msgBox, but I need to use for memory hacking.
So how should I do this?
It would be nice if it was possible to do something like this:
Code:
Dim Something = "&H" + AOBSCAN("BlackOps", "BlackOps.exe", New Byte() {&HE8, &H13, &H9E, &H29, &H0, &H83, &HC4, &H1C})
Originally Posted by 3Li0
delete the msgbox func and you're done. If it doesn't have the &H when it will be returned, then add the "&H" & Hex(blablabla)
Code:
Private Sub Form1_Load(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles MyBase.Load
If GetProcessId("BlackOps") = False Then
Exit Sub
Else
Dim a = AOBSCAN("BlackOps", "BlackOps.exe", New Byte() {&HE8, &H13, &H9E, &H29, &H0, &H83, &HC4, &H1C})
Dim aa = a + &H40
Dim ab = a + &HF7
End If
End Sub
Is there anything I can use instead of "dim" or do I need to put the code somewhere else?
To create a global variable declare it at class level rather than in a method body. I.e
[highlight=vb.net]
Public Class Form1
Private a = AOBSCAN("BlackOps", "BlackOps.exe", New Byte() {&HE8, &H13, &H9E, &H29, &H0, &H83, &HC4, &H1C})
'...
End Class
[/highlight]
[highlight=vb.net]
Public Class Form1
Private a = AOBSCAN("BlackOps", "BlackOps.exe", New Byte() {&HE8, &H13, &H9E, &H29, &H0, &H83, &HC4, &H1C})
'...
End Class
[/highlight]
Originally Posted by Jason
To create a global variable declare it at class level rather than in a method body. I.e
[highlight=vb.net]
Public Class Form1
Private a = AOBSCAN("BlackOps", "BlackOps.exe", New Byte() {&HE8, &H13, &H9E, &H29, &H0, &H83, &HC4, &H1C})
'...
End Class
[/highlight]
[highlight=vb.net]
Public Class Form1
Private a = AOBSCAN("BlackOps", "BlackOps.exe", New Byte() {&HE8, &H13, &H9E, &H29, &H0, &H83, &HC4, &H1C})
'...
End Class
[/highlight]
Private a = AOBSCAN("BlackOps", "BlackOps.exe", New Byte() {&HE8, &H13, &H9E, &H29, &H0, &H83, &HC4, &H1C})[/highlight]
But I did
[highlight=vb.net]MsgBox(a)[/highlight]
And it was zero
Originally Posted by pyton789
[highlight=vb.net]
Private a = AOBSCAN("BlackOps", "BlackOps.exe", New Byte() {&HE8, &H13, &H9E, &H29, &H0, &H83, &HC4, &H1C})[/highlight]
But I did
[highlight=vb.net]MsgBox(a)[/highlight]
And it was zero
Private a = AOBSCAN("BlackOps", "BlackOps.exe", New Byte() {&HE8, &H13, &H9E, &H29, &H0, &H83, &HC4, &H1C})[/highlight]
But I did
[highlight=vb.net]MsgBox(a)[/highlight]
And it was zero
Code:
Dim a As Integer = blalblablalblalbla
Did you make sure to actually re-assign the value of a in the sub-procedure? All class-level variables evaluate original values as the form is starting up. If you want to update it's value, you'll have to reassign it.
Replace AOBScan with this:
Usage:
AOBScan("BlackOps", "BlackOps.exe", New Byte() {&HFF, &H25, &HBC, &H30, &HF, &H1, &H75, &H2}, New Byte() {&HFF, &H0, &HFF, &H0, &HFF, &H0, &H0, &H0})
The last parameter is a masking parameter. &H0 means that the byte is optional and &HFF (or any byte value other than &H0) means that the byte is required. Make sure the Signature and the Mask are the same length. I don't understand why the logic in that is so hard to figure out. :/
Code:
Public Function AOBSCAN(ByVal GameName As String, ByVal ModuleName As String, ByVal Signature As Byte(), ByVal Mask As Byte()) As Integer
Dim BaseAddress, EndAddress As Int32
For Each PM As ProcessModule In Process.GetProcessesByName(GameName)(0).Modules
If ModuleName = PM.ModuleName Then
BaseAddress = PM.BaseAddress
EndAddress = BaseAddress + PM.ModuleMemorySize
End If
Next
Dim curAddr As Int32 = BaseAddress
Do
For i As Integer = 0 To Signature.Length - 1
If ReadByte(curAddr + i) = Signature(i) or Mask(i) = &H0 Then
If i = Signature.Length - 1 Then
MsgBox(curAddr.ToString("X"))
Return curAddr
End If
Continue For
End If
Exit For
Next
curAddr += 1
Loop While curAddr < EndAddress
Return 0
End Function
AOBScan("BlackOps", "BlackOps.exe", New Byte() {&HFF, &H25, &HBC, &H30, &HF, &H1, &H75, &H2}, New Byte() {&HFF, &H0, &HFF, &H0, &HFF, &H0, &H0, &H0})
The last parameter is a masking parameter. &H0 means that the byte is optional and &HFF (or any byte value other than &H0) means that the byte is required. Make sure the Signature and the Mask are the same length. I don't understand why the logic in that is so hard to figure out. :/
Thanks master131.
[highlight=VB.net]Module Module3
Public Declare Function OpenProcess Lib "KERNEL32" (ByVal DesiredAccess As Int32, ByVal InheritHandle As Boolean, ByVal ProcessId As Int32) As Int32
Private Declare Function ReadProcessMemory Lib "KERNEL32" (ByVal Handle As Int32, ByVal address As Int32, ByRef Value As Int32, Optional ByVal Size As Int32 = 4, Optional ByVal lpNumberOfBytesWritten As Int64 = 0) As Long
Public PROCESS_VM_OPERATION As Int32 = 8
Public PROCESS_VM_READ As Int32 = 16
Public PROCESS_VM_WRITE As Int32 = 32
Private process_id As Int32 = 0
Public pHandle As Integer = 0
Public Function GetProcessId(ByVal game_name As String) As Boolean
Dim Processes() As Process = Process.GetProcesses
Dim process_name As String
Dim i As Byte
For i = LBound(Processes) To UBound(Processes)
process_name = Processes(i).ProcessName
If process_name = game_name Then
process_id = Processes(i).Id
pHandle = OpenProcess(PROCESS_VM_OPERATION + PROCESS_VM_WRITE + PROCESS_VM_READ, False, process_id)
Return True
End If
Next
If process_id = 0 Then
Return False
End If
Return False
End Function
Public Function ReadByte(ByVal address As Int32) As Integer
Dim value As Integer
ReadProcessMemory(pHandle, address, value, 1, 0)
Return value
End Function
Public Function AOBSCAN(ByVal GameName As String, ByVal ModuleName As String, ByVal Signature As Byte(), ByVal Mask As Byte()) As Integer
Dim BaseAddress, EndAddress As Int32
For Each PM As ProcessModule In Process.GetProcessesByName(GameName)(0).Modules
If ModuleName = PM.ModuleName Then
BaseAddress = PM.BaseAddress
EndAddress = BaseAddress + PM.ModuleMemorySize
End If
Next
Dim curAddr As Int32 = BaseAddress
Do
For i As Integer = 0 To Signature.Length - 1
If ReadByte(curAddr + i) = Signature(i) Or Mask(i) = &H0 Then
If i = Signature.Length - 1 Then
MsgBox(curAddr.ToString("X"))
Return curAddr
End If
Continue For
End If
Exit For
Next
curAddr += 1
Loop While curAddr < EndAddress
Return 0
End Function
End Module[/highlight]
That is how the module looks. It can scan for patterns and it supports wildcards.
How to use:
[highlight=VB.net]If GetProcessId("BlackOps") = False Then
Exit Sub
Else : AOBSCAN("BlackOps", "BlackOps.exe", New Byte() {&HE8, &H13, &H9E, &H29, &H0, &H83, &HC4, &H1C}, New Byte() {&HFF, &HFF, &HFF, &HFF, &HFF, &HFF, &HFF, &HFF})
End If[/highlight]
The problem is:
It returns the address in a msgbox without "&H" in front of it.
I would like it to be returned like readmemory.(You know Return Buff*)
That would allow me to use the function like this:
[highlight=VB.net]Dim a as integer = AOBSCAN("BlackOps", "BlackOps.exe", New Byte() {&HE8, &H13, &H9E, &H29, &H0, &H83, &HC4, &H1C}, New Byte() {&HFF, &HFF, &HFF, &HFF, &HFF, &HFF, &HFF, &HFF})[/highlight]
[highlight=VB.net]Module Module3
Public Declare Function OpenProcess Lib "KERNEL32" (ByVal DesiredAccess As Int32, ByVal InheritHandle As Boolean, ByVal ProcessId As Int32) As Int32
Private Declare Function ReadProcessMemory Lib "KERNEL32" (ByVal Handle As Int32, ByVal address As Int32, ByRef Value As Int32, Optional ByVal Size As Int32 = 4, Optional ByVal lpNumberOfBytesWritten As Int64 = 0) As Long
Public PROCESS_VM_OPERATION As Int32 = 8
Public PROCESS_VM_READ As Int32 = 16
Public PROCESS_VM_WRITE As Int32 = 32
Private process_id As Int32 = 0
Public pHandle As Integer = 0
Public Function GetProcessId(ByVal game_name As String) As Boolean
Dim Processes() As Process = Process.GetProcesses
Dim process_name As String
Dim i As Byte
For i = LBound(Processes) To UBound(Processes)
process_name = Processes(i).ProcessName
If process_name = game_name Then
process_id = Processes(i).Id
pHandle = OpenProcess(PROCESS_VM_OPERATION + PROCESS_VM_WRITE + PROCESS_VM_READ, False, process_id)
Return True
End If
Next
If process_id = 0 Then
Return False
End If
Return False
End Function
Public Function ReadByte(ByVal address As Int32) As Integer
Dim value As Integer
ReadProcessMemory(pHandle, address, value, 1, 0)
Return value
End Function
Public Function AOBSCAN(ByVal GameName As String, ByVal ModuleName As String, ByVal Signature As Byte(), ByVal Mask As Byte()) As Integer
Dim BaseAddress, EndAddress As Int32
For Each PM As ProcessModule In Process.GetProcessesByName(GameName)(0).Modules
If ModuleName = PM.ModuleName Then
BaseAddress = PM.BaseAddress
EndAddress = BaseAddress + PM.ModuleMemorySize
End If
Next
Dim curAddr As Int32 = BaseAddress
Do
For i As Integer = 0 To Signature.Length - 1
If ReadByte(curAddr + i) = Signature(i) Or Mask(i) = &H0 Then
If i = Signature.Length - 1 Then
MsgBox(curAddr.ToString("X"))
Return curAddr
End If
Continue For
End If
Exit For
Next
curAddr += 1
Loop While curAddr < EndAddress
Return 0
End Function
End Module[/highlight]
That is how the module looks. It can scan for patterns and it supports wildcards.
How to use:
[highlight=VB.net]If GetProcessId("BlackOps") = False Then
Exit Sub
Else : AOBSCAN("BlackOps", "BlackOps.exe", New Byte() {&HE8, &H13, &H9E, &H29, &H0, &H83, &HC4, &H1C}, New Byte() {&HFF, &HFF, &HFF, &HFF, &HFF, &HFF, &HFF, &HFF})
End If[/highlight]
The problem is:
It returns the address in a msgbox without "&H" in front of it.
I would like it to be returned like readmemory.(You know Return Buff*)
That would allow me to use the function like this:
[highlight=VB.net]Dim a as integer = AOBSCAN("BlackOps", "BlackOps.exe", New Byte() {&HE8, &H13, &H9E, &H29, &H0, &H83, &HC4, &H1C}, New Byte() {&HFF, &HFF, &HFF, &HFF, &HFF, &HFF, &HFF, &HFF})[/highlight]
You declared a as an Integer, which automatically evaluates the hex (&Hxxxxx) into an integer value. If you want it to be returned as Hex create it as string so it doesn't evaluate the hex.
Simply Use Built-In Hex Function:
Code:
Hex(Number / String To Convert)