Array-Of-Byte Scan

**[MPGH]master131** · 03-19-2011

I've been playing with WinAPI today and I was wondering if there is a way to search for an array of bytes in a process' memory. I've tried coding my own one but it didn't work (kept returning the starting address I specified).

Anyone got ideas? btw, these are not assembly bytes.

**Void** · 03-19-2011

If ya' add me on MSN I can prolly help o:

davidm_44@hotmail.com

PS: opcodes are still part of memory and you see them in the hex-viewer, you just don't see the instructions.

**freedompeace** · 03-19-2011

Umm,
byte[] yourbytearray;

for (i = 0 ; i < maxaddress - length; i++)
if ((byte[]*)(i) == yourbytearray)
// match?

**[MPGH]master131** · 03-20-2011

ugh, I tried and failed hardcore despite your help. It's alot easier in VB.

**♪~ ᕕ(ᐛ)ᕗ** · 03-20-2011

It's BYTE YourByteArray[<MaxLen>]...
And Just to make it easy make it viod*

Code:

BYTE B[] = {0x80, 0x8, 0xA4};
for(int i = 0; i < MaxAddie - Len; i++)
{
      if((void*)(i) == (void*)((BYTE*)B) //Result
}

**[MPGH]master131** · 03-20-2011

Maybe I should've added that I'm not injecting a DLL to do this. I'm doing it externally via a Win32 C++ app.

**Hell_Demon** · 03-20-2011

ReadProcessMemory into an array then use this:

Code:

//credits to Dominik & Patrick

bool bDataCompare( const unsigned char* pData, const unsigned char* bMask, const char* szMask );
unsigned long dwFindPattern( unsigned char *bMask,char * szMask, unsigned long dw_Address = dwStartAddress, unsigned long dw_Len = dwLen );

bool bDataCompare(const unsigned char* pData, const unsigned char* bMask, const char* szMask)
{
    for(;*szMask;++szMask,++pData,++bMask)
        if(*szMask=='x' && *pData!=*bMask )
            return false;
    return (*szMask) == 0;
}

unsigned long dwFindPattern( unsigned char *bMask,char * szMask, unsigned long dw_Address = 0x00401000, unsigned long dw_Len = 0x00861FFF )
{
    for(unsigned long i=0; i < dw_Len; i++)
		if( bDataCompare( (unsigned char*)( dw_Address+i ),bMask,szMask) )
            return (unsigned long)(dw_Address+i);
    return 0;
}

Substract the array start address off the address it returns, then add the start address of where you started reading and you'll have the offset in the games memory.

Code usage:

Code:

char lolwat[512] = {0,};
ReadProcMemory(0x1337, lolwat, 512);//i know this one is wrong, but you get the picture >.>
unsigned long foundAddy = dwFindPattern( "\x15\x20\x30\x40\x90","x?x?x", &lolwat, 512 );

foundAddy -= &lolwat;
foundAddy += 0x1337;

**[MPGH]master131** · 03-22-2011

Alrighties all fixed. :3

Thread: Array-Of-Byte Scan

Thread Tools

Display

Array-Of-Byte Scan

The Following User Says Thank You to Hell_Demon For This Useful Post: