  1. #1
    pyton789

    [Help] Pattern scanning

    Hi, I have been wondering how to search for a pattern in an array of bytes in a process.
    For example searching for:
    Code:
    E8 ???????? 83C4 1C 80???? 10 00 74 39
    In CoD.
    What it is supposed to do is make it unnecessary to update my program when the game updates, because the program will automatically find the new offset.
    I actually already found a way to search for patterns, but it doesn't work since my pattern contains ?'s (wildcards).

    Here is the code I found on the web. Credits to iNTANGiBLE.

    Code:
    Public Declare Function OpenProcess Lib "KERNEL32" _
        (ByVal DesiredAccess As Int32, _
         ByVal InheritHandle As Boolean, _
         ByVal ProcessId As Int32) _
        As Int32

    ' ReadProcessMemory returns a BOOL and its last argument is pointer-sized,
    ' so both are declared as 32-bit values here (32-bit target process).
    Private Declare Function ReadProcessMemory Lib "KERNEL32" _
        (ByVal Handle As Int32, _
         ByVal address As Int32, _
         ByRef Value As Int32, _
         Optional ByVal Size As Int32 = 4, _
         Optional ByVal lpNumberOfBytesWritten As Int32 = 0) _
        As Boolean

    Public PROCESS_VM_OPERATION As Int32 = 8
    Public PROCESS_VM_READ As Int32 = 16
    Public PROCESS_VM_WRITE As Int32 = 32

    Private process_id As Int32 = 0
    Public pHandle As Integer = 0

    Public Function GetProcessId(ByVal game_name As String) As Boolean
        Dim Processes() As Process = Process.GetProcesses
        Dim process_name As String
        ' Integer, not Byte: a Byte counter overflows once more than 255 processes are running
        Dim i As Integer
        For i = LBound(Processes) To UBound(Processes)
            process_name = Processes(i).ProcessName
            If process_name = game_name Then
                process_id = Processes(i).Id
                pHandle = OpenProcess(PROCESS_VM_OPERATION + PROCESS_VM_WRITE + PROCESS_VM_READ, False, process_id)
                Return True
            End If
        Next
        If process_id = 0 Then
            Return False
        End If
        Return False
    End Function

    ' Reads a single byte at the given address through the handle opened above
    Public Function ReadByte(ByVal address As Int32) As Integer
        Dim value As Integer
        ReadProcessMemory(pHandle, address, value, 1, 0)
        Return value
    End Function

    ' Compares every byte exactly, so the signature cannot contain wildcards
    Public Function AOBSCAN(ByVal GameName As String, ByVal ModuleName As String, ByVal Signature As Byte()) As Integer
        Dim BaseAddress, EndAddress As Int32
        For Each PM As ProcessModule In Process.GetProcessesByName(GameName)(0).Modules
            If ModuleName = PM.ModuleName Then
                BaseAddress = PM.BaseAddress
                EndAddress = BaseAddress + PM.ModuleMemorySize
            End If
        Next
        Dim curAddr As Int32 = BaseAddress
        Do
            For i As Integer = 0 To Signature.Length - 1
                If ReadByte(curAddr + i) = Signature(i) Then
                    If i = Signature.Length - 1 Then
                        MsgBox(curAddr.ToString("X"))
                        Return curAddr
                    End If
                    Continue For
                End If
                Exit For
            Next
            curAddr += 1
        Loop While curAddr < EndAddress
        Return 0
    End Function
    How to use it:

    Code:
    If GetProcessId("CoD something") = False Then
                Exit Sub
            Else : AOBSCAN("CoD", "CoD.exe", New Byte() {&HFF, &H25, &HBC, &H30, &HF, &H1, &H75, &H2})
            End If
    I simply am not a good enough coder to make the code support wildcards so I am hoping that you can help me.

  2. #2
    ♪~ ᕕ(ᐛ)ᕗ
    well, try to put em as a string value....
    Code:
    New Byte() {&H98, "??", &H5, &H6A}
    yes it will probably work
    Last edited by ♪~ ᕕ(ᐛ)ᕗ; 03-06-2011 at 08:17 AM.

  3. #3
    pyton789
    Quote Originally Posted by 3Li0 View Post
    well, try to put em as a string value....
    Code:
    New Byte() {&H98, "??", &H5, &H6A}
    yes it will probably work
    Thanks but it didn't work.

    The error is in Danish, but it says: The conversion from the string "??" to byte is invalid.


  4. #4
    ♪~ ᕕ(ᐛ)ᕗ
    Quote Originally Posted by pyton789 View Post
    Thanks but it didn't work.

    The error is in Danish, but it says: The conversion from the string "??" to byte is invalid.
    well, open Olly and find the addie which is compatible with your siggy. Then right click and go to:
    Binary->Copy
    And paste the bytes on notepad.... The bytes will probably not change during the updates.. Depends on your current address

  5. #5
    pyton789
    Quote Originally Posted by 3Li0 View Post
    well, open Olly and find the addie which is compatible with your siggy. Then right click and go to:
    Binary->Copy
    And paste the bytes on notepad.... The bytes will probably not change during the updates.. Depends on your current address
    The problem is that it is a call so it might change after an update.
    Code:
    E8 13 9E 29 00
    That is what I got from binary copy, but now I don't know if:
    Is a call's binary calculated by
    1. How far it jumps (for example the call is at current address + 13AE), or
    2. Where it jumps to (f.x. call is at 7589AE7)

    If it is 1 then the new sig will work, but if it's 2 then I need to use wildcards.

    Edit: I guess that will work, but I have another problem:
    How to use the address after the program has found it. I mean the function will display the function in a msgBox, but I need to use it for memory hacking.
    So how should I do this?
    It would be nice if it was possible to do something like this:
    Code:
    Dim Something = "&H" + AOBSCAN("BlackOps", "BlackOps.exe", New Byte() {&HE8, &H13, &H9E, &H29, &H0, &H83, &HC4, &H1C})
    Last edited by pyton789; 03-06-2011 at 09:25 AM.


  6. #6
    ♪~ ᕕ(ᐛ)ᕗ
    Quote Originally Posted by pyton789 View Post
    The problem is that it is a call so it might change after an update.
    Code:
    E8 13 9E 29 00
    That is what I got from binary copy, but now I don't know if:
    Is a call's binary calculated by
    1. How far it jumps (for example the call is at current address + 13AE), or
    2. Where it jumps to (f.x. call is at 7589AE7)

    If it is 1 then the new sig will work, but if it's 2 then I need to use wildcards.

    Edit: I guess that will work, but I have another problem:
    How to use the address after the program has found it. I mean the function will display the function in a msgBox, but I need to use it for memory hacking.
    So how should I do this?
    It would be nice if it was possible to do something like this:
    Code:
    Dim Something = "&H" + AOBSCAN("BlackOps", "BlackOps.exe", New Byte() {&HE8, &H13, &H9E, &H29, &H0, &H83, &HC4, &H1C})
    delete the msgbox func and you're done. If it doesn't have the &H when it will be returned, then add the "&H" & Hex(blablabla)

  7. #7
    pyton789
    Quote Originally Posted by 3Li0 View Post
    delete the msgbox func and you're done. If it doesn't have the &H when it will be returned, then add the "&H" & Hex(blablabla)
    Thanks 3lio. It works, but I have one last problem:
    Code:
        Private Sub Form1_Load(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles MyBase.Load
            If GetProcessId("BlackOps") = False Then
                Exit Sub
            Else
                Dim a = AOBSCAN("BlackOps", "BlackOps.exe", New Byte() {&HE8, &H13, &H9E, &H29, &H0, &H83, &HC4, &H1C})
                Dim aa = a + &H40
                Dim ab = a + &HF7
            End If
        End Sub
    If I dim it inside of a sub then I won't be able to use it inside of another sub.
    Is there anything I can use instead of "dim" or do I need to put the code somewhere else?


  8. #8
    Jason
    To create a global variable, declare it at class level rather than in a method body, i.e.

    Code:
    Public Class Form1
        Private a = AOBSCAN("BlackOps", "BlackOps.exe", New Byte() {&HE8, &H13, &H9E, &H29, &H0, &H83, &HC4, &H1C})

        '...
    End Class


  9. #9
    pyton789
    Quote Originally Posted by Jason View Post
    To create a global variable, declare it at class level rather than in a method body, i.e.

    Code:
    Public Class Form1
        Private a = AOBSCAN("BlackOps", "BlackOps.exe", New Byte() {&HE8, &H13, &H9E, &H29, &H0, &H83, &HC4, &H1C})

        '...
    End Class
    Code:
    Private a = AOBSCAN("BlackOps", "BlackOps.exe", New Byte() {&HE8, &H13, &H9E, &H29, &H0, &H83, &HC4, &H1C})

    But I did
    Code:
    MsgBox(a)
    And it was zero


  10. #10
    ♪~ ᕕ(ᐛ)ᕗ
    Quote Originally Posted by pyton789 View Post
    Code:
    Private a = AOBSCAN("BlackOps", "BlackOps.exe", New Byte() {&HE8, &H13, &H9E, &H29, &H0, &H83, &HC4, &H1C})

    But I did
    Code:
    MsgBox(a)
    And it was zero
    It won't solve anything but try to put 'Dim' instead of Public, and make it an Integer...
    Code:
    Dim a As Integer = blalblablalblalbla
    You can use Dim outside Subs or Functions....

  11. #11
    Jason
    Did you make sure to actually re-assign the value of a in the sub-procedure? All class-level variables evaluate original values as the form is starting up. If you want to update its value, you'll have to reassign it.


  12. #12
    master131
    Replace AOBScan with this:
    Code:
    Public Function AOBSCAN(ByVal GameName As String, ByVal ModuleName As String, ByVal Signature As Byte(), ByVal Mask As Byte()) As Integer
        Dim BaseAddress, EndAddress As Int32
        For Each PM As ProcessModule In Process.GetProcessesByName(GameName)(0).Modules
            If ModuleName = PM.ModuleName Then
                BaseAddress = PM.BaseAddress
                EndAddress = BaseAddress + PM.ModuleMemorySize
            End If
        Next
        Dim curAddr As Int32 = BaseAddress
        Do
            For i As Integer = 0 To Signature.Length - 1
                If ReadByte(curAddr + i) = Signature(i) or Mask(i) = &H0 Then
                    If i = Signature.Length - 1 Then
                        MsgBox(curAddr.ToString("X"))
                        Return curAddr
                    End If
                    Continue For
                End If
                Exit For
            Next
            curAddr += 1
        Loop While curAddr < EndAddress
        Return 0
    End Function
    Usage:
    AOBScan("BlackOps", "BlackOps.exe", New Byte() {&HFF, &H25, &HBC, &H30, &HF, &H1, &H75, &H2}, New Byte() {&HFF, &H0, &HFF, &H0, &HFF, &H0, &H0, &H0})

    The last parameter is a masking parameter. &H0 means that the byte is optional and &HFF (or any byte value other than &H0) means that the byte is required. Make sure the Signature and the Mask are the same length. I don't understand why the logic in that is so hard to figure out. :/
    Last edited by master131; 03-06-2011 at 10:46 PM.

  13. #13
    pyton789
    Thanks master131.
    Code:
    Imports System.Diagnostics

    Module Module3
        Public Declare Function OpenProcess Lib "KERNEL32" (ByVal DesiredAccess As Int32, ByVal InheritHandle As Boolean, ByVal ProcessId As Int32) As Int32
        ' ReadProcessMemory returns a BOOL and its last argument is pointer-sized (32-bit target process)
        Private Declare Function ReadProcessMemory Lib "KERNEL32" (ByVal Handle As Int32, ByVal address As Int32, ByRef Value As Int32, Optional ByVal Size As Int32 = 4, Optional ByVal lpNumberOfBytesWritten As Int32 = 0) As Boolean

        Public PROCESS_VM_OPERATION As Int32 = 8
        Public PROCESS_VM_READ As Int32 = 16
        Public PROCESS_VM_WRITE As Int32 = 32

        Private process_id As Int32 = 0
        Public pHandle As Integer = 0

        Public Function GetProcessId(ByVal game_name As String) As Boolean
            Dim Processes() As Process = Process.GetProcesses
            Dim process_name As String
            ' Integer, not Byte: a Byte counter overflows once more than 255 processes are running
            Dim i As Integer
            For i = LBound(Processes) To UBound(Processes)
                process_name = Processes(i).ProcessName
                If process_name = game_name Then
                    process_id = Processes(i).Id
                    pHandle = OpenProcess(PROCESS_VM_OPERATION + PROCESS_VM_WRITE + PROCESS_VM_READ, False, process_id)
                    Return True
                End If
            Next
            If process_id = 0 Then
                Return False
            End If
            Return False
        End Function

        Public Function ReadByte(ByVal address As Int32) As Integer
            Dim value As Integer
            ReadProcessMemory(pHandle, address, value, 1, 0)
            Return value
        End Function

        ' Mask(i) = &H0 marks position i as a wildcard; any other value requires an exact match
        Public Function AOBSCAN(ByVal GameName As String, ByVal ModuleName As String, ByVal Signature As Byte(), ByVal Mask As Byte()) As Integer
            Dim BaseAddress, EndAddress As Int32
            For Each PM As ProcessModule In Process.GetProcessesByName(GameName)(0).Modules
                If ModuleName = PM.ModuleName Then
                    BaseAddress = PM.BaseAddress
                    EndAddress = BaseAddress + PM.ModuleMemorySize
                End If
            Next
            Dim curAddr As Int32 = BaseAddress
            Do
                For i As Integer = 0 To Signature.Length - 1
                    If ReadByte(curAddr + i) = Signature(i) Or Mask(i) = &H0 Then
                        If i = Signature.Length - 1 Then
                            MsgBox(curAddr.ToString("X"))
                            Return curAddr
                        End If
                        Continue For
                    End If
                    Exit For
                Next
                curAddr += 1
            Loop While curAddr < EndAddress
            Return 0
        End Function

    End Module
    That is how the module looks. It can scan for patterns and it supports wildcards.

    How to use:
    Code:
    If GetProcessId("BlackOps") = False Then
        Exit Sub
    Else : AOBSCAN("BlackOps", "BlackOps.exe", New Byte() {&HE8, &H13, &H9E, &H29, &H0, &H83, &HC4, &H1C}, New Byte() {&HFF, &HFF, &HFF, &HFF, &HFF, &HFF, &HFF, &HFF})
    End If

    The problem is:
    It returns the address in a msgbox without "&H" in front of it.
    I would like it to be returned like readmemory. (You know Return Buff*)
    That would allow me to use the function like this:
    Code:
    Dim a as integer = AOBSCAN("BlackOps", "BlackOps.exe", New Byte() {&HE8, &H13, &H9E, &H29, &H0, &H83, &HC4, &H1C}, New Byte() {&HFF, &HFF, &HFF, &HFF, &HFF, &HFF, &HFF, &HFF})


  14. #14
    Jason
    You declared a as an Integer, which automatically evaluates the hex (&Hxxxxx) into an integer value. If you want it to be returned as Hex create it as string so it doesn't evaluate the hex.


  15. #15
    Hassan
    Simply Use Built-In Hex Function:

    Code:
    Hex(Number / String To Convert)
