PatternBase

**FlaVour** · 04-27-2011

Hey MPGH,
first of all,all creditz go to CypherPresents.
I only post it here because,the last day i posted a AddyLogger and you need the newest Pattern.So This will help you

Information
This is something I made when I had some time over at school after some project. It's more like a base that you can use to search patterns and easily have as a tool for updating your hacks.

It felt like I needed to have something more universal that I could use for my projects as I have some old template I made almost a year ago, it works but not good

So this took me like one and a half hour I think and is in my opinion pretty usefull
or at least it is for me.

How to use
Its pretty straight forward and very easy.
You open up the project, open Wrapper.cpp and to define a new "target" or actually the binary/module that is to be scanned for patterns you edit the function Wrapper::Initialize as for now its Notepad.exe as default because thats what I tested it with.

Secondly to apply more/new patterns you define them in the function
Wrapper::Search in there you can define you pattern like I did and
then call the Pattern_h::Scan function.

Code:

char pzNotepad[] = "\x68\x00\x00\x00\x00\x53\xFF\x15\x00\x00\x00\x00\x8B\xF0\x89\x35\x00\x00\x00\x00";
char szNotepad[] = "x????xxx????xxxx????";

DWORD dwTest = Pat.Scan( "Notepad", (PBYTE)pzNotepad, szNotepad );

Here I have defined a pattern to be used and then I call the scan function.
I you would like a more flexible or be able to search for example two modules in the same project you could define new modules in the Wrapper::Intialize function for example.

Code:

DWORD dwBase2 = Tools.GetModuleBase( "othermodule.dll" );
DWORD dwSize2 = Tools.GetModuleSize( "othermodule.dll" );

and then call the other find function Pattern_h::CustomFind like this

Code:

DWORD dwTest2 = Pat.CustomFind( "NewValue", (DWORD)dwBase2, (DWORD)dwSize2, (PBYTE)pzNewMask, szNewMask );

To search for a pattern using another defined module/binary.

NOTES: All search function automatically prints the found offset into a log that is placed in the same directory as the
PatternBase.dll and the log is named PatternBaseDump.txt. The first parameters of the Pattern_h::Scan
and Pattern::CustomFind functions is actually the name of the offset that is going to placed in the log.

ex.

Code:

DWORD dwTest = Pat.CustomFind( "NotepadOffset", ... );
DWORD dwTest2 = Pat.CustomFind( "blabla", ... );

NOTE AGAIN: Remember that the DWORD's dwTest and dwTest2 still holds the final offsets so that you can do
custom stuff with the offset if you want too but its also automatically logged into the dumped txt file.

So the output of the log should be something like:

Code:

NotepadOffset [ 0x000000 ]
blabla [ 0x000000 ]

So remember that the first parameter is the name that gets logged into the dumped offsets, nice huh

Now this is something that is I think far away for fully complete so feel free to build upon this work and improve something if you wish.
Things that you could add for example is:

Better multi-module compability
Easier to add patterns
Reading patterns from XML/Config file

And ofcourse other things that you can come up with

Credits: I guess the only one needed is dom1n1k for findpattern?

Cheers and have fun, hopefully this will be usefull for some and not only me!
Also forgive my lazy English.

Virusscan1

Virusscan2

**SteamAss** · 04-27-2011

Really works??? all? is it urs?

**FlaVour** · 04-27-2011

Originally Posted by FlaVour

all creditz go to CypherPresents.

yes it works but .... you need to edit the sources....like explained in the video...and you have to get one time the newest pattern for the process you want to get the patterns....