FireFox Posted September 6, 2009

Hi, I have already searched but found nothing which was working to search a STRING in a process memory... If it doesn't exist, maybe someone has an idea in order to read all memory addresses until the right string is found, because the address always changes.

Thanks for any help

Cheers, FireFox.

Inverted Posted September 6, 2009

Have you tried dumping all the memory you want to search to a file and then searching there ? I know it's not the optimal way to do it, but it may be good enough.

Otherwise you could do a search loop with ReadProcessMemory using NomadMemory.au3. Of course you'll have to search for the first 4 ascii codes of the string and if found, then compare the rest etc, because you'll be working with dwords.

FireFox Posted September 6, 2009

> Have you tried dumping all the memory you want to search to a file and then searching there ? I know it's not the optimal way to do it, but it may be good enough.
> Otherwise you could do a search loop with ReadProcessMemory using NomadMemory.au3. Of course you'll have to search for the first 4 ascii codes of the string and if found, then compare the rest etc, because you'll be working with dwords.

Maybe you could explain to me how to dump all the memory, or redirect me to an AutoIt tutorial post

Cheers, FireFox.

Inverted Posted September 6, 2009

```autoit
#include <NomadMemory.au3>
#include <MemoryGetBaseAddressUDF.au3>

$progname = "Memory Reader"

; Look up the target process by name; ProcessExists returns 0 if it is not running
$target_pid = ProcessExists ("example.exe")
If $target_pid=0 Then
    MsgBox (16, $progname, "Process not found !")
    Exit
EndIf

; Open the process for reading
$Nomad_struct = _MemoryOpen($target_pid)
If @error <> 0 Then
    MsgBox (16, $progname, "Process could not be opened !")
    Exit
EndIf

; Show the base address, then the dword stored at it
$target_base = _MemoryGetBaseAddress($Nomad_struct)
MsgBox(0,"",$target_base)
MsgBox(4096, $progname, Hex(_MemoryRead( Dec($target_base),$Nomad_struct)))
```

That's a good example of how to get the base address of an executable and read memory from it. I'm sure you can adapt it, you're skilled in AutoIt ! Let me know how it goes, maybe I'll make a mem dumper, come to think of it :-D

Note : If you're on 64-bit it doesn't work on 64-bit executables.

Note2 : It also doesn't work if I compile it as 64-bit or if I execute the au3, obviously because it uses the 64bit autoit exe.

Edited September 6, 2009 by Inverted

FireFox Posted September 6, 2009

@Inverted I have already a script like that, what do you mean about dumping ? Maybe I have to search from 0x000000 to 0xFFFFFF ? But I don't know how to build a function like this..

Cheers, FireFox.

Edited September 6, 2009 by FireFox

Inverted Posted September 6, 2009

Dumping means to save the memory to a file. Anyway, you don't need to do that. Why don't you just make a searching loop to search the memory and compare the 4 bytes you get with the first 4 ascii values of your string ?

If it's not the same, then increment the address you're looking at by one (or by 4 if the string you're looking for is always dword-aligned).

FireFox Posted September 6, 2009

> Dumping means to save the memory to a file. Anyway, you don't need to do that. Why don't you just make a searching loop to search the memory and compare the 4 bytes you get with the first 4 ascii values of your string ?
> If it's not the same, then increment the address you're looking at by one. (or by 4 if the string you're looking for is always dword-aligned.

I understand anything, sorry... The string that I need to search can have a different length, can you write me a little example (maybe then I will understand what to do)

Cheers, FireFox.

Inverted Posted September 6, 2009

```autoit
#include <NomadMemory.au3>
#include <Array.au3>

$progname = "Memory_String_Search"
$search_start = 0x400000
$search_end = 0x7fffffff

$target_pid = ProcessExists ( InputBox ("Give process name, 32-bit exes only!", "example : example.exe","example.exe") )
If $target_pid=0 Then
    MsgBox (16, $progname, "Process not found !")
    Exit
EndIf

$Nomad_struct = _MemoryOpen($target_pid)
If @error <> 0 Then
    MsgBox (16, $progname, "Process could not be opened !")
    Exit
EndIf

$search_string = InputBox ("Give search string", "","somestring")
$byte_pattern_array = StringToASCIIArray ($search_string)
; Pack the first four characters into one little-endian dword, as hex text
$byte_pattern = Hex($byte_pattern_array[0]+256*$byte_pattern_array[1]+65536*$byte_pattern_array[2]+16777216*$byte_pattern_array[3])
MsgBox (4096, $progname, $byte_pattern)

; Read one dword per step and compare it with the packed pattern
For $search_address = $search_start To $search_end Step 4
    ;ToolTip (Hex($search_address)) ; I've commented out the tooltip because it is too slow
    If Hex(_MemoryRead( $search_address,$Nomad_struct)) = $byte_pattern Then
        MsgBox (4096, $progname, "String found at address : " & Hex($search_address))
        Exit
    EndIf
Next
```

That's where I am so far, it's not finished, I will continue tomorrow. I've tested and it works fine, BUT it only searches for the first 4 bytes (and only with ascii strings, not unicode). It's not that hard to do a comparison for the other bytes as needed.

Anyway, the code is very cryptic. Does anyone have a better idea to create an inverse dword out of the first 4 bytes of a string ? Not that it matters too much, since it's a one-time calculation ... it just looks funky

This code is only for 32-bit stuff.

P.S.: Array.au3 isn't needed for this code, I just use it for testing (_ArrayDisplay etc)

Edited September 6, 2009 by Inverted

FireFox Posted September 7, 2009

It works fine ! (a little long but I'm sure we can improve it) Maybe that's what you've said, I can't search a string whose length is smaller than 4...

Anyway, thank you for your help

Edit1: Why is there two more numbers for the $search_end than for the $search_start ?

$search_start = 0x400000
$search_end = 0x7fffffff

Cheers, FireFox.

Edited September 7, 2009 by FireFox

Moderators SmOke_N Posted September 7, 2009

> Edit1: Why is there two more numbers for the $search_end than for the $search_start ?
> $search_start = 0x400000
> $search_end = 0x7fffffff

$search_start = 0x00400000
$search_end = 0x7fffffff

Better? ...

Common sense plays a role in the basics of understanding AutoIt... If you're lacking in that, do us all a favor, and step away from the computer.

trancexx Posted September 7, 2009

Why is there two more letters for the $search_start than for the $search_end?

FireFox Posted September 8, 2009

I think I have found a way to search a string in a process memory ! Fixed script is at the #14 reply. Tell me if that works fine and I will post it in example scripts forum

Cheers, FireFox.

Edited September 8, 2009 by FireFox

Inverted Posted September 8, 2009

Have you tested it ? It didn't work here, whereas my script works. Also, it is uber-slow !!!

By the way, I got rid of the "step 4" in my script, turns out dword aligned strings aren't as common as I thought.

Oh, almost forgot, you should change the end address to a lot more, like 6fffffff, your 7fffff is ridiculously low, you're missing out on a lot of good memory

Edited September 8, 2009 by Inverted

FireFox Posted September 8, 2009

> Have you tested it ? It didn't work here, whereas my script works. Also, it is uber-slow !!! By the way, I got rid of the "step 4" in my script, turns out dword aligned strings aren't as common as I thought. Oh, almost forgot, you should change the end address to a lot more, like 6fffffff, your 7fffff is ridiculously low, you're missing out on a lot of good memory

I have fixed what was wrong, but it's very, very, very long...

```autoit
#include <NomadMemory.au3>
#include <Array.au3>
;
Local $s_pname = 'Memory_String_Search'
Local $s_start = 0x40000000
Local $s_end = 0x7fffffff

$n_pid = ProcessExists(InputBox('Give process name, 32-bit exes only!', 'Example : calc.exe', "", "", 200, 120))
If $n_pid < 1 Then Exit MsgBox(16, $s_pname, 'Process not found !')

$f_mopen = _MemoryOpen($n_pid)
If @error > 0 Then Exit MsgBox(16, $s_pname, 'Process could not be opened !')

$s_search = InputBox('Give search string', 'Example : Something', "", "", 200, 120)
ConsoleWrite('>Searching...' & @CRLF)

; One read per address: fetch a char array one longer than the search string and compare it
For $i_search = $s_start To $s_end
    ;~ ConsoleWrite(Hex($i_search) & @CRLF) ;I've commented out the consolewrite because it keeps writing after exit
    If _MemoryRead('0x' & Hex($i_search), $f_mopen, 'char[' & StringLen($s_search) +1 & ']') = $s_search Then
        $f_msg = MsgBox(33, $s_pname, 'String found at address : ' & Hex($i_search) & @CRLF & 'Continue searching ?')
        If $f_msg = 2 Then Exit
    EndIf
Next

MsgBox(16, $s_pname, 'String not found !')
```

Maybe someone has an idea to improve it

Your script is a 4 bytes search, mine is a text search.

Cheers, FireFox.

schnibble Posted December 30, 2010

There are a lot of good ideas for searching in the memory, but one solution is too slow and the other too short. I need something to search a large hex number: FFFFFF7F00000000000000000000000000000000FFFFFFFF01000000000000000000000001 as example. The value is always at another address. With cheat engine I find this address but I would like to have a script to do that for me, is there a solution to search fast in the memory from 00000000 to 7FFFFFFF?

Thanks and best regards
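
The scripts in this thread issue one memory read per address, which is where the slowness comes from. The following is an added example, not code from any poster, written in Python rather than AutoIt: it reads one block at a time, searches inside the block, carries the last `len(pattern) - 1` bytes forward so a match straddling two blocks is still found, and skips unreadable ranges. `FakeProcess`, the addresses and the memory contents are constructed stand-ins for a real ReadProcessMemory wrapper.

```python
# Added illustration: chunked search instead of one read per address.
# FakeProcess and all addresses/contents below are constructed sample data.

class FakeProcess:
    """Stand-in for a ReadProcessMemory wrapper; only mapped regions are readable."""
    def __init__(self, regions):
        self.regions = regions                      # {base address: bytes}

    def read(self, address, size):
        for base, data in self.regions.items():
            if base <= address < base + len(data):
                return data[address - base:address - base + size]
        return None                                 # unmapped, like a failed read


def search_memory(read, start, end, pattern, chunk=0x1000):
    """Return every address in [start, end) at which `pattern` begins."""
    if not pattern:
        raise ValueError("empty pattern")
    hits, tail, addr = [], b"", start
    keep = len(pattern) - 1                         # bytes carried across chunk edges
    while addr < end:
        block = read(addr, min(chunk, end - addr))
        if not block:                               # unreadable: skip to next chunk
            tail, addr = b"", (addr // chunk + 1) * chunk
            continue
        buf, base = tail + block, addr - len(tail)
        pos = buf.find(pattern)
        while pos != -1:
            hits.append(base + pos)
            pos = buf.find(pattern, pos + 1)
        tail = buf[-keep:] if keep else b""
        addr += len(block)
    return hits


def patterns_for(text):
    """Byte patterns for a string stored as ASCII or as UTF-16LE ("unicode")."""
    return {"ascii": text.encode("ascii"), "utf-16le": text.encode("utf-16-le")}


# Constructed memory image: the ASCII hit straddles a 4 KiB chunk boundary.
page = bytearray(0x2000)
page[0x0FFC:0x0FFC + 10] = b"somestring"
wide = bytearray(0x1000)
wide[0x10:0x10 + 20] = "somestring".encode("utf-16-le")
proc = FakeProcess({0x400000: bytes(page), 0x500000: bytes(wide)})

if __name__ == "__main__":
    for name, pat in patterns_for("somestring").items():
        found = search_memory(proc.read, 0x400000, 0x501000, pat)
        print(name, [hex(a) for a in found])
```

Against a real process the `read` callback would wrap ReadProcessMemory, and a hex pattern such as the one asked about above is turned into a byte pattern with `bytes.fromhex(...)`.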