FaridAgl Posted February 7, 2012 Share Posted February 7, 2012 Hi folks, I have a function in AutoIt that performs what i want, here it is: Func _MemoryPatternSearch($ProcessHandle, $Pattern, $StartAddress = 0x00400000, $StopAddress = 0x00600000, $Step = 51200) If Not IsArray($ProcessHandle) Then SetError(1) Return -1 EndIf $Pattern = StringRegExpReplace($Pattern, '[^0123456789ABCDEFabcdef.]', '') If StringLen($Pattern) = 0 Then SetError(2) Return -2 EndIf Local $BufferPattern, $FormatedPattern For $i = 0 To ((StringLen($Pattern) / 2) - 1) $BufferPattern = StringLeft($Pattern, 2) $Pattern = StringRight($Pattern, StringLen($Pattern) - 2) $FormatedPattern = $FormatedPattern & $BufferPattern Next $Pattern = $FormatedPattern For $Address = $StartAddress To $StopAddress Step $Step - (StringLen($Pattern) / 2) StringRegExp(_MemoryRead($Address, $ProcessHandle, 'byte[' & $Step & ']'), $Pattern, 1, 2) If Not @error Then Return StringFormat('0x%.8X', $Address + ((@extended - StringLen($Pattern) - 2) / 2)) EndIf Next Return -3 EndFunc ;==>_MemoryPatternSearch Is there a similar function in C++? Any link? Any idea? One thing, i'm coding a Dll that will get injected to a process and patch it, all is done atm ( using memcpy ) but it's really great if i could find a MemoryPatternScanner. I found a FindPattern while googling but i can't get that to work. http://faridaghili.ir Link to comment Share on other sites More sharing options...
trancexx Posted February 7, 2012 Share Posted February 7, 2012 Uhm... Start from the beginning checking one character after another, find first character, then check second, then third, then... ♡♡♡ . eMyvnE Link to comment Share on other sites More sharing options...
FaridAgl Posted February 7, 2012 Author Share Posted February 7, 2012 It's about finding a pattern of bytes in a process memory, from address n1 to n2 ( or to the end ). For example, look at this: It's a process memory, and the memory dump is: 00612000 00 00 00 80 00 00 00 80 00612008 00 00 00 00 00 00 00 00 00612010 00 48 5C 00 00 00 00 00 00612018 2E 3F 41 56 49 53 79 73 00612020 74 65 6D 4E 6F 74 69 66 00612028 79 40 40 00 00 48 5C 00 00612030 00 00 00 00 2E 3F 41 56 00612038 49 50 61 63 6B 65 74 40 00612040 40 00 00 00 00 48 5C 00 00612048 00 00 00 00 2E 3F 41 56 Now the Pattern Scanner should give me 00612018 if i search for pattern 2E 3F 41 56 49 53 79 73. Note that in the AutoIt example i gave in the first post we was opening the process ( ProcessOpen ) and then checking byte by byte usign RPM ( ReadProcessMemory ) but in this case that i'm going to find a solution we do not need this coz we are injecting our Dll to the target process so we can access the whole process memory directly. http://faridaghili.ir Link to comment Share on other sites More sharing options...
ivica1 Posted October 23, 2012 Share Posted October 23, 2012 It's about finding a pattern of bytes in a process memory, from address n1 to n2 ( or to the end ).For example, look at this:It's a process memory, and the memory dump is:00612000 00 00 00 80 00 00 00 8000612008 00 00 00 00 00 00 00 0000612010 00 48 5C 00 00 00 00 0000612018 2E 3F 41 56 49 53 79 7300612020 74 65 6D 4E 6F 74 69 6600612028 79 40 40 00 00 48 5C 0000612030 00 00 00 00 2E 3F 41 5600612038 49 50 61 63 6B 65 74 4000612040 40 00 00 00 00 48 5C 0000612048 00 00 00 00 2E 3F 41 56Now the Pattern Scanner should give me 00612018 if i search for pattern 2E 3F 41 56 49 53 79 73.Note that in the AutoIt example i gave in the first post we was opening the process ( ProcessOpen ) and then checking byte by byte usign RPM ( ReadProcessMemory ) but in this case that i'm going to find a solution we do not need this coz we are injecting our Dll to the target process so we can access the whole process memory directly.Hello and regards to all, my knowledge is poor but I'm ready to learn ...I have just looking for something like this.What I would like to do is to create script that can find a pattern of bytes using RPM and if pattern is there than Msg. "pattern found" else something else.So in theory ....$Process = "Program.exe" ; $pattern = "3200320032003200320032" Msg. "pattern found"Func _MemoryPatternSearchIf some one can tray to help me would much appreciate..Thank you Link to comment Share on other sites More sharing options...
water Posted October 23, 2012 Share Posted October 23, 2012 Hi ivica1, welcome to AutoIt and the forum! Can you please tell us why you start with such a complex subject? What do you need it for? My UDFs and Tutorials: Spoiler UDFs:Active Directory (NEW 2022-02-19 - Version 1.6.1.0) - Download - General Help & Support - Example Scripts - WikiExcelChart (2017-07-21 - Version 0.4.0.1) - Download - General Help & Support - Example ScriptsOutlookEX (2021-11-16 - Version 1.7.0.0) - Download - General Help & Support - Example Scripts - WikiOutlookEX_GUI (2021-04-13 - Version 1.4.0.0) - DownloadOutlook Tools (2019-07-22 - Version 0.6.0.0) - Download - General Help & Support - WikiPowerPoint (2021-08-31 - Version 1.5.0.0) - Download - General Help & Support - Example Scripts - WikiTask Scheduler (NEW 2022-07-28 - Version 1.6.0.1) - Download - General Help & Support - Wiki Standard UDFs:Excel - Example Scripts - WikiWord - Wiki Tutorials:ADO - WikiWebDriver - Wiki Link to comment Share on other sites More sharing options...
ivica1 Posted October 23, 2012 Share Posted October 23, 2012 (edited) O hello , nice to receive so quick response, Question why, actually there is no special reason maybe the big of all is it I'm curios. And as we now curiosity is what make as to go one. So the best answer would be can this be done. What for can I use it. I would like to see for example if some data on running excel file exist. Thank you for now Just seen you are from Austria so close greetings from Kroatien. Edited October 23, 2012 by ivica1 Link to comment Share on other sites More sharing options...
water Posted October 23, 2012 Share Posted October 23, 2012 Hi ivica, I suspected you are from Croatia. I have heard this name quite often because my ex-girlfriend is from Croatia. Playing with memory makes us suspicious because it's often used for game automation. I'm sure you have read the forum rules and hence know that game automation is a no go on this forum. For Excel automation I would try the builtin Excel UDF (User Defined Functions). My UDFs and Tutorials: Spoiler UDFs:Active Directory (NEW 2022-02-19 - Version 1.6.1.0) - Download - General Help & Support - Example Scripts - WikiExcelChart (2017-07-21 - Version 0.4.0.1) - Download - General Help & Support - Example ScriptsOutlookEX (2021-11-16 - Version 1.7.0.0) - Download - General Help & Support - Example Scripts - WikiOutlookEX_GUI (2021-04-13 - Version 1.4.0.0) - DownloadOutlook Tools (2019-07-22 - Version 0.6.0.0) - Download - General Help & Support - WikiPowerPoint (2021-08-31 - Version 1.5.0.0) - Download - General Help & Support - Example Scripts - WikiTask Scheduler (NEW 2022-07-28 - Version 1.6.0.1) - Download - General Help & Support - Wiki Standard UDFs:Excel - Example Scripts - WikiWord - Wiki Tutorials:ADO - WikiWebDriver - Wiki Link to comment Share on other sites More sharing options...
ivica1 Posted October 23, 2012 Share Posted October 23, 2012 thx, I'm not sure that in Excel UDF is what I'm searching for but thanx for advice. Will look in it.In mean time if some one can work on my request many thx. About game automatation...last game I have played has been bobble bubble c64 ...I'm little old for that but you never now.So question still stands _MemoryPatternSearch. Or maybe knowledge is hidden in time and patience. Link to comment Share on other sites More sharing options...
FaridAgl Posted October 23, 2012 Author Share Posted October 23, 2012 (edited) Playing with memory makes us suspicious because it's often used for game automation. You have no idea about other usages then. @ivica1: Do you want the Function for AutoIt? Or C++? For AutoIt, here you go: expandcollapse popup#include Global Const $tagSYSTEM_INFO = 'WORD wProcessorArchitecture;' & _ 'WORD wReserved;' & _ 'DWORD dwPageSize;' & _ 'ptr lpMinimumApplicationAddress;' & _ 'ptr lpMaximumApplicationAddress;' & _ 'DWORD_PTR dwActiveProcessorMask;' & _ 'DWORD dwNumberOfProcessors;' & _ 'DWORD dwProcessorType;' & _ 'DWORD dwAllocationGranularity;' & _ 'WORD wProcessorLevel;' & _ 'WORD wProcessorRevision' Func ProcessFindPattern(Const $hProcess, $sPattern, $dwBaseAddress = -1, $dwSize = -1) $sPattern = StringStripWS($sPattern, 8) Local Const $tSYSTEM_INFO = DllStructCreate($tagSYSTEM_INFO) GetSystemInfo(DllStructGetPtr($tSYSTEM_INFO)) If ($dwBaseAddress == -1) Then $dwBaseAddress = DllStructGetData($tSYSTEM_INFO, 4) If ($dwSize == -1) Then $dwSize = DllStructGetData($tSYSTEM_INFO, 5) For $dwAddress = $dwBaseAddress To $dwSize Step DllStructGetData($tSYSTEM_INFO, 3) StringRegExp(ProcessReadMemory($hProcess, $dwAddress, 'BYTE[' & DllStructGetData($tSYSTEM_INFO, 3) & ']'), $sPattern, 1, 2) If (Not @error) Then Return SetError(0, 0, StringFormat('0x%.8X', $dwAddress + ((@extended - StringLen($sPattern) - 2) / 2))) Next Return SetError(1, 0, 0) EndFunc Func GetSystemInfo(Const $lpSystemInfo) DllCall('Kernel32.dll', 'none', 'GetSystemInfo', _ 'ptr', $lpSystemInfo) EndFunc Func ProcessReadMemory(Const $hProcess, Const $dwBaseAddress, Const $sType) Local Const $tagBuffer = DllStructCreate($sType) Local $iNumberOfBytesRead = 0 If (_WinAPI_ReadProcessMemory($hProcess, $dwBaseAddress, DllStructGetPtr($tagBuffer, 1), DllStructGetSize($tagBuffer), $iNumberOfBytesRead)) Then Return SetError(0, $iNumberOfBytesRead, DllStructGetData($tagBuffer, 1)) Else Return SetError(1, 0, 0) EndIf EndFunc Let me know if you had any difficulties using ProcessFindPattern. For C++, let me know if you want, I will reply here. Edited October 23, 2012 by D4RKON3 http://faridaghili.ir Link to comment Share on other sites More sharing options...
water Posted October 23, 2012 Share Posted October 23, 2012 You have no idea about other usages then.I asked because the OP didn't mention it in his post. My UDFs and Tutorials: Spoiler UDFs:Active Directory (NEW 2022-02-19 - Version 1.6.1.0) - Download - General Help & Support - Example Scripts - WikiExcelChart (2017-07-21 - Version 0.4.0.1) - Download - General Help & Support - Example ScriptsOutlookEX (2021-11-16 - Version 1.7.0.0) - Download - General Help & Support - Example Scripts - WikiOutlookEX_GUI (2021-04-13 - Version 1.4.0.0) - DownloadOutlook Tools (2019-07-22 - Version 0.6.0.0) - Download - General Help & Support - WikiPowerPoint (2021-08-31 - Version 1.5.0.0) - Download - General Help & Support - Example Scripts - WikiTask Scheduler (NEW 2022-07-28 - Version 1.6.0.1) - Download - General Help & Support - Wiki Standard UDFs:Excel - Example Scripts - WikiWord - Wiki Tutorials:ADO - WikiWebDriver - Wiki Link to comment Share on other sites More sharing options...
BrewManNH Posted October 23, 2012 Share Posted October 23, 2012 I'm guessing D4RKON3 doesn't understand the concept of "often used for". If I posted any code, assume that code was written using the latest release version unless stated otherwise. Also, if it doesn't work on XP I can't help with that because I don't have access to XP, and I'm not going to.Give a programmer the correct code and he can do his work for a day. Teach a programmer to debug and he can do his work for a lifetime - by Chirag GudeHow to ask questions the smart way! I hereby grant any person the right to use any code I post, that I am the original author of, on the autoitscript.com forums, unless I've specifically stated otherwise in the code or the thread post. If you do use my code all I ask, as a courtesy, is to make note of where you got it from. Back up and restore Windows user files _Array.au3 - Modified array functions that include support for 2D arrays. - ColorChooser - An add-on for SciTE that pops up a color dialog so you can select and paste a color code into a script. - Customizable Splashscreen GUI w/Progress Bar - Create a custom "splash screen" GUI with a progress bar and custom label. - _FileGetProperty - Retrieve the properties of a file - SciTE Toolbar - A toolbar demo for use with the SciTE editor - GUIRegisterMsg demo - Demo script to show how to use the Windows messages to interact with controls and your GUI. - Latin Square password generator Link to comment Share on other sites More sharing options...
water Posted October 23, 2012 Share Posted October 23, 2012 My UDFs and Tutorials: Spoiler UDFs:Active Directory (NEW 2022-02-19 - Version 1.6.1.0) - Download - General Help & Support - Example Scripts - WikiExcelChart (2017-07-21 - Version 0.4.0.1) - Download - General Help & Support - Example ScriptsOutlookEX (2021-11-16 - Version 1.7.0.0) - Download - General Help & Support - Example Scripts - WikiOutlookEX_GUI (2021-04-13 - Version 1.4.0.0) - DownloadOutlook Tools (2019-07-22 - Version 0.6.0.0) - Download - General Help & Support - WikiPowerPoint (2021-08-31 - Version 1.5.0.0) - Download - General Help & Support - Example Scripts - WikiTask Scheduler (NEW 2022-07-28 - Version 1.6.0.1) - Download - General Help & Support - Wiki Standard UDFs:Excel - Example Scripts - WikiWord - Wiki Tutorials:ADO - WikiWebDriver - Wiki Link to comment Share on other sites More sharing options...
ivica1 Posted October 24, 2012 Share Posted October 24, 2012 Thank you D4RKON3... quick as a flash. Yes I need func for autoit...this relay looks nice the only problem am I. My knowledge is like on a kindergarten kid (shame on me for my years) but what can I do, I understand the concept of your function but don't now how to apply on a sample. Can I ask you to make a sample if you have time for it. Thank you Link to comment Share on other sites More sharing options...
FaridAgl Posted October 24, 2012 Author Share Posted October 24, 2012 Here you go: http://faridaghili.ir Link to comment Share on other sites More sharing options...
ivica1 Posted October 24, 2012 Share Posted October 24, 2012 Wow great , thank you so much ..I throw myself on the job. Going to study it. Thank you again great func Link to comment Share on other sites More sharing options...
fucs Posted July 27, 2014 Share Posted July 27, 2014 (edited) hi Universalist , i need a program that will use the above function (your function in au), let me know how can i contact you , i have alredy added your ym id , but dont know if it is stell active . My ym id is eupedoi -at- yahoo -dot- com pls add me thx Edited July 27, 2014 by Jos changed Email to avoid spamming. Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now