jchilds
Posted December 2, 2016

    #RequireAdmin
    #include <NomadMemory.au3>
    #include <Array.au3>
    ;
    Local $s_pname = 'Memory_String_Search'
    Local $s_start = 0x0473A528
    Local $s_end = 0x0473B548
    $n_pid = ProcessExists(InputBox('Give process name, 32-bit exes only!', 'Example : calc.exe', "", "", 200, 120))
    If $n_pid < 1 Then Exit MsgBox(16, $s_pname, 'Process not found !')
    $f_mopen = _MemoryOpen($n_pid)
    If @error > 0 Then Exit MsgBox(16, $s_pname, 'Process could not be opened !')
    $s_search = InputBox('Give search string', 'Example : Something', "", "", 200, 120)
    ConsoleWrite('>Searching...' & @CRLF)
    For $i_search = $s_start To $s_end
        ConsoleWrite(Hex($i_search) & @CRLF) ;I've commented out the consolewrite because it keeps writing after exit
        If _MemoryRead('0x' & Hex($i_search), $f_mopen, 'char[' & StringLen($s_search) +1 & ']') = $s_search Then
            MsgBox (4096, $s_pname, 'String found')
        EndIf
    Next
    MsgBox(16, $s_pname, 'String not found !')

Trying to just do a simple search in memory for a string. It seems to work, but the problem is there are null characters in the memory. For example here (41 00 63 00 74 00 69 00 76 00 65) is an array that I would try and search for "Active" for, but I am guessing I am unable to find due to there being 00 in between each character.

Thanks for any and all help!

AndyG
Posted December 3, 2016

Reinventing the wheel? Why not use the 1000 times faster StringInStr(), which can handle the search no matter the UTF encoding...

19 hours ago, jchilds said:
> but I am guessing I am unable to find due to there being 00 in between each character.

Search the helpfile for "StringToBinary"

    $a = "Active"
    For $i = 1 To 4
        $bin = StringToBinary($a, $i)
        ConsoleWrite('@@ Debug(' & @ScriptLineNumber & ') : $bin = ' & $bin & @CRLF & '>Error code: ' & @error & @CRLF) ;### Debug Console
    Next

j0kky
Posted December 3, 2016

@AndyG: He's trying to read a memory address from another process, how could StringToBinary help?

@jchilds: why is $s_start exactly equal to 0x0473A528? How do you know that value?

Some UDFs I created: Winsock UDF, STUN UDF, WinApi_GetAdaptersAddresses, _WinApi_GetLogicalProcessorInformation, Bitwise with 64 bit integers, An useful collection of zipping file UDFs

Bert
Posted December 4, 2016

Here is a better question - what process is he trying to read the memory from? The exe name please. And no, not an example but the real exe you want to read from. I'm asking this because in just about every case you do not need to do memory reading and can instead hook into the control.

So - what's the name of the exe?

The Vollatran project
My blog: http://www.vollysinterestingshit.com/

AndyG
Posted December 4, 2016 (edited)

16 hours ago, j0kky said:
> He's trying to read a memory address from another process, how could StringToBinary help?

No, he does NOT want to read a memory address, he is trying to search for a string in memory... and he is looking for the "right" binary similar to the word "Active", which is 0x416374697665 in ANSI, but he needs to "transform" this into 0x410063007400690076006500 (via StringToBinary) to find this string in the memory.

And furthermore, StringInStr() is much faster than this piece of **** code:

    For $i_search = $s_start To $s_end
        ConsoleWrite(Hex($i_search) & @CRLF) ;I've commented out the consolewrite because it keeps writing after exit
        If _MemoryRead('0x' & Hex($i_search), $f_mopen, 'char[' & StringLen($s_search) +1 & ']') = $s_search Then
            MsgBox (4096, $s_pname, 'String found')
        EndIf
    Next

I don't think that slower code exists... convince me!

And believe me, even the included UDFs are not needed... Why not copy the memory into a string and search FAST and EASY? He has the pointer to the memory, could create a bytestruct with the length = end-start, and can easily search with stringinstr(data_from_bytestruct,stringtobinary("Active",the_right_flag_from_my_code_in_the_post_above))....

And yes, knowing a little bit about the VAD (the process's virtual address descriptor) tree would be helpful too! But I think this is far beyond his skills....

Edited December 4, 2016 by AndyG
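
An added example, not part of any post in this thread: a Python sketch of the search AndyG describes (copy the region once, then look for the needle in each encoding), run over a constructed byte buffer instead of a live process. The base address and the UTF-16LE bytes are taken from the thread; the buffer layout, the function names and the use of cp1252 for "ANSI" are assumptions.

```python
# Text encodings to try, in the order of the StringToBinary flags 1-4
# mentioned in the thread (cp1252 standing in for "ANSI" is an assumption).
ENCODINGS = {
    "ANSI": "cp1252",
    "UTF-16LE": "utf-16-le",
    "UTF-16BE": "utf-16-be",
    "UTF-8": "utf-8",
}

def encode_variants(text):
    """Map each distinct byte pattern for `text` to the encodings producing it."""
    variants = {}
    for name, codec in ENCODINGS.items():
        try:
            needle = text.encode(codec)
        except UnicodeEncodeError:
            continue  # text cannot be represented in this encoding
        variants.setdefault(needle, []).append(name)
    return variants

def find_string(buf, text, base=0):
    """Return sorted (address, encoding) hits for `text` anywhere in `buf`."""
    hits = []
    for needle, names in encode_variants(text).items():
        pos = buf.find(needle)
        while pos != -1:
            hits.append((base + pos, "/".join(names)))
            pos = buf.find(needle, pos + 1)  # keep going: report every hit
    return sorted(hits)

# Constructed sample region: filler, "Active" as UTF-16LE (the bytes quoted
# in the thread), two NULs, filler, then the same word as single-byte text.
BASE = 0x0473A528  # start address used in the original post
SAMPLE = (
    b"\xcc" * 16
    + bytes.fromhex("410063007400690076006500")
    + b"\x00\x00"
    + b"pad"
    + b"Active\x00"
    + b"\xcc" * 4
)

if __name__ == "__main__":
    for addr, enc in find_string(SAMPLE, "Active", BASE):
        print(f"0x{addr:08X}  {enc}")
```

A byte-for-byte comparison against the single-byte form alone only reports the second occurrence; the wide-character copy is found only once the needle is encoded as UTF-16LE.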

Bert
Posted December 4, 2016

You're missing it - I know he is reading memory. I want to know the name of the EXE he is working with.