How to search for Array of Bytes

[bobsyuruncle]

So we use a tool here that monitors phone statistics, but in short.... it sucks.

I want to build a client side tool that monitors the state this app is in and times how long each state is engaged.

Now the timer and all that I'm sure I can figure out on my own with the help file and the many other good posts on the forum. It's the memory search I'm stuck at and asking for help.

I have found an address in memory of this app that holds a value I can use to track these stats, however this value's address changes on every launch of the application.

I checked through _WinAPI_ReadProcessMemory but it needs the address of the value I'm looking for.

What I do have that I know never changes is a string of bytes

8A 00 00 00 98 00 00 00 9B

This string is the same on every launch of the application, even though its location changes.

How can I find this string of bytes to get the address so I can use _WinAPI_ReadProcessMemory to get the value I need for my app?

[SmOke_N]

I posted this in the general section, but I realize it may be more of an advanced .dll type of support question, s I'm posting it here instead. I apologize for duplicates.

So we use a tool here that monitors phone statistics, but in short.... it sucks.

I want to build a client side tool that monitors the state this app is in and times how long each state is engaged.

Now the timer and all that I'm sure I can figure out on my own with the help file and the many other good posts on the forum. It's the memory search I'm stuck at and asking for help.

I have found an address in memory of this app that holds a value I can use to track these stats, however this value's address changes on every launch of the application.

I checked through _WinAPI_ReadProcessMemory but it needs the address of the value I'm looking for.

What I do have that I know never changes is a string of bytes

8A 00 00 00 98 00 00 00 9B

This string is the same on every launch of the application, even though its location changes.

How can I find this string of bytes to get the address so I can use _WinAPI_ReadProcessMemory to get the value I need for my app?

The ActiveX/COM forum is for the ActiveX.dll (Use of autoit with other langagues).

Moving back to your other thread.

[SmOke_N]

last bump!

I really hope somebody knows this one.

I know nothing about the memory functions, although they seem to be fairly strong.

What I do know is that it's hard to help you with 0 information. You posted information on something that "doesn't" change... personally I'd be looking for something that does .

Try a memory editor online to see if you can find specific values, then it should have the address of those values.

Again... I'm more of a "noob" at these functions than you are (Because I've never even tried them), but that's where I would start.

[bobsyuruncle]

I know nothing about the memory functions, although they seem to be fairly strong.

What I do know is that it's hard to help you with 0 information. You posted information on something that "doesn't" change... personally I'd be looking for something that does .

Try a memory editor online to see if you can find specific values, then it should have the address of those values.

Again... I'm more of a "noob" at these functions than you are (Because I've never even tried them), but that's where I would start.

okie dokie... so lets call the software "itsucks.exe"

If I do a mem search on the software using a mem search utility such as 'cheatengine.exe' I can find the value I want.

When I am logged into the phone on "itsucks.exe" that value would be a 4 byte value of '152' and the address of that value is 0x01F19160.

if I take that address and look it up in RAW memory, that area of bytes would look like: 8A 00 00 00 99 00 00 00 99

Now here's the puzzle... if I exit "itsucks.exe" and relaunch it, my special value of '152' has moved to another address...

Lets say the NEW address is now 0x04B1139C = '152'

I think this is called Dynamic Memory Allocation. It means this program assigns memory 'Dynamically' instead of 'Static' so the location can change.

I can't just search for a 4 byte value of '152' because there are hundreds, HOWEVER there is only ONE spot in memory that has the byte array mentioned before that looks like 8A 00 00 00 99 00 00 00 99.

If I could do a search for those bytes in the program memory from autoit, I could use that location to plug in the address of '152'.

Extra Info: 152 converted to array of bytes = 99 00 00 00 99

8A 00 00 00 is like a place marker.. it doesn't affect the value of 152 and it never changes in the program. The reason why I add it to the array of bytes is because there is only ONE place in the entire "itsucks.exe" that this array or string of bytes exists.

So in short. what 'changes' is the address for my value. Hope this helps explain my delima further because after two or three days now of searching i'm in desperate need of advice.

Edited March 21, 2008 by bobsyuruncle

[Siao]

Have you tried this? http://www.autoitscript.com/forum/index.php?showtopic=66210

[bobsyuruncle]

Have you tried this? http://www.autoitscript.com/forum/index.php?showtopic=66210

Actually I have, but there is one line of it that screws me up and perhaps it is simply because I didn't know how to work around it.

In their code they have an if statement that narrows their search down because they know exactly what area of memory contains their value.

If $mbi[4] = 4096 And $mbi[5] = 4 And $mbi[6] = 16777216 Then ;a.k.a MEM_COMMIT + PAGE_READWRITE + MEM_IMAGE

Maybe somebody could explain to me how to set that if statement for mbi to a new program?

Simply taking it out hangs the script indefinately, so apparently I need to narrow it down somewhat.

Edited March 21, 2008 by bobsyuruncle

[Siao]

Change that line to

If $mbi[4] = 4096 Then

This will search in all commited page blocks.

Edited March 21, 2008 by Siao

[bobsyuruncle]

Change that line to

If $mbi[4] = 4096 Then

This will search in all commited page blocks.

Awesome! I definately think this is the right direction!

problem now is still that there are too many results for autoit to handle.. AutoIT: Error allocating memory

The reason for this error I think is that there are currently 2,465 addresses that contain the number '152' in 'itsucks.exe' however if I can sieve those results down by one more search for a different value, I know there will be only 1 result.

Somehow I guess I need to limit my first search in memory somehow in order for autoit to be able to handle the number of results returned....

Now I may have a couple other bits of info that I might be able to use to narrow the search more, but I wouldn't know how to implement them. Memory viewer on the cheatengine for the current values address reports this:

AllocationProtect=Read/Write

AllocationBase=045B0000 <-- this does appear to be the same on each launch

RegionSize=1B000 <--- This number changes on each launch, so I don't think this one can be useful

Edited March 21, 2008 by bobsyuruncle