Sign in to follow this  
Followers 0
H5O2OH

[Q]Searching bytes in memory,possible?

11 posts in this topic

#1 ·  Posted (edited)

Hello,

I was curious if I can do my future school presentation using AutoIt3.I must Search for specified bytes in a specified process ,get the offset and replace the bytes.

I haven't expirienced myself much in AutoIt,so that's why i'm here asking for help.

I guess i would need _MEMORYOPEN and _MEMORYWRITE functions,but really i'm not really that good in AutoIt.

An example would be really nice

Greetz,

H5O2OH

Edited by H5O2OH

Share this post


Link to post
Share on other sites



Several ways to do it.

_WinAPI_ReadProcessMemory($hProcess, $pBaseAddress, $pBuffer, $iSize, ByRef $iRead)

And

_WinAPI_WriteProcessMemory($hProcess, $pBaseAddress, $pBuffer, $iSize, ByRef $iWritten[, $sBuffer = "ptr"])

Can also use the NormadMemory UDF (Search for it)

I'm sure there are several other ways


Share this post


Link to post
Share on other sites

Process is ABCD(for example)

Offset is 0073F52E,but we do not know the offset,it's unknown at first place.

What I do know is the bytes at 0073F52C(previous line),0073F52Е(our offset) and 0073F534(next offset).

The bytes are 84 c0(previous offset), 0f 85 9e 00 84 c0(our offset) and 68(next offset)

I do need to patch the bytes at our offset(0F 85 9E 00 84 C0 -> C0 84 00 9E 85 0F for example).

The problem is that i do not know the offset,so i do need to find the offset by searching the bytes of these three offsets and patch one of them.

As i mentioned,my AutoIt knowledge is not really good,so an example would be nice,you just gave me the function header.

I will be really thankful if you help me do my presentation.

Thank you in advance,

H5O2OH

Share this post


Link to post
Share on other sites

Bring Up My Post,please help me figure this out!

Share this post


Link to post
Share on other sites

;==================================================================================
; Function:         _MemoryRead($iv_Address, $ah_Handle[, $sv_Type])
; Description:      Reads the value located in the memory address specified.
; Parameter(s):     $iv_Address - The memory address you want to read from. It must
;                                 be in hex format (0x00000000).
;                   $ah_Handle - An array containing the Dll handle and the handle
;                                of the open process as returned by _MemoryOpen().
;                   $sv_Type - (optional) The "Type" of value you intend to read.
;                               This is set to 'dword'(32bit(4byte) signed integer)
;                               by default.  See the help file for DllStructCreate
;                               for all types.  An example: If you want to read a
;                               word that is 15 characters in length, you would use
;                               'char[16]' since a 'char' is 8 bits (1 byte) in size.
; Return Value(s):  On Success - Returns the value located at the specified address.
;                   On Failure - Returns 0
;                   @Error - 0 = No error.
;                            1 = Invalid $ah_Handle.
;                            2 = $sv_Type was not a string.
;                            3 = $sv_Type is an unknown data type.
;                            4 = Failed to allocate the memory needed for the DllStructure.
;                            5 = Error allocating memory for $sv_Type.
;                            6 = Failed to read from the specified process.
; Author(s):        Nomad
; Note(s):          Values returned are in Decimal format, unless specified as a
;                   'char' type, then they are returned in ASCII format.  Also note
;                   that size ('char[size]') for all 'char' types should be 1
;                   greater than the actual size.
;==================================================================================

The description says stright i need to type in a specified address.

I couldn't find any WoW devolopment topic,please link me up.

Share this post


Link to post
Share on other sites

;==================================================================================
; Function:         _MemoryRead($iv_Address, $ah_Handle[, $sv_Type])
; Description:      Reads the value located in the memory address specified.
; Parameter(s):     $iv_Address - The memory address you want to read from. It must
;                                 be in hex format (0x00000000).
;                   $ah_Handle - An array containing the Dll handle and the handle
;                                of the open process as returned by _MemoryOpen().
;                   $sv_Type - (optional) The "Type" of value you intend to read.
;                               This is set to 'dword'(32bit(4byte) signed integer)
;                               by default.  See the help file for DllStructCreate
;                               for all types.  An example: If you want to read a
;                               word that is 15 characters in length, you would use
;                               'char[16]' since a 'char' is 8 bits (1 byte) in size.
; Return Value(s):  On Success - Returns the value located at the specified address.
;                   On Failure - Returns 0
;                   @Error - 0 = No error.
;                            1 = Invalid $ah_Handle.
;                            2 = $sv_Type was not a string.
;                            3 = $sv_Type is an unknown data type.
;                            4 = Failed to allocate the memory needed for the DllStructure.
;                            5 = Error allocating memory for $sv_Type.
;                            6 = Failed to read from the specified process.
; Author(s):        Nomad
; Note(s):          Values returned are in Decimal format, unless specified as a
;                   'char' type, then they are returned in ASCII format.  Also note
;                   that size ('char[size]') for all 'char' types should be 1
;                   greater than the actual size.
;==================================================================================

The description says stright i need to type in a specified address.

I couldn't find any WoW devolopment topic,please link me up.

If you don't know what memory address your looking for.. download TSearch or Cheat Engine.. i can't really help you any further.

Share this post


Link to post
Share on other sites

#8 ·  Posted (edited)

If you don't know what memory address your looking for.. download TSearch or Cheat Engine.. i can't really help you any further.

I do know the address of the current project,but i don't know what the address would be in any future release.However i know the bytes I want to patch ,that will be the same in the next release for example,so I want the script to search for specified bytes and replace them.Is it so hard to do?

Please help me out!

Edited by H5O2OH

Share this post


Link to post
Share on other sites

Not helping,all i found was scripts using NomadMemory.au3 with 0xffsets included.

Share this post


Link to post
Share on other sites

There are currently no AutoIt UDF for that. However, if you don't mind doing it in C++, take a look at CFindPattern. You specify your pattern with bytes and you can do a memcpy + memset on the specified block of memory pointed.

However, this is done via injection.

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now
Sign in to follow this  
Followers 0