Sign in to follow this  
Followers 0
WarheadsOnForeheads

Searching memory for values (non-static addressing)

2 posts in this topic

Hey guys, got something here I wanted to get some more brains looking at to see if I'm missing something.

Basically, I have this program that I'm trying to get a few values from. The controls aren't standard windows controls so I have to attemp a memory scrape. Thats where the difficulty is. The address changes randomly. And to top it off, on different computers the addressing seems very different.

Example of addresses used:

Windows Server 2003 64-bit (my PC)

022ED954

022ED788

022ED760

On XP Pro 64-bit

01EF40B0

On XP Pro 32-bit

0133DAAC

The address does seem to linger around the same "area" on each computer. But, each computer has a different "area". What I need is a way to better predict the area to be used by the computer, or develop a faster memory search. Does anybody have any suggestions or ideas?

My current search code (works but slow):

Func SearchMemory($sSearchValue, $sType, $hLow, $hHi, $iRange, ByRef $iMaxRecursions)
    O("Expanding Search from " & Hex($hLow) & " to " & Hex($hHi) & " by " & $iRange & ".")
    For $h=($hLow-$iRange) To $hLow Step 0x00000001
        If $h <= 0x00400000 Then
            ExitLoop
        ElseIf $sSearchValue=_MemoryRead($h, $dll, $sType) Then
            O("Located. " & Hex($h) & " = " & $sSearchValue)
            Return $h
            ExitLoop
        EndIf
    Next
    For $h=$hHi To ($hHi+$iRange) Step 0x00000001
        If $h >= 0x7FFFFFFF Then
            ExitLoop
        ElseIf $sSearchValue=_MemoryRead($h, $dll, $sType) Then
            O("Located. " & Hex($h) & " = " & $sSearchValue)
            Return $h
            ExitLoop
        EndIf
    Next
    $iMaxRecursions -= 1
    If 0 = $iMaxRecursions Then
        O("Giving up search. Recursion limit reached.")
        Return 0
    Else
        Return SearchMemory($sSearchValue, $sType, ($hLow-$iRange), ($hHi+$iRange), $iRange, $iMaxRecursions)
    EndIf
EndFunc

Some notes about the code; a typical call to the search routine looks like this:

Local $h=0x022EC5D8
Local $sSrch = "CISCO-7960"
Local $iRec = 10
SearchMemory($sSrch, 'char[10]', $h, $h, 10000, $iRec)

All help appreciated!

Share this post


Link to post
Share on other sites



Improved performance some what through an alogrithm change. Now, I only try to match letter for letter and advance with a match. This makes the comparisons smaller and always advances the part of the memory be 'searched' so that multiple reads of the same parts of memory are not required.

The downside is that its not really 'area' friendly searching. Like previous alogrithm (starting from one point and expanding outwards from there).

Still SLOW however. In comparison, "Cheat Engine 5.4" screams through memory scans way faster than this does. Has anybody automated memory scans through the cheat engine instead of NomadMemory?

Func SearchTxtLoop($sSrchVal, ByRef $aFndVals)
; start from one address and loop around back to it. also, search only for exact character match by character match.
    O(@MIN & ":" & @SEC)
;0x022ED788
    Dim $hStart = 0x022E0000;0x01300000
    Dim $hEnd = 0x022EF000;0x04000000
    $aFndVals[0] = $hStart
    For $h=$hStart To $hEnd Step 0x00000001
        GUICtrlSetData($iLoggerEdit,Hex($h) & @CRLF,"")
        If 1=SearchTxtMemory($sSrchVal, $h) Then
            Dim $hTmp = $h-StringLen($sSrchVal)+1
            _ArrayAdd($aFndVals, $hTmp)
        EndIf
    Next
    O(@MIN & ":" & @SEC)
EndFunc

Func SearchTxtMemory($sSrchVal, ByRef $hAdrs)
    Dim $sChar = StringLeft($sSrchVal, 1)
    If $sChar = _MemoryRead($hAdrs, $dll, 'char[1]') Then
    ; Match, continue if needed.
        If 1=StringLen($sSrchVal) Then
        ; Full match.
            Return 1
        Else
        ; Part match so far, continue with recursion.
            $hAdrs += 0x00000001
            Return SearchTxtMemory(StringRight($sSrchVal, StringLen($sSrchVal)-1), $hAdrs)
        EndIf
    Else
    ; No match.
        Return 0
    EndIf
EndFunc

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now
Sign in to follow this  
Followers 0