panraven (Grandmaster Cheater, Reputation: 55, Joined: 01 Oct 2008, Posts: 942)
Posted: Fri Nov 24, 2017 8:34 pm    Post subject: Progressive AobScan(Ex)
Execution of an AA script follows several separate steps; the one relevant to this topic is the step where CE does the AobScan.
AobScan commands (aobscan, aobscanModule, aobscanRegion) generate defined symbols, but a defined symbol can only be used after the AobScan step, so a defined symbol generated by one aobscan cannot normally be used by another aobscan.
There is another step that parses custom AA commands (registerAutoAssemblerCommand); this happens after the AobScan step above and can use defined symbols as input (note: this step cannot use local label symbols, including the Alloc command symbol).
By moving the standard aobscan command into a custom AA command, it is possible to do a progressive aobscan whose parameters use a previous scan result. That behaviour is best for the AobScanRegion command.
The attached script provides such a command, AobScanEx.
Format:
```
AobScanEx(symbolName [:ScanType], original_AobScan_parameters)
default ScanType is 'Region'
eg.
AobScanEx(sym , addrStart, addrEndExclusive, aob pattern) ->
AobScanRegion(sym, addrStart, addrEndExclusive, aob pattern )
AobScanEx(sym: , aob pattern) ->
AobScan(sym, aob pattern )
AobScanEx(sym: Module , moduleName, aob pattern) ->
AobScanModule(sym, moduleName, aob pattern)
AobScanEx(sym:Region , addrStart, addrEndExclusive, aob pattern) ->
AobScanRegion(sym, addrStart, addrEndExclusive, aob pattern )
```
To install, put the *.lua in the autorun directory.
To include it in a *.ct, paste the script content into an AA script that is supposed to run once, wrapped in {$lua}...{$asm} tags.
bye~
Updated 2018-3-3:
Added some support functions:
AA custom command calc(symbol, <$>expression)
  evaluates an expression; prefix '$' to evaluate a Lua expression.
  Returns a 'define(symbol,value)' line;
  if the result value from the Lua expression is an integer, it is converted to hex form.
s2aob(s)
  Lua function to convert a string to an aob.
n2aob(n, fms, bigend)
  Lua function to convert a number to an aob: 1-8 byte integer (fms=1-8), float (fms='f'), double (fms='d'); big-endian or not (bigend is not false or nil).
Example:
To scan for a static string, then scan for the code that references this string, like this (32-bit process only; 64-bit references use RIP, which is hard to identify by aob).
Sample process: Tutorial-i386.exe, referenced string: "languages"
```
globalalloc(RESULT,64)
[ENABLE]
calc(sStr,$s2aob"languages") /// double quotes to prevent symbol expansion
/// convert a string to an aob for that string; that aob can be used in an aobscan command
/// address of ^str
aobscanEx(addrStr:Module, $process, sStr 00) // aobscanmodule
/// AA aobscan only scans for the 1st result; in actual running with multiple results, this scan may not hit the one used by the code reference.
/// convert address of ^str to an aob
calc(aobStr, $n2aob('addrStr',4)) /// type size 4 is the default,
// single quotes to allow symbol expansion, used to transfer a defined symbol to the lua function
/// 1st reference of addrStr in code
aobscanEx(ref_1:Module, $process, b8 aobStr) // aobscanmodule
/// 2nd reference of addrStr in code, etc.
aobscanEx(ref_2, ref_1+1, ref_1+1000000, b8 aobStr) // aobscanRegion
aobscanEx(ref_3, ref_2+1, ref_2+1000000, b8 aobStr) // aobscanRegion
aobscanEx(ref_4, ref_3+1, ref_3+1000000, b8 aobStr) // aobscanRegion
Result:
dq addrStr
dq ref_1, ref_2, ref_3, ref_4
db sStr
db aobStr
[DISABLE]
```
Attachments:
progressiive_aobscanex.lua (2.8 KB, downloaded 910 times) - updated 2018-3-3, add some support function
progressiive_aobscanex.lua (1.2 KB, downloaded 971 times)
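The s2aob/n2aob conversions described in the post, as an added standalone Lua 5.3 example (not the attached script) so the patterns can be checked outside CE; it assumes n2aob receives a number rather than a symbol name, and the address 0x00401234 is a constructed sample value.

```lua
-- Added example, Lua 5.3 (the version CE embeds); not the attached script.
-- Unlike the attached n2aob, this takes a number, not a symbol name, since
-- there is no AA symbol table outside CE.

-- Turn a byte string into a CE-style aob: space-separated upper-case hex.
local function bytes2aob(bytes)
  local hex = {}
  for i = 1, #bytes do
    hex[#hex + 1] = string.format('%02X', bytes:byte(i))
  end
  return table.concat(hex, ' ')
end

-- s2aob: the raw bytes of a string, usable as an aobscan pattern.
local function s2aob(s)
  return bytes2aob(s)
end

-- n2aob: the in-memory bytes of a number.
-- fms: integer width in bytes 1..8 (default 4), 'f' for float, 'd' for double.
-- bigend: true for big-endian; false/nil gives little-endian, which is what
-- an x86 immediate such as "b8 <imm32>" (mov eax, imm32) holds.
local function n2aob(n, fms, bigend)
  fms = fms or 4
  local order = bigend and '>' or '<'
  if fms == 'f' or fms == 'd' then
    return bytes2aob(string.pack(order .. fms, n))
  end
  assert(math.type(n) == 'integer' and math.type(fms) == 'integer'
         and fms >= 1 and fms <= 8, 'n2aob: bad arguments')
  if fms < 8 then
    -- mask so negative values and addresses with the top bit set both pack
    n = n & ((1 << (8 * fms)) - 1)
  end
  return bytes2aob(string.pack(order .. 'I' .. fms, n))
end

-- Self-checks mirroring the post: the string pattern, then the address
-- pattern for a constructed 32-bit address 0x00401234.
assert(s2aob('languages') == '6C 61 6E 67 75 61 67 65 73')
assert(n2aob(0x00401234, 4) == '34 12 40 00')
assert(n2aob(0x00401234, 4, true) == '00 40 12 34')
assert(n2aob(-1, 2) == 'FF FF')
assert(n2aob(1.0, 'f') == '00 00 80 3F')
-- the code-reference pattern the post scans for: b8 followed by the address
print('b8 ' .. n2aob(0x00401234))
```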