iPromise (Grandmaster Cheater)
Reputation: -1
Joined: 27 Jun 2009 Posts: 529 Location: Canada
Posted: Fri May 07, 2010 9:38 pm Post subject: Scanning for Byte Signatures
Hey CEF Community,
The title says it all, how would I go about scanning for byte signatures with my own hard-coded function (not a header to use) so I can understand what's happening when I search for a byte signature?
What are the methods, or Windows API, I should use?
Thanks,
- iPromise

Flyte (Peanuts!!!!)
Reputation: 6
Joined: 19 Apr 2006 Posts: 1887 Location: Canada
Posted: Fri May 07, 2010 9:43 pm
I hear 'for' loops and 'if' statements are pretty cool.

Slugsnack (Grandmaster Cheater Supreme)
Reputation: 71
Joined: 24 Jan 2007 Posts: 1857
Posted: Fri May 07, 2010 9:46 pm
Assuming you're not using wildcards, you would compare a dword at a time. If the length to be compared is less than 4, compare a word at a time, else it's a byte scan. So let's say you have an array of 15 bytes. You would scan for 3 sets of DWORD and 1 WORD and 1 BYTE. If at any point there is no match, increase the start address by one and try again.
This is known as the bruteforce method.
Consider looking at the Boyer-Moore and Knuth-Morris-Pratt algorithms.

iPromise (Grandmaster Cheater)
Reputation: -1
Joined: 27 Jun 2009 Posts: 529 Location: Canada
Posted: Fri May 07, 2010 10:38 pm
Thanks, so would this be right:
| Code: |
// Coded this on the spot
// Scanning for 53, 54, 55, 56
SYSTEM_INFO SI;
GetSystemInfo(&SI);
DWORD dwStartApp, dwStopApp;
dwStartApp = (DWORD) SI.lpMinimumApplicationAddress;
dwStopApp = (DWORD) SI.lpMaximumApplicationAddress;
MEMORY_BASIC_INFORMATION MBI = {0};
for (DWORD i = dwStartApp; i <= dwStopApp; i ++)
{
    VirtualQuery((LPCVOID) i, &MBI, sizeof(MEMORY_BASIC_INFORMATION));
    if (MBI.Protect == PAGE_READWRITE)
    {
        // Stop at the last address where a whole DWORD still fits inside the region
        for (DWORD Addr = (DWORD) MBI.BaseAddress; Addr <= (((DWORD) MBI.BaseAddress + (DWORD) MBI.RegionSize) - sizeof(DWORD) /* 4 */); Addr ++)
        {
            __try
            {
                // Bytes 53 54 55 56 in memory order read as the DWORD 0x56555453 on little-endian x86
                if (*(DWORD*) Addr == 0x56555453)
                {
                    MessageBoxA(0, "Found", "Isn't accurate scan though", MB_OK);
                }
            }
            __except(EXCEPTION_EXECUTE_HANDLER)
            {
                // Unreadable page: skip the rest of this region
                Addr = (DWORD) MBI.BaseAddress + (DWORD) MBI.RegionSize;
            }
        }
    }
    else
    {
        i = (DWORD) MBI.BaseAddress + (DWORD) MBI.RegionSize;
    }
    i = (DWORD) MBI.BaseAddress + (DWORD) MBI.RegionSize;
}
|
This isn't the best scan because you never know how many addresses will have a signature of 53, 54, 55 and 56. But is the way I did it correct?

hcavolsdsadgadsg (I'm a spammer)
Reputation: 26
Joined: 11 Jun 2007 Posts: 5801
Posted: Fri May 07, 2010 11:05 pm
off the top of my head, read a page, memchr to find the first byte of the sig, memcmp to confirm it's the right thing.
why are you asking if your code is right, you're the one writing it. start the debugger and check for yourself.

iPromise (Grandmaster Cheater)
Reputation: -1
Joined: 27 Jun 2009 Posts: 529 Location: Canada
Posted: Fri May 07, 2010 11:26 pm
@slovach I meant the way I did it.

Slugsnack (Grandmaster Cheater Supreme)
Reputation: 71
Joined: 24 Jan 2007 Posts: 1857
Posted: Sat May 08, 2010 7:02 am
not really. fix your indentation. you're saying try to find a match. if it matches, display a messagebox. if fail, go to next region. else.. go to next region. and when code passes through both of these 'oh let's add MBI.BaseAddress to MBI.RegionSize again'. you only need one loop invariant, no idea why you decided to use two. and you need to fix your code, yes. because unless the first dword you scan for each time is a match it's not gonna work
Note.. bruteforce is the most 'stupid' way you can implement a substring search. You should really look into the two algorithms I put above.

iPromise (Grandmaster Cheater)
Reputation: -1
Joined: 27 Jun 2009 Posts: 529 Location: Canada
Posted: Sat May 08, 2010 6:38 pm
Okay so this is what I have, it doesn't work for me at all.
The bytes at the original address are 01 30 8B; I'm looking for this plus the bytes of the next address, just to be a little more safe and accurate, so together I'm looking for 01, 30, 8B, D8, 01, 1C, F3.
So, my plan is to scan for memory regions whose flags are the same as the flags of my current addresses, so that would be:
State: MEM_COMMIT
Type: MEM_PRIVATE
Protect: PAGE_EXECUTE_READWRITE
So after research and understanding how signatures work, I came up with this code:
| Code: |
// iPromise, coded this in a dll.
DWORD Address = 0;
const BYTE *Read;
const BYTE *Signature = (const BYTE*) "\x01\x30\x8B\xD8\x01\x1C\xF3";
const DWORD SignatureLength = 7;
MEMORY_BASIC_INFORMATION MBI = {0};
// Walk every region in the process, starting at address 0
while (VirtualQuery((LPCVOID) ((DWORD) MBI.BaseAddress + (DWORD) MBI.RegionSize), &MBI, sizeof(MEMORY_BASIC_INFORMATION)))
{
    if ((MBI.State == MEM_COMMIT) && (MBI.Type == MEM_PRIVATE) && (MBI.Protect == PAGE_EXECUTE_READWRITE))
    {
        DWORD EndOfRegion = (DWORD) MBI.BaseAddress + (DWORD) MBI.RegionSize;
        // Stop where the whole signature no longer fits inside the region
        for (DWORD i = (DWORD) MBI.BaseAddress; i <= EndOfRegion - SignatureLength; i++)
        {
            __try
            {
                Read = (const BYTE*) i;   // point at the candidate bytes; don't write through an uninitialised pointer
                if (memcmp(Read, Signature, SignatureLength) == 0)   // compare all 7 bytes, not just the first
                {
                    Address = i;          // keeps the last match found
                }
            }
            __except (EXCEPTION_EXECUTE_HANDLER)
            {
                i = EndOfRegion;          // unreadable page: skip the rest of this region
            }
        }
    }
}
|
I'm having trouble with this code; I rechecked the memory region flags to make sure I had the right ones. I tried debugging it myself, but no luck whatsoever. So please tell me where in my code I'm going astray so I can fix it.
Thanks guys.
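As an added example that is not code from this thread: the memchr-then-compare scan suggested earlier, written over a plain byte buffer in standard C so it runs anywhere, with a '?' wildcard mask so a single byte of the 7-byte signature from the post above can be ignored. The buffer contents, the mask convention and the function names are constructed for this example; a real scanner would pass a committed region's base pointer and size in place of the sample array.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Masked scan: sig[i] is the wanted byte, mask[i] is 'x' (must match) or '?' (don't care).
 * mask[0] must be 'x' so memchr can jump to the next candidate. Returns first offset >= start, or -1. */
static long scan_signature(const uint8_t *buf, size_t len, size_t start,
                           const uint8_t *sig, const char *mask, size_t siglen)
{
    if (siglen == 0 || len < siglen || start > len - siglen || mask[0] != 'x')
        return -1;
    const uint8_t *p = buf + start;
    const uint8_t *last = buf + len - siglen;   /* last offset where the whole sig still fits */
    while (p <= last) {
        const uint8_t *hit = memchr(p, sig[0], (size_t)(last - p) + 1);
        if (hit == NULL)
            return -1;
        size_t i = 1;                            /* byte 0 already matched by memchr */
        for (; i < siglen; i++)
            if (mask[i] == 'x' && hit[i] != sig[i])
                break;
        if (i == siglen)
            return (long)(hit - buf);
        p = hit + 1;                             /* false candidate: resume one byte later */
    }
    return -1;
}

/* Number of matches in the buffer, restarting one byte past each hit. */
static size_t scan_count(const uint8_t *buf, size_t len, const uint8_t *sig,
                         const char *mask, size_t siglen)
{
    size_t n = 0;
    long off = scan_signature(buf, len, 0, sig, mask, siglen);
    while (off >= 0) { n++; off = scan_signature(buf, len, (size_t)off + 1, sig, mask, siglen); }
    return n;
}

/* Constructed sample: exact signature at offset 5, a decoy sharing only its first two bytes
 * at offset 14, a copy with the 4th byte changed at offset 20, and a truncated tail. */
static const uint8_t SAMPLE[] = {
    0x90, 0x90, 0x90, 0x90, 0x90, 0x01, 0x30, 0x8B, 0xD8, 0x01, 0x1C, 0xF3, 0xCC, 0xCC,
    0x01, 0x30, 0x00, 0x00, 0x00, 0x00, 0x01, 0x30, 0x8B, 0xAA, 0x01, 0x1C, 0xF3, 0x01, 0x30 };
static const uint8_t SIG[] = { 0x01, 0x30, 0x8B, 0xD8, 0x01, 0x1C, 0xF3 };

int main(void)
{
    printf("masked hits: %zu\n", scan_count(SAMPLE, sizeof SAMPLE, SIG, "xxx?xxx", sizeof SIG));
    return 0;
}
```

The exact mask "xxxxxxx" finds only offset 5, while "xxx?xxx" also accepts the copy at offset 20; the decoy at 14 and the two-byte tail at 27 never match because the bounds check keeps the comparison inside the buffer.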

Slugsnack (Grandmaster Cheater Supreme)
Reputation: 71
Joined: 24 Jan 2007 Posts: 1857
Posted: Sat May 08, 2010 7:29 pm
Learn to use a debugger and step your code and come back and tell us why it's not working. Part of mastering a language is learning how to effectively debug in it.