Cheat Engine The Official Site of Cheat Engine
logicallysynced Newbie cheater
Reputation: 0
Joined: 30 Mar 2016 Posts: 16
Posted: Sat Apr 02, 2016 12:33 am Post subject: [C#] Finding pointer using SigScan
Hi all,
I've been struggling to read a base address/pointer within my C# application using a .CT file as my basis.
I am using the common SigScan class by atom0s to try and do this, and the values I need are returned perfectly using the .CT file within Cheat Engine, but when I try to replicate it in C# I just get a "Pattern not found" debug result.
Here is my C# code implemented:
Code:
// Pattern FF E0 A1 ?? ?? ?? ?? 80 78; the mask below wildcards bytes 3-6
byte[] toFind = new byte[] { 0xFF, 0xE0, 0xA1, 0x04, 0x37, 0x8F, 0x04, 0x80, 0x78 };
SigScan scanner = new SigScan();
scanner.Process = myProcess;
scanner.Address = new IntPtr(0x0E3B6A5B);   // the injection point from the .CT
scanner.Size = 9;                           // set to the pattern length
IntPtr ptr = scanner.FindPattern(toFind, "xxx????xx", 0);
Here is the working autoassemble .CT code:
Code:
aobscan(player,FF E0 A1 * * * * 80 78)
label(player_ptr)
player+3:
player_ptr:
registersymbol(player)
registersymbol(player_ptr)
[DISABLE]
unregistersymbol(player)
unregistersymbol(player_ptr)
{
// ORIGINAL CODE - INJECTION POINT: 0E3B6A5B
0E3B6A2D: 0F 85 1D FB FF FF - jne 0E3B6550
0E3B6A33: C7 45 E4 00 00 00 00 - mov [ebp-1C],00000000
0E3B6A3A: C7 45 E8 FC 00 00 00 - mov [ebp-18],000000FC
0E3B6A41: 68 D4 6E 3B 0E - push 0E3B6ED4
0E3B6A46: EB 00 - jmp 0E3B6A48
0E3B6A48: 8D 8D 08 FF FF FF - lea ecx,[ebp-000000F8]
0E3B6A4E: BA F4 D1 78 03 - mov edx,0378D1F4
0E3B6A53: E8 F8 5F FC 61 - call mscorlib.ni.dll+3ACA50
0E3B6A58: 58 - pop eax
0E3B6A59: FF E0 - jmp eax
// ---------- INJECTING HERE ----------
0E3B6A5B: A1 04 37 8F 04 - mov eax,[048F3704]
// ---------- DONE INJECTING ----------
0E3B6A60: 80 78 74 00 - cmp byte ptr [eax+74],00
0E3B6A64: 0F 85 DD 05 00 00 - jne 0E3B7047
0E3B6A6A: 8B 0D 04 37 8F 04 - mov ecx,[048F3704]
0E3B6A70: 39 09 - cmp [ecx],ecx
0E3B6A72: FF 15 F0 14 0C 08 - call dword ptr [080C14F0]
0E3B6A78: 85 C0 - test eax,eax
0E3B6A7A: 0F 85 C7 05 00 00 - jne 0E3B7047
0E3B6A80: A1 F8 36 8F 04 - mov eax,[048F36F8]
0E3B6A85: 89 85 9C F0 FF FF - mov [ebp-00000F64],eax
0E3B6A8B: 8B 0D 04 37 8F 04 - mov ecx,[048F3704]
}
Is there something that I'm missing that I've overlooked? If someone can point me in the right direction that would be a great help.
atom0s Moderator
Reputation: 205
Joined: 25 Jan 2006 Posts: 8587 Location: 127.0.0.1
Posted: Sat Apr 02, 2016 1:12 am
You are using the SigScan class incorrectly. The size is not meant for your pattern size, it is the size of the memory to dump. The address should not be some predefined static address either, it should be an assumed starting address, for example the exe's base address or a module's base address. The size should be the size of the module you are going to dump the memory of.
_________________
- Retired.
logicallysynced Newbie cheater
Reputation: 0
Joined: 30 Mar 2016 Posts: 16
Posted: Sat Apr 02, 2016 1:32 am
atom0s wrote:
    You are using the SigScan class incorrectly. The size is not meant for your pattern size, it is the size of the memory to dump. The address should not be some predefined static address either, it should be an assumed starting address, for example the exe's base address or a module's base address. The size should be the size of the module you are going to dump the memory of.
Alright that actually makes a bit more sense then, I should be able to alter my code to pick up the exe base address:
Code:
byte[] toFind = new byte[] { 0xFF, 0xE0, 0xA1, 0xFF, 0xFF, 0xFF, 0xFF, 0x80, 0x78 }; // bytes 3-6 are wildcards
SigScan scanner = new SigScan();
scanner.Process = myProcess;
scanner.Address = myProcess.MainModule.BaseAddress;       // start of the dump: the exe's base
scanner.Size = 2220032;                                   // bytes to dump: the module size
IntPtr ptr = scanner.FindPattern(toFind, "xxx????xx", 3); // +3 = player+3 in the .CT
But I need a little bit more clarification on the size variable. I know by executing some basic Lua script within CE that the module size is:
Code:
application.exe base: 160000, application.exe size: 2220032 bytes

Does that mean the size variable is 2220032? When I try this, your script ends on the (!this.DumpMemory()) check.
Sorry for the questions and thanks for your help!! I do appreciate it.
atom0s Moderator
Reputation: 205
Joined: 25 Jan 2006 Posts: 8587 Location: 127.0.0.1
Posted: Sat Apr 02, 2016 2:07 am
The class was made as a general example and not really for dumping large regions (full modules). Since memory can have different page rights that conflict, you can try to dump a full module and hit a region you do not have access to.
You're better off walking the memory regions with VirtualQueryEx and dumping each region, scanning within it, etc. to get more consistent scanning as well as a protection-aware scanning method.
But yes, the size should be the size of the region you are scanning. If you want it to be a whole module, use the module's full size. The Process C# class contains all that information.
_________________
- Retired.
logicallysynced Newbie cheater
Reputation: 0
Joined: 30 Mar 2016 Posts: 16
Posted: Sat Apr 02, 2016 8:51 pm
atom0s wrote:
    The class was made as a general example and not really for dumping large regions (full modules). Since memory can have different page rights that conflict, you can try to dump a full module and hit a region you do not have access to.
    You're better off walking the memory regions with VirtualQueryEx and dumping each region, scanning within it, etc. to get more consistent scanning as well as a protection-aware scanning method.
    But yes, the size should be the size of the region you are scanning. If you want it to be a whole module, use the module's full size. The Process C# class contains all that information.
Alright, thanks for your input. I implemented VirtualQueryEx and now I can step through the entire thing and get the values I need. However, since I need to do a SigScan on every step of the VirtualQueryEx loop, it's taking a considerable amount of time to complete.
Is there any way to improve the performance that you know of?
Pastebin of code: /mQPaATPf
atom0s Moderator
Reputation: 205
Joined: 25 Jan 2006 Posts: 8587 Location: 127.0.0.1
Posted: Sun Apr 03, 2016 12:17 pm
You don't need to make separate sigscan objects for the three patterns. You can reuse the first one. Just make 1 sigscan object then do FindPattern with all 3 on that same object.
_________________
- Retired.
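Pulling the three replies together (Address/Size are the dump window, not the pattern; walk regions with VirtualQueryEx instead of one big read; reuse one scanner for several patterns), here is an added example written for this page. It is not the SigScan class from the original post and not Cheat Engine code. It opens the target with only query and read rights, dumps every committed, readable, non-guard region once, and then runs any number of masked FindPattern calls against that cache, so three patterns cost one dump rather than three. The process name "application", the 0x7FFFFFFF ceiling (a 32-bit target that is not large-address-aware) and the RegionScanner/ReadUInt32 names are assumptions for illustration; the bytes, mask and +3 offset are the thread's own, and ReadUInt32 at pattern+3 returns the disp32 of the mov eax,[048F3704] instruction, which is exactly what the .CT's player_ptr label points at. Two caveats the thread's own numbers make visible: the first post's 9-byte window starts at 0E3B6A5B, two bytes after the FF E0 at 0E3B6A59 where the pattern begins, so it can never hold the whole pattern; and 0E3B6A5B lies far above application.exe's range (base 0x160000 plus 2220032 bytes ends at 0x37E000), with the call into mscorlib.ni.dll suggesting JIT-compiled managed code, so a scan bounded by MainModule.BaseAddress and its size cannot find this pattern either way, while a region walk covers it.

```csharp
// Added example (not the SigScan class from the original post): dump every committed,
// readable region once via VirtualQueryEx + ReadProcessMemory, then scan any number of
// masked patterns against that cache instead of re-dumping per pattern.
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Runtime.InteropServices;

public sealed class RegionScanner : IDisposable
{
    [StructLayout(LayoutKind.Sequential)]
    struct MEMORY_BASIC_INFORMATION
    {
        public IntPtr BaseAddress, AllocationBase; public uint AllocationProtect;
        public IntPtr RegionSize; public uint State, Protect, Type;
    }
    const uint PROCESS_QUERY_INFORMATION = 0x0400, PROCESS_VM_READ = 0x0010;
    const uint MEM_COMMIT = 0x1000, PAGE_NOACCESS = 0x01, PAGE_GUARD = 0x100;

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, int dwProcessId);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr VirtualQueryEx(IntPtr hProcess, IntPtr lpAddress, out MEMORY_BASIC_INFORMATION lpBuffer, IntPtr dwLength);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, IntPtr nSize, out IntPtr lpNumberOfBytesRead);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr hObject);

    readonly IntPtr handle;
    readonly List<KeyValuePair<IntPtr, byte[]>> regions = new List<KeyValuePair<IntPtr, byte[]>>(); // (base, bytes)

    public RegionScanner(Process process, long start, long end)
    {
        // Least privilege: a scanner needs query + read only, never PROCESS_VM_WRITE.
        handle = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, false, process.Id);
        if (handle == IntPtr.Zero) throw new InvalidOperationException("OpenProcess: " + Marshal.GetLastWin32Error());
        IntPtr mbiSize = (IntPtr)Marshal.SizeOf(typeof(MEMORY_BASIC_INFORMATION));
        for (long address = start; address < end; )
        {
            MEMORY_BASIC_INFORMATION mbi;
            if (VirtualQueryEx(handle, (IntPtr)address, out mbi, mbiSize) == IntPtr.Zero) break; // no more user-mode regions
            long size = mbi.RegionSize.ToInt64();
            // Skip free/reserved, PAGE_NOACCESS and guard pages: hitting one of these is what makes
            // a single "dump the whole module" read fail part way through.
            if (mbi.State == MEM_COMMIT && mbi.Protect != PAGE_NOACCESS && (mbi.Protect & PAGE_GUARD) == 0)
            {
                var buffer = new byte[size];
                IntPtr got;
                if (ReadProcessMemory(handle, mbi.BaseAddress, buffer, (IntPtr)size, out got) && got.ToInt64() > 0)
                {
                    if (got.ToInt64() < size) Array.Resize(ref buffer, (int)got.ToInt64()); // partial read: keep what we got
                    regions.Add(new KeyValuePair<IntPtr, byte[]>(mbi.BaseAddress, buffer));
                }
            }
            address = mbi.BaseAddress.ToInt64() + size;
        }
    }

    // Same contract as the thread's call: 'x' = byte must match, anything else = wildcard; returns match + offset or Zero.
    public IntPtr FindPattern(byte[] pattern, string mask, int offset)
    {
        if (pattern.Length != mask.Length) throw new ArgumentException("pattern/mask length mismatch");
        foreach (var region in regions)
        {
            byte[] data = region.Value;
            for (int i = 0; i + pattern.Length <= data.Length; i++)
            {
                int j = 0;
                while (j < pattern.Length && (mask[j] != 'x' || data[i + j] == pattern[j])) j++;
                if (j == pattern.Length) return (IntPtr)(region.Key.ToInt64() + i + offset);
            }
        }
        return IntPtr.Zero;
    }

    public uint ReadUInt32(IntPtr address) // little-endian disp32 / 32-bit pointer at 'address'
    {
        var buf = new byte[4]; IntPtr got;
        if (!ReadProcessMemory(handle, address, buf, (IntPtr)4, out got) || got.ToInt64() != 4)
            throw new InvalidOperationException("ReadProcessMemory: " + Marshal.GetLastWin32Error());
        return BitConverter.ToUInt32(buf, 0);
    }

    public void Dispose() { if (handle != IntPtr.Zero) CloseHandle(handle); }
}

public static class Example
{
    public static void Main()
    {
        // Assumed process name; 0x7FFFFFFF is the user-mode ceiling of a 32-bit, non-large-address-aware target.
        Process target = Process.GetProcessesByName("application")[0];
        using (var scanner = new RegionScanner(target, 0, 0x7FFFFFFFL))
        {
            // FF E0 A1 ?? ?? ?? ?? 80 78 from the thread; +3 is the disp32 of "mov eax,[048F3704]", i.e. player_ptr
            IntPtr playerPtr = scanner.FindPattern(new byte[] { 0xFF, 0xE0, 0xA1, 0, 0, 0, 0, 0x80, 0x78 }, "xxx????xx", 3);
            if (playerPtr == IntPtr.Zero) { Console.WriteLine("Pattern not found"); return; }
            Console.WriteLine("player_ptr={0:X8} [player_ptr]={1:X8}", playerPtr.ToInt64(), scanner.ReadUInt32(playerPtr));
            // Additional patterns reuse the cached dump: scanner.FindPattern(otherBytes, otherMask, 0);
        }
    }
}
```

The dump is taken once in the constructor, so the per-pattern cost is only the linear byte comparison over the cached buffers; if the region the code lives in is known (a module range, or the JIT region found on a previous run), pass a narrower start/end and the walk shrinks accordingly. Note that a 64-bit scanner can read a 32-bit target's regions this way, but a 32-bit scanner cannot see a 64-bit target's address space above 4 GB.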