"??" [Problems]

06/08/2015 02:19 HaMaDa..#1

#Solved

06/08/2015 12:55 lolkop#2

Quote:

Originally Posted by HaMaDa..

Why autoit don't "??"

you might try to explain what you are actually talking about.

what are you trying to do, and what are the problems you've got while trying to do that...

06/08/2015 17:49 HaMaDa..#3

Sorry, i mean why autoit dont support "??" For the aob scan :)

06/08/2015 19:50 elmarcia#4

What?, that depends on the function that u use or you code to do array of bytes search here's a simple example of how to implement. Sorry for the awful code :D

Spoiler

Code:

#include <NomadMemory.au3>
#include <WinAPI.au3>
#include <WinAPIProc.au3>
#include <Array.au3>



Global $open = _MemoryOpen(ProcessExists("Test.exe")); test exe is a c++ test program

#cs
Test.cpp

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>

int main()
{
float life = 100;
printf("Hit shift to downgrade life \n");
printf("Your current life is: %.2f",life);
srand(time(NULL));
while(1)
{
    Sleep(20);
    if (GetAsyncKeyState(VK_SHIFT)&1)
    {
        system("cls");
        life -=  rand()%10;
if (life < 0)
{
    printf("you are dead :( \n");
break;
}else
    printf("U get hurt, your life now is %.2f",life);
    }

}
system("pause");
    return 0;
}
#ce

$yourPattern = "\0x00\0x00\0x00\0x42\0x60\0x19\0x40" ;search with cheat engine or something
$byteMask = "???xxxx"

$Addr = FindPattern($yourPattern, $byteMask,0x0022FAFF,0x4000000) ;(pattern,mask,initAddr,finalAddr)
MsgBox(0, "", "pattern finded at: " & Hex($Addr, 8))


Func GetModuleInfo($pid)
	$str = _WinAPI_GetModuleInformation($pid[1], Null)
	Return $str
EndFunc   ;==>GetModuleInfo


Func FindPattern($pattern, $mask,$from,$to)

	$ModuleData = GetModuleInfo($open)
	$lpBase = DllStructGetData($ModuleData,1)
	$sizeOfImage = DllStructGetData($ModuleData, 2)
	$EntryPoint = DllStructGetData($ModuleData, 3) ;some data sometimes useful don't know :p

	Local $Pat = PattArray($pattern)
	Local $M = MaskArray($mask)
	MsgBox(0,"","LPBASE: " & $lpBase & @CRLF & _
				"size: "  & $sizeOfImage & @CRLF & _
				"Entry point: "& $EntryPoint )

	$patternLen = StringLen($mask)
	For $i = $from To $to;$sizeOfImage - $patternLen - 1
		$found = True
		ToolTip("Searching: " & Hex($lpBase + $i, 8), 0, 0)
		For $j = 0 To $patternLen - 1
			$bool = $M[$j] = "?" Or Hex($Pat[$j], 2) = MemReadHexChar($lpBase + $i + $j) ;our bool expresion, will be 1 if the byte that we are reading is a ? in the mask, or are the same bytes, else is a 0
			$found = BitAND($found, $bool) ;we and the values , if all the bytes match then we find our pattern, else we don't
		Next
		If $found Then Return $lpBase + $i ;founded ? yey
	Next

EndFunc   ;==>FindPattern


Func PattArray($pattern) ;crap func to make the pattern an array to work with
	$split = StringSplit(StringMid($pattern, 2, StringLen($pattern)), "\", 2)
	Return $split
EndFunc   ;==>PattArray

Func MaskArray($mask) ;crap func to make the mask an array to work with
	Local $array[StringLen($mask)]
	For $i = 0 To UBound($array) - 1
		$array[$i] = StringMid($mask, $i + 1, 1)
	Next
	Return $array
EndFunc   ;==>MaskArray


Func MemReadHexChar($addres) ;crap func to get byte value at memory pos
	$byte = Hex(_MemoryRead($addres, $open, "byte"), 2)
	Return $byte
EndFunc   ;==>MemReadHexChar

Not my own code get some of here [Only registered and activated users can see links. Click Here To Register...]
and implement with autoit some adaptions to make it work faster then...

Wonder why that page is blocked here... , replace the 5 with S

06/08/2015 20:33 HaMaDa..#5

I Mean when the aob scan start if the aob have "??" all the aob won't work
So what i must replace "??" With :)
Help please :)

06/08/2015 21:32 elmarcia#6

why not?, what aob scan method are u using, maybe something bad implemented in the code thought.
If the memory region is non accessible the search should continue anyway...

06/08/2015 22:35 HaMaDa..#7

Code:

$Nothing_Array = "123??67??89??" ;That won't work if it with "12345678911" That's will work that's only for example
$NothingAddress =
_MEMSCAN($OPEN,$Nothing_Array,0x0000000000000000,0x7fffffffffffffff)

 Func _MEMSCAN($AH_HANDLE, $AB_ARRAY, $BASE_ADD = 0x00400000, $STOP_ADD = 0xFFFFFFFF)
    For $ADD = $BASE_ADD To $STOP_ADD Step 51200 - (StringLen($AB_ARRAY) / 2)
        StringRegExp(_MREAD($ADD, $AH_HANDLE, "byte[" & 51200 & "]"), $AB_ARRAY, 1, 2)
        If Not @Error Then
            Return StringFormat("0x%.8X", $ADD + ((@extended - StringLen($AB_ARRAY) - 2) / 2))
        EndIf
    Next
 EndFunc

 Func _MOPEN($IV_PID, $IV_DESIREDACCESS = 2035711, $IV_INHERITHANDLE = 1)
    If Not ProcessExists($IV_PID) Then
        SetError(1)
        Return 0
    EndIf
    Local $AH_HANDLE[2] = [DllOpen("kernel32.dll")]
    If @error Then
        SetError(2)
        Return 0
    EndIf
    Local $AV_OPENPROCESS = DllCall($AH_HANDLE[0], "int", "OpenProcess", "int", $IV_DESIREDACCESS, "int", $IV_INHERITHANDLE, "int", $IV_PID)
    If @error Then
        DllClose($AH_HANDLE[0])
        SetError(3)
        Return 0
    EndIf
    $AH_HANDLE[1] = $AV_OPENPROCESS[0]
    Return $AH_HANDLE
 EndFunc

 Func _MREAD($IV_ADDRESS, $AH_HANDLE, $SV_TYPE = "dword")
    If Not IsArray($AH_HANDLE) Then
        SetError(1)
        Return 0
    EndIf
    Local $V_BUFFER = DllStructCreate($SV_TYPE)
    If @error Then
        SetError(@error + 1)
        Return 0
    EndIf
    DllCall($AH_HANDLE[0], "int", "ReadProcessMemory", "int", $AH_HANDLE[1], "int", $IV_ADDRESS, "ptr", DllStructGetPtr($V_BUFFER), "int", DllStructGetSize($V_BUFFER), "int", "")
    If Not @error Then
        Local $V_VALUE = DllStructGetData($V_BUFFER, 1)
        Return $V_VALUE
    Else
        SetError(6)
        Return 0
    EndIf
 EndFunc

 Func _MCLOSE($AH_HANDLE)
    If Not IsArray($AH_HANDLE) Then
        SetError(1)
        Return 0
    EndIf
    DllCall($AH_HANDLE[0], "int", "CloseHandle", "int", $AH_HANDLE[1])
    If Not @error Then
        DllClose($AH_HANDLE[0])
        Return 1
    Else
        DllClose($AH_HANDLE[0])
        SetError(2)
        Return 0
    EndIf
 EndFunc

 Func Hide ()
   GUISetState(@SW_HIDE)
EndFunc

Func Show ()
   GUISetState(@SW_Show)
EndFunc

06/10/2015 03:05 elmarcia#8

That method that u use is faster because searchs a lot of memory per step but, when reading non-access memory the method fails and the reading returns 0x000000000000000000000000000000000000000000000000 000000000000000...
U will have to skip non-acess memory, and about the ?? if you want to search for a pattern you need a mask where the ? will replace any value that could change.
For example your memory is:
48 65 6c 6c 6f 20 57 6f 72 6c 64 20 31 30 31 (Hello World 101) and lets say that the word World never changes but the rest does.
Your aob array will be $SearchAoB="48 65 6c 6c 6f 20 57 6f 72 6c 64 20 31 30 31"
and your mask: $mask = "??????xxxxx????"
each ? represents a changing byte and each x represents a static one.

06/10/2015 18:13 HaMaDa..#9

So u mean for $Mask = "???xxx???"
It will replace it self the aob that need to change to mask? :)

06/10/2015 19:53 elmarcia#10

Replace the ?? in your $Nothing_Array = "123??67??89??" with .. means any character
$Nothing_Array = "123..67..89.."

That should work

06/11/2015 02:07 HaMaDa..#11

Thanks now it works :)
Thanks for your Time :)

06/11/2015 03:23 elmarcia#12

Np i'm here to help :)