MyNameBorat wrote:A quick example of passing the masks to the function?
Code: Select all
Procedure DataCompare(*pData.Byte, *bMask.Byte, *szMask.Ascii)
While *szMask\a
If *szMask\a = 'x' And (*pData\b <> *bMask\b)
ProcedureReturn #False
EndIf
*szMask + 1
*pData + 1
*bMask + 1
Wend
ProcedureReturn Bool( *szMask\a = 0 )
EndProcedure
Procedure FindPattern(dwAddress, dwLen, *bMask.Byte, *szMask.Ascii)
Protected i = 0
While i < dwLen
If DataCompare( dwAddress + i, *bMask, *szMask )
ProcedureReturn dwAddress + i
EndIf
i + 1
Wend
ProcedureReturn 0
EndProcedure
DataSection
bMask:
Data.a $88,$4d,$ff,$0f,$b6,$55,$ff,$85,$d2,$00,$00,$0f,$b6,$45,$0c,$85
szMask:
Data.b 'x','x','x','x','x','x','x','x','x','?','?','x','x','x','x','x'
EndDataSection
*MemoryAddress = AllocateMemory(1024)
If *MemoryAddress
CopyMemory(?bMask,*MemoryAddress+200,16) ; Copy bMask to memory position 200
len = MemorySize(*MemoryAddress)-16
result = FindPattern(*MemoryAddress,len,?bMask,?szMask)
Debug "Result: "+Str(result)
Debug "Result - *MemoryAddress: "+Str(result-*MemoryAddress)
EndIf
Now that I know szMask is a string in form "xxxx??xxx", it can get converted to string and is easier useable (Ascii+Unicode mode):
Code: Select all
Procedure DataCompare(*pData.Byte, *bMask.Byte, szMask.s)
*szMask.Character = @szMask
While *szMask\c
If *szMask\c = 'x' And (*pData\b <> *bMask\b)
ProcedureReturn #False
EndIf
*szMask + SizeOf(Character)
*pData + 1
*bMask + 1
Wend
ProcedureReturn Bool( *szMask\c = 0 )
EndProcedure
Procedure FindPattern(dwAddress, dwLen, *bMask.Byte, szMask.s)
Protected i = 0
While i < dwLen
If DataCompare( dwAddress + i, *bMask, szMask )
ProcedureReturn dwAddress + i
EndIf
i + 1
Wend
ProcedureReturn 0
EndProcedure
DataSection
bytesToSearch_01:
Data.a $88,$4d,$ff,$0f,$b6,$55,$ff,$85,$d2,$00,$00,$0f,$b6,$45,$0c,$85
EndDataSection
*MemoryAddress = AllocateMemory(1024)
If *MemoryAddress
CopyMemory(?bytesToSearch_01,*MemoryAddress+321,16) ; Copy bytesToSearch_01 to memory position 321
len = MemorySize(*MemoryAddress)-16
result = FindPattern(*MemoryAddress,len,?bytesToSearch_01,"xxxxxxxxx??xxxxx")
Debug "Result: "+Str(result)
Debug "Result - *MemoryAddress: "+Str(result-*MemoryAddress)
EndIf
Debug "--------------------"
;
; Example 2
;
Dim memory.b(1000)
memory(800) = 'a'
memory(801) = 'b'
memory(802) = 'c'
memory(803) = 'd'
memory(804) = 'e'
memory(805) = 'f'
Dim bytesToSearch.b(6)
bytesToSearch(0) = 'a'
bytesToSearch(1) = 'b'
bytesToSearch(2) = 'c'
bytesToSearch(3) = 'x'
bytesToSearch(4) = 'x'
bytesToSearch(5) = 'f'
result = FindPattern(@memory(),1000-6,@bytesToSearch(),"xxx??x")
Debug "Result: "+Str(result)
Debug "Result - @memory(): "+Str(result-@memory())
MyNameBorat wrote:Also these functions are suppose to read from memory. To compare the byte code to match up the signature to determine the offset. Isn't there suppose to be some PeekX() functions being used as well?
It uses pointers directly, so no PeekX() required. I just translated the C code as is.
