[ASM] Pointer Updater

[quote name='KaosDevelopment' timestamp='1297548242' post='3285']

Kod:

unsigned char CharRelatedBaseBytes[] = {0x83, 0x3D, '?', '?', '?', 0x00, 0x00, 0x74, 0x31, 0x8b, 0x06, 0x8B, 0xCE, 0xFF, 0x50, 0x1C, 0x83, 0xF8, 0x0A};



Kod:


 unsigned long CharAddy = FindPattern((unsigned char*)CharRelatedBaseBytes, "xx???xxxxxxxxxxxxx", 0);

Then to get the pointer, you'll have to do something like this

Kod:

CharAddy = *(DWORD*)(CharAddy + 2);

Kod:

bool Check(const BYTE* pData, const BYTE* bMask, const char* szMask)
{
    for(; *szMask; ++szMask, ++pData, ++bMask)
        if(*szMask == 'x' && *pData != *bMask )
            return false;
   
    return (*szMask) == NULL;
}

//Find Address
DWORD FindPattern(BYTE *bMask, char* szMask, DWORD dwOffset)
{
    DWORD dwAddress = 0x00400000;
    DWORD dwLen        = 0x01FFFFFF;

    for(DWORD i=0; i < dwLen; i++)
        if( Check ((BYTE*)( dwAddress + i ), bMask, szMask) )
            return (DWORD)(dwAddress + i + dwOffset);

    MissingAddy = true;
    return 0x00400000;
}

[/quote]

[quote name='twostars' timestamp='1306657853' post='11134']
What exactly are you stuck on? This is the programming section, not the leeching section. If you can't implement sample code, either ask for help in doing so or reconsider your attempt in the first place.

Requesting is forbidden. Consider this a verbal warning.

PS: The above example looks like it could be simplified a lot - theoretically, you could get away with using the one pattern, as how often is '?' (0x3F) going to crop up, and then produce a false positive with the rest of the entire pattern? It's very unlikely that could happen, as the rest of the pattern would have to be well, not unique (which, as a pattern, it shouldn't be in the first place).

I propose something like the following:

Kod:

bool isPatternMatch(const BYTE* pData, const BYTE *bPattern, DWORD patternLength)
{
    // Loop through the entire pattern
    for (int i = 0; i < patternLength; i++, pData++, bPattern++)
    {
        // If the pattern isn't up to a dynamic byte (represented by ?, 0x3F), make sure it matches (otherwise it doesn't have to).
        if (*bPattern != '?' && *pData != *bPattern)
            return false;
    }

    // We didn't return false to indicate a mismatch, so it must match.
    return true;
}

DWORD FindPattern(BYTE *bPattern, DWORD patternLength)
{
    DWORD dwAddress    = 0x00400000;
    DWORD dwLen    = 0x01FFFFFF;

    for (DWORD i = 0; i < dwLen; i++)
    {
        if (isPatternMatch((BYTE*)(dwAddress + i), bPattern, patternLength))
                        return (DWORD)(dwAddress + i);
    }

    return NULL;
}

...

BYTE patternCharPtr[] = { 0x83, 0x3D, '?', '?', '?', 0x00, 0x00, 0x74, 0x31, 0x8b, 0x06, 0x8B, 0xCE, 0xFF, 0x50, 0x1C, 0x83, 0xF8, 0x0A };
DWORD addrCharPtr = FindPattern((BYTE*)patternCharPtr, sizeof(patternCharPtr));

However, then it's still scanning byte-by-byte. Perhaps it could be devised so that it doesn't need to scan starting from every byte for the pattern - that'd be faster, although I'd have to think a little more about how that would be achieved without potentially losing valid matches (by scanning over it). Thoughts?
[/quote]