/// <summary>
/// Scans for <paramref name="pattern"/> and turns the match into an absolute address.
/// The 32-bit value stored at <c>ReadAddress + offset</c> is added to <c>ReadAddress</c>,
/// then <paramref name="offset"/> and <paramref name="size"/> are added on top.
/// </summary>
/// <param name="pattern">Signature text handed to <c>DwordPattern</c>.</param>
/// <param name="offset">Distance from the match to the 32-bit value that is read.</param>
/// <param name="size">Extra byte count added to the result.</param>
/// <returns>The computed address, or <see cref="IntPtr.Zero"/> when the pattern is not found.</returns>
/// <remarks>
/// NOTE(review): this looks like resolving an instruction-relative displacement - confirm.
/// The displacement comes straight from process memory and is not range-checked here, so a
/// false-positive match yields an arbitrary address; callers should validate the result
/// before dereferencing it.
/// </remarks>
public IntPtr GetGlobalAddressFromPattern(string pattern, int offset, int size)
{
    var match = _patternScanner.Find(new DwordPattern(pattern));

    if (match.Found)
    {
        var displacement = _processSharp.Memory.Read<int>(match.ReadAddress + offset);
        return IntPtr.Add(match.ReadAddress, displacement) + offset + size;
    }

    // Callers must treat Zero as "signature not present".
    return IntPtr.Zero;
}
/// <summary>
/// Load handler: attaches to the first process named "Telegram", scans its main module for a
/// fixed byte signature and stores the match's read address plus 2 in <c>_address</c>.
/// Every failure is shown to the user in a message box instead of propagating.
/// </summary>
/// <param name="sender">Event source (not used).</param>
/// <param name="e">Event data (not used).</param>
private void OnLoad(object sender, EventArgs e)
{
    try
    {
        // NOTE(review): the target is selected by process name alone and the first hit wins;
        // nothing here checks which executable or build is actually behind that name.
        var target = System.Diagnostics.Process.GetProcessesByName("Telegram").FirstOrDefault();
        if (target == null)
        {
            throw new Exception("telegram isn't running");
        }

        // The wrapper is created with MemoryType.Local and its Memory is then replaced by an
        // ExternalProcessMemory bound to the process handle.
        _processSharp = new ProcessSharp(target, MemoryType.Local);
        _processSharp.Memory = new ExternalProcessMemory(_processSharp.Handle);

        // The signature is hard-coded; the original author remarks that the matched function
        // keeps changing between releases, so a miss after an update is the expected failure.
        var match = new PatternScanner(_processSharp.ModuleFactory.MainModule)
            .Find(new DwordPattern("85 F6 74 48 8B CB"));
        if (!match.Found)
        {
            throw new Exception("something broke");
        }

        // On any failure above _address keeps its previous value.
        _address = match.ReadAddress + 2;
    }
    catch (Exception failure)
    {
        MessageBox.Show(failure.Message);
    }
}
/// <summary>
/// Walks the public instance properties of <paramref name="type"/> and resolves every
/// <c>IProcedure</c> property by scanning for its pattern; other class-typed properties that
/// hold a value are processed recursively.
/// </summary>
/// <param name="scanner">Scanner used to locate each procedure pattern.</param>
/// <param name="type">Type whose properties are inspected.</param>
/// <param name="parent">Owning object; when null a new instance of <paramref name="type"/> is created.</param>
/// <param name="instance">Object whose property values are read; replaced when <paramref name="parent"/> is null.</param>
/// <param name="procedureConstructorParams">Constructor arguments used when the instance is created here.</param>
/// <returns>The instance that was inspected.</returns>
/// <exception cref="ArgumentException">A procedure pattern could not be found.</exception>
private object LoadDescriptionMembers(PatternScanner scanner, Type type, object parent, object instance, object[] procedureConstructorParams = null)
{
    if (parent == null)
    {
        instance = Activator.CreateInstance(type, procedureConstructorParams);
    }

    // A disabled earlier variant also built the instance when a parent was supplied (trying a
    // constructor taking the parent's type). As written, a non-null parent requires the caller
    // to pass the instance.
    // NOTE(review): a null instance, or an IProcedure property holding null, is not guarded
    // against below.

    Type procItfType = typeof(IProcedure);

    foreach (var prop in type.GetProperties(BindingFlags.Public | BindingFlags.Instance))
    {
        if (procItfType.IsAssignableFrom(prop.PropertyType))
        {
            var proc = (IProcedure)prop.GetValue(instance);

            // Reuse the value cached for this pattern text as the scan hint, 0 when none is cached.
            var hintAddr = !CachedAddresses.ContainsKey(proc.Pattern.PatternText)
                ? 0
                : CachedAddresses[proc.Pattern.PatternText];

            var scanRes = scanner.Find(proc.Pattern, hintAddr);

            if (!scanRes.Found)
            {
                throw new ArgumentException($"Procedure {prop.DeclaringType.Name}.{prop.Name} could not be found.");
            }

            proc.Factory = Factory;
            proc.BaseAddr = scanRes.BaseAddress;

            // Remember where the pattern matched for the next scan.
            CachedAddresses[proc.Pattern.PatternText] = scanRes.Offset;

            continue;
        }

        if (!prop.PropertyType.GetTypeInfo().IsClass)
        {
            continue;
        }

        var propInstance = prop.GetValue(instance);

        // Properties left null are skipped rather than instantiated.
        if (propInstance != null)
        {
            LoadDescriptionMembers(scanner, prop.PropertyType, instance, propInstance);
        }
    }

    return instance;
}
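//
// Native calls

/// <summary>
/// Scans the main module for every entry of <c>SMNatives.MethodsPatterns</c> and stores the
/// resulting base address in <c>CallTable</c>, keyed by the native method.
/// The value cached per pattern text is passed to the scanner as a hint and refreshed with the
/// offset of the new match; the refreshed map is handed back through the callback.
/// </summary>
/// <exception cref="InvalidOperationException">
/// A pattern was not found. Entries processed before the failure stay in <c>CallTable</c>; the
/// hint map is not written back.
/// </exception>
/// <remarks>
/// NOTE(review): <c>ToInt32()</c> throws <see cref="OverflowException"/> for addresses that do
/// not fit in 32 bits, so this presumably targets a 32-bit process - confirm.
/// </remarks>
protected void SetupNativeMethods()
{
    var scanner = new PatternScanner(SMProcess.ModuleFactory.MainModule);
    var hintAddrs = SMInject.Instance.Callback.GetPatternsHintAddresses();

    foreach (var methodPattern in SMNatives.MethodsPatterns)
    {
        var pattern = methodPattern.Value;

        // Single lookup; a pattern without a cached hint scans with 0.
        int hintAddr;
        if (!hintAddrs.TryGetValue(pattern.PatternText, out hintAddr))
        {
            hintAddr = 0;
        }

        var scanRes = scanner.Find(pattern, hintAddr);

        // A failed scan must not reach the call table: the stored address is later used as a
        // native call target, and the hint cache would be overwritten with a meaningless offset.
        if (!scanRes.Found)
        {
            throw new InvalidOperationException(
                "Pattern for native method " + methodPattern.Key + " was not found in the main module.");
        }

        hintAddrs[pattern.PatternText] = scanRes.Offset;
        CallTable[methodPattern.Key] = scanRes.BaseAddress.ToInt32();
    }

    SMInject.Instance.Callback.SetPatternsHintAddresses(hintAddrs);

    // The former one-assignment-per-method form (CallTable[NativeMethod.X] =
    // scanner.Find(signature).BaseAddress.ToInt32()) was already disabled; the loop above
    // fills the table instead.
}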
/// <summary>
/// Scans the main module of the current (test runner) process for a common call signature
/// and expects a match.
/// </summary>
public void TestLocalDwordPattern()
{
    var self = System.Diagnostics.Process.GetCurrentProcess();
    var mainModule = new ProcessSharp(self, Memory.MemoryType.Local).ModuleFactory.MainModule;

    var scanner = new PatternScanner(mainModule);
    Assert.NotNull(scanner, "Failed to instantiate PatternScanner object.");
    Assert.NotNull(scanner.Data, "Failed to read local memory in to Data object.");

    // Per the original author the most common x86 signature: CALL <dword> followed by
    // ADD ESP, x. The four '?' entries stand in for the call operand bytes.
    var signature = new DwordPattern("E8 ? ? ? ? 83 C4");
    var result = scanner.Find(signature);

    Assert.IsTrue(result.Found, "Failed to find signature in TestLocalDwordPattern.");

    // NOTE(review): if Offset is an integer, IsNotNull boxes it and can never fail; an explicit
    // range check would assert more. The same applies to NotNull on a freshly constructed scanner.
    Assert.IsNotNull(result.Offset, "Offset was null in TestLocalDwordPattern.");
}
/// <summary>
/// Scans the main module of a running Notepad++ instance for a byte sequence that should not
/// be present and expects a "not found" result with offset 0.
/// </summary>
/// <remarks>
/// Depends on the environment: a process named "notepad++" must be running and readable by
/// the test account, otherwise the first assertion fails.
/// </remarks>
public void TestUnfindableNaivePattern()
{
    System.Diagnostics.Process[] candidates = System.Diagnostics.Process.GetProcessesByName("notepad++");
    Assert.Greater(candidates.Length, 0, "Failed to find a running instance of Notepad++.");

    var remote = new ProcessSharp(candidates[0], Process.NET.Memory.MemoryType.Remote);
    var scanner = new PatternScanner(remote.ModuleFactory.MainModule);

    Assert.NotNull(scanner, "Failed to instantiate PatternScanner object.");
    Assert.NotNull(scanner.Data, "Failed to read MainModule from Notepad++ in to Data object.");

    // A sequence the test expects to be absent from the module. The original inline comment
    // called it the common CALL / ADD ESP signature, which does not describe these bytes.
    var absentSignature = new DwordPattern("69 42 06 66 11 22 33 44 55 66 77 88 99");
    var result = scanner.Find(absentSignature);

    Assert.IsFalse(result.Found, "TestUnfindableNaivePattern yielded an offset when it wasn't supposed to.");

    // A failed scan is expected to report offset 0.
    Assert.That(result.Offset == 0, "Offset was not special number 0");
}
/// <summary>
/// Scans the main module of a running Notepad++ instance with the naive algorithm for a common
/// call signature and expects a match with a non-negative offset.
/// </summary>
/// <remarks>
/// Depends on the environment: a process named "notepad++" must be running and readable by
/// the test account, otherwise the first assertion fails.
/// </remarks>
public void TestRemoteNaivePattern()
{
    System.Diagnostics.Process[] candidates = System.Diagnostics.Process.GetProcessesByName("notepad++");
    Assert.Greater(candidates.Length, 0, "Failed to find a running instance of Notepad++.");

    var remote = new ProcessSharp(candidates[0], Process.NET.Memory.MemoryType.Remote);
    var scanner = new PatternScanner(remote.ModuleFactory.MainModule);

    Assert.NotNull(scanner, "Failed to instantiate PatternScanner object.");
    Assert.NotNull(scanner.Data, "Failed to read MainModule from Notepad++ in to Data object.");

    // Per the original author the most common x86 signature: CALL <dword> followed by
    // ADD ESP, x. The Naive algorithm is requested explicitly.
    var signature = new DwordPattern("E8 ? ? ? ? 83 C4", PatternScannerAlgorithm.Naive);
    var result = scanner.Find(signature);

    // NOTE(review): the failure message names TestRemoteDwordPattern, not this test.
    Assert.IsTrue(result.Found, "Failed to find signature in TestRemoteDwordPattern.");
    Assert.That(result.Offset > -1, "TestRemoteNaivePattern offset was not greater than -1.");
}
/// <summary>
/// Scans the main module of a running Notepad++ instance with the Boyer-Moore-Horspool
/// algorithm, using a <c>DwordPatternData</c> built with the value 1, and expects a match.
/// </summary>
/// <remarks>
/// Depends on the environment: a process named "notepad++" must be running and readable by
/// the test account, otherwise the first assertion fails.
/// </remarks>
public void TestRemoteDwordDataBMHPattern()
{
    System.Diagnostics.Process[] candidates = System.Diagnostics.Process.GetProcessesByName("notepad++");
    Assert.Greater(candidates.Length, 0, "Failed to find a running instance of Notepad++.");

    var remote = new ProcessSharp(candidates[0], Process.NET.Memory.MemoryType.Remote);
    var scanner = new PatternScanner(remote.ModuleFactory.MainModule);

    Assert.NotNull(scanner, "Failed to instantiate PatternScanner object.");
    Assert.NotNull(scanner.Data, "Failed to read MainModule from Notepad++ in to Data object.");

    // Per the original author the most common x86 signature: CALL <dword> followed by
    // ADD ESP, x.
    var signature = new DwordPatternData("E8 ? ? ? ? 83 C4", 1, PatternScannerAlgorithm.BoyerMooreHorspool);
    var result = scanner.Find(signature);

    // NOTE(review): the first two messages name TestRemoteDwordDataPattern, not this test.
    Assert.IsTrue(result.Found, "Failed to find signature in TestRemoteDwordDataPattern.");

    // NOTE(review): if Offset and ReadAddress are value types, IsNotNull boxes them and can
    // never fail; comparing against an expected range or a zero address would assert more.
    Assert.IsNotNull(result.Offset, "Offset was null in TestRemoteDwordDataPattern.");
    Assert.IsNotNull(result.ReadAddress, "Failed to read from retrieved pattern address in TestRemoteDwordDataBMHPattern.");
}
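/// <summary>
/// Scans the main module for every (method, pattern) pair returned by
/// <c>nativeData.GetAllMemoryPatterns()</c> and stores the resulting base address in
/// <c>_callTable</c>. The value cached per pattern text is passed to the scanner as a hint and
/// refreshed with the offset of the new match; the refreshed map is written back through
/// <c>SMA.SetPatternsHintAddresses</c>.
/// </summary>
/// <param name="nativeData">Source of the method-to-pattern pairs to resolve.</param>
/// <exception cref="InvalidOperationException">
/// A pattern was not found. Entries processed before the failure stay in <c>_callTable</c>; the
/// hint map is not written back.
/// </exception>
/// <remarks>
/// NOTE(review): <c>ToInt32()</c> throws <see cref="OverflowException"/> for addresses that do
/// not fit in 32 bits, so this presumably targets a 32-bit process - confirm.
/// </remarks>
protected void ScanSMMethods(NativeData nativeData)
{
    var scanner = new PatternScanner(_smProcess.ModuleFactory.MainModule);
    var hintAddrs = SMA.GetPatternsHintAddresses();

    foreach (var (method, pattern) in nativeData.GetAllMemoryPatterns())
    {
        // Single lookup; TryGetValue leaves the hint at 0 when nothing is cached.
        hintAddrs.TryGetValue(pattern.PatternText, out var hintAddr);

        var scanRes = scanner.Find(pattern, hintAddr);

        // A failed scan must not reach the call table: the stored address is later used as a
        // native call target, and the hint cache would be overwritten with a meaningless offset.
        if (!scanRes.Found)
        {
            throw new InvalidOperationException(
                $"Pattern for native method {method} was not found in the main module.");
        }

        hintAddrs[pattern.PatternText] = scanRes.Offset;
        _callTable[method] = scanRes.BaseAddress.ToInt32();
    }

    SMA.SetPatternsHintAddresses(hintAddrs);
}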
/// <summary>
/// Attempts to patch the client executable.
/// </summary>
/// <param name="patchName">Name of the patch to be applied; used as the prefix of every console message.</param>
/// <param name="pattern">The pattern to search for.</param>
/// <param name="replacementBytes">The bytes to write at the found location.</param>
/// <returns>
/// <c>true</c> when the replacement bytes were written; <c>false</c> when the pattern was not
/// found or opening/writing the file failed.
/// </returns>
/// <remarks>
/// The file named by <c>_fileName</c> is overwritten in place with exclusive access. Nothing
/// here takes a backup, compares the length of <paramref name="replacementBytes"/> with the
/// matched pattern, or re-reads the file to confirm the write. Modifying an executable on disk
/// also invalidates any signature or recorded hash of that file; callers that need integrity
/// guarantees have to provide them around this method.
/// </remarks>
private bool Patch(string patchName, byte?[] pattern, byte[] replacementBytes)
{
    Contract.Requires(!string.IsNullOrEmpty(patchName));
    Contract.Requires(pattern != null);
    Contract.Requires(replacementBytes != null);

    var located = _scanner.Find(pattern);
    if (located == null)
    {
        Console.WriteLine("{0}: Offset not found.", patchName);
        return false;
    }

    var ofs = (long)located;
    Console.WriteLine("{0}: Offset found at: 0x{1}", patchName, ofs.ToString("X8", CultureInfo.InvariantCulture));

    try
    {
        // FileShare.None: no other handle may be open on the file while it is written.
        var target = File.Open(_fileName, FileMode.Open, FileAccess.Write, FileShare.None);

        // Disposing the writer also closes the underlying stream.
        using (var writer = new BinaryWriter(target))
        {
            Contract.Assume(ofs >= 0);
            target.Position = ofs;
            writer.Write(replacementBytes);
        }

        return true;
    }
    catch (Exception ex)
    {
        // Deliberately broad: every failure is reported as a failed patch, not rethrown.
        Console.WriteLine("{0}: Error: {1}", patchName, ex.Message);
        return false;
    }
}
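/// <summary>
/// Scans the main module for every entry of <c>SM17Natives.MethodsPatterns</c> and stores the
/// resulting base address in <c>_callTable</c>, keyed by the native method.
/// The value cached per pattern text is passed to the scanner as a hint and refreshed with the
/// offset of the new match; the refreshed map is written back through
/// <c>SMA.SetPatternsHintAddresses</c>.
/// </summary>
/// <exception cref="InvalidOperationException">
/// A pattern was not found. Entries processed before the failure stay in <c>_callTable</c>; the
/// hint map is not written back.
/// </exception>
/// <remarks>
/// NOTE(review): <c>ToInt32()</c> throws <see cref="OverflowException"/> for addresses that do
/// not fit in 32 bits, so this presumably targets a 32-bit process - confirm.
/// </remarks>
protected void ScanSMMethods()
{
    var scanner = new PatternScanner(_smProcess.ModuleFactory.MainModule);
    var hintAddrs = SMA.GetPatternsHintAddresses();

    foreach (var methodPattern in SM17Natives.MethodsPatterns)
    {
        var pattern = methodPattern.Value;

        // Single lookup; a pattern without a cached hint scans with 0.
        int hintAddr;
        if (!hintAddrs.TryGetValue(pattern.PatternText, out hintAddr))
        {
            hintAddr = 0;
        }

        var scanRes = scanner.Find(pattern, hintAddr);

        // A failed scan must not reach the call table: the stored address is later used as a
        // native call target, and the hint cache would be overwritten with a meaningless offset.
        if (!scanRes.Found)
        {
            throw new InvalidOperationException(
                "Pattern for native method " + methodPattern.Key + " was not found in the main module.");
        }

        hintAddrs[pattern.PatternText] = scanRes.Offset;
        _callTable[methodPattern.Key] = scanRes.BaseAddress.ToInt32();
    }

    SMA.SetPatternsHintAddresses(hintAddrs);
}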
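/// <summary>
/// Scans for <paramref name="pattern"/> and turns the match into an absolute address.
/// The 32-bit value stored at <c>ReadAddress + offset</c> is added to <c>ReadAddress</c>,
/// then <paramref name="offset"/> and <paramref name="size"/> are added on top.
/// </summary>
/// <param name="pattern">Signature text handed to <c>DwordPattern</c>.</param>
/// <param name="offset">Distance from the match to the 32-bit value that is read.</param>
/// <param name="size">Extra byte count added to the result.</param>
/// <returns>The computed address, or <see cref="IntPtr.Zero"/> when the pattern is not found.</returns>
/// <remarks>
/// NOTE(review): the displacement is read from process memory and is not range-checked, so a
/// false-positive match yields an arbitrary address; callers should validate the result
/// before dereferencing it.
/// </remarks>
private static IntPtr GetAddressFromPattern(string pattern, int offset, int size)
{
    var scanResult = PatternScanner.Find(new DwordPattern(pattern));

    // Without this check a failed scan would still drive a memory read relative to whatever
    // ReadAddress the scanner reports for "not found", producing a fault or a bogus address.
    if (!scanResult.Found)
    {
        return IntPtr.Zero;
    }

    var displacement = ProcessSharp.Memory.Read<int>(scanResult.ReadAddress + offset);
    return IntPtr.Add(scanResult.ReadAddress, displacement) + offset + size;
}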
/// <summary>
/// Scans one module of <paramref name="prcss"/> for <paramref name="pattern"/>.
/// </summary>
/// <param name="moduleName">Key passed to the process indexer to select the module.</param>
/// <param name="pattern">Pattern to search for.</param>
/// <param name="prcss">Process wrapper that owns the module.</param>
/// <returns>The scanner's result for the pattern.</returns>
/// <remarks>
/// A new <c>PatternScanner</c> is built on every call.
/// NOTE(review): what the indexer yields for an unknown module name is not visible here - confirm.
/// </remarks>
internal static PatternScanResult Find(string moduleName, IMemoryPattern pattern, ProcessSharp prcss)
{
    var targetModule = prcss[moduleName];
    return new PatternScanner(targetModule).Find(pattern);
}
/// <summary>
/// Scans one module of <c>proc</c> for a signature given as text.
/// </summary>
/// <param name="moduleName">Key passed to the <c>proc</c> indexer to select the module.</param>
/// <param name="pattern">Signature text, wrapped in a <c>DwordPattern</c> before scanning.</param>
/// <returns>The scanner's result for the pattern.</returns>
/// <remarks>
/// A new <c>PatternScanner</c> is built on every call.
/// NOTE(review): what the indexer yields for an unknown module name is not visible here - confirm.
/// </remarks>
public PatternScanResult Find(string moduleName, string pattern)
{
    var targetModule = proc[moduleName];
    return new PatternScanner(targetModule).Find(new DwordPattern(pattern));
}