public static bool Locate(RuntimeProcess runtime, out IntPtr result)
{
var namePattern = ByteSearch.ToPattern("ff_ParseTableInfos");
if (runtime.Search(namePattern, out var nameOffset) == false)
{
result = default;
return(false);
}
nameOffset = nameOffset + 1;
var codePattern = new ByteSearch.Pattern()
{
new byte[] { 0x83, 0x3D }, // cmp pointer1, 0
ByteSearch.AnyBytes(4),
new byte[] { 0x00 },
new byte[] { 0x75, 0x21 }, // jnz
0x68, // push $
ByteSearch.AnyBytes(2),
new byte[] { 0x00, 0x00 },
0x68, // push "ff_ParseTableInfos"
BitConverter.GetBytes(nameOffset.ToInt32()),
new byte[] { 0x6A, 0x00 }, // push 0
new byte[] { 0x68, 0x00, 0x04, 0x00, 0x00 }, // push 0x400
0xE8, // call $
ByteSearch.AnyBytes(4),
new byte[] { 0x8B, 0x55, 0x1C, }, // mov edx, [ebp+0x1C]
new byte[] { 0x83, 0xC4, 0x10 }, // add esp, 0x10
0xA3, // mov pointer2, eax
ByteSearch.AnyBytes(4),
};
if (runtime.Search(codePattern, out var codeOffset) == false)
{
result = default;
return(false);
}
var pointer1 = runtime.ReadValueU32(codeOffset + 2);
if (pointer1 == 0)
{
throw new InvalidOperationException();
}
var pointer2 = runtime.ReadValueU32(codeOffset + 38);
if (pointer2 == 0)
{
throw new InvalidOperationException();
}
if (pointer1 != pointer2)
{
throw new InvalidOperationException();
}
result = new IntPtr(pointer1);
return(true);
}
public static bool Locate(RuntimeProcess runtime, out IntPtr result)
{
var codePattern = new ByteSearch.Pattern()
{
new byte[] { 0x55, 0x8B, 0xEC, 0x51 },
new byte[] { 0x8B, 0x0D },
ByteSearch.AnyBytes(4),
new byte[]
{
0x33, 0xC0, 0x89, 0x45, 0xFC, 0x85, 0xC9, 0x74,
0x14, 0x8B, 0x55, 0x08, 0x8D, 0x45, 0xFC, 0x50,
0x52, 0x51,
},
new byte[] { 0xE8 },
ByteSearch.AnyBytes(4),
new byte[] { 0x8B, 0x45, 0xFC, 0x83, 0xC4, 0x0C, 0x8B, 0xE5, 0x5D, 0xC3 }
};
if (runtime.Search(codePattern, out var codeOffset) == false)
{
result = default;
return(false);
}
var pointer = runtime.ReadValueU32(codeOffset + 6);
if (pointer == 0)
{
throw new InvalidOperationException();
}
result = new IntPtr(pointer);
return(true);
}
public static bool Locate(ProcessMemory memory, out uint result)
{
var codePattern = new ByteSearch.Pattern()
{
new byte[] { 0x55 },
new byte[] { 0x8B, 0xEC },
new byte[] { 0x51 },
new byte[] { 0xA1 },
ByteSearch.AnyBytes(4),
new byte[] { 0xC7, 0x45, 0xFC, 0x00, 0x00, 0x00, 0x00 },
new byte[] { 0x85, 0xC0 },
new byte[] { 0x74, 0x17 },
new byte[] { 0x8D, 0x4D, 0xFC },
new byte[] { 0x51 },
new byte[] { 0xFF, 0x75, 0x08 },
new byte[] { 0x50 },
new byte[] { 0xE8 },
ByteSearch.AnyBytes(4),
new byte[] { 0x8B, 0x45, 0xFC },
new byte[] { 0x83, 0xC4, 0x0C },
new byte[] { 0x8B, 0xE5 },
new byte[] { 0x5D },
new byte[] { 0xC3 },
};
uint codeOffset;
if (memory.Search(codePattern, out codeOffset) == false)
{
result = 0;
return(false);
}
var pointer = memory.ReadU32(codeOffset + 5);
if (pointer == 0)
{
throw new InvalidOperationException();
}
result = memory.ReadU32(pointer);
return(true);
}
public static bool Search(this RuntimeProcess runtime, ByteSearch.Pattern pattern, out IntPtr result)
{
const int blockSize = 0x00A00000;
var data = new byte[blockSize];
var address = runtime.Process.MainModule.BaseAddress;
var totalSize = runtime.Process.MainModule.ModuleMemorySize;
for (int i = 0; i < totalSize; i += blockSize - pattern.Count)
{
int size = Math.Min(blockSize, totalSize - i);
runtime.Read(address + i, data, 0, size);
int offset;
if (ByteSearch.Match(data, 0, size, pattern, out offset) == true)
{
result = address + i + offset;
return(true);
}
}
result = default;
return(false);
}
public static bool Locate(RuntimeProcess runtime, out IntPtr result)
{
var codePattern = new ByteSearch.Pattern()
{
new byte[] { 0x51 },
0xA1,
ByteSearch.AnyBytes(4),
new byte[] { 0xC7, 0x04, 0x24, 0x00, 0x00, 0x00, 0x00 },
new byte[] { 0x85, 0xC0 },
new byte[] { 0x74, 0x17 },
new byte[] { 0x8D, 0x0C, 0x24 },
new byte[] { 0x51 },
new byte[] { 0xFF, 0x74, 0x24, 0x0C },
new byte[] { 0x50 },
0xE8,
ByteSearch.AnyBytes(4),
new byte[] { 0x8B, 0x44, 0x24, 0x0C },
new byte[] { 0x83, 0xC4, 0x0C },
new byte[] { 0x59 },
new byte[] { 0xC3 },
};
if (runtime.Search(codePattern, out var codeOffset) == false)
{
result = default;
return(false);
}
var pointer = runtime.ReadValueU32(codeOffset + 2);
if (pointer == 0)
{
throw new InvalidOperationException();
}
result = new IntPtr(pointer);
return(true);
}
public static bool Locate(ProcessMemory memory, out uint result)
{
var codePattern = new ByteSearch.Pattern()
{
new byte[] { 0x55 }, // push ebp
new byte[] { 0x8B, 0xEC }, // mov ebp, esp
new byte[] { 0x51 }, // push ecx
new byte[] { 0x83, 0x3D }, // cmp pointer1, 0
ByteSearch.AnyBytes(4),
new byte[] { 0x00 },
new byte[] { 0x53 }, // push ebx
new byte[] { 0x56 }, // push esi
new byte[] { 0x57 }, // push edi
new byte[] { 0x75 }, // jz
ByteSearch.AnyBytes(1),
new byte[] { 0x68 }, // push 0x000000??
ByteSearch.AnyBytes(1),
new byte[] { 0x00, 0x00, 0x00 },
new byte[] { 0x68 }, // push 0x????????
ByteSearch.AnyBytes(4),
new byte[] { 0x68 }, // push 0x000000??
ByteSearch.AnyBytes(1),
new byte[] { 0x00, 0x00, 0x00 },
new byte[] { 0xE8 }, // call 0x????????
ByteSearch.AnyBytes(4),
new byte[] { 0x68 }, // push 0x000000??
ByteSearch.AnyBytes(1),
new byte[] { 0x00, 0x00, 0x00 },
new byte[] { 0x68 }, // push 0x????????
ByteSearch.AnyBytes(4),
new byte[] { 0x6A, 0x00 }, // push 0x00
new byte[] { 0x6A, 0x20 }, // push 0x20
new byte[] { 0xA3 }, // mov pointer1, eax
ByteSearch.AnyBytes(4),
new byte[] { 0xE8 }, // call 0x????????
ByteSearch.AnyBytes(4),
};
uint codeOffset;
if (memory.Search(codePattern, out codeOffset) == false)
{
result = 0;
return(false);
}
var pointer1 = memory.ReadU32(codeOffset + 6);
if (pointer1 == 0)
{
throw new InvalidOperationException();
}
var pointer2 = memory.ReadU32(codeOffset + 51);
if (pointer2 == 0)
{
throw new InvalidOperationException();
}
if (pointer1 != pointer2)
{
throw new InvalidOperationException();
}
result = memory.ReadU32(pointer1);
return(true);
}
public static bool Locate(RuntimeProcess runtime, out IntPtr result)
{
var codePattern = new ByteSearch.Pattern()
{
new byte[] { 0x55 }, // push ebp
new byte[] { 0x8B, 0xEC }, // mov ebp, esp
new byte[] { 0x51 }, // push ecx
new byte[] { 0x83, 0x3D }, // cmp pointer1, 0
ByteSearch.AnyBytes(4),
new byte[] { 0x00 },
new byte[] { 0x53 }, // push ebx
new byte[] { 0x56 }, // push esi
new byte[] { 0x57 }, // push edi
new byte[] { 0x75 }, // jz
ByteSearch.AnyBytes(1),
new byte[] { 0x68 }, // push $
ByteSearch.AnyBytes(1),
new byte[] { 0x00, 0x00, 0x00 },
new byte[] { 0x68 }, // push $
ByteSearch.AnyBytes(4),
new byte[] { 0x68 }, // push $
ByteSearch.AnyBytes(1),
new byte[] { 0x00, 0x00, 0x00 },
new byte[] { 0xE8 }, // call $
ByteSearch.AnyBytes(4),
new byte[] { 0x68 }, // push $
ByteSearch.AnyBytes(1),
new byte[] { 0x00, 0x00, 0x00 },
new byte[] { 0x68 }, // push $
ByteSearch.AnyBytes(4),
new byte[] { 0x6A, 0x00 }, // push 0x00
new byte[] { 0x6A, 0x20 }, // push 0x20
new byte[] { 0xA3 }, // mov pointer1, eax
ByteSearch.AnyBytes(4),
new byte[] { 0xE8 }, // call $
//ByteSearch.AnyBytes(4),
};
if (runtime.Search(codePattern, out var codeOffset) == false)
{
result = default;
return(false);
}
var pointer1 = runtime.ReadValueU32(codeOffset + 6);
if (pointer1 == 0)
{
throw new InvalidOperationException();
}
var pointer2 = runtime.ReadValueU32(codeOffset + 51);
if (pointer2 == 0)
{
throw new InvalidOperationException();
}
if (pointer1 != pointer2)
{
throw new InvalidOperationException();
}
result = new IntPtr(pointer1);
return(true);
}
public static bool Locate(ProcessMemory memory, out uint result)
{
var namePattern = Helpers.ToPattern("ff_ParseTableInfos");
uint nameOffset;
if (memory.Search(namePattern, out nameOffset) == false)
{
result = 0;
return(false);
}
nameOffset = nameOffset + 1;
var codePattern = new ByteSearch.Pattern()
{
new byte[] { 0x83, 0x3D }, // cmp pointer1, 0
ByteSearch.AnyBytes(4),
new byte[] { 0x00 },
new byte[] { 0x75, 0x1E }, // jnz
0x68, // push 0x0000????
ByteSearch.AnyBytes(2),
new byte[] { 0x00, 0x00 },
0x68, // push "ff_ParseTableInfos"
BitConverter.GetBytes(nameOffset),
new byte[] { 0x6A, 0x00 }, // push 0
new byte[] { 0x68, 0x00, 0x04, 0x00, 0x00 }, // push 0x400
0xE8, // call 0x????????
ByteSearch.AnyBytes(4),
new byte[] { 0x83, 0xC4, 0x10 }, // add esp, 10h
0xA3,
ByteSearch.AnyBytes(4), // mov pointer2, eax
};
uint codeOffset;
if (memory.Search(codePattern, out codeOffset) == false)
{
result = 0;
return(false);
}
var pointer1 = memory.ReadU32(codeOffset + 2);
if (pointer1 == 0)
{
throw new InvalidOperationException();
}
var pointer2 = memory.ReadU32(codeOffset + 35);
if (pointer2 == 0)
{
throw new InvalidOperationException();
}
if (pointer1 != pointer2)
{
throw new InvalidOperationException();
}
result = memory.ReadU32(pointer1);
return(true);
}
