public static bool Locate(RuntimeProcess runtime, out IntPtr result) { var namePattern = ByteSearch.ToPattern("ff_ParseTableInfos"); if (runtime.Search(namePattern, out var nameOffset) == false) { result = default; return(false); } nameOffset = nameOffset + 1; var codePattern = new ByteSearch.Pattern() { new byte[] { 0x83, 0x3D }, // cmp pointer1, 0 ByteSearch.AnyBytes(4), new byte[] { 0x00 }, new byte[] { 0x75, 0x21 }, // jnz 0x68, // push $ ByteSearch.AnyBytes(2), new byte[] { 0x00, 0x00 }, 0x68, // push "ff_ParseTableInfos" BitConverter.GetBytes(nameOffset.ToInt32()), new byte[] { 0x6A, 0x00 }, // push 0 new byte[] { 0x68, 0x00, 0x04, 0x00, 0x00 }, // push 0x400 0xE8, // call $ ByteSearch.AnyBytes(4), new byte[] { 0x8B, 0x55, 0x1C, }, // mov edx, [ebp+0x1C] new byte[] { 0x83, 0xC4, 0x10 }, // add esp, 0x10 0xA3, // mov pointer2, eax ByteSearch.AnyBytes(4), }; if (runtime.Search(codePattern, out var codeOffset) == false) { result = default; return(false); } var pointer1 = runtime.ReadValueU32(codeOffset + 2); if (pointer1 == 0) { throw new InvalidOperationException(); } var pointer2 = runtime.ReadValueU32(codeOffset + 38); if (pointer2 == 0) { throw new InvalidOperationException(); } if (pointer1 != pointer2) { throw new InvalidOperationException(); } result = new IntPtr(pointer1); return(true); }
public static bool Locate(RuntimeProcess runtime, out IntPtr result) { var codePattern = new ByteSearch.Pattern() { new byte[] { 0x55, 0x8B, 0xEC, 0x51 }, new byte[] { 0x8B, 0x0D }, ByteSearch.AnyBytes(4), new byte[] { 0x33, 0xC0, 0x89, 0x45, 0xFC, 0x85, 0xC9, 0x74, 0x14, 0x8B, 0x55, 0x08, 0x8D, 0x45, 0xFC, 0x50, 0x52, 0x51, }, new byte[] { 0xE8 }, ByteSearch.AnyBytes(4), new byte[] { 0x8B, 0x45, 0xFC, 0x83, 0xC4, 0x0C, 0x8B, 0xE5, 0x5D, 0xC3 } }; if (runtime.Search(codePattern, out var codeOffset) == false) { result = default; return(false); } var pointer = runtime.ReadValueU32(codeOffset + 6); if (pointer == 0) { throw new InvalidOperationException(); } result = new IntPtr(pointer); return(true); }
public static bool Locate(ProcessMemory memory, out uint result) { var codePattern = new ByteSearch.Pattern() { new byte[] { 0x55 }, new byte[] { 0x8B, 0xEC }, new byte[] { 0x51 }, new byte[] { 0xA1 }, ByteSearch.AnyBytes(4), new byte[] { 0xC7, 0x45, 0xFC, 0x00, 0x00, 0x00, 0x00 }, new byte[] { 0x85, 0xC0 }, new byte[] { 0x74, 0x17 }, new byte[] { 0x8D, 0x4D, 0xFC }, new byte[] { 0x51 }, new byte[] { 0xFF, 0x75, 0x08 }, new byte[] { 0x50 }, new byte[] { 0xE8 }, ByteSearch.AnyBytes(4), new byte[] { 0x8B, 0x45, 0xFC }, new byte[] { 0x83, 0xC4, 0x0C }, new byte[] { 0x8B, 0xE5 }, new byte[] { 0x5D }, new byte[] { 0xC3 }, }; uint codeOffset; if (memory.Search(codePattern, out codeOffset) == false) { result = 0; return(false); } var pointer = memory.ReadU32(codeOffset + 5); if (pointer == 0) { throw new InvalidOperationException(); } result = memory.ReadU32(pointer); return(true); }
public static bool Locate(RuntimeProcess runtime, out IntPtr result) { var codePattern = new ByteSearch.Pattern() { new byte[] { 0x51 }, 0xA1, ByteSearch.AnyBytes(4), new byte[] { 0xC7, 0x04, 0x24, 0x00, 0x00, 0x00, 0x00 }, new byte[] { 0x85, 0xC0 }, new byte[] { 0x74, 0x17 }, new byte[] { 0x8D, 0x0C, 0x24 }, new byte[] { 0x51 }, new byte[] { 0xFF, 0x74, 0x24, 0x0C }, new byte[] { 0x50 }, 0xE8, ByteSearch.AnyBytes(4), new byte[] { 0x8B, 0x44, 0x24, 0x0C }, new byte[] { 0x83, 0xC4, 0x0C }, new byte[] { 0x59 }, new byte[] { 0xC3 }, }; if (runtime.Search(codePattern, out var codeOffset) == false) { result = default; return(false); } var pointer = runtime.ReadValueU32(codeOffset + 2); if (pointer == 0) { throw new InvalidOperationException(); } result = new IntPtr(pointer); return(true); }
public static bool Locate(ProcessMemory memory, out uint result) { var codePattern = new ByteSearch.Pattern() { new byte[] { 0x55 }, // push ebp new byte[] { 0x8B, 0xEC }, // mov ebp, esp new byte[] { 0x51 }, // push ecx new byte[] { 0x83, 0x3D }, // cmp pointer1, 0 ByteSearch.AnyBytes(4), new byte[] { 0x00 }, new byte[] { 0x53 }, // push ebx new byte[] { 0x56 }, // push esi new byte[] { 0x57 }, // push edi new byte[] { 0x75 }, // jz ByteSearch.AnyBytes(1), new byte[] { 0x68 }, // push 0x000000?? ByteSearch.AnyBytes(1), new byte[] { 0x00, 0x00, 0x00 }, new byte[] { 0x68 }, // push 0x???????? ByteSearch.AnyBytes(4), new byte[] { 0x68 }, // push 0x000000?? ByteSearch.AnyBytes(1), new byte[] { 0x00, 0x00, 0x00 }, new byte[] { 0xE8 }, // call 0x???????? ByteSearch.AnyBytes(4), new byte[] { 0x68 }, // push 0x000000?? ByteSearch.AnyBytes(1), new byte[] { 0x00, 0x00, 0x00 }, new byte[] { 0x68 }, // push 0x???????? ByteSearch.AnyBytes(4), new byte[] { 0x6A, 0x00 }, // push 0x00 new byte[] { 0x6A, 0x20 }, // push 0x20 new byte[] { 0xA3 }, // mov pointer1, eax ByteSearch.AnyBytes(4), new byte[] { 0xE8 }, // call 0x???????? ByteSearch.AnyBytes(4), }; uint codeOffset; if (memory.Search(codePattern, out codeOffset) == false) { result = 0; return(false); } var pointer1 = memory.ReadU32(codeOffset + 6); if (pointer1 == 0) { throw new InvalidOperationException(); } var pointer2 = memory.ReadU32(codeOffset + 51); if (pointer2 == 0) { throw new InvalidOperationException(); } if (pointer1 != pointer2) { throw new InvalidOperationException(); } result = memory.ReadU32(pointer1); return(true); }
public static bool Locate(RuntimeProcess runtime, out IntPtr result) { var codePattern = new ByteSearch.Pattern() { new byte[] { 0x55 }, // push ebp new byte[] { 0x8B, 0xEC }, // mov ebp, esp new byte[] { 0x51 }, // push ecx new byte[] { 0x83, 0x3D }, // cmp pointer1, 0 ByteSearch.AnyBytes(4), new byte[] { 0x00 }, new byte[] { 0x53 }, // push ebx new byte[] { 0x56 }, // push esi new byte[] { 0x57 }, // push edi new byte[] { 0x75 }, // jz ByteSearch.AnyBytes(1), new byte[] { 0x68 }, // push $ ByteSearch.AnyBytes(1), new byte[] { 0x00, 0x00, 0x00 }, new byte[] { 0x68 }, // push $ ByteSearch.AnyBytes(4), new byte[] { 0x68 }, // push $ ByteSearch.AnyBytes(1), new byte[] { 0x00, 0x00, 0x00 }, new byte[] { 0xE8 }, // call $ ByteSearch.AnyBytes(4), new byte[] { 0x68 }, // push $ ByteSearch.AnyBytes(1), new byte[] { 0x00, 0x00, 0x00 }, new byte[] { 0x68 }, // push $ ByteSearch.AnyBytes(4), new byte[] { 0x6A, 0x00 }, // push 0x00 new byte[] { 0x6A, 0x20 }, // push 0x20 new byte[] { 0xA3 }, // mov pointer1, eax ByteSearch.AnyBytes(4), new byte[] { 0xE8 }, // call $ //ByteSearch.AnyBytes(4), }; if (runtime.Search(codePattern, out var codeOffset) == false) { result = default; return(false); } var pointer1 = runtime.ReadValueU32(codeOffset + 6); if (pointer1 == 0) { throw new InvalidOperationException(); } var pointer2 = runtime.ReadValueU32(codeOffset + 51); if (pointer2 == 0) { throw new InvalidOperationException(); } if (pointer1 != pointer2) { throw new InvalidOperationException(); } result = new IntPtr(pointer1); return(true); }
public static bool Locate(ProcessMemory memory, out uint result) { var namePattern = Helpers.ToPattern("ff_ParseTableInfos"); uint nameOffset; if (memory.Search(namePattern, out nameOffset) == false) { result = 0; return(false); } nameOffset = nameOffset + 1; var codePattern = new ByteSearch.Pattern() { new byte[] { 0x83, 0x3D }, // cmp pointer1, 0 ByteSearch.AnyBytes(4), new byte[] { 0x00 }, new byte[] { 0x75, 0x1E }, // jnz 0x68, // push 0x0000???? ByteSearch.AnyBytes(2), new byte[] { 0x00, 0x00 }, 0x68, // push "ff_ParseTableInfos" BitConverter.GetBytes(nameOffset), new byte[] { 0x6A, 0x00 }, // push 0 new byte[] { 0x68, 0x00, 0x04, 0x00, 0x00 }, // push 0x400 0xE8, // call 0x???????? ByteSearch.AnyBytes(4), new byte[] { 0x83, 0xC4, 0x10 }, // add esp, 10h 0xA3, ByteSearch.AnyBytes(4), // mov pointer2, eax }; uint codeOffset; if (memory.Search(codePattern, out codeOffset) == false) { result = 0; return(false); } var pointer1 = memory.ReadU32(codeOffset + 2); if (pointer1 == 0) { throw new InvalidOperationException(); } var pointer2 = memory.ReadU32(codeOffset + 35); if (pointer2 == 0) { throw new InvalidOperationException(); } if (pointer1 != pointer2) { throw new InvalidOperationException(); } result = memory.ReadU32(pointer1); return(true); }