Esempio n. 1
0
        public static bool Locate(RuntimeProcess runtime, out IntPtr result)
        {
            var namePattern = ByteSearch.ToPattern("ff_ParseTableInfos");

            if (runtime.Search(namePattern, out var nameOffset) == false)
            {
                result = default;
                return(false);
            }
            nameOffset = nameOffset + 1;

            var codePattern = new ByteSearch.Pattern()
            {
                new byte[] { 0x83, 0x3D }, // cmp pointer1, 0
                ByteSearch.AnyBytes(4),
                new byte[] { 0x00 },
                new byte[] { 0x75, 0x21 }, // jnz
                0x68,                      // push $
                ByteSearch.AnyBytes(2),
                new byte[] { 0x00, 0x00 },
                0x68,                                        // push "ff_ParseTableInfos"
                BitConverter.GetBytes(nameOffset.ToInt32()),
                new byte[] { 0x6A, 0x00 },                   // push 0
                new byte[] { 0x68, 0x00, 0x04, 0x00, 0x00 }, // push 0x400
                0xE8,                                        // call $
                ByteSearch.AnyBytes(4),
                new byte[] { 0x8B, 0x55, 0x1C, },            // mov edx, [ebp+0x1C]
                new byte[] { 0x83, 0xC4, 0x10 },             // add esp, 0x10
                0xA3,                                        // mov pointer2, eax
                ByteSearch.AnyBytes(4),
            };

            if (runtime.Search(codePattern, out var codeOffset) == false)
            {
                result = default;
                return(false);
            }

            var pointer1 = runtime.ReadValueU32(codeOffset + 2);

            if (pointer1 == 0)
            {
                throw new InvalidOperationException();
            }

            var pointer2 = runtime.ReadValueU32(codeOffset + 38);

            if (pointer2 == 0)
            {
                throw new InvalidOperationException();
            }

            if (pointer1 != pointer2)
            {
                throw new InvalidOperationException();
            }

            result = new IntPtr(pointer1);
            return(true);
        }
        public static bool Locate(RuntimeProcess runtime, out IntPtr result)
        {
            var codePattern = new ByteSearch.Pattern()
            {
                new byte[] { 0x55, 0x8B, 0xEC, 0x51 },
                new byte[] { 0x8B, 0x0D },
                ByteSearch.AnyBytes(4),
                new byte[]
                {
                    0x33, 0xC0, 0x89, 0x45, 0xFC, 0x85, 0xC9, 0x74,
                    0x14, 0x8B, 0x55, 0x08, 0x8D, 0x45, 0xFC, 0x50,
                    0x52, 0x51,
                },
                new byte[] { 0xE8 },
                ByteSearch.AnyBytes(4),
                new byte[] { 0x8B, 0x45, 0xFC, 0x83, 0xC4, 0x0C, 0x8B, 0xE5, 0x5D, 0xC3 }
            };

            if (runtime.Search(codePattern, out var codeOffset) == false)
            {
                result = default;
                return(false);
            }

            var pointer = runtime.ReadValueU32(codeOffset + 6);

            if (pointer == 0)
            {
                throw new InvalidOperationException();
            }

            result = new IntPtr(pointer);
            return(true);
        }
Esempio n. 3
0
        public static bool Locate(ProcessMemory memory, out uint result)
        {
            var codePattern = new ByteSearch.Pattern()
            {
                new byte[] { 0x55 },
                new byte[] { 0x8B, 0xEC },
                new byte[] { 0x51 },
                new byte[] { 0xA1 },
                ByteSearch.AnyBytes(4),
                new byte[] { 0xC7, 0x45, 0xFC, 0x00, 0x00, 0x00, 0x00 },
                new byte[] { 0x85, 0xC0 },
                new byte[] { 0x74, 0x17 },
                new byte[] { 0x8D, 0x4D, 0xFC },
                new byte[] { 0x51 },
                new byte[] { 0xFF, 0x75, 0x08 },
                new byte[] { 0x50 },
                new byte[] { 0xE8 },
                ByteSearch.AnyBytes(4),
                new byte[] { 0x8B, 0x45, 0xFC },
                new byte[] { 0x83, 0xC4, 0x0C },
                new byte[] { 0x8B, 0xE5 },
                new byte[] { 0x5D },
                new byte[] { 0xC3 },
            };
            uint codeOffset;

            if (memory.Search(codePattern, out codeOffset) == false)
            {
                result = 0;
                return(false);
            }

            var pointer = memory.ReadU32(codeOffset + 5);

            if (pointer == 0)
            {
                throw new InvalidOperationException();
            }

            result = memory.ReadU32(pointer);
            return(true);
        }
Esempio n. 4
0
        public static bool Locate(RuntimeProcess runtime, out IntPtr result)
        {
            var codePattern = new ByteSearch.Pattern()
            {
                new byte[] { 0x51 },
                0xA1,
                ByteSearch.AnyBytes(4),
                new byte[] { 0xC7, 0x04, 0x24, 0x00, 0x00, 0x00, 0x00 },
                new byte[] { 0x85, 0xC0 },
                new byte[] { 0x74, 0x17 },
                new byte[] { 0x8D, 0x0C, 0x24 },
                new byte[] { 0x51 },
                new byte[] { 0xFF, 0x74, 0x24, 0x0C },
                new byte[] { 0x50 },
                0xE8,
                ByteSearch.AnyBytes(4),
                new byte[] { 0x8B, 0x44, 0x24, 0x0C },
                new byte[] { 0x83, 0xC4, 0x0C },
                new byte[] { 0x59 },
                new byte[] { 0xC3 },
            };

            if (runtime.Search(codePattern, out var codeOffset) == false)
            {
                result = default;
                return(false);
            }

            var pointer = runtime.ReadValueU32(codeOffset + 2);

            if (pointer == 0)
            {
                throw new InvalidOperationException();
            }

            result = new IntPtr(pointer);
            return(true);
        }
        public static bool Locate(ProcessMemory memory, out uint result)
        {
            var codePattern = new ByteSearch.Pattern()
            {
                new byte[] { 0x55 },       // push ebp
                new byte[] { 0x8B, 0xEC }, // mov ebp, esp
                new byte[] { 0x51 },       // push ecx
                new byte[] { 0x83, 0x3D }, // cmp pointer1, 0
                ByteSearch.AnyBytes(4),
                new byte[] { 0x00 },
                new byte[] { 0x53 }, // push ebx
                new byte[] { 0x56 }, // push esi
                new byte[] { 0x57 }, // push edi
                new byte[] { 0x75 }, // jz
                ByteSearch.AnyBytes(1),
                new byte[] { 0x68 }, // push 0x000000??
                ByteSearch.AnyBytes(1),
                new byte[] { 0x00, 0x00, 0x00 },
                new byte[] { 0x68 }, // push 0x????????
                ByteSearch.AnyBytes(4),
                new byte[] { 0x68 }, // push 0x000000??
                ByteSearch.AnyBytes(1),
                new byte[] { 0x00, 0x00, 0x00 },
                new byte[] { 0xE8 }, // call 0x????????
                ByteSearch.AnyBytes(4),
                new byte[] { 0x68 }, // push 0x000000??
                ByteSearch.AnyBytes(1),
                new byte[] { 0x00, 0x00, 0x00 },
                new byte[] { 0x68 },       // push 0x????????
                ByteSearch.AnyBytes(4),
                new byte[] { 0x6A, 0x00 }, // push 0x00
                new byte[] { 0x6A, 0x20 }, // push 0x20
                new byte[] { 0xA3 },       // mov pointer1, eax
                ByteSearch.AnyBytes(4),
                new byte[] { 0xE8 },       // call 0x????????
                ByteSearch.AnyBytes(4),
            };
            uint codeOffset;

            if (memory.Search(codePattern, out codeOffset) == false)
            {
                result = 0;
                return(false);
            }

            var pointer1 = memory.ReadU32(codeOffset + 6);

            if (pointer1 == 0)
            {
                throw new InvalidOperationException();
            }

            var pointer2 = memory.ReadU32(codeOffset + 51);

            if (pointer2 == 0)
            {
                throw new InvalidOperationException();
            }

            if (pointer1 != pointer2)
            {
                throw new InvalidOperationException();
            }

            result = memory.ReadU32(pointer1);
            return(true);
        }
        public static bool Locate(RuntimeProcess runtime, out IntPtr result)
        {
            var codePattern = new ByteSearch.Pattern()
            {
                new byte[] { 0x55 },       // push ebp
                new byte[] { 0x8B, 0xEC }, // mov ebp, esp
                new byte[] { 0x51 },       // push ecx
                new byte[] { 0x83, 0x3D }, // cmp pointer1, 0
                ByteSearch.AnyBytes(4),
                new byte[] { 0x00 },
                new byte[] { 0x53 }, // push ebx
                new byte[] { 0x56 }, // push esi
                new byte[] { 0x57 }, // push edi
                new byte[] { 0x75 }, // jz
                ByteSearch.AnyBytes(1),
                new byte[] { 0x68 }, // push $
                ByteSearch.AnyBytes(1),
                new byte[] { 0x00, 0x00, 0x00 },
                new byte[] { 0x68 }, // push $
                ByteSearch.AnyBytes(4),
                new byte[] { 0x68 }, // push $
                ByteSearch.AnyBytes(1),
                new byte[] { 0x00, 0x00, 0x00 },
                new byte[] { 0xE8 }, // call $
                ByteSearch.AnyBytes(4),
                new byte[] { 0x68 }, // push $
                ByteSearch.AnyBytes(1),
                new byte[] { 0x00, 0x00, 0x00 },
                new byte[] { 0x68 },       // push $
                ByteSearch.AnyBytes(4),
                new byte[] { 0x6A, 0x00 }, // push 0x00
                new byte[] { 0x6A, 0x20 }, // push 0x20
                new byte[] { 0xA3 },       // mov pointer1, eax
                ByteSearch.AnyBytes(4),
                new byte[] { 0xE8 },       // call $
                //ByteSearch.AnyBytes(4),
            };

            if (runtime.Search(codePattern, out var codeOffset) == false)
            {
                result = default;
                return(false);
            }

            var pointer1 = runtime.ReadValueU32(codeOffset + 6);

            if (pointer1 == 0)
            {
                throw new InvalidOperationException();
            }

            var pointer2 = runtime.ReadValueU32(codeOffset + 51);

            if (pointer2 == 0)
            {
                throw new InvalidOperationException();
            }

            if (pointer1 != pointer2)
            {
                throw new InvalidOperationException();
            }

            result = new IntPtr(pointer1);
            return(true);
        }
Esempio n. 7
0
        public static bool Locate(ProcessMemory memory, out uint result)
        {
            var  namePattern = Helpers.ToPattern("ff_ParseTableInfos");
            uint nameOffset;

            if (memory.Search(namePattern, out nameOffset) == false)
            {
                result = 0;
                return(false);
            }
            nameOffset = nameOffset + 1;

            var codePattern = new ByteSearch.Pattern()
            {
                new byte[] { 0x83, 0x3D }, // cmp pointer1, 0
                ByteSearch.AnyBytes(4),
                new byte[] { 0x00 },
                new byte[] { 0x75, 0x1E }, // jnz
                0x68,                      // push 0x0000????
                ByteSearch.AnyBytes(2),
                new byte[] { 0x00, 0x00 },
                0x68,                                        // push "ff_ParseTableInfos"
                BitConverter.GetBytes(nameOffset),
                new byte[] { 0x6A, 0x00 },                   // push 0
                new byte[] { 0x68, 0x00, 0x04, 0x00, 0x00 }, // push 0x400
                0xE8,                                        // call 0x????????
                ByteSearch.AnyBytes(4),
                new byte[] { 0x83, 0xC4, 0x10 },             // add esp, 10h
                0xA3,
                ByteSearch.AnyBytes(4),                      // mov pointer2, eax
            };
            uint codeOffset;

            if (memory.Search(codePattern, out codeOffset) == false)
            {
                result = 0;
                return(false);
            }

            var pointer1 = memory.ReadU32(codeOffset + 2);

            if (pointer1 == 0)
            {
                throw new InvalidOperationException();
            }

            var pointer2 = memory.ReadU32(codeOffset + 35);

            if (pointer2 == 0)
            {
                throw new InvalidOperationException();
            }

            if (pointer1 != pointer2)
            {
                throw new InvalidOperationException();
            }

            result = memory.ReadU32(pointer1);
            return(true);
        }