Esempio n. 1
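        /// <summary>
        /// Scans the running "tera" process for code that loads eight 32-bit immediates with
        /// consecutive <c>mov</c> instructions and reports them as key/IV candidates.
        /// </summary>
        /// <remarks>
        /// Only committed regions protected as execute-read-write are read. Inside each region the
        /// scan looks for a run of at least five 0xCC bytes (the int3 opcode, commonly used as
        /// padding between functions), skips the rest of the run and disassembles up to 300 bytes
        /// as 32-bit x86 until the next <c>int3</c>.
        /// The approach works only because the target keeps this material as immediate operands in
        /// executable memory, where any process permitted to read that memory can recover it.
        /// </remarks>
        /// <returns>
        /// Tuples of (key, IV, score), best score first. Key and IV are each four space-separated
        /// groups of hex digits; score is the number of hex digits other than '0' and 'F'.
        /// Candidates scoring below 32 are dropped.
        /// </returns>
        /// <exception cref="ApplicationException">No process named "tera" is running.</exception>
        /// <exception cref="InvalidOperationException">More than one process named "tera" is running.</exception>
        public static List<Tuple<string, string, int>> Find()
        {
            var candidates = new List<Tuple<string, string, int>>();

            var process = Process.GetProcessesByName("tera").SingleOrDefault();
            if (process == null)
                throw new ApplicationException("Tera doesn't run");

            using (var memoryScanner = new MemoryScanner(process))
            {
                var relevantRegions = memoryScanner.MemoryRegions()
                    .Where(x => x.State == MemoryScanner.PageState.Commit
                             && x.Protect == MemoryScanner.PageFlags.ExecuteReadWrite);

                foreach (var memoryRegion in relevantRegions)
                {
                    var data = memoryScanner.ReadMemory(memoryRegion.BaseAddress, memoryRegion.RegionSize);
                    var dataSlice = new byte[300];

                    // NOTE(review): presumably Stringify maps each byte to one char, so offsets in
                    // `s` can be used directly as offsets into `data` - confirm against the helper.
                    var s = Stringify(data);
                    var index = 0;
                    while ((index = s.IndexOf("\x00CC\x00CC\x00CC\x00CC\x00CC", index, StringComparison.Ordinal)) >= 0)
                    {
                        index++;

                        // Skip the rest of the padding run. The bounds check matters: a region that
                        // ends in 0xCC bytes used to index past the end of `data`, and because this
                        // loop sits outside the try block the exception aborted the whole scan.
                        while (index < data.Length && data[index] == 0xCC)
                            index++;
                        if (index >= data.Length)
                            break;

                        // The slice buffer is reused for every hit, so zero whatever a short copy
                        // leaves behind; otherwise bytes from an earlier hit would be disassembled
                        // as if they belonged to this one.
                        var copied = Math.Min(data.Length - index, dataSlice.Length);
                        Array.Copy(data, index, dataSlice, 0, copied);
                        Array.Clear(dataSlice, copied, dataSlice.Length - copied);

                        var disasm = new Disassembler(dataSlice, ArchitectureMode.x86_32, (ulong)memoryRegion.BaseAddress + (uint)index, true);
                        try
                        {
                            var instructions = disasm.Disassemble().TakeWhile(x => x.Mnemonic != ud_mnemonic_code.UD_Iint3);

                            // Collect consecutive movs; the first non-mov instruction ends the run
                            // and triggers its evaluation.
                            var movs = new List<Instruction>();
                            foreach (var instruction in instructions)
                            {
                                if (instruction.Mnemonic == ud_mnemonic_code.UD_Imov)
                                {
                                    movs.Add(instruction);
                                    continue;
                                }

                                var matches = movs.Where(x => regex.IsMatch(x.ToString())).ToList();
                                if (matches.Count == 8)
                                {
                                    // Eight source operands rendered as hex groups joined by spaces.
                                    // The offsets below assume GetBytes yields four bytes per value
                                    // (eight hex digits per group) - TODO confirm.
                                    var keyIv = string.Join(" ", matches.Select(x => x.Operands[1].Value).Select(x => BitConverter.ToString(GetBytes((uint)x)).Replace("-", "")));
                                    var interestingChars = keyIv.Count(c => !"0F ".Contains(c));
                                    var key = keyIv.Substring(0, 32 + 3);
                                    var iv = keyIv.Substring(32 + 4, 32 + 3);

                                    candidates.Add(Tuple.Create(key, iv, interestingChars));
                                }
                                movs.Clear();
                            }
                        }
                        catch (IndexOutOfRangeException)
                        {
                            // Deliberately best-effort: a site that cannot be decoded is skipped so
                            // the scan continues with the next hit.
                            // NOTE(review): presumably raised by the disassembler or by operand
                            // indexing on truncated input - confirm, and consider logging it.
                        }
                    }
                }
            }

            // Filtering before sorting yields the same list; the sort is stable either way.
            return candidates.Where(t => t.Item3 >= 32).OrderByDescending(t => t.Item3).ToList();
        }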
Esempio n. 2
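        /// <summary>
        /// Reads the executable, writable memory of the running "tera" process and returns
        /// key/IV candidates recovered from runs of eight matching <c>mov</c> instructions.
        /// </summary>
        /// <remarks>
        /// Regions must be committed and protected as execute-read-write. Each run of five or more
        /// 0xCC bytes (int3, commonly inter-function padding) marks a place to start decoding: up
        /// to 300 bytes after the run are disassembled as 32-bit x86 until the next <c>int3</c>.
        /// Recovery is possible because the values sit in code as immediate operands, readable by
        /// any process that is allowed to read the target's memory.
        /// </remarks>
        /// <returns>
        /// (key, IV, score) tuples ordered by descending score, limited to scores of 32 or more.
        /// The score counts hex digits in the combined text that are neither '0' nor 'F'.
        /// </returns>
        /// <exception cref="ApplicationException">No process named "tera" was found.</exception>
        /// <exception cref="InvalidOperationException">Several processes named "tera" were found.</exception>
        public static List<Tuple<string, string, int>> Find()
        {
            var candidates = new List<Tuple<string, string, int>>();

            var process = Process.GetProcessesByName("tera").SingleOrDefault();

            if (process == null)
            {
                throw new ApplicationException("Tera doesn't run");
            }
            using (var memoryScanner = new MemoryScanner(process))
            {
                var memoryRegions   = memoryScanner.MemoryRegions();
                var relevantRegions = memoryRegions.Where(x => x.State == MemoryScanner.PageState.Commit && x.Protect == MemoryScanner.PageFlags.ExecuteReadWrite);
                foreach (var memoryRegion in relevantRegions)
                {
                    var data      = memoryScanner.ReadMemory(memoryRegion.BaseAddress, memoryRegion.RegionSize);
                    var dataSlice = new byte[300];
                    // NOTE(review): the code treats offsets in `s` and `data` as interchangeable,
                    // so Stringify presumably emits one char per byte - verify.
                    var s         = Stringify(data);
                    var index     = 0;
                    while ((index = s.IndexOf("\x00CC\x00CC\x00CC\x00CC\x00CC", index, StringComparison.Ordinal)) >= 0)
                    {
                        index++;
                        // Bounded skip over the remaining padding. Without the length check a
                        // region ending in 0xCC threw IndexOutOfRangeException here, outside the
                        // try block, and ended the scan for every remaining region.
                        while (index < data.Length && data[index] == 0xCC)
                        {
                            index++;
                        }
                        if (index >= data.Length)
                        {
                            break;
                        }

                        // dataSlice is shared across hits: clear the tail after a short copy so
                        // stale bytes from a previous hit are never decoded.
                        var copied = Math.Min(data.Length - index, dataSlice.Length);
                        Array.Copy(data, index, dataSlice, 0, copied);
                        if (copied < dataSlice.Length)
                        {
                            Array.Clear(dataSlice, copied, dataSlice.Length - copied);
                        }

                        var disasm = new Disassembler(dataSlice, ArchitectureMode.x86_32, (ulong)memoryRegion.BaseAddress + (uint)index, true);
                        try
                        {
                            var instructions = disasm.Disassemble().TakeWhile(x => x.Mnemonic != ud_mnemonic_code.UD_Iint3);

                            var movs = new List<Instruction>();
                            foreach (var instruction in instructions)
                            {
                                if (instruction.Mnemonic == ud_mnemonic_code.UD_Imov)
                                {
                                    movs.Add(instruction);
                                }
                                else
                                {
                                    // A non-mov closes the current run; evaluate it, then reset.
                                    var matches = movs.Where(x => regex.IsMatch(x.ToString())).ToList();
                                    if (matches.Count == 8)
                                    {
                                        // Source operands as hex groups separated by spaces. The
                                        // split offsets assume eight hex digits per group, i.e.
                                        // GetBytes returning four bytes - TODO confirm.
                                        var keyIv            = string.Join(" ", matches.Select(x => x.Operands[1].Value).Select(x => BitConverter.ToString(GetBytes((uint)x)).Replace("-", "")));
                                        var interestingChars = keyIv.Count(c => !"0F ".Contains(c));
                                        var key = keyIv.Substring(0, 32 + 3);
                                        var iv  = keyIv.Substring(32 + 4, 32 + 3);

                                        candidates.Add(Tuple.Create(key, iv, interestingChars));
                                    }
                                    movs.Clear();
                                }
                            }
                        }
                        catch (IndexOutOfRangeException)
                        {
                            // Intentionally ignored so one undecodable site does not stop the scan.
                            // NOTE(review): the source of this exception is not visible here
                            // (disassembler or operand indexing, presumably) - confirm.
                        }
                    }
                }
            }
            var candidatesByQuality = candidates.OrderByDescending(t => t.Item3).Where(t => t.Item3 >= 32).ToList();

            return candidatesByQuality;
        }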
Esempio n. 3
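        /// <summary>
        /// Scans the executable memory of the running "tera" process (32- or 64-bit) for a byte
        /// pattern and returns key/IV candidates taken from eight <c>mov</c> instructions that
        /// follow it.
        /// </summary>
        /// <remarks>
        /// Committed regions protected as execute-read-write or execute-read are searched with
        /// <c>_pattern64</c> or <c>_pattern32</c>, chosen by the target's bitness. Up to 300 bytes
        /// after each hit are disassembled until a decode error or an <c>int3</c>. A <c>mov</c> is
        /// collected when its destination operand is based on R11 (64-bit) or EBP (32-bit).
        /// Recovery is possible because the values sit in code as immediate operands, readable by
        /// any process that is allowed to read the target's memory.
        /// </remarks>
        /// <returns>
        /// (key, IV, score) tuples ordered by descending score, limited to scores of 32 or more.
        /// The score counts hex digits in the combined text that are neither '0' nor 'F'.
        /// </returns>
        /// <exception cref="ApplicationException">No process named "tera" was found.</exception>
        /// <exception cref="InvalidOperationException">Several processes named "tera" were found.</exception>
        public static List<Tuple<string, string, int>> Find()
        {
            var candidates = new List<Tuple<string, string, int>>();

            var process = Process.GetProcessesByName("tera").SingleOrDefault();

            if (process == null)
            {
                throw new ApplicationException("Tera is not runing");
            }
            using (var memoryScanner = new MemoryScanner(process))
            {
                bool x64 = memoryScanner.Is64Bit();

                // Both depend only on the target's bitness, so resolve them once.
                var mode         = x64 ? ArchitectureMode.x86_64 : ArchitectureMode.x86_32;
                var expectedBase = x64 ? ud_type.UD_R_R11 : ud_type.UD_R_EBP;

                var memoryRegions   = memoryScanner.MemoryRegions();
                var relevantRegions = memoryRegions.Where(x => x.State == MemoryScanner.PageState.Commit && (x.Protect == MemoryScanner.PageFlags.ExecuteReadWrite || x.Protect == MemoryScanner.PageFlags.ExecuteRead));
                foreach (var memoryRegion in relevantRegions)
                {
                    var data      = memoryScanner.ReadMemory(memoryRegion.BaseAddress, (int)memoryRegion.RegionSize);
                    var searcher  = x64 ? new BoyerMoore(_pattern64) : new BoyerMoore(_pattern32);
                    var dataSlice = new byte[300];
                    var index     = 0;
                    while ((index = searcher.Search(data, index)) >= 0)
                    {
                        // Step past the match start so the next search makes progress.
                        index++;
                        if (index >= data.Length)
                        {
                            break;
                        }

                        // dataSlice is shared across hits: clear the tail after a short copy so
                        // stale bytes from a previous hit are never decoded.
                        var copied = Math.Min(data.Length - index, dataSlice.Length);
                        Array.Copy(data, index, dataSlice, 0, copied);
                        if (copied < dataSlice.Length)
                        {
                            Array.Clear(dataSlice, copied, dataSlice.Length - copied);
                        }

                        var disasm = new Disassembler(dataSlice, mode, (ulong)memoryRegion.BaseAddress + (uint)index, true);
                        try
                        {
                            var instructions = disasm.Disassemble().TakeWhile(x => !x.Error && x.Mnemonic != ud_mnemonic_code.UD_Iint3);

                            var movs = new List<Instruction>();
                            foreach (var instruction in instructions)
                            {
                                // The original condition `mov && x64 ? r11 : ebp` parsed as
                                // `(mov && x64) ? r11 : ebp`, so in 32-bit mode the mnemonic was
                                // never checked and any EBP-based instruction was collected.
                                if (instruction.Mnemonic == ud_mnemonic_code.UD_Imov && instruction.Operands[0].Base == expectedBase)
                                {
                                    movs.Add(instruction);
                                }
                                else
                                {
                                    // NOTE(review): a run that is not exactly eight long is kept
                                    // rather than cleared, so matches may accumulate across other
                                    // instructions - confirm that this is intended.
                                    if (movs.Count == 8)
                                    {
                                        // Source operands as hex groups separated by spaces. The
                                        // split offsets assume eight hex digits per group, i.e.
                                        // GetBytes returning four bytes - TODO confirm.
                                        var keyIv            = string.Join(" ", movs.Select(x => x.Operands[1].Value).Select(x => BitConverter.ToString(GetBytes((uint)x)).Replace("-", "")));
                                        var interestingChars = keyIv.Count(c => !"0F ".Contains(c));
                                        var key = keyIv.Substring(0, 32 + 3);
                                        var iv  = keyIv.Substring(32 + 4, 32 + 3);

                                        candidates.Add(Tuple.Create(key, iv, interestingChars));
                                        movs.Clear();
                                        break;
                                    }
                                }
                            }
                        }
                        catch (IndexOutOfRangeException)
                        {
                            // Intentionally ignored so one undecodable site does not stop the scan.
                            // NOTE(review): the source of this exception is not visible here
                            // (disassembler or operand indexing, presumably) - confirm.
                        }
                    }
                }
            }
            var candidatesByQuality = candidates.OrderByDescending(t => t.Item3).Where(t => t.Item3 >= 32).ToList();

            return candidatesByQuality;
        }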