/// <summary>
/// Resolves a pointer by signature-scanning the main module of the process behind
/// <c>hMemory</c>: locates an anchor byte pattern, searches for a <c>48 8B 05</c> sequence
/// starting 3000 bytes past that anchor, and reads the pointer stored at the address the
/// matched instruction refers to.
/// </summary>
/// <returns>The pointer-sized value read from the resolved address.</returns>
private static IntPtr FindGengine()
{
    // 48 8B 05 <disp32> is the x86-64 encoding of "mov rax, [rip+disp32]": 7 bytes long,
    // with the signed 32-bit displacement stored after the 3 opcode/ModRM bytes.
    const int movLength = 7;
    const int displacementStart = 3;
    const int searchSkip = 3000;

    var scanner = hMemory.GetPatternManager();
    var moduleBase = hMemory.ProcessMemory.MainModule.BaseAddress;

    // Constructed but never used below; kept because the constructor's side effects are not visible here.
    var pageManager = new PageManager(hMemory);

    // Anchor signature ("??" bytes are wildcards).
    // NOTE(review): the result is not checked before use; what FindPattern returns on a miss
    // is not visible in this block - confirm and handle it.
    var anchor = scanner.FindPattern(
        moduleBase,
        "?? ?? ?? ?? 48 8B 88 ?? ?? 00 00 48 85 C9 74 ?? 48 8B 49 ?? 48 85 C9");

    // Look for the mov from a fixed distance past the anchor.
    // NOTE(review): a 3-byte signature is short and the 3000-byte skip is a magic number, so the
    // match presumably depends on the exact build of the target module - verify.
    var searchStart = anchor + searchSkip;
    var movAddress = scanner.FindPatternCBase(
        searchStart,
        PatternManager.ParsePattern("48 8B 05").ToArray());

    // Pull the disp32 out of the instruction bytes.
    var instructionBytes = hMemory.ReadBytes(movAddress, movLength);
    var displacementBytes = instructionBytes.Skip(displacementStart).ToArray();
    var displacement = BitConverter.ToInt32(displacementBytes, 0);

    // RIP-relative target = instruction address + displacement + instruction length.
    var slotAddress = movAddress + displacement + movLength;

    // The slot holds the pointer this method returns.
    var resolved = hMemory.Read<IntPtr>(slotAddress);
    return resolved;
}
/// <summary>
/// Heuristic search for the name-table region: enumerates the memory regions of the process
/// behind <c>hMemory</c>, keeps those that are exactly 0x40000 bytes and PAGE_READWRITE, and
/// of those keeps the ones whose first 32 bytes contain the bytes <c>4E 6F 6E 65 00</c>
/// (ASCII "None" followed by a NUL). The base address chosen is handed to
/// <c>GNameParsing</c>.
/// </summary>
private static void FindGnameHard()
{
    const string noneSignature = "4E 6F 6E 65 00";
    const int headerBytes = 32;

    ulong found = 0;
    var scanner = hMemory.GetPatternManager();
    var pageManager = new PageManager(hMemory);

    // Stage 1: filter regions on size and protection only.
    var sizedPages = pageManager
        .GetAllPages()
        .Where(page => page.RegionSize == 0x40000
                       && page.Protect == (int)AllocationProtect.PAGE_READWRITE)
        .ToList();

    // Stage 2: keep regions whose first bytes contain the "None\0" marker.
    var markedPages = sizedPages
        .Where((MEMORY_BASIC_INFORMATION page) =>
        {
            var header = hMemory.ReadBytes((IntPtr)page.BaseAddress, headerBytes);
            var hit = scanner.FindPatternBuff(header, PatternManager.ParsePattern(noneSignature).ToArray());
            return hit != 0;
        })
        .ToList();

    // Only an unambiguous single match is accepted.
    if (markedPages.Count == 1)
    {
        found = markedPages[0].BaseAddress;
    }

    // NOTE(review): when zero or several regions match, found is still 0 here, yet the scan
    // below and GNameParsing both run with that value. Whether they tolerate address 0 is not
    // visible in this block - confirm, or return early on the no-match case.
    // The result of this scan is never read afterwards.
    var realBase = scanner.FindPatternCBase((IntPtr)found, PatternManager.ParsePattern(noneSignature).ToArray());

    GNameParsing(found);
}
/// <summary>
/// Reads the chunked name table of the process behind <c>SigScanInstance</c> and appends one
/// <c>FNameEntity</c> per slot to <c>Gnames</c>. The offset of the name string inside an entry
/// is derived from the distance between the "None" and "ByteProperty" strings found from
/// <c>G_GnamePtr</c>.
/// </summary>
/// <param name="address">
/// Not read by this method; the scans start at <c>G_GnamePtr</c>. The commented-out C++ code
/// this was ported from used it as the chunk-table address.
/// </param>
/// <returns>Always <c>true</c>; failures are not reported through the return value.</returns>
public bool ReadGnameArray(ulong address)
{
    const string noneSignature = "4E 6F 6E 65 00";                                 // "None\0"
    const string bytePropertySignature = "42 79 74 65 50 72 6F 70 65 72 74 79 00"; // "ByteProperty\0"
    const int maxChunkPointers = 30;

    var pointerSize = IntPtr.Size;

    // Work out where the ANSI name sits inside an entry.
    // NOTE(review): neither scan result is checked, and the "- 4" presumably accounts for the
    // fields of the second entry that precede its string - confirm against the entry layout.
    var noneHit = this.SigScanInstance.GetPatternManager()
        .FindPatternCBase((IntPtr)G_GnamePtr, PatternManager.ParsePattern(noneSignature).ToArray());
    var bytePropertyHit = this.SigScanInstance.GetPatternManager()
        .FindPatternCBase((IntPtr)G_GnamePtr, PatternManager.ParsePattern(bytePropertySignature).ToArray());
    var NameOffset = (bytePropertyHit.ToInt64() - noneHit.ToInt64()) - 4;

    // Allocation base of the region that contains the first entry.
    var chunkTableBase = new PageManager(SigScanInstance)[noneHit - (int)NameOffset].AllocationBase;

    // Collect the chunk pointers: at most 30 slots, stopping at the first null one.
    // The C++ original called IsValidAddress here; this port only rejects a zero pointer.
    var chunkPointers = new IntPtr[0].ToList();
    for (var slot = 0; slot < maxChunkPointers; ++slot)
    {
        var slotOffset = pointerSize * slot;
        var chunkPointer = SigScanInstance.Read<IntPtr>((IntPtr)(chunkTableBase + (ulong)slotOffset));
        if (chunkPointer.ToInt64() == 0)
        {
            break;
        }

        chunkPointers.Add(chunkPointer);
    }

    // Dump every slot of every chunk.
    var nextIndex = 1;
    foreach (var chunkPointer in chunkPointers)
    {
        for (var entrySlot = 0; entrySlot < chunkCount; ++entrySlot)
        {
            var entry = new FNameEntity();
            var entryOffset = pointerSize * entrySlot;
            var entryAddress = SigScanInstance.Read<IntPtr>(chunkPointer + entryOffset);

            // NOTE(review): the C++ original skipped invalid entry addresses by pushing an empty
            // item; here entryAddress is used unchecked, so a null or stale pointer is passed
            // straight to ReadString. How ReadString behaves on such an address is not visible here.
            // Indices are assigned 1, 2, 3, ...; the old comment described "0 .. 2 .. 4 .. 6" - confirm.
            entry.Index = (ulong)nextIndex;
            entry.AnsiName = this.SigScanInstance.ReadString(entryAddress + (int)NameOffset);

            Gnames.Add(entry);
            ++nextIndex;
        }
    }

    return true;
}