[C# (BlackMagic 1.1)] FindPattern - How, exactly?

[Nexilus]

Hey there!

I'm having issues getting the BlackMagic FindPattern to do my biding, probably due to not in full understanding how it works.

Say i have an integer im looking for:

77342372

Which is stored inside a UInt64, i.e:

Code:

UInt64 somenumber = 77342372;

So, i wish to find this inside some programs memory, okay so i :

Code:

// Create and instantiate 
BlackMagic app = new BlackMagic();
app.OpenProcessAndThread(SProcess.GetProcessFromProcessName("someprogram.exe"));

After which i created a string to hex function (which may be where im led astray with tutorials?)

Code:

// Little function i came up with to create the actual mask (i want all bits and bytes to match of my string, so i send in a number and get that ammount of x's hehe
        public string GetMaskedLocks(int len)
        {
            string locks = "";
            for (int i = 0; i < len; i++)
            {
                locks = locks + "x";
            }
            return locks;
        }
// Function i stole from the internets, some page somewhere dunno
        public string ConvertToHex(string asciiString)
        {
            string hex = "";
            foreach (char c in asciiString)
            {
                int tmp = c;
                hex += String.Format(" {0:x2}", (uint)System.Convert.ToUInt32(tmp.ToString()));
            }
            return hex;
        }

And lastly i try to FindPattern inside the program to find my little string:

Code:

try {
    string B_PATTERN = ConvertToHex(somenumber.ToString());
    string B_MASK = GetMaskedLocks(somenumber.ToString().Length);
    uint location = app.FindPattern(B_PATTERN, B_MASK);
}
catch {
    // However, this is where i _always_ end up, it never seems to be able to do a findpattern for me
}

So, i've tried using FindPattern this way (as per some tutorial i read out there in the aether) aswell as using CE to browse memory regions and read the bytes some piece of code uses just prior to where this variable is stored in memory, but both of them end up in the catch statement :/

Could someone be so kind as to explain what im doing wrong, and how to do it right?

Brg
Nexilus

[DarkLinux]

Create your own.. Then you will understand

This is a basic function i just coded up for you

Code:

		DWORD PatterScan(Byte Patter[], char Mask[], DWORD StartAdress)
		{

			DWORD Offset;
			Byte A;
			Byte B;
			int i;
			DWORD SizeOf = sizeof(Patter);

			if (StartAdress == 0)
				Offset = BaseAddr;
			else
				Offset = BaseAddr + StartAdress;

			for(int x=BaseAddr; x < 0xFFFFFFFF; x++, Offset++)
			{
				if (i == SizeOf)
					return (Offset-BaseAddr-i);

				ReadByte(Offset, &A);
				if(Mask[i] == '?')
					B = A;
				else 
					B = Patter[i];

				if(A == B)
					i++;
				else
					i = 0;
			}
			return 1;
		}

All you would do is send it an array for chars, aka you string and then the mask. The mask is only used if value could change.

example:

Code:

BYTE fly1x[]={0xF7,0x41,0x44,0x00,0x02,0x00,0x20,0x75,0x34,0xF7,0x41,0x44,0x00,0x00,0x10,0x01,0x75};
char fly1y[]={'x' ,'x' ,'x' ,'?' ,'?' ,'?' ,'?' ,'x' ,'?' ,'x' ,'x' ,'x' ,'?' ,'?' ,'?' ,'?' ,'x'};
DWORD AdressX[100];
AdressX[0]=0;
int x=0;
do
{
  x++;		
  AdressX[x] = wow.PatterScan(fly1x,fly1y, (AdressX[x-1]+1));
  MessageBox::Show("Fly1 Offset x:" + AdressX[x]);

}while(AdressX[x] != 1);

But you would use all X. Hope this helps.. if not.. ill try again

[Nexilus]

Hey there DarkLinux, thanks for the reply

Got a few questions here,

first off, what are you searching for in your example? According to my understanding it would be a string: "?AD??? u4?AD????u" which kinda made no sense for me, the questionmarks are due to the 0xXX not being a valid ascii character so im sure it means something else, ASM code perhaps? (some push, pop, whatnot bytecodes?)

Secondly i just thought to clarify, the while(AdressX[x] != 1) part, that's just a loop so that it loops untill the reader has reached 0xFFFFFFFF aswell as SizeOf being so small that there is no possible way to fit the match there anylonger, right?

And lastly, the way you wrote this thing up is more or less just made to spit out all the occurances in messageboxes right?

Again, thank you for taking the time

[DarkLinux]

1)
In this example im looking for a function. This function was for an old fly hack. So if you have a string in ascii just convert it into bytes. This function is from an old program that writes a string to memory, but you can change it up to write to a byte array.

Code:

String^ Buffer;

UTF8Encoding^ utf8 = gcnew UTF8Encoding;
			
// Encode the string.
array<Byte>^encodedBytes = utf8->GetBytes( Buffer );

IEnumerator^ myEnum = encodedBytes->GetEnumerator();
int i=0;
while ( myEnum->MoveNext() )
{
	Byte b = safe_cast<Byte>(myEnum->Current);

	WriteByte((DWORD)AllocateAddress+i, (Byte)b);
	i++;
}

2)
I dont really understand what your asking, but ill try
I coded that function some time back... My C++/CLR phase... Anyways, the function returns 1 if it can not find anything. If you search for a sting like " Hello" you could find 100 locations with that string. Thats why its in a loop. But if it reaches the end it will return 1 to tell the caller it could not find anything. The SizeOf int is for the function to know its reached the end of the string u sent. My new copy uses the p header so it does not read into the heap.

3)
Yes, but you could easy out put that into a file or listbox.

[Nexilus]

Thanx for the reply,

Did some mods and remade it for pure C# but so far i've been unsuccessfull in implementing it properly, did a few checks and it does start reading at the right location and "steps along" but somehow it never finds any matches.. which is weird, more or less same problem that i'm having with the BlackMagic Read stuffs :S

[DarkLinux]

Then your not converting your message into byte properly... What string are u looking for?