Some Questions about Find Pattern menu

  1. #1
    enteleky (Member)

    Some Questions about Find Pattern

    I am looking into making a Find Pattern function for Mac OS and I was wondering if someone can give me a good idea how it works. I have looked at the source for WoWX but I don't really get it. Thanks.

  2. #2
    Xarg0 (Member)
    Well, the find pattern function does a search for a binary pattern. You could just take it as it is and port it to Mac, but you'll certainly need to build your own search patterns.
    All you'll need in order to build a search pattern is a binary string inside the target function that is unlikely to change after a patch. Memory addresses will change with every patch, but find pattern offers you the ability to ignore a certain number of bytes in the search string, so you can use code with addresses in it to build a pattern: simply copy the bytes and X out the address bytes in the search mask. A search mask contains an x for every byte in the string you want to check and a ? for every byte you want to ignore, pretty simple :-)

  3. #3
    hypnodok (Member)
    First of all, this is how dwFindPattern is implemented codewise (credit where credit is due):
    Code:
    #include <windows.h>   // BYTE, DWORD
    #include <cstring>     // strlen

    // Compare the bytes at pData with bMask; szMask says which bytes count:
    // 'x' = must match, '?' = ignored. True only if every 'x' byte matched.
    bool bDataCompare(const BYTE* pData, const BYTE* bMask, const char* szMask)
    {
        for(;*szMask;++szMask,++pData,++bMask)
            if(*szMask=='x' && *pData!=*bMask )
                return false;
        return *szMask == '\0';
    }

    // Scan dwLen bytes from dwAddress for the masked pattern; returns the address
    // of the first match, or 0. The loop stops one pattern length before the end
    // so bDataCompare never reads past dwAddress+dwLen.
    DWORD dwFindPattern(DWORD dwAddress,DWORD dwLen,BYTE *bMask,char * szMask)
    {
        DWORD dwMaskLen = (DWORD)strlen(szMask);
        if(dwMaskLen == 0 || dwMaskLen > dwLen)
            return 0;
        for(DWORD i=0; i <= dwLen - dwMaskLen; i++)
            if( bDataCompare( (BYTE*)( dwAddress+i ),bMask,szMask) )
                return (DWORD)(dwAddress+i);

        return 0;
    }
    Let's assume you have identified a static address that contains relevant information (.data:012EF7A0 TlsIndex in this example). Here's a snippet from the code section inside WoW:
    Code:
    .text:0046BA53                 mov     eax, TlsIndex
    .text:0046BA58                 mov     eax, [ecx+eax*4]
    .text:0046BA5B                 mov     ecx, [eax+8]
    .text:0046BA61                 mov     edx, [ebp+arg_0]
    .text:0046BA64                 cmp     edx, ecx
    The same snippet in Hex-View
    Code:
    .text:0046BA50  00 00 00 A1 A0 F7 2E 01  8B 04 81 8B 88 08 00 00
    .text:0046BA60  00 8B 55 08 3B D1 74 0C  89 0D E4 60 01 01 89 90
    The code starts at 0046BA53 and ends at 0046BA64 so the assembled version of the snippet above would be (I might be off by one byte)
    Code:
    A1         (mov eax)
    A0 F7 2E 01     (012EF7A0)
    8B 04 81 8B 88 08 00 00 00 8B 55 08 3B (all the rest)
    In this snippet, the only thing that will likely change every patch is the address of TLSIndex (012EF7A0), everything else is statically assembled.
    The FindPattern for TLSIndex would look like this:
    Code:
    // start address, length to scan, byte string, mask ('?' = ignore that byte)
    DWORD address = dwFindPattern(0x40000,0x800000,(BYTE*)"\xA1\xA0\xF7\x2E\x01\x8B\x04\x81\x8B\x88\x08\x00\x00\x00\x8B\x55\x08\x3B","x????xxxxxxxxxxxxx");
    address += 0x1;   // skip the A1 opcode so address points at the TlsIndex operand
    The first parameter is where to start searching; ideally this would be the program's start address. Param2 is the size of the memory to be searched; ideally this would be the program's total size in memory.
    For this example I just assumed two values.
    Param3 is the byte-string we previously extracted, Param4 tells the function which parts in the byte-string to ignore (a '?' means ignore it).
    Lastly we add 1 to the address it returns because it would point to the beginning of the byte-string, which in this case is not the address we're looking for (I'm actually not very sure on this part, but I think it would return an address that points to 0xA1, so adding 0x1 makes it point to TLSIndex).
    Hopefully this gave you an idea of how FindPattern works. I haven't actually implemented this into any of my programs yet, so I might be wrong on some parts. Please do correct me if I'm wrong.
    Last edited by hypnodok; 01-10-2009 at 08:01 AM.
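As an added example (not code from this thread or from WoWX): a bounds-checked C version of the masked search from post #3, plus a small parser that builds the byte string and the mask from an IDA-style "A1 ?? ?? ?? ?? 8B 04 81 ..." string, so the 'x's in the mask never have to be counted by hand (the point of posts #2 and #5). It runs over a byte array constructed from the Hex-View above and pulls out the TlsIndex address 012EF7A0, which shows why the returned address needs the +1. The function names are mine and the buffer stands in for the process memory a real scanner would read.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* dwFindPattern's masked compare over an explicit buffer + length, so it never reads
 * past the region. 'x' = must match, '?' = wildcard. Offset of first match, else -1. */
long find_pattern(const uint8_t *buf, size_t len, const uint8_t *pat, const char *mask)
{
    size_t n = strlen(mask);
    if (n == 0 || n > len) return -1;            /* empty, or longer than region */
    for (size_t i = 0; i + n <= len; i++) {
        size_t k = 0;
        while (k < n && (mask[k] == '?' || buf[i + k] == pat[k])) k++;
        if (k == n) return (long)i;
    }
    return -1;
}

/* Turn an IDA-style string such as "A1 ?? ?? ?? ?? 8B 04 81" into pat + mask, so
 * nobody counts 'x's by hand. pat needs cap bytes, mask cap + 1. 0 = malformed. */
size_t parse_pattern(const char *s, uint8_t *pat, char *mask, size_t cap)
{
    size_t n = 0; unsigned v;
    for (; *s; s += 2, n++) {
        while (*s == ' ') s++;
        if (!*s) break;
        if (n >= cap || !s[1]) return 0;
        if (s[0] == '?' && s[1] == '?') { pat[n] = 0; mask[n] = '?'; continue; }
        if (sscanf(s, "%2x", &v) != 1) return 0;  /* not a hex byte */
        pat[n] = (uint8_t)v; mask[n] = 'x';
    }
    mask[n] = '\0';
    return n;
}

static const uint8_t CODE[32] = {   /* constructed from post #3's Hex-View at .text:0046BA50 */
    0x00,0x00,0x00,0xA1,0xA0,0xF7,0x2E,0x01,0x8B,0x04,0x81,0x8B,0x88,0x08,0x00,0x00,
    0x00,0x8B,0x55,0x08,0x3B,0xD1,0x74,0x0C,0x89,0x0D,0xE4,0x60,0x01,0x01,0x89,0x90 };

/* Operand of "mov eax, TlsIndex": the little-endian dword after the A1 opcode (the post's "+= 0x1"). */
uint32_t demo_tlsindex(void)
{
    uint8_t pat[32]; char mask[33];
    const char *ida = "A1 ?? ?? ?? ?? 8B 04 81 8B 88 08 00 00 00 8B 55 08 3B";
    long off = parse_pattern(ida, pat, mask, sizeof pat) ? find_pattern(CODE, sizeof CODE, pat, mask) : -1;
    if (off < 0) return 0;
    const uint8_t *p = CODE + off + 1;           /* skip the opcode byte */
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
```

The match lands at offset 3 (0046BA53 - 0046BA50), so offset + 1 reads A0 F7 2E 01, i.e. 0x012EF7A0.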

  4. #4
    enteleky (Member)
    Ok thank you so much that was a perfect explanation. +rep.

  5. #5
    hypnodok (Member)
    Just don't count those 'x's :P
