Issue pulling the offset from a pattern

  1. #1
    Tanaris4's Avatar Contributor Authenticator enabled
    Reputation
    148
    Join Date
    Oct 2008
    Posts
    646
    Thanks G/R
    0/0
    Trade Feedback
    0 (0%)
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    Issue pulling the offset from a pattern

    So I finally have my code correctly finding a given pattern w/a mask from memory. See here:
    tanaris4 private pastebin - collaborative debugging tool

    My issue is I'm not able to pull the actual offset out, I thought it was as simple as returning it similar to what has been posted elsewhere in the forums. I know for a fact I'm screwing up some fundamental C programming crap here, but I'm lost as to figuring it out.

    Anyone have any ideas?
    Code:
    return (unsigned long)(dw_Address+i);
    in theory should be the offset, but it's not. What am I missing here?

    Thanks so much!

    Edit: I think it's obvious, but dw_Address is the raw bytes in memory (I pull the data from memory + malloc ReturnedBuffer)

  2. #2
    Apoc's Avatar Angry Penguin
    Shouldn't you be returning startAddress+i?

  3. #3
    Tanaris4's Avatar Contributor Authenticator enabled
    Originally Posted by Apoc View Post
    Shouldn't you be returning startAddress+i?
    That is just a "helper", as the dw_address doesn't start at 0; it starts at like 0x1000 (just based on how I'm reading the memory from wow).

    But yes the actual start of what I'm scanning for is at startAddress+i (including the xxx before the ???).

    So in the above instance startAddress+i is 0x1F3927, which is:

    And I need it to return 0xB9BEE0 vs. where the code was found

    Full source here (although I think you only need the above): http://code.google.com/p/pocketgnome...c=svn116&r=116

    Thanks again, really appreciate it, SOOO close to getting this functional :-)
    Last edited by Tanaris4; 09-22-2009 at 03:08 PM.

  4. #4
    Apoc's Avatar Angry Penguin
    Code:
    // Compare one window of memory against the pattern: an 'x' in szMask means the
    // byte must equal the pattern byte, any other mask character (e.g. '?') is a wildcard.
    BOOL bDataCompare(const unsigned char* pData, const unsigned char* bMask, const char* szMask)
    {
            for(;*szMask;++szMask,++pData,++bMask){
                    if(*szMask=='x' && *pData!=*bMask ){
                            return false;
                    }
            }
            return /*(*szMask) == 0;*/ true;
    }

  5. #5
    Tanaris4's Avatar Contributor Authenticator enabled
    Originally Posted by Apoc View Post
    Code:
    BOOL bDataCompare(const unsigned char* pData, const unsigned char* bMask, const char* szMask)
    {
            for(;*szMask;++szMask,++pData,++bMask){
                    if(*szMask=='x' && *pData!=*bMask ){
                            return false;
                    }
            }
            return /*(*szMask) == 0;*/ true;
    }
    That function is actually working correctly, so no change is needed there. I'm able to find the exact address of where my pattern with mask STARTS, just not able to find out where the offset is within that - does that make sense?

    Edit: More clarification: (dw_Address+i) is actually the start of the pattern, so it's \x8B\x75\x10 etc... (it's the raw bytes)
    Last edited by Tanaris4; 09-22-2009 at 03:23 PM.

  6. #6
    Tanaris4's Avatar Contributor Authenticator enabled
    Modifying findPattern to: tanaris4 private pastebin - collaborative debugging tool

    Will actually print out the offset for me (backwards) - Obviously I can reverse the loop to store it correctly, but I still feel like I'm missing something simple here

  7. #7
    MaiN's Avatar Elite User
    Originally Posted by Tanaris4 View Post
    Modifying findPattern to: tanaris4 private pastebin - collaborative debugging tool

    Will actually print out the offset for me (backwards) - Obviously I can reverse the loop to store it correctly, but I still feel like I'm missing something simple here
    Aren't the addresses in memory simply stored as little-endian (or something)?
    [16:15:41] Cypher: caus the CPU is a dick
    [16:16:07] kynox: CPU is mad
    [16:16:15] Cypher: CPU is all like
    [16:16:16] Cypher: whatever, i do what i want

  8. #8
    Tanaris4's Avatar Contributor Authenticator enabled
    OK figured it out, but this has to be HORRIBLY inefficient:

    Code:
    unsigned long dwFindPattern( unsigned char *bMask,char * szMask, Byte*dw_Address, unsigned long dw_Len, unsigned long startAddressOffset )
    {
    	unsigned long i;
    	unsigned long patLen = strlen(szMask);	// bound the scan so bDataCompare never reads past dw_Address+dw_Len
    	for(i=0; i + patLen <= dw_Len; i++)
    		if( bDataCompare( (unsigned char*)( dw_Address+i ),bMask,szMask) ){
    			PGLog(@"Found signature at 0x%lX ", i + startAddressOffset);
    			
    			// Walk the mask to the end of the first run of '?' bytes; pData ends up one past that run
    			const unsigned char* pData = (unsigned char*)( dw_Address+i );
    			unsigned long j = 0;	// number of '?' bytes in the run
    			for ( ;*szMask;++szMask,++pData){
    				if ( j && *szMask == 'x' ){
    					break;
    				}
    				if ( *szMask == '?' ){
    					j++;
    				}
    			}
    				
    			// Read the j wildcard bytes back to front: x86 stores the value little-endian,
    			// so the highest-addressed byte is the most significant one
    			unsigned long offset = 0, k;
    			for (k=0;j>0;j--,k++){
    				--pData;
    				offset <<= 8;  
    				offset ^= (long)*pData & 0xFF;   
    			}
    			
    			PGLog(@"Offset: 0x%lX", offset);
    			
    			return offset;
    		}
    	return 0;
    }
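The thread separates two things that are easy to conflate: the address at which a masked byte pattern is found, and the value encoded in the wildcard bytes of that match, which on x86 is stored little-endian (the reason the loop in post #6 printed it "backwards"). The following is an added example, not code from this thread or from the PocketGnome project: a standalone C scanner with a bounds-checked search (the window never reads past the end of the buffer, unlike a plain `i < dw_Len` loop) and a general wildcard decoder that handles a `?` run of any length up to 8 bytes. The function names (`find_pattern`, `wildcard_le_value`, `sample_offset`) and the `sample_memory` bytes are constructed for illustration; the bytes merely reuse the `8B 75 10` prefix and the 0xB9BEE0 value quoted in the thread.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Compare one window of memory against a byte pattern.
 * mask[k] == 'x' means pattern[k] must match; '?' means wildcard. */
static bool data_compare(const uint8_t *data, const uint8_t *pattern, const char *mask)
{
    for (; *mask; ++mask, ++data, ++pattern) {
        if (*mask == 'x' && *data != *pattern)
            return false;
    }
    return true;
}

/* Scan buf[0..len) for pattern/mask. Returns the index of the first match,
 * or -1 if none. The bound i + pat_len <= len keeps every compared window
 * inside the buffer; a "for (i = 0; i < len; i++)" loop would over-read. */
long find_pattern(const uint8_t *buf, size_t len, const uint8_t *pattern, const char *mask)
{
    size_t pat_len = strlen(mask);
    if (pat_len == 0 || pat_len > len)
        return -1;
    for (size_t i = 0; i + pat_len <= len; i++) {
        if (data_compare(buf + i, pattern, mask))
            return (long)i;
    }
    return -1;
}

/* Decode the first run of '?' bytes in a matched window as a little-endian
 * unsigned integer (x86 stores immediates and displacements this way).
 * *run_len receives the run length; returns 0 with *run_len = 0 if there is
 * no run or the run is longer than 8 bytes. */
uint64_t wildcard_le_value(const uint8_t *match, const char *mask, size_t *run_len)
{
    size_t start = 0;
    while (mask[start] && mask[start] != '?')
        start++;
    size_t n = 0;
    while (mask[start + n] == '?')
        n++;
    if (n == 0 || n > 8) { *run_len = 0; return 0; }
    /* Assemble from the highest-addressed byte down: each byte already read is
     * shifted left before the next, lower-addressed byte is OR-ed in, so the
     * byte at the lowest address ends up least significant. */
    uint64_t value = 0;
    for (size_t k = n; k-- > 0;)
        value = (value << 8) | match[start + k];
    *run_len = n;
    return value;
}

/* Constructed sample (hypothetical, not a real dump): filler, three fixed
 * opcode bytes, a 4-byte little-endian operand E0 BE B9 00 (= 0x00B9BEE0),
 * and more filler. */
static const uint8_t sample_memory[] = {
    0x90, 0x90, 0x55, 0x8B, 0xEC,
    0x8B, 0x75, 0x10, 0xE0, 0xBE, 0xB9, 0x00,
    0xC3, 0x90
};
static const uint8_t sample_pattern[] = { 0x8B, 0x75, 0x10, 0x00, 0x00, 0x00, 0x00 };
static const char    sample_mask[]    = "xxx????";

/* Returns the operand decoded from the sample match, or 0 if the pattern is absent. */
uint64_t sample_offset(void)
{
    long at = find_pattern(sample_memory, sizeof sample_memory, sample_pattern, sample_mask);
    if (at < 0)
        return 0;
    size_t n;
    return wildcard_le_value(sample_memory + at, sample_mask, &n);
}

int main(void)
{
    long at = find_pattern(sample_memory, sizeof sample_memory, sample_pattern, sample_mask);
    size_t n = 0;
    uint64_t v = at < 0 ? 0 : wildcard_le_value(sample_memory + at, sample_mask, &n);
    printf("pattern at index %ld, %zu-byte operand = 0x%llX\n", at, n, (unsigned long long)v);
    return 0;
}
```

The match index (here 5) is what `startAddress+i` gives in the thread; adding the base address of the region that was read turns it into the location in the target process. The operand (0xB9BEE0) is a separate value read out of the wildcard bytes, and decoding it from the highest address downward is what makes the little-endian storage come out in the natural order.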
