Findpattern Masks

[Neffarian]

Ok Basically i cant find anything, and been looking around trying to understand findpatter by just mocking other bases etc

Now for this
World of Warcraft v4.1.0.13914
FrameScript_GetTop
55 8b ec 8b 4d ?? 8b 41 ?? 2b 41 ?? c1 f8 ?? 5d c3


Is it trying to find the Chunk of data and the ?? are things that change, do the ?? store the offsets?

any resources are apprechated

Ide apprechate a non "OMFUGAHD l2LIFE"

I can refrence in ida what the specific bytes?? are in the function im trying to mask. just not sure what im doing with it : /

---------- Post added at 11:46 AM ---------- Previous post was at 11:20 AM ----------

Win
http://www.vivid-abstractions.net/do...20Scanning.htm

[Cypher]

OMFUGAHD l2LIFE

amidoinitrite?

[sitnspinlock]

lol he beat me to it ;p

but as for your post OP, WUT?

[Neffarian]

Basically trying to use cleancore. which is fail
Im trying to make a photon acelerator, when all my society knows is how to rape women and beat each other with stones.

I think cleancores byte check is broken Anyways
stay#

[_Mike]

Re that 'tutorial':
Why is it that everyone seems to be using brute force byte scanning?

[Bananenbrot]

photon acelerator

wtf? the raptor knows..

cleanCore will fail for you if you don't have the patience for reading and understanding how to use the pattern module.
Ever tried using the IModifier interface?
Did you even know that you can only use cleanCore if you are injected?
Thereby you have to be too dumb to convert it into a proper out of process implementation.

In its current implemenation, cleanCore does little more than a naive Linq query, which is really hard to screw up (and to misunderstand).

So please, if you decide to roll you own version, just do it, but don't blame other people's code to be
broken or wrong just because you don't have the knowledge to grasp it.

Edit: Everyone uses brute force because it's sufficient and not much slower in most cases. Also, I found that Boyer-Moore (as opposed to Boyer-Moore-Horspool) is a little complicated to implement with wildcards.

[Cypher]

I tried using a custom Boyer-Moore-Horspool implementation which I added wildcard support to, but std::search ended up being slightly faster anyway (no surprises their algorithm is better tuned than my naive attempt). Both beat the crap out of a brute force scan tho.

Is there no .NET equivalent?

[_Mike]

I tried using a custom Boyer-Moore-Horspool implementation which I added wildcard support to, but std::search ended up being slightly faster anyway (no surprises their algorithm is better tuned than my naive attempt). Both beat the crap out of a brute force scan tho.

Yeah I've had similar results when I tested BMH compared to dwFindPattern. One thing to note though is that you will take a performance hit if the pattern ends with wildcard(s). So add an extra static byte in that case.

But the smart thing to do imo would be to store search results somewhere and only rescan if the binary has changed since last scan so execution times shouldn't be that much of an issue. Hardly anyone seems to be doing this though from my experience. They either scan at compile time and hardcode the offsets, or scan every time.

[Bananenbrot]

@the thing with trailing wildcards: If your pattern ends or starts in wildcards, you may just simply trim your pattern.
For BMH a "worst" case is when the second before last character is a wildcard, which is still beneficial compared to a naive approach.

I wonder how you support wildcards while using std::search, Cypher? Do you split your pattern at wildcards and do partial scans?

I don't think that there is a similar algorithm like std::search in C#, simply because it has to be performant and versatile.

Most (not all) aspects of .Net's BCL favor versatility, so there comes linq at your help: See cleanPattern, it's really... clean.
When I compared the linq thing to a normal for loop, I figured out that the compiler didn't inline the lambda method (for whatever stupid reason...), so it was massively slower than the unrolled loop (in release ofc).

What else comes to my mind is abusing regex matching, but yeah... it's too versatile and therefore (probably) not performant enough for us.

That's when I would love to code with STL/boost... basic versatility AND performance by more or less heavily leveraging templates.

TLDR: I came up with my own Pattern class, with customizable algorithm interface. I persist my patterns in a special xml file where I also save the offset for each build.
I intend to share it when I have thouroughly tested it.