  1. #1
    streppel

    Searching for value in Memory

    Hey again

    so after 2 days of searching for static pointers for the looting stuff of my game and not finding anything, I got at least close to a solution for my problem.
    I know that the base address of an object has a special value and changes as soon as it isn't valid anymore, so I'd want to search in the game RAM for this value.

    I tried it with a simple for loop, reading every integer and comparing it to my value, but that's a really slow method.

    the next method I tried was to read a few bytes at once (like 512 or 1024) and search for the value inside this byte array. it was faster, but to find all the addresses I wanted (~5 or 6 at a time at different locations in memory) it still takes more time than I want to spend (maybe 5 secs, more makes it more obvious that I'm botting, no?)

    so my question would be if there is anything I missed or any hint you could give me to get the job done faster.

    I'm using C# as programming language as well as blackmagic for the reading stuff

    thanks for your help once again
    streppel


    EDIT:
    ok so I did work on this for a little time. the function itself is from a quick Google search, I changed it so it works out best on my PC (reading bigger parts of the memory at once, looking for a good middle between speed and RAM + CPU usage)
    if you need the 2 helper classes too just let me know. another Google search will bring them up in no time.
    the function takes the value you want to find as argument and returns a list of the addresses where this value was found.
    you might want to adjust the start + end address to make the search even faster

    Code:
    using System;
    using System.Collections.Generic;
    using System.Diagnostics;

    // Scans the target process for val and returns every address where it occurs.
    public List<uint> FindAdresse(uint val)
    {
        Process p = Process.GetProcessById(BM.ProcessId);
        byte[] searchedBytes = BitConverter.GetBytes(val); // byte pattern of the value
        List<uint> addrList = new List<uint>();
        // Chunk size in bytes. Timings from testing with several chunk sizes:
        // 16 = 6 sec, 32 = 6 sec, 64 = 5 sec, 128 = 5 sec, 256 = 5 sec
        int speed = 1024 * 128;
        // Hard-coded scan range; adjust start and end to narrow the search.
        for (int j = 0x400000; j < 0x16FFFFFF; j += speed)
        {
            // Read a few bytes past the chunk so a match that straddles
            // the boundary to the next chunk is still found.
            ManagedWinapi.ProcessMemoryChunk mem = new ManagedWinapi.ProcessMemoryChunk(p, (IntPtr)j, speed + searchedBytes.Length);
            byte[] bigMem = mem.Read();

            for (int k = 0; k < bigMem.Length - searchedBytes.Length; k++)
            {
                bool found = true;
                for (int l = 0; l < searchedBytes.Length; l++)
                {
                    if (bigMem[k + l] != searchedBytes[l])
                    {
                        found = false;
                        break;
                    }
                }
                if (found)
                {
                    // Record every match in the chunk, not only the first one.
                    addrList.Add((uint)(k + j));
                }
            }
        }
        return addrList;
    }

    here we go
    Last edited by streppel; 06-05-2011 at 03:57 AM. Reason: found a solution

  2. #2
    Bananenbrot
    What you are doing is a simple brute force pattern match. For a more efficient algorithm, see Boyer.
    You should only search in the address range of WoW's main module. Hard coding 0x400000 is plain stupid, especially if you would switch ASLR on one day.
    You can copy WoW's main module into your address space as a whole. It should be under 10 MB to copy, so there's no need to break it into small chunks (which should be at least memory page sized for efficiency).
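
The skip-table search that reply #2 points to, as an added example that is not part of the thread: this is the Horspool simplification of the Boyer-Moore family, run over a buffer that has already been read into a byte array. The class name, method name and sample buffer are assumptions made for illustration; note that the largest possible skip equals the pattern length, so a 4-byte value advances at most 4 bytes per step.

```csharp
using System;
using System.Collections.Generic;

static class HorspoolDemo
{
    // Returns every offset in haystack where needle occurs (overlapping matches included).
    public static List<int> FindAll(byte[] haystack, byte[] needle)
    {
        var hits = new List<int>();
        int m = needle.Length;
        if (m == 0 || haystack.Length < m) return hits;

        // Bad-character table: how far the window may slide when the byte
        // aligned with the needle's last position has a given value.
        var shift = new int[256];
        for (int i = 0; i < 256; i++) shift[i] = m;
        for (int i = 0; i < m - 1; i++) shift[needle[i]] = m - 1 - i;

        int pos = 0;
        while (pos <= haystack.Length - m)
        {
            // Compare right to left; stop at the first mismatch.
            int i = m - 1;
            while (i >= 0 && haystack[pos + i] == needle[i]) i--;
            if (i < 0) hits.Add(pos);

            // Slide by the table entry for the window's last byte (always >= 1).
            pos += shift[haystack[pos + m - 1]];
        }
        return hits;
    }

    static void Main()
    {
        // Constructed sample: a 64-byte buffer with the value planted at offsets 5 and 40.
        byte[] needle = BitConverter.GetBytes(0xDEADBEEFu);
        byte[] buffer = new byte[64];
        Array.Copy(needle, 0, buffer, 5, needle.Length);
        Array.Copy(needle, 0, buffer, 40, needle.Length);

        foreach (int offset in FindAll(buffer, needle))
            Console.WriteLine("match at offset " + offset);
    }
}
```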

  3. #3
    streppel
    hey
    thanks for your help. I forgot to mention that this isn't WoW-related.
    thanks for your hint on the Boyer algorithm. I'll see if I can implement it in my code and if it will work any faster then (even though the length of my byte array may not be long enough to make any significant changes)
    hopefully I'll learn about more of those algorithms once my studying starts in September

    greets from germany
