Thread: Scan Process For Byte Pattern

Hey all,

I am trying to make an anti-game hack to protect my app from being tampered with.

I need to loop through all running processes and scan their memory for a byte pattern.

This is the byte pattern for Cheat Engine 6.1

{0x775BD0, {0xc6, 0x05, 0x20, 0x50, 0x9d, 0x00, 0x00, 0xe8, 0xb4, 0xff, 0xff, 0xff, 0xb8, 0x30, 0xce, 0x9d, 0x00, 0xe8, 0x0a, 0xc6, 0xc9, 0xff, 0xc3, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, {"cheatengine-i386.exe"}}, // Cheat Engine 6.1

As you can see, 0x775BD0 = address

Could someone by any chance show me an example of how to scan through cheatengine-i386.exe and see if it contains {0xc6, 0x05, 0x20, 0x50, 0x9d, 0x00, 0x00, 0xe8, 0xb4, 0xff, 0xff, 0xff, 0xb8, 0x30, 0xce, 0x9d, 0x00, 0xe8, 0x0a, 0xc6, 0xc9, 0xff, 0xc3, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}


I would really appreciate it and could possibly learn something new too.

Thank you for taking the time to read my thread

Regards


NOTE:

I have done some searching and found these examples BUT HERES THE PROBLEM : THEY ALL ASK FOR A START AND END ADDRESS!!!

Code:

interface

uses
  TlHelp32,
  windows,
  sysutils;

Procedure CheckKill;

var
szBlockList: array[0..12] of String = ('dm9xcHpwaydteGc=', 'and3YGBjbCdteGc=', 'Y3ZibmdoJmxwZQ==', 'ZXp0b2d0bXsmZXph', 'ZGdoc2BvOzsmZXph', 'ZHVpLW1+bQ==', 'bWt2YCZjcGw=', 'Vk9zYnpjXHtpeSxhe20=', 'Vk9zYnpjXXptcixhe20=', 'VFJFdnxpS2ZmbmdndyZjcGw=', 'YWtpLW1+bQ==', 'bXFpZHoobXFt', 'cGtgZGFoJmxwZQ==');
szBot: array[0..15] of string = (
'VkxHI1tlaWdmaWxjI0ppfA==',
'UlpGbHw=',
'UlpGbHw=',
'SVBHI0ppfA==',
'SVBHI0ppfA==',
'SVBHI0ppfA==',
'SVBHI0ppfA==',
'SVBHI0ppfA==',
'SVBHI0ppfA==',
'SVBHI0ppfA==',
'SVBHI0ppfA==',
'SVBHI0ppfA==',
'SVBHI0ppfA==',
'SVBHI0ppfA==',
'SVBHI0ppfA==',
'SVBHI0ppfA=='
);
szString: array[0..15] of string = (
'XHoxMVR+PD9UeDY2X3A0OFVwMzJYezs2VHE7M158MU1acDo4XHo3M1R+OzFUeDJF',
'W1FHQkZb',
'W0RQU1U=',
'W1dXQnQ=',
'W1FSTXQ=',
'W0ZBVnQ=',
'W0FFTXQ=',
'W0xIR3Q=',
'W1hFRXQ=',
'W0tXUXQ=',
'W0tIUHQ=',
'W0BWQnQ=',
'W0RWQnQ=',
'W0NRUHQ=',
'W1FTRnQ=',
'W0VGUXQ='
);

implementation

Procedure DecryptStrings();
Var
i: integer;
begin
for i := 0 to 15 do szString[i] := Decrypt(szString[i], '02dsh68ih');
end;

Procedure DecryptBlocklist();
Var
i: integer;
begin
for i := 0 to 12 do szBlockList[i] := Decrypt(szBlockList[i], '02dsh68ih');
end;

Procedure DecryptBotlist();
Var
i: integer;
begin
for i := 0 to 15 do szBot[i] := Decrypt(szBot[i], '02dsh68ih');
end;

procedure KillBot(pe32 : PROCESSENTRY32);
var
  me32:MODULEENTRY32;
  hPath:THANDLE;
  hKillProcess:THANDLE;
  bRetval:BOOLEAN;
begin
   hPath := CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, pe32.th32ProcessID);

   me32.dwSize := sizeof(me32);

   bRetval := Module32First(hPath, me32);

   while(bRetval) do
    begin
      if(Pos(me32.szModule, pe32.szExeFile) = 1) then
      begin

         SetFileAttributes(me32.szExePath, FILE_ATTRIBUTE_NORMAL);

         hKillProcess := OpenProcess(PROCESS_ALL_ACCESS, FALSE, pe32.th32ProcessID);
         TerminateProcess(hKillProcess, 0);

         Sleep(500);

         if(DeleteFile(me32.szExePath)) then
            PrivateMessageChannel('Terminated and deleted ' + me32.szExePath);
      end;

      bRetval := Module32Next(hPath, me32);

    end;

   CloseHandle(hKillProcess);
   CloseHandle(hPath);
end;


procedure DoSearch(uStartAddr:string; uEndAddr:string; pe32:PROCESSENTRY32);
var
   szBigBuffer:string;
   Curbuff: Char;
   hProcess: THANDLE;
   uCurAddr: integer;
   bRead: string;
   NULL: cardinal;
   c: DWORD;

begin
DecryptStrings();
DecryptBotlist();
bRead := '';
  hProcess := OpenProcess(PROCESS_ALL_ACCESS, FALSE, pe32.th32ProcessID);

  for uCurAddr := strtoint(uStartAddr) to  strtoint(uEndAddr) do
    begin
     if ReadProcessMemory(hProcess, Pointer(uCurAddr), @Curbuff, sizeof(Curbuff), NULL) then bRead := bRead + Curbuff;
       end;

         for c := 0 to sizeof(szString) do
          begin

            if(Pos(szString[c],bRead) <> 0) then
              begin
               KillBot(pe32);
            end;

         end;

   CloseHandle(hProcess);
end;

Procedure checkkill;
var
  szFile:string;
  hProcess: Thandle;
  pe32: PROCESSENTRY32;
  bRetval: boolean;
  bDoSearch: boolean;
  i: DWORD;

begin
  DecryptBlocklist();
  szFile := ExtractFileName(ParamStr(0));

  hProcess := CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);

  pe32.dwSize := sizeof(PROCESSENTRY32);

  bRetval := Process32First(hProcess, pe32);
  bDoSearch := true;

     while(bRetval) do
      begin

      for i := 0 to sizeof(szBlockList) do
        begin

         if(Pos(pe32.szExeFile, szBlockList[i]) = 1) then
            bDoSearch := false;

        end;

        if( Pos(pe32.szExeFile, szFile) = 1) then
           bDoSearch := false;

      if(bDoSearch) then

         DoSearch('$00400000', '$004FFFFF', pe32)
        // DoSearch( '$0x00100000','$0x001FFFFF', pe32 );

      else
         bDoSearch := true;

      bRetval := Process32Next(hProcess, pe32);
    end;
   CloseHandle(hProcess);

end;

end.

Code:

Function SearchMemory(SearchDLL: hModule; wildcard: Byte; searchCode: Array of Byte; size: Integer) : Pointer;
Const
  UCHAR_MAX = 255;
Var
  scan,lastByte,defaultSkip,pID, searchEnd,SearchSuccess : Cardinal;
  skipLength : ARRAY of Integer;
  dllInfo : TModuleInfo;
  p : pointer;
  pbCurrent: PByte;
  b: Byte;
begin
  //WriteLog('------------------------------------------------------------------------------------');
  
  //WriteLog('SearchMemory: Phase 1 - Builds skip length for chars that are not in search');

  //The first loop builds the skip length for characters that aren't in the searched "string"
  lastByte := size - 1;
  while searchCode[lastByte] = wildcard do Dec(lastByte);

    defaultSkip := lastByte;

  //WriteLog('SearchMemory: Phase 2 - Building skip length');

  //The second one builds the skip length for the characters in the string
  scan := 0;
  for scan:= 0 to lastByte - 1 do
  begin
        if searchCode[scan] = wildcard then defaultSkip := lastByte - scan;
  end;

  if defaultSkip > 1 then defaultSkip := defaultSkip - 1;

  //WriteLog(Format('defaultSkip: %u', [scan]));

  //WriteLog('SearchMemory: Phase 3 - Create Skiplength loop');

  //Is just setting the default skip length
  SetLength(skipLength, UCHAR_MAX);
  for scan:=0 to UCHAR_MAX do
    skipLength[scan] := defaultSkip;

  //WriteLog('SearchMemory: Phase 4 - Searching, skipping bytes based on the skip length');

  //Third loop searches for the string, skipping bytes based on the skip length
  for scan := 0 to lastByte-1 do
  begin
        if searchCode[scan] <> wildcard then
    begin
            skipLength[searchCode[scan]] := lastByte - scan;
    end;
  end;

  if GetModuleInformation(GetCurrentProcess, SearchDLL, @dllInfo, sizeof(dllInfo)) = FALSE then
  begin
    //WriteLog('SearchMemory: Phase 5 - GetModuleInformation failed...');
    exit;
  end
  else
  begin
    //WriteLog('SearchMemory: Phase 5 - Im past GetModuleInformation...');

      p := dllInfo.lpBaseOfDll;
    //WriteLog(Format('SearchMemory: Checking dllInfo.lpBaseOfDll: %p', [p]));

      searchEnd := Cardinal(dllInfo.lpBaseOfDll) + dllInfo.SizeOfImage;
      searchEnd := searchEnd - (lastByte + 1);

    //WriteLog(Format('SearchMemory: Checking StartAddr: %p,  SearchEnd: %08X', [p, searchEnd]));
    //WriteLog('------------------------------------------------------------------------------------');

      while Cardinal(p) <= searchEnd do
    begin
        scan := lastByte;

        while ((searchCode[scan] = wildcard) or (PByte(Cardinal(p)+scan)^ = searchCode[scan])) do
        begin
            if scan = 0 then
            begin
               result := P;
               Inc(SearchSuccess);
               Exit;
            end;
            scan := scan-1;
        end;

        p := Pointer(Cardinal(p)+skipLength[PByte(Cardinal(p)+lastByte)^]);

    end;

      if ( SearchSuccess = 0 ) then
      begin
          //WriteLog('ERROR: Search failed');
              result := 0;
      exit;
      end;

      if ( SearchSuccess > 1 ) then
      begin
      //WriteLog('ERROR: Search returned multiple results');
      result := 0;
      exit;
      end;

    result := 0;
  end;
end;

VirtualQueryEx(handle, modulebase,...)
ReadProcessMemory(handle, MEMORY_BASIC_INFORMATION->BaseAddress, buf, MEMORY_BASIC_INFORMATION->RegionSize.....
scannn
loop while (MEMORY_BASIC_INFORMATION->Type == MEM_IMAGE)

this should be close to what you need, if not it should be easy enough to modify.
by protocol. (departure also posted one);

Code:

Function SearchPattern(Const pTarget, pPattern: PChar): DWORD;
Var
  i             :Integer;
  j             :Integer;
  k             :Integer;
  iTargetLen    :Integer;
  iPatternLen   :Integer;
  baStep: Array[0..255] Of Byte;
Begin
    Result := 0;
    iTargetLen  := Length(pTarget);
    iPatternLen := Length(pPattern);
    If iTargetLen * iPatternLen = 0 Then Exit;
    FillChar(baStep,SizeOf(baStep), iPatternLen);

    For K := 0 to iPatternLen -1 do baStep[Ord(pPattern[k])]:= iPatternLen - K;

    While K <= iTargetLen Do
    Begin
      i := k - 1;
      j := iPatternLen - 1;
      While (pTarget[i] = pPattern[j]) or (pPattern[j] = '*') Do
      Begin
        Dec(i);
        Dec(j);
      End;
      If j = -1 Then
      Begin
        Result := i + 2;
        Exit;
      End;
      Inc(K, baStep[Ord(pTarget[k])]);
    End;
End;


begin
Writeln('Index: ',SearchPattern('hello this is a simple test of how to search in a string','*ow')); //returns 32 with 'how'
Readln;
end.

@G36KV
Thanks for pointing me int he right direction.

@cracksman
I think you misunderstood me, i am trying to read another processes memory and try to find a certain byte... Or maybe i misunderstood you?

yah, read the foreign process's memory into a byte array. search the byte array for your pattern with proto's snippet.

p.s. topic was tl;dr

Sorry to bump this 2 week old topic. I just wanted to comment on the 2nd function posted.

I posted that on Progamercity, it was a port of a friends code to Delphi and i just wanted to clarify that it is designed to be used within the programs memory space (proxy dll or injected dll etc) to search modules that the program has loaded. I'm sure it could be adapted to get another processes memory space.

So you bumped the thread to state facts, then i bumped it to state a fact about you stating a fact?

o.O?

You'd be correct =)