Scanning for values/addresses

A little article about scanning for values ("searching"), or in other words finding addresses based on the values they hold.
This is intended for everyone, so I present it at a basic level. Sorry if some of it is redundant and obvious to you; it may be new and useful to someone else.

First things first, in case you don't understand how addresses and their "values" relate.
Let's look at a random address from a random program.
0x004012AF is the address. The instruction at this address is MOV DWORD PTR SS:[ESP+4],EAX, and its encoding is the four bytes 0x89 0x44 0x24 0x04. This is what many people know as the "array of bytes". Read as a little-endian DWORD (the byte at the lowest address is the least significant one), those four bytes are 0x04244489, which is 69485705 in decimal. This is what many people know as the "value" of the address.
So the opcode, the array of bytes, and the value (whether in decimal or hexadecimal) are ALL the SAME THING. They're just different representations/notations. If you edit the value of an address, you edit the array of bytes and therefore the instruction as well, and vice versa. One caveat: the "value" a tool shows you depends on how many bytes it reads at that address (1, 2, 4 or 8), so make sure you are comparing the same width.

So anyway, now that you know that (or if you already did), there are many ways to search. You can search for the byte signature ("array of bytes") or for the value of the address. I prefer the byte signature because it's a little cooler and allows for some variation: you can wildcard the bytes that change between builds (immediates, displacements, relocated addresses) and still match on the instructions around them.

Here is the address with all its representations again, for reference.
ADDRESS: 0x004012AF | MOV DWORD PTR SS:[ESP+4],EAX | 0x89 0x44 0x24 0x04 | 0x04244489 | 69485705
So, the address 0x004012AF has a FOUR BYTE value. A WORD is two bytes, and a DWORD (double word) is FOUR BYTES. So our address has a DWORD value.
Each successive address holds one byte of the instruction:
0x004012AF: 0x89
0x004012B0: 0x44
0x004012B1: 0x24
0x004012B2: 0x04

So, if we want to search for a byte pattern (like searching for an array of bytes), we compare each byte of the pattern against the corresponding byte at the candidate address; on a mismatch we increment the address by one and start over from the first byte of the pattern.

If we want to search for a value, it's simpler: read a DWORD at each address and compare it to the value directly.

Take note that these code examples search for values WITHIN THE CURRENT PROCESS.
If you want to use them externally, modify them to read the target's memory with the ReadProcessMemory API (copy the range into a local buffer and scan that)!
Also be careful with the range you pick: reading an address that isn't mapped (or is a guard page) raises an access violation, and inside the target that kills the process. Stick to committed, readable regions (VirtualQuery tells you which pages those are) or wrap the reads in SEH (__try/__except).

Also note that the whole thing has to run in its own thread so that it doesn't kill the program by hijacking its normal flow!
If you're using CE, you can do this by going to the address of the new thread routine and using the tools menu -> create thread (or pressing CTRL+ALT+T).

Otherwise, use the CreateThread API.

ASM:
push 0
push 0
push 0
push NewThread
push 0
push 0
call CreateThread
// EAX (return value) contains handle to the new thread.

C:
CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)NewThread, NULL, 0, 0);
// Returns the handle to the new thread.

Also note that this is not very efficient coding. Just get the general idea from it.

On to the code!

ASM:
// FoundAddy is a DWORD; BytePattern is as many bytes as your pattern has (four in this case).

FoundAddy:   // Will contain the found addy or 0 if no addy is found.
dd 0

BytePattern:   // Defines your byte pattern (the four bytes of MOV DWORD PTR SS:[ESP+4],EAX).
db 89 44 24 04

FindAddressThread:
mov eax,00400000   // Address to start at.
mov ecx,00300000   // Range of addresses (how many bytes to search). The last candidate reads up to 3 bytes past the end, so keep that readable too.

SearchLoop:      // Compares the byte pattern to the current search address, one byte at a time.
mov bl,[BytePattern]   // Load one byte of the pattern into BL; comparing a BYTE PTR against a full EBX would be an operand size mismatch.
cmp byte ptr [eax],bl
jne NotFound

mov bl,[BytePattern+1]
cmp byte ptr [eax+1],bl
jne NotFound

mov bl,[BytePattern+2]
cmp byte ptr [eax+2],bl
jne NotFound

mov bl,[BytePattern+3]
cmp byte ptr [eax+3],bl
je Found

NotFound:      // Reached if the byte pattern didn't match the current addy.
inc eax         // Increment the current addy by one.
loop SearchLoop      // Decrements ECX by one, then jumps to SearchLoop if ECX is not zero (in 32-bit code loop uses ECX, not CX).
mov dword ptr [FoundAddy],0   // Reached when the loop runs out, meaning no address matched.
push 0
call ExitThread      // Exits the thread.

Found:         // Reached if the byte pattern matched the current addy.
mov [FoundAddy],eax   // Record the found address.
push 0
call ExitThread      // Exits the thread.
This is meant to run as its own thread and nothing else. If you'd rather call it as an ordinary procedure, have it return the result in EAX instead of storing it to FoundAddy (and use ret instead of ExitThread).

C(++):
#include <windows.h>

// Returns the first address in [StartAddress, EndAddress] holding a DWORD equal to Value, or 0 if none.
// Every byte in that range must be readable, or the read faults and takes the process down.
// Casting a DWORD to a pointer only makes sense in a 32-bit build, which is what this article assumes.
DWORD SearchBytes(DWORD Value, DWORD StartAddress, DWORD EndAddress)
{
    if (EndAddress < sizeof(DWORD) - 1)
        return 0;
    // Stop 3 bytes early so the last DWORD read doesn't run past EndAddress.
    for (DWORD CurrentAddress = StartAddress; CurrentAddress <= EndAddress - (sizeof(DWORD) - 1); CurrentAddress++)
    {
        if (*(DWORD*)CurrentAddress == Value)   // Unaligned DWORD read; fine on x86.
            return CurrentAddress;
    }
    return 0;
}

This is a proc that you call, but it should be called from within a separate thread. Feel free to modify it. This one searches for a value rather than a byte pattern: it reads a DWORD at every address and compares it directly, which is the same thing as matching the four little-endian bytes of the value.
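To show the byte-by-byte pattern compare and the value compare side by side, here is an added, portable example in C. It is not code from the original post; it scans an in-memory buffer (a constructed sample of instruction bytes, not a real process dump) the same way the routines above scan the process, but with a mask so you can write "??" wildcards in the signature, and with a value search that simply encodes the DWORD little-endian and reuses the same scanner, which is the earlier point that the value and the array of bytes are the same thing. The function names, the signature text format and the sample bytes are my own choices, not the article's.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_SIG 64

/* A byte signature: bytes to match plus a mask; mask[i] == 0 marks a "??" wildcard. */
typedef struct {
    uint8_t bytes[MAX_SIG];
    uint8_t mask[MAX_SIG];
    size_t  len;
} signature_t;

/* Parse text like "89 44 24 ??" into a signature. Tokens are two hex digits or "??",
   separated by whitespace. Returns 0 on success, -1 on malformed input. */
int parse_signature(const char *text, signature_t *sig)
{
    const char *p = text;
    sig->len = 0;
    for (;;) {
        while (isspace((unsigned char)*p)) p++;
        if (*p == '\0') break;
        if (sig->len >= MAX_SIG) return -1;
        if (p[0] == '?' && p[1] == '?') {
            sig->bytes[sig->len] = 0;
            sig->mask[sig->len] = 0;
        } else if (isxdigit((unsigned char)p[0]) && isxdigit((unsigned char)p[1])) {
            char hex[3] = { p[0], p[1], '\0' };
            sig->bytes[sig->len] = (uint8_t)strtoul(hex, NULL, 16);
            sig->mask[sig->len] = 1;
        } else {
            return -1;
        }
        p += 2;
        if (*p != '\0' && !isspace((unsigned char)*p)) return -1; /* e.g. "894" */
        sig->len++;
    }
    return sig->len > 0 ? 0 : -1;
}

/* Scan buf[0..size): at each candidate offset compare the signature byte by byte,
   skipping wildcards; on the first mismatch advance the offset by one and retry.
   Same loop as the ASM above, just with a mask. Returns the offset of the first
   match, or -1 if none. The candidate never runs past the end of the buffer. */
long find_signature(const uint8_t *buf, size_t size, const signature_t *sig)
{
    if (sig->len == 0 || size < sig->len) return -1;
    for (size_t off = 0; off + sig->len <= size; off++) {
        size_t i = 0;
        while (i < sig->len && (!sig->mask[i] || buf[off + i] == sig->bytes[i])) i++;
        if (i == sig->len) return (long)off;
    }
    return -1;
}

/* Value search: a DWORD in memory is just its four bytes in little-endian order
   (least significant byte at the lowest address), so encode the value that way
   and hand it to the same scanner. */
long find_dword(const uint8_t *buf, size_t size, uint32_t value)
{
    signature_t sig;
    sig.len = 4;
    for (size_t i = 0; i < 4; i++) {
        sig.bytes[i] = (uint8_t)(value >> (8 * i));
        sig.mask[i] = 1;
    }
    return find_signature(buf, size, &sig);
}

/* Constructed sample "memory" (not a real dump): a small x86 prologue, then the
   instruction from the article, MOV DWORD PTR SS:[ESP+4],EAX = 89 44 24 04, at offset 6. */
static const uint8_t sample_memory[] = {
    0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10,   /* push ebp; mov ebp,esp; sub esp,10h */
    0x89, 0x44, 0x24, 0x04,               /* mov [esp+4],eax   (offset 6)  */
    0x89, 0x4C, 0x24, 0x08,               /* mov [esp+8],ecx   (offset 10) */
    0xC3,                                 /* ret */
};

static long scan_text(const char *sigtext)
{
    signature_t sig;
    if (parse_signature(sigtext, &sig) != 0) return -1;
    return find_signature(sample_memory, sizeof sample_memory, &sig);
}

long demo_exact_signature(void)    { return scan_text("89 44 24 04"); }   /* 6 */
long demo_value_search(void)       { return find_dword(sample_memory, sizeof sample_memory, 0x04244489u); } /* 6, same hit */
long demo_wildcard_signature(void) { return scan_text("89 ?? 24 08"); }   /* 10 */
long demo_no_match(void)           { return scan_text("89 44 24 0C"); }   /* -1 */
long demo_bad_signature(void)      { return scan_text("89 4"); }          /* -1: malformed */

int main(void)
{
    printf("exact    89 44 24 04 -> %ld\n", demo_exact_signature());
    printf("value    0x04244489  -> %ld\n", demo_value_search());
    printf("wildcard 89 ?? 24 08 -> %ld\n", demo_wildcard_signature());
    printf("no match 89 44 24 0C -> %ld\n", demo_no_match());
    return 0;
}
```

To use this against a real target, the buffer is either the process's own mapped range (in-process, as in the article) or a copy pulled out with ReadProcessMemory; the returned offset is added to the base address of whatever was scanned. Because the scanner only ever touches bytes inside the buffer you gave it, the access-violation problem is moved to the one place you fill the buffer, which is where VirtualQuery or SEH belongs.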

Done. Questions/comments? Contact me on MSN (codexlive@hotmail.com) or comment here.

February 1, 2008

Upcoming posts

Soon (Friday/weekend) I'll write some shit.

It will probably be about searching for values (& thus finding dynamic addresses) in ASM and C++.

January 31, 2008

First post

Made a shitty blog for no reason.

Sick.

January 29, 2008

