Exetools


mr.exodia 05-18-2014 22:07

[C++] PatternFind
 
Hello everyone,

For x64_dbg I created a pattern finder that supports nibble wildcards (FF D? for example). Here is a standalone version of this pattern finder, feel free to use it wherever you like, credit (link to http://x64dbg.com) is appreciated, but not required.

Example of usage:
Code:

#include "patternfind.h"
#include <stdio.h>

size_t patternfind(
    unsigned char* data, //pointer to the data to search in
    size_t size, //data size
    const char* pattern //text pattern, will be filtered to only contain hex characters and wildcards (?)
);

int main(int argc, char* argv[])
{
    size_t found = patternfind((unsigned char*)main, 0x100, "68 ?? ?1 0? 00");
    printf("found: main+%p\n", (void*)found); //%p expects a pointer argument
    return 0;
}

PatternFind source code is attached.

Greetings,

Mr. eXoDia

mr.exodia 05-19-2014 06:32

mudlord asked me to update this to include a pattern search & replace engine.

Example of full usage:
Code:

#include "patternfind.h"
#include <stdio.h>
#include <string.h> //memcpy

int main(int argc, char* argv[])
{
    unsigned char data[0x100];
    memcpy(data, (const void*)main, sizeof(data));

    //find pattern offset
    size_t found = patternfind(data, sizeof(data), "68 ?? ?1 0? 00");

    printf("found: main+%p\n", (void*)found); //%p expects a pointer argument
    if(found==-1) //not found
        return 0;

    //print current data
    for(int i=0; i<5; i++)
        printf("%.2X ", data[found+i]);
    puts("");

    //search & replace
    if(!patternsnr(data, sizeof(data), "68 ?? ?1 0? 00", "?? ?1 1? 21 23"))
        return 0; //search & replace failed

    //print replaced data
    for(int i=0; i<5; i++)
        printf("%.2X ", data[found+i]);
    puts("");

    return 0;
}

Prints:
Code:

found: main+00000026
68 00 01 00 00
68 01 11 21 23

New patternfind.cpp attached.

Greetings,

Mr. eXoDia

Computer_Angel 06-29-2014 08:52

Hi eXoDia,
Your find pattern has a wrong situation. For example, we have the pattern to find "C1 F8 02 33 C9 BA", and in the file we have these bytes "C1 C1 F8 02 33 C9 BA", then your code will not return the offset.

Quote:

    if(patternmatchbyte(data[i], &searchpattern.at(pos))) //check if our pattern matches the current byte
    {
        pos++;
        if(pos==searchpatternsize) //everything matched
            return i-searchpatternsize+1;
    }
    else
        pos=0; //reset current pattern position

We should reset pattern pos and decrease i :D

Computer_Angel 06-29-2014 10:00

My fix code:

    if(patternmatchbyte(data[i], &searchpattern.at(pos))) //check if our pattern matches the current byte
    {
        pos++;
        if(pos==searchpatternsize) //everything matched
            return i-searchpatternsize+1;
    }
    else if (pos>0)
    {
        i-=pos; // return to prev
        pos=0; //reset current pattern position
    }
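
The missed match reported above and the effect of rewinding `i`, as an added example that is not part of the thread and is not the patternfind source. `PatByte`, `parse_pattern`, `scan_pattern` and `NOT_FOUND` are hypothetical names, and the parser is this example's own reading of the nibble-wildcard syntax.

```cpp
#include <cctype>
#include <cstdio>
#include <string>
#include <vector>

static const std::size_t NOT_FOUND = (std::size_t)-1;

struct PatByte { unsigned char value, mask; }; // "D?" -> value 0xD0, mask 0xF0

// Keep only hex digits and '?'; every two kept characters form one byte.
static std::vector<PatByte> parse_pattern(const std::string& text) {
    std::vector<PatByte> out;
    int nibbles = 0;
    for (unsigned char c : text) {
        if (c != '?' && !std::isxdigit(c)) continue;
        int shift = (nibbles++ % 2 == 0) ? 4 : 0;
        if (shift == 4) out.push_back({0, 0});
        if (c == '?') continue; // wildcard nibble: its mask bits stay 0
        unsigned v = std::isdigit(c) ? c - '0' : std::toupper(c) - 'A' + 10;
        out.back().value |= v << shift;
        out.back().mask |= 0xF << shift;
    }
    return out;
}

// Single-cursor scan like the one quoted in the thread. backtrack=false only
// resets pos on a mismatch; backtrack=true also rewinds i (the proposed fix).
static std::size_t scan_pattern(const unsigned char* data, std::size_t size,
                                const std::vector<PatByte>& pat, bool backtrack) {
    if (pat.empty()) return NOT_FOUND;
    std::size_t pos = 0;
    for (std::size_t i = 0; i < size; i++) {
        if ((data[i] & pat[pos].mask) == pat[pos].value) {
            if (++pos == pat.size()) return i - pat.size() + 1;
        } else if (pos > 0) {
            if (backtrack) i -= pos; // the loop's i++ then retries at start+1
            pos = 0;
        }
    }
    return NOT_FOUND;
}

int main() {
    // Constructed input: the byte sequence from the report in the thread.
    const unsigned char d[] = {0xC1, 0xC1, 0xF8, 0x02, 0x33, 0xC9, 0xBA};
    const std::vector<PatByte> p = parse_pattern("C1 F8 02 33 C9 BA");
    std::printf("reset only:  %ld\n", (long)scan_pattern(d, sizeof d, p, false));
    std::printf("with rewind: %ld\n", (long)scan_pattern(d, sizeof d, p, true));
    return 0;
}
```

The same miss occurs with a wildcard pattern such as "FF D?" over the bytes FF FF D3, because the byte that breaks a partial match is never retried as the start of a new one.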

mr.exodia 06-29-2014 16:40

Alright, this will also be fixed in x64_dbg, thanks a lot!

Greetings

mr.exodia 08-16-2014 08:24

Latest version will always be here: https://bitbucket.org/mrexodia/patternfind


All times are GMT +8.