@hdf
Created August 14, 2014 21:09
C# console app to get addresses from aobscan patterns (Cheat Engine) (Uses Patcher.dll from: https://github.com/hdf/patcher2)
using Patcher2; // Uses Patcher.dll from: https://github.com/hdf/patcher2
using System;
using System.Diagnostics;
using System.IO;
using System.Runtime.InteropServices;
using System.Text.RegularExpressions;
namespace GetAoBAddresses
{
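/// <summary>
/// Console tool that extracts Cheat Engine <c>aobscan</c> byte patterns from a .CT table and
/// reports where each pattern occurs, either in an executable on disk or in the main module
/// of a running process (selected with <c>pid:NNNN</c>).
/// </summary>
internal class Program
{
    /// <summary>kernel32 P/Invoke declarations used to read another process's memory.</summary>
    internal static class NativeMethods
    {
        /// <summary>Access rights that can be requested from <c>OpenProcess</c>.</summary>
        [Flags]
        internal enum ProcessAccessFlags : uint
        {
            All = 0x001F0FFF,
            Terminate = 0x00000001,
            CreateThread = 0x00000002,
            VMOperation = 0x00000008,
            VMRead = 0x00000010,
            VMWrite = 0x00000020,
            DupHandle = 0x00000040,
            SetInformation = 0x00000200,
            QueryInformation = 0x00000400,
            Synchronize = 0x00100000
        }

        // SetLastError lets the caller report why a handle could not be obtained.
        [DllImport("kernel32.dll", SetLastError = true)]
        internal static extern IntPtr OpenProcess(ProcessAccessFlags dwDesiredAccess, [MarshalAs(UnmanagedType.Bool)] bool bInheritHandle, int dwProcessId);

        [DllImport("kernel32.dll")]
        [return: MarshalAs(UnmanagedType.Bool)]
        internal static extern bool CloseHandle(IntPtr hProcess);

        // lpNumberOfBytesRead is a SIZE_T* in the native signature. Declaring it as a 4-byte int
        // lets the API write 8 bytes through the pointer in a 64-bit process, so it is marshalled
        // as a pointer-sized value instead.
        [DllImport("kernel32.dll", SetLastError = true)]
        [return: MarshalAs(UnmanagedType.Bool)]
        internal static extern bool ReadProcessMemory(IntPtr handle, IntPtr lpBaseAddress, byte[] lpBuffer, IntPtr nSize, out IntPtr lpNumberOfBytesRead);
    }

    private static readonly string iam = System.Reflection.Assembly.GetExecutingAssembly().GetName().Name;

    /// <summary>
    /// Parses the command line, loads the bytes to search, and prints one line per
    /// <c>aobscan</c> pattern found in the table file.
    /// </summary>
    /// <param name="args">
    /// Either empty (defaults to EoCApp.CT / EoCApp.exe) or exactly two values:
    /// the table file and then an executable path or <c>pid:NNNN</c>.
    /// </param>
    private static void Main(string[] args)
    {
        string tablePath = "EoCApp.CT";
        string file = "EoCApp.exe";
        if (args.Length == 2)
        {
            tablePath = args[0];
            file = args[1];
        }
        else if (args.Length > 0)
        {
            Console.WriteLine("Usage:\n " +
                iam + " App.CT App.exe\n" +
                " or:\n " +
                iam + " App.CT pid:1234\n" +
                " Will print out all the addresses associated with the aobscan patterns given in the CT file.\n" +
                " To get the pid on windows type:\n" +
                " tasklist /FI \"IMAGENAME eq App.exe\"");
            return;
        }

        // Fail with a message rather than an unhandled FileNotFoundException.
        if (!File.Exists(tablePath))
        {
            Console.WriteLine("Table file not found: " + tablePath);
            return;
        }
        string tableText = File.ReadAllText(tablePath);

        byte[] bytes;
        // Ordinal comparison: a culture-sensitive ToLower() can stop matching "PID:" under
        // some cultures (e.g. Turkish casing of 'I').
        if (file.Length > 4 && file.StartsWith("pid:", StringComparison.OrdinalIgnoreCase))
        {
            int pid;
            if (!int.TryParse(file.Substring(4), System.Globalization.NumberStyles.Integer,
                    System.Globalization.CultureInfo.InvariantCulture, out pid))
            {
                Console.Error.WriteLine("Invalid process id: " + file.Substring(4));
                return;
            }

            string processName;
            bytes = ReadMainModule(pid, out processName);
            if (bytes == null)
            {
                return;
            }
            file = processName;
        }
        else if (!File.Exists(file))
        {
            Console.WriteLine("File not found.");
            return;
        }
        else
        {
            bytes = File.ReadAllBytes(file);
        }

        MatchCollection aobs = Regex.Matches(tableText, @"aobscan.*,\s*(([a-f0-9\?\*][a-f0-9\?\*]\s?)+)\)", RegexOptions.IgnoreCase | RegexOptions.Multiline);
        for (int i = 0; i < aobs.Count; i++)
        {
            // Only hex digits and wildcard characters can be captured, so invariant casing is enough.
            string aob = aobs[i].Groups[1].Value.Trim().ToUpperInvariant();
            // Both wildcard spellings are collapsed to a single "?" token per byte;
            // presumably that is the wildcard form Patcher.BinaryPatternSearch expects - confirm against Patcher2.
            string[] svals = aob.Replace("??", "?").Replace("**", "?").Split(' ');
            int[] locs = Patcher.BinaryPatternSearch(ref bytes, svals, false);
            if (locs.Length == 1)
            {
                // The printed value is an offset into the searched buffer: a raw file offset for an
                // on-disk executable, a module-relative offset when the bytes came from a process.
                Console.WriteLine(string.Format("\"{0}\"+{1:X6} : {2}", file, locs[0], aob));
            }
            else if (locs.Length < 1)
            {
                Console.WriteLine("Pattern not found.");
            }
            else
            {
                Console.WriteLine(locs.Length.ToString() + " occurrences found.");
            }
        }
    }

    /// <summary>
    /// Copies the main module image of the process with the given id into a managed buffer.
    /// </summary>
    /// <param name="pid">Id of the target process.</param>
    /// <param name="processName">Receives the process name on success; null on failure.</param>
    /// <returns>The module bytes, or null after writing the reason to standard error.</returns>
    private static byte[] ReadMainModule(int pid, out string processName)
    {
        processName = null;
        try
        {
            using (Process proc = Process.GetProcessById(pid))
            {
                string name = proc.ProcessName;
                // Read MainModule once so base address and size come from the same snapshot.
                ProcessModule mainModule = proc.MainModule;
                int size = mainModule.ModuleMemorySize;
                byte[] image = new byte[size];

                // Least privilege: ReadProcessMemory only needs PROCESS_VM_READ, so the handle is not
                // opened with full access (terminate, write, create-thread) to the target.
                IntPtr hProc = NativeMethods.OpenProcess(NativeMethods.ProcessAccessFlags.VMRead, false, proc.Id);
                if (hProc == IntPtr.Zero)
                {
                    int openError = Marshal.GetLastWin32Error();
                    Console.Error.WriteLine("OpenProcess failed (Win32 error " + openError + ").");
                    return null;
                }

                try
                {
                    IntPtr bytesRead;
                    if (!NativeMethods.ReadProcessMemory(hProc, mainModule.BaseAddress, image, (IntPtr)size, out bytesRead))
                    {
                        // Capture the error before CloseHandle in the finally block can overwrite it.
                        int readError = Marshal.GetLastWin32Error();
                        Console.Error.WriteLine("ReadProcessMemory failed (Win32 error " + readError + ").");
                        return null;
                    }
                }
                finally
                {
                    // Always release the handle, including when the read fails or throws.
                    NativeMethods.CloseHandle(hProc);
                }

                processName = name;
                return image;
            }
        }
        catch (ArgumentException)
        {
            Console.Error.WriteLine("No running process with id " + pid + ".");
        }
        catch (InvalidOperationException)
        {
            Console.Error.WriteLine("Process " + pid + " exited before it could be read.");
        }
        catch (System.ComponentModel.Win32Exception ex)
        {
            // Raised by Process.MainModule, e.g. on access denied or a 32/64-bit mismatch with the target.
            Console.Error.WriteLine("Cannot inspect process " + pid + ": " + ex.Message);
        }
        return null;
    }
}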
}