Exetools  

Go Back   Exetools > General > Source Code

Notices

Reply
 
Thread Tools Display Modes
  #1  
Old 05-18-2014, 22:07
mr.exodia mr.exodia is offline
Retired Moderator
 
Join Date: Nov 2011
Posts: 784
Rept. Given: 492
Rept. Rcvd 1,122 Times in 305 Posts
Thanks Given: 90
Thanks Rcvd at 711 Times in 333 Posts
mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299
[C++] PatternFind

Hello everyone,

For x64_dbg I created a pattern finder that supports nibble wildcards (FF D? for example). Here is a standalone version of this pattern finder, feel free to use it wherever you like, credit (link to http://x64dbg.com) is appreciated, but not required.

Example of usage:
Code:
#include "patternfind.h"
#include 
size_t patternfind(
unsigned char* data //pointer to the data to search in
size_t size //data size
const char* pattern //text pattern, will be filtered to only contain hex characters and wildcards (?)
);

int main(int argc, char* argv[])
{
    size_t found = patternfind((unsigned char*)main, 0x100, "68 ?? ?1 0? 00");
    printf("found: main+%p\n", found);
    return 0;
}
PatternFind source code is attached.

Greetings,

Mr. eXoDia

Last edited by mr.exodia; 10-28-2015 at 09:13.
Reply With Quote
The Following 4 Users Gave Reputation+1 to mr.exodia For This Useful Post:
besoeso (05-19-2014), chessgod101 (05-19-2014), ontryit (05-19-2014), zeuscane (05-19-2014)
  #2  
Old 05-19-2014, 06:32
mr.exodia mr.exodia is offline
Retired Moderator
 
Join Date: Nov 2011
Posts: 784
Rept. Given: 492
Rept. Rcvd 1,122 Times in 305 Posts
Thanks Given: 90
Thanks Rcvd at 711 Times in 333 Posts
mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299
mudlord asked me to update this to include a pattern search & replace engine.

Example of full usage:
Code:
#include "patternfind.h"

int main(int argc, char* argv[])
{
    unsigned char data[0x100];
    memcpy(data, main, sizeof(data));

    //find pattern offset
    size_t found = patternfind(data, sizeof(data), "68 ?? ?1 0? 00");

    printf("found: main+%p\n", found);
    if(found==-1) //not found
        return 0;

    //print current data
    for(int i=0; i<5; i++)
        printf("%.2X ", data[found+i]);
    puts("");

    //search & replace
    if(!patternsnr(data, sizeof(data), "68 ?? ?1 0? 00", "?? ?1 1? 21 23"))
        return 0; //search & replace failed

    //print replaced data
    for(int i=0; i<5; i++)
        printf("%.2X ", data[found+i]);
    puts("");

    return 0;
}
Prints:
Code:
found: main+00000026
68 00 01 00 00
68 01 11 21 23
New patternfind.cpp attached.

Greetings,

Mr. eXoDia

Last edited by mr.exodia; 10-28-2015 at 09:13.
Reply With Quote
The Following 11 Users Gave Reputation+1 to mr.exodia For This Useful Post:
besoeso (05-19-2014), bilbo (05-26-2014), chessgod101 (05-19-2014), Computer_Angel (05-19-2014), Dreamer (05-19-2014), Git (05-19-2014), Insid3Code (05-20-2014), nikkapedd (05-24-2014), nulli (05-27-2014), ontryit (05-19-2014), zeuscane (05-19-2014)
  #3  
Old 06-29-2014, 08:52
Computer_Angel's Avatar
Computer_Angel Computer_Angel is offline
Lo*eXeTools*rd
 
Join Date: Aug 2003
Posts: 151
Rept. Given: 67
Rept. Rcvd 37 Times in 18 Posts
Thanks Given: 10
Thanks Rcvd at 1 Time in 1 Post
Computer_Angel Reputation: 37
Hi eXoDia,
Your find pattern have a wrong situation. Example, we have pattern to find "C1 F8 02 33 C9 BA", and in file we have these byte "C1 C1 F8 02 33 C9 BA", then your code will not return the offset.

Quote:
if(patternmatchbyte(data[i], &searchpattern.at(pos))) //check if our pattern matches the current byte
{
pos++;
if(pos==searchpatternsize) //everything matched
return i-searchpatternsize+1;
}
else
pos=0; //reset current pattern position
We should reset pattern pos and decrease i
__________________
Welcome to my place http://www.reaonline.net
Reply With Quote
The Following User Gave Reputation+1 to Computer_Angel For This Useful Post:
mr.exodia (07-23-2014)
  #4  
Old 06-29-2014, 10:00
Computer_Angel's Avatar
Computer_Angel Computer_Angel is offline
Lo*eXeTools*rd
 
Join Date: Aug 2003
Posts: 151
Rept. Given: 67
Rept. Rcvd 37 Times in 18 Posts
Thanks Given: 10
Thanks Rcvd at 1 Time in 1 Post
Computer_Angel Reputation: 37
My fix code:
if(patternmatchbyte(data[i], &searchpattern.at(pos))) //check if our pattern matches the current byte
{
pos++;
if(pos==searchpatternsize) //everything matched
return i-searchpatternsize+1;
}
else if (pos>0)
{
i-=pos; // return to prev
pos=0; //reset current pattern position
}
__________________
Welcome to my place http://www.reaonline.net
Reply With Quote
The Following User Gave Reputation+1 to Computer_Angel For This Useful Post:
mr.exodia (06-29-2014)
  #5  
Old 06-29-2014, 16:40
mr.exodia mr.exodia is offline
Retired Moderator
 
Join Date: Nov 2011
Posts: 784
Rept. Given: 492
Rept. Rcvd 1,122 Times in 305 Posts
Thanks Given: 90
Thanks Rcvd at 711 Times in 333 Posts
mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299
Alright, this will also be fixed in x64_dbg, thanks a lot!

Greetings
Reply With Quote
  #6  
Old 08-16-2014, 08:24
mr.exodia mr.exodia is offline
Retired Moderator
 
Join Date: Nov 2011
Posts: 784
Rept. Given: 492
Rept. Rcvd 1,122 Times in 305 Posts
Thanks Given: 90
Thanks Rcvd at 711 Times in 333 Posts
mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299
Latest version will always be here: https://bitbucket.org/mrexodia/patternfind
Reply With Quote
The Following User Says Thank You to mr.exodia For This Useful Post:
Stingered (08-08-2022)
Reply

Tags
finder, nibble, pattern, string, wildcard

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is On



All times are GMT +8. The time now is 07:48.


Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX, chessgod101
( 1998 - 2024 )