Solved Pattern scanning not functioning correctly

V-X

Hello all, I come today after ~3 days of smashing my head against a wall trying to get this to work but to no avail. For reference, I'm very good at the .Net Framework, however, I'm not too great when it comes to hacking games, this is my first real attempt at something.

The game I'm trying to hack is a rather new one, Albion Online, I'm nop'ing out a call that in turn allows me to zoom out farther than allowed. Mind you I'm doing this externally.

When using the dynamic address I was able to successfully nop out and then restore the function once I wanted it back to normal.

However when signature scanning I cannot for the life of me get it to work, I attached OllyDbg and made a signature, tested to make sure there were no duplicates, then got it working in C#.

I was able to get it to function properly and get a valid address with the base address and scan size provided by OllyDbg, however, when I tried feeding the signature scanner the base address of the main module and the size of the module it didn't find the pattern. Furthermore when I checked, the Base + Size of the main module was smaller than the dynamic address in that instance, which would lead me to believe that for some reason either my size or base is wrong. However even after trying GetModuleInformation, I found it returned the same information that I was getting from the Process class in System.Diagnostics.

To further debug as I figured I may be in the wrong module for some reason, I tried scanning each module inside of the process, and nothing worked, I got no valid value each time. However the moment I used the base address and scan size that Olly gave me it worked, albeit only temporarily it did work.

Here's a snippet of my function:
C#:
                Process pAlbion = Process.GetProcessesByName("Albion-Online")[0];

                MODULEINFO mI = new MODULEINFO();

                if (!GetModuleInformation(pAlbion.Handle, pAlbion.MainModule.BaseAddress, out mI, Marshal.SizeOf(mI)))
                    throw new Exception("GetModuleInformation failed! Win32 Error Message: " + new Win32Exception(Marshal.GetLastWin32Error()).Message);

                SigScan scanner = new SigScan();
                scanner.Process = pAlbion;

                IntPtr iZoom = IntPtr.Zero;

                foreach (ProcessModule pM in pAlbion.Modules)
                {
                    scanner.Address = pM.BaseAddress;
                    scanner.Size = Convert.ToInt32(pM.ModuleMemorySize);
                    iZoom = new IntPtr(scanner.FindPattern("89 4C 24 04 8B 4D C8 89 4C 24 08 50 E8 ?? ?? ?? ?? 83 C4 1C 8B 45 08 8B 4D C0", 12));
                    if (!iZoom.Equals(IntPtr.Zero))
                        break;
                }

                Console.WriteLine(iZoom.ToString());
                Console.ReadKey();
As stated above nothing is returned so 0 is output to console. Any help would be greatly appreciated.
 

Rake

V-X said:
"I tried feeding the signature scanner the base address of the main module and the size of the module it didn't find the pattern. Furthermore when I checked, the Base + Size of the main module was smaller than the dynamic address in that instance, which would lead me to believe that for some reason either my size or base is wrong."

Good post/question! I was anticipating this and actually already got some code for part2 of that tutorial.

Your pattern does not exist inside the module, it's either in another module or it's dynamically allocated. Albion Online is a Unity engine game, which I believe will have plenty of dynamically allocated goodies.

I wrote this function that will be featured in part2 of the pattern scan tutorial that will scan all committed memory, you can convert it to C#:

C++:
//Scan entire process, slowest method
char* Pattern::Ex::Proc(char* combopattern, Process* process)
{
    // Each "XX " token is 3 characters, so this bounds the number of pattern bytes
    unsigned int patternLen = ((strlen(combopattern) + 1) / 3) + 1;
    char* pattern = new char[patternLen];
    char* mask = new char[patternLen];

    Parse(combopattern, pattern, mask);

    SYSTEM_INFO si;
    GetSystemInfo(&si);

    MEMORY_BASIC_INFORMATION mbi;
    char* address = 0x0;
    char* match = nullptr;

    // Walk the 32-bit user-mode address range one region at a time
    while ((uintptr_t)address < 0x80000000)
    {
        // Stop if the query fails; mbi would not hold valid data
        if (!VirtualQueryEx(process->handle, address, &mbi, sizeof(mbi)))
            break;

        if (mbi.State == MEM_COMMIT && mbi.Protect != PAGE_NOACCESS)
        {
            match = Scan(pattern, mask, address, address + mbi.RegionSize, process);
            if (match != nullptr)
                break;
            address += mbi.RegionSize;
        }
        else
        {
            address += si.dwPageSize;
        }
    }

    delete[] pattern;
    delete[] mask;
    // nullptr when the pattern was not found in any region
    return match;
}
Here's the original tutorial:

And a remake of the original code @ GH-Rake / PatternScan / source / patterscan.cpp — Bitbucket
 
Last edited:
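
The function above calls a Parse step and a masked Scan that the thread does not show. As an added example (not code from this thread, the tutorial or the linked repository), here is one way to parse the "XX ?? XX" signature format and match it against a local buffer. ParseSignature, FindSignature, kNoMatch and kSample are hypothetical names, and the sample bytes are constructed.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <sstream>
#include <string>
#include <vector>

// One signature element: a literal byte or a wildcard ("??").
struct SigByte { uint8_t value; bool wildcard; };

static const size_t kNoMatch = static_cast<size_t>(-1);

// Parse a space-separated signature such as "50 E8 ?? ?? ?? ?? 83 C4 1C".
// Returns an empty vector if any token is not two hex digits or "??".
std::vector<SigByte> ParseSignature(const std::string& text) {
    std::vector<SigByte> sig;
    std::istringstream in(text);
    std::string tok;
    while (in >> tok) {
        if (tok == "??") { sig.push_back({0, true}); continue; }
        if (tok.size() != 2 ||
            tok.find_first_not_of("0123456789abcdefABCDEF") != std::string::npos)
            return {};
        sig.push_back({static_cast<uint8_t>(std::stoul(tok, nullptr, 16)), false});
    }
    return sig;
}

// Search buf[0, len) for sig. len is a byte count, not an end address.
// Returns the offset of the first match, or kNoMatch.
size_t FindSignature(const uint8_t* buf, size_t len, const std::vector<SigByte>& sig) {
    if (sig.empty() || sig.size() > len) return kNoMatch;
    for (size_t i = 0; i + sig.size() <= len; ++i) {
        size_t j = 0;
        while (j < sig.size() && (sig[j].wildcard || buf[i + j] == sig[j].value)) ++j;
        if (j == sig.size()) return i;
    }
    return kNoMatch;
}

// Constructed sample bytes (not taken from any real binary).
static const uint8_t kSample[] = {0x90, 0x90, 0x50, 0xE8, 0x11, 0x22,
                                  0x33, 0x44, 0x83, 0xC4, 0x1C};

int main() {
    size_t off = FindSignature(kSample, sizeof(kSample),
                               ParseSignature("50 E8 ?? ?? ?? ?? 83 C4 1C"));
    std::printf("match at offset %zu\n", off);
    return 0;
}
```

The loop bound `i + sig.size() <= len` lets a match end exactly on the last byte of the buffer without reading past it.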

V-X

Thanks for that man, I've made a little progress, but now I'm having an issue with VirtualQueryEx...
This is my code:
C#:
                Process pAlbion = Process.GetProcessesByName("Albion-Online")[0];

                SigScan scanner = new SigScan();
                scanner.Process = pAlbion;

                IntPtr iZoom = IntPtr.Zero;

                SystemInfo sI = new SystemInfo();
                GetSystemInfo(out sI);

                uint address = 0x0;
                MEMORY_BASIC_INFORMATION mBI = new MEMORY_BASIC_INFORMATION();

                while (address < 0x80000000)
                {
                    if (!VirtualQueryEx(pAlbion.Handle, new IntPtr(address), out mBI, Marshal.SizeOf(mBI)))
                        throw new Exception("VirtualQueryEx failed! Win32 Error Message: " + new Win32Exception(Marshal.GetLastWin32Error()).Message);

                    if (mBI.State == 0x00001000) // MEM_COMMIT = 0x00001000
                    {
                        Console.WriteLine("Correct State!");
                        if (mBI.Protect != Convert.ToUInt32(AllocationProtect.PAGE_NOACCESS))
                        {
                            Console.WriteLine("Protect correct!");
                            scanner.Address = new IntPtr(address);
                            scanner.Size = Convert.ToInt32(address + mBI.RegionSize);
                            iZoom = new IntPtr(scanner.FindPattern("89 4C 24 04 8B 4D C8 89 4C 24 08 50 E8 ?? ?? ?? ?? 83 C4 1C 8B 45 08 8B 4D C0", 12));
                            if (!iZoom.Equals(IntPtr.Zero))
                                break;
                            address += mBI.RegionSize;
                        }
                    }
                    else
                    {
                        address += sI.PageSize;
                    }
                }

                Console.WriteLine(iZoom.ToString());
                Console.ReadKey();
This is the error that is returned from Marshal.GetLastWin32Error():

Exception occurred: VirtualQueryEx failed! Win32 Error Message: Unknown error (0x8013141b)
 

V-X

Uhh, nvm. I think I fixed it. I took a leap of faith and did Process.EnterDebugMode() and it didn't return an error code...
Nevermind still not working

AHH fixed it, I was compiled to Any CPU instead of x86, problem solved.
 

V-X

So I took what you told me to do in discord, but still, can't get it to work.
Here's my current code:
C#:
                Process pAlbion = Process.GetProcessesByName("Albion-Online")[0];

                IntPtr iZoom = IntPtr.Zero;

                SystemInfo sI = new SystemInfo();
                GetSystemInfo(out sI);

                uint address = 0x0;
                MEMORY_BASIC_INFORMATION mBI = new MEMORY_BASIC_INFORMATION();
                Process.EnterDebugMode();
                List<Task> tasks = new List<Task>();
                bool found = false;
                long scans = 0;
                while (address < 0x7fffffff)
                {
                    if (found)
                    {
                        Console.WriteLine("Found!");
                        break;
                    }

                    if (!VirtualQueryEx(pAlbion.Handle, new IntPtr(address), out mBI, (uint)Marshal.SizeOf(mBI)))
                        throw new Exception("VirtualQueryEx failed! Win32 Error Message: " + new Win32Exception(Marshal.GetLastWin32Error()).Message);

                    if (mBI.State == 0x00001000 && mBI.Protect != Convert.ToUInt32(AllocationProtect.PAGE_NOACCESS)) // MEM_COMMIT = 0x00001000
                    {
                        Task t = Task.Run(() =>
                        {
                            SigScan scanner = new SigScan();
                            scanner.Process = pAlbion;
                            scanner.Address = new IntPtr(address);
                            scanner.Size = address + mBI.RegionSize;
                            iZoom = new IntPtr(scanner.FindPattern("89 4C 24 04 8B 4D C8 89 4C 24 08 50 E8 ?? ?? ?? ?? 83 C4 1C 8B 45 08 8B 4D C0", 12));
                            
                            scans++;
                            if (!iZoom.Equals(IntPtr.Zero))
                                found = true;
                        });

                        address += mBI.RegionSize;
                    }
                    else
                    {
                        address += sI.PageSize;
                    }
                }
                Task.WaitAll(tasks.ToArray());
                tasks.Clear();

                Console.WriteLine("Done!");
                Console.WriteLine("Total scans: " + scans.ToString());
                Console.WriteLine("Offset: " + iZoom.ToString());
                Console.ReadKey();
Here's what it outputs:
https://prntscr.com/c2y9ir
Takes only ~5 seconds with tasks, but uses an ungodly amount of RAM, it jumps to 2GB instantly.
 

V-X

So I took what you said to do, Rake, and implemented it a little better and with tasks so it will go quicker and it's still not functioning, any ideas?
C#:
                Process pAlbion = Process.GetProcessesByName("Albion-Online")[0];

                IntPtr iZoom = IntPtr.Zero;

                SystemInfo sI = new SystemInfo();
                GetSystemInfo(out sI);

                uint address = 0x0;
                MEMORY_BASIC_INFORMATION mBI = new MEMORY_BASIC_INFORMATION();
                Process.EnterDebugMode();
                List<Task> tasks = new List<Task>();
                bool found = false;
                long scans = 0;
                while (address < 0x7fffffff)
                {
                    if (found)
                    {
                        Console.WriteLine("Found!");
                        break;
                    }

                    if (!VirtualQueryEx(pAlbion.Handle, new IntPtr(address), out mBI, (uint)Marshal.SizeOf(mBI)))
                        throw new Exception("VirtualQueryEx failed! Win32 Error Message: " + new Win32Exception(Marshal.GetLastWin32Error()).Message);

                    if (mBI.State == 0x00001000 && mBI.Protect != Convert.ToUInt32(AllocationProtect.PAGE_NOACCESS)) // MEM_COMMIT = 0x00001000
                    {
                        Task t = Task.Run(() =>
                        {
                            SigScan scanner = new SigScan();
                            scanner.Process = pAlbion;
                            scanner.Address = new IntPtr(address);
                            scanner.Size = address + mBI.RegionSize;
                            iZoom = new IntPtr(scanner.FindPattern("89 4C 24 04 8B 4D C8 89 4C 24 08 50 E8 ?? ?? ?? ?? 83 C4 1C 8B 45 08 8B 4D C0", 12));

                            scans++;
                            if (!iZoom.Equals(IntPtr.Zero))
                                found = true;
                        });

                        address += mBI.RegionSize;
                    }
                    else
                    {
                        address += sI.PageSize;
                    }
                }
                Task.WaitAll(tasks.ToArray());
                tasks.Clear();

                Console.WriteLine("Done!");
                Console.WriteLine("Total scans: " + scans.ToString());
                Console.WriteLine("Offset: " + iZoom.ToString());
                Console.ReadKey();
Output:
https://prntscr.com/c2y9ir
 