Solved Pattern Scanning


dreamgun

Hello there,

I've worked with pattern scanning before on the game WarRock and always got it to work.
Now I'm trying to do the same for a game called The Forest. The addies I want to retrieve change on every game, that's why I want to solve it with pattern scanning.
Every time I trace the newly made addy I get to a part that's always the same, but at a different address (so I based my pattern on this with sigmaker and tested it, it only occurred once in Olly!). The problem is I never get a result at all. I'm sure it injects because I built in a messagebox...

This is that part:
C++:
First run:
734182FD   D99F EC000000     FSTP DWORD PTR DS:[EDI+EC]
73418303   8B05 CC9F8705     MOV EAX,DWORD PTR DS:[5879FCC]
73418309   0FB680 92000000   MOVZX EAX,BYTE PTR DS:[EAX+92]
73418310   85C0              TEST EAX,EAX
73418312   0F85 93000000     JNZ 734183AB

Second run:
7102C57D   D99F EC000000     FSTP DWORD PTR DS:[EDI+EC]
7102C583   0FB680 92000000   MOV EAX,DWORD PTR DS:[58F9FCC]
7102C589   0FB680 92000000   MOVZX EAX,BYTE PTR DS:[EAX+92]
7102C590   85C0              TEST EAX,EAX
7102C592   0F85 93000000     JNZ 7102C62B
So I want to get the 734182FD address. I created a signature with the sigmaker, and I did a custom one, but both retrieve no addresses at all.

I'm on Vista 64 bit. I tried to make a dump with ChimpRec but that failed because VirtualProtectEx was protected or something (that might be the issue for it not working..)

Does anyone have an idea where it goes wrong? If you want to see parts of the logger itself, please feel free to ask and I will post it!

Thanks in advance and kind regards!
 

till0sch

dreamgun said:
DWORD joajoa = FindPattern2(0x0154D000, 0x1E7000,(unsigned char*)"\x89\x46\x2C\x8B\x46\x18\x8B\x4E\x2C\x39\x48\x0C\0x0F\0x86","xx?xx?xx?xx?");
Correct me if I'm wrong, but I think the length of the mask and the pattern isn't even the same.. :confused:


EDIT:
DWORD joajoa1 = FindPattern((PBYTE)"\xD9\x9F\x00\x00\x00\x8B\x05\x00\x00\x00\x00\x0F\xB6\x80\x92\x00\x00\x00", "xxxxxxx????xxxxxxx", 0, true);

You missed a byte. D9 9F EC 0 0 0 8B ..
 

till0sch

I think it's because of this:
73418303 8B05 CC9F8705 MOV EAX,DWORD PTR DS:[5879FCC]
7102C583 0FB680 92000000 MOV EAX,DWORD PTR DS:[58F9FCC]

Those are addresses which change as well, and which aren't given relative but absolute, unlike e.g. your jumps:
73418312 0F85 93000000 JNZ 734183AB
7102C592 0F85 93000000 JNZ 7102C62B

which are relative.

The pattern would be
D9 9F EC 0 0 0 8B 05 X X X X 0F B6 80

Or in the dwPatternScan:
"xxxxxxxx????xxx"
 

dreamgun

Unfortunately still nothing :(

Edit: so I just searched for it in Cheat Engine again. If I NOP this specific line of code it does exactly what I want! But I just can't log this address with my DLL..

Here is the same piece of bytes again (this time in Cheat Engine):
(screenshot: 2425vtt.jpg)
 

dreamgun

C++:
// needs <windows.h> for BYTE/DWORD and <cstring> for strlen
bool Match2(const BYTE* pData, const BYTE* bMask, const char* szMask)
{
    // 'x' in szMask means the byte must match; any other mask char is a wildcard
    for (; *szMask; ++szMask, ++pData, ++bMask)
        if (*szMask == 'x' && *pData != *bMask)
            return false;
    return *szMask == '\0';
}


DWORD FindPattern2(DWORD dwAddress, DWORD dwLen, BYTE* bMask, char* szMask)
{
    // stop strlen(szMask) bytes before the end of the region so Match2 never reads past it
    DWORD dwPatLen = (DWORD)strlen(szMask);
    for (DWORD i = 0; i + dwPatLen <= dwLen; i++)
        if (Match2((BYTE*)(dwAddress + i), bMask, szMask))
            return (DWORD)(dwAddress + i);

    return 0;
}

and in the function I call on attaching:

Sleep(1000);
dwStartAddress = 0x0154D000; //0x400000;
do {
    dwStartAddress = (DWORD)GetModuleHandle("TheForest.exe");
    Sleep(10);
} while (!dwStartAddress);
time_t rawtime;
struct tm * timeinfo;
char buffer[80];

time(&rawtime);
timeinfo = localtime(&rawtime);
dwSize = 0x1E7000; //0x140000;

DWORD joajoa = FindPattern2(0x0154D000, 0x1E7000, (unsigned char*)"\x89\x46\x2C\x8B\x46\x18\x8B\x4E\x2C\x39\x48\x0C\0x0F\0x86", "xx?xx?xx?xx?");

The above dword is logged in a txt file and so is the one below. I tried two different findpatterns to see if that was an issue but it's not.
C++:
DWORD joajoa1 = FindPattern((PBYTE)"\xD9\x9F\x00\x00\x00\x8B\x05\x00\x00\x00\x00\x0F\xB6\x80\x92\x00\x00\x00", "xxxxxxx????xxxxxxx", 0, true);


Uses this findpattern:

// needs <windows.h> for BYTE/DWORD/BOOL and <cstring> for strlen;
// dwStartAddress and dwSize are the globals set in the attach function
BOOL bCompare(const BYTE* pData, const BYTE* bMask, const char* szMask)
{
	// 'x' in szMask means the byte must match; any other mask char is a wildcard
	for (; *szMask; ++szMask, ++pData, ++bMask)
	{
		if (*szMask == 'x' && *pData != *bMask)
			return FALSE;
	}

	return *szMask == '\0';
}

DWORD FindPattern(BYTE *bMask, char * szMask, int codeOffset, BOOL extract)
{
	// stop strlen(szMask) bytes before the end of the region so bCompare never reads past it
	DWORD dwPatLen = (DWORD)strlen(szMask);
	for (DWORD i = 0; i + dwPatLen <= dwSize; i++)
	{
		if (bCompare((BYTE*)(dwStartAddress + i), bMask, szMask))
		{
			if (extract)
			{
				// read the DWORD at the match (e.g. an absolute operand) instead of returning the address
				return *(DWORD*)(dwStartAddress + i + codeOffset);
			}
			else
			{
				return (DWORD)(dwStartAddress + i + codeOffset);
			}
		}
	}
	return 0;
}
 
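As an added example that is not code from this thread, the following C++ program ties together till0sch's point about wildcarding the absolute MOV operand and the two FindPattern routines posted above. It scans a constructed in-memory buffer rather than a live process (so it runs offline), parses a space-separated hex pattern with ? wildcards into bytes plus mask (a convenience the thread's code does not have), rejects a mask whose length disagrees with its byte pattern, bounds the scan so the compare never runs past the region, and reads the absolute operand out of the match the way FindPattern(..., extract) does. The sample buffers are constructed from the two listings in the first post; run 2's MOV operand bytes are re-encoded here from its disassembly (DS:[58F9FCC], little-endian) because the byte column posted for that line is garbled.

```cpp
// Added example (not code from the thread): a bounds-checked signature scanner
// with a pattern parser, mask validation and operand extraction.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <sstream>
#include <string>
#include <vector>

struct Pattern {
    std::vector<uint8_t> bytes;  // expected byte at each position (ignored where mask is '?')
    std::string mask;            // 'x' = must match, '?' = wildcard
};

// "D9 9F EC 00 00 00 8B 05 ? ? ? ? 0F B6 80" -> bytes + mask, so the wildcard
// positions are written once instead of kept in sync with a separate mask string.
static Pattern ParsePattern(const std::string& text) {
    Pattern p;
    std::istringstream in(text);
    std::string tok;
    while (in >> tok) {
        if (tok == "?" || tok == "??") {
            p.bytes.push_back(0);
            p.mask.push_back('?');
        } else {
            p.bytes.push_back(static_cast<uint8_t>(std::stoul(tok, nullptr, 16)));
            p.mask.push_back('x');
        }
    }
    return p;
}

// A mask shorter or longer than its byte pattern is the mistake pointed out in
// the thread; reject it before scanning instead of silently mis-aligning.
static bool PatternIsWellFormed(const Pattern& p) {
    return !p.mask.empty() && p.mask.size() == p.bytes.size() &&
           p.mask.find_first_not_of("x?") == std::string::npos;
}

// Offset of the first match in [data, data+len), or -1. The loop stops
// mask.size() bytes before the end, so the compare never reads past the buffer.
static long FindPattern(const uint8_t* data, size_t len, const Pattern& p) {
    if (!PatternIsWellFormed(p) || p.mask.size() > len) return -1;
    for (size_t i = 0; i + p.mask.size() <= len; ++i) {
        bool hit = true;
        for (size_t j = 0; j < p.mask.size(); ++j) {
            if (p.mask[j] == 'x' && data[i + j] != p.bytes[j]) { hit = false; break; }
        }
        if (hit) return static_cast<long>(i);
    }
    return -1;
}

static uint32_t ReadLE32(const uint8_t* p) {
    return uint32_t(p[0]) | (uint32_t(p[1]) << 8) | (uint32_t(p[2]) << 16) | (uint32_t(p[3]) << 24);
}

// Constructed sample buffers: the instruction sequence from the thread's two runs,
// surrounded by 0xCC padding of different lengths. Run 2's operand bytes are
// re-encoded from its disassembly (assumption: DS:[58F9FCC] -> CC 9F 8F 05).
static const std::vector<uint8_t> kRun1 = {
    0xCC,0xCC,0xCC,0xCC,0xCC,
    0xD9,0x9F,0xEC,0x00,0x00,0x00,        // FSTP DWORD PTR DS:[EDI+EC]
    0x8B,0x05,0xCC,0x9F,0x87,0x05,        // MOV EAX,DWORD PTR DS:[5879FCC]  (absolute)
    0x0F,0xB6,0x80,0x92,0x00,0x00,0x00,   // MOVZX EAX,BYTE PTR DS:[EAX+92]
    0x85,0xC0,                            // TEST EAX,EAX
    0x0F,0x85,0x93,0x00,0x00,0x00,        // JNZ +0x93 (relative: same bytes every run)
    0xCC,0xCC};
static const std::vector<uint8_t> kRun2 = {
    0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,
    0xD9,0x9F,0xEC,0x00,0x00,0x00,
    0x8B,0x05,0xCC,0x9F,0x8F,0x05,        // MOV EAX,DWORD PTR DS:[58F9FCC]  (absolute, differs)
    0x0F,0xB6,0x80,0x92,0x00,0x00,0x00,
    0x85,0xC0,
    0x0F,0x85,0x93,0x00,0x00,0x00,
    0xCC,0xCC};

// till0sch's pattern: the four absolute-address bytes after 8B 05 are wildcards.
static long ScanWithWildcards(const std::vector<uint8_t>& buf) {
    return FindPattern(buf.data(), buf.size(), ParsePattern("D9 9F EC 00 00 00 8B 05 ? ? ? ? 0F B6 80"));
}

// Same sequence with run 1's operand hard-coded: matches run 1 only.
static long ScanExact(const std::vector<uint8_t>& buf) {
    return FindPattern(buf.data(), buf.size(), ParsePattern("D9 9F EC 00 00 00 8B 05 CC 9F 87 05 0F B6 80"));
}

// The absolute operand sits 8 bytes into the match (after D9 9F EC 00 00 00 8B 05).
static uint32_t ExtractMovOperand(const std::vector<uint8_t>& buf) {
    long off = ScanWithWildcards(buf);
    return off < 0 ? 0 : ReadLE32(buf.data() + off + 8);
}

// The 14-byte pattern with the 12-character mask from the thread is rejected.
static bool MismatchedMaskIsRejected() {
    Pattern p;
    p.bytes = {0x89,0x46,0x2C,0x8B,0x46,0x18,0x8B,0x4E,0x2C,0x39,0x48,0x0C,0x0F,0x86};
    p.mask  = "xx?xx?xx?xx?";
    return !PatternIsWellFormed(p);
}

int main() {
    std::printf("wildcard scan: run1 @ %ld, run2 @ %ld\n", ScanWithWildcards(kRun1), ScanWithWildcards(kRun2));
    std::printf("exact scan:    run1 @ %ld, run2 @ %ld\n", ScanExact(kRun1), ScanExact(kRun2));
    std::printf("MOV operand:   run1 = 0x%08X, run2 = 0x%08X\n",
                (unsigned)ExtractMovOperand(kRun1), (unsigned)ExtractMovOperand(kRun2));
    std::printf("mismatched mask rejected: %s\n", MismatchedMaskIsRejected() ? "yes" : "no");
    return 0;
}
```

In a real scanner the data pointer and length would be the module base and SizeOfImage (as Rake's GetModuleInformation snippet below obtains them) rather than a constructed vector; everything else stays the same.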

till0sch

Why are you setting dwStartAddress and dwSize and then call it like this anyways?
FindPattern2(0x0154D000, 0x1E7000, ..)

Also use
dwStartAddress = (DWORD)GetModuleHandle(0);
 

dreamgun

The dwStartAddress is used by the second FindPattern function. I'll give that a try!

How do I determine the size?
 

Rake

https://msdn.microsoft.com/en-us/library/windows/desktop/ms683201(v=vs.85).aspx
https://msdn.microsoft.com/en-us/library/windows/desktop/ms684229(v=vs.85).aspx

C++:
    // needs <windows.h> and <psapi.h> (link psapi.lib); base and size come from the module's PE header
    MODULEINFO lpMod;
    GetModuleInformation(GetCurrentProcess(), GetModuleHandle(NULL), &lpMod, sizeof(MODULEINFO));

    printf("Entry Point -> 0x%lX\n", (unsigned long)lpMod.EntryPoint);
    printf("Base -> 0x%lX\n", (unsigned long)lpMod.lpBaseOfDll);
    printf("Size of Image -> 0x%lX\n\n", (unsigned long)lpMod.SizeOfImage);

    printf("Scan:\nFrom -> 0x%lX | To -> 0x%lX\n", (unsigned long)lpMod.lpBaseOfDll, (unsigned long)lpMod.lpBaseOfDll + lpMod.SizeOfImage);
 

dreamgun

Thank you! So this part should be correct as well. Does any of you know whether VirtualQueryEx is protected? Either by the game or by Windows Vista?
 

dreamgun

Yes, there are some mistakes in there, I see. The result of failing for 2 days in a row haha. But the pattern I made with sigmaker also didn't work.
I know this sounds silly now, but trust me, the patterns are fine xD
 