Solved VB 2010 - Sig/Pattern scanning


Croser

Dec 28, 2014
Hey guys,

I ran into a bit of a trouble when trying to do a pattern scan.

First off I followed Fleep's tutorial on Sig/Pattern scanning, (https://guidedhacking.com/showthread.php?3981-C-Signature-Pattern-Scanning-Tutorial-DIFFICULTY-3-10) ( Difficulty 3 / 10, I feel stupider by the minute >.< ) but since he's using C++ and I'm coding my app in Basic I couldn't just copy/paste the code, and having very little to no C++ knowledge ( or byte scanning in general anyway ) I went with the next best thing and tried to build his tutorial project, and then just reference the .DLL in my VB project and use its functions. And while I have successfully used this method in the past ( building a C# class into a .dll and using it in my vb project ), it just didn't work this time, for whatever reason ( probably because there is no Class, just a header, whatever the hell that is ). After countless tries I have, naturally, given up on this idea and went back to google. A few hours later, I've managed to get my hands on what looked like a promising piece of code.

This promising looking piece of code has, unfortunately for me, turned into a major kick in the balls as it threw a stack imbalance exception upon execution. From what I've read, it is a straightforward error with a fairly 'simple' fix. I've been staring at it for the past 2 hours and I still have no idea as to what in the hell does it want from me. Then again, I'm so tired I couldn't code a 'Hello World' app right now. I was so excited about 15 hours ago, when I first discovered this alternative to pointers and whatnot. As the game I'm trying to read the memory of has an airtight security, not to mention the anti-debugging stuff. It was a major pain in the ass to just hook it to olly. ( I'm currently using Assault Cube for testing purposes )

The exception :

PInvokeStackImbalance was detected
Message: A call to PInvoke function 'WindowsApplication1!WindowsApplication1.Module1::ReadProcessMemory' has unbalanced the stack. This is likely because the managed PInvoke signature does not match the unmanaged target signature. Check that the calling convention and parameters of the PInvoke signature match the target unmanaged signature.
With that said, here's the code I'm using. ( Ignore the names (Module1, WindowsFormApp etc..) I'm desperate here.)
Credits to whoever wrote this. I literally went through tens of thousands of lines of code when desperately trying to get it to work, I don't even know anymore.
Simple thing my ass.

Module1.vb:
C#:
Module Module1
    Public Declare Function OpenProcess Lib "KERNEL32" _
    (ByVal DesiredAccess As Int32, _
     ByVal InheritHandle As Boolean, _
     ByVal ProcessId As Int32) _
    As Int32

    Private Declare Function ReadProcessMemory Lib "KERNEL32" _
    (ByVal Handle As Int32, _
     ByVal address As Int32, _
     ByRef Value As Int32, _
     Optional ByVal Size As Int32 = 4, _
     Optional ByVal lpNumberOfBytesWritten As Int64 = 0) _
    As Long

    Public PROCESS_VM_OPERATION As Int32 = 8
    Public PROCESS_VM_READ As Int32 = 16
    Public PROCESS_VM_WRITE As Int32 = 32

    Private process_id As Int32 = 0
    Public pHandle As Integer = 0

    Public Function GetProcessId(ByVal game_name As String) As Boolean
        Dim Processes() As Process = Process.GetProcesses
        Dim process_name As String
        Dim i As Byte
        For i = LBound(Processes) To UBound(Processes)
            process_name = Processes(i).ProcessName
            If process_name = game_name Then
                process_id = Processes(i).Id
                pHandle = OpenProcess(PROCESS_VM_OPERATION + PROCESS_VM_WRITE + PROCESS_VM_READ, False, process_id)
                Return True
            End If
        Next
        If process_id = 0 Then
            Return False
        End If
        Return False
    End Function

    Public Function ReadByte(ByVal address As Int32) As Integer
        Dim value As Integer
        ReadProcessMemory(pHandle, address, value, 1, 0) ' <-- this is where the exception points to
        Return value
    End Function

    Public Function AOBSCAN(ByVal GameName As String, ByVal ModuleName As String, ByVal Signature As Byte(), ByVal Mask As Byte()) As Integer
        Dim BaseAddress, EndAddress As Int32
        For Each PM As ProcessModule In Process.GetProcessesByName(GameName)(0).Modules
            If ModuleName = PM.ModuleName Then
                BaseAddress = PM.BaseAddress
                EndAddress = BaseAddress + PM.ModuleMemorySize
            End If
        Next
        Dim curAddr As Int32 = BaseAddress
        Do
            For i As Integer = 0 To Signature.Length - 1
                If ReadByte(curAddr + i) = Signature(i) Or Mask(i) = &H0 Then
                    If i = Signature.Length - 1 Then
                        MsgBox(curAddr.ToString("X"))
                        Return curAddr
                    End If
                    Continue For
                End If
                Exit For
            Next
            curAddr += 1
        Loop While curAddr < EndAddress
        Return 0
    End Function
End Module


Usage :
C#:
 Dim sigAddresses As Integer = AOBSCAN("ac_client", "ac_client.exe", New Byte() {&H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0}, New Byte() {&H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0})
'Not an actual byte pattern and mask. Also, Assault Cube FTW
If someone could just help me and / or tell me what to change, so I can get this little thing to work as it's the last thing I need for my project. Once I have this, and am able to grab the addresses, my life will be complete and I'll love you forever.

Thanks.
 

mambda

Jun 25, 2014
How'd you fix this?
For one you want to make sure your size is accurate, a size of 1 is wrong unless you really only want to read one byte, if so, then you want to pass in a byte, not an integer because an integer is 4 bytes.

Secondly, you want to pass the address of your buffer, not the buffer itself ( i.e. &integerBuffer, &byteBuffer ) , not sure how it works in VB.Net though, is that what you're also coding in?

Complete vb.net memory class Source Code - Nether's VB Memory Class
 
Last edited by a moderator:
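
The stack imbalance in the question comes from the declaration itself: on 32-bit x86 the native function removes 20 bytes of arguments (five 4-byte values), while the posted `Declare` pushes 24 because its last parameter is an `Int64`. The following VB.NET code is an added example, not code from the thread; it declares the function to match the Win32 prototype and reads a constructed 4-byte array from its own process (the module name and the sample bytes are assumptions).

```vbnet
Imports System.ComponentModel
Imports System.Diagnostics
Imports System.Runtime.InteropServices

Module PInvokeSignatureExample   ' hypothetical name, not from the thread
    ' Win32 prototype:
    '   BOOL ReadProcessMemory(HANDLE hProcess, LPCVOID lpBaseAddress,
    '                          LPVOID lpBuffer, SIZE_T nSize,
    '                          SIZE_T *lpNumberOfBytesRead);
    ' HANDLE, pointers and SIZE_T are pointer-sized, so they map to IntPtr.
    ' BOOL is 4 bytes; VB.NET Long is 8 bytes and is not a valid return type here.
    ' No Optional parameters: every argument is always pushed with its real size.
    <DllImport("kernel32.dll", SetLastError:=True)>
    Private Function ReadProcessMemory(ByVal hProcess As IntPtr,
                                       ByVal lpBaseAddress As IntPtr,
                                       <Out()> ByVal lpBuffer As Byte(),
                                       ByVal nSize As IntPtr,
                                       ByRef lpNumberOfBytesRead As IntPtr) As Boolean
    End Function

    Sub Main()
        ' Constructed sample data, pinned so its address stays fixed for the call.
        Dim source As Byte() = {&HDE, &HAD, &HBE, &HEF}
        Dim pin As GCHandle = GCHandle.Alloc(source, GCHandleType.Pinned)
        Try
            ' The buffer is as large as the requested size; a one-byte read
            ' would use a one-element Byte array and a size of 1.
            Dim dest(source.Length - 1) As Byte
            Dim bytesRead As IntPtr = IntPtr.Zero
            Dim ok As Boolean = ReadProcessMemory(Process.GetCurrentProcess().Handle,
                                                  pin.AddrOfPinnedObject(),
                                                  dest,
                                                  New IntPtr(dest.Length),
                                                  bytesRead)
            If Not ok Then
                ' SetLastError:=True makes the Win32 error code available here.
                Throw New Win32Exception(Marshal.GetLastWin32Error())
            End If
            Console.WriteLine("{0} bytes read: {1}",
                              bytesRead.ToInt64(), BitConverter.ToString(dest))
        Finally
            pin.Free()
        End Try
    End Sub
End Module
```
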

Solaire

Dec 15, 2013
Glad you were able to solve it!

PS. Why not just learn C++?
 