Array of bytes scan Topic is solved

[Kolonel]

Searching for a unique array of bytes that contains wildcards, for example 7E 08 ?? ?? ?? D8 01 using classMemory.ahk
Anyone can give me an example oh how to search for arrays with wildcards?

[boiler]

Read all seven bytes starting at a given address, then just check to see if the first two and the last two are equal to their respective non-wildcard bytes in your pattern (i.e., don't check the wildcard bytes).

[Kolonel]

Read all seven bytes starting at a given address, then just check to see if the first two and the last two are equal to their respective non-wildcard bytes in your pattern (i.e., don't check the wildcard bytes).

In reality my array is: 7E 08 00 00 00 00 00 00 00 ?? ?? ?? ?? 00 00 00 00 ?? ?? ?? 7E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
(less 00 will not return an unique one)
So as you can see I have some "??" in middle too, that's why I was looking for an example with the memory class

[boiler]

I don't use that class, so I'd have to dig into it to show an actual example. But the logic for what you described is the same. Compare each byte going byte-by-byte, and if the byte in your array is a wildcard, then skip that one when considering it as a match and continue checking the rest as if everything matched so far.

[boiler]

Without using the class myself, the search could look something like this:

Code: Select all

; set up class for desired process with something like:
Mem := new _ClassMemory("ahk_exe MyProcessName.exe", "", hProcessCopy)

MyArray := [0x7E,0x08,00,00,00,00,00,00,00,"??","??","??","??",00,00,00,00,"??","??","??",0x7E,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00]
Length := 1000000 ; assign the number of bytes to search, however that is determined

FoundAddress := 0
loop, % Length {
	Offset := A_Index - 1
	for Index, Byte in MyArray
		if (Byte != Mem.Read(Mem.BaseAddress, "UChar", Offset + Index - 1)) && (Byte != "??")
			continue 2 ; move to next offset
	; got here if there is a match over the whole array
	FoundAddress := Mem.BaseAddress + Offset
	break
}
if FoundAddress
	MsgBox, % "Match was found as memory address " FoundAddress
else
	MsgBox, No match was found

[RHCP]

There are specific pattern scan methods in the class which utilise machine code. These will be orders of magnitude faster and they should avoid other issues which can happen when blindly reading addresses incrementally.

Code: Select all

mem := new _ClassMemory("ahk_exe MyProcessName.exe", "", hProcessCopy)


pattern := [0x7E,0x08,00,00,00,00,00,00,00,"??","??","??","??",00,00,00,00,"??","??","??",0x7E,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00]
; alternatively you can do:
;	pattern := mem.hexStringToPattern("7E 08 00 00 00 00 00 00 00 ?? ?? ?? ?? 00 00 00 00 ?? ?? ?? 7E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00")


address := mem.processPatternScan(,, pattern*)
address := mem.modulePatternScan(, pattern*) ; this should work too (if the pattern is in main module) and might be slightly faster.