منذ 7 ساعات
The core algorithm
SSE2 requires hardware support, but a very small number of devices do not support it, so a purely software-based implementation is provided…
① It supports wildcards and half-bytes at the beginning, middle, and end using a mask;
② After finding the first element in the feature code byte sequence that is not '??', subsequent bytes are only compared for feature bytes that are not '??', thus optimizing the number of comparison bytes.
Code:
SSE2 requires hardware support, but a very small number of devices do not support it, so a purely software-based implementation is provided…
① It supports wildcards and half-bytes at the beginning, middle, and end using a mask;
② After finding the first element in the feature code byte sequence that is not '??', subsequent bytes are only compared for feature bytes that are not '??', thus optimizing the number of comparison bytes.
Code:
#include <iostream>
#include <windows.h>
int main()
{
//Simulate bytes of data in memory
BYTE MemByte[] = { 0x33, 0xC9, 0x89, 0x0D, 0xB4, 0x67, 0x92, 0x77, 0x89, 0x0D, 0xB8, 0x67, 0x92, 0x77, 0x88, 0x08, 0x38, 0x48, 0x02, 0x74, 0x05, 0xE8, 0x94, 0xFF, 0xFF, 0xFF, 0x33, 0xC0, 0xC3, 0x8B, 0xFF, 0x55, 0x8B, 0xEC, 0x83, 0xE4, 0xF8 };
//The signature is: ?9 ?? 0? ?? 67
//This will be processed as: F9 FF 0F FF 67 for matching.
std::string pattern = "?9 ?? 0? ?? 67";
int index = 0;
while ((index = pattern.find(' ', index)) >= 0) pattern.erase(index, 1); // Remove all spaces from the pattern signature
size_t len = pattern.length() / 2; // Calculate the pattern length
size_t nFirstMatch = len; // Skip the header and record the position of the first match (half-character or non-`?`) to optimize the search.
BYTE* pMarkCode = new BYTE[len]; // Store the converted feature code bytes
BYTE* pWildcard = new BYTE[len]; // Stores wildcards (??=FF, ?=F, non-?=0) in the characteristic string.
//Process the signature string and convert it into a byte array
for (size_t i = 0; i < len; i++)
{
std::string tmpStr = pattern.substr(i * 2, 2);
if ("??" == tmpStr) // This is the characteristic character of "??"
{
tmpStr = "FF";
pWildcard[i] = 0xFF;
}
else // Not a character with the characteristic of "??"
{
if ('?' == tmpStr[0]) // The left half-byte is '?'
{
tmpStr[0] = 'F';
pWildcard[i] = (0xF << 4);
}
else if ('?' == tmpStr[1]) // The right half-byte is '?'
{
tmpStr[1] = 'F';
pWildcard[i] = 0xF;
}
else
{
pWildcard[i] = 0x0;
}
if (nFirstMatch == len) nFirstMatch = i;
}
pMarkCode[i] = strtoul(tmpStr.c_str(), nullptr, 16);
}
// Search memory, matching feature code algorithm
for (size_t m = 0; m < sizeof(MemByte); ++m)
{
if (!((MemByte[m] | pWildcard[nFirstMatch]) ^ pMarkCode[nFirstMatch])) // Match the first byte
{
size_t offset = m - nFirstMatch; // Record the offset
for (size_t n = nFirstMatch; n < len; ++n) // Match subsequent bytes
{
if (offset > sizeof(MemByte) - len) break; // Out of memory range
if (pWildcard[n] != 0xFF) // If the following bytes are wildcards "??", skip them. This line of code can optimize the search.
if ((MemByte[offset + n] | pWildcard[n]) ^ pMarkCode[n]) break; // Match failed
if (n + 1 == len) // Match successful
{
printf("%Ix\n", MemByte[m - nFirstMatch]);
}
}
}
}
system("pause");
return 0;
}
LEARNING