قوانين المنتدى | إعلانات هامة | صفحة المبتدئين | كتاب الفريق الأول | كتاب الفريق الثاني | مجلة الفريق | أسطوانتين للمبتدئين | من نحن ؟ | تبرع للموقع | Donate

الفريق العربي للهندسة العكسية منتديات البرمجة - Programming Forums البرمجة بلغة السى و السى بلس بلس ++C & C v
Memory Signature Brute-Force Search Algorithm Supports ?? F? ?F

تقييم الموضوع :
  • 0 أصوات - بمعدل 0
  • 1
  • 2
  • 3
  • 4
  • 5
ادوات الموضوع
Memory Signature Brute-Force Search Algorithm Supports ?? F? ?F
Lauda937 غير متصل
.: عضو نشيط :.
*
المشاركات : 31
المواضيع : 25
الإعجاب المحصل: 3
الإعجاب المعطى: 24
الإنتساب : Aug 2022
السمعة : 4
#1
منذ 5 ساعات
The core algorithm
SSE2 requires hardware support, but a very small number of devices do not support it, so a purely software-based implementation is provided…

① It supports wildcards and half-bytes at the beginning, middle, and end using a mask;
② After finding the first element in the feature code byte sequence that is not '??', subsequent bytes are only compared for feature bytes that are not '??', thus optimizing the number of comparison bytes.

Code:


#include <iostream>
#include <windows.h>
 
int main()
{
    //Simulate bytes of data in memory
    BYTE MemByte[] = { 0x33, 0xC9, 0x89, 0x0D, 0xB4, 0x67, 0x92, 0x77, 0x89, 0x0D, 0xB8, 0x67, 0x92, 0x77, 0x88, 0x08, 0x38, 0x48, 0x02, 0x74, 0x05, 0xE8, 0x94, 0xFF, 0xFF, 0xFF, 0x33, 0xC0, 0xC3, 0x8B, 0xFF, 0x55, 0x8B, 0xEC, 0x83, 0xE4, 0xF8 };
 
    //The signature is: ?9 ?? 0? ?? 67
    //This will be processed as: F9 FF 0F FF 67 for matching.
    std::string pattern = "?9 ?? 0? ?? 67";
    int index = 0;
    while ((index = pattern.find(' ', index)) >= 0) pattern.erase(index, 1); // Remove all spaces from the pattern signature
    size_t len ​​= pattern.length() / 2; // Calculate the pattern length
    size_t nFirstMatch = len; // Skip the header and record the position of the first match (half-character or non-`?`) to optimize the search.
    BYTE* pMarkCode = new BYTE[len]; // Store the converted feature code bytes
    BYTE* pWildcard = new BYTE[len]; // Stores wildcards (??=FF, ?=F, non-?=0) in the characteristic string.
 
    //Process the signature string and convert it into a byte array
    for (size_t i = 0; i < len; i++)
    {
        std::string tmpStr = pattern.substr(i * 2, 2);
        if ("??" == tmpStr) // This is the characteristic character of "??"
        {
            tmpStr = "FF";
            pWildcard[i] = 0xFF;
        }
        else // Not a character with the characteristic of "??"
        {
            if ('?' == tmpStr[0]) // The left half-byte is '?'
            {
                tmpStr[0] = 'F';
                pWildcard[i] = (0xF << 4);
            }
            else if ('?' == tmpStr[1]) // The right half-byte is '?'
            {
                tmpStr[1] = 'F';
                pWildcard[i] = 0xF;
            }
            else
            {
                pWildcard[i] = 0x0;
            }
            if (nFirstMatch == len) nFirstMatch = i;
        }
 
        pMarkCode[i] = strtoul(tmpStr.c_str(), nullptr, 16);
    }
 
    // Search memory, matching feature code algorithm
    for (size_t m = 0; m < sizeof(MemByte); ++m)
    {
        if (!((MemByte[m] | pWildcard[nFirstMatch]) ^ pMarkCode[nFirstMatch])) // Match the first byte
        {
            size_t offset = m - nFirstMatch; // Record the offset
            for (size_t n = nFirstMatch; n < len; ++n) // Match subsequent bytes
            {
                if (offset > sizeof(MemByte) - len) break; // Out of memory range
                if (pWildcard[n] != 0xFF) // If the following bytes are wildcards "??", skip them. This line of code can optimize the search.
                    if ((MemByte[offset + n] | pWildcard[n]) ^ pMarkCode[n]) break; // Match failed
                if (n + 1 == len) // Match successful
                {
                    printf("%Ix\n", MemByte[m - nFirstMatch]);
                }
            }
        }
    }
    system("pause");
    return 0;
}
LEARNING
البحث


التنقل السريع :


يقوم بقرائة الموضوع: