AOB_scan.nim
  1. # A very simple demonstration of an array of bytes scanner
  2. # Written by Hel
  3. # Compiled with the Nim compiler version 0.17.2, https://nim-lang.org
  4.  
  5.  
  6. import oldwinapi/windows, winlean # https://github.com/nim-lang/oldwinapi
  7. # the Win32 declarations could also be imported straight from the C headers, but this wrapper is easier
  8.  
  9. from strutils import toHex
  10. from sequtils import delete
  11.  
proc AOB*(hook: windows.HANDLE, start_address: int64, end_address: int64, bytes_to_scan_for: string): int64= # `hook` is the handle of the process whose memory is read
    ## Scans the memory of the process behind `hook`, one byte at a time, for
    ## the byte pattern `bytes_to_scan_for` and returns the address at which
    ## the pattern was first matched.
    ##
    ## `hook`: process handle passed straight to ReadProcessMemory. Nothing
    ##   here verifies that it carries read access to the target's memory.
    ## `start_address`, `end_address`: address range that is read, with
    ##   `start_address` inclusive and `end_address` exclusive (the loop stops
    ##   when the cursor reaches `end_address`, so that byte is never read).
    ## `bytes_to_scan_for`: space-separated tokens, one per byte, in the
    ##   format `toHex` produces for a `byte` (two upper-case hex digits);
    ##   the token `??` matches any byte. Lower-case or single-digit tokens
    ##   never compare equal and therefore never match.
    ## Returns `start_address` plus the offset of the first matching window.
    ##
    ## NOTE(review): there is no "not found" result. When the range is
    ##   exhausted without a match the proc still returns
    ##   `start_address + x`, which is then just the last window offset, so a
    ##   caller cannot distinguish a miss from a hit.
    ## NOTE(review): the status returned by ReadProcessMemory is discarded.
    ##   On an unreadable page `current_byte` keeps its previous value and is
    ##   appended as if it had been read, which can produce false matches.
    ## NOTE(review): `while num_addr != end_address` never terminates if
    ##   `start_address > end_address`; a `<` comparison would be safer.
    ## NOTE(review): `aob` keeps one string per byte scanned, so memory grows
    ##   linearly with the size of the range; a sliding window of
    ##   `tokens.len` entries would suffice.
    var # variable declaration
        num_addr = start_address # cursor of the next address to read
        end_addr = end_address # unused; the loop compares against `end_address` directly
        return_address: int64 = start_address # advanced by the match offset before returning
        data = bytes_to_scan_for # local copy so the '*' terminator can be appended
        buf: string = "" # characters of the token currently being assembled
        tokens: seq[string] = @[] # the pattern split into per-byte tokens
        aob: seq[string] = @[] # every byte read so far, as a hex string
        lex: seq[string] = @[] # unused
        compare_seq: seq[string] = @[] # current window of `aob`, `tokens.len` entries wide
        jokers_at: seq[int] = @[] # token indices that hold `??` (wildcard bytes)
        current_byte: byte # destination buffer for each single-byte read
        proc_hook: windows.HANDLE = hook
        tok_len: int = tokens.len # unused; evaluated while `tokens` is still empty, so it is 0
        x: int = 0 # offset of the current comparison window within `aob`
        z: int = 0 # token index while collecting `jokers_at`

    data.add('*') # sentinel marking the end of the pattern so the last token is flushed
    for i in data: # tokenize the pattern on spaces into `tokens`
        buf.add(i) # the separator is added first and then removed again below
        if i == ' ': # end of a token
            buf.popf # NOTE(review): presumably drops the separator just appended; `popf` is not a current stdlib name - confirm where it comes from
            tokens.add(buf) # store the finished token
            buf = "" # start the next token
        elif i == '*': # the sentinel appended above: flush the last token
            buf.popf # drop the '*'
            tokens.add(buf)
            buf = ""

    for i in tokens: # remember which token positions are wildcards
        if i == "??":
            jokers_at.add(z) # index of the `??` within the pattern
        z += 1 # `z` tracks the index of the token being inspected

    while num_addr != end_address: # advance one byte at a time until the cursor reaches `end_address`
        discard ReadProcessMemory(proc_hook, (LPVOID)cast[ptr byte](num_addr), LPVOID(addr(current_byte)), cast[windows.DWORD](sizeof((current_byte))),nil) # reads a single byte; NOTE(review): the BOOL result is dropped, so read failures go unnoticed
        num_addr += 0x1 # move the cursor to the next address
        aob.add(toHex(current_byte)) # append the byte as a two-digit upper-case hex string

        if aob.len > tokens.len: # compare only once more than `tokens.len` bytes have been read; NOTE(review): with `>` the window ending on the newest byte is never compared, so a pattern sitting at the very end of the range is missed
            compare_seq = aob[x .. (tokens.len - 1) + x] # window of `tokens.len` bytes starting at offset `x`
            if jokers_at.len > 0: # blank out wildcard positions so they compare equal to `??`
                for i in jokers_at:
                    compare_seq[i] = "??"
            if compare_seq == tokens: # element-wise string comparison of the window against the pattern
                break # match found; `x` is its offset from `start_address`
            x += 1 # slide the window forward by one byte
        discard current_byte # no-op: discarding a variable does not free or reset anything

    for i in 1..x: # equivalent to `return_address += x`
        return_address += 0x1

    return return_address # `start_address + x`; see the doc comment for the not-found caveat