- # A very simple demonstration of an array of bytes scanner
- # Written by Hel
- # Compiled with the Nim compiler version 0.17.2, https://nim-lang.org
import oldwinapi/windows, winlean # https://github.com/nim-lang/oldwinapi
# you could just directly import everything from C but this is easier
from strutils import toHex, parseHexInt, splitWhitespace
from sequtils import delete
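proc AOB*(hook: windows.HANDLE, start_address: int64, end_address: int64,
          bytes_to_scan_for: string): int64 =
  ## Array-of-bytes scan over the memory of the process behind `hook`.
  ##
  ## `bytes_to_scan_for` is a whitespace-separated list of hex bytes
  ## ("48 8B 05 ??"); the token `??` is a wildcard that matches any byte.
  ## Memory is read one byte at a time from `start_address` up to, but not
  ## including, `end_address`.
  ##
  ## Returns the address of the first byte of the first match, or -1 when the
  ## pattern does not occur in the range.
  ## Raises `ValueError` when a token is neither `??` nor a hex byte 00..FF.
  const Joker = -1  # marks a `??` token in the compiled pattern

  # Compile the textual pattern once so the scan loop compares integers
  # instead of allocating a hex string per byte read.
  var pattern: seq[int] = @[]
  for tok in splitWhitespace(bytes_to_scan_for):
    if tok == "??":
      pattern.add(Joker)
    else:
      var value = -1
      try:
        value = parseHexInt(tok)
      except ValueError:
        discard  # reported by the range check below
      if value < 0 or value > 0xFF:
        raise newException(ValueError, "bad pattern byte: " & tok)
      pattern.add(value)
  let patLen = pattern.len
  # An empty pattern, an inverted range or a range shorter than the pattern
  # can never match; the previous version looped (or returned a bogus
  # address) in these cases.
  if patLen == 0 or start_address >= end_address or
      end_address - start_address < int64(patLen):
    return -1

  # Ring buffer holding the last `patLen` bytes read; `head` is the index of
  # the oldest byte, so nothing is shifted or reallocated per iteration.
  var window = newSeq[int](patLen)
  var head = 0
  var filled = 0  # valid bytes in `window`; reset after a failed read
  var current_byte: byte
  var num_addr = start_address
  while num_addr != end_address:
    let ok = ReadProcessMemory(hook, cast[LPVOID](num_addr),
                               cast[LPVOID](addr(current_byte)),
                               windows.DWORD(sizeof(current_byte)), nil)
    num_addr += 1
    if ok == 0:
      # Unreadable address (e.g. an unmapped page): the previous version
      # ignored the result and compared a stale byte, which can yield false
      # matches. Drop the partial window and keep scanning instead.
      head = 0
      filled = 0
      continue
    window[head] = int(current_byte)
    head = (head + 1) mod patLen
    if filled < patLen:
      inc filled
    if filled < patLen:
      continue
    # The window is full: compare it against the pattern. Comparing right
    # after the byte is stored also covers a match ending on the last byte
    # of the range, which the lagging comparison used to miss.
    var matched = true
    for i in 0 .. patLen - 1:
      let expected = pattern[i]
      if expected != Joker and window[(head + i) mod patLen] != expected:
        matched = false
        break
    if matched:
      # `num_addr` already points one past the last byte of the window.
      return num_addr - int64(patLen)
  return -1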