- using System;
- using System.Collections.Generic;
- using System.ComponentModel;
- using System.Data;
- using System.Diagnostics;
- using System.Drawing;
- using System.Linq;
- using System.Runtime.InteropServices;
- using System.Text;
- using System.Threading.Tasks;
- using System.Windows.Forms;
- namespace AllocExTest
- {
/// <summary>
/// Test form that attaches to the running "theHunterCotW_F" process, reads a few values
/// through a hard-coded pointer chain, and tries one cross-process VirtualAllocEx call.
/// Everything here depends on the process being present and on the caller being allowed
/// to open it with the access mask requested in the constructor.
/// </summary>
public partial class Form1 : Form
{
    #region win32 imports
    // NOTE(review): in the native API the last parameter of ReadProcessMemory /
    // WriteProcessMemory is an optional SIZE_T* (lpNumberOfBytesRead / lpNumberOfBytesWritten).
    // It is declared here as a by-value uint and passed as 0U, which relies on that 32-bit
    // zero being read as a NULL pointer; `out IntPtr` (or IntPtr with IntPtr.Zero) is the
    // accurate declaration.
    [DllImport("kernel32.dll", SetLastError = true)]
    private static extern bool ReadProcessMemory(
        IntPtr hProcess,
        IntPtr lpBaseAddress,
        byte[] lpBuffer,
        uint dwSize,
        uint lpNumberOfBytesRead);

    // Declared but not called anywhere in this file.
    [DllImport("kernel32.dll", SetLastError = true)]
    private static extern bool WriteProcessMemory(
        IntPtr hProcess,
        IntPtr lpBaseAddress,
        byte[] lpBuffer,
        uint nSize,
        uint lpNumberOfBytesWritten);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr VirtualAllocEx(
        IntPtr hProcess,
        IntPtr lpAddress,
        uint dwSize,
        uint flAllocationType,
        uint flProtect);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(
        uint dwDesiredAccess,
        bool bInheritHandle,
        uint dwProcessId);

    // No SetLastError = true here, so a failed VirtualProtectEx cannot be diagnosed with
    // Marshal.GetLastWin32Error(); its bool result is also ignored by the only caller.
    [DllImport("kernel32.dll")]
    private static extern bool VirtualProtectEx(
        IntPtr hProcess,
        IntPtr lpAddress,
        UIntPtr dwSize,
        uint flNewProtect,
        out uint lpflOldProtect);
    #endregion

    // First process with this name, or null when it is not running; the constructor
    // dereferences it without a null check.
    Process gameProcess = Process.GetProcessesByName("theHunterCotW_F").FirstOrDefault();
    // Handle returned by OpenProcess. It is never closed (no CloseHandle call in this file),
    // so it lives as long as the form does. IntPtr.Zero on failure — only the Read* helpers
    // check for that.
    IntPtr hProcess;
    // Base address of the target's main module; the hard-coded offsets below are relative to it.
    IntPtr baseaddress;

    /// <summary>
    /// Opens the target process and caches its main-module base address.
    /// 2035711U is 0x001F0FFF, the value this file names ProcessAccessFlags.All — much
    /// broader than the memory read/write/operation rights the class actually exercises.
    /// Throws NullReferenceException when the process is not running (gameProcess is null).
    /// </summary>
    public Form1()
    {
        InitializeComponent();
        hProcess = OpenProcess(2035711U, false, (uint)gameProcess.Id);
        baseaddress = gameProcess.MainModule.BaseAddress;
    }

    /// <summary>
    /// Button handler: scans the main module for one byte signature, then attempts a
    /// 4096-byte PAGE_EXECUTE_READWRITE allocation at a fixed address below the module base
    /// and displays the returned pointer together with the last Win32 error code.
    /// </summary>
    /// <param name="sender">WinForms event source (unused).</param>
    /// <param name="e">WinForms event args (unused).</param>
    private void button1_Click(object sender, EventArgs e)
    {
        /* ignore this
        MessageBox.Show(readMoney().ToString()); // work wonders
        */
        PatternScanner patternscanner = new PatternScanner(hProcess);
        // SelectModule's bool result (whether the module copy succeeded) is not checked.
        patternscanner.SelectModule(gameProcess.MainModule);
        long timetookms;
        // `offset` and `timetookms` are assigned but never used afterwards. Note that this
        // file's PatternScanner treats a 0x00 pattern byte as a wildcard, so the two "00"
        // tokens below match any byte rather than a literal zero.
        ulong offset = patternscanner.FindPattern("F3 0F 11 84 8B 68 05 00 00 F3 41 0F 10 00 0F 2F C2", out timetookms); // finds the correct place
        IntPtr lpAddress = baseaddress - 0x10000; // seems to be the place where cheat engine puts alloc() stuff
        // VirtualAllocEx returns IntPtr.Zero on failure; the author's note records 0 with error 487.
        IntPtr thing = VirtualAllocEx(hProcess, lpAddress, 4096, (uint)AllocationType.Commit, (uint)VirtualMemoryProtection.PAGE_EXECUTE_READWRITE);
        MessageBox.Show(thing.ToString() + " | " + Marshal.GetLastWin32Error()); // outputs 0 | 487
    }

    /// <summary>
    /// Follows a hard-coded pointer chain: main module + 0x01E8B7F8 → 8-byte pointer,
    /// + 0x298 → 8-byte pointer, + 0xA0 → 32-bit value. The offsets are tied to one specific
    /// build of the target executable. Because ReadUInt64/ReadInt32 return 0 on failure, a
    /// broken link in the chain turns into a read near address 0 instead of an error.
    /// </summary>
    /// <returns>The 32-bit value at the end of the chain, or 0 when any read failed.</returns>
    private int readMoney()
    {
        IntPtr offset1 = (IntPtr)ReadUInt64(IntPtr.Add(baseaddress, 0x01E8B7F8));
        IntPtr offset2 = (IntPtr)ReadUInt64(IntPtr.Add(offset1, 0x298));
        return ReadInt32(offset2 + 0xa0);
    }

    /// <summary>
    /// Reads <paramref name="pSize"/> bytes of the target at <paramref name="pOffset"/>,
    /// temporarily setting the page(s) to PAGE_READWRITE and then restoring the previous
    /// protection.
    /// </summary>
    /// <param name="pOffset">Address in the target process.</param>
    /// <param name="pSize">Number of bytes to read; also the length of the returned array.</param>
    /// <returns>A buffer of <paramref name="pSize"/> bytes. The bool results of VirtualProtectEx
    /// and ReadProcessMemory are discarded, so on failure the buffer is simply zero-filled and
    /// indistinguishable from a genuine all-zero read.</returns>
    /// <exception cref="Exception">When no process handle is held, or when anything in the body
    /// throws (the original exception is dropped rather than attached as InnerException).</exception>
    private byte[] ReadByteArray(IntPtr pOffset, uint pSize)
    {
        if (hProcess == IntPtr.Zero)
            throw new Exception("process is fucked");
        try
        {
            uint lpflOldProtect;
            // If this call fails, lpflOldProtect holds no meaningful value and the restore below
            // presumably fails as well — neither result is checked.
            VirtualProtectEx(hProcess, pOffset, (UIntPtr)pSize, (uint)VirtualMemoryProtection.PAGE_READWRITE, out lpflOldProtect);
            byte[] lpBuffer = new byte[pSize];
            // 0U stands in for a NULL lpNumberOfBytesRead (see the note on the import above).
            ReadProcessMemory(hProcess, pOffset, lpBuffer, pSize, 0U);
            // Restore the saved protection; the out argument merely overwrites the saved value
            // with PAGE_READWRITE, which is not needed afterwards.
            VirtualProtectEx(hProcess, pOffset, (UIntPtr)pSize, lpflOldProtect, out lpflOldProtect);
            return lpBuffer;
        }
        catch (Exception ex)
        {
            // NOTE(review): `ex` is unused — `throw new Exception("it broke", ex)` would preserve it.
            throw new Exception("it broke");
        }
    }

    /// <summary>
    /// Reads a host-endian Int32 (little-endian on Windows x86/x64) at <paramref name="pOffset"/>.
    /// The hProcess check is repeated here because the same check inside ReadByteArray would be
    /// swallowed by the catch below; this is the only way "process is fucked" reaches the caller.
    /// </summary>
    /// <returns>The value, or 0 when ReadByteArray threw — a zero result is therefore ambiguous.</returns>
    /// <exception cref="Exception">When no process handle is held.</exception>
    private int ReadInt32(IntPtr pOffset)
    {
        if (hProcess == IntPtr.Zero)
            throw new Exception("process is fucked");
        try
        {
            return BitConverter.ToInt32(this.ReadByteArray(pOffset, 4U), 0);
        }
        catch (Exception ex)
        {
            // Any failure (including "it broke") is silently mapped to 0.
            return 0;
        }
    }

    /// <summary>
    /// Reads a host-endian UInt64 at <paramref name="pOffset"/>; same structure and the same
    /// 0-on-failure ambiguity as <see cref="ReadInt32"/>.
    /// </summary>
    /// <returns>The value, or 0 when ReadByteArray threw.</returns>
    /// <exception cref="Exception">When no process handle is held.</exception>
    private ulong ReadUInt64(IntPtr pOffset)
    {
        if (hProcess == IntPtr.Zero)
            throw new Exception("process is fucked");
        try
        {
            return BitConverter.ToUInt64(this.ReadByteArray(pOffset, 8U), 0);
        }
        catch (Exception ex)
        {
            return 0;
        }
    }
}
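/// <summary>
/// flAllocationType values for VirtualAlloc/VirtualAllocEx. These are single-bit flags that
/// are combined with <c>|</c> (e.g. <c>Commit | Reserve</c>), so the enum is marked
/// <see cref="FlagsAttribute"/> — without it a combined value prints as a bare number.
/// Values are the Win32 MEM_* constants; members are listed in ascending order.
/// </summary>
[Flags]
public enum AllocationType : uint
{
    Commit = 0x1000,
    Reserve = 0x2000,
    Decommit = 0x4000,
    Release = 0x8000,
    Reset = 0x80000,
    TopDown = 0x100000,
    WriteWatch = 0x200000,
    Physical = 0x400000,
    LargePages = 0x20000000
}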
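/// <summary>
/// dwDesiredAccess bits for OpenProcess (Win32 PROCESS_* rights). Individual rights are
/// combined with <c>|</c>, so the enum is marked <see cref="FlagsAttribute"/>.
/// <see cref="All"/> is PROCESS_ALL_ACCESS (0x001F0FFF) and also covers bits that have no
/// named member here; request only the rights a caller actually needs instead of it.
/// </summary>
[Flags]
public enum ProcessAccessFlags : uint
{
    Terminate = 0x00000001,
    CreateThread = 0x00000002,
    VMOperation = 0x00000008,
    VMRead = 0x00000010,
    VMWrite = 0x00000020,
    DupHandle = 0x00000040,
    SetInformation = 0x00000200,
    QueryInformation = 0x00000400,
    Synchronize = 0x00100000,
    All = 0x001F0FFF,
}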
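/// <summary>
/// Page-protection constants (Win32 PAGE_*) for VirtualAllocEx / VirtualProtectEx.
/// The base protections are mutually exclusive, but PAGE_GUARD and PAGE_NOCACHE are modifier
/// bits OR-ed onto a base protection, so the enum is marked <see cref="FlagsAttribute"/>.
/// </summary>
[Flags]
public enum VirtualMemoryProtection : uint
{
    PAGE_NOACCESS = 0x00000001,
    PAGE_READONLY = 0x00000002,
    PAGE_READWRITE = 0x00000004,
    PAGE_WRITECOPY = 0x00000008,
    PAGE_EXECUTE = 0x00000010,
    PAGE_EXECUTE_READ = 0x00000020,
    PAGE_EXECUTE_READWRITE = 0x00000040,
    PAGE_EXECUTE_WRITECOPY = 0x00000080,
    PAGE_GUARD = 0x00000100,
    PAGE_NOCACHE = 0x00000200,
    // Kept for source compatibility only: this is a process access right (PROCESS_ALL_ACCESS),
    // not a page protection, and does not belong in this enum.
    [Obsolete("PROCESS_ALL_ACCESS is a process access right, not a page protection; use ProcessAccessFlags.All.")]
    PROCESS_ALL_ACCESS = 0x001F0FFF,
}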
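/// <summary>
/// Searches a snapshot of one module of another process for byte signatures.
/// <see cref="SelectModule"/> copies the module image into a local buffer with a single
/// cross-process read; <see cref="SelectBuffer"/> accepts an already-captured image (for
/// example from a dump file), so the scanner can also be used offline without any process
/// handle. The Find* methods search that buffer only and return absolute addresses
/// (<c>module base + offset</c>), or 0 when there is no match.
/// </summary>
/// <remarks>
/// Pattern syntax: space-separated hex byte tokens; <c>?</c> or <c>??</c> is a wildcard that
/// matches any byte. A literal <c>00</c> token matches only a zero byte (the previous version
/// encoded wildcards as 0x00 and therefore treated every <c>00</c> as a wildcard too).
/// </remarks>
public class PatternScanner
{
    private readonly IntPtr _hProcess;
    // Local copy of the selected image; null until SelectModule/SelectBuffer succeeded.
    private byte[] _moduleBuffer;
    // Address in the target that _moduleBuffer[0] corresponds to; 0 means "nothing selected".
    private ulong _moduleBase;
    // Named patterns registered with AddPattern, resolved together by FindPatterns.
    private readonly Dictionary<string, string> _patterns;

    /// <param name="hProc">Handle to the target process; used only by <see cref="SelectModule"/>.</param>
    public PatternScanner(IntPtr hProc)
    {
        _hProcess = hProc;
        _patterns = new Dictionary<string, string>();
    }

    /// <summary>
    /// Copies <paramref name="targetModule"/>'s image out of the target process and makes it
    /// the buffer the Find* methods search. Clears previously registered named patterns.
    /// </summary>
    /// <returns>true when the read succeeded. On failure nothing is kept, so a later Find* call
    /// throws instead of silently scanning an array that was never filled.</returns>
    /// <exception cref="ArgumentNullException"><paramref name="targetModule"/> is null.</exception>
    public bool SelectModule(ProcessModule targetModule)
    {
        if (targetModule == null)
            throw new ArgumentNullException("targetModule");

        byte[] image = new byte[targetModule.ModuleMemorySize];
        bool ok = Win32.ReadProcessMemory(_hProcess, targetModule.BaseAddress, image, image.Length, IntPtr.Zero);
        if (!ok)
        {
            _moduleBuffer = null;
            _moduleBase = 0;
            _patterns.Clear();
            return false;
        }
        SelectBuffer(image, (ulong)(long)targetModule.BaseAddress);
        return true;
    }

    /// <summary>
    /// Uses an already-captured image as the scan buffer; no process access is needed.
    /// Clears previously registered named patterns.
    /// </summary>
    /// <param name="image">Bytes to scan. The array is used directly, not copied.</param>
    /// <param name="baseAddress">Address that <c>image[0]</c> corresponds to. Must be non-zero,
    /// because 0 is the "no match" result of the Find* methods.</param>
    /// <exception cref="ArgumentNullException"><paramref name="image"/> is null.</exception>
    /// <exception cref="ArgumentOutOfRangeException"><paramref name="baseAddress"/> is 0.</exception>
    public void SelectBuffer(byte[] image, ulong baseAddress)
    {
        if (image == null)
            throw new ArgumentNullException("image");
        if (baseAddress == 0)
            throw new ArgumentOutOfRangeException("baseAddress", "Base address must be non-zero.");

        _moduleBuffer = image;
        _moduleBase = baseAddress;
        _patterns.Clear();
    }

    /// <summary>Registers a named pattern for <see cref="FindPatterns"/>.</summary>
    /// <exception cref="ArgumentException">A pattern with the same name already exists
    /// (Dictionary.Add semantics, unchanged from the previous version).</exception>
    public void AddPattern(string szPatternName, string szPattern)
    {
        _patterns.Add(szPatternName, szPattern);
    }

    /// <summary>Finds the first occurrence of one pattern in the selected buffer.</summary>
    /// <param name="szPattern">Pattern string; see the class remarks for the syntax.</param>
    /// <param name="lTime">Elapsed scan time in milliseconds.</param>
    /// <returns>Absolute address of the first match, or 0 when there is none (including when
    /// the pattern is longer than the buffer).</returns>
    /// <exception cref="InvalidOperationException">No module or buffer has been selected.</exception>
    /// <exception cref="ArgumentException">The pattern contains no tokens.</exception>
    /// <exception cref="FormatException">A token is neither a wildcard nor a hex byte.</exception>
    public ulong FindPattern(string szPattern, out long lTime)
    {
        EnsureBufferSelected();
        Stopwatch stopwatch = Stopwatch.StartNew();
        bool[] mask;
        byte[] pattern = ParsePatternString(szPattern, out mask);

        ulong match = 0;
        // Last start offset at which the whole pattern still fits in the buffer. The previous
        // version scanned every offset and read past the end when a candidate matched near it.
        int lastStart = _moduleBuffer.Length - pattern.Length;
        for (int offset = 0; offset <= lastStart; offset++)
        {
            if (PatternCheck(offset, pattern, mask))
            {
                match = _moduleBase + (ulong)offset;
                break;
            }
        }
        lTime = stopwatch.ElapsedMilliseconds;
        return match;
    }

    /// <summary>Resolves every pattern registered with <see cref="AddPattern"/>.</summary>
    /// <param name="lTime">Total elapsed time in milliseconds.</param>
    /// <returns>Pattern name → absolute address of its first match (0 when not found), one
    /// entry per registered pattern.</returns>
    /// <exception cref="InvalidOperationException">No module or buffer has been selected.</exception>
    public Dictionary<string, ulong> FindPatterns(out long lTime)
    {
        EnsureBufferSelected();
        Stopwatch stopwatch = Stopwatch.StartNew();
        Dictionary<string, ulong> results = new Dictionary<string, ulong>();
        // One scan per pattern; same first-match semantics as the previous interleaved loop,
        // without the O(n²) Dictionary.ElementAt lookups.
        foreach (KeyValuePair<string, string> entry in _patterns)
        {
            long unused;
            results[entry.Key] = FindPattern(entry.Value, out unused);
        }
        lTime = stopwatch.ElapsedMilliseconds;
        return results;
    }

    // Throws unless SelectModule or SelectBuffer has provided something to scan.
    private void EnsureBufferSelected()
    {
        if (_moduleBuffer == null || _moduleBase == 0)
            throw new InvalidOperationException("Selected module is null");
    }

    // True when every non-wildcard pattern byte equals the buffer byte at nOffset + i.
    // The caller guarantees nOffset + arrPattern.Length <= _moduleBuffer.Length.
    private bool PatternCheck(int nOffset, byte[] arrPattern, bool[] arrMask)
    {
        for (int i = 0; i < arrPattern.Length; i++)
        {
            if (arrMask[i] && arrPattern[i] != _moduleBuffer[nOffset + i])
                return false;
        }
        return true;
    }

    /// <summary>
    /// Parses e.g. "F3 0F ? 84" into a byte array plus a mask; <c>mask[i]</c> is false for a
    /// wildcard token ("?" or "??"), whose byte value is then irrelevant. Keeping the mask
    /// separate from the bytes is what lets a literal "00" match only a zero byte.
    /// </summary>
    /// <exception cref="ArgumentException">No tokens at all (null, empty or whitespace).</exception>
    /// <exception cref="FormatException">A token is not valid hex (OverflowException if it exceeds a byte).</exception>
    private static byte[] ParsePatternString(string szPattern, out bool[] mask)
    {
        string[] tokens = (szPattern ?? string.Empty).Split(new[] { ' ' }, StringSplitOptions.RemoveEmptyEntries);
        if (tokens.Length == 0)
            throw new ArgumentException("Pattern must contain at least one byte token.", "szPattern");

        byte[] bytes = new byte[tokens.Length];
        mask = new bool[tokens.Length];
        for (int i = 0; i < tokens.Length; i++)
        {
            string token = tokens[i];
            if (token == "?" || token == "??")
                continue; // wildcard: mask[i] stays false, bytes[i] stays 0
            bytes[i] = Convert.ToByte(token, 16);
            mask[i] = true;
        }
        return bytes;
    }

    private static class Win32
    {
        // lpBaseAddress is a pointer in the native signature, so IntPtr (rather than ulong) is
        // the marshalling that is correct for both 32- and 64-bit builds. lpNumberOfBytesRead
        // is an optional SIZE_T*; IntPtr.Zero passes NULL, which the API allows.
        [DllImport("kernel32.dll", SetLastError = true)]
        public static extern bool ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, int dwSize, IntPtr lpNumberOfBytesRead);
    }
}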
- }