Use wildcards for searching? #2

New Issue

Open

opened 2022-12-30 15:18:39 -08:00 by ANTONIOPS · 0 comments

ANTONIOPS commented 2022-12-30 15:18:39 -08:00

Copy Link

Is there any way of using "??" as a search wildcard like in Cheat Engine?

For example, I want to find the next pattern using "??":

44 01 1B 2F 33 ?? 6A 06 CF ?? 80 CA 7F F4 E8 91 7E

It should find all patterns that match all the bytes and matching any byte on the positions of all the "??", so the next patterns are matched:

"44 01 1B 2F 33 04 6A 06 CF 45 80 CA 7F F4 E8 91 7E"
"44 01 1B 2F 33 2B 6A 06 CF FB 80 CA 7F F4 E8 91 7E"
"44 01 1B 2F 33 6C 6A 06 CF 16 80 CA 7F F4 E8 91 7E"
"44 01 1B 2F 33 11 6A 06 CF 4F 80 CA 7F F4 E8 91 7E"

Another example in Cheat Engine:

Also using "??" when replacing, will not touch that byte.

The result will be "66 DA 66"

Here is a working without wildcards code using the normal search and replace that I created:

import ctypes
from mem_edit import Process

hex_pattern = "33 00 00 00 00 00 00 00 CF 80 CA 7F F4 E8 91 7E"
pattern = bytes.fromhex(hex_pattern)

bytes object
replacement_hex = "22 00 00 00 00 00 00 00 CF 80 CA 7F F4 E8 91 7E"
replacement = bytes.fromhex(replacement_hex)

replacement_buffer = ctypes.create_string_buffer(replacement, len(replacement))

pid = Process.get_pid_by_name("MyProcess.exe")

with Process.open_process(pid) as p:

    addrs = p.search_all_memory(pattern)

    for addr in addrs:
        p.write_memory(addr, replacement_buffer)

This will search for:

"33 00 00 00 00 00 00 00 CF 80 CA 7F F4 E8 91 7E"

and replace it with:

"22 00 00 00 00 00 00 00 CF 80 CA 7F F4 E8 91 7E"

Is there any way of using "??" as a search wildcard like in Cheat Engine? For example, I want to find the next pattern using "??": 44 01 1B 2F 33 **??** 6A 06 CF **??** 80 CA 7F F4 E8 91 7E It should find all patterns that match all the bytes and matching any byte on the positions of all the "??", so the next patterns are matched: "44 01 1B 2F 33 **04** 6A 06 CF **45** 80 CA 7F F4 E8 91 7E" "44 01 1B 2F 33 **2B** 6A 06 CF **FB** 80 CA 7F F4 E8 91 7E" "44 01 1B 2F 33 **6C** 6A 06 CF **16** 80 CA 7F F4 E8 91 7E" "44 01 1B 2F 33 **11** 6A 06 CF **4F** 80 CA 7F F4 E8 91 7E" Another example in Cheat Engine:  Also using "??" when replacing, will not touch that byte.  The result will be "66 DA 66" Here is a working without wildcards code using the normal search and replace that I created: ``` import ctypes from mem_edit import Process hex_pattern = "33 00 00 00 00 00 00 00 CF 80 CA 7F F4 E8 91 7E" pattern = bytes.fromhex(hex_pattern) bytes object replacement_hex = "22 00 00 00 00 00 00 00 CF 80 CA 7F F4 E8 91 7E" replacement = bytes.fromhex(replacement_hex) replacement_buffer = ctypes.create_string_buffer(replacement, len(replacement)) pid = Process.get_pid_by_name("MyProcess.exe") with Process.open_process(pid) as p: addrs = p.search_all_memory(pattern) for addr in addrs: p.write_memory(addr, replacement_buffer) ``` This will search for: **"33 00 00 00 00 00 00 00 CF 80 CA 7F F4 E8 91 7E"** and replace it with: **"22 00 00 00 00 00 00 00 CF 80 CA 7F F4 E8 91 7E"**

imagen.png

30 KiB

imagen.png

10 KiB

jan self-assigned this 2023-01-22 00:44:34 -08:00

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

master

test

v0.8

release

v0.7

v0.6

v0.5

v0.4

v0.3

0.2

0.1

Labels

Clear labels

No items

No Label

Milestone

Clear milestone

No items

No Milestone

Assignees

Clear assignees

No Assignees

jan

1 Participants

Notifications

Subscribe

Due Date

The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: jan/mem_edit#2

No description provided.