Pattern scan always returns same (wrong) address #48
Comments
Hey, is the process 32 or 64 bit? And did you recompile the library for the target architecture?

The process is 64-bit. By "recompile for target architecture", do you mean running I recall getting EDIT: Spent over an hour trying to solve the gyp error, still no luck.

I forgot to add, I am on Windows 10 64-bit.

Go inside

Funny how I found this out myself before I checked your response, but it's still not working correctly. I have a
And the console window outputs this:
The But if instead of using the
By the way I know the compilation worked correctly because the Although if I download your

Could you perhaps try the experiment yourself? How would you find the text Would be greatly appreciated ...

I've been needing this project to work so bad for 3 months lol ... I need to grab all text from the memory of a game and save it to a file. I can do this with a slightly modified Lua script inside Cheat Engine after the game is over but the text is not in chronological order (I don't know if this is intentional obfuscation or just an inherent aspect of Random Access Memory?) and I don't know Lua enough to make it do what your project does. I even tried OCR with

lib/memoryjs.cc 693: https://v8docs.nodesource.com/node-10.15/d9/d29/classv8_1_1_number.html: After conversion to double, the value of Comparing signed and unsigned numbers produces a logical error. Exceptions may never be thrown?

@MelerEcckmanLawler did you figure this out? I'm having the same issue.

Hey, I changed memoryjs::findPattern and pattern::findPattern functions to return signed integers (intptr_t). After the change, the address returned was actually -2, so I understood there's an issue with my pattern. In my case, it still didn't help. I'm searching the memory of an emulator, so I have no module name since the actual data is allocated somewhere. I'm working on a new function that will receive a start address and size to search in. I also want to implement pattern search using std::search, since it gave me really good results very quickly. I will share it if it works at all 😄

By happenstance, I spent the evening attempting the same type of task, but in If I search for my string of interest ("deez", which I typed as the only word into a new instance of Notepad) via Cheat Engine, I see it in two memory addresses (scanning RWX memory and for Unicode strings). I've noted elsewhere here that memoryjs doesn't support Unicode (yet?), so I thought that pattern-scanning for the bytes that make up the string would be a workaround, but that doesn't appear to be the case. If I use the I'm not sure at this point if the issue is my understanding of utilizing the library thus far, or perhaps if there's an issue with the I just wanted to chime in here and gather some thoughts. Thanks, everyone! (And thank you for the library, Rob--; I've really been enjoying using much of it thus far!)

@dsasmblr thanks, glad you've found it useful! I've also taken a look at the same example. The implementation of Opening up

```
0x2E84C1CB240
0x2E84C1FBBA0
```

Running this script (using one of the two addresses) shows the address doesn't lie inside of any modules, but lies inside of a single region:

```javascript
const memoryjs = require('./index');
const processName = "notepad.exe";
const processObject = memoryjs.openProcess(processName);
const address = 0x2E84C1CB240;

// Modules whose [base, base + size) range contains the address
const matchingModules = memoryjs
  .getModules(processObject.th32ProcessID)
  .filter(mod => address >= mod.modBaseAddr && address < (mod.modBaseAddr + mod.modBaseSize));

// Memory regions whose [base, base + size) range contains the address
const matchingRegions = memoryjs
  .getRegions(processObject.handle)
  .filter(region => address >= region.BaseAddress && address < (region.BaseAddress + region.RegionSize));

console.log('modules', matchingModules);
console.log('regions', matchingRegions);

// UTF-16LE bytes of "deez"
const pattern = "64 00 65 00 65 00 7A 00";
memoryjs.findPattern(processObject.handle, pattern, 0, 0, (error, address) => {
  console.log(`error: ${error}, address: 0x${address.toString(16).toUpperCase()}`);
});
```

I've edited the source code so that

```
$ node test
modules []
regions [
  {
    BaseAddress: 3196732375040,
    AllocationBase: 3196732375040,
    AllocationProtect: 4,
    RegionSize: 659456,
    State: 4096,
    Protect: 4,
    Type: 131072
  }
]
error: , address: 0x2E84C1CB240
```

Searching all regions & modules takes too long, so it might be worth having a I think I'll change

```javascript
// search all modules + all regions
findPattern(handle, pattern, flags, patternOffset[, callback])
// search a specific module
findPattern(handle, moduleName, pattern, flags, patternOffset[, callback])
// search a specific region (will find the region or module the base address lies inside)
findPattern(handle, baseAddress, pattern, flags, patternOffset[, callback])
```
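
The two failure modes discussed in this thread, shown over constructed buffers as an added example (not memoryjs code and not part of any comment): a scan limited to module images misses data in a private region, and a signed "no match" sentinel turns into one constant bogus address when read as an unsigned 64-bit value. The meaning of `-2`, the module base and bytes, and the `?`/`??` wildcard syntax are assumptions of this example; the region base, region size and target address are taken from the output above.

```javascript
// Added example over constructed buffers; it does not call memoryjs.
const NOT_FOUND = -2n; // signed sentinel reported in the thread; meaning assumed

// "64 00 ?? 7A" -> [0x64, 0x00, null, 0x7a]; null marks a wildcard byte.
function parsePattern(text) {
  const tokens = text.trim().split(/\s+/).filter(Boolean);
  if (tokens.length === 0) throw new Error('empty pattern');
  return tokens.map((tok) => {
    if (tok === '?' || tok === '??') return null;
    if (!/^[0-9a-fA-F]{2}$/.test(tok)) throw new Error(`bad pattern byte: ${tok}`);
    return parseInt(tok, 16);
  });
}

// Offset of the first match inside one buffer, or -1.
function scanBuffer(bytes, pat) {
  for (let i = 0; i + pat.length <= bytes.length; i++) {
    let j = 0;
    while (j < pat.length && (pat[j] === null || bytes[i + j] === pat[j])) j++;
    if (j === pat.length) return i;
  }
  return -1;
}

// Scan a list of { base: BigInt, bytes: Buffer } ranges; signed BigInt result.
function findInRanges(ranges, patternText) {
  const pat = parsePattern(patternText);
  for (const { base, bytes } of ranges) {
    const off = scanBuffer(bytes, pat);
    if (off !== -1) return base + BigInt(off);
  }
  return NOT_FOUND;
}

// The same value after passing through an unsigned 64-bit address type.
const asUnsigned64 = (v) => BigInt.asUintN(64, v);

// Check the sentinel while the value is still signed, then format it.
const formatResult = (v) => (v < 0n ? `no match (code ${v})` : `0x${v.toString(16).toUpperCase()}`);

// Constructed sample: a tiny module image, plus the private region from the
// getRegions output with "deez" (UTF-16LE) placed at the reported address.
const target = 0x2E84C1CB240n;
const region = { base: 3196732375040n, bytes: Buffer.alloc(659456) };
Buffer.from('deez', 'utf16le').copy(region.bytes, Number(target - region.base));
const moduleImage = { base: 0x7FF600000000n, bytes: Buffer.from('4d5a9000', 'hex') };

const pattern = '64 00 65 00 65 00 7A 00';
const modulesOnly = findInRanges([moduleImage], pattern);
const withRegions = findInRanges([moduleImage, region], pattern);
console.log(formatResult(modulesOnly), '->', '0x' + asUnsigned64(modulesOnly).toString(16));
console.log(formatResult(withRegions));
```

Because every failed scan yields the same sentinel, the unsigned reading is identical for every process and pattern, so the sentinel has to be tested before the value is treated as an address.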

Hey, @Rob--! Thanks so much for taking the time to test and reply with all of that. I totally didn't think about exploring regions like that. I was incorrectly assuming that regions relative to the application's modules were already taken into consideration. Thanks for clarifying! I like the Thanks again, Rob!

These changes are implemented in a32ceee. New implementation of

```javascript
// search all modules + all regions
findPattern(handle, pattern, flags, patternOffset[, callback])
// search a specific module
findPattern(handle, moduleName, pattern, flags, patternOffset[, callback])
// search a specific region (will find the region or module the base address lies inside)
findPattern(handle, baseAddress, pattern, flags, patternOffset[, callback])
```

The I'll leave the issue open to take comments until I publish all the recent library changes to NPM.

Closing the issue since v3.5.1 has been published to NPM and includes these changes.

No matter what process name I use, or pattern, the above code will always output this:
Which is of course incorrect. And looking at `notepad++.exe`'s memory using Cheat Engine I can see `Hello World!` is definitely in its memory, in fact in three different locations, and not in `utf16` format (it doesn't have `00` between each character).
But using the address found via Cheat Engine to read the text I typed in `notepad++.exe` works correctly:
Will output:
Hello World!