pattern scan module with bytes same with regex special characters #47

Open
nyaoouo opened this issue Feb 22, 2021 · 4 comments

@nyaoouo

nyaoouo commented Feb 22, 2021

I solved it with re.escape(raw_pattern).replace(b'\.', b'.'), but I think the escape function should be built in, or the docs should mention that users need to pay attention to this point.

@StarrFox
Collaborator

Escaping the re characters within the function wouldn't allow you to find the vast majority of patterns

@nyaoouo
Author

nyaoouo commented Feb 22, 2021

> Escaping the re characters within the function wouldn't allow you to find the vast majority of patterns

So I think the documentation may add a description about its use of regular expressions. This feature caused a bit of trouble for me; I tried to debug for a while before I found this problem.

@Insensitivity

Is there any more info on this? I'm struggling to find anything that contains wildcards
Using the following pattern in equivalent cpp libraries:
"46 89 ? ? EB ? E8 ? ? ? ? 41 83 C3 ? 44 89 ? 66 45 ? ? ? 48 B8 ? ? ? ? ? ? ? ? 41 89 ? 41 C1 EE ? 4A 8B ? ? 48 85 ? 74 ? 41 89 ? 41 81 E5 ? ? ? ? 46 89 ? ? EB ? E8 ? ? ? ? 41 83 C3 ? 44 89 ? 66 45 ? ? ? 48 B8 ? ? ? ? ? ? ? ? 41 89 ? 41 C1 EE ? 4A 8B ? ? 48 85 ? 74 ? 41 89 ? 41 81 E5 ? ? ? ? 46 89 ? ? EB ? E8 ? ? ? ? 41 83 C3 ? 44 89 ? 66 41 ? ? ? 48 B8 ? ? ? ? ? ? ? ? 41 89 ? 41 C1 EE ? 4A 8B ? ? 48 85 ? 74 ? 41 89 ? 41 81 E5 ? ? ? ? 46 89 ? ? EB ? E8 ? ? ? ? 41 8B ? ? 41 89 ? ? ? ? ? 83 C0 ? 41 8B ? ? ? ? ? 41 89 ? ? ? ? ? 48 B8 ? ? ? ? ? ? ? ? 41 89 ? 41 C1 EE ? 4A 8B ? ? 48 85 ? 74 ? 41 89 ? 41 81 E5 ? ? ? ? 42 8B ? ? EB ? E8 ? ? ? ? 41 89 ? ? 41 8B ? ? ? ? ? 83 C0 ? 89 C2 41 89 ? ? ? ? ? 48 B8 ? ? ? ? ? ? ? ? 41 89 ? 41 C1 EE ? 4A 8B ? ? 48 85 ? 74 ? 41 89 ? 41 81 E5 ? ? ? ? 42 8B ? ? EB ? E8 ? ? ? ? 41 89 ? ? 41 8B ? ? ? ? ? 83 C0 ? 89 C2 41 89 ? ? ? ? ? 48 B8 ? ? ? ? ? ? ? ? 41 89 ? 41 C1 EE ? 4A 8B ? ? 48 85 ? 74 ? 41 89 ? 41 81 E5 ? ? ? ? 42 8B ? ? EB ? E8 ? ? ? ? 41 89 ? ? 41 8B ? ? ? ? ? 83 C0 ? 89 C2 41 89 ? ? ? ? ? 48 B8 ? ? ? ? ? ? ? ? 41 89 ? 41 C1 EE ? 4A 8B ? ? 48 85 ? 74 ? 41 89 ? 41 81 E5 ? ? ? ? 42 8B ? ? EB ? E8 ? ? ? ? 41 89 ? ? 41 8B ? ? ? ? ? 83 C0 ? 89 C2 41 89 ? ? ? ? ? 48 B8 ? ? ? ? ? ? ? ? 41 89 ? 41 C1 EE ? 4A 8B ? ? 48 85 ? 74 ? 41 89 ? 41 81 E5 ? ? ? ? 42 8B ? ? EB ? E8 ? ? ? ? 41 89 ? ? 41 8B ? ? ? ? ? 83 C0 ? 45 8B"

I get proper results.

but when I try this library with the following (replacing every '?' with a dot):

b"\x46\x89..\xEB.\xE8....\x41\x83\xC3.\x44\x89.\x66\x45...\x48\xB8........\x41\x89.\x41\xC1\xEE.\x4A\x8B..\x48\x85.\x74.\x41\x89.\x41\x81\xE5....\x46\x89..\xEB.\xE8....\x41\x83\xC3.\x44\x89.\x66\x45...\x48\xB8........\x41\x89.\x41\xC1\xEE.\x4A\x8B..\x48\x85.\x74.\x41\x89.\x41\x81\xE5....\x46\x89..\xEB.\xE8....\x41\x83\xC3.\x44\x89.\x66\x41...\x48\xB8........\x41\x89.\x41\xC1\xEE.\x4A\x8B..\x48\x85.\x74.\x41\x89.\x41\x81\xE5....\x46\x89..\xEB.\xE8....\x41\x8B..\x41\x89.....\x83\xC0.\x41\x8B.....\x41\x89.....\x48\xB8........\x41\x89.\x41\xC1\xEE.\x4A\x8B..\x48\x85.\x74.\x41\x89.\x41\x81\xE5....\x42\x8B..\xEB.\xE8....\x41\x89..\x41\x8B.....\x83\xC0.\x89\xC2\x41\x89.....\x48\xB8........\x41\x89.\x41\xC1\xEE.\x4A\x8B..\x48\x85.\x74.\x41\x89.\x41\x81\xE5....\x42\x8B..\xEB.\xE8....\x41\x89..\x41\x8B.....\x83\xC0.\x89\xC2\x41\x89.....\x48\xB8........\x41\x89.\x41\xC1\xEE.\x4A\x8B..\x48\x85.\x74.\x41\x89.\x41\x81\xE5....\x42\x8B..\xEB.\xE8....\x41\x89..\x41\x8B.....\x83\xC0.\x89\xC2\x41\x89.....\x48\xB8........\x41\x89.\x41\xC1\xEE.\x4A\x8B..\x48\x85.\x74.\x41\x89.\x41\x81\xE5....\x42\x8B..\xEB.\xE8....\x41\x89..\x41\x8B.....\x83\xC0.\x89\xC2\x41\x89.....\x48\xB8........\x41\x89.\x41\xC1\xEE.\x4A\x8B..\x48\x85.\x74.\x41\x89.\x41\x81\xE5....\x42\x8B..\xEB.\xE8....\x41\x89..\x41\x8B.....\x83\xC0.\x45\x8B"

I get no results.
I also tried what the OP used, but it didn't work for me.
Any suggestions?
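
The signature-to-regex conversion discussed in this thread, as an added example (not pymem's code and not written by any commenter): every literal byte of a `46 89 ? ?`-style signature goes through `re.escape`, every `?` becomes `.`, and an inline `(?s)` flag makes `.` also match byte 0x0A. The names `signature_to_regex`, `scan` and `naive_pattern_error` and the sample bytes are constructed for illustration; nothing is assumed about the flags the receiving scan function applies itself.

```python
import re


def signature_to_regex(signature: str, dotall: bool = True) -> bytes:
    """Turn a space-separated hex signature with '?' wildcards into a bytes regex."""
    # Inline (?s) keeps '.' matching 0x0A even if the caller compiles without re.DOTALL.
    parts = [b"(?s)"] if dotall else []
    for token in signature.split():
        if token in ("?", "??"):
            parts.append(b".")  # wildcard: exactly one byte
        else:
            # bytes([...]) raises ValueError for values above 0xFF;
            # re.escape neutralises bytes such as 0x2E '.', 0x28 '(', 0x5B '['.
            parts.append(re.escape(bytes([int(token, 16)])))
    return b"".join(parts)


def scan(data: bytes, signature: str, dotall: bool = True):
    """Return the offset of the first match in data, or None."""
    match = re.search(signature_to_regex(signature, dotall), data)
    return match.start() if match else None


def naive_pattern_error(pattern: bytes):
    """Return the regex compile error for a hand-written pattern, or None if it compiles."""
    try:
        re.compile(pattern)
    except re.error as exc:
        return str(exc)
    return None


# Constructed sample: literal bytes 0x5B '[', 0x2E '.', 0x28 '(' are regex
# metacharacters, and the two wildcard positions hold 0x0A and 0x24.
SAMPLE = b"\x90\x90" + b"\x48\x8B\x5B\x0A\x2E\x28\x24\xE8" + b"\xC3"
SIG = "48 8B 5B ? 2E 28 ? E8"
# The same signature written by hand, with '?' replaced by '.' and nothing escaped.
NAIVE = b"\x48\x8B\x5B.\x2E\x28.\xE8"

if __name__ == "__main__":
    print("escaped + (?s):   ", scan(SAMPLE, SIG))
    print("escaped, no (?s): ", scan(SAMPLE, SIG, dotall=False))
    print("naive pattern:    ", naive_pattern_error(NAIVE))
```
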

@srounet
Owner

srounet commented May 3, 2021

Just tried it for wow 3.3.5a:

import pymem
import pymem.pattern

pm = pymem.Pymem("Wow.exe")
module = pymem.process.module_from_name(pm.process_handle, "Wow.exe")

print("starting scan")
GetMinimapZoneText = pymem.pattern.pattern_scan_module(pm.process_handle, module, rb"\x55\x8B\xEC\xA1....\x85\xC0\x75\x05\xB8....\x50\x8B\x45\x08\x50\xE8....\x83\xC4\x08\xB8....\x5D\xC3")
print("GetMinimapZoneText address: {}".format(hex(GetMinimapZoneText)))

And it works:

2021-05-03 10:17:26,348 - pymem - DEBUG - Process 14580 is being debugged
starting scan
GetMinimapZoneText address: 0x515570
