在编写 x64dbg 插件时用到以下两个函数，有坑！
// Scripting-API declarations used below (x64dbg plugin SDK).
//
// FindMem: searches [start, start + size) of the debuggee for the hex byte
// pattern and returns the address of the first match. The calling code below
// treats both -1 (all bits set) and 0 as "not found". Very large size values
// are reported on this page to make a second search fail (the example used
// 0x0000000040000000), so keep the window bounded to the region of interest.
SCRIPT_EXPORT duint FindMem(duint start, duint size, const char* pattern);
// SearchAndReplaceMem: searches [start, start + size) for searchpattern and
// replaces it with replacepattern, but only ONCE per call. Returns false when
// no replacement was made (e.g. no match, or the memory could not be written).
// To replace every occurrence, loop with FindMem and call this per hit.
// NOTE(review): how a replacepattern shorter than searchpattern is applied
// (only the leading bytes overwritten?) is not shown here — confirm in the SDK.
SCRIPT_EXPORT bool SearchAndReplaceMem(duint start, duint size, const char* searchpattern, const char* replacepattern);
|
首先，SearchAndReplaceMem 在从 start 开始、大小为 size 的范围内只会替换一次，所以要结合 FindMem 循环查找才能完成全部替换。
当 FindMem 查找的地址范围过大时（示例中的 size 为 0x0000000040000000），第二次查找会失败，并出现下述错误。
正确的写法如下:
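/// Worker-thread entry point: replaces every occurrence of a byte pattern
/// inside the memory region that contains the current disassembly selection.
///
/// SearchAndReplaceMem performs only ONE replacement per call, so the region
/// is walked with FindMem and each hit is replaced individually. The FindMem
/// window is always the *remaining* part of the region, never the whole
/// address space (very large sizes are known to make the search fail).
///
/// @param lpParameter  Unused; present only to satisfy the CreateThread
///                     thread-procedure signature.
/// @return Always 0.
DWORD WINAPI workThreadProc(_In_ LPVOID lpParameter) {
    (void)lpParameter;

    const duint selAddr = Script::Gui::Disassembly::SelectionGetStart();
    const duint regionBase = Script::Memory::GetBase(selAddr);
    const duint regionSize = Script::Memory::GetSize(selAddr);
    const duint regionEnd = regionBase + regionSize;

    // Hex-encoded patterns: "Hello XiaLuoHun!\0" (17 bytes) is replaced by
    // "Hello World!\0" (13 bytes).
    // NOTE(review): the replacement is shorter than the match; how the SDK
    // treats the trailing 4 bytes is not visible here — confirm before relying
    // on it.
    const char searchpattern[] = "48656C6C6F205869614C756F48756E2100";
    const char replacepattern[] = "48656C6C6F20576F726C642100";

    // Length of the hex *string* (plus NUL), not the number of bytes it
    // encodes (that would be strlen/2). It is only used as the search window
    // handed to SearchAndReplaceMem, so being larger than the match is
    // harmless as long as the window is clamped to the region (see below).
    const duint windowLen = static_cast<duint>(strlen(searchpattern)) + 1;

    // FindMem reports "not found" as -1 (all bits set); 0 is treated the same.
    constexpr duint kNotFound = static_cast<duint>(-1);

    duint cursor = regionBase;
    while (cursor < regionEnd) {
        const duint remaining = regionEnd - cursor;
        const duint hit = Script::Pattern::FindMem(cursor, remaining, searchpattern);
        if (hit == kNotFound || hit == 0) {
            break;
        }
        // Advance past the hit so the next FindMem does not return it again.
        cursor = hit + 1;

        // Clamp the replace window to the region so the last match, sitting
        // near the boundary, does not make SearchAndReplaceMem read past it.
        const duint tail = regionEnd - hit;
        const duint window = (windowLen < tail) ? windowLen : tail;
        if (!Script::Pattern::SearchAndReplaceMem(hit, window, searchpattern, replacepattern)) {
            break;
        }
        Sleep(10);
    }

    ::MessageBox(NULL, "Done", "replaceMemory", MB_OK);
    return 0;
}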