How about add a similiar scan pattern when no-magic-dex is in the MIDDLE of the range

Question

How about add a similiar scan pattern when no-magic-dex is in the MIDDLE of the range

kiyadesu opened this issue 4 years ago · comments

00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 70 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 70 00 00 00

葫芦娃 · Answer 1 · Sun Mar 01 2020 18:57:46 GMT+0800 (China Standard Time)

This is good, but I think it is not credible of only match the size or offset fields (header_size, string_id_offset).

Maybe verify the address order of tables offset(string_ids_offset, field_ids_offset, ...) is better, because it‘s difficult to modify and clear, on current.

come on, pr~

KIYA · Answer 2 · Mon Mar 02 2020 10:50:20 GMT+0800 (China Standard Time)

but when header & maplist becomes not credible as you said, how to get the offset order?

葫芦娃 · Answer 3 · Mon Mar 02 2020 11:09:07 GMT+0800 (China Standard Time)

header_size, string_id_offset is not credible, because in memory has many 0x70.
map_off, type/proto/field/method/class_def_off is relatively reliable.
and in the map_list, has many table offsets, also credible.

我的塑料英语快编不下去了

KIYA · Answer 4 · Mon Mar 02 2020 11:27:20 GMT+0800 (China Standard Time)

Oh, I thought maplist and header values could all be manipulated, that's a extreme situation. 💃
No pattern can ensure success of all match after all.
Adapation on by one is the ultimate solution. :(

頑張れ！英語をすること！:P

葫芦娃 · Answer 5 · Mon Mar 02 2020 23:17:12 GMT+0800 (China Standard Time)

Thank you! :)