Searching for an hex string in a file

[PeterWolf]

Hi friends,

Could anybody tell me how to search for a sequence of hex characters inside a file? I have a file, let's say 'whatever.exe' and I need to find the string '00 FF 20 3A' for instance. I know how to open the file, but then how do I search inside it?

Well, thanks in advance,

-Peter

[hutch--]

Any string search that specifies the search pattern length.

[PeterWolf]

Well, thanks hutch, but I'm afraid I need more specific instructions :-) I just begun programming in assembler a while ago, and I really don't know what to do.

Suppose that I have a file called 'john.exe' and I want to find the following hex string inside it:
'3F 00 2E'.
How do I proceed? I open the file with an invoke CreateFile or whatever and then what? Is there any function I can use to make a search in that file or something?

Thanks for your help,

- Peter

[hutch--]

Sorry Peter,

I am used to guys who knew a bit about the library with MASM32. It has a number of string searches that are designed for specified length searches that don't depend on zero terminators that makes them suitable for doing binary searches.


BinSearch proc StartPos:DWORD,lpString:DWORD,lnStrng:DWORD,lpSubStr:DWORD,lnSubSt:DWORD


This is the algo I had in mind and its in the MASM32 library.

For file search I am inclined to load a complete file into memory then scan it to see whats in it. You can use CreateFile() and matching API calls and it will work fine but if you have a look in the macros in the masm32 library help file, there are a matched pair of block read to memory, block write to file that are easy enough to use that call procedures in the MASM32 library.

[Tedd]

use 'createfile' to open it
then 'readfile' to get it into memory (you'll probably have to 'globalalloc' to get some memory to put it in)
and then check through the bytes for the first byte (3F)
if you find the first byte, check the second byte matches too (00)
if it does, check the third byte (2E)
if that matches, then you've found it
if any of the bytes don't match, then you have to keep searching for the first byte again, and so on
when you've finished doing whatever, remember to 'closehandle' and 'globalfree'

[Nilrem]

Is this link of any use?
http://biw.rult.at/coding/patching2.htm

[Ghirai]

It's probably better to use filemapping, look at CreateFileMapping and MapViewOfFile.
Then you can do the whole search in a few lines, using repz cmpsb/cmpsd.

[pbrennick]

Nilrem,
Any site about cracking or reversing or any other way they want to color it to hide the stink is not of any use here.  You probably did not realize this because if you Google into the middle of the site, it looks innocent enough, but be careful.  You can pick up unwanted baggage from these sites.  Okay?

Paul

[PeterWolf]

Thanks for the tips, guys. That link was very useful, Nilrem. I think I can work it out.

Regards,

-Peter

[Nilrem]

I know that site, but the article was relevant, I thought if I post a direct link (not actually to the main website) then it would be safe. If not I apologise since I been personally spoken to before about such things.