This script scans a specific DLL of the game for a byte signature (a pattern with wildcards). With it you can find the new offset of the pattern you are looking for after an update, and you can also watch addresses whose contents change while the game runs.
import re
import time

import pymem

pm = pymem.Pymem('cs2.exe')
client = pymem.process.module_from_name(pm.process_handle, 'client.dll')
clientModule = pm.read_bytes(client.lpBaseOfDll, client.SizeOfImage)

# Search the specified pattern in the DLL. Each '.' is a one-byte wildcard
# (the '??' of an IDA-style signature). re.DOTALL is required: without it
# '.' does not match the byte 0x0A and the scan silently fails on it.
pattern = rb'\x48\x8B\x0D....\x48\x8B\x01\x48\xFF\x60\x30'
match = re.search(pattern, clientModule, re.DOTALL)
if match:
    # +3 (size of mov): skip the 48 8B 0D opcode bytes to reach the operand
    rva = match.start() + 3
    # match.start() is relative to the start of client.dll, so the module
    # base must be added to get the address inside the process
    address = client.lpBaseOfDll + rva
    # Address with hex & decimal
    print(f"Address found: 0x{address:X} (client.dll+0x{rva:X})\nAddress found: {address:d}")
    # Remember the current value, wait, then read it again
    old_value = pm.read_uchar(address)
    print("Waiting for new value to be found...")
    time.sleep(10)
    new_value = pm.read_uchar(address)
    # Check if the value was changed and print a message
    if new_value != old_value:
        print(f"Value at address 0x{address:X} changed from {old_value} to {new_value}")
    else:
        print("Value did not change. Ending search.")
else:
    print("Pattern not found in client module")
pm.close_process()
- Install the pymem library →
pip install pymem
- Put the pattern you want to search for in the script, replacing this example with your own:
pattern = rb'\x48\x8B\x0D....\x48\x8B\x01\x48\xFF\x60\x30'
Make sure your pattern uses this format: every fixed byte is written as `\xNN` and every wildcard byte (the `?` or `??` of an IDA signature) is written as a single `.`. Because the pattern is matched with the `re` module, the search must be run with `re.DOTALL`, otherwise `.` will not match the byte 0x0A.
- Change the "size of mov" offset in the code to fit your pattern:
# +3 (size of mov)
address = match.start() + 3
To know what the size of the mov is, here is a simplified explanation.
Sometimes the signatures you come across also come with an offset. When you scan for a pattern, the address that is returned is the address of the very first byte of the pattern, but often that first byte is not the data you are looking for. In this example the pattern starts with `48 8B 0D`, which is `mov rcx, [rip+disp32]`; the three opcode bytes come first and the 4-byte displacement you actually want starts 3 bytes in, hence the `+3`. Count the bytes in front of the operand you need and use that number as the offset.
- Run it →
python PatternAddress.py
I'm using SigMaker in IDA Pro to create the patterns to scan for; it is very helpful, so here is a short explanation of how to use it.
- Download SigMaker from here → SigMaker IDA Pro
- Drag SigMaker into the plugins folder of your IDA Pro directory:
Go to the IDA Pro folder → Plugins → put the SigMaker dll in that folder.
- Open IDA Pro and go to → Options → General → Disassembly tab → change "Number of opcode bytes" to a higher number like 16.
After you do this you will notice that in the text view, next to each assembly instruction, you can see all the bytes that encode that instruction. These are the bytes we are going to be scanning for.
Unfortunately it is not that simple: you cannot just scan for these exact bytes. Operands that encode addresses (absolute addresses of functions and variables, and RIP-relative displacements) change from one build of the game to the next, and some are rewritten by the loader when the module is relocated, so a signature made of the exact bytes would stop matching. To combat this, signatures include wildcards in place of those operands: you will find question marks there, because those bytes can have any value and it does not matter.
You can see this in action by selecting a few bytes near the data you want to find and pressing Ctrl+Alt+S, which is the SigMaker shortcut. Once SigMaker is open, select "Create IDA pattern from selection" and look at the pattern that is generated in the Output window.
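The following is an added example, not code from the original script or from SigMaker, that ties together the two points above: the wildcard `?` bytes that SigMaker emits, and the offset that must be added to the match address to reach the operand. It converts an IDA-style signature string straight into a regex (so SigMaker output can be pasted as-is instead of hand-writing `\xNN` and `.`), scans a buffer with the offset applied, and resolves the RIP-relative displacement of a `mov rcx, [rip+disp32]` to the RVA it points at. The `MODULE` bytes are constructed here to stand in for the `read_bytes` of a real DLL; the function names are my own. The displacement deliberately contains the byte 0x0A to show why `re.DOTALL` is needed.

```python
import re
import struct

# Constructed stand-in for the bytes read out of a module. In a real run this
# would be pm.read_bytes(module.lpBaseOfDll, module.SizeOfImage).
MODULE = (
    b"\x90" * 16                       # padding (nop)
    + b"\x48\x8B\x0D\x0A\x00\x00\x00"  # RVA 16: mov rcx, [rip+0xA]  (disp32 contains 0x0A)
    + b"\x48\x8B\x01"                  # RVA 23: mov rax, [rcx]
    + b"\x48\xFF\x60\x30"              # RVA 26: jmp qword ptr [rax+0x30]
    + b"\xCC" * 16                     # padding (int3)
)

# IDA/SigMaker-style signature for the instructions above; '?' marks a wildcard byte.
SIG = "48 8B 0D ? ? ? ? 48 8B 01 48 FF 60 30"


def sig_to_regex(sig: str) -> bytes:
    """Turn "48 8B 0D ? ? ? ? 48 8B 01" into a bytes regex for re.search.

    '?' and '??' become '.', a one-byte wildcard. Fixed bytes are escaped so a
    byte such as 0x2E ('.') or 0x5B ('[') is matched literally, not as regex syntax.
    """
    parts = []
    for tok in sig.split():
        if tok in ("?", "??"):
            parts.append(b".")
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    return b"".join(parts)


def find_pattern(data: bytes, sig: str, offset: int = 0, dotall: bool = True):
    """Return the RVA of the first match plus `offset`, or None if not found.

    `dotall=True` is the correct setting: without re.DOTALL the wildcard '.'
    refuses to match the byte 0x0A, so a pattern whose wildcarded bytes happen
    to contain 0x0A is never found. The flag is exposed only to demonstrate that.
    """
    flags = re.DOTALL if dotall else 0
    m = re.search(sig_to_regex(sig), data, flags)
    if m is None:
        return None
    return m.start() + offset


def resolve_rip_relative(data: bytes, disp_rva: int, bytes_after_disp: int = 0) -> int:
    """Resolve an x64 RIP-relative operand whose disp32 field starts at `disp_rva`.

    The CPU computes target = address of the next instruction + signed disp32.
    For `mov rcx, [rip+disp32]` nothing follows the displacement, so the next
    instruction starts 4 bytes after it; pass `bytes_after_disp` for encodings
    that carry an immediate after the displacement.
    """
    disp = struct.unpack_from("<i", data, disp_rva)[0]
    next_instr_rva = disp_rva + 4 + bytes_after_disp
    return next_instr_rva + disp


if __name__ == "__main__":
    rva = find_pattern(MODULE, SIG, offset=3)           # 16 (match) + 3 (size of mov) = 19
    print(f"operand RVA: 0x{rva:X}")
    print(f"without DOTALL: {find_pattern(MODULE, SIG, 3, dotall=False)}")  # None
    print(f"mov reads from RVA: 0x{resolve_rip_relative(MODULE, rva):X}")  # 0x21
```

In a live scan the RVA is added to `module.lpBaseOfDll` to get the address to pass to `pm.read_*`; the resolved target is likewise module-relative, which is exactly the kind of offset that survives a game update even though the absolute address does not.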
that's all.