指针-模拟CE内存搜索
指针-模拟CE内存搜索
滴水逆向三期初级,指针3
使用C语言模拟CE内存搜索
模拟搜索
题目
-
这一堆数据中存储了角色的血值信息,假设血值的类型为int类型,值为100(10进制),请列出所有可能的值以及该值对应的地址.
0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x07,0x09, 0x00,0x20,0x10,0x03,0x03,0x0C,0x00,0x00,0x44,0x00, 0x00,0x33,0x00,0x47,0x0C,0x0E,0x00,0x0D,0x00,0x11, 0x00,0x00,0x00,0x02,0x64,0x00,0x00,0x00,0xAA,0x00, 0x00,0x00,0x64,0x10,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x02,0x00,0x74,0x0F,0x41,0x00,0x00,0x00, 0x01,0x00,0x00,0x00,0x05,0x00,0x00,0x00,0x0A,0x00, 0x00,0x02,0x74,0x0F,0x41,0x00,0x06,0x08,0x00,0x00, 0x00,0x00,0x00,0x64,0x00,0x0F,0x00,0x00,0x0D,0x00, 0x00,0x00,0x23,0x00,0x00,0x64,0x00,0x00,0x64,0x00
分析
- 数据类型为
int
型,即宽度为4
个字节,需要注意在内存中整数存储时高位存高位、低位存低位(即 x86 使用的小端序:低地址存放低字节),如果某 4 个连续字节的值为 0x00 0x01 0x02 0x03,那么对应的 int 型值应为 0x03020100
- 注意指针加法的跨度,
char*+1
内存地址+1
,short*+1
内存地址+2
,int*+1
内存地址+4
- 内存并没有指定变量范围,也就是说任意
4
个连续的地址都有可能是一个int
类型
- 注意结束点,因为 int 类型宽度为 4,所以扫描时最后一个可以取值的起始地址应为 内存长度-4(含);起始地址一旦超过这个位置,读出的 4 个字节就会越过内存末尾
个人方案
方案一
- 双指针,一个负责取值判断,一个负责地址加法
#include "stdafx.h"
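/* Decode the 4 bytes at p as a little-endian 32-bit integer, the layout the
 * exercise specifies (0x00 0x01 0x02 0x03 -> 0x03020100).  Assembling the
 * value with shifts instead of *(int *)p lets the scan start at any byte
 * offset without misaligned or strict-aliasing-violating reads, and gives
 * the same answer on any host byte order.  The top byte is shifted as
 * unsigned so the shift can never overflow a signed int. */
static int read_le32(const unsigned char *p)
{
    unsigned v = (unsigned)p[0]
               | ((unsigned)p[1] << 8)
               | ((unsigned)p[2] << 16)
               | ((unsigned)p[3] << 24);
    return (int)v; /* implementation-defined for v > INT_MAX, never UB */
}

/* Solution 1: scan the byte buffer the way CE's "exact value" search does
 * for the int 100, trying every byte offset because the variable is not
 * assumed to be aligned.  Each hit is printed as [address]=value; the
 * number of hits is returned so callers (and tests) can check the result
 * without parsing stdout.  Old callers that ignore the return value are
 * unaffected. */
int Function(void)
{
    /* unsigned char: 0xAA does not fit in a signed char */
    unsigned char arr[] = {
        0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x07,0x09,
        0x00,0x20,0x10,0x03,0x03,0x0C,0x00,0x00,0x44,0x00,
        0x00,0x33,0x00,0x47,0x0C,0x0E,0x00,0x0D,0x00,0x11,
        0x00,0x00,0x00,0x02,0x64,0x00,0x00,0x00,0xAA,0x00,
        0x00,0x00,0x64,0x10,0x00,0x00,0x00,0x00,0x00,0x00,
        0x00,0x00,0x02,0x00,0x74,0x0F,0x41,0x00,0x00,0x00,
        0x01,0x00,0x00,0x00,0x05,0x00,0x00,0x00,0x0A,0x00,
        0x00,0x02,0x74,0x0F,0x41,0x00,0x06,0x08,0x00,0x00,
        0x00,0x00,0x00,0x64,0x00,0x0F,0x00,0x00,0x0D,0x00,
        0x00,0x00,0x23,0x00,0x00,0x64,0x00,0x00,0x64,0x00
    };
    const int target = 100; /* 0x64, the health value being searched for */
    size_t n = sizeof(arr);
    int hits = 0;

    /* The last start offset whose 4 bytes are still inside arr is n - 4,
     * hence "off + 4 <= n" rather than "off < n". */
    for (size_t off = 0; off + 4 <= n; off++) {
        unsigned char *p = arr + off;
        int v = read_le32(p);
        if (v == target) {
            /* %p is the only portable way to print a pointer; %x was UB. */
            printf("[%p]=%d\n", (void *)p, v);
            hits++;
        }
    }
    return hits;
}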
/* Entry point: run the simulated memory scan once.  The command-line
 * arguments are accepted for the conventional signature but not used. */
int main(int argc, char* argv[])
{
    (void)argc;
    (void)argv;
    Function();
    return 0;
}
[12feea]=100
方案二
- 双重循环,对起始地址做偏移(外层取偏移 0..3,内层按 4 字节步长扫描)。注意内层循环的次数必须随起始偏移缩减,使每次读取的 4 个字节都落在数组内部;如果内层仍固定循环 长度-4 次,指针会越过数组末尾,读到栈上的其他数据
#include "stdafx.h"
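/* Decode the 4 bytes at p as a little-endian 32-bit integer, the layout the
 * exercise specifies (0x00 0x01 0x02 0x03 -> 0x03020100).  Assembling the
 * value with shifts instead of *(int *)p lets the scan start at any byte
 * offset without misaligned or strict-aliasing-violating reads, and gives
 * the same answer on any host byte order.  The top byte is shifted as
 * unsigned so the shift can never overflow a signed int. */
static int read_le32(const unsigned char *p)
{
    unsigned v = (unsigned)p[0]
               | ((unsigned)p[1] << 8)
               | ((unsigned)p[2] << 16)
               | ((unsigned)p[3] << 24);
    return (int)v; /* implementation-defined for v > INT_MAX, never UB */
}

/* Solution 2: same search as solution 1, but organised as an outer loop
 * over the start offset (0..3) and an inner loop that steps 4 bytes at a
 * time from that offset.  Each hit is printed as [address]=value; the
 * number of hits is returned so callers (and tests) can check the result.
 * Old callers that ignore the return value are unaffected. */
int Function(void)
{
    /* unsigned char: 0xAA does not fit in a signed char */
    unsigned char arr[] = {
        0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x07,0x09,
        0x00,0x20,0x10,0x03,0x03,0x0C,0x00,0x00,0x44,0x00,
        0x00,0x33,0x00,0x47,0x0C,0x0E,0x00,0x0D,0x00,0x11,
        0x00,0x00,0x00,0x02,0x64,0x00,0x00,0x00,0xAA,0x00,
        0x00,0x00,0x64,0x10,0x00,0x00,0x00,0x00,0x00,0x00,
        0x00,0x00,0x02,0x00,0x74,0x0F,0x41,0x00,0x00,0x00,
        0x01,0x00,0x00,0x00,0x05,0x00,0x00,0x00,0x0A,0x00,
        0x00,0x02,0x74,0x0F,0x41,0x00,0x06,0x08,0x00,0x00,
        0x00,0x00,0x00,0x64,0x00,0x0F,0x00,0x00,0x0D,0x00,
        0x00,0x00,0x23,0x00,0x00,0x64,0x00,0x00,0x64,0x00
    };
    const int target = 100; /* 0x64, the health value being searched for */
    size_t n = sizeof(arr);
    int hits = 0;

    /* The inner bound must shrink with the start offset: every read needs
     * off + 4 <= n.  The original ran the inner loop a fixed n-4 times
     * regardless of the stride, so the pointer walked to roughly 4*(n-4)
     * bytes past the start of a 100-byte array -- an out-of-bounds read of
     * whatever else was on the stack. */
    for (size_t start = 0; start < 4 && start + 4 <= n; start++) {
        for (size_t off = start; off + 4 <= n; off += 4) {
            unsigned char *p = arr + off;
            int v = read_le32(p);
            if (v == target) {
                /* %p is the only portable way to print a pointer; %x was UB. */
                printf("[%p]=%d\n", (void *)p, v);
                hits++;
            }
        }
    }
    return hits;
}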
/* Entry point: run the simulated memory scan once.  The command-line
 * arguments are accepted for the conventional signature but not used. */
int main(int argc, char* argv[])
{
    (void)argc;
    (void)argv;
    Function();
    return 0;
}
[12feea]=100