// Just return 0 if not using the dereference, otherwise place in the code from another library/source to obtain the instructions length
23
24
return 0;
24
25
}
25
26
```
26
27
28
+
#### Pattern Flags:
29
+
- d: Dereference from the found address, or found address + offset ( addr + instructlen length + relative address )
30
+
- r: Read the relative value at the address, or at the address + offset (not used on arm)
31
+
<optional read size>: Value of 1, 2, 4 or 8 to use with reading the relative value at address, or address + offset (not used with dereferencing, and not used on arm)
32
+
- a: Perform a byte aligned scan for a faster scan. 4 byte alignment x32, 8 byte alignment x64 (rather than byte by byte scan)
33
+
34
+
27
35
#### Examples:
28
36
```c++
29
37
// Scan will read the relative value from the X offset as 4 bytes
30
38
constexpr auto compiletime_pattern = "AB CC 11 22 33 44 AB 6D X EF BE AD DE /r4"_ctpattern;
31
39
// Scan will read the address from where the marked X is pointed to (defaults as a relative address), and perform the scan byte aligned (4 - 32bit, 8 - 64bit)
32
-
// This also uses the instruction len (notice 9 after X). This tells it during the dereference to start the RIP after the E8 instruction
33
-
constexpr auto xor_pattern = "FE ED FA CE E8 X9 ? ? ? ? EF BE AD DE /da"_xorpattern;
40
+
// This also uses the instruction len (notice 4 after X). This tells it during the dereference to start the RIP after the E8 instruction
41
+
constexpr auto xor_pattern = "FE ED FA CE E8 X4 ? ? ? ? EF BE AD DE /da"_xorpattern;
34
42
// Scan will read the address from where the marked X is pointed to (as a single byte; i.e. short jump)
35
43
auto runtime_pattern = "BA BE CA FE 72 X ? 11 22 /d1"_rtpattern
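Review bot: The added `<optional read size>` line says the size is "not used with dereferencing", but the unchanged `runtime_pattern` example at the end of this hunk uses `/d1` and describes a dereference through a single byte (short jump). Either the flag description or that example needs to change so the two agree on whether a size is valid after `d`. The same added line is missing the leading `- ` that the `d`, `r` and `a` entries have, and its raw angle brackets can be parsed as an HTML tag in rendered Markdown, so the placeholder may disappear; wrapping it in backticks and making it a sub-item of `r` would fix both. For the `X9` to `X4` correction, the comment only says "notice 4 after X"; stating that the number is the byte count from the X position to the end of the instruction (here the four `? ? ? ?` operand bytes of the E8 call) would keep readers from guessing at the value. While this block is being edited, the `runtime_pattern` line also lacks its terminating semicolon.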