Archive: Find string offset in exe or dll


I was searching for a function that can give me the offset where a string can be found inside an exe/dll file and came across this. Now that function seems to do the job quite well, only it doesn't give me the hexadecimal or decimal offset of where the string I searched for is found. Is there any way to do that?


Push "C:\Program Files\NSIS\makensis.exe"
Push "KERNEL32"
Push 0 ; offset to start
Call BinStrSearch
Pop $1 ; address of string or 0 if not found

I use the code shown above to call BinStrSearch; I've just added it to the Wiki since I can't find the original function at the moment.

It will return the decimal offset, but you can convert it to hex with a single statement:
Pop $1
IntFmt $1 "0x%04x" $1

Don

Well, thanks for that, but the weird thing is that using SearchByteFile I do find the string but I can't know the offset; however, using BinStrSearch returns 0 for the same string, meaning it's not found.

Isn't it possible to modify the first function and make it return the offset?


I shall re-write that function as it doesn't always work, with the offset (or -1) as the output.

Stu


Try this:


Function SearchBinaryFile
Exch $R0 # file
Exch
Exch $R1 # search
Push $R2
Push $R3
Push $R4
Push $R5
Push $R6

StrLen $R2 $R1
ClearErrors
FileOpen $R3 $R0 r
IfErrors error
StrCpy $R0 0

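read:
StrCpy $R6 `` # bytes collected at the current offset
StrCpy $R4 0 # number of bytes read so far
read_string:
ClearErrors
FileReadByte $R3 $R5
IfErrors not_found # no more bytes to read: no match
IntFmt $R5 %c $R5
StrCpy $R6 $R6$R5
IntOp $R4 $R4 + 1
StrCmp $R4 $R2 0 read_string

StrCmp $R6 $R1 done
IntOp $R0 $R0 + 1 # no match here, retry one byte further on
FileSeek $R3 $R0 SET
Goto read

not_found:
FileClose $R3 # close the handle before reporting failure
error:
StrCpy $R0 -1
Goto finish
done:
FileClose $R3
finish: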

Pop $R6
Pop $R5
Pop $R4
Pop $R3
Pop $R2
Pop $R1
Exch $R0 # offset or -1
FunctionEnd


Usage:

Push "string"
Push "path\to\file.ext"
Call SearchBinaryFile
Pop $R0 # offset / -1


Stu
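
To cross-check the offset that SearchBinaryFile returns, here is an added example in Python (not part of the thread and not code from the NSIS project). It goes beyond the thread's case by reporting every match and by searching for the text both one byte per character and as UTF-16LE, since text in Windows executables can be stored either way; the names `find_offsets`, `search_string`, `first_offset` and the `SAMPLE` bytes are made up for this illustration.

```python
import io

def find_offsets(stream, needle: bytes, chunk: int = 65536) -> list[int]:
    """Return every file offset at which the byte string `needle` starts."""
    if not needle:
        raise ValueError("empty search pattern")
    keep = len(needle) - 1          # bytes carried over so matches that
    hits, base, tail = [], 0, b""   # straddle two reads are still found
    while block := stream.read(chunk):
        buf = tail + block          # buf[0] sits at file offset base - len(tail)
        i = buf.find(needle)        # byte-exact, so case-sensitive
        while i != -1:
            hits.append(base - len(tail) + i)
            i = buf.find(needle, i + 1)
        tail = buf[-keep:] if keep else b""
        base += len(block)
    return hits

def search_string(stream, text: str, chunk: int = 65536) -> dict[str, list[int]]:
    """Search for `text` stored one byte per character and as UTF-16LE."""
    found = {}
    for label, codec in (("ansi", "latin-1"), ("utf-16le", "utf-16-le")):
        stream.seek(0)
        found[label] = find_offsets(stream, text.encode(codec), chunk)
    return found

def first_offset(stream, text: str) -> int:
    """First offset in either encoding, or -1 (the thread's not-found value)."""
    all_hits = [o for hits in search_string(stream, text).values() for o in hits]
    return min(all_hits, default=-1)

# Constructed sample, not a real PE file: a 64-byte stub, the name as a
# NUL-terminated byte string at offset 64, then as UTF-16LE at offset 80.
SAMPLE = (b"MZ" + bytes(62) + b"KERNEL32.dll\0" + bytes(3)
          + "KERNEL32".encode("utf-16-le"))

if __name__ == "__main__":
    # Decimal and hex, in the same 0x%04x form as the IntFmt line in the thread.
    for label, hits in search_string(io.BytesIO(SAMPLE), "KERNEL32").items():
        print(label, [f"{o} (0x{o:04x})" for o in hits])
```

For a file on disk, pass `open(path, "rb")` in place of the `io.BytesIO` object.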