Wildcard String.
First copy several bytes from the function you want to find. In my case I got this:
00440974 | E8 CD7C0000 | CALL 00448646 |
00440979 | E9 17FEFFFF | JMP 00440795 |
0044097E | 8B4424 04 | MOV EAX, DWORD PTR [ESP+4] |
00440982 | 85C0 | TEST EAX, EAX |
00440984 | 56 | PUSH ESI |
00440985 | 8BF1 | MOV ESI, ECX |
00440987 | C646 0C 00 | MOV BYTE PTR [ESI+C], 0 |
0044098B | 75 63 | JNZ 004409F0 |
0044098D | E8 EA6B0000 | CALL 0044757C |
00440992 | 8946 08 | MOV DWORD PTR [ESI+8], EAX |
To copy: select the code in the Disassembler, then Edit/Copy/Code. This gives me:
E8 CD7C0000
E9 17FEFFFF
8B4424 04
85C0
56
8BF1
C646 0C 00
75 63
E8 EA6B0000
8946 08
Next, change all the operands to question marks, one ? per operand byte.
This gives me:
E8 ????
E9 ????
8B4424 ?
85C0
56
8BF1
C646 ??
75 63
E8 ????
8946 ?
Then add \x in front of every byte value. This gives me:
\xE8 ????
\xE9 ????
\x8B\x44\x24 ?
\x85\xC0
\x56
\x8B\xF1
\xC6\x46 ??
\x75 \x63
\xE8 ????
\x89\x46 ?
Finally, remove spaces and make it one line:
\xE8????\xE9????\x8B\x44\x24?\x85\xC0\x56\x8B\xF1\xC6\x46??\x75\x63\xE8????\x89\x46?
This is my final search string.
To use it:
Start a String Search (Search/String Search in the main window).
Select Wildcard.
String to Find = the string you made.
Uncheck Aligned.
My search returned this:
00440974
Which is exactly the address where my code was found.
L. Spiro
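What the wildcard search does with the final string, as an added Python example (not code from the post or from the tool): it parses the \xNN and ? tokens, treats each ? as one byte of any value, and scans a buffer. REBUILT, JUMP_MOVED, BASE and IMAGE are constructed for illustration. JUMP_MOVED shows that the literal 75 63 stops the pattern matching once that short-jump offset changes.

```python
import re

# A token is either an escaped byte (\xNN) or a one-byte wildcard (?).
TOKEN = re.compile(r"\\x([0-9A-Fa-f]{2})|\?")

def parse_pattern(text):
    """Convert the search string into a list of ints, None = wildcard."""
    pattern, pos = [], 0
    while pos < len(text):
        m = TOKEN.match(text, pos)
        if m is None:
            raise ValueError(f"unexpected text at offset {pos}: {text[pos:pos + 4]!r}")
        pattern.append(int(m.group(1), 16) if m.group(1) else None)
        pos = m.end()
    return pattern

def find_all(data, pattern):
    """Return every offset where all non-wildcard bytes match."""
    last = len(data) - len(pattern)
    return [off for off in range(last + 1)
            if all(p is None or data[off + i] == p for i, p in enumerate(pattern))]

# Final search string from the post.
SEARCH = (r"\xE8????\xE9????\x8B\x44\x24?\x85\xC0\x56\x8B\xF1"
          r"\xC6\x46??\x75\x63\xE8????\x89\x46?")

# Bytes copied in the post.
ORIGINAL = bytes.fromhex("E8CD7C0000 E917FEFFFF 8B442404 85C0 56 8BF1 C6460C00 7563 E8EA6B0000 894608")
# Constructed: same instructions, every wildcarded operand changed.
REBUILT = bytes.fromhex("E811223344 E955667788 8B442408 85C0 56 8BF1 C6461001 7563 E899AABBCC 894610")
# Constructed: only the short-jump offset differs (75 63 -> 75 40); the pattern keeps it literal.
JUMP_MOVED = bytes.fromhex("E8CD7C0000 E917FEFFFF 8B442404 85C0 56 8BF1 C6460C00 7540 E8EA6B0000 894608")

# Constructed buffer; BASE is chosen so ORIGINAL sits at the post's address.
BASE = 0x0044096D
IMAGE = b"\x90" * 7 + ORIGINAL + b"\xCC" * 3 + REBUILT + b"\xCC" * 5 + JUMP_MOVED

def scan(image=IMAGE, base=BASE):
    """Return the addresses in image where the post's search string matches."""
    return [base + off for off in find_all(image, parse_pattern(SEARCH))]

if __name__ == "__main__":
    for addr in scan():
        print(f"{addr:08X}")
```
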