I got myself into the MHS help file and did a few things with Script Search, though, and here's what I've got...
I've put the 'Shell Code To Get You Started' from the helpfile into the Code Editor and compiled it... Anyway, allow me to put the shell code here, so we don't have to open the helpfile:
```c
const DWORD SIZE_OF_ITEM = sizeof( DWORD );

INT UserSearch( LPVOID lpvAddress, LPVOID lpvBuffer, INT iSize ) {
    // Cast to a standard DWORD value. iSize is always equal to SIZE_OF_ITEM here.
    DWORD dwThis = *(DWORD *)lpvBuffer;
    // Add your checks here to determine if the DWORD value should be added
    // to the list.
    return 0; // Value not added.
}

VOID UserDecoder( LPVOID lpvAddress, LPVOID lpvBuffer, DWORD dwLength, CHAR * pcReturn, INT iMaxLength ) {
    // Display a DWORD in decimal and hex.
    DWORD dwValue = *(DWORD *)lpvBuffer;
    SNPrintF( pcReturn, iMaxLength, "%u (%.8X)", dwValue, dwValue );
}

VOID UserSearchSetup( INT * piDataSize, INT * piAlign, CHAR ** ppcCallback, CHAR ** ppcDecoder ) {
    (*piDataSize) = SIZE_OF_ITEM;
    (*piAlign) = 4;
    (*ppcCallback) = "UserSearch";
    (*ppcDecoder) = "UserDecoder";
}

INT UserSubSearch( LPVOID lpvAddress, LPVOID lpvCur, DWORD dwCurSize, LPVOID lpvOld, DWORD dwOldSize ) {
    return 0; // Item removed from the list.
}
```
Now... In my understanding, UserSearch, UserDecoder, UserSearchSetup and UserSubSearch are all functions. Am I correct?
If so, what is the purpose of each?
I started the script search with Minesweeper as the target, using the Basic mode; I set 4 for Data Size and UserDecoder for the CallBack function.
I got these in the result window:
```
Address  | Value
00830000 | 03 00 00 00
00830004 | 80 4F 0A 00
00830008 | 10 00 83 00
0083000C | 00 00 00 00
...      | ...
```
My understanding is that this part of the script:

```c
VOID UserDecoder( LPVOID lpvAddress, LPVOID lpvBuffer, DWORD dwLength, CHAR * pcReturn, INT iMaxLength ) {
    // Display a DWORD in decimal and hex.
    DWORD dwValue = *(DWORD *)lpvBuffer;
    SNPrintF( pcReturn, iMaxLength, "%u (%.8X)", dwValue, dwValue );
}
```

is a decoder that reads every byte in memory, starting at address 00830000, and puts them as a hex dump in the result in 4 columns, as I entered 4 for the Data Size... Am I correct on this?
So, now for the real questions:
1. How do I search for the exact value of 500 in the Long datatype with search scripts?
2. How do I perform a subsearch after the results for 500 were found with the script? Say I want to subsearch for the value of 300?
3. Why did the results in my experiment start at 00830000?
I've been trying to study the helpfile, but it seems that I'm not capable enough to understand it clearly... But, hey, at least I've done something...
Thank you very much in advance... I'd appreciate any kind of help to get me really started with this feature...
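
An added example, not part of the original post and not MHS code: a small C model of how a host scanner could drive callbacks shaped like the shell's UserSearch and UserSubSearch, for an exact value of 500 followed by a sub-search for 300. Assumptions: the `scan`/`subscan` loops, the `demo` helper and the sample memory are hypothetical, the Windows types are replaced with standard C ones, and a nonzero return is taken to mean "keep the item" (the shell code only documents what 0 means).

```c
#include <stdint.h>
#include <string.h>

typedef uint32_t DWORD; /* stand-in for the Windows type in the shell code */
/* Assumption: nonzero = keep the item (the shell documents only 0 = not added). */
static int UserSearch(void *lpvAddress, void *lpvBuffer, int iSize) {
    DWORD dwThis;
    (void)lpvAddress; (void)iSize;
    memcpy(&dwThis, lpvBuffer, sizeof dwThis);
    return dwThis == 500;            /* first pass: exact value 500 */
}

static int UserSubSearch(void *lpvAddress, void *lpvCur, DWORD dwCurSize,
                         void *lpvOld, DWORD dwOldSize) {
    DWORD dwCur;
    (void)lpvAddress; (void)dwCurSize; (void)lpvOld; (void)dwOldSize;
    memcpy(&dwCur, lpvCur, sizeof dwCur);
    return dwCur == 300;             /* second pass: the hit must now read 300 */
}

/* Hypothetical host loop: offer every iAlign-aligned DWORD to UserSearch. */
static size_t scan(void *mem, size_t bytes, size_t iAlign, size_t *hits) {
    size_t n = 0;
    for (size_t off = 0; off + sizeof(DWORD) <= bytes; off += iAlign)
        if (UserSearch((char *)mem + off, (char *)mem + off, (int)sizeof(DWORD)))
            hits[n++] = off;
    return n;
}

/* Hypothetical host loop: re-read each hit, keep it only if UserSubSearch agrees. */
static size_t subscan(void *mem, void *old, size_t *hits, size_t n) {
    size_t kept = 0;
    for (size_t i = 0; i < n; i++)
        if (UserSubSearch((char *)mem + hits[i], (char *)mem + hits[i], sizeof(DWORD),
                          (char *)old + hits[i], sizeof(DWORD)))
            hits[kept++] = hits[i];
    return kept;
}

/* Constructed sample memory: two DWORDs hold 500, then one changes to 300. */
static size_t demo(size_t *first_pass) {
    DWORD mem[6] = {3, 500, 0x000A4F80, 500, 0, 300}, old[6];
    size_t hits[6];
    *first_pass = scan(mem, sizeof mem, 4, hits);
    memcpy(old, mem, sizeof mem);    /* snapshot, as lpvOld for the sub-search */
    mem[3] = 300;                    /* the tracked value changes */
    return subscan(mem, old, hits, *first_pass) == 1 ? hits[0] : (size_t)-1;
}
int main(void) { size_t first; return demo(&first) == 12 && first == 2 ? 0 : 1; }
```

In this model the first pass keeps byte offsets 4 and 12; the sub-search then keeps only offset 12, and the item that already held 300 is never considered because it was not in the first result list.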