Scan memdump for specific hex pattern and write to file from it.

Gazyi, posted Fri Feb 09, 2018 6:07 pm (32306)


I tried to write it myself, but I still don't understand QuickBMS scripting.
I want to somewhat automate the process of finding Cryengine RSA keys inside memory dumps. I wanted to make a QuickBMS script which scans a dump for a specific hex code (30 81 89 02 81 81 00) and then writes to a file 140 bytes in hex from all positions at which this pattern starts, in a format like this:
Code:
0x30, 0x81, 0x89, 0x02, 0x81, 0x81, 0x00, 0xBF, 0xD6, 0x12, 0xF2, 0x5E, 0x95, 0x48, 0x4C, 0xCB,
0xB5, 0xCE, 0x2B, 0xAB, 0x39, 0xFB, 0x3C, 0xEF, 0xE0, 0x8B, 0xC3, 0x1B, 0xB9, 0x3E, 0x59, 0x85,
0xB9, 0x22, 0x8C, 0x90, 0x87, 0xA3, 0xE0, 0xCF, 0x7F, 0x80, 0x6B, 0xAD, 0x52, 0xEB, 0x11, 0x81,
0xC8, 0x58, 0x46, 0xB4, 0xD1, 0xF2, 0x7E, 0xC2, 0x63, 0xC5, 0xEE, 0x1B, 0x06, 0xE8, 0x7F, 0xDE,
0x2B, 0xD9, 0x53, 0x5F, 0x96, 0x91, 0x5C, 0x39, 0x9E, 0xBC, 0xF7, 0xFA, 0xEF, 0x65, 0xFC, 0x94,
0x7F, 0xB0, 0x37, 0xCA, 0xF6, 0xE3, 0xCE, 0xF9, 0xDC, 0xDD, 0xD5, 0x5F, 0x23, 0x6D, 0x2B, 0x29,
0xEC, 0x90, 0x72, 0x0C, 0xCC, 0xBE, 0xC6, 0x65, 0x25, 0xE9, 0x64, 0xF8, 0x31, 0x14, 0x0B, 0xC0,
0xCC, 0xFB, 0x9F, 0xA4, 0x97, 0x32, 0x71, 0xA3, 0x86, 0xA1, 0x46, 0x97, 0x5F, 0x4A, 0x86, 0xB6,
0x24, 0x8D, 0x45, 0x89, 0xEE, 0xF3, 0xD7, 0x02, 0x03, 0x01, 0x00, 0x01

Any help will be useful.

aluigi, posted Fri Feb 09, 2018 8:54 pm (32309)


Code:
for
    findloc OFFSET binary "\x30\x81\x89\x02\x81\x81\x00"
    goto OFFSET
    log "" OFFSET 140
    getdstring KEY 140  # useless, advances and can be used to show the key instead of dumping it
next
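
The scan discussed in this thread, as an added Python example that is not part of the original posts or of QuickBMS: it searches for the same header, keeps only matches whose 140 bytes have the DER layout of an RSA public key (which drops chance header matches), and renders them in the `0x..` list format from the question. The function names and the sample dump are constructed for illustration.

```python
"""Added example: scan a dump for DER RSA public keys and print them as hex lists."""

# Header from the thread: SEQUENCE (0x89 bytes) > INTEGER (0x81 bytes) > leading 0x00
PATTERN = bytes.fromhex("30818902818100")
KEY_LEN = 140          # 3-byte SEQUENCE header + 0x89 content bytes
EXP_OFFSET = 6 + 0x81  # modulus INTEGER content starts at 6 and is 0x81 bytes long


def looks_like_rsa_public_key(blob: bytes) -> bool:
    """Check that the 140 bytes have the DER layout of a 1024-bit RSAPublicKey."""
    if len(blob) != KEY_LEN or not blob.startswith(PATTERN):
        return False
    exp = blob[EXP_OFFSET:]  # whatever follows the modulus must be one INTEGER
    return exp[0] == 0x02 and exp[1] == len(exp) - 2


def find_keys(dump: bytes) -> list:
    """Return (offset, key_bytes) for every match that passes the layout check."""
    hits, pos = [], dump.find(PATTERN)
    while pos != -1:
        blob = dump[pos:pos + KEY_LEN]
        if looks_like_rsa_public_key(blob):
            hits.append((pos, blob))
        pos = dump.find(PATTERN, pos + 1)
    return hits


def format_hex(blob: bytes, per_line: int = 16) -> str:
    """Render bytes as '0x30, 0x81, ...' rows, 16 per line as in the question."""
    rows = [", ".join(f"0x{b:02X}" for b in blob[i:i + per_line])
            for i in range(0, len(blob), per_line)]
    return ",\n".join(rows)


def build_sample_dump() -> bytes:
    """Constructed test data: one well-formed key and one bare header match."""
    modulus = bytes([0xC1]) + bytes(range(127))  # made-up 128 bytes, not a real key
    key = PATTERN + modulus + bytes.fromhex("0203010001")  # exponent 65537
    return b"\xAA" * 37 + key + b"\x00" * 20 + PATTERN + b"\xFF" * 200


if __name__ == "__main__":
    for offset, key in find_keys(build_sample_dump()):
        print(f"# offset 0x{offset:X}")
        print(format_hex(key))
```

For a real dump, pass the file's bytes (read in binary mode) to `find_keys` instead of the constructed sample.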