mistdumper
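A configurable pattern finder for static analysis, written in Dart.
It is intended to retrieve offsets from files on disk without running them.
The project is inspired by hazedumper, a runtime signature finder.
Usage
mistdumper.exe [options] <executablePath>
Options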
-c, --config=<path> (mandatory) Path of the config file
-f, --format=<format> (mandatory) The output format
--[no-]versioned Should the version be appended to file name
executablePath Path of the executable to parse
Formatters
Mistdumper can write its results in several output formats.
The currently implemented output formats are:
- Dart
- C++
- CSharp
JSON configuration
Full structure
{
  "name": "ExampleApp Signature List",
  "appname": "ExampleApp",
  "version": "0.0.0.1",
  "author": "Midi12",
  "signatures" : [
    {
      "name": "s_globalPtr",
      "relative": true,
      "dereference": false,
      "dereference_size": 0,
      "offset": 3,
      "extra": 12,
      "pattern": "DE AD BE ?? ?? ?? ?? EF DE AD C0 DE ?? ?? ?? ??",
      "namespace": "Statics"
    }
  ]
}
- name : required
- pattern : required
- namespace : required
- dereference : optional (default: false)
- dereference_size : optional (default: 4)
- relative : optional (default: false)
- offset : optional (default: 0)
- extra : optional (default: 0)
Complete JSON configuration example
{
  "name": "ExampleApp Signature List",
  "appname": "ExampleApp",
  "version": "0.0.0.1",
  "author": "Midi12",
  "signatures" : [
    {
      "name": "s_globalPtr",
      "relative": true,
      "offset": 3,
      "pattern": "DE AD BE ?? ?? ?? ?? EF DE AD C0 DE ?? ?? ?? ??",
      "namespace": "Statics"
    },
    {
      "name": "s_globalPtr__pOffset",
      "dereference": true,
      "dereference_size": 4,
      "offset": 8,
      "pattern": "DE AD BE ?? ?? ?? ?? EF DE AD C0 DE ?? ?? ?? ??",
      "namespace": "Offsets"
    },
    {
      "name": "ExampleFunction",
      "extra": 12,
      "pattern": "DE AD BE ?? ?? ?? ?? EF DE AD C0 DE ?? ?? ?? ??",
      "namespace": "Functions"
    }
  ]
}
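The following is an added example, not part of mistdumper or its README: it loads a config in the format above, applies the documented defaults, and matches the `??` wildcard pattern against a byte buffer to find where a signature occurs in a file. The function names and the sample buffer are constructed for illustration, and the sketch deliberately stops at the raw match offset because the README does not specify how `relative`, `offset`, `extra` and `dereference` are applied.

```python
import json

# Defaults for optional signature fields, as listed in the README.
DEFAULTS = {"dereference": False, "dereference_size": 4,
            "relative": False, "offset": 0, "extra": 0}
REQUIRED = ("name", "pattern", "namespace")


def load_signatures(config_text):
    """Parse a config and return signatures with the README defaults applied."""
    config = json.loads(config_text)
    signatures = []
    for raw in config["signatures"]:
        missing = [key for key in REQUIRED if key not in raw]
        if missing:
            raise ValueError(f"signature missing required field(s): {missing}")
        signatures.append({**DEFAULTS, **raw})
    return signatures


def compile_pattern(pattern):
    """Turn 'DE AD ?? EF' into a list of ints, with None for each wildcard."""
    return [None if tok == "??" else int(tok, 16) for tok in pattern.split()]


def find_pattern(data, pattern):
    """Return every offset in data where the pattern matches (hypothetical helper)."""
    needle = compile_pattern(pattern)
    hits = []
    for start in range(len(data) - len(needle) + 1):
        if all(b is None or data[start + i] == b for i, b in enumerate(needle)):
            hits.append(start)
    return hits


# Constructed sample: 4 padding bytes, then bytes that fit the README pattern.
SAMPLE = bytes.fromhex("00000000" "DEADBE" "11223344" "EFDEADC0DE" "55667788" "90")
SAMPLE_CONFIG = """{"signatures": [{"name": "s_globalPtr", "relative": true,
  "offset": 3, "namespace": "Statics",
  "pattern": "DE AD BE ?? ?? ?? ?? EF DE AD C0 DE ?? ?? ?? ??"}]}"""

if __name__ == "__main__":
    for sig in load_signatures(SAMPLE_CONFIG):
        print(sig["name"], find_pattern(SAMPLE, sig["pattern"]))
```

A pattern that matches more than once returns several offsets, which is a sign the signature is too short or has too many wildcards to identify one location.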
Output examples
Dart
library mistdumper;
class Functions {
  static const int ExampleFunction = 0xdeadc0de;
}
class Offsets {
  static const int s_globalPtr__pOffset = 0xc0ffee;
}
class Statics {
  static const int s_globalPtr = 0xdeadbeef;
}
C++
#pragma once
#include <cstdint>
namespace mistdumper {
  namespace Functions {
    constexpr ptrdiff_t ExampleFunction = 0xdeadc0de;
  }
  namespace Offsets {
    constexpr ptrdiff_t s_globalPtr__pOffset = 0xc0ffee;
  }
  namespace Statics {
    constexpr ptrdiff_t s_globalPtr = 0xdeadbeef;
  }
}
CSharp
using System;
namespace MistDumper
{
  public static class Functions {
    public static readonly UIntPtr ExampleFunction = 0xdeadc0de;
  }
  public static class Offsets {
    public static readonly UIntPtr s_globalPtr__pOffset = 0xc0ffee;
  }
  public static class Statics {
    public static readonly UIntPtr s_globalPtr = 0xdeadbeef;
  }
}
Building from source
You need at least Dart SDK 2.12.0 (https://dart.ac.cn/get-dart).
If you modify the JSON classes, you need to run dart run build_runner build.
Run dart compile exe .\bin\mistdumper.dart -o .\build\mistdumper.exe.