mistdumper

A configurable pattern finder for static analysis written in Dart.

It is meant to retrieve offsets from files on disk without running them.

This project is inspired by hazedumper, which is a runtime signature finder.

Usage

mistdumper.exe [options] <executablePath>

Options:

-c, --config=<path> (mandatory)      Path of the config file
-f, --format=<format> (mandatory)    The output format
    --[no-]versioned                 Should the version be appended to file name
executablePath                       Path of the executable to parse

Formatters

Mistdumper can format to multiple output formats.

Currently implemented output formats are:

  • Dart
  • C++
  • CSharp

JSON configuration

Full structure:

{
  "name": "ExampleApp Signature List",
  "appname": "ExampleApp",
  "version": "0.0.0.1",
  "author": "Midi12",
  "signatures" : [
    {
      "name": "s_globalPtr",
      "relative": true,
      "dereference": false,
      "dereference_size": 0,
      "offset": 3,
      "extra": 12,
      "pattern": "DE AD BE ?? ?? ?? ?? EF DE AD C0 DE ?? ?? ?? ??",
      "namespace": "Statics"
    }
  ]
}
  • name: mandatory
  • pattern: mandatory
  • namespace: mandatory
  • dereference: optional (default value: false)
  • dereference_size: optional (default value: 4)
  • relative: optional (default value: false)
  • offset: optional (default value: 0)
  • extra: optional (default value: 0)

Full example of JSON configuration:

{
  "name": "ExampleApp Signature List",
  "appname": "ExampleApp",
  "version": "0.0.0.1",
  "author": "Midi12",
  "signatures" : [
    {
      "name": "s_globalPtr",
      "relative": true,
      "offset": 3,
      "pattern": "DE AD BE ?? ?? ?? ?? EF DE AD C0 DE ?? ?? ?? ??",
      "namespace": "Statics"
    },
    {
      "name": "s_globalPtr__pOffset",
      "dereference": true,
      "dereference_size": 4,
      "offset": 8,
      "pattern": "DE AD BE ?? ?? ?? ?? EF DE AD C0 DE ?? ?? ?? ??",
      "namespace": "Offsets"
    },
    {
      "name": "ExampleFunction",
      "extra": 12,
      "pattern": "DE AD BE ?? ?? ?? ?? EF DE AD C0 DE ?? ?? ?? ??",
      "namespace": "Functions"
    }
  ]
}
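The field list and the full configuration above give the shape of a signature but not how the scanner applies it. The following added example (not mistdumper's own code, and written in Python rather than Dart so it runs stand-alone) shows the technique end to end: it compiles a "DE AD BE ?? ??" pattern into a byte matcher, scans a constructed sample file, and resolves the three signatures from the full example. The meaning given to offset, dereference, dereference_size, relative and extra is an assumption made for this example (rel32-style resolution for relative, a little-endian read for dereference), not documented mistdumper behaviour. The sample bytes SAMPLE and AMBIGUOUS are constructed; the check a practitioner wants here is that a wildcard-heavy pattern matches exactly once, because a signature that hits in several places yields a silently wrong offset, so the resolver refuses to pick one.

```python
import re
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Signature:
    # Field names follow the mistdumper JSON config; the semantics applied
    # below are assumptions made for this example, not the tool's documented behaviour.
    name: str
    pattern: str
    namespace: str
    dereference: bool = False
    dereference_size: int = 4
    relative: bool = False
    offset: int = 0
    extra: int = 0


def compile_pattern(pattern: str) -> "re.Pattern[bytes]":
    """Compile 'DE AD ?? EF' into a bytes regex; '??' matches any single byte.

    The body is wrapped in a lookahead so finditer() also reports overlapping
    matches, which the uniqueness check in resolve() depends on.
    """
    parts: List[bytes] = []
    for tok in pattern.split():
        if tok == "??":
            parts.append(b".")
        elif len(tok) == 2:
            parts.append(re.escape(bytes([int(tok, 16)])))
        else:
            raise ValueError(f"bad pattern token {tok!r}")
    return re.compile(b"(?=" + b"".join(parts) + b")", re.DOTALL)


def find_all(data: bytes, pattern: str) -> List[int]:
    """Every file offset at which the pattern matches."""
    return [m.start() for m in compile_pattern(pattern).finditer(data)]


def resolve(data: bytes, sig: Signature) -> Optional[int]:
    """Turn one signature into a value, or None if the pattern is not unique.

    Assumed semantics:
      offset      - byte distance from the match start to the field of interest
      relative    - read a signed 32-bit displacement there and add it to the
                    address just past the displacement (rel32-style)
      dereference - read `dereference_size` little-endian bytes there and use
                    that value instead of the position
      extra       - constant added to whichever result was produced
    """
    hits = find_all(data, sig.pattern)
    if len(hits) != 1:  # zero or several hits: refuse to guess
        return None
    pos = hits[0] + sig.offset
    if sig.relative:
        disp = struct.unpack_from("<i", data, pos)[0]
        value = pos + 4 + disp
    elif sig.dereference:
        raw = data[pos:pos + sig.dereference_size]
        value = int.from_bytes(raw, "little", signed=False)
    else:
        value = pos
    return value + sig.extra


def dump(data: bytes, sigs: List[Signature]) -> Dict[str, Dict[str, Optional[int]]]:
    """Group resolved values by namespace, the way the page's formatters do."""
    out: Dict[str, Dict[str, Optional[int]]] = {}
    for sig in sigs:
        out.setdefault(sig.namespace, {})[sig.name] = resolve(data, sig)
    return out


# The three signatures from the full JSON example above.
PATTERN = "DE AD BE ?? ?? ?? ?? EF DE AD C0 DE ?? ?? ?? ??"
SIGNATURES = [
    Signature("s_globalPtr", PATTERN, "Statics", relative=True, offset=3),
    Signature("s_globalPtr__pOffset", PATTERN, "Offsets",
              dereference=True, dereference_size=4, offset=8),
    Signature("ExampleFunction", PATTERN, "Functions", extra=12),
]

# Constructed sample "file": 16 filler bytes, one 16-byte match, 16 more filler bytes.
MATCH = (bytes.fromhex("DEADBE") + struct.pack("<i", 0x100)
         + bytes.fromhex("EFDEADC0DE") + struct.pack("<I", 0xC0FFEE))
SAMPLE = b"\x90" * 16 + MATCH + b"\x90" * 16
# Constructed file in which the same bytes occur twice, so the signature is ambiguous.
AMBIGUOUS = SAMPLE + MATCH

if __name__ == "__main__":
    for ns, values in dump(SAMPLE, SIGNATURES).items():
        for name, value in values.items():
            print(f"{ns}.{name} = {value:#x}" if value is not None else f"{ns}.{name} = <ambiguous>")
    print("ambiguous file:", resolve(AMBIGUOUS, SIGNATURES[0]))
```

Running the block resolves s_globalPtr to the rel32 target 0x117, s_globalPtr__pOffset to the four bytes read at offset 8 (0xdec0adde) and ExampleFunction to the match position plus extra; on the ambiguous file the resolver returns None instead of the first hit. Wrapping the pattern in a lookahead is what makes the second hit visible when matches overlap.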

Example outputs

Dart:

library mistdumper;


	class Functions {
		static const int ExampleFunction = 0xdeadc0de;
	}
	class Offsets {
		static const int s_globalPtr__pOffset = 0xc0ffee;
	}
	class Statics {
		static const int s_globalPtr = 0xdeadbeef;
	}

C++:

#pragma once
#include <cstdint>

namespace mistdumper {

	namespace Functions {
			constexpr ptrdiff_t ExampleFunction = 0xdeadc0de;
	}
	namespace Offsets {
			constexpr ptrdiff_t s_globalPtr__pOffset = 0xc0ffee;
	}
	namespace Statics {
			constexpr ptrdiff_t s_globalPtr = 0xdeadbeef;
	}

}

CSharp:

using System;

namespace MistDumper
{

	public static class Functions {
			public static readonly UIntPtr ExampleFunction = 0xdeadc0de;
	}
	public static class Offsets {
			public static readonly UIntPtr s_globalPtr__pOffset = 0xc0ffee;
	}
	public static class Statics {
			public static readonly UIntPtr s_globalPtr = 0xdeadbeef;
	}

}

Building from the source

You need at least Dart SDK 2.12.0 (https://dart.dev/get-dart).

If you modified the JSON class, run dart run build_runner build to regenerate the serialization code.

Run dart compile exe .\bin\mistdumper.dart -o .\build\mistdumper.exe.

GitHub

https://github.com/Midi12/mistdumper