Refactored NodeDissector.

KN4CK3R · KN4CK3R · commit 5ae0961c2f6e · 2019-04-25T11:11:56.000+02:00
diff --git a/ReClass.NET/Memory/NodeDissector.cs b/ReClass.NET/Memory/NodeDissector.cs
@@ -17,27 +17,28 @@ public static void DissectNodes(IEnumerable<BaseHexNode> nodes, MemoryBuffer mem
 
 			foreach (var node in nodes)
 			{
-				var type = GuessExplicitNode(node, memory);
-				if (type != null)
+				if (GuessNode(node, memory, out var guessedNode))
 				{
-					node.GetParentContainer()?.ReplaceChildNode(node, type);
+					node.GetParentContainer()?.ReplaceChildNode(node, guessedNode);
 				}
 			}
 		}
 
-		public static BaseNode GuessExplicitNode(BaseHexNode node, MemoryBuffer memory)
+		public static bool GuessNode(BaseHexNode node, MemoryBuffer memory, out BaseNode guessedNode)
 		{
 			Contract.Requires(node != null);
 			Contract.Requires(memory != null);
 
+			guessedNode = null;
+
 			var offset = node.Offset;
 			var is4ByteAligned = offset % 4 == 0;
 			var is8ByteAligned = offset % 8 == 0;
 
 			// The node is not aligned, skip it.
 			if (!is4ByteAligned)
 			{
-				return null;
+				return false;
 			}
 
 			var data64 = memory.ReadObject<UInt64FloatDoubleData>(offset);
@@ -46,46 +47,48 @@ public static BaseNode GuessExplicitNode(BaseHexNode node, MemoryBuffer memory)
 			var raw = memory.ReadBytes(offset, node.MemorySize);
 			if (raw.InterpretAsUtf8().IsLikelyPrintableData() >= 0.75f)
 			{
-				return new Utf8TextNode();
+				guessedNode = new Utf8TextNode();
+
+				return true;
 			}
 			if (raw.InterpretAsUtf16().IsLikelyPrintableData() >= 0.75f)
 			{
-				return new Utf16TextNode();
+				guessedNode = new Utf16TextNode();
+
+				return true;
 			}
 
+#if RECLASSNET64
 			if (is8ByteAligned)
 			{
-#if RECLASSNET64
-				var pointerType = GuessPointerNode(data64.IntPtr, memory);
-				if (pointerType != null)
+				if (GuessPointerNode(data64.IntPtr, memory.Process, out guessedNode))
 				{
-					return pointerType;
+					return true;
 				}
-#endif
 			}
+#else
+			if (GuessPointerNode(data32.IntPtr, memory.Process, out guessedNode))
+			{
+				return true;
+			}
+#endif
 
+			// 0 could be anything.
+			if (data32.IntValue != 0)
 			{
-#if RECLASSNET32
-				var pointerNode = GuessPointerNode(data32.IntPtr, memory);
-				if (pointerNode != null)
+				// If the data represents a reasonable range, it could be a float.
+				if (-999999.0f <= data32.FloatValue && data32.FloatValue <= 999999.0f && !data32.FloatValue.IsNearlyEqual(0.0f, 0.001f))
 				{
-					return pointerNode;
+					guessedNode = new FloatNode();
+
+					return true;
 				}
-#endif
 
-				// 0 could be anything.
-				if (data32.IntValue != 0)
+				if (-999999 <= data32.IntValue && data32.IntValue <= 999999)
 				{
-					// If the data represents a reasonable range, it could be a float.
-					if (-999999.0f <= data32.FloatValue && data32.FloatValue <= 999999.0f && !data32.FloatValue.IsNearlyEqual(0.0f, 0.001f))
-					{
-						return new FloatNode();
-					}
+					guessedNode = new Int32Node();
 
-					if (-999999 <= data32.IntValue && data32.IntValue <= 999999)
-					{
-						return new Int32Node();
-					}
+					return true;
 				}
 			}
 
@@ -96,60 +99,74 @@ public static BaseNode GuessExplicitNode(BaseHexNode node, MemoryBuffer memory)
 					// If the data represents a reasonable range, it could be a double.
 					if (-999999.0 <= data64.DoubleValue && data64.DoubleValue <= 999999.0 && !data64.DoubleValue.IsNearlyEqual(0.0, 0.001))
 					{
-						return new DoubleNode();
+						guessedNode = new DoubleNode();
+
+						return true;
 					}
 				}
 			}
 
-			return null;
+			return false;
 		}
 
-		private static BaseNode GuessPointerNode(IntPtr address, MemoryBuffer memory)
+		private static bool GuessPointerNode(IntPtr address, IProcessReader process, out BaseNode node)
 		{
-			Contract.Requires(memory != null);
+			Contract.Requires(process != null);
+
+			node = null;
 
 			if (address.IsNull())
 			{
-				return null;
+				return false;
 			}
 
-			var section = memory.Process.GetSectionToPointer(address);
+			var section = process.GetSectionToPointer(address);
 			if (section == null)
 			{
-				return null;
+				return false;
 			}
 
 			if (section.Category == SectionCategory.CODE) // If the section contains code, it should be a function pointer.
 			{
-				return new FunctionPtrNode();
+				node = new FunctionPtrNode();
+
+				return true;
 			}
 			if (section.Category == SectionCategory.DATA || section.Category == SectionCategory.HEAP) // If the section contains data, it is at least a pointer to a class or something.
 			{
 				// Check if it is a vtable. Check if the first 3 values are pointers to a code section.
-				var possibleVmt = memory.Process.ReadRemoteObject<ThreePointersData>(address);
-				if (memory.Process.GetSectionToPointer(possibleVmt.Pointer1)?.Category == SectionCategory.CODE
-					&& memory.Process.GetSectionToPointer(possibleVmt.Pointer2)?.Category == SectionCategory.CODE
-					&& memory.Process.GetSectionToPointer(possibleVmt.Pointer3)?.Category == SectionCategory.CODE)
+				var possibleVmt = process.ReadRemoteObject<ThreePointersData>(address);
+				if (process.GetSectionToPointer(possibleVmt.Pointer1)?.Category == SectionCategory.CODE
+					&& process.GetSectionToPointer(possibleVmt.Pointer2)?.Category == SectionCategory.CODE
+					&& process.GetSectionToPointer(possibleVmt.Pointer3)?.Category == SectionCategory.CODE)
 				{
-					return new VirtualMethodTableNode();
+					node = new VirtualMethodTableNode();
+
+					return true;
 				}
 
 				// Check if it is a string.
-				var data = memory.Process.ReadRemoteMemory(address, IntPtr.Size * 2);
+				var data = process.ReadRemoteMemory(address, IntPtr.Size * 2);
 				if (data.Take(IntPtr.Size).InterpretAsUtf8().IsLikelyPrintableData() >= 07.5f)
 				{
-					return new Utf8TextPtrNode();
+					node = new Utf8TextPtrNode();
+
+					return true;
 				}
 				if (data.InterpretAsUtf16().IsLikelyPrintableData() >= 0.75f)
 				{
-					return new Utf16TextPtrNode();
+					node = new Utf16TextPtrNode();
+
+					return true;
 				}
 
 				// Now it could be a pointer to something else but we can't tell. :(
-				return new PointerNode();
+				node = new PointerNode();
+
+				return true;
 			}
 
-			return null;
+			return false;
 		}
 	}
 }

Original file line number	Diff line number	Diff line change
`@@ -17,27 +17,28 @@ public static void DissectNodes(IEnumerable<BaseHexNode> nodes, MemoryBuffer mem`
`17`	`17`
`18`	`18`	`foreach (var node in nodes)`
`19`	`19`	`{`
`20`		`- var type = GuessExplicitNode(node, memory);`
`21`		`- if (type != null)`
	`20`	`+ if (GuessNode(node, memory, out var guessedNode))`
`22`	`21`	`{`
`23`		`- node.GetParentContainer()?.ReplaceChildNode(node, type);`
	`22`	`+ node.GetParentContainer()?.ReplaceChildNode(node, guessedNode);`
`24`	`23`	`}`
`25`	`24`	`}`
`26`	`25`	`}`
`27`	`26`
`28`		`- public static BaseNode GuessExplicitNode(BaseHexNode node, MemoryBuffer memory)`
	`27`	`+ public static bool GuessNode(BaseHexNode node, MemoryBuffer memory, out BaseNode guessedNode)`
`29`	`28`	`{`
`30`	`29`	`Contract.Requires(node != null);`
`31`	`30`	`Contract.Requires(memory != null);`
`32`	`31`
	`32`	`+ guessedNode = null;`
	`33`	`+`
`33`	`34`	`var offset = node.Offset;`
`34`	`35`	`var is4ByteAligned = offset % 4 == 0;`
`35`	`36`	`var is8ByteAligned = offset % 8 == 0;`
`36`	`37`
`37`	`38`	`// The node is not aligned, skip it.`
`38`	`39`	`if (!is4ByteAligned)`
`39`	`40`	`{`
`40`		`- return null;`
	`41`	`+ return false;`
`41`	`42`	`}`
`42`	`43`
`43`	`44`	`var data64 = memory.ReadObject<UInt64FloatDoubleData>(offset);`
`@@ -46,46 +47,48 @@ public static BaseNode GuessExplicitNode(BaseHexNode node, MemoryBuffer memory)`
`46`	`47`	`var raw = memory.ReadBytes(offset, node.MemorySize);`
`47`	`48`	`if (raw.InterpretAsUtf8().IsLikelyPrintableData() >= 0.75f)`
`48`	`49`	`{`
`49`		`- return new Utf8TextNode();`
	`50`	`+ guessedNode = new Utf8TextNode();`
	`51`	`+`
	`52`	`+ return true;`
`50`	`53`	`}`
`51`	`54`	`if (raw.InterpretAsUtf16().IsLikelyPrintableData() >= 0.75f)`
`52`	`55`	`{`
`53`		`- return new Utf16TextNode();`
	`56`	`+ guessedNode = new Utf16TextNode();`
	`57`	`+`
	`58`	`+ return true;`
`54`	`59`	`}`
`55`	`60`
	`61`	`+#if RECLASSNET64`
`56`	`62`	`if (is8ByteAligned)`
`57`	`63`	`{`
`58`		`-#if RECLASSNET64`
`59`		`- var pointerType = GuessPointerNode(data64.IntPtr, memory);`
`60`		`- if (pointerType != null)`
	`64`	`+ if (GuessPointerNode(data64.IntPtr, memory.Process, out guessedNode))`
`61`	`65`	`{`
`62`		`- return pointerType;`
	`66`	`+ return true;`
`63`	`67`	`}`
`64`		`-#endif`
`65`	`68`	`}`
	`69`	`+#else`
	`70`	`+ if (GuessPointerNode(data32.IntPtr, memory.Process, out guessedNode))`
	`71`	`+ {`
	`72`	`+ return true;`
	`73`	`+ }`
	`74`	`+#endif`
`66`	`75`
	`76`	`+ // 0 could be anything.`
	`77`	`+ if (data32.IntValue != 0)`
`67`	`78`	`{`
`68`		`-#if RECLASSNET32`
`69`		`- var pointerNode = GuessPointerNode(data32.IntPtr, memory);`
`70`		`- if (pointerNode != null)`
	`79`	`+ // If the data represents a reasonable range, it could be a float.`
	`80`	`+ if (-999999.0f <= data32.FloatValue && data32.FloatValue <= 999999.0f && !data32.FloatValue.IsNearlyEqual(0.0f, 0.001f))`
`71`	`81`	`{`
`72`		`- return pointerNode;`
	`82`	`+ guessedNode = new FloatNode();`
	`83`	`+`
	`84`	`+ return true;`
`73`	`85`	`}`
`74`		`-#endif`
`75`	`86`
`76`		`- // 0 could be anything.`
`77`		`- if (data32.IntValue != 0)`
	`87`	`+ if (-999999 <= data32.IntValue && data32.IntValue <= 999999)`
`78`	`88`	`{`
`79`		`- // If the data represents a reasonable range, it could be a float.`
`80`		`- if (-999999.0f <= data32.FloatValue && data32.FloatValue <= 999999.0f && !data32.FloatValue.IsNearlyEqual(0.0f, 0.001f))`
`81`		`- {`
`82`		`- return new FloatNode();`
`83`		`- }`
	`89`	`+ guessedNode = new Int32Node();`
`84`	`90`
`85`		`- if (-999999 <= data32.IntValue && data32.IntValue <= 999999)`
`86`		`- {`
`87`		`- return new Int32Node();`
`88`		`- }`
	`91`	`+ return true;`
`89`	`92`	`}`
`90`	`93`	`}`
`91`	`94`
`@@ -96,60 +99,74 @@ public static BaseNode GuessExplicitNode(BaseHexNode node, MemoryBuffer memory)`
`96`	`99`	`// If the data represents a reasonable range, it could be a double.`
`97`	`100`	`if (-999999.0 <= data64.DoubleValue && data64.DoubleValue <= 999999.0 && !data64.DoubleValue.IsNearlyEqual(0.0, 0.001))`
`98`	`101`	`{`
`99`		`- return new DoubleNode();`
	`102`	`+ guessedNode = new DoubleNode();`
	`103`	`+`
	`104`	`+ return true;`
`100`	`105`	`}`
`101`	`106`	`}`
`102`	`107`	`}`
`103`	`108`
`104`		`- return null;`
	`109`	`+ return false;`
`105`	`110`	`}`
`106`	`111`
`107`		`- private static BaseNode GuessPointerNode(IntPtr address, MemoryBuffer memory)`
	`112`	`+ private static bool GuessPointerNode(IntPtr address, IProcessReader process, out BaseNode node)`
`108`	`113`	`{`
`109`		`- Contract.Requires(memory != null);`
	`114`	`+ Contract.Requires(process != null);`
	`115`	`+`
	`116`	`+ node = null;`
`110`	`117`
`111`	`118`	`if (address.IsNull())`
`112`	`119`	`{`
`113`		`- return null;`
	`120`	`+ return false;`
`114`	`121`	`}`
`115`	`122`
`116`		`- var section = memory.Process.GetSectionToPointer(address);`
	`123`	`+ var section = process.GetSectionToPointer(address);`
`117`	`124`	`if (section == null)`
`118`	`125`	`{`
`119`		`- return null;`
	`126`	`+ return false;`
`120`	`127`	`}`
`121`	`128`
`122`	`129`	`if (section.Category == SectionCategory.CODE) // If the section contains code, it should be a function pointer.`
`123`	`130`	`{`
`124`		`- return new FunctionPtrNode();`
	`131`	`+ node = new FunctionPtrNode();`
	`132`	`+`
	`133`	`+ return true;`
`125`	`134`	`}`
`126`	`135`	`if (section.Category == SectionCategory.DATA \|\| section.Category == SectionCategory.HEAP) // If the section contains data, it is at least a pointer to a class or something.`
`127`	`136`	`{`
`128`	`137`	`// Check if it is a vtable. Check if the first 3 values are pointers to a code section.`
`129`		`- var possibleVmt = memory.Process.ReadRemoteObject<ThreePointersData>(address);`
`130`		`- if (memory.Process.GetSectionToPointer(possibleVmt.Pointer1)?.Category == SectionCategory.CODE`
`131`		`- && memory.Process.GetSectionToPointer(possibleVmt.Pointer2)?.Category == SectionCategory.CODE`
`132`		`- && memory.Process.GetSectionToPointer(possibleVmt.Pointer3)?.Category == SectionCategory.CODE)`
	`138`	`+ var possibleVmt = process.ReadRemoteObject<ThreePointersData>(address);`
	`139`	`+ if (process.GetSectionToPointer(possibleVmt.Pointer1)?.Category == SectionCategory.CODE`
	`140`	`+ && process.GetSectionToPointer(possibleVmt.Pointer2)?.Category == SectionCategory.CODE`
	`141`	`+ && process.GetSectionToPointer(possibleVmt.Pointer3)?.Category == SectionCategory.CODE)`
`133`	`142`	`{`
`134`		`- return new VirtualMethodTableNode();`
	`143`	`+ node = new VirtualMethodTableNode();`
	`144`	`+`
	`145`	`+ return true;`
`135`	`146`	`}`
`136`	`147`
`137`	`148`	`// Check if it is a string.`
`138`		`- var data = memory.Process.ReadRemoteMemory(address, IntPtr.Size * 2);`
	`149`	`+ var data = process.ReadRemoteMemory(address, IntPtr.Size * 2);`
`139`	`150`	`if (data.Take(IntPtr.Size).InterpretAsUtf8().IsLikelyPrintableData() >= 07.5f)`
`140`	`151`	`{`
`141`		`- return new Utf8TextPtrNode();`
	`152`	`+ node = new Utf8TextPtrNode();`
	`153`	`+`
	`154`	`+ return true;`
`142`	`155`	`}`
`143`	`156`	`if (data.InterpretAsUtf16().IsLikelyPrintableData() >= 0.75f)`
`144`	`157`	`{`
`145`		`- return new Utf16TextPtrNode();`
	`158`	`+ node = new Utf16TextPtrNode();`
	`159`	`+`
	`160`	`+ return true;`
`146`	`161`	`}`
`147`	`162`
`148`	`163`	`// Now it could be a pointer to something else but we can't tell. :(`
`149`		`- return new PointerNode();`
	`164`	`+ node = new PointerNode();`
	`165`	`+`
	`166`	`+ return true;`
`150`	`167`	`}`
`151`	`168`
`152`		`- return null;`
	`169`	`+ return false;`
`153`	`170`	`}`
`154`	`171`	`}`
`155`	`172`	`}`