program signaturescanner;
{$APPTYPE CONSOLE}
uses
Windows, SysUtils, TlHelp32;
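var
  // Process id of the target located by GetPID; 0 means no match was found.
  m_pID: integer;
  // Handle returned by OpenProcess for the target process.
  m_hProc: THandle;
  // Module entry returned by GetModuleInfo for the target process.
  module: TModuleEntry32;
  // Address returned by ScanSignature; 0 means the pattern was not found.
  m_Sign: integer;

const
  // Executable name that GetPID compares against each process entry.
  // The literal was split across two lines in this listing; a Pascal string
  // literal cannot contain a line break, so it is restored to a single line.
  procName = 'D3D9Test.exe';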
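// Walks a Toolhelp process snapshot and stores the id of the first process
// whose executable name equals procName in the global m_pID. m_pID is left at
// 0 when no process matches or the snapshot cannot be created.
//
// NOTE(review): an executable name is not an identity. Several processes can
// carry the same name, and only the first one listed is selected here.
procedure GetPID;
var
  snapshot: THandle;
  pInfo: PROCESSENTRY32;
begin
  m_pID := 0;
  snapshot := CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
  // A failed snapshot yields INVALID_HANDLE_VALUE, which must be neither
  // enumerated nor passed to CloseHandle.
  if snapshot = INVALID_HANDLE_VALUE then
    exit;
  try
    pInfo.dwSize := sizeof(PROCESSENTRY32);
    if Process32First(snapshot, pInfo) then
      repeat
        // repeat..until also tests the entry returned by Process32First; a
        // while loop on Process32Next would skip it.
        // File names on Windows are case-insensitive, hence SameText.
        if SameText(pInfo.szExeFile, procName) then
        begin
          m_pID := pInfo.th32ProcessID;
          break;
        end;
      until not Process32Next(snapshot, pInfo);
  finally
    // Single release point for the snapshot handle on every path.
    CloseHandle(snapshot);
  end;
end;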
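// Returns the module entry of a module loaded in process m_pID.
//
//   module_name  - file name of the wanted module, compared case-insensitively;
//                  ignored when main_process is true and may then be nil.
//   main_process - when true, the first module of the snapshot is returned
//                  (this program treats that entry as the main executable).
//
// The result is zero-filled (modBaseAddr = nil, modBaseSize = 0) when the
// snapshot cannot be created, the process has no module entries, or no module
// has the requested name, so the caller can tell failure from success.
function GetModuleInfo(
  const module_name: PChar; main_process: boolean): TModuleEntry32;
var
  snapshot: THandle;
  entry: TModuleEntry32;
begin
  FillChar(result, sizeof(result), 0);
  snapshot := CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, m_pID);
  if snapshot = INVALID_HANDLE_VALUE then
    exit;
  try
    entry.dwSize := sizeof(TModuleEntry32);
    if not Module32First(snapshot, entry) then
      exit;
    if main_process then
    begin
      // Return immediately: continuing the walk after a hit would keep using
      // the snapshot and overwrite the entry that was found.
      result := entry;
      exit;
    end;
    // Without a name there is nothing to compare against.
    if module_name = nil then
      exit;
    repeat
      // repeat..until includes the first entry in the name comparison.
      if StrIComp(PChar(ExtractFileName(entry.szModule)), module_name) = 0 then
      begin
        result := entry;
        exit;
      end;
    until not Module32Next(snapshot, entry);
  finally
    // Runs on every exit above, so the snapshot is closed exactly once.
    CloseHandle(snapshot);
  end;
end;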
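// Compares the bytes at data with the pattern bytes at sign under mask.
//
// mask is a zero-terminated string with one character per pattern byte:
// 'x' means the byte must be equal, any other character is a wildcard.
// Returns true when every 'x' position matches (an empty mask matches), and
// false on the first mismatch or when any of the three pointers is nil.
//
// There is no bounds checking here: the caller must guarantee that data and
// sign each have at least as many readable bytes as mask has characters.
function DataCompare(data: PByte; sign: PByte; mask: PAnsiChar): boolean;
begin
  result := false;
  if (data = nil) or (sign = nil) or (mask = nil) then
    exit;
  while mask^ <> #0 do
  begin
    // The 'x' literal was split across two lines in this listing; a character
    // literal cannot contain a line break.
    if (mask^ = 'x') and (data^ <> sign^) then
      exit;
    inc(mask);
    inc(data);
    inc(sign);
  end;
  result := true;
end;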
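// Searches the address range [base, base + size) of the process behind the
// global handle m_hProc for the byte pattern sign/mask (see DataCompare for
// the mask format).
//
// Returns the address of the first match, or 0 when nothing matches, when
// sign or mask is nil, or when mask is empty. The address is returned as a
// 32-bit integer, so this code assumes a 32-bit target.
//
// Limitation: each memory region is searched on its own, so a pattern that
// straddles two regions is not found.
function ScanSignature(base: Dword; size: Dword; sign: PByte; mask: PAnsiChar): integer;
var
  mbi: MEMORY_BASIC_INFORMATION;
  offset: Dword;
  cursor: Dword;
  span: Dword;
  chunk: Dword;
  maskLen: Dword;
  buffer: PByte;
  BytesRead: Dword;
  i: Dword;
begin
  result := 0;
  if (sign = nil) or (mask = nil) then
    exit;
  maskLen := StrLen(mask);
  if maskLen = 0 then
    exit;

  offset := 0;
  while offset < size do
  begin
    cursor := base + offset;
    // A failed query leaves mbi undefined; stop instead of iterating on stale
    // or zero region sizes, which could loop forever.
    if VirtualQueryEx(m_hProc, Pointer(cursor), mbi, sizeof(mbi)) = 0 then
      break;
    // Bytes from cursor to the end of the region that VirtualQueryEx described.
    span := Dword(mbi.BaseAddress) + mbi.RegionSize - cursor;
    if span = 0 then
      break;
    // Never read past the end of the range the caller asked for.
    chunk := span;
    if chunk > size - offset then
      chunk := size - offset;

    // Only committed pages hold data; reserved, no-access and guard pages are
    // skipped rather than compared against an unfilled buffer.
    if (mbi.State = MEM_COMMIT)
      and ((mbi.Protect and (PAGE_NOACCESS or PAGE_GUARD)) = 0)
      and (chunk >= maskLen) then
    begin
      GetMem(buffer, chunk);
      try
        // Compare only bytes that were actually copied, and stop maskLen bytes
        // before the end so DataCompare never reads beyond the buffer.
        if ReadProcessMemory(m_hProc, Pointer(cursor), buffer, chunk, BytesRead)
          and (BytesRead >= maskLen) then
          for i := 0 to BytesRead - maskLen do
            if DataCompare(buffer + i, sign, mask) then
            begin
              result := integer(cursor + i);
              exit;
            end;
      finally
        // Also runs on the early exit above, so the buffer is always released.
        FreeMem(buffer);
      end;
    end;

    // Advance to the next region without letting offset wrap around.
    if span >= size - offset then
      break;
    inc(offset, span);
  end;
end;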
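const
  // Pattern bytes. Positions marked '?' in Mask are wildcards, so the $00
  // placeholders at those positions are never compared.
  Sign: array [0 .. 22] of byte = (
    $68, $00, $00, $00, $00,
    $68, $00, $00, $00, $00,
    $68, $00, $00, $00, $00,
    $FF, $15, $00, $00, $00, $00,
    $6A, $20);
  // One character per byte of Sign: 'x' = must match, '?' = wildcard.
  // The literal was split across two lines in this listing and is restored to
  // a single line; its 23 characters line up with the 23 bytes of Sign.
  Mask = 'x????x????x????xx????xx';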
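// Program entry: locate the process named procName, take its first module as
// the scan range, search that range for Sign/Mask and print the findings.
begin
  GetPID();
  if (m_pID <> 0) then
  begin
    module := GetModuleInfo(nil, true);
    // Least privilege: VirtualQueryEx needs PROCESS_QUERY_INFORMATION and
    // ReadProcessMemory needs PROCESS_VM_READ; PROCESS_ALL_ACCESS would also
    // grant write, thread-creation and terminate rights the scan never uses.
    m_hProc := OpenProcess(PROCESS_QUERY_INFORMATION or PROCESS_VM_READ, false, m_pID);
    if m_hProc <> 0 then
    begin
      try
        m_Sign := ScanSignature(Dword(module.modBaseAddr), module.modBaseSize, @Sign, Mask);
        writeln('*************************************************************');
        writeln('* Signature Scanner for Delphi *');
        writeln('* Special for Cheat[ON].ru by ArxLex *');
        writeln('*************************************************************'+#10#13#10#13);
        writeln('Handle Process: $', inttohex(m_hProc, sizeof(m_hProc)));
        writeln('Pid: $', inttohex(m_pID, sizeof(m_pID)));
        writeln('Process Base Address: $', inttohex(integer(module.modBaseAddr), sizeof(module.modBaseAddr)));
        writeln('Process Base Size: $', inttohex(module.modBaseSize, sizeof(module.modBaseSize)));
        // A signature address of 0 means the pattern was not found.
        writeln('Signature Address: $', inttohex(m_Sign, sizeof(m_Sign)));
        readln;
      finally
        CloseHandle(m_hProc);
      end;
    end
    else
      // OpenProcess returns 0 on failure; report it instead of scanning with
      // an invalid handle.
      writeln('OpenProcess failed, error ', GetLastError);
  end
  else
    writeln('Process not found: ', procName);
end.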