using "9eA8" in pattern_offset.rb does not work

[bellascalzi1]

Firstly I'd like to say I just went through your tutorial and I thought it was great! Thanks so much for creating it :)

I just want to point out a small issue that I found when running pattern_offset.rb to find the offset that overwrites the saved return pointer. If I use pattern_offset.rb with the raw address, ie

./pattern_offset.rb -q 39654138

Then I get the expected value of 146, but if I use the hexadecimal value that is mentioned in the tutorial (9eA8) ie:

./pattern_offset.rb -q 9eA8

I get this output:

[*] No exact matches, looking for likely candidates...

Interestingly if I reverse the order of the bytes, ie:

./pattern_offset.rb -q 8Ae9

I get the correct offset.

I assume this happens due to endian-ness shenanigans, (or possibly the way pattern_create.rb works has been changed since the tutorial was written) but it would be cool if the tutorial was updated with the correct value :) I am happy to create a PR to fix this if you would like

[justinsteven]

Thanks for the report @bellascalzi1 ! Nice catch. I'd like to understand more about how I made that mistake - did pattern_create.rb change over the years? I just haven't had time to dig into it, and I shouldn't keep letting that get in the way of this being fixed 😪

Yes, can you please submit a PR. If you have it in you to rebuild the PDF, please do, just make sure there's only one copy in the commits you propose. I wish I hadn't burned the PDF builds into the repo itself, and had used GitHub Releases to publish it, but alas... At this stage the best we can do is keep the repo size as trim as possible by avoiding unnecessary builds of the PDF.

Thanks again!