Signatures - What Are They and How Can They Be Changed

[WasserEsser]

Figured i'd post it here aswell inb4 someone copies it.

"What is a "Signature?"

A signature is a permutation which the compiler generates out of your code.

It's the actual code which gets compiled out of your code.

Different code = different Signature.

What exactly does the "different code" mean?

Signature is what the compiler generates.

Here is some code:



Once the compiler compiles this, it will get this signature starting at the highlighted position:



If you look at the decompiler, it will get decompiled into the following code:

The compiler has optimized it and compares the other way around by comparing SomeParameter <= 15 instead of SomeParameter > 15.



These are the op codes for this function:





Now let's change the code a little bit by removing the else statement since it's not necessary and see what it gets compiled and decompiled to:



Decompiled:



It's the same decompiled code.

Now look at the signature:



It's the same except for these parts:



Op codes of this function:





If we take a look at both now we can see that those aren't the exact same as they are compiled differently. If VAC would search for the first part of this function it would trigger, however if it would search for the whole function it wouldn't trigger.

Now let's change the code.

Instead of checking if SomeParameter is > 15 and returning SomeParameter + 15 and else SomeParameter - 15 it's now switched up.

If SomeParameter is <= 15 then we return SomeParameter - 15 and else SomeParameter + 15.

It has the same purpose but it's switched the other way around.



Now let's see how the decompiled code looks like:



Let's take a look at the signature:



Op codes:





Difference:



The signature gets generated by the compiler.

Change the way a function works, and you get a different signature.

This is obviously a small example and a very small function, as functions get bigger and bigger and wrap eachother those changes are much larger.

[_haffy]

I got asked about changing signature on runtime recently actually:

Haffy: Just allocate a bunch of bytes where you want to insert your junk code (random nop instructions or whatever), then just remove memory protection on them and write random data over it. And you can just place a jmp instruction before your junk code so you just jump over it

[Orinion77]

You changed the function of the code tho...
you should check for <= if you switch statements.

[WasserEsser]

You changed the function of the code tho...
you should check for <= if you switch statements.

I knew this would come up

Yes, i didn't exactly switch the statement.

Edit: Changes as i remade the screenshots.

- - - Updated - - -

I got asked about changing signature on runtime recently actually:

Haffy: Just allocate a bunch of bytes where you want to insert your junk code (random nop instructions or whatever), then just remove memory protection on them and write random data over it. And you can just place a jmp instruction before your junk code so you just jump over it

This could, but does not mean it will work.

It always depends on what patterns VAC is gathering.

They could use part of it, they could use wildcards etc.

[Smoke]

Awesome tutorial/guide.

/Stickied.

[_haffy]

I knew this would come up

Yes, i didn't exactly switch the statement.

- - - Updated - - -



This could, but does not mean it will work.

It always depends on what patterns VAC is gathering.

They could use part of it, they could use wildcards etc.

I'm not saying that changing your code's signature is even useful but rather was just answering potention questions.

[bazzz_1512]

Thanks! Really helpfull

[Delision]

Really nice job explaining it. I came into this thread knowing almost nothing about signatures or how they work, and you made it really easy to understand. Well done!

[manuelsantos92]

+rep ! nice tutorial

[skyoo200]

I'm a rookie. I can't understand it at all, but thank you all the same.