How To Find Patterns Signatures

**darlwis** · 04-14-2012

Hello,
I want to know if 1 of u could help me finding Patterns Signatures,i want to make a auto update hack.
Please,help me

.
Regards,

EDIT: I Find Signatures,But i cant get it working,Some Help?

Code:

#include <windows.h>
DWORD FindPattern(DWORD dwAddress,DWORD dwLen,BYTE *bMask,char * szMask); //On Globals
#define Ptr 0xAAC3D0
bool reload = true;

void Base()
{
	DWORD CShell = *(DWORD*)GetModuleHandleA("CShell");
    DWORD NoReload = (FindPattern((DWORD)GetModuleHandleA("CShell.dll"), 0xFFFF, (PBYTE)"\xD9\x98\xA4\x26\x00\x00"    ,"xxxx??"));
	DWORD pWeaponMgr = *(DWORD*)(CShell + Ptr);

	if(reload)
	{
		if (pWeaponMgr)
		{
			for(int i=0; i<601; i++)
			{
				DWORD pWeapon = *(DWORD*)(pWeaponMgr+4*i);
				if(pWeapon != NULL)
					*(float*)((*(DWORD*)((*(DWORD*)(CShell+Ptr))+(4*i))) + NoReload) = 100;	     
			}
		}
	 }
}

bool bCompare(const BYTE* pData, const BYTE* bMask, const char* szMask)
{
	for(;*szMask;++szMask,++pData,++bMask)
		if(*szMask=='x' && *pData!=*bMask)  
			return 0;
	return (*szMask) == NULL;
}

DWORD FindPattern(DWORD dwAddress,DWORD dwLen,BYTE *bMask,char * szMask)
{
	for(DWORD i=0; i<dwLen; i++)
		if (bCompare((BYTE*)(dwAddress+i),bMask,szMask))  
			return (DWORD)(dwAddress+i);
	return 0;
}

-iFaDy..* · 04-14-2012

Really Dunno Maybe u Should Ask @~FALLEN~ or @giniyat101 ?

**giniyat101** · 04-14-2012

you search first 0xFFFF bytes only.. try increasing to 0x20000 or something
EDIT: you are searching a pattern including the offset 0x26A4 itself, the fuck?

**darlwis** · 04-14-2012

So:

Code:

DWORD NoReload = (FindPattern((DWORD)GetModuleHandleA("CShell.dll"), 0x20000, (PBYTE)"\xD9\x98\xA4\x26\x00\x00","xxxx??"));

??
@giniyat101
I Will Test it.

**Genkidesu** · 04-14-2012

@darlwis
I believe findpattern is detected... i suggest u to learn anti-cheat bypass (xtrap) & disable it.

Try this, but i'm not sure it will work like said above.

Code:

#include <windows.h>
#define WeaponMgr 0xAAC3D0

BYTE NoReloadArray[] =
{
        0xD9, 0x98, 0xA4, 0x26, 0x00, 0x00    
};

void Base()
{
      DWORD pNoReload;

      DWORD CShell = NULL;
      do
      {
	      CShell = (DWORD)GetModuleHandleA("CShell.dll");
      } while (!CShell);

      pNoReload = FindPattern(CShell, 0xFFFF, NoReloadArray,"xxxx??");

      While(1)
      {
            DWORD NoReload = *(DWORD*)(CShell + WeaponMgr);
            if(NoReload)
            {
                  for(int i=0; i<601; i++)
		  {
		        DWORD Weapon = *(DWORD*)(NoReload+4*i);
			if(Weapon != NULL)
			      *(float*)((*(DWORD*)((*(DWORD*)(CShell+WeaponMgr))+(4*i))) + pNoReload ) = 100;	
	          }
            }
      }
}

edit: ops.. small mistake cause i c+p your noreload's codes to this post without check it first.

**darlwis** · 04-14-2012

Originally Posted by Genkidesu

@darlwis
I believe findpattern is detected... i suggest u to learn anti-cheat bypass (xtrap) & disable it.

Try this, but i'm not sure it will work like said above.

Code:

#include <windows.h>
#define WeaponMgr 0xAAC3D0

BYTE NoReloadArray[] =
{
        0xD9, 0x98, 0xA4, 0x26, 0x00, 0x00    
};

void Base()
{
      DWORD pNoReload;

      DWORD CShell = NULL;
      do
      {
	      CShell = (DWORD)GetModuleHandleA("CShell.dll");
      } while (!CShell);

      pNoReload = FindPattern(CShell, 0xFFFF, NoReloadArray,"xxxx??");

      While(1)
      {
            DWORD NoReload = *(DWORD*)(CShell + WeaponMgr);
            if(NoReload)
            {
                  for(int i=0; i<601; i++)
		  {
		        DWORD Weapon = *(DWORD*)(NoReload+4*i);
			if(Weapon != NULL)
			      *(float*)((*(DWORD*)((*(DWORD*)(CShell+WeaponMgr))+(4*i))) + pNoReload ) = 100;	
	          }
            }
      }
}

edit: ops.. small mistake cause i c+p your noreload's codes to this post without check it first.

Hey,I Get Client MFC not working.
In Windows Vista 32 Bits.
Any Help?

Edit: No Work.

**derh.acker** · 04-15-2012

Try putting Sleep(10); after GetModuleHandleA("CShell.dll"); .
You didn't conside that CShell uses Themida and it takes time until it is unpacked.
Put the FindPattern into a loop which ends when the pattern is found with Sleep(10); at the end.

FindPattern isn't detected, there is something else XTrap detects. It is easy to find out what.

Maybe you should search for the string, then for the PUSH and search the pattern because this opcode could also be before the opcode for setting the reload time in CShell and then you got the wrong one. The region should begin after the PUSH.

**darlwis** · 04-15-2012

Originally Posted by derh.acker

Try putting Sleep(10); after GetModuleHandleA("CShell.dll"); .
You didn't conside that CShell uses Themida and it takes time until it is unpacked.
Put the FindPattern into a loop which ends when the pattern is found with Sleep(10); at the end.

FindPattern isn't detected, there is something else XTrap detects. It is easy to find out what.

Maybe you should search for the string, then for the PUSH and search the pattern because this opcode could also be before the opcode for setting the reload time in CShell and then you got the wrong one. The region should begin after the PUSH.

Yes,I was thinking how the patterns get the address if the normal CShell is Packed.
Then i think,if i rename my unpack CShell it will get it?
But,Then i think if a patch surge i have to unpack it again and there is no auto update then.

Look This:

Code:

1013E778   68 6C083010      PUSH _CShell.1030086C                    ; ASCII "ReloadAnimRatio"
1013E77D   D998 A4260000//Here are the Signatures for ---> FSTP DWORD PTR DS:[EAX+26A4]
1013E783   55               PUSH EBP

Then My Code is:

Code:

void Base()
{
      DWORD CShell;
	  while(!(CShell = (DWORD)GetModuleHandle(L"CShell.dll")))
	  Sleep(10);
	  DWORD pWeaponMgr = *(DWORD*)(CShell + WeaponMgr);
      DWORD pReload = (FindPattern((DWORD)GetModuleHandle(L"CShell.dll"), 0x20000, (PBYTE)"\xD9\x98\xA4\x26\x00\x00","xxxx??"));
	  Sleep(10);
      if(NoReload)
      {
	  if(pWeaponMgr)
	  {
      for(int i=0; i<601; i++)
	  {
	  DWORD Weapon = *(DWORD*)(pWeaponMgr+4*i);
	  if(Weapon != NULL)
	  *(float*)(Weapon + pReload) = 35;	
	  }
      }
      }
}

But when i do GetModuleHandleA i Get Xtrap,But when i use a Extern _stdcall like:
GetModuleHandle(L"CShell"); No problem with XTrap.

Too i have to Define on Globals:

Code:

//Globals
DWORD FindPattern(DWORD dwAddress,DWORD dwLen,BYTE *bMask,char * szMask);
bool bCompare(const BYTE* pData, const BYTE* bMask, const char* szMask);

To get no errors when i debug it.
Regards,

Edit:
I Get the Patterns work but i give me a super lag,
Look my source:

Code:

#include "stdafx.h"
#include <windows.h>
#include <stdio.h>
#include "Pattern.h"
#define Ptr 0xAAC3D0
#define NoRecoil1	 0x051C
#define NoRecoil2	 0x0684
#define NoRecoil3	 0x1938
#define NoRecoil4	 0x1B14
#define NoRecoil5	 0x1FA0
#define NoRecoil6	 0x2108
#define NoRecoil7    0x2270
#define NoRecoil8    0x2790
bool reload = true;
bool NoRecoil = true;
void Base()
{
dwStartAddress = 0x400000;
do {
dwStartAddress = (DWORD)GetModuleHandle(L"CShell.dll");
Sleep(10);
}
while(!dwStartAddress);

dwSize = 0x500000;
DWORD CShell = (DWORD)GetModuleHandleW(L"CShell.dll");
DWORD pWeaponMgr = *(DWORD*)(CShell + Ptr);
DWORD FastAmmo = FindPattern((PBYTE)"\xD9\x98\xA4\x26\x00\x00","xxxx??",2,true);

 if(NoRecoil) 
		{
			if (pWeaponMgr) 
			{
				for(int i=0; i<601; i++) 
				{
					if((*(DWORD*)((*(DWORD*)(CShell+Ptr))+(4*i)) ) != NULL) 
					{
						DWORD pNoRecoil = *(DWORD*)(pWeaponMgr + (4*i));
						for(int y=0; y<9; y++)
						{
							if(pNoRecoil) 
							{
								*(float*)(pNoRecoil + (NoRecoil1 + (4*y))) = 0.0f;
								*(float*)(pNoRecoil + (NoRecoil2 + (4*y))) = 0.0f;
								*(float*)(pNoRecoil + (NoRecoil3 + (4*y))) = 0.0f;
								*(float*)(pNoRecoil + (NoRecoil4 + (4*y))) = 0.0f;
								*(float*)(pNoRecoil + (NoRecoil5 + (4*y))) = 0.0f;
								*(float*)(pNoRecoil + (NoRecoil6 + (4*y))) = 0.0f;
								*(float*)(pNoRecoil + (NoRecoil7 + (4*y))) = 0.0f;
							}
						}
					}
				}
			}
		}

if(reload)
	{
		if (pWeaponMgr)
		{
			for(int i=0; i<601; i++)
			{
				DWORD pWeapon = *(DWORD*)(pWeaponMgr+4*i);
				if(pWeapon != NULL)
					*(float*)((*(DWORD*)((*(DWORD*)(CShell+Ptr))+(4*i))) + FastAmmo) = 100;	     
			}
		}
	 }
}

int Wait()
{
Base();
return true;
}


BOOL WINAPI DllMain(HMODULE hDll, DWORD dwReason, LPVOID lpReserved)
{
	if (dwReason == DLL_PROCESS_ATTACH)
	{
		DisableThreadLibraryCalls(hDll); 
		SetTimer(0,99,80,(TIMERPROC)Base);
	}
	return TRUE;
}

**derh.acker** · 04-16-2012

Originally Posted by darlwis

Yes,I was thinking how the patterns get the address if the normal CShell is Packed.
Then i think,if i rename my unpack CShell it will get it?
But,Then i think if a patch surge i have to unpack it again and there is no auto update then.

Look This:

Code:

1013E778   68 6C083010      PUSH _CShell.1030086C                    ; ASCII "ReloadAnimRatio"
1013E77D   D998 A4260000//Here are the Signatures for ---> FSTP DWORD PTR DS:[EAX+26A4]
1013E783   55               PUSH EBP

Then My Code is:

Code:

void Base()
{
      DWORD CShell;
	  while(!(CShell = (DWORD)GetModuleHandle(L"CShell.dll")))
	  Sleep(10);
	  DWORD pWeaponMgr = *(DWORD*)(CShell + WeaponMgr);
      DWORD pReload = (FindPattern((DWORD)GetModuleHandle(L"CShell.dll"), 0x20000, (PBYTE)"\xD9\x98\xA4\x26\x00\x00","xxxx??"));
	  Sleep(10);
      if(NoReload)
      {
	  if(pWeaponMgr)
	  {
      for(int i=0; i<601; i++)
	  {
	  DWORD Weapon = *(DWORD*)(pWeaponMgr+4*i);
	  if(Weapon != NULL)
	  *(float*)(Weapon + pReload) = 35;	
	  }
      }
      }
}

But when i do GetModuleHandleA i Get Xtrap,But when i use a Extern _stdcall like:
GetModuleHandle(L"CShell"); No problem with XTrap.

Too i have to Define on Globals:

Code:

//Globals
DWORD FindPattern(DWORD dwAddress,DWORD dwLen,BYTE *bMask,char * szMask);
bool bCompare(const BYTE* pData, const BYTE* bMask, const char* szMask);

To get no errors when i debug it.
Regards,

Edit:
I Get the Patterns work but i give me a super lag,
Look my source:

Code:

#include "stdafx.h"
#include <windows.h>
#include <stdio.h>
#include "Pattern.h"
#define Ptr 0xAAC3D0
#define NoRecoil1	 0x051C
#define NoRecoil2	 0x0684
#define NoRecoil3	 0x1938
#define NoRecoil4	 0x1B14
#define NoRecoil5	 0x1FA0
#define NoRecoil6	 0x2108
#define NoRecoil7    0x2270
#define NoRecoil8    0x2790
bool reload = true;
bool NoRecoil = true;
void Base()
{
dwStartAddress = 0x400000;
do {
dwStartAddress = (DWORD)GetModuleHandle(L"CShell.dll");
Sleep(10);
}
while(!dwStartAddress);

dwSize = 0x500000;
DWORD CShell = (DWORD)GetModuleHandleW(L"CShell.dll");
DWORD pWeaponMgr = *(DWORD*)(CShell + Ptr);
DWORD FastAmmo = FindPattern((PBYTE)"\xD9\x98\xA4\x26\x00\x00","xxxx??",2,true);

 if(NoRecoil) 
		{
			if (pWeaponMgr) 
			{
				for(int i=0; i<601; i++) 
				{
					if((*(DWORD*)((*(DWORD*)(CShell+Ptr))+(4*i)) ) != NULL) 
					{
						DWORD pNoRecoil = *(DWORD*)(pWeaponMgr + (4*i));
						for(int y=0; y<9; y++)
						{
							if(pNoRecoil) 
							{
								*(float*)(pNoRecoil + (NoRecoil1 + (4*y))) = 0.0f;
								*(float*)(pNoRecoil + (NoRecoil2 + (4*y))) = 0.0f;
								*(float*)(pNoRecoil + (NoRecoil3 + (4*y))) = 0.0f;
								*(float*)(pNoRecoil + (NoRecoil4 + (4*y))) = 0.0f;
								*(float*)(pNoRecoil + (NoRecoil5 + (4*y))) = 0.0f;
								*(float*)(pNoRecoil + (NoRecoil6 + (4*y))) = 0.0f;
								*(float*)(pNoRecoil + (NoRecoil7 + (4*y))) = 0.0f;
							}
						}
					}
				}
			}
		}

if(reload)
	{
		if (pWeaponMgr)
		{
			for(int i=0; i<601; i++)
			{
				DWORD pWeapon = *(DWORD*)(pWeaponMgr+4*i);
				if(pWeapon != NULL)
					*(float*)((*(DWORD*)((*(DWORD*)(CShell+Ptr))+(4*i))) + FastAmmo) = 100;	     
			}
		}
	 }
}

int Wait()
{
Base();
return true;
}


BOOL WINAPI DllMain(HMODULE hDll, DWORD dwReason, LPVOID lpReserved)
{
	if (dwReason == DLL_PROCESS_ATTACH)
	{
		DisableThreadLibraryCalls(hDll); 
		SetTimer(0,99,80,(TIMERPROC)Base);
	}
	return TRUE;
}

Because you are repeating everything you don't have to repeat.

**darlwis** · 04-16-2012

Originally Posted by derh.acker

Because you are repeating everything you don't have to repeat.

I only see that i repeat severals time the CShell only then,
I think is de dwSize and dwstartaddress.

**OMFGDUDE** · 04-17-2012

Originally Posted by darlwis

Code:

#include "stdafx.h"
#include <windows.h>
#include <stdio.h>
#include "Pattern.h"
#define Ptr 0xAAC3D0
#define NoRecoil1	 0x051C
#define NoRecoil2	 0x0684
#define NoRecoil3	 0x1938
#define NoRecoil4	 0x1B14
#define NoRecoil5	 0x1FA0
#define NoRecoil6	 0x2108
#define NoRecoil7    0x2270
#define NoRecoil8    0x2790
bool reload = true;
bool NoRecoil = true;
void Base()
{
dwStartAddress = 0x400000;
do {
dwStartAddress = (DWORD)GetModuleHandle(L"CShell.dll");
Sleep(10);
}
while(!dwStartAddress);

dwSize = 0x500000;
DWORD CShell = (DWORD)GetModuleHandleW(L"CShell.dll");
DWORD pWeaponMgr = *(DWORD*)(CShell + Ptr);
DWORD FastAmmo = FindPattern((PBYTE)"\xD9\x98\xA4\x26\x00\x00","xxxx??",2,true);

 if(NoRecoil) 
		{
			if (pWeaponMgr) 
			{
				for(int i=0; i<601; i++) 
				{
					if((*(DWORD*)((*(DWORD*)(CShell+Ptr))+(4*i)) ) != NULL) 
					{
						DWORD pNoRecoil = *(DWORD*)(pWeaponMgr + (4*i));
						for(int y=0; y<9; y++)
						{
							if(pNoRecoil) 
							{
								*(float*)(pNoRecoil + (NoRecoil1 + (4*y))) = 0.0f;
								*(float*)(pNoRecoil + (NoRecoil2 + (4*y))) = 0.0f;
								*(float*)(pNoRecoil + (NoRecoil3 + (4*y))) = 0.0f;
								*(float*)(pNoRecoil + (NoRecoil4 + (4*y))) = 0.0f;
								*(float*)(pNoRecoil + (NoRecoil5 + (4*y))) = 0.0f;
								*(float*)(pNoRecoil + (NoRecoil6 + (4*y))) = 0.0f;
								*(float*)(pNoRecoil + (NoRecoil7 + (4*y))) = 0.0f;
							}
						}
					}
				}
			}
		}

if(reload)
	{
		if (pWeaponMgr)
		{
			for(int i=0; i<601; i++)
			{
				DWORD pWeapon = *(DWORD*)(pWeaponMgr+4*i);
				if(pWeapon != NULL)
					*(float*)((*(DWORD*)((*(DWORD*)(CShell+Ptr))+(4*i))) + FastAmmo) = 100;	     
			}
		}
	 }
}

int Wait()
{
Base();
return true;
}


BOOL WINAPI DllMain(HMODULE hDll, DWORD dwReason, LPVOID lpReserved)
{
	if (dwReason == DLL_PROCESS_ATTACH)
	{
		DisableThreadLibraryCalls(hDll); 
		SetTimer(0,99,80,(TIMERPROC)Base);
	}
	return TRUE;
}

Thank you very much for source, this way works fine for me, but this is not works with pointers, so we need to update it manually every time

. Or maybe some 1 here have a solution?

Help, guys, plz plz plz.

**darlwis** · 04-17-2012

Originally Posted by OMFGDUDE

Thank you very much for source, this way works fine for me, but this is not works with pointers, so we need to update it manually every time

. Or maybe some 1 here have a solution?

Help, guys, plz plz plz.

No FPS drops?

**OMFGDUDE** · 04-17-2012

Originally Posted by darlwis

No FPS drops?

Works great! I have a WinXP SP3. Idk why you lags, srry

. Thanx for code again.

**darlwis** · 04-17-2012

Yes,i note it,is my pc problem,
Can some body same a way to get them works with a Slow PC?

**Genkidesu** · 04-17-2012

finally i got the findpattern working but my codes a bit different from @darlwis, took me almost 3 hours to figure it out my mistakes... @derh.acker you're right about it, it's not detected.

@darlwis this signature once cf updates, it wont work anymore (if the offset not changed).

Code:

\xD9\x98\xA4\x26\x00\x00
xxxx??

here's the signature for noreload:

Code:

0xd65000 
\xD9\x98\x00\x00\x00\x00\x55\xE8\x00\x00\x00\x00\x83\xC4\x08 
xx????xx????xxx

Thread: How To Find Patterns Signatures

Thread Tools

Display

How To Find Patterns Signatures

The Following User Says Thank You to darlwis For This Useful Post:

The Following User Says Thank You to derh.acker For This Useful Post:

The Following User Says Thank You to darlwis For This Useful Post:

The Following User Says Thank You to darlwis For This Useful Post:

The Following User Says Thank You to darlwis For This Useful Post:

The Following User Says Thank You to Genkidesu For This Useful Post:

Similar Threads

How to find signatures?

How to find Recoil and Spread addresses?

How to find GPS address?

[Tutorial]How to find some Hacks

how to find rar pw?