Getting WORKING signatures

Hey guys

Since so many peole are just failing at this, and I hate people posting 1000 threads about updated addies, Im going to show you now how to make WORKING signature scans. This method is well known by some people, but most just c&p, thats why I will not give examples on real addresses.
So for now, lets look at a function in CShell.dll:

As you can see, here is much empty, not initialized memory. The game will intialize it later, but we dont want to wait for this.
So, lets do 2 simple things:

1. Search for static pointers
You simply rightclick anywhere in the CPU window, and click search for -> All constants.
Enter your address above and press ok, Olly will list you some pointers using this address.

2. Search for All references
If the first method fails, just try it with this method.
Mark the address you want to find and press CTRL + R.
Olly will make a list of the adresses using this address as parameter.

If you have a list, you need to look for some things:

Code:

372EDDE9   |.  8B15 F8FB8237      MOV EDX,DWORD PTR DS:[3782FBF8]

This line is good. Our address is moved into a register. Now you need this table:

Code:

EAX - 0x1
ECX - 0x2
EDX - 0x3
EBX - 0x4
ESP - 0x5
EBP - 0x6
ESI - 0x7
EDI - 0x8

As we can see, the register is clearly EDX which means an offset of 0x3!
Now we will make the signature. Make a signaturescan of the adress which is MOVING your addressinto the register, not the address itself. (Make a sginature from 0x372EDDE9)

And when you logg this address in your hack, simply add the offset and read out the pointer, which is pointing TO OUR ADDRESS WE WANT.

Code:

dwAdrTbl[8] = (DWORD)*(DWORD*)(dwTmp + 0x3);

So, in pseudocode:

Code:

FinalAddress = (DWORD)*(DWORD*)(MOVAddress + RegisterOffset);

I hope you understood all well, give credits, and dont be a noob

CREDITS:
Ch40zz-C0d3r
MattyPatty (used this method earlier)

emptymemory.png

Good thread, hopefully people can stop posting wrong addresses, and for the people who DON'T know how to make sigs in olly, google SigMaker plugin, just a hint.

You were telling me about this before, I got some sense out of it by looking at Gellin's examples.

But this is a greater help, thanks for sharing some of your knowledge

Thanks for the great tutorial, hopefully people post some good pattern scans now and can create working ones!

How about a tutorial for attaching Olly to Combat Arms undetected?

Originally Posted by Avery17

How about a tutorial for attaching Olly to Combat Arms undetected?

I will floot this section with my methods soon, just be patient

Hope my shit gets stickied or something, since its not useless :P

Originally Posted by Avery17

How about a tutorial for attaching Olly to Combat Arms undetected?

I have never attached CA to olly, that's just too much work. Link CShell .dll to Load Lib, google PE Tools, run it and search for the Load Lib program you have. Now just look for cshell.dll and dump! Then you can load it into IDA or Olly, w/e you use. For engine.exe, as soon as you start ca, you must suspend the process then head on over to pe tools look for engine.exe and dump. Hope this helps

Originally Posted by Ch40zz-C0d3r

I will floot this section with my methods soon, just be patient

Hope my shit gets stickied or something, since its not useless :P

Make a bunch of threads like this.
Make one thread which links to all this, plus more, even older things.
That thread gets stickied.

Possibly.

Originally Posted by Flengo

Make a bunch of threads like this.
Make one thread which links to all this, plus more, even older things.
That thread gets stickied.

Possibly.

If he continues to make tutorials, this section will only continue to improve

whats this offset register table?

the line "MOV EDX,DWORD PTR DS:[3782FBF8]"
is taking the bytes at address 3782FBF8 and placing them into EDX register, EDX is a 32bit register which means 4 bytes is place there(aka Dword), could you please explain the "Register Offset" a little better I don't see what this has to do with anything, Maybe I have misunderstood something.

now if you look at 372EDDE9 |. 8B15 F8FB8237 MOV EDX,DWORD PTR DS:[3782FBF8]

for each byte the address is increased by 1

first lets look take the byte values "8B15 F8FB8237" the address 3782FBF8 is in these byte values as little endian.

Take address 372EDDE9 + 2 bytes would land here 8B15 F8FB8237 so it will take byte values from F8(green) and copy the size of a dword( 4 bytes) in the EDX register, This is a 2 byte offset from original address and it has nothing to do with register table offset.

to prove this what if the line said to mov EBX instead of EDX? 372EDDE9 8B1D F8FB8237 MOV EBX,DWORD PTR DS:[3782FBF8]

according to you it would be a 0x4 byte offset(From your "register table") which is incorrect it is still 0x2 bytes offset. So once again it has nothing to with Register table. only when mov EAX is used it will be a 1 byte offset

Code:

Bytes                               Instructions
======================================================
A1 F8FB8237                     MOV EAX,[3782FBF8]
8B0D F8FB8237                   MOV ECX,[3782FBF8]
8B15 F8FB8237                   MOV EDX,[3782FBF8]
8B1D F8FB8237                   MOV EBX,[3782FBF8]
8B25 F8FB8237                   MOV ESP,[3782FBF8]
8B2D F8FB8237                   MOV EBP,[3782FBF8]
8B35 F8FB8237                   MOV ESI,[3782FBF8]
8B3D F8FB8237                   MOV EDI,[3782FBF8]

as you can see for each register it would be 2 byte offset(Except for EAX, 1 byte) to get the value "F8FB8237" which once placed into the register is 3782FBF8 because of little endian.

Unless I have missed something here or misunderstood what you are actually trying to do, I suggest editing your original post with correct information so people don't get confused why there offsets are not working...

I agree with Departure, the "offset register table" is just plain wrong. It just depends on which variant of an assembly instruction is used.

@Departure
can you help me

i cant get the right offset log

Code:

00C8BF06   D958 04          FSTP DWORD PTR DS:[EAX+4]
00C8BF09   83C4 04          ADD ESP,4
00C8BF0C   8B4C24 2C        MOV ECX,DWORD PTR SS:[ESP+2C]

Code:

DWORD FindPattern(DWORD dwAddress,DWORD dwLen,BYTE *bMask,char * szMask)
{
	for(DWORD i=0; i < dwLen; i++)
		if( bCompare( (BYTE*)( dwAddress+i ),bMask,szMask) )
			return (DWORD)(dwAddress+i);
	return 0;
}

Code:

unsigned long DamagePerMeter = FindPattern(dwCShellEntryPoint, dwCShellCodeSize, (PBYTE)Pattern, Mask);

if(DamagePerMeter)
{
DamagePerMeter = *(PDWORD)(DamagePerMeter+0x2);
log("#define DamagePerMeter 0x%X",DamagePerMeter);
}

Log result

Code:

#define DamagePerMeter 			0x4C48304

So you guys wre right, I just learned some ASM now.
So basicly my table posted is bullshit.
Simply do this:

Code:

A1 F8FB8237                     MOV EAX,[3782FBF8]

Notice the space between A1 and the rest?
A1 = 1 byte = 0x1 offset

Code:

8B0D F8FB8237                   MOV ECX,[3782FBF8]

Heres the space after 2 bytes = 0x2 offset

The first bytes are the command itself (MOV EAX, MOV ECX) and the last bytes the address read backwards (C compiler is backwards, PASCAL compiler its forward).
Hope people will use this

Sorry for the shit I posted above :P

@UTAN
What are you trying to do?
I dont see what Address you want.

Getting WORKING signatures

Post a Reply

Similar Threads

Tags for this Thread