How to make byte patterns

Okay many of you may not know how to do this or are just using patterns without knowing how to find them or update them yourself, so I will teach you the process of making a byte pattern.

CharacterHiddenRunAlpha

Okay the first thing you wanna do is load up your debugger and cshell and then navigate to the above string and find the offset.
Great, now how do we make a pattern for it? Simple, we look at the bytes and figure out what changes and make a pattern that can be searched for based off of that!

Now, Look at the bytes next to the disassembly, it reads
The bytes that pertain to this line are 0xD9 0x9C 0x11 0x90 0x00 0x00 0x00 0x00. Hit CTRL + B and type this in

then search. You will land exactly at the address containing the offset, but what is the guarantee that the bytes will always be the same? we don't know exactly, and that's why pattern scanning can be a good thing. let me just lay down a few things here, anytime we see a byte that is likely to change we replace it with a ?? (i'm not using any code so i'm just showing you the binary string scans in ollydbg), also 0x00 is a wildcard also but a trailing null byte and won't be needed for a pattern scan. Everything else is okay to put in your pattern.

Okay, lets start off with the simplest assumption, that only 0x90 will change, so we change the 0x90 to ?? (dont include the ?? since it's trailing)
What happens when you search this? You actually don't land on the exact address, which can be a problem. Most of the time you cant make a unique pattern from that single line, you have to do some tinkering. What should have happened is that you should have landed on the address with the offset for MaxCanDefuseDistance, since many offsets will share similar byte patterns, you must expand on your byte pattern.

MaxCanDefuseDistance looks like this
So what you need to do is take some bytes from both strings and compare them to see where they differ, and that is where you can make a unique pattern. From MaxCanDefuseDistance I took this:
While for CharacterHiddenRunAlpha I took this:
You then had to find out where they differ and here, I did it for you

MaxCanDefuseDistance
CharacterHiddenRunAlpha
Obviously 0x84 and 0x94 are both offsets that you want to edit, so make them wildcards. Also, make all the 0x00's wild cards.

MaxCanDefuseDistance
CharacterHiddenRunAlpha
Now, find the first byte after all the wild cards that they differ in. I also did that for you

CharacterHiddenRunAlpha
Now take away everything after that byte
MaxCanDefuseDistance
CharacterHiddenRunAlpha
you now have 2 working patterns

if you hit CTRL+B and paste and then search, you will land at the address that contains 0x90.

Now you can implement this pattern into your code, but make a note you must add X amount of bytes depending on how far the offset is in the code. In this case, the offset is 3 bytes in so when you declare your offset with your findpattern function, make sure to add that many bytes in

good luck!

Good tut, nice and clear for those who don't already know.

yea i was one of those people so i decided to learn to help those who don't know out

Is it different with AddysLogger? It's a bit harder and confusing compare to it..

you're suppose to use this for your addy logger.

nice tutorial dude... this should be stickied... doesn't mean it will be.

it's okay i've already had my fair share of threads stickied.

SigMaker? :L

sigmaker is not effective if you don't know how to make a pattern. c+p a pattern from sigmaker likely won't work as you want it to. I usually just use sigmaker so i don't have to write out the pattern /

Thx it helped a lot

small error it's 0x90 not 0x94.

thanks @grannycrazy