P47R!CK's SigMaker plugin for OllyDbg is excellent for creating signatures. Like abuckau explained, '?' are unknown bytes which might change on each run (addresses, offsets, etc.) which will be ignored in the scan, and 'x' are bytes of opcodes, which will stay constant.
My quick explanation: (let's use the code in my sig!)
Code:
00F38C0E B8 0610F300 MOV EAX, 00F31006
00F38C13 C700 208CF300 MOV DWORD PTR DS:[EAX], 00F38C20
00F38C19 EB FF JMP SHORT 00F38C1A
00F38C1B 90 NOP
00F38C1C 0000 ADD BYTE PTR DS:[EAX],AL
00F38C1E 0000 ADD BYTE PTR DS:[EAX],AL
00F38C20 58 POP EAX
00F38C21 ^EB EB JMP SHORT 00F38C0E
So, the first instruction is MOV EAX, 00F31006. The first part of our sig would be "\xB8\x00\x00\x00\x00", and the mask "x????". The opcode for the mov (0xB8) will always stay the same, but the value could potentially be a different one. (It's not, but let's pretend it could be.) See where I'm going here?
Next instruction: MOV DWORD PTR [EAX], 00F38C20. The sig would be "\xC7\x00\x00\x00\x00\x00" and the mask "xx????". Again, the opcode for the mov (0xC7) will stay the same. Note the second 'x'! We can assume the register will stay the same, so we include the op1 in our scan.
The rest: All of the rest is static. The NOP (0x90) will not change, nor will the DB 00's. (Olly displays DB 00's as ADD BYTE PTR [EAX],AL if you edit them manually) So the rest of the sig is "\x90\x00\x00\x00\x00\x58\xEB\xEB" and the mask is all 'x' obviously: "xxxxxxxx".
SigMaker does all this work for you, and it scans if your pattern is unique to the process. If there is more than one occurrence of the pattern, you can't reliably find the place in memory for your hack.
I hope this clears pattern scanning up a bit.
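The masked scan and uniqueness check described in the post, as an added example (not part of the original post and not SigMaker's code). The sample image is constructed, the function names are made up for this illustration, and the `EB FF` bytes of the JMP SHORT from the listing are included as two fixed bytes so the pattern lines up with the listed code.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Signature built from the listing: 'x' = byte must match, '?' = ignored. */
static const unsigned char SIG[] = {
    0xB8, 0, 0, 0, 0,                   /* MOV EAX, imm32         x????    */
    0xC7, 0x00, 0, 0, 0, 0,             /* MOV [EAX], imm32       xx????   */
    0xEB, 0xFF,                         /* JMP SHORT (assumed fixed)  xx   */
    0x90, 0, 0, 0, 0, 0x58, 0xEB, 0xEB  /* NOP, DB 00s, POP, JMP  xxxxxxxx */
};
static const char MASK[] = "x????" "xx????" "xx" "xxxxxxxx";

/* Constructed sample image: the same code with different immediates (as if
   the module were loaded at another base), plus an unrelated MOV EAX, 1. */
static const unsigned char IMAGE[] = {
    0xCC, 0xCC, 0xCC, 0xCC,
    0xB8, 0x06, 0x10, 0xA3, 0x00, 0xC7, 0x00, 0x20, 0x8C, 0xA3, 0x00,
    0xEB, 0xFF, 0x90, 0x00, 0x00, 0x00, 0x00, 0x58, 0xEB, 0xEB,
    0xB8, 0x01, 0x00, 0x00, 0x00, 0xC3
};

/* Count every offset where the masked pattern matches; report the first. */
size_t scan_count(const unsigned char *buf, size_t len,
                  const unsigned char *pat, const char *mask, size_t *first)
{
    size_t n = strlen(mask), hits = 0;
    for (size_t off = 0; n != 0 && off + n <= len; off++) {
        size_t i = 0;
        while (i < n && (mask[i] == '?' || buf[off + i] == pat[i]))
            i++;
        if (i == n && hits++ == 0 && first)
            *first = off;
    }
    return hits;
}

size_t full_sig_hits(size_t *first)
{ return scan_count(IMAGE, sizeof IMAGE, SIG, MASK, first); }

size_t short_sig_hits(void)   /* only "x????": too short to be unique */
{ return scan_count(IMAGE, sizeof IMAGE, SIG, "x????", NULL); }

int main(void)
{
    size_t first = 0, full = full_sig_hits(&first);
    printf("full sig: %zu hit(s), first at offset %zu\n", full, first);
    printf("short sig: %zu hit(s)\n", short_sig_hits());
    return 0;
}
```

The full pattern still matches although the immediates differ from the listing, while the five-byte prefix alone matches two places, which is the ambiguity the uniqueness check is there to catch.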