Pattern Scan

**GoldWhite** · 11-24-2012

Pattern Scan of Dip Engine can anyone give?

**[MPGH]Flengo** · 11-24-2012

There's no need for DIP Engine. Just hook D3D DIP.

Do a midfunction hook after the first 5 bytes.

**Saltine** · 11-24-2012

Originally Posted by Flengo

There's no need for DIP Engine. Just hook D3D DIP.

Do a midfunction hook after the first 5 bytes.

Or you can look into hotpatch hooking, its a feature windows implemented to allow patching executables without restarting.

**Departure** · 11-25-2012

The hot patch nops are the first place any decent anti hack software looks, I am sure Hack shield would scan there if they are scanning the functions entry point. there is 6 bytes allocated just before the entry of the function these are normally nops 0x90 then on the function export table it will be the original address - 6 bytes, when this function is called with the new address there is normally a patch which jumps to another function, it goes something like that... it was years ago I played with microsoft hot patch area because its normally the first thing checked in any good hack detection software

**Saltine** · 11-25-2012

Originally Posted by Departure

The hot patch nops are the first place any decent anti hack software looks, I am sure Hack shield would scan there if they are scanning the functions entry point. there is 6 bytes allocated just before the entry of the function these are normally nops 0x90 then on the function export table it will be the original address - 6 bytes, when this function is called with the new address there is normally a patch which jumps to another function, it goes something like that... it was years ago I played with microsoft hot patch area because its normally the first thing checked in any good hack detection software

Believe it or not, as of several patches ago (I haven't checked since), hotpatch hooking worked perfectly for DrawIndexedPrimitive :P

**GoldWhite** · 11-25-2012

close please

**[MPGH]Flengo** · 11-25-2012

Nexon doesn't really do shit.

I'll try it out. But I'm pretty sure it should still be working.

It wouldn't stand a chance against any real Anti-Hack programs.

**Genesis** · 11-26-2012

Not sure if it's right but try this.

Code:

PATTERN: "\x8B\x08\x8B\x91\x48\x01\x00\x00\xFF\xD2\x8B\xE5\x5D\xC2\x14\x00"
MASK: "xxxxxxxxxxxxxxxx"

Search in Engine of course.

**demtrios** · 11-26-2012

Well you can use the vtable 82 Dip not use any type of address and parese that undetectable

**Ch40zz-C0d3r** · 11-26-2012

Originally Posted by demtrios

Well you can use the vtable 82 Dip not use any type of address and parese that undetectable

A normal vtable hook on 82 with ms detours (or any other detours) is detected :/

**demtrios** · 11-26-2012

Originally Posted by Ch40zz-C0d3r

A normal vtable hook on 82 with ms detours (or any other detours) is detected :/

Yes mine is working perfectly

**-Bl00d-** · 11-27-2012

use Vtable
with modified "Clarkie detours"
works like a charm

Thread: Pattern Scan

Thread Tools

Display

Pattern Scan

The Following User Says Thank You to Saltine For This Useful Post:

The Following User Says Thank You to Departure For This Useful Post:

The Following User Says Thank You to Saltine For This Useful Post:

The Following User Says Thank You to Genesis For This Useful Post:

Similar Threads

[Help] Auto-Updating hack through Patterns/Sig Scans?

[Solved] Scan these byte patterns

[Help] Pattern scanning

File Scan here

CE SCANS TAKING 4ever