Okay, many of you may not know how to do this, or are just using patterns without knowing how to find or update them yourself, so I will walk you through the process of making a byte pattern. The example string is
CharacterHiddenRunAlpha
Okay, the first thing you want to do is load up your debugger, load cshell, then navigate to the code that references the above string and find the instruction that reads the offset.
Great, now how do we make a pattern for it? Simple: we look at the bytes, figure out which ones are likely to change, and build a pattern that can be searched for based on the ones that stay the same.
Now, Look at the bytes next to the disassembly, it reads
Code:
10192FEB | D9 9C 11 90 00 00 00 | FSTP DWORD PTR DS:[ECX+EDX+90]
The bytes that pertain to this line are 0xD9 0x9C 0x11 0x90 0x00 0x00 0x00 (seven bytes: D9 9C 11 is the opcode plus ModRM/SIB, and 90 00 00 00 is the 32-bit displacement 0x90 stored little-endian). Hit CTRL+B, type these bytes in,
then search. You will land exactly at the address containing the offset, but what is the guarantee that the bytes will always be the same? We don't know, and that's why pattern scanning is a good thing. Let me lay down a few rules. Any time we see a byte that is likely to change (the offset itself, an address, a jump or call target) we replace it with ?? (I'm not writing code here, I'm showing you the binary string search in OllyDbg, which accepts ?? as a wildcard). The 0x00 bytes after 0x90 are the upper bytes of that same displacement, so they count as wildcards too; however, wildcards at the very end of a pattern match anything and add nothing, so trailing ?? bytes are simply dropped. Everything else is okay to put in your pattern.
Okay, let's start off with the simplest assumption, that only the displacement 0x90 00 00 00 will change, so we replace those four bytes with ?? and then drop them since they are trailing. That leaves just D9 9C 11.
What happens when you search this? You don't land on the address you want, which is a problem. Most of the time you can't make a unique pattern from a single line; you have to do some tinkering. What actually happens is that you land on the address with the offset for
MaxCanDefuseDistance, because many offsets are read by identical instruction sequences that differ only in the displacement, and the search returns the first match. So you must expand your byte pattern until it is unique.
MaxCanDefuseDistance looks like this
So what you need to do is take a run of bytes following each of the two matches and compare them to see where they differ; that is where you can make a unique pattern. From MaxCanDefuseDistance I took this:
Code:
D9 9C 11 84 00 00 00 8B 4C 24 30 3B CB 74 0D 8B 44 24 34 2B C1 C1 F8 02 3B F8 72 06 FF D5 8B 4C 24 30 8B 04 B9 68 08 E1 3E 10 50 E8 1F 71 1E 00 83 C4 08 3B C3
While for CharacterHiddenRunAlpha I took this:
Code:
D9 9C 11 90 00 00 00 8B 4C 24 30 3B CB 74 0D 8B 44 24 34 2B C1 C1 F8 02 3B F8 72 06 FF D5 8B 4C 24 30 8B 04 B9 68 C0 E0 3E 10 50 E8 F5 6F 1E 00 83 C4 08 3B C3
You then have to find out where they differ, and here I did it for you:
MaxCanDefuseDistance
Code:
D9 9C 11 84 00 00 00 8B 4C 24 30 3B CB 74 0D 8B 44 24 34 2B C1 C1 F8 02 3B F8 72 06 FF D5 8B 4C 24 30 8B 04 B9 68 08 E1 3E 10 50 E8 1F 71 1E 00 83 C4 08 3B C3
CharacterHiddenRunAlpha
Code:
D9 9C 11 90 00 00 00 8B 4C 24 30 3B CB 74 0D 8B 44 24 34 2B C1 C1 F8 02 3B F8 72 06 FF D5 8B 4C 24 30 8B 04 B9 68 C0 E0 3E 10 50 E8 F5 6F 1E 00 83 C4 08 3B C3
Obviously 0x84 and 0x90 are both offsets that you expect to change, so make them wildcards. Also make the three 0x00 bytes that follow each of them wildcards, since they are the rest of the same 4-byte displacement.
MaxCanDefuseDistance
Code:
D9 9C 11 ?? ?? ?? ?? 8B 4C 24 30 3B CB 74 0D 8B 44 24 34 2B C1 C1 F8 02 3B F8 72 06 FF D5 8B 4C 24 30 8B 04 B9 68 08 E1 3E 10 50 E8 1F 71 1E 00 83 C4 08 3B C3
CharacterHiddenRunAlpha
Code:
D9 9C 11 ?? ?? ?? ?? 8B 4C 24 30 3B CB 74 0D 8B 44 24 34 2B C1 C1 F8 02 3B F8 72 06 FF D5 8B 4C 24 30 8B 04 B9 68 C0 E0 3E 10 50 E8 F5 6F 1E 00 83 C4 08 3B C3
Now, find the first byte after all the wildcards in which they differ. I also did that for you (it is the byte right after 68):
MaxCanDefuseDistance
Code:
D9 9C 11 ?? ?? ?? ?? 8B 4C 24 30 3B CB 74 0D 8B 44 24 34 2B C1 C1 F8 02 3B F8 72 06 FF D5 8B 4C 24 30 8B 04 B9 68 08 E1 3E 10 50 E8 1F 71 1E 00 83 C4 08 3B C3
CharacterHiddenRunAlpha
Code:
D9 9C 11 ?? ?? ?? ?? 8B 4C 24 30 3B CB 74 0D 8B 44 24 34 2B C1 C1 F8 02 3B F8 72 06 FF D5 8B 4C 24 30 8B 04 B9 68 C0 E0 3E 10 50 E8 F5 6F 1E 00 83 C4 08 3B C3
Now take away everything after that first differing byte:
MaxCanDefuseDistance
Code:
D9 9C 11 ?? ?? ?? ?? 8B 4C 24 30 3B CB 74 0D 8B 44 24 34 2B C1 C1 F8 02 3B F8 72 06 FF D5 8B 4C 24 30 8B 04 B9 68 08
CharacterHiddenRunAlpha
Code:
D9 9C 11 ?? ?? ?? ?? 8B 4C 24 30 3B CB 74 0D 8B 44 24 34 2B C1 C1 F8 02 3B F8 72 06 FF D5 8B 4C 24 30 8B 04 B9 68 C0
You now have 2 working patterns, one per offset.
If you hit CTRL+B and paste
Code:
D9 9C 11 ?? ?? ?? ?? 8B 4C 24 30 3B CB 74 0D 8B 44 24 34 2B C1 C1 F8 02 3B F8 72 06 FF D5 8B 4C 24 30 8B 04 B9 68 C0
and then search, you will land at the address that contains 0x90. Search again from that hit to confirm there is no second match; a pattern you intend to hard-code should match exactly once in the module.
One caveat: the byte you are keying on, 0xC0, is the low byte of the 32-bit immediate in 68 C0 E0 3E 10 (a PUSH of 0x103EE0C0, which looks like an address inside the same module). If a later build moves that data, this pattern stops matching and you have to repeat the comparison above, so re-check your patterns after every update.
Now you can implement this pattern in your code, but note that you must add X bytes depending on how far into the matched bytes the offset sits. In this case the offset starts 3 bytes in (right after D9 9C 11), so when you declare your offset with your findpattern function, make sure to add 3 to the returned address and read a full 4-byte little-endian value there, not just the one byte 0x90; a future build may move the field past 0xFF and the upper bytes would no longer be zero.
Good luck!
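Here is the whole procedure as a runnable findpattern, written by me for this post and not taken from anyone's hack source. It scans a constructed buffer containing the two byte sequences quoted above laid end to end (MaxCanDefuseDistance first, as that is the match OllyDbg returned for the short pattern), shows that the too-short pattern D9 9C 11 matches twice and lands on the wrong offset, that the expanded pattern matches once, and reads the 4-byte displacement at +3. The pattern syntax, function names and buffer layout are my own choices.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_PATTERN 64

/* Constructed sample: the two 53-byte sequences from the post, back to back,
   standing in for the module's code section. Not a dump of the real cshell. */
static const uint8_t g_code[] = {
    /* MaxCanDefuseDistance (displacement 0x84) */
    0xD9,0x9C,0x11,0x84,0x00,0x00,0x00,0x8B,0x4C,0x24,0x30,0x3B,0xCB,0x74,0x0D,0x8B,
    0x44,0x24,0x34,0x2B,0xC1,0xC1,0xF8,0x02,0x3B,0xF8,0x72,0x06,0xFF,0xD5,0x8B,0x4C,
    0x24,0x30,0x8B,0x04,0xB9,0x68,0x08,0xE1,0x3E,0x10,0x50,0xE8,0x1F,0x71,0x1E,0x00,
    0x83,0xC4,0x08,0x3B,0xC3,
    /* CharacterHiddenRunAlpha (displacement 0x90) */
    0xD9,0x9C,0x11,0x90,0x00,0x00,0x00,0x8B,0x4C,0x24,0x30,0x3B,0xCB,0x74,0x0D,0x8B,
    0x44,0x24,0x34,0x2B,0xC1,0xC1,0xF8,0x02,0x3B,0xF8,0x72,0x06,0xFF,0xD5,0x8B,0x4C,
    0x24,0x30,0x8B,0x04,0xB9,0x68,0xC0,0xE0,0x3E,0x10,0x50,0xE8,0xF5,0x6F,0x1E,0x00,
    0x83,0xC4,0x08,0x3B,0xC3,
};

static const char PAT_NAIVE[]  = "D9 9C 11";
static const char PAT_DEFUSE[] = "D9 9C 11 ?? ?? ?? ?? 8B 4C 24 30 3B CB 74 0D 8B 44 24 34 2B C1 C1 F8 02 "
                                 "3B F8 72 06 FF D5 8B 4C 24 30 8B 04 B9 68 08";
static const char PAT_HIDDEN[] = "D9 9C 11 ?? ?? ?? ?? 8B 4C 24 30 3B CB 74 0D 8B 44 24 34 2B C1 C1 F8 02 "
                                 "3B F8 72 06 FF D5 8B 4C 24 30 8B 04 B9 68 C0";

/* Parse "D9 9C 11 ?? ..." into byte values plus a mask (1 = must match,
   0 = wildcard). Returns the pattern length, or -1 if the text is malformed. */
static int parse_pattern(const char *text, uint8_t *bytes, uint8_t *mask)
{
    int n = 0;
    for (const char *p = text; *p; ) {
        while (*p == ' ') p++;
        if (!*p) break;
        if (n == MAX_PATTERN) return -1;
        if (p[0] == '?' && p[1] == '?') {
            bytes[n] = 0; mask[n] = 0; p += 2;
        } else {
            char *end;
            unsigned long v = strtoul(p, &end, 16);
            if (end != p + 2 || v > 0xFF) return -1;   /* exactly two hex digits */
            bytes[n] = (uint8_t)v; mask[n] = 1; p = end;
        }
        n++;
    }
    return n;
}

/* Count matches of the pattern in hay[0..len) and report the first one via
   *first (-1 if none). A pattern you hard-code should yield exactly one hit. */
static long scan(const uint8_t *hay, size_t len, const char *text, long *first)
{
    uint8_t bytes[MAX_PATTERN], mask[MAX_PATTERN];
    int n = parse_pattern(text, bytes, mask);
    long hits = 0;
    if (first) *first = -1;
    if (n <= 0 || (size_t)n > len) return 0;
    for (size_t i = 0; i + (size_t)n <= len; i++) {
        int j;
        for (j = 0; j < n; j++)
            if (mask[j] && hay[i + j] != bytes[j]) break;
        if (j == n) {
            if (first && *first < 0) *first = (long)i;
            hits++;
        }
    }
    return hits;
}

static long find_pattern(const uint8_t *hay, size_t len, const char *text)
{
    long first;
    scan(hay, len, text, &first);
    return first;
}

static long count_matches(const uint8_t *hay, size_t len, const char *text)
{
    return scan(hay, len, text, NULL);
}

/* The displacement sits 'skip' bytes past the match (3 here, after D9 9C 11)
   and is a little-endian dword, so read all four bytes, not just the 0x90. */
static uint32_t read_disp32(const uint8_t *hay, size_t len, long match, int skip)
{
    if (match < 0 || (size_t)match + (size_t)skip + 4 > len) return 0;
    const uint8_t *p = hay + match + skip;
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

int main(void)
{
    const char *pats[] = { PAT_NAIVE, PAT_DEFUSE, PAT_HIDDEN };
    for (int i = 0; i < 3; i++) {
        long at = find_pattern(g_code, sizeof g_code, pats[i]);
        long hits = count_matches(g_code, sizeof g_code, pats[i]);
        printf("pattern %d: first match at +%ld, %ld hit(s), offset = 0x%X%s\n",
               i, at, hits, read_disp32(g_code, sizeof g_code, at, 3),
               hits == 1 ? "" : "  <-- NOT unique, expand the pattern");
    }
    return 0;
}
```

The uniqueness count is the check OllyDbg does not do for you: a pattern that returns the right address today but matches twice will silently start returning the wrong one after a rebuild reorders the functions.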