  1. #1
    dakr54's Avatar

    How to make byte patterns

    Okay, many of you may not know how to do this, or are just using patterns without knowing how to find them or update them yourself, so I will teach you the process of making a byte pattern.

    CharacterHiddenRunAlpha

    Okay, the first thing you wanna do is load up your debugger and cshell, then navigate to the above string and find the offset.
    Code:
    0x90
    Great, now how do we make a pattern for it? Simple, we look at the bytes and figure out what changes and make a pattern that can be searched for based off of that!

    Now, look at the bytes next to the disassembly. It reads:
    Code:
    10192FEB      |       D99C11 90000000   |    FSTP DWORD PTR DS:[ECX+EDX+90]
    The bytes that pertain to this line are 0xD9 0x9C 0x11 0x90 0x00 0x00 0x00 0x00. Hit CTRL + B and type this in

    Code:
    D9 9C 11 90
    then search. You will land exactly at the address containing the offset, but what is the guarantee that the bytes will always be the same? We don't know exactly, and that's why pattern scanning can be a good thing. Let me just lay down a few things here: anytime we see a byte that is likely to change, we replace it with a ?? (I'm not using any code, so I'm just showing you the binary string scans in OllyDbg). Also, 0x00 is a wildcard too, but a trailing null byte won't be needed for a pattern scan. Everything else is okay to put in your pattern.

    Okay, let's start off with the simplest assumption, that only 0x90 will change, so we change the 0x90 to ?? (don't include the ?? since it's trailing).
    Code:
     D9 9C 11
    What happens when you search this? You actually don't land on the exact address, which can be a problem. Most of the time you can't make a unique pattern from that single line; you have to do some tinkering. What should have happened is that you should have landed on the address with the offset for MaxCanDefuseDistance. Since many offsets will share similar byte patterns, you must expand on your byte pattern.

    MaxCanDefuseDistance looks like this
    Code:
     D9 9C 11 84
    So what you need to do is take some bytes from both strings and compare them to see where they differ, and that is where you can make a unique pattern. From MaxCanDefuseDistance I took this:
    Code:
    D9 9C 11 84 00 00 00 8B 4C 24 30 3B CB 74 0D 8B 44 24 34 2B C1 C1 F8 02 3B F8 72 06 FF D5 8B 4C 24 30 8B 04 B9 68 08 E1 3E 10 50 E8 1F 71 1E 00 83 C4 08 3B C3
    While for CharacterHiddenRunAlpha I took this:
    Code:
    D9 9C 11 90 00 00 00 8B 4C 24 30 3B CB 74 0D 8B 44 24 34 2B C1 C1 F8 02 3B F8 72 06 FF D5 8B 4C 24 30 8B 04 B9 68 C0 E0 3E 10 50 E8 F5 6F 1E 00 83 C4 08 3B C3
    You then have to find out where they differ; here, I did it for you.

    MaxCanDefuseDistance
    Code:
    D9 9C 11 84 00 00 00 8B 4C 24 30 3B CB 74 0D 8B 44 24 34 2B C1 C1 F8 02 3B F8 72 06 FF D5 8B 4C 24 30 8B 04 B9 68 08 E1 3E 10 50 E8 1F 71 1E 00 83 C4 08 3B C3
    CharacterHiddenRunAlpha
    Code:
    D9 9C 11 90 00 00 00 8B 4C 24 30 3B CB 74 0D 8B 44 24 34 2B C1 C1 F8 02 3B F8 72 06 FF D5 8B 4C 24 30 8B 04 B9 68 C0 E0 3E 10 50 E8 F5 6F 1E 00 83 C4 08 3B C3
    Obviously 0x84 and 0x94 are both offsets that you want to edit, so make them wildcards. Also, make all the 0x00's wild cards.

    MaxCanDefuseDistance
    Code:
    D9 9C 11 ?? ?? ?? ?? 8B 4C 24 30 3B CB 74 0D 8B 44 24 34 2B C1 C1 F8 02 3B F8 72 06 FF D5 8B 4C 24 30 8B 04 B9 68 08 E1 3E 10 50 E8 1F 71 1E 00 83 C4 08 3B C3
    CharacterHiddenRunAlpha
    Code:
    D9 9C 11 ?? ?? ?? ?? 8B 4C 24 30 3B CB 74 0D 8B 44 24 34 2B C1 C1 F8 02 3B F8 72 06 FF D5 8B 4C 24 30 8B 04 B9 68 C0 E0 3E 10 50 E8 F5 6F 1E 00 83 C4 08 3B C3
    Now, find the first byte after all the wildcards that they differ in. I also did that for you.

    Code:
    D9 9C 11 ?? ?? ?? ?? 8B 4C 24 30 3B CB 74 0D 8B 44 24 34 2B C1 C1 F8 02 3B F8 72 06 FF D5 8B 4C 24 30 8B 04 B9 68 08  E1 3E 10 50 E8 1F 71 1E 00 83 C4 08 3B C3
    CharacterHiddenRunAlpha
    Code:
    D9 9C 11 ?? ?? ?? ?? 8B 4C 24 30 3B CB 74 0D 8B 44 24 34 2B C1 C1 F8 02 3B F8 72 06 FF D5 8B 4C 24 30 8B 04 B9 68 C0  E0 3E 10 50 E8 F5 6F 1E 00 83 C4 08 3B C3
    Now take away everything after that byte.
    MaxCanDefuseDistance
    Code:
    D9 9C 11 ?? ?? ?? ?? 8B 4C 24 30 3B CB 74 0D 8B 44 24 34 2B C1 C1 F8 02 3B F8 72 06 FF D5 8B 4C 24 30 8B 04 B9 68 08
    CharacterHiddenRunAlpha
    Code:
    D9 9C 11 ?? ?? ?? ?? 8B 4C 24 30 3B CB 74 0D 8B 44 24 34 2B C1 C1 F8 02 3B F8 72 06 FF D5 8B 4C 24 30 8B 04 B9 68 C0
    You now have 2 working patterns.

    If you hit CTRL+B and paste
    Code:
    D9 9C 11 ?? ?? ?? ?? 8B 4C 24 30 3B CB 74 0D 8B 44 24 34 2B C1 C1 F8 02 3B F8 72 06 FF D5 8B 4C 24 30 8B 04 B9 68 C0
    and then search, you will land at the address that contains 0x90.

    Now you can implement this pattern into your code, but make a note: you must add X amount of bytes depending on how far the offset is in the code. In this case, the offset is 3 bytes in, so when you declare your offset with your findpattern function, make sure to add that many bytes in.

    Good luck!
    Last edited by dakr54; 01-08-2013 at 09:36 PM.

  2. The Following 5 Users Say Thank You to dakr54 For This Useful Post:

    Fly3r (01-09-2013),HLBOT (02-22-2013),Pingo (01-08-2013),TonyMane() (05-16-2015),zFreeLove (12-14-2015)
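
The procedure from post #1, replayed offline as an added example that is not part of the original thread: it checks that the short pattern is ambiguous, derives the longer pattern by wildcarding and cutting at the first differing byte, and confirms it matches once. The function names, the `IMAGE` buffer and the 0xCC padding are constructed for illustration; the two byte strings are the ones quoted in the post.

```python
import struct

# Byte strings copied from post #1; the 0xCC padding around them is constructed.
MAX_CAN_DEFUSE = bytes.fromhex(
    "D9 9C 11 84 00 00 00 8B 4C 24 30 3B CB 74 0D 8B 44 24 34 2B C1 C1 F8 02 3B F8 72"
    " 06 FF D5 8B 4C 24 30 8B 04 B9 68 08 E1 3E 10 50 E8 1F 71 1E 00 83 C4 08 3B C3")
HIDDEN_RUN_ALPHA = bytes.fromhex(
    "D9 9C 11 90 00 00 00 8B 4C 24 30 3B CB 74 0D 8B 44 24 34 2B C1 C1 F8 02 3B F8 72"
    " 06 FF D5 8B 4C 24 30 8B 04 B9 68 C0 E0 3E 10 50 E8 F5 6F 1E 00 83 C4 08 3B C3")
PAD = b"\xCC" * 16
IMAGE = PAD + MAX_CAN_DEFUSE + PAD + HIDDEN_RUN_ALPHA + PAD  # offline test buffer

def parse_pattern(text):
    """'D9 9C ?? 11' -> list of ints, with None standing for a wildcard."""
    return [None if tok in ("??", "?") else int(tok, 16) for tok in text.split()]

def find_all(data, pattern):
    """Return every offset in data where the pattern matches."""
    n = len(pattern)
    return [i for i in range(len(data) - n + 1)
            if all(p is None or data[i + j] == p for j, p in enumerate(pattern))]

def derive_pattern(target, other, wildcard_at):
    """Wildcard the chosen positions, then cut right after the first byte that differs."""
    out = []
    for i, (a, b) in enumerate(zip(target, other)):
        out.append("??" if i in wildcard_at else f"{a:02X}")
        if i not in wildcard_at and a != b:
            return " ".join(out)
    raise ValueError("sequences never differ outside the wildcards")

def read_offset(data, hit, skip=3):
    """The 32-bit little-endian operand sits `skip` bytes into the match."""
    return struct.unpack_from("<I", data, hit + skip)[0]

if __name__ == "__main__":
    # The three-byte prefix is shared, so it matches both locations.
    print("short hits:", find_all(IMAGE, parse_pattern("D9 9C 11")))
    full = derive_pattern(HIDDEN_RUN_ALPHA, MAX_CAN_DEFUSE, range(3, 7))
    print("derived   :", full)
    for hit in find_all(IMAGE, parse_pattern(full)):
        print(f"single hit at {hit:#x}, operand {read_offset(IMAGE, hit):#x}")
```

A pattern is only as unique as the data it was checked against, so the match count should be re-verified against each new build before the operand is trusted.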

  3. #2
    Pingo's Avatar
    Good tut, nice and clear for those who don't already know.

  4. The Following User Says Thank You to Pingo For This Useful Post:

    dakr54 (01-08-2013)

  5. #3
    dakr54's Avatar
    Yeah, I was one of those people, so I decided to learn to help those who don't know out.

  6. #4
    3D's Avatar
    Good job, nice tut.

  7. The Following User Says Thank You to 3D For This Useful Post:

    dakr54 (01-09-2013)

  8. #5
    remzkee0903's Avatar
    Is it different with AddysLogger? It's a bit harder and confusing compared to it..
    -SiLent But DeadLy-

  9. #6
    dakr54's Avatar
    You're supposed to use this for your addy logger.

  10. #7
    Intellectual's Avatar
    Quote Originally Posted by remzkee0903 View Post
    Is it different with AddysLogger? It's a bit harder and confusing compared to it..
    You need to use these patterns for your addy logger.
    Nice job, dakr.

  11. The Following User Says Thank You to Intellectual For This Useful Post:

    dakr54 (01-09-2013)

  12. #8
    rabir007's Avatar
    Thanks, now I would make my own logger...







  13. The Following User Says Thank You to rabir007 For This Useful Post:

    dakr54 (01-09-2013)

  14. #9
    AxiomFlux's Avatar
    Nice tutorial, dude... this should be stickied... doesn't mean it will be.

  15. The Following User Says Thank You to AxiomFlux For This Useful Post:

    dakr54 (01-09-2013)

  16. #10
    dakr54's Avatar
    Quote Originally Posted by AxiomFlux View Post
    nice tutorial dude... this should be stickied... doesn't mean it will be.
    It's okay, I've already had my fair share of threads stickied.

  17. #11
    giniyat101's Avatar
    SigMaker? :L


     




  18. The Following User Says Thank You to giniyat101 For This Useful Post:

    dakr54 (01-13-2013)

  19. #12
    dakr54's Avatar
    Quote Originally Posted by giniyat101 View Post
    SigMaker? :L
    SigMaker is not effective if you don't know how to make a pattern. C+P-ing a pattern from SigMaker likely won't work as you want it to. I usually just use SigMaker so I don't have to write out the pattern.

  20. The Following User Says Thank You to dakr54 For This Useful Post:

    giniyat101 (01-13-2013)

  21. #13
    vinke2013's Avatar
    Thx, it helped a lot.

  22. #14
    dakr54's Avatar
    Quote Originally Posted by dakr54 View Post
    MaxCanDefuseDistance
    Code:
    D9 9C 11 84 00 00 00 8B 4C 24 30 3B CB 74 0D 8B 44 24 34 2B C1 C1 F8 02 3B F8 72 06 FF D5 8B 4C 24 30 8B 04 B9 68 08 E1 3E 10 50 E8 1F 71 1E 00 83 C4 08 3B C3
    CharacterHiddenRunAlpha
    Code:
    D9 9C 11 90 00 00 00 8B 4C 24 30 3B CB 74 0D 8B 44 24 34 2B C1 C1 F8 02 3B F8 72 06 FF D5 8B 4C 24 30 8B 04 B9 68 C0 E0 3E 10 50 E8 F5 6F 1E 00 83 C4 08 3B C3
    Obviously 0x84 and 0x94 are both offsets that you want to edit, so make them wildcards. Also, make all the 0x00's wild cards.

    MaxCanDefuseDistance
    Code:
    D9 9C 11 ?? ?? ?? ?? 8B 4C 24 30 3B CB 74 0D 8B 44 24 34 2B C1 C1 F8 02 3B F8 72 06 FF D5 8B 4C 24 30 8B 04 B9 68 08 E1 3E 10 50 E8 1F 71 1E 00 83 C4 08 3B C3
    CharacterHiddenRunAlpha
    Code:
    D9 9C 11 ?? ?? ?? ?? 8B 4C 24 30 3B CB 74 0D 8B 44 24 34 2B C1 C1 F8 02 3B F8 72 06 FF D5 8B 4C 24 30 8B 04 B9 68 C0 E0 3E 10 50 E8 F5 6F 1E 00 83 C4 08 3B C3
    Small error: it's 0x90, not 0x94.

    Thanks @grannycrazy

  23. The Following User Says Thank You to dakr54 For This Useful Post:

    grannycrazy (03-25-2013)

  24. #15
    grannycrazy's Avatar
    Great Tutorial! Thank you!



  25. The Following User Says Thank You to grannycrazy For This Useful Post:

    dakr54 (05-27-2013)
