This tutorial was made on a WarRock dump; nothing is different on CA, just follow the steps. Oh, I already released this on my forum a while ago, so how about we skip the flaming :P
Let me first explain how to make patterns..
Programs needed are:
1 ) Brain.exe
2 ) Debugger (OllyDbg / IDA)
3 ) Notepad
Let's start..
First step!
* The address I'm using is PlayerPointer, it's just an example
1 ) Run IDA Pro, load the old WarRock dump (the one from before the last update) and wait until loading is finished (should look like this)
2 ) Search for the address you want to make a pattern for
3 ) Enter the address and click OK
4 ) It should look like this, for example
5 ) Click Hex View
6 ) The highlighted line of bytes is the bytes we need to make the pattern
So for now the bytes at the old address are ' A1 E8 17 A0 00 3B C3 74 16 33 C9 41 89 98 B4 02 '
Second step:
After we found the bytes for the PlayerPointer address in the old dump, do the same steps on the new dump (make sure you use the updated PlayerPointer address)
In the end, after doing the same as in step 1, you will get these bytes: ' A1 50 EE A4 00 3B C3 74 16 33 C9 41 89 98 C8 02 '
Third step:
We have the bytes from the old dump and the new dump, so what now?
Here comes the part where we build the mask.
The new bytes are:
A1 50 EE A4 00 3B C3 74 16 33 C9 41 89 98 C8 02
The old bytes are:
A1 E8 17 A0 00 3B C3 74 16 33 C9 41 89 98 B4 02
Now look at the bytes. Both are made of 16 bytes, so what you do is replace every byte that differs between the two with ' ? ' and every byte that stays the same with ' x '.
So let's start..
A1 50 EE A4 00 3B C3 74 16 33 C9 41 89 98 C8 02
A1 E8 17 A0 00 3B C3 74 16 33 C9 41 89 98 B4 02
x ? ? ? x x x x x x x x x x ? x
<< This is our mask! As you see, A1 is still A1 so we replaced it with ' x ', 50 changed to E8 so we replaced it with ' ? ', and so on. Check that the mask has exactly as many characters as the pattern has bytes (16 here), otherwise the scan compares the wrong positions.
The last step:
We found the mask, the old bytes and the new bytes; now we need to make the actual pattern. It's not much different from step 3, but this time every byte that differs is replaced with 0x00 (the value there doesn't matter, because the mask marks that position with ' ? ' and it is never compared).
Example!:
A1 50 EE A4 00 3B C3 74 16 33 C9 41 89 98 C8 02 << new bytes
A1 E8 17 A0 00 3B C3 74 16 33 C9 41 89 98 B4 02 << old bytes
\xA1\x00\x00\x00\x00\x3B\xC3\x74\x16\x33\xC9\x41\x89\x98\x00\x02 =
the pattern we're going to use to get the address. As you see, A1 / A1 didn't change at the start of the two byte strings, so we keep A1; but the second byte of the new bytes was 50 and the old one was E8, so we replaced it with 0x00.
So the final code will be
DWORD PlayerPointer = FindPattern((PBYTE)"\xA1\x00\x00\x00\x00\x3B\xC3\x74\x16\x33\xC9\x41\x89\x98\x00\x02", "x???xxxxxxxxxx?x", 1, true);
There is something I didn't explain, which is where the 1 comes from in
FindPattern((PBYTE)"\xA1\x00\x00\x00\x00\x3B\xC3\x74\x16\x33\xC9\x41\x89\x98\x00\x02", "x???xxxxxxxxxx?x", 1, true);
It differs from address to address, usually it's 1 or 2. It is the offset into the matched bytes where the address operand starts. Here the first byte A1 is the x86 opcode for mov eax, [imm32], a one-byte opcode followed by the 4-byte address, so the address starts at offset 1. With a two-byte opcode such as 8B 0D (mov ecx, [imm32]) the address starts at offset 2. Look at the instruction in IDA's disassembly view and count the opcode bytes in front of the address. One caveat: since the whole 4 bytes after A1 are the address, the fifth byte 00 only stayed the same because both addresses happened to be below 0x01000000; it is safer to wildcard all four (mask "x????xxxxxxxxx?x"), and likewise the bytes after 89 98 (B4 02 / C8 02) are the start of a displacement and can change again. Also make sure the pattern matches exactly once in the dump; if it matches twice, add more bytes to it.
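Here is a small FindPattern in C that does what the one-liner above does, added here as an example and not the FindPattern from the original post or any cheat source. It scans a buffer with the pattern and mask, refuses to trust a signature that matches more than once, and reads the 4-byte little-endian operand at the given offset. The two "dumps" are constructed byte arrays built from the tutorial's 16 bytes plus filler, not real WarRock memory; the names FindPattern(base, size, pattern, mask, &matches), ReadOperand and ResolvePlayerPointer are my own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the old and new dumps: the 16 bytes from the
 * tutorial surrounded by filler so there is something to scan. */
static const uint8_t OLD_DUMP[] = {
    0x90, 0x90, 0xCC, 0x55, 0x8B, 0xEC,
    0xA1, 0xE8, 0x17, 0xA0, 0x00, 0x3B, 0xC3, 0x74,
    0x16, 0x33, 0xC9, 0x41, 0x89, 0x98, 0xB4, 0x02,
    0x00, 0x00, 0xC3
};
static const uint8_t NEW_DUMP[] = {
    0x55, 0x8B, 0xEC, 0x90, 0x90, 0x90, 0x90, 0xCC,
    0xA1, 0x50, 0xEE, 0xA4, 0x00, 0x3B, 0xC3, 0x74,
    0x16, 0x33, 0xC9, 0x41, 0x89, 0x98, 0xC8, 0x02,
    0x00, 0x00, 0xC3
};

/* The pattern and mask built in the tutorial. The \x00 bytes are placeholders
 * at the '?' positions and are never compared. */
static const uint8_t PATTERN[] =
    "\xA1\x00\x00\x00\x00\x3B\xC3\x74\x16\x33\xC9\x41\x89\x98\x00\x02";
static const char MASK[] = "x???xxxxxxxxxx?x";

/* Compare one window of the buffer against pattern/mask:
 * 'x' means the byte must match, '?' accepts any byte. */
static bool MaskCompare(const uint8_t *data, const uint8_t *pattern, const char *mask)
{
    for (; *mask; ++mask, ++data, ++pattern) {
        if (*mask == 'x' && *data != *pattern)
            return false;
    }
    return true;
}

/* Scan [base, base+size). Returns the index of the first match or -1, and
 * stores the total number of matches so the caller can check uniqueness. */
static long FindPattern(const uint8_t *base, size_t size,
                        const uint8_t *pattern, const char *mask, size_t *matches)
{
    size_t len = strlen(mask);
    size_t n = 0;
    long first = -1;
    if (len > 0 && size >= len) {
        for (size_t i = 0; i + len <= size; ++i) {
            if (MaskCompare(base + i, pattern, mask)) {
                if (first < 0) first = (long)i;
                ++n;
            }
        }
    }
    if (matches) *matches = n;
    return first;
}

/* Read the 32-bit little-endian operand that starts `offset` bytes into the
 * match. For A1 xx xx xx xx (mov eax, [imm32]) the operand starts at offset 1. */
static uint32_t ReadOperand(const uint8_t *match, size_t offset)
{
    const uint8_t *p = match + offset;
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Same idea as the tutorial's one-liner: locate the pattern in a dump and pull
 * the address out of the instruction. Returns 0 if not found or not unique. */
uint32_t ResolvePlayerPointer(const uint8_t *dump, size_t size, size_t operand_offset)
{
    size_t matches = 0;
    long idx = FindPattern(dump, size, PATTERN, MASK, &matches);
    if (idx < 0 || matches != 1)
        return 0;   /* missing or ambiguous signature: extend the pattern */
    return ReadOperand(dump + idx, operand_offset);
}

int main(void)
{
    printf("old dump PlayerPointer: 0x%08X\n", ResolvePlayerPointer(OLD_DUMP, sizeof OLD_DUMP, 1));
    printf("new dump PlayerPointer: 0x%08X\n", ResolvePlayerPointer(NEW_DUMP, sizeof NEW_DUMP, 1));
    return 0;
}
```

The same pattern resolves 0x00A017E8 from the old bytes and 0x00A4EE50 from the new ones, which is the whole point of masking the operand bytes: the signature survives the update while the address it yields does not. In a real scan you would pass the module's base address and image size instead of these constructed arrays.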
Tutorial is over, thanks for reading..
Credits :
R3d_L!n3
UnknownPk
NoName