++METHOS I post too much Reputation: 92 Joined: 29 Oct 2010 Posts: 4197
Posted: Sun Mar 12, 2017 11:05 am
There is nothing wrong with using an AOB signature to find the injection point. Using wildcard variables is also recommended if you want to account for possible changes where bytes may be dynamic. Nothing will be 100% fail-proof, as you will never know what the developer will decide to do for future releases and patches. However, these recommended steps can be used to help mitigate any potential issues.
Regarding efficiency, you may use AOBScanModule in lieu of AOBScan. AOBScanRegion may also be a viable option, although I never use it myself.
Nonetheless, storing offsets and the like will be pointless if you are not able to find the appropriate injection location. Even if you decide to use module addressing for injection, I still do not see how storing the offsets will help you from a compatibility standpoint, since you will have to know what those offsets will need to be in the first place.
So, you either need to have the information beforehand, which would make all of this pointless anyway, or, you will need to have a good way to find the appropriate injection location across multiple versions that may or may not change.
With that said, you can create an AOB signature that is near your injection point, that may not have many potentially dynamic bytes, and that can be used for your signature in an effort to reduce possible issues with broken signatures.
Truthfully, though, with regard to wildcard variables, I do not believe that having more is a bad thing or will cause inaccurate signatures any more than not having them. In my mind, having this:
Code:
55 8B xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx 03 D0
is just as good, if not better, than having this:
Code:
55 8B EC 8B 45 08 56 xx xx 3C 03 C8 0F xx xx 14 8D 51 18 03 D0
If the signature breaks because an additional byte is added or removed, then both signatures will be broken. At least with the first example, you have a better chance of the signature not breaking in the event that a byte value simply changes.
...unless I am still not understanding you fully.
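The two signatures from the post, run through a small wildcard AOB matcher, as an added example that is not the poster's code or Cheat Engine's own scanner. The byte buffers are constructed to show the three cases the post describes: the unchanged bytes, a single byte value changing, and a byte being inserted.

```python
# Wildcard AOB (array-of-bytes) matcher, written for this example. "xx" marks a wildcard,
# as in the post; "??" and "?" are accepted too since other tools use them.
SIG_WILDCARDED = "55 8B xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx 03 D0"
SIG_SPECIFIC = "55 8B EC 8B 45 08 56 xx xx 3C 03 C8 0F xx xx 14 8D 51 18 03 D0"

# Constructed sample: 21 bytes that match SIG_SPECIFIC exactly (the xx slots filled with
# arbitrary values), with a few padding bytes on either side. Not taken from any real binary.
ORIGINAL = bytes.fromhex(
    "90 90 90 90 "                                            # padding before the target
    "55 8B EC 8B 45 08 56 8B 75 3C 03 C8 0F B6 56 14 8D 51 18 03 D0 "
    "C3 90 90 90"                                             # padding after the target
)
TARGET_OFFSET = 4  # where the 21-byte sequence starts inside ORIGINAL


def parse_aob(sig: str):
    """Turn an AOB string into a list of byte values, with None standing for a wildcard."""
    return [None if t.lower() in ("xx", "??", "?") else int(t, 16) for t in sig.split()]


def aob_scan(buf: bytes, sig: str):
    """Return every offset in buf where the signature matches; wildcards match any byte."""
    pat = parse_aob(sig)
    n = len(pat)
    return [
        i for i in range(len(buf) - n + 1)
        if all(p is None or p == buf[i + j] for j, p in enumerate(pat))
    ]


def make_variants():
    """Three versions of the same region: unchanged, one byte value changed, one byte inserted."""
    value_changed = bytearray(ORIGINAL)
    value_changed[TARGET_OFFSET + 2] = 0xE8          # the fixed EC in SIG_SPECIFIC becomes E8
    cut = TARGET_OFFSET + 7                            # insert a byte after the 7th signature byte
    byte_inserted = ORIGINAL[:cut] + b"\x90" + ORIGINAL[cut:]
    return {
        "original": ORIGINAL,
        "value_changed": bytes(value_changed),
        "byte_inserted": byte_inserted,
    }


def compare_signatures():
    """Map each variant to (hits for the wildcarded signature, hits for the specific one)."""
    return {
        name: (aob_scan(buf, SIG_WILDCARDED), aob_scan(buf, SIG_SPECIFIC))
        for name, buf in make_variants().items()
    }
```

With these inputs the wildcarded signature survives the value change while the specific one does not, and the inserted byte breaks both, which is the point the post makes.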