rog9001 Expert Cheater Reputation: 2
Joined: 22 Dec 2015 Posts: 214 Location: Jupiter
Posted: Tue Aug 02, 2016 11:42 am Post subject: This is better right?
Just asking for fun cuz I think it's better to have fewer symbols, but I want someone else's input on this.
Is it better to have more symbols in an AOB:
Code:
aobscan(90 90 BB FC 8B 0A CC)
or is it better to have fewer symbols:
Code:
aobscan(?? ?0 BB ?? 8? ?A ?C)
Don't forget I am only asking this to see what others will say and why it is better, so for example: "ya it's better to have less because blah blah blah" or "it's better to have more symbols because blah blah blah".
ulysse31 Master Cheater Reputation: 2
Joined: 19 Mar 2015 Posts: 324 Location: Paris
Posted: Tue Aug 02, 2016 12:14 pm Post subject:
It's better to have as many fixed bytes as you can rely on. If some bytes are likely to change over time (patches) because they are part of jump instructions (etc.), then don't hesitate to replace them with ??.
If they are part of the core code, leave them in, as they give your scan more precision and make it less likely to trigger false positives.
ParkourPenguin I post too much Reputation: 140
Joined: 06 Jul 2014 Posts: 4297
Posted: Tue Aug 02, 2016 1:17 pm Post subject:
That depends entirely on the significance of the individual byte/nibble you're working with as well as the frequency and extent of updates to the game.
Obviously, if an instruction directly references an address, don't use it even if that address is in the main module: the module isn't guaranteed to be loaded in the same location when you restart the game.
Code:
instruction: mov eax,[0012ABDC]
Real bytes: A1 DC AB 12 00
Signature: A1 ?? ?? ?? ??
Beyond that, it's a balancing act between uniqueness and versatility. Excluding bytes from the signature will make it less likely to break on an update to the game, but that will also make it less unique.
Relative addressing is unlikely to change between instances of the game (so long as the two addresses are within the same memory region), but large displacements could very likely change if the game updates. It's usually safe to include the most significant byte or two in a 32-bit displacement, however.
Code:
instruction: jmp eip+000001E5
Real bytes: E9 E5 01 00 00
Signature: E9 ?? ?? 00 00
If you're working with large offsets, you might want to exclude those from the signature. Again, it's usually safe to include the most significant byte or two.
Code:
instruction: mov edi,[ebp-000007D4]
Real bytes: 8B BD 2C F8 FF FF
Signature: 8B BD ?? ?? FF FF
Excluding the ModR/M and SIB bytes (or the lower nibble in some opcodes) might help if your AoB signatures are breaking with every update, but that's starting to get a little pedantic, not to mention you could lose unrelated information.
Code:
instruction: mov edx,[ebx+ecx*4]
Real bytes: 8B 14 8B
Signature: 8B ?? ?? // unfortunately you can't include any nibble due to how they're encoded
instruction: inc eax
Real bytes: 40
Signature: 4? // doesn't check highest bit of lower nibble, so could be dec instead of inc
Obviously (again), if your script relies on the injection point to be at a certain state (e.g. writing to the ecx register or using a certain offset), it should include that information in the signature as a sanity check.
_________________
I don't know where I'm going, but I'll figure it out when I get there.
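The rules in the post above (wildcard an absolute address entirely, keep the top byte or two of a rel32 or disp32, use a single `?` to pin one nibble) can be checked mechanically. The following is an added example, not code from this thread or from Cheat Engine: a small AOB matcher that understands nibble-level wildcards, a helper that wildcards an operand field of a byte string, and two constructed "builds" of the same code in which the module base and the jump target differ. Every byte buffer here is made up for the demonstration.

```python
# Added example (not code from the thread): an AOB signature matcher with
# nibble-level wildcards, plus a helper that wildcards an operand field the
# way the post above describes. All byte buffers below are constructed.
from typing import List, Tuple


def parse_signature(sig: str) -> List[Tuple[int, int]]:
    """Turn 'A1 ?? 4? ?0' into (value, mask) pairs, one per byte.

    '??' matches any byte, '4?' pins only the high nibble, '?0' only the
    low nibble. The mask has 0xF in every nibble that must match.
    """
    pairs = []
    for tok in sig.split():
        if len(tok) != 2:
            raise ValueError(f"bad token {tok!r}: expected two hex digits or '?'")
        value = mask = 0
        for shift, ch in ((4, tok[0]), (0, tok[1])):
            if ch != "?":
                value |= int(ch, 16) << shift
                mask |= 0xF << shift
        pairs.append((value, mask))
    return pairs


def find_all(buf: bytes, sig: str) -> List[int]:
    """Return every offset in buf at which the signature matches."""
    pat = parse_signature(sig)
    n = len(pat)
    return [
        i for i in range(len(buf) - n + 1)
        if all((buf[i + j] & m) == v for j, (v, m) in enumerate(pat))
    ]


def mask_operand(real_bytes: str, offset: int, size: int, keep_high: int = 0) -> str:
    """Wildcard an operand field of `size` bytes starting at `offset`.

    x86 immediates and displacements are little-endian, so the most
    significant bytes are the *last* ones of the field; keep_high leaves
    that many of them fixed, as the post suggests for rel32 and disp32.
    """
    toks = real_bytes.split()
    if offset + size > len(toks) or keep_high > size:
        raise ValueError("operand field does not fit the byte string")
    for i in range(offset, offset + size - keep_high):
        toks[i] = "??"
    return " ".join(toks)


# Constructed "builds": identical code, but the module was rebased (the
# absolute address in the mov changed) and the jmp target moved slightly.
BUILD_A = bytes.fromhex("9090" "A1DCAB1200" "E9E5010000" "8BBD2CF8FFFF" "CC")
BUILD_B = bytes.fromhex("9090" "A110204300" "E921030000" "8BBD2CF8FFFF" "CC")


def portable_signature() -> str:
    """Derive a signature from BUILD_A's instructions using the post's rules."""
    mov_abs = mask_operand("A1 DC AB 12 00", 1, 4)                   # absolute address: drop all of it
    jmp_rel = mask_operand("E9 E5 01 00 00", 1, 4, keep_high=2)      # rel32: keep the top two bytes
    mov_disp = mask_operand("8B BD 2C F8 FF FF", 2, 4, keep_high=2)  # disp32: same idea
    return " ".join([mov_abs, jmp_rel, mov_disp])


def uniqueness_check(buf: bytes, strict: str, loose: str) -> Tuple[int, int]:
    """Count hits for a fully fixed signature versus a wildcard-heavy one."""
    return len(find_all(buf, strict)), len(find_all(buf, loose))


if __name__ == "__main__":
    sig = portable_signature()
    print("signature:", sig)
    print("raw bytes of build A found in A:", find_all(BUILD_A, "A1 DC AB 12 00"))
    print("raw bytes of build A found in B:", find_all(BUILD_B, "A1 DC AB 12 00"))
    print("portable signature in A / B:", find_all(BUILD_A, sig), find_all(BUILD_B, sig))
    # The original poster's two candidates against a constructed buffer that
    # also contains one unrelated run of bytes with the same nibble shape.
    buf = bytes.fromhex("9090BBFC8B0ACC" "0010BB00801A2C")
    print("strict/loose hits:", uniqueness_check(buf, "90 90 BB FC 8B 0A CC", "?? ?0 BB ?? 8? ?A ?C"))
```

The last line of the script is the trade-off in one number: the fully fixed signature hits once, the nibble-wildcarded one also hits the unrelated run, which is exactly the loss of uniqueness the post warns about. Conversely, the raw bytes of build A do not match build B at all, while the derived signature matches both at the same offset.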
STN I post too much Reputation: 42
Joined: 09 Nov 2005 Posts: 2672
Posted: Tue Aug 02, 2016 7:25 pm Post subject:
Neither is better. It depends entirely on the situation, the bytes you're working with.
aobscan(90 90 BB FC 8B 0A CC) is amazeballs if all the other bytes around it are hard-coded addresses or there are no other unique bytes around.
aobscan(?? ?0 BB ?? 8? ?A ?C) is damn awesome if this is a signature for a hard-coded address and allows you to make it work across multiple versions or work upon each restart in a unity game.
For you to be asking this question, I don't think you have quite grasped the concept of AOB yet. These bytes are a dead giveaway of your noobiness - ?0 8? ?A ?C - It literally made me chuckle to see them (stupid!)