Cheat Engine Forum - The Official Site of Cheat Engine
Signature Scan

 
Post new topic   Reply to topic    Cheat Engine Forum Index -> General Gamehacking
View previous topic :: View next topic  
Author Message
Awed2
Cheater
Reputation: 0

Joined: 01 Jul 2014
Posts: 26

Posted: Sat Nov 15, 2014 3:26 pm    Post subject: Signature Scan

Hey, in order to survive signature scans I'd like to know if I can make a signature scan by myself.

Whether or not, I'd have a following question: how do I solve this? Blow the code up? What's the best technique?
Dark Byte
Site Admin
Reputation: 470

Joined: 09 May 2003
Posts: 25791
Location: The netherlands

Posted: Sat Nov 15, 2014 5:25 pm    Post subject:

Look at the bytes and use that to make a signature. Make sure to wildcard things that can change.
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.

Like my help? Join me on Patreon so I can keep helping
Awed2
Cheater
Reputation: 0

Joined: 01 Jul 2014
Posts: 26

Posted: Sun Nov 16, 2014 9:06 pm    Post subject:

Do you have an easy-to-understand guide/link?
Awed2
Cheater
Reputation: 0

Joined: 01 Jul 2014
Posts: 26

Posted: Thu Nov 27, 2014 12:19 am    Post subject:

What do you mean by wildcard things?

Still, I have no clue how a signature scan works, but I'd like to know. Do you have a link maybe?


These are the functions I use in what I'm working on:

FindWindow
GetWindowThreadProcessId
CreateToolhelp32Snapshot
ModuleEntry32
OpenProcess(handle)
and ReadProcessMemory in a loop


I simply want to read a value frequently and send it to my laptop.
atom0s
Moderator
Reputation: 205

Joined: 25 Jan 2006
Posts: 8587
Location: 127.0.0.1

Posted: Thu Nov 27, 2014 2:47 pm    Post subject:

Do not read memory in a loop. Read memory in blocks at a time. You can use VirtualQueryEx to loop the memory regions of a process. Dump each region into a block of memory, then do a signature scan as needed within the block. Calling ReadProcessMemory constantly has a lot of overhead and will cause your signature scanning to be extremely slow.

If you are using CreateToolhelp32Snapshot, you do not need to use FindWindow and GetWindowThreadProcessId as well.

Use these API to locate your target process:
- CreateToolhelp32Snapshot
- Process32First / Process32Next

If you know what specific module the code is within, use these to find that module:
- Module32First / Module32Next

Afterward, to read the memory you will need:
- OpenProcess
- ReadProcessMemory

If you do not know the module the code is in, using VirtualQueryEx will help you step the memory regions and scan them one at a time.

As for the wildcard thing, you can't use every single byte from a function as part of your pattern. It will be bound to break when updates happen. Things like jumps and calls are calculated based on the distance between the calling location and the destination. These often change when a game updates, which will cause your signature to break.

For example, take this block of code from a game:
Code:
04E86B70 - 6A 01                 - push 01
04E86B72 - E8 C95C1200           - call 04FAC840
04E86B77 - 83 C4 04              - add esp,04
04E86B7A - 84 C0                 - test al,al
04E86B7C - 75 22                 - jne 04E86BA0
04E86B7E - 6A FF                 - push -01
04E86B80 - E8 AB740000           - call 04E8E030
04E86B85 - 8B 0D 948D3205        - mov ecx,[05328D94] : [0E1D5268]
04E86B8B - 83 C4 04              - add esp,04
04E86B8E - 85 C9                 - test ecx,ecx


You will see we have a few calls and a jump. We would want to make the bytes of these wildcards.

For example, we would use:
6A 01 E8 ?? ?? ?? ?? 83 C4 04 84 C0 75 ?? 6A FF E8 ?? ?? ?? ?? 8B 0D ?? ?? ?? ?? 83 C4 04 85 C9

Also notice I made the pointer a wildcard since these are also calculated addresses based on where the code is loaded into memory.

So to recap, it is important to not use the bytes for:
- Calls
- Jumps
- Pointers

Another example for something to keep in mind is stuff like this:
mov eax, [ecx+0C]

+0C is the offset to data within a structure. This offset can move between updates for structures that are popular to be changed.
So one day it could be +0C and another it could be +0F; it all depends on how often the game updates and such.

_________________
- Retired.
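An added example in C++ (not code from the thread) of the matching logic the post above describes: it parses a pattern written in the "6A 01 E8 ?? ?? ?? ??" form used there, scans a block of memory the way a region dumped with ReadProcessMemory would be scanned, and shows on constructed sample bytes that a signature built from every byte of the listing stops matching once the call, jump and pointer operands change, while the wildcarded one still matches. Both byte arrays are constructed here from the listing above plus an invented "after update" variant.

```cpp
#include <cstdint>
#include <sstream>
#include <string>
#include <vector>
// One pattern element: a byte value and whether it must match (false = "??" wildcard).
struct PatternByte { uint8_t value; bool must_match; };
// Parse a Cheat Engine style pattern such as "6A 01 E8 ?? ?? ?? ?? 83 C4 04".
// "??" (or "?") tokens become wildcards; every other token is read as a hex byte.
std::vector<PatternByte> parsePattern(const std::string& text) {
    std::vector<PatternByte> out;
    std::istringstream in(text);
    std::string tok;
    while (in >> tok) {
        if (tok[0] == '?') out.push_back({0, false});
        else out.push_back({static_cast<uint8_t>(std::stoul(tok, nullptr, 16)), true});
    }
    return out;
}
// Scan one block of memory (e.g. a region dumped with ReadProcessMemory) for the pattern.
// Returns the offset of the first match or -1. The loop bound keeps every comparison
// inside the block, so a pattern near the end of a region never reads past it.
long findPattern(const std::vector<uint8_t>& block, const std::vector<PatternByte>& pat) {
    if (pat.empty() || pat.size() > block.size()) return -1;
    for (size_t i = 0; i + pat.size() <= block.size(); ++i) {
        size_t j = 0;
        while (j < pat.size() && (!pat[j].must_match || block[i + j] == pat[j].value)) ++j;
        if (j == pat.size()) return static_cast<long>(i);
    }
    return -1;
}
// Constructed sample input: three padding bytes, then the bytes of the block listed above.
const std::vector<uint8_t> kOriginal = {
    0x90, 0x90, 0x90,
    0x6A, 0x01, 0xE8, 0xC9, 0x5C, 0x12, 0x00, 0x83, 0xC4, 0x04, 0x84, 0xC0, 0x75, 0x22,
    0x6A, 0xFF, 0xE8, 0xAB, 0x74, 0x00, 0x00, 0x8B, 0x0D, 0x94, 0x8D, 0x32, 0x05, 0x83, 0xC4, 0x04, 0x85, 0xC9};
// Constructed "after an update" variant: the call displacements, the jump distance and the
// pointer operand have changed, while the opcodes and stack adjustments are unchanged.
const std::vector<uint8_t> kUpdated = {
    0x90, 0x90, 0x90,
    0x6A, 0x01, 0xE8, 0x11, 0x22, 0x33, 0x00, 0x83, 0xC4, 0x04, 0x84, 0xC0, 0x75, 0x30,
    0x6A, 0xFF, 0xE8, 0x44, 0x55, 0x00, 0x00, 0x8B, 0x0D, 0xA0, 0x8D, 0x32, 0x05, 0x83, 0xC4, 0x04, 0x85, 0xC9};
// Every byte of the original block used as the signature: it only matches that exact build.
long scanExact(const std::vector<uint8_t>& b) { return findPattern(b, parsePattern(
    "6A 01 E8 C9 5C 12 00 83 C4 04 84 C0 75 22 6A FF E8 AB 74 00 00 8B 0D 94 8D 32 05 83 C4 04 85 C9")); }
// The wildcarded signature from the post: calls, jump target and pointer masked out.
long scanWild(const std::vector<uint8_t>& b) { return findPattern(b, parsePattern(
    "6A 01 E8 ?? ?? ?? ?? 83 C4 04 84 C0 75 ?? 6A FF E8 ?? ?? ?? ?? 8B 0D ?? ?? ?? ?? 83 C4 04 85 C9")); }
```

The same wildcard matching is what YARA-style byte rules do when scanning memory or files for a known code fragment, which is why detection signatures mask relocatable operands for exactly the reason given in the post.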
Awed2
Cheater
Reputation: 0

Joined: 01 Jul 2014
Posts: 26

Posted: Thu Nov 27, 2014 3:14 pm    Post subject:

atom0s wrote:
For example, we would use:
6A 01 E8 ?? ?? ?? ?? 83 C4 04 84 C0 75 ?? 6A FF E8 ?? ?? ?? ?? 8B 0D ?? ?? ?? ?? 83 C4 04 85 C9

Also notice I made the pointer a wildcard since these are also calculated addresses based on where the code is loaded into memory.

So to recap, it is important to not use the bytes for:
- Calls
- Jumps
- Pointers


Do you have a short example of how I solve this in practice?

atom0s wrote:
Another example for something to keep in mind is stuff like this:
mov eax, [ecx+0C]

+0C is the offset to data within a structure. This offset can move between updates for structures that are popular to be changed.
So one day it could be +0C and another it could be +0F, it all depends on how often the game updates and such.


I have to make new pointer scans in CE every update anyway, so I assume this doesn't matter in my case.
atom0s
Moderator
Reputation: 205

Joined: 25 Jan 2006
Posts: 8587
Location: 127.0.0.1

Posted: Thu Nov 27, 2014 4:21 pm    Post subject:

Not sure what you mean, I just explained it to you. If you can find a pointer that is accessing the data, then find what is using that pointer code wise. Add the pointer to your address list, then right-click and choose 'Find what accesses this address' for the pointer. You should see a new window pop up that will display any instructions that access the pointer.

You would use the signature scanning information on the function accessing the pointer to automatically refind the pointer when you restart the game, or it updates.

_________________
- Retired.
Awed2
Cheater
Reputation: 0

Joined: 01 Jul 2014
Posts: 26

Posted: Fri Dec 12, 2014 5:32 pm    Post subject:

atom0s wrote:
As for the wildcard thing, you can't use every single byte from a function as part of your pattern. It will be bound to break when updates happen. Things like jumps and calls are calculated based on the distance between the calling location and the destination. These often change when a game updates, which will cause your signature to break.

For example, take this block of code from a game:
Code:
04E86B70 - 6A 01                 - push 01
04E86B72 - E8 C95C1200           - call 04FAC840
04E86B77 - 83 C4 04              - add esp,04
04E86B7A - 84 C0                 - test al,al
04E86B7C - 75 22                 - jne 04E86BA0
04E86B7E - 6A FF                 - push -01
04E86B80 - E8 AB740000           - call 04E8E030
04E86B85 - 8B 0D 948D3205        - mov ecx,[05328D94] : [0E1D5268]
04E86B8B - 83 C4 04              - add esp,04
04E86B8E - 85 C9                 - test ecx,ecx


You will see we have a few calls and a jump. We would want to make the bytes of these wildcards.

For example, we would use:
6A 01 E8 ?? ?? ?? ?? 83 C4 04 84 C0 75 ?? 6A FF E8 ?? ?? ?? ?? 8B 0D ?? ?? ?? ?? 83 C4 04 85 C9

Also notice I made the pointer a wildcard since these are also calculated addresses based on where the code is loaded into memory.

So to recap, it is important to not use the bytes for:
- Calls
- Jumps
- Pointers



Do you mean to do this by editing the exe with an assembler or by changing the C++ code?

Btw, are there any other libraries/header files with a function like ReadProcessMemory ... that could help against signature scans maybe?
Awed2
Cheater
Reputation: 0

Joined: 01 Jul 2014
Posts: 26

Posted: Wed Dec 17, 2014 7:23 pm    Post subject:

Anyone?
Awed2
Cheater
Reputation: 0

Joined: 01 Jul 2014
Posts: 26

Posted: Wed Dec 24, 2014 9:06 am    Post subject:

Another question related to this...

Is it possible to read this particular value without a handle?
I have not much experience, but I'd like to ask: would it be possible to find it using pointer arithmetic?
zm0d
Master Cheater
Reputation: 7

Joined: 06 Nov 2013
Posts: 423

Posted: Wed Dec 24, 2014 12:33 pm    Post subject:

Good sig scan method provided by dom1n1k and Patrick on another forum:

Code:

#include <windows.h>
#include <cstring>

// Compare the bytes at pData against bMask, byte by byte. szMask decides which
// positions must match ('x') and which are wildcards ('?'). Returns true on a full match.
bool bDataCompare(const BYTE* pData, const BYTE* bMask, const char* szMask)
{
    for (; *szMask; ++szMask, ++pData, ++bMask)
        if (*szMask == 'x' && *pData != *bMask)
            return false;
    return (*szMask) == '\0';
}

// Scan dwLen bytes starting at dwAddress for the masked pattern. Returns the address
// of the first match, or 0 if none. The loop stops early enough that the comparison
// never reads past dwAddress + dwLen. Addresses are DWORDs here, so this only fits a
// 32-bit process; a 64-bit build would need DWORD_PTR / uintptr_t instead.
DWORD dwFindPattern(DWORD dwAddress, DWORD dwLen, const BYTE* bMask, const char* szMask)
{
    DWORD dwMaskLen = (DWORD)strlen(szMask);
    if (dwMaskLen == 0 || dwMaskLen > dwLen)
        return 0;
    for (DWORD i = 0; i <= dwLen - dwMaskLen; i++)
        if (bDataCompare((const BYTE*)(dwAddress + i), bMask, szMask))
            return (DWORD)(dwAddress + i);
    return 0;
}


Example usage:
Code:

DWORD addrofMySigScan = dwFindPattern((DWORD)hModule, 0x128000,(PBYTE)"\xC7\x06\x00\x00\x00\x00\x89\x86\x00\x00\x00\x00\x89\x86", "xx????xx????xx");


That's a signature scan used to find the VMT of d3d9.dll. Modify it for your own usage and this will work for you.


Last edited by zm0d on Thu Dec 25, 2014 9:11 am; edited 1 time in total
atom0s
Moderator
Reputation: 205

Joined: 25 Jan 2006
Posts: 8587
Location: 127.0.0.1

Posted: Wed Dec 24, 2014 3:31 pm    Post subject:

zm0d wrote:
Good sig scan method provided by Gordon on another forum:


It was written by dom1n1k and Patrick from GameDeception originally, just to give proper credits where they are due. (There are much better methods of scanning for signatures now that are much faster too.)

As for obtaining the value without a handle, you could inject into the process and scan for it internally which does not require any handle since you are in the same process space.

_________________
- Retired.
zm0d
Master Cheater
Reputation: 7

Joined: 06 Nov 2013
Posts: 423

Posted: Thu Dec 25, 2014 9:13 am    Post subject:

atom0s wrote:
It was written by dom1n1k and Patrick from GameDeception originally


Oh my ... there, where I got this, Gordon was mentioned as the creator... I edited my post... Hate stuff like that :>
All times are GMT - 6 Hours