Awed2 Cheater
Reputation: 0
Joined: 01 Jul 2014 Posts: 26
Posted: Sat Nov 15, 2014 3:26 pm Post subject: Signature Scan
Hey, in order to survive signature scans I'd like to know if I can make a signature scan by myself.
Whether or not, I'd have a follow-up question: how do I solve this? Blow the code up? What's the best technique?
Dark Byte Site Admin
Reputation: 470
Joined: 09 May 2003 Posts: 25791 Location: The netherlands
Posted: Sat Nov 15, 2014 5:25 pm
Look at the bytes and use that to make a signature. Make sure to wildcard things that can change.
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping
Awed2 Cheater
Reputation: 0
Joined: 01 Jul 2014 Posts: 26
Posted: Sun Nov 16, 2014 9:06 pm
Do you have an easy-to-understand guide/link?
Awed2 Cheater
Reputation: 0
Joined: 01 Jul 2014 Posts: 26
Posted: Thu Nov 27, 2014 12:19 am
What do you mean by wildcard things?
Still I have no clue how a signature scan works, but I'd like to know. Do you have a link maybe?
These are the functions I use in what I'm working on:
FindWindow
GetWindowThreadProcessId
CreateToolhelp32Snapshot
ModuleEntry32
OpenProcess(handle)
and ReadProcessMemory in a loop.
I simply want to read a value frequently and send it to my laptop.
atom0s Moderator
Reputation: 205
Joined: 25 Jan 2006 Posts: 8587 Location: 127.0.0.1
Posted: Thu Nov 27, 2014 2:47 pm
Do not read memory in a loop. Read memory in blocks at a time. You can use VirtualQueryEx to loop the memory regions of a process. Dump each region into a block of memory, then do a signature scan as needed within the block. Calling ReadProcessMemory constantly has a lot of overhead and will cause your signature scanning to be extremely slow.
If you are using CreateToolhelp32Snapshot, you do not need to use FindWindow and GetWindowThreadProcessId as well.
Use these APIs to locate your target process:
- CreateToolhelp32Snapshot
- Process32First / Process32Next
If you know what specific module the code is within, use these to find that module:
- Module32First / Module32Next
Afterward, to read the memory you will need:
- OpenProcess
- ReadProcessMemory
If you do not know the module the code is in, using VirtualQueryEx will help you step the memory regions and scan them one at a time.
As for the wildcard thing, you can't use every single byte from a function as part of your pattern. It will be bound to break when updates happen. Things like jumps and calls are calculated based on the distance between the calling location and the destination. These often change when a game updates, which will cause your signature to break.
For example, take this block of code from a game:
Code:
04E86B70 - 6A 01 - push 01
04E86B72 - E8 C95C1200 - call 04FAC840
04E86B77 - 83 C4 04 - add esp,04
04E86B7A - 84 C0 - test al,al
04E86B7C - 75 22 - jne 04E86BA0
04E86B7E - 6A FF - push -01
04E86B80 - E8 AB740000 - call 04E8E030
04E86B85 - 8B 0D 948D3205 - mov ecx,[05328D94] : [0E1D5268]
04E86B8B - 83 C4 04 - add esp,04
04E86B8E - 85 C9 - test ecx,ecx
You will see we have a few calls and a jump. We would want to make the bytes of these wildcards.
For example, we would use:
6A 01 E8 ?? ?? ?? ?? 83 C4 04 84 C0 75 ?? 6A FF E8 ?? ?? ?? ?? 8B 0D ?? ?? ?? ?? 83 C4 04 85 C9
Also notice I made the pointer a wildcard since these are also calculated addresses based on where the code is loaded into memory.
So to recap, it is important to not use the bytes for:
- Calls
- Jumps
- Pointers
Another example for something to keep in mind is stuff like this:
mov eax, [ecx+0C]
+0C is the offset to data within a structure. This offset can move between updates for structures that are popular to be changed.
So one day it could be +0C and another it could be +0F, it all depends on how often the game updates and such.
_________________
- Retired.
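As an added example (not code from this thread, from Cheat Engine, or from atom0s), here is a small C++ pattern scanner that takes an IDA-style signature string like the one above, turns each `??` token into a mask bit, and scans one memory block for it, which is the "dump the region, then scan the block" approach atom0s describes. The Windows side (walking regions with VirtualQueryEx and copying each one out with ReadProcessMemory) is left out so it compiles and runs anywhere; instead the block is constructed from the 32 bytes in the listing above, plus a second copy in which only the call/jump displacements and the absolute pointer differ (made-up values), to show that the wildcarded signature still matches after such a change while an all-bytes signature does not. All function and constant names here are my own.

```cpp
// Added example, not from the thread: IDA-style pattern scan over a memory block.
// The Windows side (VirtualQueryEx region walk + ReadProcessMemory copy) is
// omitted so this compiles anywhere; `block` stands in for one copied region.
#include <cctype>
#include <cstdint>
#include <cstdio>
#include <sstream>
#include <string>
#include <vector>

struct Pattern {
    std::vector<uint8_t> bytes;  // expected value where mask[i] is true
    std::vector<bool>    mask;   // false = "??" wildcard, byte is ignored
};

// Parse "6A 01 E8 ?? ?? ?? ?? ..." into bytes + mask. Returns false on a bad token.
bool parsePattern(const std::string& text, Pattern& out) {
    out.bytes.clear();
    out.mask.clear();
    std::istringstream in(text);
    std::string tok;
    while (in >> tok) {
        if (tok == "??" || tok == "?") {
            out.bytes.push_back(0);
            out.mask.push_back(false);
            continue;
        }
        if (tok.size() != 2 || !std::isxdigit((unsigned char)tok[0]) ||
            !std::isxdigit((unsigned char)tok[1]))
            return false;
        out.bytes.push_back(static_cast<uint8_t>(std::stoul(tok, nullptr, 16)));
        out.mask.push_back(true);
    }
    return !out.bytes.empty();
}

// Return the offset of the first match in [data, data+len), or -1.
// The outer loop stops pattern-size bytes before the end, so a partial match at
// the tail of the block can never read past it (a classic scanner bug).
long findPattern(const uint8_t* data, size_t len, const Pattern& p) {
    const size_t n = p.bytes.size();
    if (n == 0 || len < n) return -1;
    for (size_t i = 0; i + n <= len; ++i) {
        size_t j = 0;
        while (j < n && (!p.mask[j] || data[i + j] == p.bytes[j])) ++j;
        if (j == n) return static_cast<long>(i);
    }
    return -1;
}

// Convenience: parse then scan; -1 also when the pattern string is malformed.
long scanText(const std::string& sig, const std::vector<uint8_t>& block) {
    Pattern p;
    if (!parsePattern(sig, p)) return -1;
    return findPattern(block.data(), block.size(), p);
}

// The wildcarded signature from the post, and the same bytes with nothing wildcarded.
const char* kWildcardSig =
    "6A 01 E8 ?? ?? ?? ?? 83 C4 04 84 C0 75 ?? 6A FF E8 ?? ?? ?? ?? 8B 0D ?? ?? ?? ?? 83 C4 04 85 C9";
const char* kExactSig =
    "6A 01 E8 C9 5C 12 00 83 C4 04 84 C0 75 22 6A FF E8 AB 74 00 00 8B 0D 94 8D 32 05 83 C4 04 85 C9";

// Constructed block: four NOPs of padding, then the 32 bytes from the listing
// in the post (04E86B70..04E86B8F), then a few more NOPs.
std::vector<uint8_t> sampleBlock() {
    return {0x90, 0x90, 0x90, 0x90,
            0x6A, 0x01,                          // push 01
            0xE8, 0xC9, 0x5C, 0x12, 0x00,        // call rel32
            0x83, 0xC4, 0x04,                    // add esp,04
            0x84, 0xC0,                          // test al,al
            0x75, 0x22,                          // jne rel8
            0x6A, 0xFF,                          // push -01
            0xE8, 0xAB, 0x74, 0x00, 0x00,        // call rel32
            0x8B, 0x0D, 0x94, 0x8D, 0x32, 0x05,  // mov ecx,[abs32]
            0x83, 0xC4, 0x04,                    // add esp,04
            0x85, 0xC9,                          // test ecx,ecx
            0x90, 0x90, 0x90};
}

// Same code after a hypothetical rebuild: only the call/jump displacements and
// the absolute pointer differ (constructed values; indices are block offsets).
std::vector<uint8_t> patchedBlock() {
    std::vector<uint8_t> b = sampleBlock();
    b[7] = 0x10; b[8] = 0x20; b[9] = 0x13;   // first call displacement
    b[17] = 0x30;                              // jne rel8
    b[22] = 0x75;                              // second call displacement
    b[29] = 0x33;                              // pointer 05338D94 instead of 05328D94
    return b;
}

int main() {
    std::printf("wildcard sig, original block: %ld\n", scanText(kWildcardSig, sampleBlock()));
    std::printf("wildcard sig, patched block:  %ld\n", scanText(kWildcardSig, patchedBlock()));
    std::printf("exact sig, patched block:     %ld\n", scanText(kExactSig, patchedBlock()));
    return 0;
}
```

Both wildcard scans report offset 4 (the padding length), while the exact signature reports -1 on the patched block. On a real target you would run `findPattern` once per region returned by VirtualQueryEx, after copying that region into a local buffer, and translate a hit back to `regionBase + offset`.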
Awed2 Cheater
Reputation: 0
Joined: 01 Jul 2014 Posts: 26
Posted: Thu Nov 27, 2014 3:14 pm
atom0s wrote:
    For example, we would use:
    6A 01 E8 ?? ?? ?? ?? 83 C4 04 84 C0 75 ?? 6A FF E8 ?? ?? ?? ?? 8B 0D ?? ?? ?? ?? 83 C4 04 85 C9
    Also notice I made the pointer a wildcard since these are also calculated addresses based on where the code is loaded into memory.
    So to recap, it is important to not use the bytes for:
    - Calls
    - Jumps
    - Pointers
Do you have a short example of how I solve this in practice?
atom0s wrote:
    Another example for something to keep in mind is stuff like this:
    mov eax, [ecx+0C]
    +0C is the offset to data within a structure. This offset can move between updates for structures that are popular to be changed.
    So one day it could be +0C and another it could be +0F, it all depends on how often the game updates and such.
I have to make new pointer scans in CE every update anyway, so I assume this doesn't matter in my case.
atom0s Moderator
Reputation: 205
Joined: 25 Jan 2006 Posts: 8587 Location: 127.0.0.1
Posted: Thu Nov 27, 2014 4:21 pm
Not sure what you mean, I just explained it to you. If you can find a pointer that is accessing the data, then find what is using that pointer code-wise. Add the pointer to your address list, then right-click and choose 'Find what accesses this address' for the pointer. You should see a new window pop up that will display any instructions that access the pointer.
You would use the signature scanning information on the function accessing the pointer to automatically re-find the pointer when you restart the game, or it updates.
_________________
- Retired.
Awed2 Cheater
Reputation: 0
Joined: 01 Jul 2014 Posts: 26
Posted: Fri Dec 12, 2014 5:32 pm
atom0s wrote:
    As for the wildcard thing, you can't use every single byte from a function as part of your pattern. It will be bound to break when updates happen. Things like jumps and calls are calculated based on the distance between the calling location and the destination. These often change when a game updates, which will cause your signature to break.
    For example, take this block of code from a game:
    Code:
    04E86B70 - 6A 01 - push 01
    04E86B72 - E8 C95C1200 - call 04FAC840
    04E86B77 - 83 C4 04 - add esp,04
    04E86B7A - 84 C0 - test al,al
    04E86B7C - 75 22 - jne 04E86BA0
    04E86B7E - 6A FF - push -01
    04E86B80 - E8 AB740000 - call 04E8E030
    04E86B85 - 8B 0D 948D3205 - mov ecx,[05328D94] : [0E1D5268]
    04E86B8B - 83 C4 04 - add esp,04
    04E86B8E - 85 C9 - test ecx,ecx
    You will see we have a few calls and a jump. We would want to make the bytes of these wildcards.
    For example, we would use:
    6A 01 E8 ?? ?? ?? ?? 83 C4 04 84 C0 75 ?? 6A FF E8 ?? ?? ?? ?? 8B 0D ?? ?? ?? ?? 83 C4 04 85 C9
    Also notice I made the pointer a wildcard since these are also calculated addresses based on where the code is loaded into memory.
    So to recap, it is important to not use the bytes for:
    - Calls
    - Jumps
    - Pointers
Do you mean to do this by editing the exe with an assembler or by changing the C++ code?
BTW, are there any other libraries/header files with a function like ReadProcessMemory... that could help against signature scans maybe?
Awed2 Cheater
Reputation: 0
Joined: 01 Jul 2014 Posts: 26
Posted: Wed Dec 17, 2014 7:23 pm
Anyone?
Awed2 Cheater
Reputation: 0
Joined: 01 Jul 2014 Posts: 26
Posted: Wed Dec 24, 2014 9:06 am
Another question related to this:
is it possible to read this particular value without a handle?
I have not much experience, but I'd like to ask: would it be possible to find it using pointer arithmetic?
zm0d Master Cheater
Reputation: 7
Joined: 06 Nov 2013 Posts: 423
Posted: Wed Dec 24, 2014 12:33 pm
Good sig scan method provided by dom1n1k and Patrick on another forum:
Code:
#include <windows.h>
#include <cstring>

// 'x' in szMask: the byte must equal the one in bMask; '?': wildcard, byte is ignored.
bool bDataCompare(const BYTE* pData, const BYTE* bMask, const char* szMask)
{
    for (; *szMask; ++szMask, ++pData, ++bMask)
        if (*szMask == 'x' && *pData != *bMask)
            return false;
    return *szMask == '\0';
}

// Scan dwLen bytes from dwAddress; returns the address of the first match or 0.
// The loop stops strlen(szMask) bytes before the end, so a partial match at the
// tail of the region cannot read past it (the original ran i all the way to dwLen).
// DWORD addresses make this 32-bit only.
DWORD dwFindPattern(DWORD dwAddress, DWORD dwLen, const BYTE* bMask, const char* szMask)
{
    const DWORD dwMaskLen = (DWORD)strlen(szMask);
    if (dwMaskLen == 0 || dwLen < dwMaskLen)
        return 0;
    for (DWORD i = 0; i <= dwLen - dwMaskLen; i++)
        if (bDataCompare((const BYTE*)(dwAddress + i), bMask, szMask))
            return (DWORD)(dwAddress + i);
    return 0;
}
Example usage:
Code:
// hModule: base address of the d3d9.dll module; 0x128000 is the number of bytes to scan.
// Embedded \x00 bytes are fine because the compare loop is driven by szMask, not by the
// string terminator. 'x' = byte must match, '?' = wildcard.
DWORD addrofMySigScan = dwFindPattern((DWORD)hModule, 0x128000, (PBYTE)"\xC7\x06\x00\x00\x00\x00\x89\x86\x00\x00\x00\x00\x89\x86", "xx????xx????xx");
That's a signature scan used to find the VMT of d3d9.dll. Modify it for your own usage and this will work for you.
Last edited by zm0d on Thu Dec 25, 2014 9:11 am; edited 1 time in total
atom0s Moderator
Reputation: 205
Joined: 25 Jan 2006 Posts: 8587 Location: 127.0.0.1
Posted: Wed Dec 24, 2014 3:31 pm
zm0d wrote:
    Good sig scan method provided by Gordon on another forum:
It was written by dom1n1k and Patrick from GameDeception originally, just to give proper credits where they are due. (There are much better methods of scanning for signatures now that are much faster too.)
As for obtaining the value without a handle, you could inject into the process and scan for it internally which does not require any handle since you are in the same process space.
_________________
- Retired.
zm0d Master Cheater
Reputation: 7
Joined: 06 Nov 2013 Posts: 423
Posted: Thu Dec 25, 2014 9:13 am
atom0s wrote:
    It was written by dom1n1k and Patrick from GameDeception originally
Oh my... there, where I got this, Gordon was mentioned as the creator... I edited my post... Hate stuff like that :>