• 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Tutorial Video Tutorial - Memory Pattern Scanning
#1
Resources:

Click here for video tutorial

The pattern scanning function:

PHP Code:
bool bDataCompare(const BYTEpData, const BYTEbMask, const charszMask)
{
    for(;*
szMask;++szMask,++pData,++bMask)
        if(*
szMask=='x' && *pData!=*bMask )
            return 
false;
    return (*
szMask) == NULL;
}

DWORD dwFindPattern(DWORD dwAddress,DWORD dwLenBYTE *bMaskchar szMask) {
    for(
DWORD i=0;i<dwLen;i++)
        if( 
bDataCompare( (BYTE*)( dwAddress+),bMask,szMask) )
            return (
DWORD)(dwAddress+i);
    return 
NULL;



SigMaker 0.3 by P47R!CK

This plugin is meant to help you create signatures. You can choose from a variety of styles to suit your needs and you can now also test your signatures.

[Image: basicusage.jpg]

The supported styles are:
Code style ( to use with dwFindPattern )
PB Style ( the style that punkbuster uses )
Tabris style
Text style ( used by Olly, IDA and Op Searcher )

There is also the option to get an offset from the current address which will look like this:
modulename + offset
clearly you will have to use GetModuleHandle or LoadLibrary to convert the name into an address....

------------------------------------------------------------------------------------------

[Image: optionsu.jpg]

Here is what the options do:
"include short jumps" this option will include short jumps as such as "jmp 10" ( EB 0A )
"Include data" adds data as such as the 5 of mov eax, 5
"include eip related data" will add info that modifies the program flow and stack pointer such as "retn C"
"Add additional info" adds information about the module in which your signature is situated in
"include relative addresses" will add relative offsets to your signature as such as the 8 in this instruction "mov eax,[ecx+8]"
"include unsafe data" is currently disabled because my register tracking code( to determine if the constant is an address ) doesn't work yet.

the last 2 options should be self-explanatory.

------------------------------------------------------------------------------------------
[Image: findsig.jpg]

should be pretty self-explanatory as well, the only thing I should mention is that you can double click the results to jump the associated address.

------------------------------------------------------------------------------------------
Credits:
P47R!CK

Credits for advice and testing:
Tami(fox), GSDS, loopnz, Kynox, Helios, wav and Tabris(billdoor) for this sig style


Enjoy.


Attached Files
.rar   OllyDbg.rar (Size: 44.05 KB / Downloads: 41)
[-] The following 2 users say Thank You to d0h! for this post:
  • Tomsen1410, triggerhappy
  Reply


Possibly Related Threads...
Thread Author Replies Views Last Post
  TUTORIAL CHEAT ENGINE for mw3 [HARD] Tony. 5 2,199 10-24-2013, 15:22
Last Post: Tomsen1410
  [News] Call Of Duty: Ghosts - New Engine Video Tomsen1410 7 2,540 06-10-2013, 20:24
Last Post: Pozzuh
Question Tutorial addon! [HARD] Tony. 2 1,465 04-30-2013, 13:55
Last Post: [HARD] Tony.
  Our Harlem Shake Video Lemon 9 3,010 02-18-2013, 19:34
Last Post: Arteq
Video [Tutorial] (Video) How to create the Beretta (or any CoD4's weapon) in Black Ops hitmax 19 7,171 02-08-2013, 00:18
Last Post: Gamemaster20
  [TUTORIAL] Various Statements KrypTiK 2 1,199 01-07-2013, 21:00
Last Post: kokole
  Help Game Programming Tutorial Ich1994 8 2,143 01-01-2013, 21:21
Last Post: Ich1994
  [TUTORIAL] C# Introduction KrypTiK 4 1,586 12-30-2012, 10:06
Last Post: KrypTiK
  [TUTORIAL] Basic Syntax KrypTiK 0 975 12-29-2012, 20:33
Last Post: KrypTiK
  [TUTORIAL] Handling Errors in VB.NET KrypTiK 0 875 12-29-2012, 20:28
Last Post: KrypTiK

Forum Jump:


Users browsing this thread: 1 Guest(s)