01-02-2011, 12:05
Resources:
Click here for video tutorial
The pattern scanning function:
SigMaker 0.3 by P47R!CK
This plugin is meant to help you create signatures. You can choose from a variety of styles to suit your needs and you can now also test your signatures.
![[Image: basicusage.jpg]](http://img703.imageshack.us/img703/6856/basicusage.jpg)
The supported styles are:
Code style ( to use with dwFindPattern )
PB Style ( the style that punkbuster uses )
Tabris style
Text style ( used by Olly, IDA and Op Searcher )
There is also the option to get an offset from the current address which will look like this:
modulename + offset
clearly you will have to use GetModuleHandle or LoadLibrary to convert the name into an address....
------------------------------------------------------------------------------------------
![[Image: optionsu.jpg]](http://img266.imageshack.us/img266/5517/optionsu.jpg)
Here is what the options do:
"include short jumps" this option will include short jumps as such as "jmp 10" ( EB 0A )
"Include data" adds data as such as the 5 of mov eax, 5
"include eip related data" will add info that modifies the program flow and stack pointer such as "retn C"
"Add additional info" adds information about the module in which your signature is situated in
"include relative addresses" will add relative offsets to your signature as such as the 8 in this instruction "mov eax,[ecx+8]"
"include unsafe data" is currently disabled because my register tracking code( to determine if the constant is an address ) doesn't work yet.
the last 2 options should be self-explanatory.
------------------------------------------------------------------------------------------
![[Image: findsig.jpg]](http://img266.imageshack.us/img266/1118/findsig.jpg)
should be pretty self-explanatory as well, the only thing I should mention is that you can double click the results to jump the associated address.
------------------------------------------------------------------------------------------
Credits:
P47R!CK
Credits for advice and testing:
Tami(fox), GSDS, loopnz, Kynox, Helios, wav and Tabris(billdoor) for this sig style
Enjoy.
Click here for video tutorial
The pattern scanning function:
PHP Code:
bool bDataCompare(const BYTE* pData, const BYTE* bMask, const char* szMask)
{
for(;*szMask;++szMask,++pData,++bMask)
if(*szMask=='x' && *pData!=*bMask )
return false;
return (*szMask) == NULL;
}
DWORD dwFindPattern(DWORD dwAddress,DWORD dwLen, BYTE *bMask, char * szMask) {
for(DWORD i=0;i<dwLen;i++)
if( bDataCompare( (BYTE*)( dwAddress+i ),bMask,szMask) )
return (DWORD)(dwAddress+i);
return NULL;
}
SigMaker 0.3 by P47R!CK
This plugin is meant to help you create signatures. You can choose from a variety of styles to suit your needs and you can now also test your signatures.
The supported styles are:
Code style ( to use with dwFindPattern )
PB Style ( the style that punkbuster uses )
Tabris style
Text style ( used by Olly, IDA and Op Searcher )
There is also the option to get an offset from the current address which will look like this:
modulename + offset
clearly you will have to use GetModuleHandle or LoadLibrary to convert the name into an address....
------------------------------------------------------------------------------------------
Here is what the options do:
"include short jumps" this option will include short jumps as such as "jmp 10" ( EB 0A )
"Include data" adds data as such as the 5 of mov eax, 5
"include eip related data" will add info that modifies the program flow and stack pointer such as "retn C"
"Add additional info" adds information about the module in which your signature is situated in
"include relative addresses" will add relative offsets to your signature as such as the 8 in this instruction "mov eax,[ecx+8]"
"include unsafe data" is currently disabled because my register tracking code( to determine if the constant is an address ) doesn't work yet.
the last 2 options should be self-explanatory.
------------------------------------------------------------------------------------------
should be pretty self-explanatory as well, the only thing I should mention is that you can double click the results to jump the associated address.
------------------------------------------------------------------------------------------
Credits:
P47R!CK
Credits for advice and testing:
Tami(fox), GSDS, loopnz, Kynox, Helios, wav and Tabris(billdoor) for this sig style
Enjoy.
