
[DataCompare]Byte sigs


Hi, I want to search for byte signatures so that the address stays valid for longer, i.e. across the game's auto-updates.
Here is a function that I found:
Code:
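// Compare the bytes at pbData against the signature pbMask, driven by szMask.
// szMask is a NUL-terminated string with one character per signature byte:
//   'x'  -> the byte at this position must equal the corresponding pbMask byte;
//   anything else (by convention '?') -> wildcard, the byte is not compared.
// Returns TRUE when every 'x' position matched, FALSE at the first mismatch.
// Caller contract: pbMask must hold at least strlen(szMask) bytes and pbData
// must point to at least that many readable bytes. There is no length
// parameter, so a pbData close to the end of a mapped region will read past
// it; FindPattern is responsible for keeping the scan inside its window.
BOOL DataCompare( PBYTE pbData, PBYTE pbMask, char * szMask )
{
    for( ; *szMask; ++szMask, ++pbData, ++pbMask )
    {
        // Only 'x' positions are compared; every other mask char is a wildcard.
        if( *szMask == 'x' && *pbData != *pbMask )
            return FALSE;
    }

    // The loop can only fall through on the mask's terminating NUL, so every
    // compared byte matched. (The original `*szMask == NULL` compared a char
    // against a pointer constant; it was always true at this point.)
    return TRUE;
}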

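// Scan the dwLen-byte window starting at dwAddress for the first occurrence
// of the signature (pbMask, szMask) as understood by DataCompare
// ('x' = byte must match, any other mask char = wildcard).
// Returns the address of the first match, or 0 when nothing matched; callers
// must treat 0 as "not found", never as a valid result.
// Only start positions where the whole signature still fits inside the
// window are tested, so the scan itself never reads beyond
// dwAddress + dwLen. Addresses are DWORDs, so this only makes sense inside a
// 32-bit process, and the caller must guarantee that the window is readable:
// an access violation raised inside the loop is not caught here.
DWORD FindPattern( DWORD dwAddress, DWORD dwLen, PBYTE pbMask, char * szMask )
{
    // Signature length == mask length (one mask character per signature byte).
    DWORD cbMask = 0;
    while( szMask[cbMask] )
        ++cbMask;

    // Stop once fewer than cbMask bytes remain. Written as a subtraction so
    // that i + cbMask cannot wrap around for windows near the top of the
    // address space.
    for( DWORD i = 0; i < dwLen && dwLen - i >= cbMask; ++i )
    {
        if( DataCompare( (PBYTE)( dwAddress + i ), pbMask, szMask ) )
            return (DWORD)( dwAddress + i );
    }

    return 0;
}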
And I use it like this:
Code:
	for( DWORD dwAddress = 0x00400000; dwAddress < class="highlight">PBYTE)dwAddress, (PBYTE)"\x0F\xBF\x80\x24\x01\x00\x00", "xxxxxxx" ) )

{
pdwUserData = *(PDWORD*)( dwAddress - 4 );

bAddressFound[0] = true;
}

else if( bAddressFound[1] == false &&
DataCompare( (PBYTE)dwAddress, (PBYTE)"\x33\xF9\x89\xB8\x10\x3A\x00\x00", "xxxxxxxx" ) )
{
ValidateFns[0] = (DWORD)( *(long *)( dwAddress + 28 ) + (long)( dwAddress + 32 ) );
ValidateFns[1] = (DWORD)( *(long *)( dwAddress + 33 ) + (long)( dwAddress + 37 ) );
ValidateFns[2] = (DWORD)( *(long *)( dwAddress + 38 ) + (long)( dwAddress + 42 ) );
ValidateFns[3] = (DWORD)( *(long *)( dwAddress + 43 ) + (long)( dwAddress + 47 ) );
ValidateFns[4] = (DWORD)( *(long *)( dwAddress + 48 ) + (long)( dwAddress + 52 ) );
ValidateFns[5] = (DWORD)( *(long *)( dwAddress + 55 ) + (long)( dwAddress + 59 ) );
ValidateFns[6] = (DWORD)( *(long *)( dwAddress + 63 ) + (long)( dwAddress + 67 ) );
ValidateFns[7] = (DWORD)( *(long *)( dwAddress + 68 ) + (long)( dwAddress + 72 ) );

bAddressFound[1] = true;

}

else if( bAddressFound[2] == false &&
DataCompare( (PBYTE)dwAddress, (PBYTE)"\xE8\x37\xC9\x18\x00", "xxxxx" ) )
{
bAddressFound[2] = true;

}


}
for( int i = 0; i <>( szMessage, "Couldn't find address! (%d)", i );
MessageBox( NULL, (LPCWSTR)szMessage, L"SimplePT Error:(Signatures)", MB_ICONERROR );
}
}
_endthread( );

}
I copied it from another app, so I don't know what the "xxx" means, or when to use "x" and when to use "?".
And I don't know how to make signatures myself. I looked in the hex window in IDA and copied the hex bytes from there, but I still don't know when to use "?" and when to use "x", and my signatures never work =/
e.g:
Code:
.text:00415370  E8 2B 92 04 00 68 D0 B2  5B 00 E8 61 EF 01 00 68  _+ò.h__[._a_.h

.text:00415380 C0 B2 5B 00 E8 97 F5 01 00 57 E8 E1 D6 FF FF 8B __[._÷_.W___**ë
.text:00415390 3D 7C 90 5B 00 83 C4 0C 68 9C B4 71 00 FF D7 68 =|ð[.ã_ h£_q.*_h
.text:004153A0 A8 B0 71 00 FF D7 68 28 F7 6D 00 FF D7 FF 15 10 ¿_q.*_h(_m.*_*§
.text:004153B0 92 5B 00 50 E8 0D FC 17 00 E8 E2 47 0C 00 A1 54 ò[.P_
_.__G ._T
.text:004153C0 98 8C 00 8B 0D 5C 98 8C 00 8B 15 50 98 8C 00 33 øì.ë
\øì.ë§Pøì.3
.text:004153D0 DB A3 E0 CD 5E 00 A1 58 98 8C 00 53 68 F0 B1 5B ____^._Xøì.Sh__[
.text:004153E0 00 A3 E4 CD 5E 00 89 0D E8 CD 5E 00 89 15 4C 01 .___^.é
__^.é§L
.text:004153F0 5F 00 8B F8 E8 37 C9 18 00 83 C4 0C E8 1F 98 19 _.ë°_7_.ã_ _ø
.text:00415400 00 39 5C 24 58 75 5D 6A 6F 56 C7 44 24 30 0B 00 .9\$Xu]joV_D$0 .
.text:00415410 00 00 C7 44 24 34 30 36 41 00 89 5C 24 38 89 5C .._D$406A.é\$8é\
.text:00415420 24 3C 89 74 24 40 FF 15 A4 92 5B 00 68 00 7F 00 $<ét$@*§_ò[.h..
.text:00415430 00 53 89 44 24 44 FF 15 A0 92 5B 00 6A 04 89 44 .SéD$D*§_ò[.jéD
.text:00415440 24 44 FF 15 5C 90 5B 00 89 44 24 44 A1 50 CA 5E $D*§\ð[.éD$D_P_^
.text:00415450 00 8D 4C 24 28 51 89 5C 24 4C 89 44 24 50 FF 15 .íL$(Qé\$LéD$P*§
.text:00415460 B4 92 5B 00 8B 54 24 54 A1 50 CA 5E 00 53 56 53 _ò[.ëT$T_P_^.SVS
.text:00415470 53 52 57 8B 3D 0C 93 5B 00 68 00 00 00 80 68 00 SRWë= ó[.h...àh.
.text:00415480 00 00 80 68 08 00 00 90 50 50 53 FF D7 A3 54 B5 ..àh..ðPPS*__T_
I want to make a signature for 004153F4, so I did what you can see in the second code block I posted (the five bytes E8 37 C9 18 00 at that address). Note that E8 is a relative CALL: the four displacement bytes after it change whenever the call site or its target moves in a new build, so a signature meant to survive updates should mark those bytes "?" rather than "x".
Thanks for the help =]
