Re: Disconnect Reason
If you don't change the source code of a function and use the same compiler with the same compiling parameters, generally it will generate the same binary code, such as registers, short jump relative addresses..., but a long jump relative address may be changed by the update of other functions; that's the mask part. So a signature scan is not a guarantee either. It depends on how the source code changes.
So your goal is to at least find the right address in the current version, that's good enough. The principle of making a mask is: if there is an address, use * instead. For the operation code (such as mov, push, reg...) and immediate numbers (such as 1, 2, 3...), use the original binary code. Hope you understand what I'm trying to say..., damn my English...
Re: Disconnect Reason
I understand the purpose and goal of getting a good signature, but deciphering what IDA outputs is what I am not versed in. Arkshine's example above is a good demonstration for making signatures that is easy to understand. I would like to see a tutorial that shows specifically what should or shouldn't be included in a signature (0x5A, "*", or "?" for each piece of data), from a first-time signature making aka newbie perspective.
Re: Disconnect Reason
Basically the four-byte address should be replaced by "*"; other than this, don't change.
Re: Disconnect Reason
How do you determine what an address is though? This entire subject is unclear to me. I guess we should bring this discussion to the signature making tut instead of this thread. I think if it is made easier to create signatures, more people will begin to use Orpheu. I could even make a Windows app to make signatures and masks automatically once I understand it fully.
Re: Disconnect Reason
Code:
.text:1000A027 75 10 jnz short loc_1000A039

first use offset, relative address 10
second use absolute address, four bytes, so the second one should be replaced by
FF 15 * * * *
FF 15 is CALL opt, don't change
if you found something like call dword_ or sub_ or offset off_ and the address is four bytes, then use *
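The masking rule from the posts above, as an added example (not code from any poster in this thread or from Orpheu): keep opcodes, short-jump offsets and immediates, wildcard each four-byte address, then require the signature to match exactly once. The byte strings, offsets and function names are constructed for illustration; the address offsets are supplied by hand, as read from a disassembly listing.

```python
# Constructed x86 bytes: jnz short / call dword_ / push 1 / call sub_ / retn
FUNC_V1 = bytes.fromhex("7510" "FF1510200010" "6A01" "E8A4030000" "C3")
# Same function in a later build: only the two 4-byte addresses differ.
FUNC_V2 = bytes.fromhex("7510" "FF15C0410010" "6A01" "E81B070000" "C3")
ADDRESS_OFFSETS = [4, 11]  # start of each 4-byte address inside the function

def make_signature(code, address_offsets):
    """Copy the bytes; replace each 4-byte address with wildcards (None)."""
    sig = list(code)
    for off in address_offsets:
        if off == 0 or off + 4 > len(code):
            raise ValueError(f"bad address offset {off}")  # first byte stays
        sig[off:off + 4] = [None] * 4
    return sig

def format_signature(sig):
    """Render in the thread's notation: hex bytes, '*' for masked bytes."""
    return " ".join("*" if b is None else f"{b:02X}" for b in sig)

def find_all(image, sig):
    """Return every offset in image where the masked signature matches."""
    return [pos for pos in range(len(image) - len(sig) + 1)
            if all(b is None or image[pos + i] == b
                   for i, b in enumerate(sig))]

def locate(image, sig):
    """A usable signature matches exactly once; anything else is an error."""
    hits = find_all(image, sig)
    if len(hits) != 1:
        raise LookupError(f"signature matched {len(hits)} times, need 1")
    return hits[0]

# Constructed images: unrelated code (with its own FF 15 call) around the function.
IMAGE_V1 = bytes.fromhex("90FF1500300010C3") + FUNC_V1 + bytes.fromhex("CCCC")
IMAGE_V2 = bytes.fromhex("9090FF1500500010C3CC") + FUNC_V2 + bytes.fromhex("CC")
SIG = make_signature(FUNC_V1, ADDRESS_OFFSETS)

if __name__ == "__main__":
    print(format_signature(SIG))
    print(locate(IMAGE_V1, SIG), locate(IMAGE_V2, SIG))  # found in both builds
    print(find_all(IMAGE_V2, list(FUNC_V1)))  # unmasked bytes miss the new build
    print(find_all(IMAGE_V1, SIG[2:8]))       # too short: matches two calls
```
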
Re: Disconnect Reason
I am really interested in making an app for creating signatures where you just copy and paste a block of text like Arkshine has above and it will output the signature including the appropriate mask. I need to do more research on the subject, though. Thank you both for the examples.
Re: Disconnect Reason
nice, waiting for your tool, gonna sleep now, bye.
Re: Disconnect Reason
Just to say I don't entirely agree with Jim about: "So your goal is to at least find the right address in the current version, that's good enough." It may be OK with the engine, but for a mod like CS, you have to get a good sig to match CZ too. I can say, because of my plugins, that binaries are compiled differently and are not exactly the same, and a signature working under CS does not always work in CZ.
The rule: "all could be changed except the first byte and local var", I've read it in the SourceMod section from someone who was explaining how to make a good signature. Using this rule is simpler and you have more chance of getting a good signature. Btw, the hlbeta is going to be a pain; even with a good signature, it won't always match because it is compiled differently. :/
Re: Disconnect Reason
Nice
Here's a nice idea: you should put the kick command inside. I mean, when an admin kicks somebody it will write in chat: x bla bla bla left the server/game [reason Kicked by admin]
Re: Disconnect Reason
good job as always bro :P