Arkshine
AMX Mod X Plugin Approver
Join Date: Oct 2005
03-09-2011, 05:41   Re: Orpheu: How to make signatures (of bytes)   #12

Quote:
Originally Posted by drekes
...
Nice try, but that's not totally correct.

When you check whether the signature is referenced only one time, you see 2 references.
You need to add more bytes.

Also, you use "*" wrongly. See below: the parts in blue are where you should use "*". It should be enough.

Code:
.text:10064C80 56                   push    esi
.text:10064C81 8B F1                mov     esi, ecx
.text:10064C83 57                   push    edi
.text:10064C84 8B 86 A4 00 00 00    mov     eax, [esi+0A4h]
.text:10064C8A 83 F8 02             cmp     eax, 2
.text:10064C8D 0F 84 FC 00 00 00    jz      loc_10064D8F
.text:10064C93 83 F8 03             cmp     eax, 3
.text:10064C96 0F 84 F3 00 00 00    jz      loc_10064D8F
.text:10064C9C 8B 44 24 0C          mov     eax, [esp+8+arg_0]
So, a final signature would be: [0x56,0x8B,0xF1,0x57,0x8B,0x86,"*","*","*","*",0x83,0xF8,"*",0x0F,0x84,"*","*","*","*",0x83,0xF8,"*",0x0F,0x84,"*","*","*","*",0x8B]

But as you can see in IDA, CBasePlayer::ButtonUse(CBaseEntity*,CBaseEntity*,USE_TYPE,float) is exported (you can see it easily because all the argument types are shown), which means there is a symbol name for this function. Right-click on the function at left and choose "Edit function". You will see: ?ButtonUse@CBaseButton@@QAEXPAVCBaseEntity@@0W4USE_TYPE@@M@Z

About the signature file, you have not written the arg types properly. The first 2 should be CBaseEntity * (it's written in IDA). About "int", the type is "USE_TYPE", but it's just a tag for an enum and the value passed is an "int" anyway; since "USE_TYPE" is supported, use it.

So, the file should look like:

Code:
{
    "name"      : "ButtonUse",
    "class"     : "CBaseButton",
    "library"   : "mod",
    "arguments" : 
    [
        {
            "type" : "CBaseEntity *",
            "info" : "pActivator"
        },
        {
            "type" : "CBaseEntity *",
            "info" : "pCaller"
        },
        {
            "type" : "USE_TYPE",
            "info" : "useType"
        },
        {
            "type" : "float",
            "info" : "value"
        }
    ],
    "identifiers":
    [
        {
            "os"    : "windows",
            "mod"   : "cstrike",
            "value" : "?ButtonUse@CBaseButton@@QAEXPAVCBaseEntity@@0W4USE_TYPE@@M@Z"
        },
        {
            "os"    : "linux",
            "mod"   : "cstrike",
            "value" : "ButtonUse__11CBaseButtonP11CBaseEntityT18USE_TYPEf"
        }
    ]
}
Notice I've added the linux signature. If you release a plugin with a signature file, don't forget to do it for linux. You just have to open the .so, edit the function and copy-paste the symbol name.
You are encouraged to add comments where necessary by using the key "info".

Hope you will understand better. Nice to see someone trying to play with orpheu.
Last edited by Arkshine; 03-09-2011 at 05:47.
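
Added example (not part of Arkshine's post and not Orpheu's own code): a small Python matcher that applies a signature with "*" wildcards to a byte buffer and lists the hits, showing the "2 references" problem and why the displacement and immediate bytes are wildcarded. TARGET and FINAL come from the disassembly and signature in the post; SHORT, LOOKALIKE, REBUILT and the 0xCC padding are constructed for illustration.

```python
WILDCARD = "*"

def find_matches(image: bytes, signature: list) -> list:
    """Return every offset in image where signature matches ("*" matches any byte)."""
    n = len(signature)
    return [off for off in range(len(image) - n + 1)
            if all(s == WILDCARD or image[off + i] == s
                   for i, s in enumerate(signature))]

# Function start, bytes copied from the disassembly in the post.
TARGET = bytes.fromhex(
    "56 8BF1 57 8B86A4000000 83F802 0F84FC000000 83F803 0F84F3000000 8B44240C")

# Constructed: another function sharing the same prologue, then diverging.
LOOKALIKE = bytes.fromhex("56 8BF1 57 8B86B0000000 85C0 7410 8B4E04 C3")

# Constructed: the same function as it might look after a rebuild, with a
# different member offset and different jump displacements.
REBUILT = bytes.fromhex(
    "56 8BF1 57 8B86A8000000 83F802 0F8410010000 83F803 0F8407010000 8B44240C")

PAD = b"\xCC" * 16  # constructed filler between functions
IMAGE = PAD + TARGET + PAD + LOOKALIKE + PAD

W = WILDCARD
# Constructed short signature: stops too early, so it is not unique.
SHORT = [0x56, 0x8B, 0xF1, 0x57, 0x8B, 0x86, W, W, W, W]
# Final signature from the post.
FINAL = [0x56, 0x8B, 0xF1, 0x57, 0x8B, 0x86, W, W, W, W, 0x83, 0xF8, W,
         0x0F, 0x84, W, W, W, W, 0x83, 0xF8, W, 0x0F, 0x84, W, W, W, W, 0x8B]
# The same 29 bytes with no wildcards at all.
LITERAL = list(TARGET[:len(FINAL)])

def report():
    """Summarise how each signature behaves on the sample buffers."""
    return {
        "short_hits": find_matches(IMAGE, SHORT),      # two hits: ambiguous
        "final_hits": find_matches(IMAGE, FINAL),      # one hit: usable
        "final_on_rebuilt": find_matches(REBUILT, FINAL),
        "literal_on_rebuilt": find_matches(REBUILT, LITERAL),
    }

if __name__ == "__main__":
    for name, hits in report().items():
        print(f"{name}: {[hex(h) for h in hits]}")
```

A signature is usable only when it produces exactly one hit; the literal variant shows that without wildcards the same bytes stop matching as soon as an offset or jump distance changes.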