What is wrong with this ?
I'm trying to find AddAccount signature
So first i've founded CBasePlayer::AddAccount(int,bool) in "Names" window
Double clicked on it, put cursor above function name in "IDA View-A" and jumped to Hex View-A window to find bits
It doesn't begin at the start of a line but i don't think it is a problem, so first 16 bits are :
55 89 E5 83 EC 0C 57 56 53 E8 EE FF FF FF 81 C3
Search for "55 89 E5 83 EC ? 57 56 53 E8 EE ? ? ? 81 C3" in IDA returns me around 1600 occurences, so i put more bits untill i found only 1 result
Code:
55 push ebp
89 E5 mov ebp, esp
83 EC 0C sub esp, 0Ch
57 push edi
56 push esi
53 push ebx
E8 EE FF FF FF call sub_EDE28
81 C3 92 73 0F 00 add ebx, (offset loc_F7391+1)
8B 7D 08 mov edi, [ebp+arg_0]
8B 87 E0 01 00 00 mov eax, [edi+1E0h]
03 45 0C add eax, [ebp+arg_4]
So
55 89 E5 83 EC 0C 57 56 53 E8 EE FF FF FF 81 C3 ? ? ? ? 8B 7D ? 8B 87 ? ? ? ? 03 45
and
8B 7D ? 8B 87 ? ? ? ? 03 45
and
8B 87 ? ? ? ? 03 45
returned a unique occirence in IDA
Tried :
[0x55,0x89,0xE5,0x83,0xEC,"*",0x57,0x56,0x53,0 xE8,0xEE,"*","*","*",0x81,0xC3,"*","*","*","* ",0x8B,0x7D,"*",0x8B,0x87,"*","*","*","*",0x0 3,0x45]
and (tried to put less bits with displacement)
[0x8B,0x87,"*","*","*","*",0x03,0x45]
"displacement" : -23
and also:
"value" : [0x8B,0x7D,"*",0x8B,0x87,"*","*","*","*",0x03, 0x45],
"displacement" : -20
I'm testing on a listenserver
configs\orpheu\functions\CBasePlayer\AddAccou nt
->
Code:
{
"name" : "AddAccount",
"class" : "CBasePlayer",
"library" : "mod",
"arguments" :
[
{
"type" : "int",
"info" : "amount"
},
{
"type" : "bool",
"info" : "bTrackChange"
}
],
"identifiers":
[
{
"os" : "windows",
"mod" : "cstrike",
"value" : [0x8B,0x7D,"*",0x8B,0x87,"*","*","*","*",0x03,0x45],
"displacement" : -20
},
{
"os" : "linux",
"mod" : "cstrike",
"value" : "AddAccount__11CBasePlayerib"
}
]
}
Cs console says that signature is NOT FOUND.