
Solved [ORPHEU] How to identify windows signatures ??


HamletEagle
AMX Mod X Plugin Approver
Join Date: Sep 2013
Location: Romania
02-26-2021, 12:32   Re: [ORPHEU] How to identify windows signatures ??

Usually, you don't just go in IDA, look at Windows functions and figure out what they are from the assembly (possible, but hard and requires experience). The usual workflow is you look at a project such as regamedll, figure out which function you need to find (depending on what you want to do), then search for it in the Windows DLL.

How to do that? You look in the regamedll source code to see if it contains strings. If it does, you search in IDA by that string and identify the function. You can compare the output with the output from disassembling the Linux binary (it contains debug symbols, so you can search functions by their name).
If the function doesn't use strings, you check where it is used (which functions call the function you want to find). Then, keep doing that until at least one function in the chain contains a string. Search by that string and work your way up the function call chain until you find yours.

For parameters/return type you can look at regamedll. Don't forget that some functions may be virtual (you don't need a signature for them). In this case, use a tool like https://asherkin.github.io/vtable/

Use regamedll carefully; it is not a 1-to-1 match with the official binary.

Last edited by HamletEagle; 02-26-2021 at 12:35.
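The string-based lookup described in the post above, as an added example that is not part of the original post or of any project it mentions: it finds a string in a 32-bit x86 image, locates the `push imm32` that references it, walks back to the enclosing function's prologue and prints its leading bytes with the address operand masked. The image is a constructed flat blob; `BASE`, the sample string, the `??` mask notation and the `push ebp; mov ebp, esp` prologue heuristic are assumptions (a real DLL needs PE section mapping and may reference strings through other instructions).

```python
import struct

BASE = 0x10000000  # assumed load address: in this flat sample, VA = BASE + file offset

def build_sample():
    """Constructed stand-in for a 32-bit x86 DLL: two functions, then one string."""
    str_off = 0x40
    f1 = bytes.fromhex("558bec33c05dc3")  # push ebp; mov ebp,esp; xor eax,eax; pop ebp; ret
    f2 = (bytes.fromhex("558bec")                        # prologue
          + b"\x68" + struct.pack("<I", BASE + str_off)  # push offset of the string
          + bytes.fromhex("6a008b450850e80000000083c40c5dc3"))
    code = f1.ljust(0x10, b"\xcc") + f2
    return code.ljust(str_off, b"\xcc") + b"Player %s joined\x00"

def find_string_va(image, needle):
    """Virtual address of a NUL-terminated string, or None if absent."""
    off = image.find(needle + b"\x00")
    return None if off < 0 else BASE + off

def find_push_refs(image, va):
    """Offsets of every `push imm32` (opcode 0x68) whose operand is `va`."""
    pat = b"\x68" + struct.pack("<I", va)
    refs, i = [], image.find(pat)
    while i >= 0:
        refs.append(i)
        i = image.find(pat, i + 1)
    return refs

def function_start(image, ref_off):
    """Nearest preceding `push ebp; mov ebp, esp` (heuristic, frame-pointer builds only)."""
    start = image.rfind(b"\x55\x8b\xec", 0, ref_off)
    return None if start < 0 else start

def make_signature(image, start, ref_off, length=12):
    """Leading bytes of the function; the 4 address bytes after the push are masked."""
    return " ".join("??" if ref_off < off <= ref_off + 4 else f"{image[off]:02X}"
                    for off in range(start, start + length))

def locate(image, needle):
    """(function offset, masked signature) for each function that pushes `needle`."""
    va = find_string_va(image, needle)
    if va is None:
        return []
    hits = [(function_start(image, r), r) for r in find_push_refs(image, va)]
    return [(s, make_signature(image, s, r)) for s, r in hits if s is not None]

if __name__ == "__main__":
    for start, sig in locate(build_sample(), b"Player %s joined"):
        print(f"function at {BASE + start:#x}: {sig}")
```

The masked bytes are the string's absolute address, which changes between builds; a candidate signature is only usable if it matches exactly one location in the target binary.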


