[AtomicStryker]

Referring to this tutorial http://forums.alliedmods.net/showthread.php?t=39566


Could someone be very very nice and help me a little with this?


My progress:

I have decompiled the L4D2 serverfile and am looking at the assembler code of the function i need. Now i'd need to create a searchable Signature and Mask, and scan the running progress for the actual Signature. So far so good?


Difficulties:
Knowing nothing about assembler - is anything IDA prints in green and blue an address? Meaning i should put the bytes of that line in question marks for the Sigcreator?


Im having difficulties with stuff like

Code:

.text:00BE6022 C1 F8 04                                sar     eax, 4

Does the "4" stand for an address, or not?

Same here:

Code:

.text:00BE5FF7 BE 01 00 00 00                          mov     esi, 1

Does "1" mean an address? Need i put "BE? 01? 00? 00? 00?"


Next, the Sigcreator itself. I managed to get it compiled as commandline tool and it seems to work. But i can't select or copy and paste stuff from and to its runtime window? WHAT HELP IS IT TO ME THEN?? I can't help but think i compiled it wrong somehow. (I used the default settings all over)

As for the Sigscanner, i can't even get that to compile. There's a truckload of compiler errors - and i know nothing about C(++) either.


Correctly compiled executables of these utilities (for windows) would help SO MUCH. Does anyone have those, or could send them?

[antihacker]

"BE 01 00 00 00" and are the same "mov esi, 1", the last one is just better to read you could use this as a signature, but i would be too short, you need more bytes, so the sig gets unique. You put a question mark at position that might change with every update (pointers). For example

Code:

FF35 E0057F00  PUSH DWORD PTRDS[7F05E0]

Its propably a good idea to just post a bit of the assembler here, so some can make a signature for you.

[bl4nk]

That tutorial is rather out of date. Which function are you trying to get a signature for?

[Wazz]

Quote:

Originally Posted by AtomicStryker Next, the Sigcreator itself. I managed to get it compiled as commandline tool and it seems to work. But i can't select or copy and paste stuff from and to its runtime window? WHAT HELP IS IT TO ME THEN?? I can't help but think i compiled it wrong somehow. (I used the default settings all over)

Right click on the command window and select mark. Then highlight signature and press enter on your keyboard, this will copy the marked characters which you can then paste into a word document. Also, on the off-chance that you are creating an extension, you don't actually need to bother with signature masks, you just need the signature opcodes.

[AtomicStryker]

Im not creating an extension, i just want a SDK call whose signature has changed from L4D to L4D2. And ive tried right clicking the commandline of course, there is no menu popping up.


The function is CTerrorPlayer::TakeOverBot(bool) in L4D2 - the still correct linux Signature is "_ZN13CTerrorPlayer11TakeOverBotEb"


I'd welcome more hints or an updated tutorial (would be willing to WRITE one) on how to generally do this - there are many interesting functions there not accessible by Virtual Function Calls



The Code:

PHP Code:

.text:00BE5FD0                         ; CTerrorPlayer::TakeOverBot(bool)
.text:00BE5FD0                         _ZN13CTerrorPlayer11TakeOverBotEb proc near
.text:00BE5FD0                                                                 ; CODE XREF: CDirector::NewPlayerPossessBot(DirectorNewPlayerType_t &,SurvivorBot *)+1F6j
.text:00BE5FD0                                                                 ; CDirector::SwapTeams(void)+27Ep ...
.text:00BE5FD0
.text:00BE5FD0                         var_25C         = dword ptr -25Ch
.text:00BE5FD0                         var_258         = dword ptr -258h
.text:00BE5FD0                         var_254         = dword ptr -254h
.text:00BE5FD0                         var_250         = dword ptr -250h
.text:00BE5FD0                         var_24C         = dword ptr -24Ch
.text:00BE5FD0                         var_245         = byte ptr -245h
.text:00BE5FD0                         var_244         = dword ptr -244h
.text:00BE5FD0                         var_234         = byte ptr -234h
.text:00BE5FD0                         var_1FC         = dword ptr -1FCh
.text:00BE5FD0                         var_1F8         = dword ptr -1F8h
.text:00BE5FD0                         var_1F4         = dword ptr -1F4h
.text:00BE5FD0                         var_1F0         = dword ptr -1F0h
.text:00BE5FD0                         var_1EC         = dword ptr -1ECh
.text:00BE5FD0                         var_1D4         = dword ptr -1D4h
.text:00BE5FD0                         var_1D0         = dword ptr -1D0h
.text:00BE5FD0                         var_1CC         = dword ptr -1CCh
.text:00BE5FD0                         var_1C8         = dword ptr -1C8h
.text:00BE5FD0                         var_1C4         = dword ptr -1C4h
.text:00BE5FD0                         var_140         = dword ptr -140h
.text:00BE5FD0                         var_13C         = dword ptr -13Ch
.text:00BE5FD0                         var_138         = dword ptr -138h
.text:00BE5FD0                         var_134         = dword ptr -134h
.text:00BE5FD0                         var_130         = dword ptr -130h
.text:00BE5FD0                         var_28          = byte ptr -28h
.text:00BE5FD0                         arg_0           = dword ptr  4
.text:00BE5FD0                         arg_4           = byte ptr  8
.text:00BE5FD0
.text:00BE5FD0 55                                      push    ebp
.text:00BE5FD1 57                                      push    edi
.text:00BE5FD2 56                                      push    esi
.text:00BE5FD3 53                                      push    ebx
.text:00BE5FD4 81 EC 4C 02 00 00                       sub     esp, 24Ch
.text:00BE5FDA 8B 15 8C 07 1B 01                       mov     edx, ds:gpGlobals
.text:00BE5FE0 0F B6 8C 24 64 02 00 00                 movzx   ecx, [esp+25Ch+arg_4]
.text:00BE5FE8 88 4C 24 17                             mov     [esp+25Ch+var_245], cl
.text:00BE5FEC 8B 42 14                                mov     eax, [edx+14h]
.text:00BE5FEF 85 C0                                   test    eax, eax
.text:00BE5FF1 0F 8E C3 00 00 00                       jle     loc_BE60BA
.text:00BE5FF7 BE 01 00 00 00                          mov     esi, 1
.text:00BE5FFC
.text:00BE5FFC                         loc_BE5FFC:                             ; CODE XREF: CTerrorPlayer::TakeOverBot(bool)+E4j
.text:00BE5FFC 89 34 24                                mov     [esp+25Ch+var_25C], esi
.text:00BE5FFF E8 C8 67 18 00                          call    _Z18UTIL_PlayerByIndexi ; UTIL_PlayerByIndex(int)
.text:00BE6004 85 C0                                   test    eax, eax
.text:00BE6006 89 C3                                   mov     ebx, eax
.text:00BE6008 0F 84 9A 00 00 00                       jz      loc_BE60A8
.text:00BE600E 8B 40 28                                mov     eax, [eax+28h]
.text:00BE6011 85 C0                                   test    eax, eax
.text:00BE6013 0F 84 8F 00 00 00                       jz      loc_BE60A8
.text:00BE6019 8B 15 8C 07 1B 01                       mov     edx, ds:gpGlobals
.text:00BE601F 2B 42 58                                sub     eax, [edx+58h]
.text:00BE6022 C1 F8 04                                sar     eax, 4
.text:00BE6025 85 C0                                   test    eax, eax
.text:00BE6027 0F 84 81 00 00 00                       jz      loc_BE60AE
.text:00BE602D 8B 03                                   mov     eax, [ebx]
.text:00BE602F 89 1C 24                                mov     [esp+25Ch+var_25C], ebx
.text:00BE6032 FF 90 68 01 00 00                       call    dword ptr [eax+168h]
.text:00BE6038 84 C0                                   test    al, al
.text:00BE603A 74 6C                                   jz      short loc_BE60A8
.text:00BE603C 83 BB 8C 1F 00 00 02                    cmp     dword ptr [ebx+1F8Ch], 2
.text:00BE6043 74 63                                   jz      short loc_BE60A8
.text:00BE6045 89 1C 24                                mov     [esp+25Ch+var_25C], ebx
.text:00BE6048 E8 8B EE AF FF                          call    _ZNK11CBaseEntity13GetTeamNumberEv ; CBaseEntity::GetTeamNumber(void)
.text:00BE604D 83 F8 02                                cmp     eax, 2
.text:00BE6050 0F 85 02 05 00 00                       jnz     loc_BE6558
.text:00BE6056 C7 44 24 0C 00 00 00 00                 mov     [esp+25Ch+var_250], 0
.text:00BE605E C7 44 24 08 78 8D FB 00                 mov     [esp+25Ch+var_254], offset _ZTI11SurvivorBot ; `typeinfo for'SurvivorBot
.text:00BE6066 C7 44 24 04 08 73 FC 00                 mov     [esp+25Ch+var_258], offset _ZTI13CTerrorPlayer ; `typeinfo for'CTerrorPlayer
.text:00BE606E 89 1C 24                                mov     [esp+25Ch+var_25C], ebx
.text:00BE6071 E8 52 5C 67 00                          call    __dynamic_cast
.text:00BE6076 85 C0                                   test    eax, eax
.text:00BE6078 89 C5                                   mov     ebp, eax
.text:00BE607A 74 2C                                   jz      short loc_BE60A8
.text:00BE607C 8B 15 18 04 1B 01                       mov     edx, ds:engine
.text:00BE6082 8B BC 24 60 02 00 00                    mov     edi, [esp+25Ch+arg_0]
.text:00BE6089 8B 98 E4 42 00 00                       mov     ebx, [eax+42E4h]
.text:00BE608F 8B 0A                                   mov     ecx, [edx]
.text:00BE6091 8B 47 28                                mov     eax, [edi+28h]
.text:00BE6094 89 14 24                                mov     [esp+25Ch+var_25C], edx
.text:00BE6097 89 44 24 04                             mov     [esp+25Ch+var_258], eax
.text:00BE609B FF 51 40                                call    dword ptr [ecx+40h]
.text:00BE609E 39 C3                                   cmp     ebx, eax
.text:00BE60A0 0F 84 73 05 00 00                       jz      loc_BE6619
.text:00BE60A6                                         db      66h
.text:00BE60A6 66 90                                   nop
.text:00BE60A8
.text:00BE60A8                         loc_BE60A8:                             ; CODE XREF: CTerrorPlayer::TakeOverBot(bool)+38j
.text:00BE60A8                                                                 ; CTerrorPlayer::TakeOverBot(bool)+43j ...
.text:00BE60A8 8B 15 8C 07 1B 01                       mov     edx, ds:gpGlobals
.text:00BE60AE
.text:00BE60AE                         loc_BE60AE:                             ; CODE XREF: CTerrorPlayer::TakeOverBot(bool)+57j
.text:00BE60AE 83 C6 01                                add     esi, 1
.text:00BE60B1 3B 72 14                                cmp     esi, [edx+14h]
.text:00BE60B4 0F 8E 42 FF FF FF                       jle     loc_BE5FFC
.text:00BE60BA
.text:00BE60BA                         loc_BE60BA:                             ; CODE XREF: CTerrorPlayer::TakeOverBot(bool)+21j
.text:00BE60BA 31 FF                                   xor     edi, edi
.text:00BE60BC
.text:00BE60BC                         loc_BE60BC:                             ; CODE XREF: CTerrorPlayer::TakeOverBot(bool)+5EDj
.text:00BE60BC 31 ED                                   xor     ebp, ebp
.text:00BE60BE
.text:00BE60BE                         loc_BE60BE:                             ; CODE XREF: CTerrorPlayer::TakeOverBot(bool)+64Bj
.text:00BE60BE 80 7C 24 17 00                          cmp     [esp+25Ch+var_245], 0
.text:00BE60C3 0F 84 FB 04 00 00                       jz      loc_BE65C4
.text:00BE60C9
.text:00BE60C9                         loc_BE60C9:                             ; CODE XREF: CTerrorPlayer::TakeOverBot(bool)+606j
.text:00BE60C9 85 ED                                   test    ebp, ebp
.text:00BE60CB 0F 84 9F 02 00 00                       jz      loc_BE6370
.text:00BE60D1 8B B5 9C 2B 00 00                       mov     esi, [ebp+2B9Ch]
.text:00BE60D7 89 34 24                                mov     [esp+25Ch+var_25C], esi
.text:00BE60DA E8 C5 1F 9D FF                          call    _Z21SurvivorCharacterName21SurvivorCharacterType ; SurvivorCharacterName(SurvivorCharacterType)
.text:00BE60DF 8B 15 18 04 1B 01                       mov     edx, ds:engine
.text:00BE60E5 8B 9C 24 60 02 00 00                    mov     ebx, [esp+25Ch+arg_0]
.text:00BE60EC 8B 0A                                   mov     ecx, [edx]
.text:00BE60EE 89 C6                                   mov     esi, eax
.text:00BE60F0 8B 43 28                                mov     eax, [ebx+28h]
.text:00BE60F3 89 14 24                                mov     [esp+25Ch+var_25C], edx
.text:00BE60F6 89 44 24 04                             mov     [esp+25Ch+var_258], eax
.text:00BE60FA FF 51 40                                call    dword ptr [ecx+40h]
.text:00BE60FD 8B 94 24 60 02 00 00                    mov     edx, [esp+25Ch+arg_0]
.text:00BE6104 89 C3                                   mov     ebx, eax
.text:00BE6106 8B 02                                   mov     eax, [edx]
.text:00BE6108 89 14 24                                mov     [esp+25Ch+var_25C], edx
.text:00BE610B FF 90 B4 00 00 00                       call    dword ptr [eax+0B4h]
.text:00BE6111 89 5C 24 0C                             mov     [esp+25Ch+var_250], ebx
.text:00BE6115 89 74 24 10                             mov     [esp+25Ch+var_24C], esi
.text:00BE6119 C7 44 24 04 94 5A FC 00                 mov     [esp+25Ch+var_258], offset aTakeoverSDIsTr ; "[TAKEOVER]: %s (%d) is trying to take o"...
.text:00BE6121 C7 04 24 01 00 00 00                    mov     [esp+25Ch+var_25C], 1
.text:00BE6128 89 44 24 08                             mov     [esp+25Ch+var_254], eax
.text:00BE612C E8 17 5A 67 00                          call    DevMsg
.text:00BE6131 8B 0D 00 23 1D 01                       mov     ecx, ds:TheDirector
.text:00BE6137 8B 99 68 05 00 00                       mov     ebx, [ecx+568h]
.text:00BE613D 80 7B 34 00                             cmp     byte ptr [ebx+34h], 0
.text:00BE6141 0F 84 15 02 00 00                       jz      loc_BE635C 


That should hopefully be enough

[bl4nk]

You need to find the function in a decompiled version of the Windows binary, not the Linux. Looking at the decompiled function you just pasted, it looks like there's a string that you can use to easily find the function in the windows binary:

"[TAKEOVER]: %s (%d) is trying to take o"

Simply open up the windows binary in IDB and do a search for all occurrences of the string "TAKEOVER" to locate the function. After that, you can use the opcode bytes to get a proper Windows signature.

[AtomicStryker]

Okay, the same code in the Windows binary

PHP Code:

.text:102CDA80                         ; =============== S U B R O U T I N E =======================================
.text:102CDA80
.text:102CDA80
.text:102CDA80                         sub_102CDA80    proc near               ; CODE XREF: sub_1022F000+219p
.text:102CDA80                                                                 ; sub_1022F000+226p ...
.text:102CDA80
.text:102CDA80                         var_344         = dword ptr -344h
.text:102CDA80                         var_340         = dword ptr -340h
.text:102CDA80                         var_33C         = dword ptr -33Ch
.text:102CDA80                         var_338         = dword ptr -338h
.text:102CDA80                         var_334         = dword ptr -334h
.text:102CDA80                         var_330         = byte ptr -330h
.text:102CDA80                         var_2F4         = dword ptr -2F4h
.text:102CDA80                         var_2F0         = dword ptr -2F0h
.text:102CDA80                         var_2EC         = dword ptr -2ECh
.text:102CDA80                         var_2E8         = dword ptr -2E8h
.text:102CDA80                         var_2E4         = dword ptr -2E4h
.text:102CDA80                         var_238         = dword ptr -238h
.text:102CDA80                         var_234         = dword ptr -234h
.text:102CDA80                         var_230         = dword ptr -230h
.text:102CDA80                         var_22C         = dword ptr -22Ch
.text:102CDA80                         var_228         = dword ptr -228h
.text:102CDA80                         var_224         = byte ptr -224h
.text:102CDA80                         var_1C4         = byte ptr -1C4h
.text:102CDA80                         var_18          = byte ptr -18h
.text:102CDA80                         arg_0           = byte ptr  4
.text:102CDA80
.text:102CDA80 81 EC 44 03 00 00                       sub     esp, 344h
.text:102CDA86 53                                      push    ebx
.text:102CDA87 55                                      push    ebp
.text:102CDA88 56                                      push    esi
.text:102CDA89 8D 44 24 10                             lea     eax, [esp+350h+var_340]
.text:102CDA8D 57                                      push    edi
.text:102CDA8E 8B F1                                   mov     esi, ecx
.text:102CDA90 33 DB                                   xor     ebx, ebx
.text:102CDA92 50                                      push    eax
.text:102CDA93 89 5C 24 18                             mov     [esp+358h+var_340], ebx
.text:102CDA97 89 5C 24 1C                             mov     [esp+358h+var_33C], ebx
.text:102CDA9B 89 74 24 20                             mov     [esp+358h+var_338], esi
.text:102CDA9F E8 DC 61 FD FF                          call    sub_102A3C80
.text:102CDAA4 83 C4 04                                add     esp, 4
.text:102CDAA7 38 9C 24 58 03 00 00                    cmp     [esp+354h+arg_0], bl
.text:102CDAAE 75 10                                   jnz     short loc_102CDAC0
.text:102CDAB0 8B CE                                   mov     ecx, esi
.text:102CDAB2 E8 C9 82 D7 FF                          call    sub_10045D80
.text:102CDAB7 83 F8 01                                cmp     eax, 1
.text:102CDABA 0F 85 C4 01 00 00                       jnz     loc_102CDC84
.text:102CDAC0
.text:102CDAC0                         loc_102CDAC0:                           ; CODE XREF: sub_102CDA80+2Ej
.text:102CDAC0 8B 7C 24 14                             mov     edi, [esp+354h+var_340]
.text:102CDAC4 3B FB                                   cmp     edi, ebx
.text:102CDAC6 0F 84 AF 01 00 00                       jz      loc_102CDC7B
.text:102CDACC 8B 46 20                                mov     eax, [esi+20h]
.text:102CDACF 8B 0D E0 F1 69 10                       mov     ecx, dword_1069F1E0
.text:102CDAD5 8B 11                                   mov     edx, [ecx]
.text:102CDAD7 8B AF 9C 2B 00 00                       mov     ebp, [edi+2B9Ch]
.text:102CDADD 50                                      push    eax
.text:102CDADE 8B 42 40                                mov     eax, [edx+40h]
.text:102CDAE1 FF D0                                   call    eax
.text:102CDAE3 55                                      push    ebp
.text:102CDAE4 89 44 24 14                             mov     [esp+358h+var_344], eax
.text:102CDAE8 E8 D3 69 01 00                          call    sub_102E44C0
.text:102CDAED 8B 4C 24 14                             mov     ecx, [esp+358h+var_344]
.text:102CDAF1 8B 16                                   mov     edx, [esi]
.text:102CDAF3 83 C4 04                                add     esp, 4
.text:102CDAF6 50                                      push    eax
.text:102CDAF7 8B 82 B0 00 00 00                       mov     eax, [edx+0B0h]
.text:102CDAFD 51                                      push    ecx
.text:102CDAFE 8B CE                                   mov     ecx, esi
.text:102CDB00 FF D0                                   call    eax
.text:102CDB02 50                                      push    eax
.text:102CDB03 68 40 ED 55 10                          push    offset aTakeoverSDIsTr ; "[TAKEOVER]: %s (%d) is trying to take o"...
.text:102CDB08 6A 01                                   push    1
.text:102CDB0A FF 15 0C 32 49 10                       call    ds:DevMsg
.text:102CDB10 8B 0D A8 8C 6E 10                       mov     ecx, dword_106E8CA8
.text:102CDB16 8B 91 58 05 00 00                       mov     edx, [ecx+558h]
.text:102CDB1C 83 C4 14                                add     esp, 14h
.text:102CDB1F 38 5A 34                                cmp     [edx+34h], bl
.text:102CDB22 75 0C                                   jnz     short loc_102CDB30
.text:102CDB24 38 9E 44 3F 00 00                       cmp     [esi+3F44h], bl
.text:102CDB2A 0F 84 4B 01 00 00                       jz      loc_102CDC7B
.text:102CDB30
.text:102CDB30                         loc_102CDB30:                           ; CODE XREF: sub_102CDA80+A2j
.text:102CDB30 A1 D8 F1 69 10                          mov     eax, dword_1069F1D8
.text:102CDB35 D9 40 0C                                fld     dword ptr [eax+0Ch]
.text:102CDB38 8B 46 20                                mov     eax, [esi+20h]
.text:102CDB3B 8B 0D E0 F1 69 10                       mov     ecx, dword_1069F1E0
.text:102CDB41 D8 A6 1C 24 00 00                       fsub    dword ptr [esi+241Ch]
.text:102CDB47 8B 11                                   mov     edx, [ecx]
.text:102CDB49 8B AF 9C 2B 00 00                       mov     ebp, [edi+2B9Ch]
.text:102CDB4F 50                                      push    eax
.text:102CDB50 D9 5C 24 24                             fstp    [esp+358h+var_334]
.text:102CDB54 8B 42 40                                mov     eax, [edx+40h]
.text:102CDB57 FF D0                                   call    eax
.text:102CDB59 55                                      push    ebp
.text:102CDB5A 89 44 24 14                             mov     [esp+358h+var_344], eax
.text:102CDB5E E8 5D 69 01 00                          call    sub_102E44C0
.text:102CDB63 8B 4C 24 14                             mov     ecx, [esp+358h+var_344]
.text:102CDB67 8B 16                                   mov     edx, [esi]
.text:102CDB69 83 C4 04                                add     esp, 4
.text:102CDB6C 50                                      push    eax
.text:102CDB6D 8B 82 B0 00 00 00                       mov     eax, [edx+0B0h]
.text:102CDB73 51                                      push    ecx
.text:102CDB74 8B CE                                   mov     ecx, esi
.text:102CDB76 FF D0                                   call    eax
.text:102CDB78 50                                      push    eax
.text:102CDB79 68 1C ED 55 10                          push    offset aTakeoverSDPoss ; "[TAKEOVER]: %s (%d) possessed %s\n"
.text:102CDB7E 6A 01                                   push    1
.text:102CDB80 FF 15 0C 32 49 10                       call    ds:DevMsg
.text:102CDB86 83 C4 14                                add     esp, 14h
.text:102CDB89 53                                      push    ebx
.text:102CDB8A 8B CF                                   mov     ecx, edi
.text:102CDB8C E8 6F CD 04 00                          call    sub_1031A900
.text:102CDB91 8D 8C 24 30 01 00 00                    lea     ecx, [esp+354h+var_224]
.text:102CDB98 E8 F3 C9 FD FF                          call    sub_102AA590
.text:102CDB9D 57                                      push    edi
.text:102CDB9E 8D 8C 24 34 01 00 00                    lea     ecx, [esp+358h+var_224]
.text:102CDBA5 E8 76 FC FE FF                          call    sub_102BD820
.text:102CDBAA 8B 17                                   mov     edx, [edi]
.text:102CDBAC 8B 82 8C 01 00 00                       mov     eax, [edx+18Ch]
.text:102CDBB2 6A 01                                   push    1
.text:102CDBB4 8B CF                                   mov     ecx, edi
.text:102CDBB6 FF D0                                   call    eax
.text:102CDBB8 56                                      push    esi
.text:102CDBB9 57                                      push    edi
.text:102CDBBA 8D 8C 24 38 01 00 00                    lea     ecx, [esp+35Ch+var_224]
.text:102CDBC1 E8 3A E5 FF FF                          call    sub_102CC100
.text:102CDBC6 8B 0D EC F4 6F 10                       mov     ecx, dword_106FF4EC
.text:102CDBCC D9 41 2C                                fld     dword ptr [ecx+2Ch]
.text:102CDBCF D8 5C 24 20                             fcomp   [esp+354h+var_334]
.text:102CDBD3 DF E0                                   fnstsw  ax
.text:102CDBD5 F6 C4 41                                test    ah, 41h
.text:102CDBD8 7A 07                                   jp      short loc_102CDBE1
.text:102CDBDA B8 01 00 00 00                          mov     eax, 1
.text:102CDBDF EB 02                                   jmp     short loc_102CDBE3
.text:102CDBE1                         ; --------------------------------------------------------------------------- 


This here is what i comprehend as input for the Sigcreator:

PHP Code:

81? EC? 44? 03? 00? 00? 53 55 56 8D? 44? 24? 10? 57 8B F1 33 DB 50 89? 5C? 24? 18? 89? 5C? 24? 1C? 89? 74? 24? 20? E8? DC? 61? FD? FF? 83 C4 04 38? 9C? 24? 58? 03? 00? 00? 75? 10? 8B CE E8? C9? 82? D7? FF? 83 F8 01 0F? 85? C4? 01? 00? 00? 8B? 7C? 24? 14? 3B FB 0F? 84? AF? 01? 00? 00? 8B? 46? 20? 8B? 0D? E0? F1? 69? 10? 8B 11 8B? AF? 9C? 2B? 00? 00? 50 8B? 42? 40? FF D0 F5 


Problem returns, i cant input this into my sigcreator.exe short of TYPING it, or get the Output unless re-typing it.



Following the tutorial by hand, i get this

Code:

\x81\xEC\x44\x03\x00\x00\x53\x55\x56\x8D\x44\x24\x10\x57\x8B\xF1\x33\xDB\x50\x89\x5C\x24\x18\x89\x5C\x24\x1C\x89\x74\x24\x20\xE8\xDC\x61\xFD\xFF\x83\xC4\x03\x38\x9C\x24\x58\x03\x00\x00\x75\x10\x8B\xCE\xE8\xC9\x82\xD7\xFF\x83\xF8\x01\x0F\x85\xC4\x01\x00\x00\x8B\x7C\x24\x14\x3B\xFB\x0F\x84\xAF\x01\x00\x00\x8B\x46\x20\x8B\x0D\xE0\xF1\x69\x10\x8B\x11\x8B\xAF\x9C\x2B\x00\x00\x50\x8B\x42\x40\xFF\xD0\xF5

??????xxx????xxxxxx?????????????????xxx?????????xx?????xxx??????????xx???????????????xx??????x???xxx

Now id need runtime scanner?

[Wazz]

I'm surprised that you can not right-click on the cmdline window. Are you running the sigcreator.exe from windows (ie double clicking on it)? If so start cmd first and then load sigcreator in that.

The scanner just verifies that the signature is correct, however if you are having problems getting it to work you could just use the signature and see what happens If the signature is correct the server won't crash and it wont produce any errors logs .

[AtomicStryker]

Awesome, that works - and ill try the signature right away

Code:

? 81? EC? 44? 03? 00? 00? 53 55 56 8D? 44? 24? 10? 57 8B F1 33 DB 50 89? 5C? 24?
 18? 89? 5C? 24? 1C? 89? 74? 24? 20? E8? DC? 61? FD? FF? 83 C4 04 38? 9C? 24? 58
? 03? 00? 00? 75? 10? 8B CE E8? C9? 82? D7? FF? 83 F8 01 0F? 85? C4? 01? 00? 00?
 8B? 7C? 24? 14? 3B FB 0F? 84? AF? 01? 00? 00? 8B? 46? 20? 8B? 0D? E0? F1? 69? 1
0? 8B 11 8B? AF? 9C? 2B? 00? 00? 50 8B? 42? 40? FF D0 F5


Size: 100

Sig:
\x81\xEC\x44\x03\x00\x00\x53\x55\x56\x8D\x44\x24\x10\x57\x8B\xF1\x33\xDB\x50\x89
\x5C\x24\x18\x89\x5C\x24\x1C\x89\x74\x24\x20\xE8\xDC\x61\xFD\xFF\x83\xC4\x04\x38
\x9C\x24\x58\x03\x00\x00\x75\x10\x8B\xCE\xE8\xC9\x82\xD7\xFF\x83\xF8\x01\x0F\x85
\xC4\x01\x00\x00\x8B\x7C\x24\x14\x3B\xFB\x0F\x84\xAF\x01\x00\x00\x8B\x46\x20\x8B
\x0D\xE0\xF1\x69\x10\x8B\x11\x8B\xAF\x9C\x2B\x00\x00\x50\x8B\x42\x40\xFF\xD0\xF5


Mask:
??????xxx????xxxxxx?????????????????xxx?????????xx?????xxx??????????xx??????????
?????xx??????x???xxx

EDIT

Nope, it doesnt. I get Handle 0 errors on the sdk call

Ive tried this one here aswell

Code:

                "windows" "\x53\x55\x56\x8D\x44\x24\x10\x57\x8B\xF1\x33\xDB\x50\x89\x5C\x24\x18\x89\x5C\x24\x1C\x89\x74\x24\x20\xE8\xDC\x61\xDF\xFF\x83\xC4\x04\x38\x9C\x24\x58\x03\x00\x00\x75\x10\x8B\xCE\xE8\xC9\x82\xD7\xFF\x83\xF8\x01\x0F\x85\xC4\x01\x00\x00\x8B\x7C\x24\x14\x3B\xFB"

Which doesnt START with changing bytes, but no avail either.

[AtomicStryker]

Could someone who knows what hes doing please please look into this?