Orpheu: How to make signatures (of bytes)


Arkshine
AMX Mod X Plugin Approver
Join Date: Oct 2005
Old 06-11-2013 , 09:06   Re: Orpheu: How to make signatures (of bytes)
Reply With Quote #91

What do you mean by "the rest of the functions"?
hornet
AMX Mod X Plugin Approver
Join Date: Mar 2010
Location: Australia
Old 06-11-2013 , 20:03   Re: Orpheu: How to make signatures (of bytes)
Reply With Quote #92

Sorry, bad terminology. I meant to say: all of the CHostage and CHostageImprov functions, are they virtual or do they require a signature of bytes?
TheDS1337
Veteran Member
Join Date: Jun 2012
Old 06-18-2013 , 13:01   Re: Orpheu: How to make signatures (of bytes)
Reply With Quote #93

Arkshine, can you explain to me "replace any memory references with '?'"? I didn't understand anything in the picture ;(
And this:
Quote:
51                   push ecx                  // no memory reference.
    Opcode: 51 (fixed form)
    Signature so far: 51

56                   push esi                  // no memory reference.
    Opcode: 56 (fixed form)
    Signature so far: 51 56

8B F1                mov esi, ecx              // no memory reference.
    Opcode: 8B | ModR/M: F1
    Signature so far: 51 56 8B F1

8B 86 00 01 00 00    mov eax, [esi+100h]       // 100h is an offset. It may change.
    Opcode: 8B | ModR/M: 86 | Displacement: 00 01 00 00
    Signature so far: 51 56 8B F1 8B 86 ? ? ? ?

83 F8 01             cmp eax, 1                // no memory reference, but a hardcoded value. It may change by a plugin or something.
    Opcode: 83 | ModR/M: F8 | Immediate: 01
    Signature so far: 51 56 8B F1 8B 86 ? ? ? ? 83 F8 ?

89 44 24 04          mov [esp+8+var_4], eax    // When you click right on it, you see 8+var_4 is equal to 4, a relative offset.
                                               // Anyway, it may change. I've noticed also the SIB is generally different on cz.
    Opcode: 89 | ModR/M: 44 | SIB: 24 | Displacement: 04
    Signature so far: 51 56 8B F1 8B 86 ? ? ? ? 83 F8 ? 89 44 ? ?

Last edited by TheDS1337; 06-18-2013 at 13:03.
Arkshine
AMX Mod X Plugin Approver
Join Date: Oct 2005
Old 06-18-2013 , 13:27   Re: Orpheu: How to make signatures (of bytes)
Reply With Quote #94

Forget the picture.

Follow this rule, which is simpler:

- Always keep the first byte
- Disregard anything else.

Do that until you get a unique signature when checking in IDA.

This way, it may give longer signatures, but it's more reliable and easier to deal with.
TheDS1337
Veteran Member
Join Date: Jun 2012
Old 06-18-2013 , 13:41   Re: Orpheu: How to make signatures (of bytes)
Reply With Quote #95

OK, thanks for your reply, I'll try later ;)
EDIT:
Arkshine? Do you mean I can use:
Code:
[0x51,0x56,0x8B,0xF1,0x8B,0x86,0x00,0x01,0x00,0x00,0x83,0xF8,0x01,0x89,0x44]
instead of:
Code:
[0x51,0x56,0x8B,0xF1,0x8B,0x86,"*","*","*","*",0x83,0xF8,"*",0x89,0x44]

Last edited by TheDS1337; 06-18-2013 at 14:42.
Arkshine
AMX Mod X Plugin Approver
Join Date: Oct 2005
Old 06-19-2013 , 19:30   Re: Orpheu: How to make signatures (of bytes)
Reply With Quote #96

I said ONLY the first byte, and disregarding everything else, so:

51 56 8B ? 8B ? ? ? ? ? 83 ? ? 89
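The rule from posts #94 and #96, as an added example that is not part of any post in this thread: it builds the first-byte-only signature from the instruction bytes quoted in post #93, grows it one instruction at a time until it matches exactly once, and compares it with an exact-byte signature against a rebuilt copy of the code. The byte buffers (DECOY, IMAGE, REBUILT) are constructed sample data, and the uniqueness check is a plain scan of that buffer rather than a search in IDA.

```python
WILDCARD = None  # written as "?" in the thread

# Instruction bytes copied from the disassembly quoted in post #93.
INSTRUCTIONS = [bytes.fromhex(h) for h in (
    "51",            # push ecx
    "56",            # push esi
    "8BF1",          # mov esi, ecx
    "8B8600010000",  # mov eax, [esi+100h]
    "83F801",        # cmp eax, 1
    "89442404",      # mov [esp+8+var_4], eax
)]

def first_byte_signature(instructions):
    """Keep each instruction's first byte, wildcard the rest, trim the tail."""
    sig = []
    for insn in instructions:
        sig += [insn[0]] + [WILDCARD] * (len(insn) - 1)
    while sig and sig[-1] is WILDCARD:
        sig.pop()
    return sig

def format_signature(sig):
    return " ".join("?" if b is WILDCARD else f"{b:02X}" for b in sig)

def find_matches(image, sig):
    """Offsets in image where every non-wildcard byte of sig matches."""
    return [off for off in range(len(image) - len(sig) + 1)
            if all(b is WILDCARD or image[off + i] == b
                   for i, b in enumerate(sig))]

def shortest_unique_signature(image, instructions):
    """Add one instruction at a time until the signature matches exactly once."""
    for count in range(1, len(instructions) + 1):
        sig = first_byte_signature(instructions[:count])
        if len(find_matches(image, sig)) == 1:
            return sig
    return None

# Constructed sample data (not from a real binary): a decoy routine that starts
# with the same opcodes, then the target routine, padded with int3 (0xCC).
DECOY = bytes.fromhex("51568BF98B4F0483F900C3")
IMAGE = b"\xCC" * 8 + DECOY + b"\xCC" * 5 + b"".join(INSTRUCTIONS) + b"\xC3"
# Constructed "other build": same code, different offset, immediate, stack slot.
REBUILT = b"\xCC" * 4 + bytes.fromhex("51568BF18B860401000083F80289442408") + b"\xC3"

if __name__ == "__main__":
    print(format_signature(first_byte_signature(INSTRUCTIONS)))
    print(format_signature(shortest_unique_signature(IMAGE, INSTRUCTIONS)))
    print(find_matches(REBUILT, list(b"".join(INSTRUCTIONS))))  # exact bytes
    print(find_matches(REBUILT, first_byte_signature(INSTRUCTIONS)))
```

The exact-byte pattern misses the rebuilt copy because the displacement and immediate differ, while the first-byte pattern still finds it.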
TheDS1337
Veteran Member
Join Date: Jun 2012
Old 06-20-2013 , 03:50   Re: Orpheu: How to make signatures (of bytes)
Reply With Quote #97

Thanks
Spirit_12
Veteran Member
Join Date: Dec 2012
Location: Toronto, CA
Old 08-29-2015 , 18:53   Re: Orpheu: How to make signatures (of bytes)
Reply With Quote #98

Which library holds CHalfLifeMultiplay signatures? I have decompiled Linux libraries, but can't find the signatures. I tried to find the working one, but still couldn't find them.

What .so file should I decompile to look for CHalfLifeMultiplay signature?
Arkshine
AMX Mod X Plugin Approver
Join Date: Oct 2005
Old 08-30-2015 , 03:27   Re: Orpheu: How to make signatures (of bytes)
Reply With Quote #99

Well, the mod, .so in $mod/dlls/.
Last edited by Arkshine; 08-30-2015 at 03:27.
Bugsy
AMX Mod X Moderator
Join Date: Feb 2005
Location: NJ, USA
Old 01-17-2016 , 12:56   Re: Orpheu: How to make signatures (of bytes)
Reply With Quote #100

As far as I understand, I need the Linux version of the HLDS dll in order to make Windows signatures (in this case, SV_Rcon). Where can I get a copy of the Linux HLDS dll to do this? I'm not very familiar with Linux stuff, can anyone chime in with which file I would reference in Linux that is equivalent to swds.dll in Windows?
Last edited by Bugsy; 01-17-2016 at 13:30.
All times are GMT -4. The time now is 07:11.