
How to Signature Scanning?


imyz
Junior Member
Join Date: Dec 2013
#1  11-08-2015, 04:28   How to Signature Scanning?

Hi there. I'm new to this, so I followed the wiki page https://wiki.alliedmods.net/Signature_Scanning, and then ran into a blank wall. Here are the words:

'First what you need to do is compile the HL2M server module. So navigate your way to the "hl2src/dlls" directory and open up "hl_sdk.vcproj".'

But I didn't see a clue regarding how to get/find the HL2M server module. Can anyone help me out? Thank you.

Potato Uno
Veteran Member
Join Date: Jan 2014
Location: Atlanta, Georgia
#2  11-08-2015, 04:36   Re: How to Signature Scanning?

That link is outdated. For Linux the signatures are already there. For Windows you need to find the function in Linux, then find it on Windows, and use the bytes making up the first few instructions of the function to make a Windows signature.

You need IDA for the job.


imyz
Junior Member
Join Date: Dec 2013
#3  11-20-2015, 11:04   Re: How to Signature Scanning?

Quote:
Originally Posted by Potato Uno
That link is outdated. For Linux the signatures are already there. For Windows you need to find the function in Linux, then find it on Windows, and use the bytes making up the first few instructions of the function to make a Windows signature.

You need IDA for the job.


imyz
Junior Member
Join Date: Dec 2013
#4  11-20-2015, 11:16   Re: How to Signature Scanning?

Quote:
Originally Posted by Potato Uno
That link is outdated. For Linux the signatures are already there. For Windows you need to find the function in Linux, then find it on Windows, and use the bytes making up the first few instructions of the function to make a Windows signature.

You need IDA for the job.


imyz
Junior Member
Join Date: Dec 2013
#5  11-21-2015, 00:33   Re: How to Signature Scanning?

Many thanks, Potato Uno. It's weird that I can't quote your post and reply to it.

Anyway, I disassembled the Linux server_srv.so and saw those function names there. However, I still don't know how to put those bytes together to make a Windows signature. Can anybody tell me more about that to enlighten me? Thank you.

imyz
Junior Member
Join Date: Dec 2013
#6  11-21-2015, 00:37   Re: How to Signature Scanning?

Quote:
Originally Posted by Potato Uno
That link is outdated. For Linux the signatures are already there. For Windows you need to find the function in Linux, then find it on Windows, and use the bytes making up the first few instructions of the function to make a Windows signature.

You need IDA for the job.


Many thanks, Potato Uno. It's weird that I can't quote your post and reply to it.

Anyway, I disassembled the Linux server_srv.so and saw those function names there. However, I still don't know how to put those bytes together to make a Windows signature. Can anybody tell me more about that to enlighten me? In particular, I know there is the big/little-endian matter. Thank you.

Miu
Veteran Member
Join Date: Nov 2013
#7  11-21-2015, 07:21   Re: How to Signature Scanning?

You need to find a unique part of the function that isn't likely to change across compilers and search for it in the DLL.

imyz
Junior Member
Join Date: Dec 2013
#8  11-25-2015, 09:38   Re: How to Signature Scanning?

Quote:
Originally Posted by Miu
You need to find a unique part of the function that isn't likely to change across compilers and search for it in the DLL.

Good day, Miu. Many thanks for your reply. Although I understand what you were talking about, I'm confused about how to find the unique byte sequence in the Linux function dump and then search for it in the Windows DLL with IDA.

Here I have quoted a CS:S Linux function. Could you please show me how to find the unique byte sequence? Thank you.

Code:
002a5290 <_ZNK20CBaseCombatCharacter19Weapon_OwnsThisTypeEPKci>:
  2a5290: 55                    push   %ebp
  2a5291: 89 e5                 mov    %esp,%ebp
  2a5293: 57                    push   %edi
  2a5294: 56                    push   %esi
  2a5295: 53                    push   %ebx
  2a5296: 31 db                 xor    %ebx,%ebx
  2a5298: 83 ec 2c              sub    $0x2c,%esp
  2a529b: 8b 45 08              mov    0x8(%ebp),%eax
  2a529e: 8b 7d 0c              mov    0xc(%ebp),%edi
  2a52a1: 05 38 07 00 00        add    $0x738,%eax
  2a52a6: 89 45 e4              mov    %eax,-0x1c(%ebp)
  2a52a9: eb 11                 jmp    2a52bc <_ZNK20CBaseCombatCharacter19Weapon_OwnsThisTypeEPKci+0x2c>
  2a52ab: 90                    nop
  2a52ac: 8d 74 26 00           lea    0x0(%esi,%eiz,1),%esi
  2a52b0: 83 c3 01              add    $0x1,%ebx
  2a52b3: 83 fb 30              cmp    $0x30,%ebx
  2a52b6: 0f 84 b4 00 00 00     je     2a5370 <_ZNK20CBaseCombatCharacter19Weapon_OwnsThisTypeEPKci+0xe0>
  2a52bc: 8b 45 e4              mov    -0x1c(%ebp),%eax
  2a52bf: 8b 0d 10 85 ac 00     mov    0xac8510,%ecx
  2a52c5: 8d 34 98              lea    (%eax,%ebx,4),%esi
  2a52c8: 8b 06                 mov    (%esi),%eax
  2a52ca: 83 f8 ff              cmp    $0xffffffff,%eax
  2a52cd: 74 e1                 je     2a52b0 <_ZNK20CBaseCombatCharacter19Weapon_OwnsThisTypeEPKci+0x20>
  2a52cf: 89 c2                 mov    %eax,%edx
  2a52d1: c1 e8 0c              shr    $0xc,%eax
  2a52d4: 81 e2 ff 0f 00 00     and    $0xfff,%edx
  2a52da: c1 e2 04              shl    $0x4,%edx
  2a52dd: 01 ca                 add    %ecx,%edx
  2a52df: 8d 4a 04              lea    0x4(%edx),%ecx
  2a52e2: 39 41 04              cmp    %eax,0x4(%ecx)
  2a52e5: 75 c9                 jne    2a52b0 <_ZNK20CBaseCombatCharacter19Weapon_OwnsThisTypeEPKci+0x20>
  2a52e7: 8b 42 04              mov    0x4(%edx),%eax
  2a52ea: 85 c0                 test   %eax,%eax
  2a52ec: 74 c2                 je     2a52b0 <_ZNK20CBaseCombatCharacter19Weapon_OwnsThisTypeEPKci+0x20>
  2a52ee: 3b 78 64              cmp    0x64(%eax),%edi
  2a52f1: 74 5d                 je     2a5350 <_ZNK20CBaseCombatCharacter19Weapon_OwnsThisTypeEPKci+0xc0>
  2a52f3: 89 7c 24 04           mov    %edi,0x4(%esp)
  2a52f7: 89 04 24              mov    %eax,(%esp)
  2a52fa: e8 21 73 24 00        call   4ec620 <_ZN11CBaseEntity19ClassMatchesComplexEPKc>
  2a52ff: 84 c0                 test   %al,%al
  2a5301: 74 ad                 je     2a52b0 <_ZNK20CBaseCombatCharacter19Weapon_OwnsThisTypeEPKci+0x20>
  2a5303: 8b 0e                 mov    (%esi),%ecx
  2a5305: 8b 15 10 85 ac 00     mov    0xac8510,%edx
  2a530b: 83 f9 ff              cmp    $0xffffffff,%ecx
  2a530e: 75 46                 jne    2a5356 <_ZNK20CBaseCombatCharacter19Weapon_OwnsThisTypeEPKci+0xc6>
  2a5310: 31 c0                 xor    %eax,%eax
  2a5312: 8b 10                 mov    (%eax),%edx
  2a5314: 89 04 24              mov    %eax,(%esp)
  2a5317: ff 92 68 03 00 00     call   *0x368(%edx)
  2a531d: 3b 45 10              cmp    0x10(%ebp),%eax
  2a5320: 75 8e                 jne    2a52b0 <_ZNK20CBaseCombatCharacter19Weapon_OwnsThisTypeEPKci+0x20>
  2a5322: 8b 16                 mov    (%esi),%edx
  2a5324: 31 c0                 xor    %eax,%eax
  2a5326: 8b 1d 10 85 ac 00     mov    0xac8510,%ebx
  2a532c: 83 fa ff              cmp    $0xffffffff,%edx
  2a532f: 74 15                 je     2a5346 <_ZNK20CBaseCombatCharacter19Weapon_OwnsThisTypeEPKci+0xb6>
  2a5331: 89 d1                 mov    %edx,%ecx
  2a5333: c1 ea 0c              shr    $0xc,%edx
  2a5336: 81 e1 ff 0f 00 00     and    $0xfff,%ecx
  2a533c: c1 e1 04              shl    $0x4,%ecx
  2a533f: 01 d9                 add    %ebx,%ecx
  2a5341: 39 51 08              cmp    %edx,0x8(%ecx)
  2a5344: 74 34                 je     2a537a <_ZNK20CBaseCombatCharacter19Weapon_OwnsThisTypeEPKci+0xea>
  2a5346: 83 c4 2c              add    $0x2c,%esp
  2a5349: 5b                    pop    %ebx
  2a534a: 5e                    pop    %esi
  2a534b: 5f                    pop    %edi
  2a534c: 5d                    pop    %ebp
  2a534d: c3                    ret    
  2a534e: 66 90                 xchg   %ax,%ax
  2a5350: 89 c8                 mov    %ecx,%eax
  2a5352: 8b 00                 mov    (%eax),%eax
  2a5354: eb bc                 jmp    2a5312 <_ZNK20CBaseCombatCharacter19Weapon_OwnsThisTypeEPKci+0x82>
  2a5356: 89 c8                 mov    %ecx,%eax
  2a5358: c1 e9 0c              shr    $0xc,%ecx
  2a535b: 25 ff 0f 00 00        and    $0xfff,%eax
  2a5360: c1 e0 04              shl    $0x4,%eax
  2a5363: 8d 44 02 04           lea    0x4(%edx,%eax,1),%eax
  2a5367: 39 48 04              cmp    %ecx,0x4(%eax)
  2a536a: 75 a4                 jne    2a5310 <_ZNK20CBaseCombatCharacter19Weapon_OwnsThisTypeEPKci+0x80>
  2a536c: 8b 00                 mov    (%eax),%eax
  2a536e: eb a2                 jmp    2a5312 <_ZNK20CBaseCombatCharacter19Weapon_OwnsThisTypeEPKci+0x82>
  2a5370: 83 c4 2c              add    $0x2c,%esp
  2a5373: 31 c0                 xor    %eax,%eax
  2a5375: 5b                    pop    %ebx
  2a5376: 5e                    pop    %esi
  2a5377: 5f                    pop    %edi
  2a5378: 5d                    pop    %ebp
  2a5379: c3                    ret    
  2a537a: 8b 41 04              mov    0x4(%ecx),%eax
  2a537d: 83 c4 2c              add    $0x2c,%esp
  2a5380: 5b                    pop    %ebx
  2a5381: 5e                    pop    %esi
  2a5382: 5f                    pop    %edi
  2a5383: 5d                    pop    %ebp
  2a5384: c3                    ret    
  2a5385: 90                    nop
  2a5386: 8d 76 00              lea    0x0(%esi),%esi
  2a5389: 8d bc 27 00 00 00 00  lea    0x0(%edi,%eiz,1),%edi

Potato Uno
Veteran Member
Join Date: Jan 2014
Location: Atlanta, Georgia
#9  11-25-2015, 10:32   Re: How to Signature Scanning?

For Linux, the signature would be

Code:
"linux" "@_ZNK20CBaseCombatCharacter19Weapon_OwnsThisTypeEPKci"
For Windows, you need to find that exact same function in the Windows DLL. (This I don't know exactly how to do - some guys use the Hex-Rays decompiler to turn it into some pseudo-C code, and then see how similar that output is - STRINGS help.) Once you manage to locate it, you read the bytes in the 2nd column to make your signature.

So in the above example, IF it were the Windows binary, your Windows signature would be:

Code:
"windows" "\x55\x89\xE5\x57\x56\x53\x31"

// add more bytes at the end if you want, which raises sig scanning accuracy but it is more prone to breaking in future updates; also use \x2A as a wildcard if you need to

imyz
Junior Member
Join Date: Dec 2013
#10  11-28-2015, 02:45   Re: How to Signature Scanning?

Quote:
Originally Posted by Potato Uno
For Linux, the signature would be

Code:
"linux" "@_ZNK20CBaseCombatCharacter19Weapon_OwnsThisTypeEPKci"
For Windows, you need to find that exact same function in the Windows DLL. (This I don't know exactly how to do - some guys use the Hex-Rays decompiler to turn it into some pseudo-C code, and then see how similar that output is - STRINGS help.) Once you manage to locate it, you read the bytes in the 2nd column to make your signature.

So in the above example, IF it were the Windows binary, your Windows signature would be:

Code:
"windows" "\x55\x89\xE5\x57\x56\x53\x31"

// add more bytes at the end if you want, which raises sig scanning accuracy but it is more prone to breaking in future updates; also use \x2A as a wildcard if you need to

Many thanks for your reply. But I'm not quite sure about this. If I search the above-mentioned sequence of bytes "55 89 E5 57..." in IDA, I'll get nothing but failure. It looks as if everything in Windows is totally different from Linux. To demonstrate this, I'd like to take the CS:S function "GetFileWeaponInfoFromHandle" as an example, and you may easily see what I mean:

GetFileWeaponInfoFromHandle - server_srv.so (Linux):
Code:
003b5670 <_Z27GetFileWeaponInfoFromHandlet>:
  3b5670: 55                    push   %ebp
  3b5671: b8 80 30 b3 00        mov    $0xb33080,%eax
  3b5676: 89 e5                 mov    %esp,%ebp
  3b5678: 0f b7 55 08           movzwl 0x8(%ebp),%edx
  3b567c: 66 39 15 72 30 b3 00  cmp    %dx,0xb33072
  3b5683: 0f b7 ca              movzwl %dx,%ecx
  3b5686: 76 14                 jbe    3b569c <_Z27GetFileWeaponInfoFromHandlet+0x2c>
  3b5688: 66 83 fa ff           cmp    $0xffffffff,%dx
  3b568c: 74 0e                 je     3b569c <_Z27GetFileWeaponInfoFromHandlet+0x2c>
  3b568e: 89 c8                 mov    %ecx,%eax
  3b5690: c1 e0 04              shl    $0x4,%eax
  3b5693: 03 05 64 30 b3 00     add    0xb33064,%eax
  3b5699: 8b 40 0c              mov    0xc(%eax),%eax
  3b569c: 5d                    pop    %ebp
  3b569d: c3                    ret    
  3b569e: 66 90                 xchg   %ax,%ax
GetFileWeaponInfoFromHandle - server.dll (Windows):
Code:
.text:10254B80 ; =============== S U B R O U T I N E =======================================
.text:10254B80
.text:10254B80 ; Attributes: bp-based frame
.text:10254B80
.text:10254B80 sub_10254B80    proc near               ; CODE XREF: sub_100CD220+8p
.text:10254B80                                         ; sub_100CD240+8p ...
.text:10254B80
.text:10254B80 arg_0           = word ptr  8
.text:10254B80
.text:10254B80                 push    ebp
.text:10254B81                 mov     ebp, esp
.text:10254B83                 mov     ax, [ebp+arg_0]
.text:10254B87                 cmp     ax, word_104C9C12
.text:10254B8E                 jnb     short loc_10254BAA
.text:10254B90                 mov     ecx, 0FFFFh
.text:10254B95                 cmp     ax, cx
.text:10254B98                 jz      short loc_10254BAA
.text:10254B9A                 movzx   ecx, ax
.text:10254B9D                 mov     eax, dword_104C9C04
.text:10254BA2                 add     ecx, ecx
.text:10254BA4                 mov     eax, [eax+ecx*8+0Ch]
.text:10254BA8                 pop     ebp
.text:10254BA9                 retn
.text:10254BAA ; ---------------------------------------------------------------------------
.text:10254BAA
.text:10254BAA loc_10254BAA:                           ; CODE XREF: sub_10254B80+Ej
.text:10254BAA                                         ; sub_10254B80+18j
.text:10254BAA                 mov     eax, offset off_104C9C20
.text:10254BAF                 pop     ebp
.text:10254BB0                 retn
.text:10254BB0 sub_10254B80    endp
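A worked version of the steps discussed in this thread, added here as an illustration; it is not code from the thread, from SourceMod or from IDA. It reads the second column of the two objdump listings posted above (the first instructions of Weapon_OwnsThisType from post #8 and all of GetFileWeaponInfoFromHandle from post #10, copied into the script), renders them as a gamedata signature string with \x2A wildcards, and runs the same byte-pattern scan a signature triggers. Two things come out of it. First, Miu's uniqueness point from post #7: Potato Uno's 7-byte prologue also matches a second, constructed function (`twin`) that has the same GCC prologue, while the full 11-byte version matches only once. Second, the "prone to breaking in future updates" remark from post #9: an exact signature stops matching a constructed "next build" in which the absolute addresses 0xb33080, 0xb33072 and 0xb33064 have moved, while a version that wildcards those operands still matches. The rule used to spot relocated operands (a rel32 E8/E9 target, or a 32-bit immediate/displacement equal to an address objdump printed, sits in the final four bytes of the instruction) is an assumption that is adequate for these listings, not a general x86 decoder; `twin` and the shifted image are constructed sample data.

```python
import re

# Two objdump excerpts copied from this thread (32-bit Linux server binary):
# the start of Weapon_OwnsThisType (post #8), all of GetFileWeaponInfoFromHandle (post #10).
WEAPON_OWNS = """\
  2a5290: 55                    push   %ebp
  2a5291: 89 e5                 mov    %esp,%ebp
  2a5293: 57                    push   %edi
  2a5294: 56                    push   %esi
  2a5295: 53                    push   %ebx
  2a5296: 31 db                 xor    %ebx,%ebx
  2a5298: 83 ec 2c              sub    $0x2c,%esp
"""
GET_WEAPON_INFO = """\
  3b5670: 55                    push   %ebp
  3b5671: b8 80 30 b3 00        mov    $0xb33080,%eax
  3b5676: 89 e5                 mov    %esp,%ebp
  3b5678: 0f b7 55 08           movzwl 0x8(%ebp),%edx
  3b567c: 66 39 15 72 30 b3 00  cmp    %dx,0xb33072
  3b5683: 0f b7 ca              movzwl %dx,%ecx
  3b5686: 76 14                 jbe    3b569c <_Z27GetFileWeaponInfoFromHandlet+0x2c>
  3b5688: 66 83 fa ff           cmp    $0xffffffff,%dx
  3b568c: 74 0e                 je     3b569c <_Z27GetFileWeaponInfoFromHandlet+0x2c>
  3b568e: 89 c8                 mov    %ecx,%eax
  3b5690: c1 e0 04              shl    $0x4,%eax
  3b5693: 03 05 64 30 b3 00     add    0xb33064,%eax
  3b5699: 8b 40 0c              mov    0xc(%eax),%eax
  3b569c: 5d                    pop    %ebp
  3b569d: c3                    ret
"""
# objdump line: address, then the opcode bytes (2nd column), then mnemonic/operands
LINE_RE = re.compile(r"^\s*[0-9a-f]+:\s+((?:[0-9a-f]{2} )+)\s*(.*)$")

def sig_from_bytes(data, wildcards=()):
    r"""Render bytes in SourceMod gamedata form; \x2A ('*') is the wildcard byte."""
    return "".join("\\x2A" if i in wildcards else f"\\x{b:02X}" for i, b in enumerate(data))

def parse_sig(sig):
    r"""'\x55\x2A\xE5' -> [0x55, None, 0xE5]; None matches any byte."""
    vals = [int(h, 16) for h in re.findall(r"\\x([0-9A-Fa-f]{2})", sig)]
    return [None if v == 0x2A else v for v in vals]

def find_sig(buf, pattern):
    """Every offset in buf where the pattern matches: the scan a gamedata sig triggers."""
    n = len(pattern)
    return [off for off in range(len(buf) - n + 1)
            if all(p is None or buf[off + i] == p for i, p in enumerate(pattern))]

def relocated_tail(code, asm):
    """Offsets inside one instruction that hold a build-specific address. Assumption: on
    i386 a rel32 E8/E9 target, or an imm32/disp32 equal to an address literal that objdump
    printed, occupies the instruction's final four bytes (good enough for these listings)."""
    if len(code) < 5:
        return set()
    tail = set(range(len(code) - 4, len(code)))
    if len(code) == 5 and code[0] in (0xE8, 0xE9):
        return tail
    value = int.from_bytes(code[-4:], "little")
    literals = [int(h, 16) for h in re.findall(r"0x([0-9a-f]+)", asm)]
    return tail if value >= 0x10000 and value in literals else set()

def build_signature(listing, mask_addresses=False):
    """Signature string, the raw bytes, and the raw offsets that were wildcarded."""
    parts, raw, masked = [], bytearray(), []
    for line in listing.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        code, asm = bytes.fromhex(m.group(1)), m.group(2)
        wild = relocated_tail(code, asm) if mask_addresses else set()
        masked += [len(raw) + i for i in sorted(wild)]
        parts.append(sig_from_bytes(code, wild))
        raw += code
    return "".join(parts), bytes(raw), masked

def rebuilt_image(raw, masked, delta=0x10000):
    """Constructed 'next game update': every wildcarded dword shifted by delta."""
    out = bytearray(raw)
    for start in sorted(masked)[::4]:
        value = int.from_bytes(out[start:start + 4], "little") + delta
        out[start:start + 4] = value.to_bytes(4, "little")
    return bytes(out)

def uniqueness_demo():
    """Potato Uno's 7-byte prologue vs. all 11 bytes, in a constructed image that
    also holds a second function ('twin') with the same GCC prologue."""
    func = build_signature(WEAPON_OWNS)[1]
    twin = bytes.fromhex("55 89 e5 57 56 53 31 c0 83 ec 1c")
    image = b"\xcc" * 16 + func + b"\xcc" * 16 + twin + b"\xcc" * 16
    short_hits = find_sig(image, parse_sig(sig_from_bytes(func[:7])))
    long_hits = find_sig(image, parse_sig(sig_from_bytes(func)))
    return short_hits, long_hits

def relocation_demo():
    """The exact signature breaks once addresses move; the masked one still hits."""
    exact, raw, _ = build_signature(GET_WEAPON_INFO)
    masked_sig, _, masked = build_signature(GET_WEAPON_INFO, mask_addresses=True)
    moved = rebuilt_image(raw, masked)
    return find_sig(moved, parse_sig(exact)), find_sig(moved, parse_sig(masked_sig))
```

`uniqueness_demo()` returns `([16, 43], [16])`: the short prologue hits both functions in the constructed image, the longer one only the real function. `relocation_demo()` returns `([], [0])`: the exact 46-byte signature finds nothing in the shifted image, the masked one still finds the function at offset 0. As for why the Linux bytes never turn up in server.dll even though the Windows listing in post #10 starts with the same `push ebp` / `mov ebp, esp`: MSVC encodes `mov ebp, esp` as `8B EC` while GCC emits `89 E5` for the same instruction, so the two binaries already diverge at the second opcode. The Windows signature therefore has to be read off the opcode bytes of the Windows function (IDA can show them beside each instruction; the listing in post #10 was captured without them), and the same masking of absolute addresses applies there.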