Orpheu: How to make signatures (of bytes)


Arkshine
AMX Mod X Plugin Approver
Join Date: Oct 2005
Old 03-10-2011 , 17:52   Re: Orpheu: How to make signatures (of bytes)
Reply With Quote #31

Yep, it's ok. Mine is the same, just a bit longer, but since yours is still referenced one time, it's all good. You can also add "info" above "arguments" if you want to add a description for the function.

Anyway good job.
drekes
Veteran Member
Join Date: Jul 2009
Location: Vault 11
Old 03-10-2011 , 21:07   Re: Orpheu: How to make signatures (of bytes)
Reply With Quote #32

Thanks, I'm glad I finally got the hang of it.
Time to experiment with the possibilities now =)
ConnorMcLeod
Veteran Member
Join Date: Jul 2006
Location: France (95)
Old 04-15-2011 , 01:52   Re: Orpheu: How to make signatures (of bytes)
Reply With Quote #33

What is wrong with this?
I'm trying to find the AddAccount signature.

So first I found CBasePlayer::AddAccount(int,bool) in the "Names" window.
Double-clicked on it, put the cursor above the function name in "IDA View-A" and jumped to the Hex View-A window to find bits.

It doesn't begin at the start of a line but I don't think it is a problem, so the first 16 bits are:
55 89 E5 83 EC 0C 57 56 53 E8 EE FF FF FF 81 C3

Searching for "55 89 E5 83 EC ? 57 56 53 E8 EE ? ? ? 81 C3" in IDA returns around 1600 occurrences, so I put more bits until I found only 1 result.

Code:
55                                 push    ebp
89 E5                              mov     ebp, esp
83 EC 0C                           sub     esp, 0Ch
57                                 push    edi
56                                 push    esi
53                                 push    ebx
E8 EE FF FF FF                     call    sub_EDE28
81 C3 92 73 0F 00                  add     ebx, (offset loc_F7391+1)
8B 7D 08                           mov     edi, [ebp+arg_0]
8B 87 E0 01 00 00                  mov     eax, [edi+1E0h]
03 45 0C                           add     eax, [ebp+arg_4]
So
55 89 E5 83 EC 0C 57 56 53 E8 EE FF FF FF 81 C3 ? ? ? ? 8B 7D ? 8B 87 ? ? ? ? 03 45
and
8B 7D ? 8B 87 ? ? ? ? 03 45
and
8B 87 ? ? ? ? 03 45
returned a unique occurrence in IDA

Tried :


[0x55,0x89,0xE5,0x83,0xEC,"*",0x57,0x56,0x53,0xE8,0xEE,"*","*","*",0x81,0xC3,"*","*","*","*",0x8B,0x7D,"*",0x8B,0x87,"*","*","*","*",0x03,0x45]


and (tried to put less bits with displacement)

[0x8B,0x87,"*","*","*","*",0x03,0x45]
"displacement" : -23

and also:

"value" : [0x8B,0x7D,"*",0x8B,0x87,"*","*","*","*",0x03, 0x45],
"displacement" : -20


I'm testing on a listenserver


configs\orpheu\functions\CBasePlayer\AddAccount
->
Code:
{
	"name" : "AddAccount",
	"class" : "CBasePlayer",
	"library" : "mod",
	"arguments" : 
	[
		{
			"type" : "int",
			"info" : "amount"
		},
		{
			"type" : "bool",
			"info" : "bTrackChange"
		}
	],
	"identifiers":
	[
		{
			"os"    : "windows",
			"mod"   : "cstrike",
			"value" : [0x8B,0x7D,"*",0x8B,0x87,"*","*","*","*",0x03,0x45],
			"displacement" : -20
		},
		{
			"os"    : "linux",
			"mod"   : "cstrike",
			"value" : "AddAccount__11CBasePlayerib"
		}
	]
}

Cs console says that signature is NOT FOUND.
Last edited by ConnorMcLeod; 04-15-2011 at 07:12.
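
The wildcard and displacement arithmetic used in the post above, as an added example that is not part of the original thread or of Orpheu's own code. `FUNC` holds the bytes from the posted listing; `IMAGE`, `OTHER`, `find_all` and `resolve` are hypothetical names, and the example assumes the displacement is added to the match offset, as the negative values in the post imply.

```python
# Orpheu-style byte signature matching: ints are literal bytes, "*" is a wildcard.
# FUNC is the listing quoted in the post; IMAGE is a constructed buffer,
# not a real game binary.
FUNC = bytes.fromhex(
    "55 89 E5 83 EC 0C 57 56 53 E8 EE FF FF FF"
    " 81 C3 92 73 0F 00 8B 7D 08 8B 87 E0 01 00 00 03 45 0C"
)
# A second, constructed function that shares the common prologue bytes.
OTHER = bytes.fromhex(
    "55 89 E5 83 EC 0C 57 56 53 E8 EE FF FF FF 81 C3 10 20 30 00 C9 C3"
)
IMAGE = b"\x90" * 16 + OTHER + b"\x90" * 10 + FUNC + b"\x90" * 16
FUNC_START = 16 + len(OTHER) + 10  # offset of FUNC inside IMAGE


def find_all(image, pattern):
    """Return every offset where pattern matches; "*" matches any byte."""
    hits = []
    for off in range(len(image) - len(pattern) + 1):
        if all(p == "*" or image[off + i] == p for i, p in enumerate(pattern)):
            hits.append(off)
    return hits


def resolve(image, pattern, displacement=0):
    """Turn a signature into a function start; refuse ambiguous matches."""
    hits = find_all(image, pattern)
    if len(hits) != 1:
        raise LookupError(f"signature matched {len(hits)} times, need exactly 1")
    return hits[0] + displacement


PROLOGUE = [0x55, 0x89, 0xE5, 0x83, 0xEC, "*", 0x57, 0x56, 0x53,
            0xE8, 0xEE, "*", "*", "*", 0x81, 0xC3]
SHORT = [0x8B, 0x87, "*", "*", "*", "*", 0x03, 0x45]
MID = [0x8B, 0x7D, "*", 0x8B, 0x87, "*", "*", "*", "*", 0x03, 0x45]

if __name__ == "__main__":
    print("prologue hits:", find_all(IMAGE, PROLOGUE))   # two functions share it
    print("short sig ->", resolve(IMAGE, SHORT, -23))    # back to FUNC_START
    print("mid sig   ->", resolve(IMAGE, MID, -20))      # back to FUNC_START
```

The prologue alone matches both functions, which is why a longer or more distinctive run of bytes is needed; the two inner patterns are unique and their displacements both land on the first byte of the function.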
ConnorMcLeod
Veteran Member
Join Date: Jul 2006
Location: France (95)
Old 04-15-2011 , 11:09   Re: Orpheu: How to make signatures (of bytes)
Reply With Quote #34

Solved (with Arkshine's help all day), I was looking in the Linux file...

Code:
{
	"name" : "AddAccount",
	"class" : "CBasePlayer",
	"library" : "mod",
	"arguments" : 
	[
		{
			"type" : "int",
			"info" : "amount"
		},
		{
			"type" : "bool",
			"info" : "bTrackChange"
		}
	],
	"identifiers":
	[
		{
			"os"    : "windows",
			"mod"   : "cstrike",
			"value" : [0x8B,0x44,"*","*",0x56,0x8B,0xF1,0x8B,0x8E,"*","*","*","*",0x03,0xC8,0x89]
		},
		{
			"os"    : "linux",
			"mod"   : "cstrike",
			"value" : "AddAccount__11CBasePlayerib"
		}
	]
}
Arkshine
AMX Mod X Plugin Approver
Join Date: Oct 2005
Old 04-15-2011 , 11:16   Re: Orpheu: How to make signatures (of bytes)
Reply With Quote #35

Wooo. Congratulations. One more person now converted to Orpheu. Next?
ConnorMcLeod
Veteran Member
Join Date: Jul 2006
Location: France (95)
Old 04-15-2011 , 12:02   Re: Orpheu: How to make signatures (of bytes)
Reply With Quote #36

Making 1 sig doesn't mean you are converted, there is a lot to learn.
Arkshine
AMX Mod X Plugin Approver
Join Date: Oct 2005
Old 04-15-2011 , 13:10   Re: Orpheu: How to make signatures (of bytes)
Reply With Quote #37

You are interested in Orpheu now, and trying to understand how things work. Basically, you are converted because you're going to learn more and more anyway, otherwise you would not have spent that time on it.

That said, I will try to update the tutorial soon. I had forgotten xolent's request.
Last edited by Arkshine; 04-15-2011 at 14:19.
Old 04-15-2011, 14:15
ConnorMcLeod
This message has been deleted by Arkshine. Reason: osef
K.K.Lv
Veteran Member
Join Date: Aug 2008
Location: GameFolder
Old 04-20-2012 , 03:23   Re: Orpheu: How to make signatures (of bytes)
Reply With Quote #38

I found this
Code:
00068BE4 55 89 E5 81 EC 5C 08 00 00 57 56 53 E8 EB FF FF
with IDA in engine_i686.so,
because I am trying to hook this function
Code:
SV_SendServerinfo
but when I use the above line to make a signature, the function is not found.
What is the correct way to find the function and use it?
PS: The server is using the Windows version. I found the function with the Linux version.
Please help me, how do I do it?

Edited:
When I saw Connor's post, I think I got the same problem!
How do I find the correct Windows value?
Because I can't find "SV_SendServerinfo" in the Windows file.

Last edited by K.K.Lv; 04-20-2012 at 03:40.
Arkshine
AMX Mod X Plugin Approver
Join Date: Oct 2005
Old 04-20-2012 , 04:12   Re: Orpheu: How to make signatures (of bytes)
Reply With Quote #39

Did you read this tutorial: http://forums.alliedmods.net/showthread.php?t=118934 ?

It's just a matter of finding some reference in Linux and searching in Windows with that.
Looking inside the function, it has strings, so it should be easy to find it on Windows.
K.K.Lv
Veteran Member
Join Date: Aug 2008
Location: GameFolder
Old 04-20-2012 , 04:35   Re: Orpheu: How to make signatures (of bytes)
Reply With Quote #40

Maybe I have found it
Code:
.text:01D968E0                               sub_1D968E0     proc near               ; CODE XREF: sub_1D972D0+BAp
.text:01D968E0                                                                       ; sub_1D9D7B0+229p
but the server console still tells me "File incorrectly formatted"

Folder: addons\amxmodx\configs\orpheu\functions\engine
Name: SV_SendServerinfo
Signature:
Code:
{
    "name" : "SV_SendServerinfo",
    "library" : "engine",
    "identifiers":
    [
        {
            "os" : "windows",
            "mod" : "cstrike",
            "value" : [0x55,0x8B,0xEC,0x81,0xEC,0x04,0x08, "*", "*",0xD9,0x05,0x28,0x56,0xE5,0x01,0xD8]
        }
        {
            "os"    : "linux",
            "mod"   : "cstrike",
            "value" : "SV_SendServerinfo"
        }
    ]
}
server print
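
A quick syntax check for a function file like the one above, as an added example that is not part of the original post or of Orpheu itself. It assumes the file is JSON plus bare hex literals, which is what the files on this page look like; `lint`, `BROKEN` and `FIXED` are hypothetical names, and the sample is constructed to have the same shape as the posted file with a shortened byte list.

```python
import json
import re

# Strict JSON parsers reject bare hex such as 0x8B, so each literal is rewritten
# as decimal first. Assumption: no "0x.." text appears inside quoted strings.
HEX = re.compile(r"\b0x[0-9A-Fa-f]+\b")


def lint(text):
    """Return None if the file parses, else (line, column, message)."""
    # ljust keeps every literal the same width so reported columns stay accurate.
    normalised = HEX.sub(
        lambda m: str(int(m.group(), 16)).ljust(len(m.group())), text
    )
    try:
        json.loads(normalised)
    except json.JSONDecodeError as err:
        return err.lineno, err.colno, err.msg
    return None


# Constructed sample with the same layout as the posted file.
BROKEN = """{
    "name" : "SV_SendServerinfo",
    "library" : "engine",
    "identifiers":
    [
        {
            "os" : "windows",
            "value" : [0x55,0x8B,0xEC,"*","*",0xD9]
        }
        {
            "os" : "linux",
            "value" : "SV_SendServerinfo"
        }
    ]
}"""
# Same sample with a comma between the two identifier objects.
FIXED = BROKEN.replace("}\n        {", "},\n        {")

if __name__ == "__main__":
    print("broken:", lint(BROKEN))
    print("fixed: ", lint(FIXED))
```

On the sample, the parser stops at the opening brace of the second identifier object and reports a missing `,` delimiter, since the two objects in the `identifiers` array are not separated by a comma.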