Orpheu: How to make signatures (of bytes)


Arkshine
AMX Mod X Plugin Approver
Join Date: Oct 2005
Old 03-09-2011 , 13:51   Re: Orpheu: How to make signatures (of bytes)
Reply With Quote #21

As said, you want some difficulty: try to find the function. There is a tutorial about how to find functions. Use IDA with the Linux binary to see what you can check in IDA with the Windows binary. Making a signature file is very easy. What is more difficult is finding a function in Windows. It's no fun if I give you the offset directly. ^^ (But if you really don't get how to find the function, I will give the solution :p)
drekes
Veteran Member
Join Date: Jul 2009
Location: Vault 11
Old 03-09-2011 , 14:44   Re: Orpheu: How to make signatures (of bytes)
Reply With Quote #22

I'll keep trying, I'll figure it out sometime.
__________________

Quote:
Originally Posted by nikhilgupta345 View Post
You're retarded.
drekes
Veteran Member
Join Date: Jul 2009
Location: Vault 11
Old 03-09-2011 , 21:41   Re: Orpheu: How to make signatures (of bytes)
Reply With Quote #23

I've been spending several hours now and reread the 2 linked tutorials,
but I can't seem to figure out how to find the Windows offset.
Maybe you can lead me in the right direction ;)
Arkshine
AMX Mod X Plugin Approver
Join Date: Oct 2005
Old 03-10-2011 , 05:12   Re: Orpheu: How to make signatures (of bytes)
Reply With Quote #24

To search for a function in Windows, it's a matter of searching for strings and/or looking at where a function is referenced. Here, the function is filled with strings. It will be easy to find.

So you just have to pick a string in Linux, copy it, and check for it in Windows.

To check a string among the referenced ones, go to View > Open subviews > Strings. Then, in this new tab, search for a specific string. You can do Search > Search... or ALT + T.
Once you're done, click on the string; you will be redirected to where the string is referenced.

From there, you can see a variable (aSomething) associated with the full string name and its xrefs. Xrefs are where the string is referenced in the functions. By default it shows only the first 2 xrefs; to get the full list you need to select the variable and right-click on Jump to xref to operand... or use X. Now it's just a matter of clicking on each one and seeing if it's the right function. For this function, you're lucky, it's actually easy. :p
drekes
Veteran Member
Join Date: Jul 2009
Location: Vault 11
Old 03-10-2011 , 06:29   Re: Orpheu: How to make signatures (of bytes)
Reply With Quote #25

I think I got it, at least I found something,
but when I make the signature it always says:
FILE FORMATTED INCORRECT

I've rewritten it 3 times, but I fail to get it right or to see what I'm doing wrong.
Code:
{
    "name"        : "HandleMenu_ChooseTeam",
    "library"    : "mod",
    "arguments"    :
    [
        {    
            "type"    : "CBasePlayer *"
        },
        {
            "type"    : "int"
        }
    ],
    "identifiers":
    [
        {
            "os"    : "windows",
            "mod"    : "cstrike",
            "value"    : [0x81,0xEC,"*","*","*","*",0x53,0x55,0x,0x8B,0x2D,0x7C,0x8F,0x12,0x10,0x56,0x8B]
        },
        {
            "os"    : "linux",
            "mod"    : "cstrike",
            "value"    : "HandleMenu_ChooseTeam__FP11CBasePlayeri"
        }
    ]
}
Arkshine
AMX Mod X Plugin Approver
Join Date: Oct 2005
Old 03-10-2011 , 06:38   Re: Orpheu: How to make signatures (of bytes)
Reply With Quote #26

,0x, Be careful when you copy the bytes from the Hex View tab, there is a space :p Like: 16 bytes, space, 16 bytes; remove this extra space. (By the way, it should start with 83, not 81 :p)
Last edited by Arkshine; 03-10-2011 at 06:43.
drekes
Veteran Member
Join Date: Jul 2009
Location: Vault 11
Old 03-10-2011 , 08:16   Re: Orpheu: How to make signatures (of bytes)
Reply With Quote #27

That's why I didn't see what's wrong, I just copied the value when I rewrote it.
I'll check it again, see if I can find the right value now.
Thanks
drekes
Veteran Member
Join Date: Jul 2009
Location: Vault 11
Old 03-10-2011 , 14:23   Re: Orpheu: How to make signatures (of bytes)
Reply With Quote #28

I still haven't been able to find it. I've found several values that I thought could be the right one, but none starts with 83.
I also haven't found any string values in either IDA or the decompiled version of the Linux library from the how to find functions tutorial.
Last edited by drekes; 03-10-2011 at 16:14. Reason: Removed useless stuff
Arkshine
AMX Mod X Plugin Approver
Join Date: Oct 2005
Old 03-10-2011 , 14:30   Re: Orpheu: How to make signatures (of bytes)
Reply With Quote #29

To find HandleMenu_ChooseTeam() in Linux, you just have to open your eyes and look at the left. If not done already, you can sort the list by name, and then scroll down until you find it. If you still have a problem finding it (it would be really weird), just use ALT + T on the list and type the function name. EDIT: you can even click on the function from CHalfLifeMultiplay::PlayerThink() or other places where you find references.

Once done, you can see there are several strings in this function.
Last edited by Arkshine; 03-10-2011 at 14:34.
drekes
Veteran Member
Join Date: Jul 2009
Location: Vault 11
Old 03-10-2011 , 16:30   Re: Orpheu: How to make signatures (of bytes)
Reply With Quote #30

I think I got it, it says FOUND in console, but did I do it right with the "*"?
Code:
{
    "name"        : "HandleMenu_ChooseTeam",
    "library"    : "mod",
    "arguments"    :
    [
        {    
            "type"    : "CBasePlayer *",
            "info"    : "Player id"
        },
        {
            "type"    : "int",
            "info"    : "Menu Item"
        }
    ],
    "identifiers":
    [
        {
            "os"    : "windows",
            "mod"    : "cstrike",
            "value"    : [0x83,0xEC,"*",0x8B,0x0D,"*","*","*","*",0x53,0x55,0x56,0x8B,0x74,"*","*",0x57,0x33,0xFF]
        },
        {
            "os"    : "linux",
            "mod"    : "cstrike",
            "value"    : "HandleMenu_ChooseTeam__FP11CBasePlayeri"
        }
    ]
}
EDIT: updated sig with "info" things
Last edited by drekes; 03-10-2011 at 16:33.
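Added example, not part of the thread and not Orpheu's own code: a small Python check that flags malformed tokens in a "value" list (the bare 0x pointed out in post #26) and counts where a pattern matches, since a byte signature is only useful if it matches exactly one place. The token grammar is an assumption drawn from the two files posted above, and IMAGE is a constructed buffer, not bytes from the real library.

```python
import re

# Assumed token grammar, taken from the two files in this thread:
# a "value" list holds 0xNN byte literals and "*" wildcards only.
TOKEN = re.compile(r'^(?:0x([0-9A-Fa-f]{2})|"\*")$')

# The two "value" lists exactly as posted in #25 and #30.
POST_25 = '[0x81,0xEC,"*","*","*","*",0x53,0x55,0x,0x8B,0x2D,0x7C,0x8F,0x12,0x10,0x56,0x8B]'
POST_30 = '[0x83,0xEC,"*",0x8B,0x0D,"*","*","*","*",0x53,0x55,0x56,0x8B,0x74,"*","*",0x57,0x33,0xFF]'

# Constructed buffer (not bytes from the real library): a short decoy that
# also starts with 83 EC, padding, then bytes shaped like the #30 pattern.
IMAGE = bytes.fromhex(
    "83EC08C3" "90909090"
    "83EC10" "8B0D78563412" "535556" "8B742420" "5733FF" "C3"
)


def parse_value(text):
    """Return (pattern, errors); pattern holds ints, None marks a wildcard."""
    pattern, errors = [], []
    for index, raw in enumerate(text.strip().strip("[]").split(",")):
        token = raw.strip()
        match = TOKEN.match(token)
        if match is None:
            errors.append((index, token))      # e.g. the bare 0x in post #25
        elif match.group(1) is None:
            pattern.append(None)               # "*" matches any byte
        else:
            pattern.append(int(match.group(1), 16))
    return pattern, errors


def find_all(pattern, image):
    """Offsets where every non-wildcard byte of pattern equals the image."""
    return [
        off
        for off in range(len(image) - len(pattern) + 1)
        if all(p is None or image[off + i] == p for i, p in enumerate(pattern))
    ]


if __name__ == "__main__":
    for name, text in (("post #25", POST_25), ("post #30", POST_30)):
        pattern, errors = parse_value(text)
        print(name, "bad tokens:", errors, "matches:", find_all(pattern, IMAGE))
    # A prefix that is too short also hits the decoy, so it is ambiguous.
    print("first 3 tokens:", find_all(parse_value(POST_30)[0][:3], IMAGE))
```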