Orpheu: How to make signatures (of bytes)


PRoSToTeM@
Veteran Member
Join Date: Jan 2010
Location: Russia, Ivanovo
05-01-2017, 11:34   Re: Orpheu: How to make signatures (of bytes)
#111

I think the best way to analyze static opcodes for signatures is comparing function opcodes between old build (like 4554) and the newest (6153).

Last edited by PRoSToTeM@; 05-01-2017 at 11:36.
DarthMan
Veteran Member
Join Date: Aug 2011
05-23-2017, 03:23   Re: Orpheu: How to make signatures (of bytes)
#112

Quote:
Originally Posted by Bugsy View Post
I created a tool in VB for creating signatures. All you would need to do is copy a block of text from IDA and paste it into the tool and it will generate the entire signature. Maybe I will wait until Arkshine revises the tutorial to make sure my tool has the correct logic.


Could you send us a link for download?
DarthMan
Veteran Member
Join Date: Aug 2011
06-16-2017, 05:39   Re: Orpheu: How to make signatures (of bytes)
#113

Quote:
Originally Posted by Arkshine View Post
Well, I don't have enough knowledge in assembly to affirm whether this opcode is static. As I said in the tutorial, it's easier to take just the first byte of each line until you have a unique signature. No need to bother with the other bytes. It might create longer signatures, but that doesn't matter much.

And by the way, "?" should be used by default. "?" = any bytes, "*" = any bytes or nothing. Most of the time, you want "?".
Hey Arkshine, could you explain better what "always keep the first byte" means? Thanks!

I understood, in the IDA View-A I look for the 1st byte and keep it, and replace any other bytes with ?

Last edited by DarthMan; 06-16-2017 at 12:13.
Arkshine
AMX Mod X Plugin Approver
Join Date: Oct 2005
06-17-2017, 05:21   Re: Orpheu: How to make signatures (of bytes)
#114

It means you retrieve the first byte of the instruction (the mnemonic 'push', 'mov', etc., you see it in the above screenshot) and that's not something which will change at runtime.
__________________
Working on : CS Weapon Mod (72%) , MonsterAI (PAUSED),

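A worked example of the approach described above (keep the opcode byte of each instruction, replace the rest with "?", and extend the pattern over more instructions until it matches exactly once in the image). This is an added illustration, not code from the thread or from Orpheu itself: the x86 instruction bytes and the image buffer are constructed, the function names are hypothetical, and the reading of "*" as "zero or more bytes" follows the post's wording rather than any particular Orpheu parser.

```python
"""Build and test byte signatures with '?' (one byte) and '*' (zero or more) wildcards.

Added example; the sample bytes below are constructed for illustration only.
"""
import re
from typing import List, Union

Token = Union[int, str]  # a concrete byte value, "?" or "*"


def instructions_to_signature(instructions: List[bytes]) -> List[Token]:
    """Keep the first (opcode) byte of every instruction and wildcard the rest,
    exactly as the tutorial suggests: operands may change between builds,
    the opcode byte is what we expect to stay fixed."""
    sig: List[Token] = []
    for ins in instructions:
        if not ins:
            raise ValueError("empty instruction")
        sig.append(ins[0])
        sig.extend("?" * (len(ins) - 1))
    return sig


def signature_to_str(sig: List[Token]) -> str:
    """Render as the familiar 'XX ? ? XX' notation."""
    return " ".join(t if isinstance(t, str) else f"{t:02X}" for t in sig)


def signature_to_regex(sig: List[Token]) -> "re.Pattern[bytes]":
    """Translate the token list into a bytes regex.
    '?' matches exactly one byte; '*' matches zero or more bytes (non-greedy)."""
    parts = []
    for tok in sig:
        if tok == "?":
            parts.append(b".")
        elif tok == "*":
            parts.append(b".*?")
        elif isinstance(tok, int) and 0 <= tok <= 0xFF:
            parts.append(re.escape(bytes([tok])))
        else:
            raise ValueError(f"bad signature token: {tok!r}")
    return re.compile(b"".join(parts), re.DOTALL)


def find_all(sig: List[Token], data: bytes) -> List[int]:
    """Return every offset where the signature matches (overlaps included)."""
    pat = signature_to_regex(sig)
    offsets: List[int] = []
    pos = 0
    while True:
        m = pat.search(data, pos)
        if m is None:
            break
        offsets.append(m.start())
        pos = m.start() + 1
    return offsets


def is_unique(sig: List[Token], data: bytes) -> bool:
    """A usable signature hits exactly one location in the image."""
    return len(find_all(sig, data)) == 1


# Constructed sample: two functions sharing a common prologue but differing in
# their immediates and in one later instruction (pop esi vs pop edi).
FUNC_A_INSTRUCTIONS = [
    b"\x55",                      # push ebp
    b"\x8b\xec",                  # mov ebp, esp
    b"\x83\xec\x40",              # sub esp, 0x40
    b"\x56",                      # push esi
    b"\x8b\x75\x08",              # mov esi, [ebp+8]
    b"\xe8\x11\x22\x33\x44",      # call rel32 (placeholder displacement)
    b"\x5e",                      # pop esi
]
FUNC_A = b"".join(FUNC_A_INSTRUCTIONS) + b"\x8b\xe5\x5d\xc3"
FUNC_B = bytes.fromhex("558bec83ec10568b750ce8556677885f8be55dc3")
IMAGE = b"\x90" * 16 + FUNC_A + b"\xcc" * 8 + FUNC_B + b"\x90" * 8

# Prologue only: too short, hits both functions.
SHORT_SIG = instructions_to_signature(FUNC_A_INSTRUCTIONS[:6])
# One more instruction makes it unique in this image.
LONG_SIG = instructions_to_signature(FUNC_A_INSTRUCTIONS)

if __name__ == "__main__":
    for name, sig in (("short", SHORT_SIG), ("long", LONG_SIG)):
        hits = find_all(sig, IMAGE)
        print(f"{name}: {signature_to_str(sig)} -> offsets {hits}, unique={is_unique(sig, IMAGE)}")
```

Note that uniqueness is only meaningful relative to the whole module you will scan, so run the check against the real binary's code section rather than a hand-picked snippet, and re-run it against each new build you intend to support.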
DarthMan
Veteran Member
Join Date: Aug 2011
10-24-2017, 05:56   Re: Orpheu: How to make signatures (of bytes)
#115

Quote:
Originally Posted by Arkshine View Post
It means you retrieve the first byte of the instruction (the mnemonic 'push', 'mov', etc., you see it in the above screenshot) and that's not something which will change at runtime.
I got it, sorry for the late response.