Raised This Month: $100 Target: $400
 25% 

Orpheu: How to make signatures (of bytes)


Post New Thread Reply   
 
Thread Tools Display Modes
Author Message
Arkshine
AMX Mod X Plugin Approver
Join Date: Oct 2005
Old 01-16-2011 , 21:44   Orpheu: How to make signatures (of bytes)
Reply With Quote #1

Orpheu : How to make signatures (of bytes)
- last updated : 16 jan 2010

Hello John D., welcome.

You are here because you have found a function by reading the tutorial Searching for functions in libraries and because you know how to make a function file.
If not, you are invited do it now, please.

Let's start.

Contents :

Configuring IDA top
So, you found CBasePlayerWeapon::KickBack(). Why not.

Before, to make more easily a signature, we need to configure IDA by showing the opcode bytes. You will understand.
  • Start to open IDA on this function.
  • Click on the IDA View tab, if not done already. If you are in graph view, click right and select Text View.
  • Go to the menu : Options > General.

In the windows, at the right, you see "Number of opcode bytes". Put a number like 10.


After validiting, you see finally something like the following image. Notice now the opcode bytes at the left.


Making a signature of bytes top
We are ready to start to make a signature of bytes.

You have to keep in mind :
  • The signature needs to be unique.
  • The signature must start from the top of the function.

The length of the signature will depend of the content of the function.
  • If the content is somehow unique like KickBack(), you won't need a large signature.
  • If the content has a lot of memory references, there is a chance you would need a large signature.

A reminder : a signature would be an array of bytes or "*" or "?".
  • "*" is meant to be used when you don't care about the value of that byte.
  • "?" is meant to be used when you don't care about the value of the byte and it can even not exist.

About when you should place "*", a good rule would be : any memory references.
I can't explain because I don't know enough about assembly/memory but that's something it will change at restart.
It's explained further down.

Note : in IDA, '?' has the same meaning as '*' in Orpheu.


So, here my way, the main steps :
  1. We retrieve an amount of bytes.
  2. We replace any memory references with '?'.
  3. We check with IDA if this block of bytes is well referenced one time. If not, back to 1) and increasing the amount of bytes.
  4. We modify the block of bytes to be compliant to the Orpheu format.
  5. We make the function file and we test.

1) We retrieve an amount of bytes
- Make sure the cursor is at the top of the function.
- Go the Hex View tab.
- Select an amount of bytes, like at least the first 16 bytes.
- Copy them in a text editor.
2) We replace any memory references with '?'
EDIT: A more simple way would be :
  1. Keep always the first byte
  2. Replace any others bytes with "?"
That's all.
Old way



3) We check with IDA if this block of bytes is well referenced one time
Let's check if IDA find only one reference.
Go the menu, Search > sequence of bytes... or you can use the shortcut alt + B.


In the windows, paste the block of bytes.
Make sure to mark as Hex and you want to Find all occurences.


As result, we see one reference, and it's good. It means it's unique and we can use this block of bytes as signature.

4) We modify the block of bytes to be compliant to the Orpheu format
Don't bother to do byte by byte. With your text editor you can use replace.
It's probably possible to create a macro to do the task automatically, if your software supports the macros.

Anyway, manually :

Code:
// So, you have that.
51 56 8B F1 8B 86 ? ? ? ? 83 F8 ? 89 44

// Replace all ' ?' by ,"*". Be careful if use '?' for orpheu.
51 56 8B F1 8B 86,"*","*","*","*" 83 F8,"*" 89 44

// Replace all ' ' by ',0x'
,0x51,0x56,0x8B,0xF1,0x8B,0x86,"*","*","*","*",0x83,0xF8,"*",0x89,0x44

// Fix the first byte, add '[' and '] and your signature is ready.
[0x51,0x56,0x8B,0xF1,0x8B,0x86,"*","*","*","*",0x83,0xF8,"*",0x89,0x44]

5) We make the function file and we test
We make our file :
Code:
{
    "name"       : "KickBack",
    "class"      : "CBasePlayerWeapon",
    "library"    : "mod",
    "arguments"  :
    [
        {
            "type" : "float"
        },
        {
            "type" : "float"
        },
        {
            "type" : "float"
        },
        {
            "type" : "float"
        },
        {
            "type" : "float"
        },
        {
            "type" : "float"
        },
        {
            "type" : "int"
        }
    ],
    "identifiers":
    [
        {
            "os"    : "windows",
            "mod"   : "cstrike",
            "value" : [0x51,0x56,0x8B,0xF1,0x8B,0x86,"*","*","*","*",0x83,0xF8,"*",0x89,0x44]
        },
        {
            "os"    : "linux",
            "mod"   : "cstrike",
            "value" : "KickBack__17CBasePlayerWeaponffffffi"
        }
    ]
}
Then, start your server and check your log, you should see something like :

Code:
Parsing folder "CBasePlayerWeapon" started
        Parsing file "KickBack" started
                Argument type "float" validated
                Argument type "float" validated
                Argument type "float" validated
                Argument type "float" validated
                Argument type "float" validated
                Argument type "float" validated
                Argument type "int" validated
                Searching for signature "[0x51][0x56][0x8b][0xf1][0x8b](...)" ... FOUND
        Parsing file "KickBack" ended
Parsing folder "CBasePlayerWeapon" ended
If you see "FOUND", be happy.
If you see "NOT FOUND", check carefully what you have done. It may either a typo or you have missed a byte to ignore.

Displacement top
Depending the content of the function, it may be impossible to make a decent signature of bytes, either because there are only few bytes or too much memory references.
In this case, you have the possibility to use the "displacement" field.

It allows you to define a block of bytes which doesn't start from the top of the function, then you need to adjust with this field.
It can be negative or positive value.

Example with our previous signature, I remove the 2 first bytes :

Code:
{
    "os"    : "windows",
    "mod"   : "cstrike",
    "value" : [0x51,0x56,0x8B,0xF1,0x8B,0x86,"*","*","*","*",0x83,0xF8,"*",0x89,0x44]
},
You can do that :

Code:
{
    "os"    : "windows",
    "mod"   : "cstrike",
    "value" : [0x8B,0xF1,0x8B,0x86,"*","*","*","*",0x83,0xF8,"*",0x89,0x44],
    "displacement" : -2
},
I think you get the idea.


Feel free to ask if you don't understand something.

I will add later a plugin to get the bytes from an offset provided.
It may help if you have problems to make a signature.

That's all.

__________________
Working on : CS Weapon Mod (72%) , MonsterAI (PAUSED),


Last edited by Arkshine; 02-16-2016 at 10:19.
Arkshine is offline
ConnorMcLeod
Veteran Member
Join Date: Jul 2006
Location: France (95)
Old 01-17-2011 , 03:09   Re: Orpheu: How to make signatures of bytes
Reply With Quote #2

What Should I Do With That Plugin ?
How To Install ?

So, is IDA Pro needed ?
__________________
- tired and retired -

Last edited by ConnorMcLeod; 01-17-2011 at 03:21.
ConnorMcLeod is offline
Arkshine
AMX Mod X Plugin Approver
Join Date: Oct 2005
Old 01-17-2011 , 06:38   Re: Orpheu: How to make signatures of bytes
Reply With Quote #3

It doesn't matter what version you use. You need IDA, that's all.
__________________
Working on : CS Weapon Mod (72%) , MonsterAI (PAUSED),

Arkshine is offline
Seta00
The Seta00 user has crashed.
Join Date: Jan 2010
Location: Brazil
Old 01-17-2011 , 11:49   Re: Orpheu: How to make signatures (of bytes)
Reply With Quote #4

Excellent resource! (Lacks a few 'be's, but who cares? )
Seta00 is offline
Arkshine
AMX Mod X Plugin Approver
Join Date: Oct 2005
Old 01-17-2011 , 11:52   Re: Orpheu: How to make signatures (of bytes)
Reply With Quote #5

Where.
__________________
Working on : CS Weapon Mod (72%) , MonsterAI (PAUSED),

Arkshine is offline
meTaLiCroSS
Gaze Upon My Hat
Join Date: Feb 2009
Location: Viņa del Mar, Chile
Old 01-17-2011 , 12:35   Re: Orpheu: How to make signatures (of bytes)
Reply With Quote #6

... too pro for me :c.
__________________
Quote:
Originally Posted by joropito View Post
You're right Metalicross
meTaLiCroSS is offline
Arkshine
AMX Mod X Plugin Approver
Join Date: Oct 2005
Old 01-17-2011 , 12:36   Re: Orpheu: How to make signatures (of bytes)
Reply With Quote #7

That's not hard as you think. Even me I can, so you can too. :p It's because you are not used to play with IDA. Anyway, if you have difficulties, you can ask here.
__________________
Working on : CS Weapon Mod (72%) , MonsterAI (PAUSED),

Arkshine is offline
Exolent[jNr]
Veteran Member
Join Date: Feb 2007
Location: Tennessee
Old 01-17-2011 , 15:05   Re: Orpheu: How to make signatures (of bytes)
Reply With Quote #8

What about finding a memory address for a variable that you want to modify?
__________________
No private work or selling mods.
Quote:
Originally Posted by xPaw View Post
I love you exolent!
Exolent[jNr] is offline
Arkshine
AMX Mod X Plugin Approver
Join Date: Oct 2005
Old 01-17-2011 , 15:32   Re: Orpheu: How to make signatures (of bytes)
Reply With Quote #9

You're right, I've missed that. I will add later, though the method is the same.
__________________
Working on : CS Weapon Mod (72%) , MonsterAI (PAUSED),

Arkshine is offline
drekes
Veteran Member
Join Date: Jul 2009
Location: Vault 11
Old 03-08-2011 , 22:00   Re: Orpheu: How to make signatures (of bytes)
Reply With Quote #10

After a while i got it working

I've used CBaseButton::ButtonUse with this signature:
PHP Code:
 {
    
"name"        "ButtonUse",
    
"class"        "CBaseButton",
    
"library"    "mod",
    
"arguments"    
    [
        {
            
"type" "int"
        
},
        {
            
"type" "int"
        
},
        {
            
"type" "int"
        
},
        {
            
"type" "float"
        
}
    ],
    
"identifiers":
    [
        {
            
"os"    "windows",
            
"mod"    "cstrike",
            
"value" : [0x56,0x8B,0xF1 ,0x57,"*","*","*","*","*","*","*","*","*",0x0F,0x84,0xFC,0x00,0x00,0x00]
        }
    ]

and this code to test it:
PHP Code:
#include <amxmodx>
#include <orpheu>


public plugin_init()
    
OrpheuRegisterHook(OrpheuGetFunction("ButtonUse""CBaseButton"), "HandleButtonUse");
    

public 
HandleButtonUse(idiButtoniUseTypeFloatflSomething)
    
client_print(0print_chat"Orpheu says: Button used :O"); 
Thanks man, this is awesome.
__________________

Quote:
Originally Posted by nikhilgupta345 View Post
You're retarded.
drekes is offline
Send a message via MSN to drekes
Reply


Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT -4. The time now is 05:52.


Powered by vBulletin®
Copyright ©2000 - 2017, vBulletin Solutions, Inc.
Theme made by Freecode