Signature Scanning Windows help - Page 2

Chris-_- · 11-24-2009 , 13:41 Re: Signature Scanning Windows help

Start poking someone on IRC until they do it for you, works every time.

blodia · 11-24-2009 , 15:28 Re: Signature Scanning Windows help

i know nothing about sig scanning, but after looking through the tutorial i can see you have made mistakes in the mask, also the last value is incorrect you have F5 but in the code you posted it is 55.

try this in the sigcreator

PHP Code:


			
81 EC 44 03 00 00 53 55 56 8D? 44? 24? 10? 57 8B F1 33 DB 50 89 5C 24 18 89 5C 24 1C 89 74 24 20 E8? DC? 61? FD? FF? 83 C4 04 38 9C 24 58 03 00 00 75? 10? 8B CE E8? C9? 82? D7? FF? 83 F8 01 0F? 85? C4? 01? 00? 00? 8B 7C 24 14 3B FB 0F? 84? AF? 01? 00? 00? 8B 46 20 8B? 0D? E0? F1? 69? 10? 8B 11 8B AF 9C 2B 00 00 50 8B 42 40 FF D0 55

don't know if it will work, but if want to give it a try.

AtomicStryker · 11-24-2009 , 18:26 Re: Signature Scanning Windows help

@blodia

Code:

? 81 EC 44 03 00 00 53 55 56 8D? 44? 24? 10? 57 8B F1 33 DB 50 89 5C 24 18 89 5C
 24 1C 89 74 24 20 E8? DC? 61? FD? FF? 83 C4 04 38 9C 24 58 03 00 00 75? 10? 8B
CE E8? C9? 82? D7? FF? 83 F8 01 0F? 85? C4? 01? 00? 00? 8B 7C 24 14 3B FB 0F? 84
? AF? 01? 00? 00? 8B 46 20 8B? 0D? E0? F1? 69? 10? 8B 11 8B AF 9C 2B 00 00 50 8B
 42 40 FF D0 55


Size: 100

Sig:
\x81\xEC\x44\x03\x00\x00\x53\x55\x56\x8D\x44\x24\x10\x57\x8B\xF1\x33\xDB\x50\x89
\x5C\x24\x18\x89\x5C\x24\x1C\x89\x74\x24\x20\xE8\xDC\x61\xFD\xFF\x83\xC4\x04\x38
\x9C\x24\x58\x03\x00\x00\x75\x10\x8B\xCE\xE8\xC9\x82\xD7\xFF\x83\xF8\x01\x0F\x85
\xC4\x01\x00\x00\x8B\x7C\x24\x14\x3B\xFB\x0F\x84\xAF\x01\x00\x00\x8B\x46\x20\x8B
\x0D\xE0\xF1\x69\x10\x8B\x11\x8B\xAF\x9C\x2B\x00\x00\x50\x8B\x42\x40\xFF\xD0\x55


Mask:
xxxxxxxxx????xxxxxxxxxxxxxxxxxx?????xxxxxxxxxx??xx?????xxx??????xxxxxx??????xxx?
?????xxxxxxxxxxxxxxx

If i enter that signature into the gamedata file, i still get Handle 0 errors when i try to call it.

I cant help but think simply entering that signature in the gamedata file is wrong (what about the entire mask concept?!)

pvtschlag · 11-25-2009 , 08:25 Re: Signature Scanning Windows help

This could be just a wild stab in the dark, but based on the dis-assembly you have posted the following signature may work.

Code:

\x81\x2A\x2A\x2A\x2A\x2A\x53\x55\x56\x8D\x44\x2A\x2A\x2A\x8B\xF1\x33\xDB\x50

I don't have a windows server setup to test it on, but it may be worth giving it a shot.

AtomicStryker · *Last edited by AtomicStryker; 11-25-2009 at 08:38.*

Nope, Handle 0 error on call

Someone could have MENTIONED mask bytes are supposed to be written "\x2A"

I've tried

Code:

\x81\x2A\x2A\x2A\x2A\x2A\x53\x55\x56\x2A\x2A\x2A\x2A\x57\x8B\xF1\x33\xDB\x50

aswell, because i think theres a typo in pvtschlags line, but that doesnt work either.

pvtschlag · 11-25-2009 , 08:37 Re: Signature Scanning Windows help

If you don't mind testing some more I have one more that you could try.

Code:

\x81\x2A\x2A\x2A\x2A\x2A\x53\x55\x56\x8D\x2A\x2A\x2A\x57\x8B\xF1\x33\xDB\x50

bl4nk · 11-25-2009 , 08:45 Re: Signature Scanning Windows help

Are you getting the signature from the disassembled Windows binary or Linux binary? To get the Windows signature you need to use the Windows version.

AtomicStryker · *Last edited by AtomicStryker; 11-25-2009 at 10:27.*

Ive posted both, already xD

All Signature attemps of the last side are off the windows binary, easily discernible for being unreadable

Quote:

Originally Posted by pvtschlag

If you don't mind testing some more I have one more that you could try.

Code:

\x81\x2A\x2A\x2A\x2A\x2A\x53\x55\x56\x8D\x2A\x2A\x2A\x57\x8B\xF1\x33\xDB\x50

Of course i DONT

But this one doesnt work either, unfortunately

pvtschlag · 11-26-2009 , 02:13 Re: Signature Scanning Windows help

Has anyone actually got any SDKcalls that use signature scanning to work on L4D2 yet?

I can't even get the L4DSwitchPlayers plugin working correctly on linux, which should have the same signatures as for L4D1. Whenever it goes to do an SDKCall sourcemod reports back an invalid handle. The plugin actually works fine for everything but setting the team as survivors because it is the only team change that requires any SDKCalls. I have even checked to make sure the linux signatures were still the same in L4D2 as they were in L4D1.

I could be wrong, but I think there may be an issue with signature scanning on L4D2.

DrMon · *Last edited by DrMon; 11-26-2009 at 03:42.*

Yes, signature scanning works on left for dead 2.
I've used it a few times without a problem.

Your signature for L4D2 should be something like this:

Code:

\x81*****\x53\x55\x56\x8D***\x57\x8B\xF1\x33\xDB

That should do nicely.
You really don't need those sig creator tools, just do it by eye. Much quicker if you ask me.
I haven't tested it, but I've done my fair share of sigscanning, it it's the only byte match in the dll. I can't see why it wouldn't work.