Orpheu: How to make signatures (of bytes)
PRoSToTeM@
Veteran Member
Join Date: Jan 2010
Location: Russia, Ivanovo
#111 | 05-01-2017, 10:34 | Re: Orpheu: How to make signatures (of bytes)

I think the best way to analyze static opcodes for signatures is comparing function opcodes between old build (like 4554) and the newest (6153).

Last edited by PRoSToTeM@; 05-01-2017 at 10:36.
DarthMan
Veteran Member
Join Date: Aug 2011
#112 | 05-23-2017, 02:23 | Re: Orpheu: How to make signatures (of bytes)

Quote (Originally Posted by Bugsy):
> I created a tool in VB for creating signatures. All you would need to do is copy a block of text from IDA and paste it into the tool and it will generate the entire signature. Maybe I will wait until Arkshine revises the tutorial to make sure my tool has the correct logic.


Could you send us a download link?
DarthMan
Veteran Member
Join Date: Aug 2011
#113 | 06-16-2017, 04:39 | Re: Orpheu: How to make signatures (of bytes)

Quote (Originally Posted by Arkshine):
> Well, I don't have enough knowledge in assembly to affirm whether this opcode is static. As I said in the tutorial, it's easier to take just the first byte of each line until you have a unique signature. No need to bother with the other bytes. It might create longer signatures but that doesn't matter much.
>
> And by the way, "?" should be used by default. "?" = any byte, "*" = any bytes or nothing. Most of the time, you want "?".

Hey Arkshine, could you explain better what "always keep the first byte" means? Thanks!

I understood: in IDA View-A I look for the first byte and keep it, and replace all other bytes with ?

Last edited by DarthMan; 06-16-2017 at 11:13.
Arkshine
AMX Mod X Plugin Approver
Join Date: Oct 2005
#114 | 06-17-2017, 04:21 | Re: Orpheu: How to make signatures (of bytes)

It means you retrieve the first byte of the instruction (the mnemonic 'push', 'mov', etc., you see it in the above screenshot) and that's not something which will change at runtime.
DarthMan
Veteran Member
Join Date: Aug 2011
#115 | 10-24-2017, 04:56 | Re: Orpheu: How to make signatures (of bytes)

Quote (Originally Posted by Arkshine):
> It means you retrieve the first byte of the instruction (the mnemonic 'push', 'mov', etc., you see it in the above screenshot) and that's not something which will change at runtime.

I got it, sorry for the long time to respond.
ish12321
Veteran Member
Join Date: May 2016
#116 | 06-03-2018, 07:03 | Re: Orpheu: How to make signatures (of bytes)

Hey,
I opened IDA Freeware, clicked New and selected cs.so. Now a menu titled "Load a new file" appears with various options:
[1]
ELF for Intel 386 (Shared Object) [elf64.dll]
OR
Binary File

[2]
Processor type, with various options...
and many more...

Could anyone please help me out with what to choose here?
metal_upa
Senior Member
Join Date: Jun 2016
#117 | 01-24-2019, 08:41 | Re: Orpheu: How to make signatures (of bytes)

I tried to make a signature for CBasePlayerWeapon::KickBack() in the regamedll library, but I can't find the function name 'CBasePlayerWeapon::KickBack()'. What now?
Attached file: mp.zip (595.7 KB)
HamletEagle
AMX Mod X Plugin Approver
Join Date: Sep 2013
Location: Romania
#118 | 01-24-2019, 09:43 | Re: Orpheu: How to make signatures (of bytes)

Read the tutorial about finding functions?
metal_upa
Senior Member
Join Date: Jun 2016
#119 | 01-24-2019, 13:43 | Re: Orpheu: How to make signatures (of bytes)

Quote (Originally Posted by HamletEagle):
> Read the tutorial about finding functions?

There is no function named CBasePlayerWeapon::KickBack() in mp.dll from regamedll; most of them are sub_xxx and a few are CBasePlayer:: functions. Tried with IDA Freeware.
HamletEagle
AMX Mod X Plugin Approver
Join Date: Sep 2013
Location: Romania
#120 | 01-25-2019, 04:26 | Re: Orpheu: How to make signatures (of bytes)

Quote (Originally Posted by metal_upa):
> There is no function named CBasePlayerWeapon::KickBack() in mp.dll from regamedll; most of them are sub_xxx and a few are CBasePlayer:: functions. Tried with IDA Freeware.

Maybe I was not clear enough: read the tutorial about finding functions.