[jim_yang]

if you don't change the source code of a function and use the same compiler with same compiling parameters, generally it will generate the same binary code. Such as registers, short jump relative address..., but long jump relative address maybe changed caused by the update of other functions, that's the mask part. so signature scan is not a garantee also. deponds on how the source code changes.
So your goal is to at least find the right address in the current version, that's good enough.
the principle of making a mask is if there is address, use * instead.
the operation code(such as mov push reg...) and immediate number(such as 1,2,3...), use the original binary code.
Hope you understand what I'm trying to say..., damn my English...

[Bugsy]

I understand the purpose and goal of getting a good signature but deciphering what IDA outputs is what I am not versed in. Arkshines example above is a good demonstration for making signatures that is easy to understand. I would like to see a tutorial that shows specifically what should or shouldn't be included in a signature (0x5A, "*", or "?" for each piece of data), from a first-time signature making aka newbie perspective.

[jim_yang]

basiclly the four bytes address should be replaced by "*", other than this, don't change.

[Bugsy]

How do you determine what an address is though? This entire subject is unclear to me, I guess we should bring this discussion to the signature making tut instead of this thread. I think if it is made easier to create signatures more people will begin to use orpheu. I could even make a windows app to make signatures and masks automatically once I understand it fully.

[jim_yang]

Code:

.text:1000A027    75 10                    jnz     short loc_1000A039
.text:1000A029    FF 15 E4 62 0D 10   call    dword_100D62E4

here is two jumps, one is short jump, second is long jump,
first use offset, relative address 10
second use absolute address, four bytes, so the second one should be replaced by
FF 15 * * * *
FF 15 is CALL opt, don't change

if you found something like call dword_ or sub_ or offset off_ and the address is four bytes, then use *

[Bugsy]

I am really interested in making an app for creating signatures where you just copy and paste a block of text like Arkshine has above and it will output the signature including the appropriate mask. I need to do more research on the subject, though. Thank you both for the examples.

[jim_yang]

nice, waiting for your tool, gonna sleep now, bye.

[Arkshine]

Just to say I'm not entirely agree with Jim, about : So your goal is to at least find the right address in the current version, that's good enough., it may ok with the engine, but for mod like CS, you have to get a good sig to match CZ too. I can say, because of my plugins, binaries are compiled differently and not exactly the same and a signature working under CS is not working always in CZ.

The rule : "all could be changed except the first byte and local var", I've read it in the SourceMod section from someone which was explaining how to make good signature. Using this rule is more simple and you have more chance to get a good signature.

Btw, the hlbeta is going to be a pain, even with a good signature, it won't match always because compiled differently. :/

[Se7ven]

NIce
Here a nice ideea you should put the command kick inside
I mean when an admin kick somebody it will write in chat
x bla bla bla left the server/game [reason Kicked by admin]

[F0RCE]

good job as always bro