Hello hello!
Which plugins do you guys use at IDA / Ollydbg to search a signature in the engine?
Thanks!
Which plugins do you guys use at IDA / Ollydbg to search a signature in the engine?
Thanks!
Signature search in engine
06/27/2016 13:32
TheRealPower#1
06/27/2016 22:30
luki180pl#2
The standard search works good in ida
06/27/2016 22:52
TheRealPower#3
also to find a pattern? and to know which pointers are variable and which are static? cuz i know where the function is i want
06/28/2016 06:59
luki180pl#4
I'm not sure but if you put a "?" instead of a byte it would mean that this byte could have any value
06/28/2016 10:00
TheRealPower#5
Ye, so all the bytes which are 00 in the engine or well in my partern can be writen as an ? i assume?
Like if i got \x66\x8B\xED\x83\x00\x00\x00\x3D
it is like xxxx???x
Like if i got \x66\x8B\xED\x83\x00\x00\x00\x3D
it is like xxxx???x
06/28/2016 11:26
meak1#6
a dword are 4 bytesQuote:
Ye, so all the bytes which are 00 in the engine or well in my partern can be writen as an ? i assume?
Like if i got \x66\x8B\xED\x83\x00\x00\x00\x3D
it is like xxxx???x
06/28/2016 12:13
luki180pl#7
I would make you a screenshot but I don't have access to my computer. If your function starts with for example 55 87 14 25 69 74 and last 4 bytes are relative address then you would write 55 87 ? ? ? ? To find this. I hope it's understandable what I say xd
06/28/2016 13:48
TheRealPower#8
Yea i understand, but my question actually was how do i know if '14' in your example is a relative address or not? throught IDA
06/28/2016 14:44
meak1#9
mb bec there stand a adress Call ????????????????????????????? [0x24244242] ???
06/28/2016 15:44
luki180pl#10
Almost every time an instruction use memory address it should be replaced with '?'