Pattern Signature Scanner
Discussion on Pattern Signature Scanner within the C/C++ forum part of the Coders Den category.
06/13/2014, 16:01
|
#1
Pattern Signature Scanner
I've got a C++ issue with my pattern scanner: why does it only work while OllyDbg is running, and not without it?
Functions.h
Code:
#include <Windows.h>
#include <tlhelp32.h>
#include <Psapi.h>

#include <cstdint>
#include <cstdio>
#include <cstring>
#include <iostream>
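/// Shows a modal message box containing `addy` formatted as hexadecimal.
/// Debug aid only: the call blocks until the dialog is dismissed.
void MsgBoxAddy(DWORD addy)
{
    char szBuffer[64];
    // snprintf bounds the write to the buffer. The cast matches the %x
    // conversion, which expects unsigned int rather than DWORD.
    std::snprintf(szBuffer, sizeof(szBuffer), "Addy: %02x", static_cast<unsigned int>(addy));
    // NOTE(review): MessageBox is the TCHAR macro; passing char buffers only
    // compiles when the project is built without UNICODE.
    MessageBox(NULL, szBuffer, "Title", MB_OK);
}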
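/// Looks up a module that is already loaded in the current process and
/// returns its MODULEINFO.
///
/// @param szModule  Module name passed to GetModuleHandle. Taken as const so
///                  string literals can be passed without a deprecated
///                  literal-to-char* conversion.
/// @return The filled MODULEINFO, or a zero-initialised one when the module is
///         not loaded or the query fails. Callers must check lpBaseOfDll.
MODULEINFO GetModuleInfo(const char *szModule)
{
    MODULEINFO modinfo = {0};
    HMODULE hModule = GetModuleHandle(szModule);
    if (hModule == nullptr)
        return modinfo;

    // The original ignored this result; on failure return a known-zero struct
    // instead of whatever the call may have left behind.
    if (!GetModuleInformation(GetCurrentProcess(), hModule, &modinfo, sizeof(modinfo)))
        modinfo = MODULEINFO();

    return modinfo;
}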
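/// Copies `byteNum` bytes from `valueToWrite` to `addressToWrite` in the
/// current process, temporarily making the target range writable.
///
/// @param addressToWrite  Destination address; 0 is rejected.
/// @param valueToWrite    Source buffer; must hold at least `byteNum` bytes.
/// @param byteNum         Number of bytes to copy; values <= 0 are rejected.
///
/// Does nothing if the arguments are invalid or the protection change fails.
void WriteToMemory(uintptr_t addressToWrite, char* valueToWrite, int byteNum)
{
    if (addressToWrite == 0 || valueToWrite == nullptr || byteNum <= 0)
        return;

    const size_t length = static_cast<size_t>(byteNum);
    LPVOID target = reinterpret_cast<LPVOID>(addressToWrite);

    unsigned long oldProtection = 0;
    // Without this check a failed VirtualProtect would be followed by a
    // memcpy into a page that is still read-only.
    if (!VirtualProtect(target, length, PAGE_EXECUTE_READWRITE, &oldProtection))
        return;

    memcpy(target, valueToWrite, length);

    // VirtualProtect fails when lpflOldProtect is NULL, so the original
    // restore call never ran and the page stayed writable and executable.
    // Pass a real variable so the previous protection is actually restored.
    unsigned long ignored = 0;
    VirtualProtect(target, length, oldProtection, &ignored);
}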
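/// Searches the in-memory image of a loaded module for a byte signature.
///
/// @param module   Name of a module loaded in the current process.
/// @param pattern  Signature bytes; must provide at least strlen(mask) bytes
///                 (embedded NUL bytes are fine, the length comes from mask).
/// @param mask     One character per signature byte: '?' matches any byte,
///                 any other character requires an exact match.
/// @return Address of the first match, or 0 when the module is not loaded, the
///         mask is empty or longer than the image, or nothing matches.
///
/// The DWORD return type holds a full address only in a 32-bit build.
DWORD FindPattern(char *module, char *pattern, char *mask)
{
    if (module == nullptr || pattern == nullptr || mask == nullptr)
        return 0;

    MODULEINFO mInfo = GetModuleInfo(module);
    if (mInfo.lpBaseOfDll == nullptr)
        return 0;

    const unsigned char *image = static_cast<const unsigned char *>(mInfo.lpBaseOfDll);
    const DWORD base = static_cast<DWORD>(reinterpret_cast<uintptr_t>(mInfo.lpBaseOfDll));
    const DWORD size = (DWORD)mInfo.SizeOfImage;
    const DWORD patternLength = (DWORD)strlen(mask);

    // The original computed size - patternLength unconditionally. With a
    // missing module (size == 0) or an oversized mask, that unsigned
    // subtraction wraps and the scan runs far outside the image.
    if (patternLength == 0 || patternLength > size)
        return 0;

    // "<=" so a signature sitting at the very end of the image is also found.
    // NOTE(review): assumes every page of the image is readable; confirm.
    const DWORD lastStart = size - patternLength;
    for (DWORD i = 0; i <= lastStart; i++)
    {
        bool found = true;
        for (DWORD j = 0; j < patternLength; j++)
        {
            if (mask[j] != '?' && static_cast<unsigned char>(pattern[j]) != image[i + j])
            {
                found = false;
                break; // first mismatch decides; no need to compare the rest
            }
        }
        if (found)
        {
            return base + i;
        }
    }
    return 0;
}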
Source.cpp
Code:
#include <Windows.h>
#include <iostream>
#include "Functions.h"
using namespace std;
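// Bytes that InitiateHooks hands to WriteToMemory.
// NOTE(review): this array is 3 bytes (two payload bytes plus the terminating
// NUL), but InitiateHooks passes a length of 4, so the copy reads one byte
// past the array. Confirm the intended length.
char OpCode[] = "\xDB\x45";

/// Locates the signature in the named module and, if it is found, overwrites
/// the bytes at match + 5 with OpCode.
void InitiateHooks()
{
    DWORD aAddy = FindPattern("s4client.exe",
        "\xD9\x45\x57\x8B\x7C\x24\x14\x8D\x74\x24\x28\xE8\x00\x00\x00\x00\x5F\x5E\xB0\x01",
        "xxxxxxxxxxxx????xxxx");

    // FindPattern returns 0 when nothing matches. Without this check the
    // code below would add 5 and write to address 5.
    if (aAddy == 0)
        return;

    aAddy += 5;
    MsgBoxAddy(aAddy);
    WriteToMemory(aAddy, OpCode, 4);
}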
#pragma endregion
/// DLL entry point. Calls InitiateHooks() on the process-attach notification
/// and ignores every other notification. Always reports success.
BOOL WINAPI DllMain(
    HINSTANCE hinstDLL,
    DWORD fdwReason,
    LPVOID lpReserved)
{
    // NOTE(review): InitiateHooks runs while the loader lock is held and ends
    // up calling MessageBox. Microsoft's DllMain guidance advises against
    // calling User32 functions from here.
    if (fdwReason == DLL_PROCESS_ATTACH)
    {
        InitiateHooks();
    }
    return TRUE;
}
Why doesn't it work when OllyDbg isn't running?
|
|
|
06/13/2014, 17:49
|
#2
I don't really know what you mean, but I think:
most games/programs scan your open tasks. If they find a process like "ollydbg", they crash because they don't want you to change bytes or anything else...
Just close OllyDbg or bypass the check
|
|
|
06/13/2014, 18:28
|
#3
Quote:
Originally Posted by xXrussXx
I dont really know what you mean but i think:
most games/programms scan your opened tasks. If they find a process like "ollydbg" they crash because they dont want you to change bytes oder else...
Just close OllyDbg or bypass the check
|
I mean, I've written a pattern scanner in C++, but it only works while OllyDbg is running; otherwise it doesn't work
|
|
|
06/13/2014, 20:03
|
#4
Quote:
Originally Posted by "V"
I mean, I've coded a pattern code for C++, but it works only if ollybdg is running else won't work
|
This code is from Fleep's channel
Fleep tested it for a local FPS little game so it could be different for an MMO with too many protections! I don't see why it does work only when the process is being debugged by Olly but I trust you..
Anyway, if it works with olly just keep olly running or is it detected by the game s4client ? (I don't know which game is it).
Good luck
|
|
|
06/13/2014, 23:50
|
#5
look here ^^
Quote:
#include <Psapi.h>
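/// Returns the MODULEINFO of a module already loaded in the current process.
///
/// @param szModule  Module name passed to GetModuleHandle (const, so string
///                  literals can be passed directly).
/// @return The filled MODULEINFO, or an all-zero MODULEINFO when the module is
///         not loaded or GetModuleInformation fails.
MODULEINFO GetModuleInfo(const char *szModule){
    MODULEINFO modinfo = { 0 };
    HMODULE hModule = GetModuleHandle(szModule);
    if (hModule == nullptr)
        return modinfo;
    // The result was previously ignored; report failure as a zeroed struct so
    // callers can test lpBaseOfDll.
    if (!GetModuleInformation(GetCurrentProcess(), hModule, &modinfo, sizeof(modinfo)))
        modinfo = MODULEINFO();
    return modinfo;
}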
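/// Copies `byteNum` bytes from `valueToWrite` to `addressToWrite`, making the
/// destination writable for the duration of the copy and then restoring the
/// previous page protection.
///
/// Returns without writing when an argument is invalid (zero address, null
/// source, non-positive length) or when the protection change is refused.
void WriteToMemory(uintptr_t addressToWrite, char* valueToWrite, int byteNum)
{
    if (addressToWrite == 0 || valueToWrite == nullptr || byteNum <= 0)
        return;

    LPVOID destination = reinterpret_cast<LPVOID>(addressToWrite);
    const size_t count = static_cast<size_t>(byteNum);

    unsigned long OldProtection = 0;
    // Do not copy if the range could not be made writable.
    if (!VirtualProtect(destination, count, PAGE_EXECUTE_READWRITE, &OldProtection))
        return;

    memcpy(destination, valueToWrite, count);

    // The last argument must point to a variable: with NULL the call fails
    // and the range would stay writable and executable.
    unsigned long scratch = 0;
    VirtualProtect(destination, count, OldProtection, &scratch);
}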
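/// Scans the loaded image of `module` for the first occurrence of a masked
/// byte signature.
///
/// @param module   Name of a module loaded in the current process.
/// @param pattern  Signature bytes, at least strlen(mask) of them.
/// @param mask     '?' marks a wildcard byte; any other character means the
///                 byte at that position must match exactly.
/// @return Address of the first match, or 0 if the module is not loaded, the
///         mask is empty or larger than the image, or there is no match.
///
/// Addresses are carried in DWORD, so this is only correct in a 32-bit build.
DWORD FindPattern(char *module, char *pattern, char *mask)
{
    if (module == nullptr || pattern == nullptr || mask == nullptr)
        return 0;

    MODULEINFO mInfo = GetModuleInfo(module);
    if (mInfo.lpBaseOfDll == nullptr)
        return 0; // module not loaded: nothing to scan

    const unsigned char *bytes = static_cast<const unsigned char *>(mInfo.lpBaseOfDll);
    const DWORD base = static_cast<DWORD>(reinterpret_cast<uintptr_t>(mInfo.lpBaseOfDll));
    const DWORD size = (DWORD)mInfo.SizeOfImage;
    const DWORD patternLength = (DWORD)strlen(mask);

    // Guard the unsigned subtraction below; it wrapped around in the original
    // whenever the image was smaller than the mask (including size == 0).
    if (patternLength == 0 || patternLength > size)
        return 0;

    // Inclusive upper bound: the final valid start offset is size - length.
    // NOTE(review): assumes the whole image range is readable; confirm.
    for (DWORD i = 0; i <= size - patternLength; i++)
    {
        DWORD j = 0;
        while (j < patternLength &&
               (mask[j] == '?' || static_cast<unsigned char>(pattern[j]) == bytes[i + j]))
        {
            j++;
        }
        if (j == patternLength)
        {
            return base + i;
        }
    }
    return 0;
}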
|
Quote:
#include <Windows.h>
#include <iostream>
#include "Functions.h"
using namespace std;
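// Placeholder values from the post; they must be replaced before use.
// NOTE(review): InitiateHook always copies 4 bytes, so BytesToPatch must hold
// at least 4 bytes.
char BytesToPatch[] = "yvalue by array";
char ProcessName[] = "Name.exe";

/// Looks up the signature in ProcessName and, when it is found, writes 4 bytes
/// of BytesToPatch at match + 5.
void InitiateHook()
{
    DWORD Bytes = FindPattern(ProcessName, "Pattern", "mask");

    // FindPattern returns 0 when nothing matches; do not turn that into a
    // write to address 5.
    if (Bytes == 0)
        return;

    Bytes += 5;
    WriteToMemory(Bytes, BytesToPatch, 4);
}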
/// DLL entry point. On process attach it turns off per-thread attach/detach
/// notifications for this module and calls InitiateHook(). All other
/// notifications are ignored. Always returns TRUE.
BOOL WINAPI DllMain(HMODULE hModule, DWORD dwReason, LPVOID lpvReserved)
{
    // Process detach and the thread notifications had empty cases in the
    // original, so anything other than process attach falls straight through.
    if (dwReason != DLL_PROCESS_ATTACH)
        return TRUE;

    DisableThreadLibraryCalls(hModule);
    // NOTE(review): InitiateHook runs while the loader lock is held; keep the
    // work done from here minimal.
    InitiateHook();
    return TRUE;
}
|
Quote:
Originally Posted by cookie69
This code is from Fleep's channel
Fleep tested it for a local FPS little game so it could be different for an MMO with too many protections! I don't see why it does work only when the process is being debugged by Olly but I trust you..
Anyway, if it works with olly just keep olly running or is it detected by the game s4client ? (I don't know which game is it).
Good luck
|
It works, but you need to find the correct pattern and mask
|
|
|
06/14/2014, 00:34
|
#6
Guys, my friend has solved it, he missed only 1 number -.- ****, but anyways thank you all!
|
|
|