Signiture Scanning

Discussion on Signiture Scanning within the Coding Tutorials forum part of the General Coding category.

Old   #1

 
Mega Byte's Avatar
 
elite*gold: 0
Join Date: Dec 2009
Posts: 1,777
Received Thanks: 1,003
Signature Scanning

I have been getting a lot of questions about Signature Scanning such as
  • What is a signature?
  • How do I find or make one?
  • Where would signature scanning be useful?

I made a video which can be found here,

People seem to think this is a hard thing to do, so I want to try to simplify it.
Basically, when code such as C++ is compiled, it is turned into byte code that the computer can run.

When memory hacking we find bytes we want to modify, but if the application is recompiled or uses dynamic memory,
the address is not guaranteed to be the same each time the app runs.

A signature is a sequence of bytes and wild cards to find in memory.

I have a game here, and it has a version string rendered in the bottom left.
You may be able to see VER9.02

I wanted to get that version as well as modify it to include my own text.

So I used Cheat Engine and searched for a string of VER9.02
I had to have the Writable and Executable checkboxes set half way so that Cheat Engine would scan
readable and executable memory too.

After I found the version string address,
I found what accessed the code.

This can be done two ways: scan for the address in hex and go to the address -1 in the Memory View disassembler,
or right click the entry and find what accesses it.

I can just scroll up a little bit and look at the bytes on the left. Any references to other memory addresses
will change on recompile, such as ones seen in the PUSH or MOV or CALL op codes.
Generally, if the value is in the code sections of the executable it will be subject to change.
Simply make those bytes wild cards with the ?? when writing them down. You can search the signature in Cheat Engine
as an array of bytes with hex turned on.

Check out the sig scanner code too; let me know if you think it's easy.
You can do XXXXXXXX to get the address at that spot or just do wild cards and put an offset in.



sig->search("SigPattern...",offset,fromstart,startaddress)
You can have offset + or -. If using XXXXXXXX I think it applied the offset to that address as you would a pointer.
If multi level you would have to deref+offset yourself for other levels.

fromstart lets you say false to start the signature address returned from the end of the sig rather than the beginning. It defaults to beginning.

startAddress is well.. the start address :P if not set it will start from first code section.

Woot woot...




Signature Scanner:
Mega Byte is offline  
Thanks
3 Users
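
The wildcard matching described in post #1, as an added example that is not part of the original thread and is not Mega Byte's scanner: it parses a `??` pattern and searches a byte buffer, showing why a wildcarded signature still matches when embedded addresses change while an exact byte string does not. The function names, the `from_start` flag (modelled on the post's description of fromstart) and both sample buffers are constructed for illustration.

```cpp
#include <cstdint>
#include <cstdio>
#include <sstream>
#include <string>
#include <vector>

// One pattern element: a fixed byte, or a wildcard ("??") that matches any byte.
struct PatternByte { uint8_t value; bool wildcard; };

// Parse "55 8B EC 68 ?? ?? ?? ?? E8". Returns an empty pattern on malformed input.
std::vector<PatternByte> parse_signature(const std::string& text) {
    std::vector<PatternByte> out;
    std::istringstream in(text);
    std::string tok;
    while (in >> tok) {
        if (tok == "??") { out.push_back({0, true}); continue; }
        if (tok.size() != 2 || tok.find_first_not_of("0123456789abcdefABCDEF") != std::string::npos)
            return {};
        out.push_back({static_cast<uint8_t>(std::stoul(tok, nullptr, 16)), false});
    }
    return out;
}

// Offset of the first match in buf, or -1. With from_start=false the offset
// just past the matched bytes is returned instead (hypothetical flag).
long find_signature(const std::vector<uint8_t>& buf, const std::string& sig, bool from_start = true) {
    const std::vector<PatternByte> pat = parse_signature(sig);
    if (pat.empty() || pat.size() > buf.size()) return -1;
    for (size_t i = 0; i + pat.size() <= buf.size(); ++i) {
        size_t j = 0;
        while (j < pat.size() && (pat[j].wildcard || pat[j].value == buf[i + j])) ++j;
        if (j == pat.size()) return static_cast<long>(from_start ? i : i + pat.size());
    }
    return -1;
}

// Constructed sample buffers: the same instruction bytes from two "builds", where
// only the 4-byte operand after 0x68 (PUSH imm32) and the layout before it differ.
const std::vector<uint8_t> BUILD_A = {0x90, 0x55, 0x8B, 0xEC, 0x68, 0x10, 0x20, 0x40, 0x00, 0xE8, 0x11, 0x22, 0x33, 0x00, 0xC3};
const std::vector<uint8_t> BUILD_B = {0x90, 0x90, 0x90, 0x55, 0x8B, 0xEC, 0x68, 0x80, 0x31, 0x47, 0x00, 0xE8, 0x9A, 0x05, 0x00, 0x00, 0xC3};
const std::string WILDCARD_SIG = "55 8B EC 68 ?? ?? ?? ?? E8";
const std::string EXACT_SIG    = "55 8B EC 68 10 20 40 00 E8";

int main() {
    std::printf("wildcard: A=%ld B=%ld\n", find_signature(BUILD_A, WILDCARD_SIG), find_signature(BUILD_B, WILDCARD_SIG));
    std::printf("exact:    A=%ld B=%ld\n", find_signature(BUILD_A, EXACT_SIG), find_signature(BUILD_B, EXACT_SIG));
    return 0;
}
```
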
Old 03/23/2014, 16:57   #2


 
elite*gold: 1091
Join Date: Jun 2007
Posts: 19,836
Received Thanks: 7,180
Is there any reason for using the heap and pointers?

Code:
signature_scanner* sig = new signature_scanner();
Mostey is offline  
Old 03/25/2014, 08:33   #3

 
Mega Byte's Avatar
 
elite*gold: 0
Join Date: Dec 2009
Posts: 1,777
Received Thanks: 1,003
Hmm, I suppose it could be made as just functions without needing to use new and heap.
However, I did have future plans to extend it by using multiple threads for searching the memory in chunks (faster?) and perhaps other features like backing up code sections or detouring them to get anti-hacks to hash the untampered memory.

Or maybe signiture_scanner s; I'm not sure, have not tried.
Mega Byte is offline  
Old 03/25/2014, 17:13   #4


 
elite*gold: 1091
Join Date: Jun 2007
Posts: 19,836
Received Thanks: 7,180
Quote:
Originally Posted by Mega Byte View Post
Hmm, I suppose it could be made as just functions without needing to use new and heap.
However, I did have future plans to extend it by using multiple threads for searching the memory in chunks (faster?) and perhaps other features like backing up code sections or detouring them to get anti-hacks to hash the untampered memory.

Or maybe signiture_scanner s; I'm not sure, have not tried.
How did you come to the decision to use pointers and the heap here? Of course that could be made without them, except if the memory is so big that the stack could potentially overflow.

See for more information.
Mostey is offline  
Thanks
1 User
Old 03/25/2014, 17:29   #5
 
elite*gold: 1000
Join Date: Apr 2012
Posts: 1,003
Received Thanks: 208
It's signature not signiture. My eyes are bleeding. You should know how to write things while dealing with them.
qkuh is offline  
Thanks
1 User
Old 03/25/2014, 21:23   #6

 
Mega Byte's Avatar
 
elite*gold: 0
Join Date: Dec 2009
Posts: 1,777
Received Thanks: 1,003
Thanks qkuh, you seem to be the only person who noticed lol. I suck at spelling and sometimes also write stuff backwards. :P

I guess I have always pronounced it with a ni instead of a na :P.
Mega Byte is offline  
Thanks
1 User