Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
 


Is there a signature maker plugin available for CE?

 
H4x0rBattie
Advanced Cheater
Reputation: 0

Joined: 10 Nov 2016
Posts: 58

Posted: Mon Nov 21, 2016 9:30 pm    Post subject: Is there a signature maker plugin available for CE?

I am looking for something like the sigmaker plugin for IDA. It is very time consuming and difficult to create a signature by hand.

A 64-bit sigmaker plugin that is equivalent to the IDA one. I am sure every CE user would like to have one.

Or is this kind of plugin only available in IDA? Maybe I am an idiot but I never found a function with CE as easily.

_________________


Last edited by H4x0rBattie on Mon Nov 21, 2016 9:53 pm; edited 1 time in total
Zanzer
I post too much
Reputation: 126

Joined: 09 Jun 2013
Posts: 3278

Posted: Mon Nov 21, 2016 9:39 pm

...

Memory View
Tools > Auto Assemble
Template > AOB Injection
H4x0rBattie
Advanced Cheater
Reputation: 0

Joined: 10 Nov 2016
Posts: 58

Posted: Mon Nov 21, 2016 10:00 pm

That plugin should return a code signature something like below based on a static pointer.

Code:

DWORD_PTR OFFSET_pLOCALCONTROLLABLE = mem->ResolveRelativePtr(mem->FindPatternEx((PBYTE)"\x48\x8B\x35\x00\x00\x00\x00\x48\x8B\x2D\x00\x00\x00\x00\x48\x39\xEE", "xxx????xxx????xxx"), 3);

_________________
Zanzer
I post too much
Reputation: 126

Joined: 09 Jun 2013
Posts: 3278

Posted: Mon Nov 21, 2016 10:05 pm

So you're telling me that typing in the \x yourself is too hard?
++METHOS
I post too much
Reputation: 92

Joined: 29 Oct 2010
Posts: 4197

Posted: Mon Nov 21, 2016 10:05 pm

There are also custom plugins available that will convert all bytes that are not standard machine instructions into wildcard entries (i.e. hex data for the first or first two bytes on each line, and wildcard entries for the remaining bytes).

And to circumvent any issues with byte limitations for extensive AOB signatures, you can copy what you need from memory viewer, manually, so that only the bytes are copied, allowing for easy script integration.

Regarding the other stuff, a simple macro inside of Notepad++ should do the trick.
H4x0rBattie
Advanced Cheater
Reputation: 0

Joined: 10 Nov 2016
Posts: 58

Posted: Tue Nov 22, 2016 12:35 am

Zanzer wrote:
So you're telling me that typing in the \x yourself is too hard?


No. I hope you don't get offended. I'm telling you that the instructions you gave did not lead me to the signature I need.

_________________
STN
I post too much
Reputation: 42

Joined: 09 Nov 2005
Posts: 2672

Posted: Tue Nov 22, 2016 2:45 am

You can make a quick program and format this data yourself. Won't take more than 5 minutes.
_________________
Cheat Requests/Tables- Fearless Cheat Engine
https://fearlessrevolution.com
H4x0rBattie
Advanced Cheater
Reputation: 0

Joined: 10 Nov 2016
Posts: 58

Posted: Tue Nov 22, 2016 6:32 pm

I do have a static pointer. The current offset is: 143089DE8

Code:

.edata:0000000144B66876                 mov     rsi, cs:off_143089DE8


Then I follow instructions given in this thread:

Memory View
Tools > Auto Assemble
Template > AOB Injection

The output for 144B66876: If I do the same for 143089DE8, there are no opcodes that even come close to the signature produced by the IDA sigmaker plugin.

Quote:

{
Version:
Date : 2016-11-23
Author :

This script does blah blah blah
}

[ENABLE]

aobscanmodule(TEST,bf1.exe,48 8B 01 4C 8D 45 A0 48 8D) // should be unique
alloc(newmem,$1000,"bf1.exe"+4B0DB78)

label(code)
label(return)

newmem:

code:
mov rax,[rcx]
lea r8,[rbp-60]
jmp return

TEST:
jmp newmem
nop
nop
return:
registersymbol(TEST)

[DISABLE]

TEST:
db 48 8B 01 4C 8D 45 A0

unregistersymbol(TEST)
dealloc(newmem)

{
// ORIGINAL CODE - INJECTION POINT: "bf1.exe"+4B0DB78

"bf1.exe"+4B0DB4F: F2 0F 11 45 98 - movsd [rbp-68],xmm0
"bf1.exe"+4B0DB54: 48 8D 44 24 58 - lea rax,[rsp+58]
"bf1.exe"+4B0DB59: 48 89 44 24 78 - mov [rsp+78],rax
"bf1.exe"+4B0DB5E: 4D 8D BE 08 02 00 00 - lea r15,[r14+00000208]
"bf1.exe"+4B0DB65: 31 DB - xor ebx,ebx
"bf1.exe"+4B0DB67: 49 8B 76 38 - mov rsi,[r14+38]
"bf1.exe"+4B0DB6B: 49 8B 7E 30 - mov rdi,[r14+30]
"bf1.exe"+4B0DB6F: 48 39 F7 - cmp rdi,rsi
"bf1.exe"+4B0DB72: 74 27 - je bf1.exe+4B0DB9B
"bf1.exe"+4B0DB74: 48 8B 4F 08 - mov rcx,[rdi+08]
// ---------- INJECTING HERE ----------
"bf1.exe"+4B0DB78: 48 8B 01 - mov rax,[rcx]
"bf1.exe"+4B0DB7B: 4C 8D 45 A0 - lea r8,[rbp-60]
// ---------- DONE INJECTING ----------
"bf1.exe"+4B0DB7F: 48 8D 54 24 78 - lea rdx,[rsp+78]
"bf1.exe"+4B0DB84: FF 50 08 - call qword ptr [rax+08]
"bf1.exe"+4B0DB87: 48 89 84 DD 50 01 00 00 - mov [rbp+rbx*8+00000150],rax
"bf1.exe"+4B0DB8F: 48 83 C7 10 - add rdi,10
"bf1.exe"+4B0DB93: 8D 5B 01 - lea ebx,[rbx+01]
"bf1.exe"+4B0DB96: 48 39 F7 - cmp rdi,rsi
"bf1.exe"+4B0DB99: 75 D9 - jne bf1.exe+4B0DB74
"bf1.exe"+4B0DB9B: 44 8B A5 08 01 00 00 - mov r12d,[rbp+00000108]
"bf1.exe"+4B0DBA2: 8B 7D 78 - mov edi,[rbp+78]
"bf1.exe"+4B0DBA5: 45 85 E4 - test r12d,r12d
}



I don't find any ASM code from the results that even comes close to \x48\x8B\x35\x00\x00\x00\x00\x48\x8B\x2D\x00\x00\x00\x00\x48\x39\xEE xxx????xxx????xxx <--- This code sig is produced by IDA sigmaker plugin.

How do I find the above pattern with CE assuming I don't know it beforehand?

Now you know why I opened this thread. I was not asking you to help me with converting signatures ... *SIGH*

I hope you got now what I am after.

_________________
ParkourPenguin
I post too much
Reputation: 138

Joined: 06 Jul 2014
Posts: 4275

Posted: Tue Nov 22, 2016 9:18 pm

  1. highlight the instruction in the disassembler
  2. what Zanzer said
  3. look at the signature in the aobscan

_________________
I don't know where I'm going, but I'll figure it out when I get there.
Zanzer
I post too much
Reputation: 126

Joined: 09 Jun 2013
Posts: 3278

Posted: Tue Nov 22, 2016 9:43 pm

Set the Value Type to Array of byte
Select the Writable checkbox so that it is shaded gray
Scan the value 48 8B 35 ?? ?? ?? ?? 48 8B 2D ?? ?? ?? ?? 48 39 EE
Right-click the found address and select Disassemble this memory region
Congratulations, you can now see where the signature you took is pointing
H4x0rBattie
Advanced Cheater
Reputation: 0

Joined: 10 Nov 2016
Posts: 58

Posted: Tue Nov 22, 2016 10:54 pm

Zanzer wrote:
Set the Value Type to Array of byte
Select the Writable checkbox so that it is shaded gray
Scan the value 48 8B 35 ?? ?? ?? ?? 48 8B 2D ?? ?? ?? ?? 48 39 EE
Right-click the found address and select Disassemble this memory region
Congratulations, you can now see where the signature you took is pointing


Thanks. My question was:

I don't know beforehand the signature "48 8B 35 ?? ?? ?? ?? 48 8B 2D ?? ?? ?? ?? 48 39 EE"

I only know the following offset after a pointer scan: 143089DE8

How do I find 144B66876 with CE when I only know a static base address of 143089DE8?

Remember IDA + sigmaker plugin did this for me. Basically that is a noob friendly way if you know how to traverse functions in IDA.
Quote:

.edata:0000000144B66876 mov rsi, cs:off_143089DE8


Is it found out what access pointer pointed at 143089DE8 and then I should get an instruction? When I view 144B66876 in CE memory viewer I have the same bytes as in the signature.

And now I remember doing this before but I forgot how to LOL.

Anyway, how do I know what bytes I should mask as ?? This is where the plugin is coming from.

EDIT: Find out what accesses that static pointer did the trick.

Now this thread has become a basic/medium skill reversing tutorial :)

_________________
Kavvman
Master Cheater
Reputation: 2

Joined: 17 Apr 2004
Posts: 316

Posted: Wed Nov 23, 2016 3:40 am

I think you need to understand what "48 8B 35 ?? ?? ?? ?? 48 8B 2D ?? ?? ?? ?? 48 39 EE" and 143089DE8 actually are before you touch IDA or the sigmaker plugin.

But good thing you figured it out.

_________________
...
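
Added example, not part of the original thread and not the code of the `mem` helper quoted in it: what the pattern/mask pair and the trailing `3` mean, shown on constructed bytes. It assumes `FindPatternEx` is a masked byte search and that `ResolveRelativePtr(addr, 3)` adds the signed 32-bit displacement at offset 3 to the address of the next instruction; `find_pattern`, `resolve_rel32`, `SAMPLE` and `SAMPLE_BASE` are hypothetical names, and the first displacement is derived from the two addresses quoted in the thread.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Pattern and mask as posted in the thread: 'x' = byte must match,
   '?' = wildcard (the disp32 bytes, which differ from build to build). */
static const uint8_t PATTERN[] =
    "\x48\x8B\x35\x00\x00\x00\x00\x48\x8B\x2D\x00\x00\x00\x00\x48\x39\xEE";
static const char MASK[] = "xxx????xxx????xxx";

/* Constructed sample bytes (not dumped from any binary). The first disp32 is
   0x143089DE8 - (0x144B66876 + 7); the second is arbitrary. */
static const uint8_t SAMPLE[] = {
    0x90, 0x90, 0x90, 0x90,                     /* filler */
    0x48, 0x8B, 0x35, 0x6B, 0x35, 0x52, 0xFE,   /* mov rsi,[rip+disp32] */
    0x48, 0x8B, 0x2D, 0x10, 0x20, 0x30, 0x00,   /* mov rbp,[rip+disp32] */
    0x48, 0x39, 0xEE                            /* cmp rsi,rbp */
};
static const uint64_t SAMPLE_BASE = 0x144B66872ULL; /* assumed address of SAMPLE[0] */

/* Offset of the first masked match in buf, or -1 if there is none. */
static long find_pattern(const uint8_t *buf, size_t len,
                         const uint8_t *pat, const char *mask)
{
    size_t n = strlen(mask);
    for (size_t i = 0; n > 0 && i + n <= len; i++) {
        size_t j = 0;
        while (j < n && (mask[j] == '?' || buf[i + j] == pat[j])) j++;
        if (j == n) return (long)i;
    }
    return -1;
}

/* RIP-relative operand: the signed disp32 at match+disp_off is added to the
   address of the next instruction, assumed to start right after the disp32. */
static uint64_t resolve_rel32(const uint8_t *buf, uint64_t base,
                              size_t match, size_t disp_off)
{
    int32_t disp;
    memcpy(&disp, buf + match + disp_off, sizeof disp); /* little-endian host */
    return base + match + disp_off + 4 + (uint64_t)(int64_t)disp;
}

static long sample_match(void) { return find_pattern(SAMPLE, sizeof SAMPLE, PATTERN, MASK); }
static uint64_t sample_target(void) { return resolve_rel32(SAMPLE, SAMPLE_BASE, (size_t)sample_match(), 3); }
int main(void) {
    printf("match +%ld -> 0x%llX\n", sample_match(), (unsigned long long)sample_target());
    return 0;
}
```

The wildcard positions are exactly the two disp32 fields, which is why the opcode and ModRM bytes stay fixed in the signature while the masked bytes are free to change.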
All times are GMT - 6 Hours