H4x0rBattie Advanced Cheater Reputation: 0
Joined: 10 Nov 2016 Posts: 58
Posted: Mon Nov 21, 2016 9:30 pm Post subject: Is there a signature maker plugin available for CE?

I am looking for something like the sigmaker plugin for IDA. It is very time-consuming and difficult to create a signature by hand.
A 64-bit sigmaker plugin equivalent to the IDA one. I am sure every CE user would like to have one.
Or is this kind of plugin only available for IDA? Maybe I am an idiot, but I have never found a function as easily with CE.
Last edited by H4x0rBattie on Mon Nov 21, 2016 9:53 pm; edited 1 time in total

Zanzer I post too much Reputation: 126
Joined: 09 Jun 2013 Posts: 3278
Posted: Mon Nov 21, 2016 9:39 pm Post subject:

...
Memory View
Tools > Auto Assemble
Template > AOB Injection
H4x0rBattie Advanced Cheater Reputation: 0
Joined: 10 Nov 2016 Posts: 58
Posted: Mon Nov 21, 2016 10:00 pm Post subject:

That plugin should return a code signature, something like the one below, based on a static pointer.
Code:
    // IDA sigmaker-style pattern + mask; the trailing 3 is the offset of the disp32
    // inside the 7-byte 'mov rsi,[rip+disp32]' that the relative pointer is resolved from
    DWORD_PTR OFFSET_pLOCALCONTROLLABLE = mem->ResolveRelativePtr(
        mem->FindPatternEx((PBYTE)"\x48\x8B\x35\x00\x00\x00\x00\x48\x8B\x2D\x00\x00\x00\x00\x48\x39\xEE",
                           "xxx????xxx????xxx"),
        3);
Zanzer I post too much Reputation: 126
Joined: 09 Jun 2013 Posts: 3278
Posted: Mon Nov 21, 2016 10:05 pm Post subject:

So you're telling me that typing in the \x yourself is too hard?
++METHOS I post too much Reputation: 92
Joined: 29 Oct 2010 Posts: 4197
Posted: Mon Nov 21, 2016 10:05 pm Post subject:

There are also custom plugins available that will convert all bytes that are not standard machine instructions into wildcard entries (i.e. hex data for the first or first two bytes on each line, and wildcard entries for the remaining bytes).
And to circumvent any issues with byte limitations for extensive AOB signatures, you can copy what you need from memory viewer, manually, so that only the bytes are copied, allowing for easy script integration.
Regarding the other stuff, a simple macro inside of notepad++ should do the trick.
H4x0rBattie Advanced Cheater Reputation: 0
Joined: 10 Nov 2016 Posts: 58
Posted: Tue Nov 22, 2016 12:35 am Post subject:

Zanzer wrote:
    So you're telling me that typing in the \x yourself is too hard?
No. I hope you don't get offended. I'm telling you that instructions you gave did not lead me to a signature I need.
STN I post too much Reputation: 42
Joined: 09 Nov 2005 Posts: 2672
Posted: Tue Nov 22, 2016 2:45 am Post subject:

You can make a quick program and format this data yourself. Won't take more than 5 minutes.
H4x0rBattie Advanced Cheater Reputation: 0
Joined: 10 Nov 2016 Posts: 58
Posted: Tue Nov 22, 2016 6:32 pm Post subject:

I do have a static pointer. The current offset is: 143089DE8
Code:
    .edata:0000000144B66876 mov rsi, cs:off_143089DE8
Then I follow the instructions given in this thread:
Memory View
Tools > Auto Assemble
Template > AOB Injection
The output for 144B66876 is below. If I do the same for 143089DE8, there are no opcodes that even come close to the signature produced by the IDA sigmaker plugin.
Code:
    {
      Version:
      Date   : 2016-11-23
      Author :

      This script does blah blah blah
    }
    [ENABLE]
    aobscanmodule(TEST,bf1.exe,48 8B 01 4C 8D 45 A0 48 8D) // should be unique
    alloc(newmem,$1000,"bf1.exe"+4B0DB78)
    label(code)
    label(return)

    newmem:

    code:
      mov rax,[rcx]
      lea r8,[rbp-60]
      jmp return

    TEST:
      jmp newmem
      nop
      nop
    return:
    registersymbol(TEST)

    [DISABLE]
    TEST:
      db 48 8B 01 4C 8D 45 A0

    unregistersymbol(TEST)
    dealloc(newmem)

    {
    // ORIGINAL CODE - INJECTION POINT: "bf1.exe"+4B0DB78
    "bf1.exe"+4B0DB4F: F2 0F 11 45 98          - movsd [rbp-68],xmm0
    "bf1.exe"+4B0DB54: 48 8D 44 24 58          - lea rax,[rsp+58]
    "bf1.exe"+4B0DB59: 48 89 44 24 78          - mov [rsp+78],rax
    "bf1.exe"+4B0DB5E: 4D 8D BE 08 02 00 00    - lea r15,[r14+00000208]
    "bf1.exe"+4B0DB65: 31 DB                   - xor ebx,ebx
    "bf1.exe"+4B0DB67: 49 8B 76 38             - mov rsi,[r14+38]
    "bf1.exe"+4B0DB6B: 49 8B 7E 30             - mov rdi,[r14+30]
    "bf1.exe"+4B0DB6F: 48 39 F7                - cmp rdi,rsi
    "bf1.exe"+4B0DB72: 74 27                   - je bf1.exe+4B0DB9B
    "bf1.exe"+4B0DB74: 48 8B 4F 08             - mov rcx,[rdi+08]
    // ---------- INJECTING HERE ----------
    "bf1.exe"+4B0DB78: 48 8B 01                - mov rax,[rcx]
    "bf1.exe"+4B0DB7B: 4C 8D 45 A0             - lea r8,[rbp-60]
    // ---------- DONE INJECTING ----------
    "bf1.exe"+4B0DB7F: 48 8D 54 24 78          - lea rdx,[rsp+78]
    "bf1.exe"+4B0DB84: FF 50 08                - call qword ptr [rax+08]
    "bf1.exe"+4B0DB87: 48 89 84 DD 50 01 00 00 - mov [rbp+rbx*8+00000150],rax
    "bf1.exe"+4B0DB8F: 48 83 C7 10             - add rdi,10
    "bf1.exe"+4B0DB93: 8D 5B 01                - lea ebx,[rbx+01]
    "bf1.exe"+4B0DB96: 48 39 F7                - cmp rdi,rsi
    "bf1.exe"+4B0DB99: 75 D9                   - jne bf1.exe+4B0DB74
    "bf1.exe"+4B0DB9B: 44 8B A5 08 01 00 00    - mov r12d,[rbp+00000108]
    "bf1.exe"+4B0DBA2: 8B 7D 78                - mov edi,[rbp+78]
    "bf1.exe"+4B0DBA5: 45 85 E4                - test r12d,r12d
    }
I don't find any ASM code in the results that even comes close to \x48\x8B\x35\x00\x00\x00\x00\x48\x8B\x2D\x00\x00\x00\x00\x48\x39\xEE xxx????xxx????xxx <--- this code signature is produced by the IDA sigmaker plugin.
How do I find the above pattern with CE, assuming I don't know it beforehand?
Now you know why I opened this thread. I was not asking you to help me with converting signatures ... *SIGH*
I hope you now understand what I am after.
ParkourPenguin I post too much Reputation: 138
Joined: 06 Jul 2014 Posts: 4275
Posted: Tue Nov 22, 2016 9:18 pm Post subject:

- highlight the instruction in the disassembler
- what Zanzer said
- look at the signature in the aobscan
Zanzer I post too much Reputation: 126
Joined: 09 Jun 2013 Posts: 3278
Posted: Tue Nov 22, 2016 9:43 pm Post subject:

Set the Value Type to Array of byte
Select the Writable checkbox so that it is shaded gray
Scan the value 48 8B 35 ?? ?? ?? ?? 48 8B 2D ?? ?? ?? ?? 48 39 EE
Right-click the found address and select Disassemble this memory region
Congratulations, you can now see where the signature you took is pointing
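
The steps above (mask the relocatable bytes, scan for the AOB with ?? wildcards, then follow the RIP-relative operand back to the static pointer) as one worked example. This is added here and is not code from any post in the thread or from Cheat Engine or IDA: a minimal Python sigmaker for the handful of one-byte x86-64 opcodes that appear in the listing earlier in the thread. It wildcards every disp32 field, emits both the CE AOB string and the IDA pattern/mask pair, does the CE-style wildcard scan over a buffer, and resolves the RIP-relative pointer the way the ResolveRelativePtr(..., 3) call from the earlier post does. The displacement bytes in the sample and the buffer around it are constructed; decode_one() only knows the opcodes listed in it and raises on anything else.

```python
"""Minimal x86-64 signature maker, CE-style AOB scan and RIP-relative resolve.

Added example for this thread, not code from any post: decode_one() knows only
the one-byte opcodes that appear in the thread's listing; anything else raises.
"""
import re
import struct
from typing import List, Set, Tuple

# Opcodes that take a ModRM byte and no immediate (mov/lea/cmp/xor/test/add/sub,
# plus the 0xFF group used by 'call qword ptr [rax+08]').
OPCODES_MODRM = {0x01, 0x03, 0x29, 0x2B, 0x31, 0x33, 0x39, 0x3B,
                 0x85, 0x89, 0x8B, 0x8D, 0xFF}
OPCODES_MODRM_IMM8 = {0x83}          # group 1: ModRM + sign-extended imm8 (add rdi,10)
OPCODES_REL8 = {0x74, 0x75, 0xEB}    # je/jne/jmp short: opcode + rel8


def decode_one(code: bytes, pos: int) -> Tuple[int, List[int]]:
    """Return (length, wildcard offsets) for the instruction at code[pos].

    Every disp32 field becomes a wildcard: [rip+disp32] points at a relocated
    global and changes with each build, and base+disp32 struct offsets tend to
    move too.  disp8, imm8 and rel8 are kept: they are stable inside a function
    and make the signature more selective.
    """
    i = pos
    if 0x40 <= code[i] <= 0x4F:                 # REX prefix
        i += 1
    op = code[i]
    i += 1
    wild: List[int] = []
    if op in OPCODES_REL8:
        return i + 1 - pos, wild
    if op not in OPCODES_MODRM and op not in OPCODES_MODRM_IMM8:
        raise ValueError(f"unsupported opcode 0x{op:02X} at offset {pos}")
    modrm = code[i]
    i += 1
    mod, rm = modrm >> 6, modrm & 7
    if mod != 3:                                # memory operand
        if rm == 4:                             # SIB byte follows
            sib = code[i]
            i += 1
            if mod == 0 and (sib & 7) == 5:     # [index*scale+disp32], no base
                wild.extend(range(i - pos, i - pos + 4))
                i += 4
        if mod == 0 and rm == 5:                # [rip+disp32]
            wild.extend(range(i - pos, i - pos + 4))
            i += 4
        elif mod == 1:                          # [base+disp8]
            i += 1
        elif mod == 2:                          # [base+disp32]
            wild.extend(range(i - pos, i - pos + 4))
            i += 4
    if op in OPCODES_MODRM_IMM8:
        i += 1
    return i - pos, wild


def make_signature(code: bytes) -> Tuple[str, str, str]:
    """Return (CE AOB string, IDA pattern string, IDA mask) for a run of instructions."""
    wild: Set[int] = set()
    pos = 0
    while pos < len(code):
        length, offsets = decode_one(code, pos)
        wild.update(pos + o for o in offsets)
        pos += length
    ce_aob = " ".join("??" if k in wild else f"{b:02X}" for k, b in enumerate(code))
    pattern = "".join("\\x00" if k in wild else f"\\x{b:02X}" for k, b in enumerate(code))
    mask = "".join("?" if k in wild else "x" for k in range(len(code)))
    return ce_aob, pattern, mask


def find_pattern(haystack: bytes, ce_aob: str) -> int:
    """CE-style AOB scan ('48 8B 35 ?? ?? ?? ?? ...'): offset of the first hit, or -1."""
    rx = b"".join(b"." if t == "??" else re.escape(bytes([int(t, 16)]))
                  for t in ce_aob.split())
    m = re.search(rx, haystack, re.DOTALL)
    return m.start() if m else -1


def resolve_rip_relative(haystack: bytes, hit: int, disp_offset: int, base: int) -> int:
    """What ResolveRelativePtr(addr, 3) computes: next-instruction RIP + disp32.

    Assumes the disp32 is the last field of the instruction, as in
    'mov rsi,[rip+disp32]', so the instruction ends at disp_offset + 4.
    """
    disp = struct.unpack_from("<i", haystack, hit + disp_offset)[0]
    return base + hit + disp_offset + 4 + disp


# Constructed sample: the three instructions behind the thread's IDA signature,
# as if they sat at 0x144B66876 inside a buffer that starts 16 bytes earlier.
# The first disp32 is chosen so 'mov rsi' resolves to the thread's static
# pointer 0x143089DE8; the second disp32 is arbitrary filler.
SAMPLE_ADDR = 0x144B66876
SAMPLE_CODE = bytes.fromhex("488B35" "6B3552FE"    # mov rsi,[rip+disp32]
                            "488B2D" "78563412"    # mov rbp,[rip+disp32]
                            "4839EE")              # cmp rsi,rbp
SAMPLE_BUFFER = b"\x90" * 16 + SAMPLE_CODE + b"\xCC" * 8
SAMPLE_BASE = SAMPLE_ADDR - 16


def main() -> None:
    ce_aob, pattern, mask = make_signature(SAMPLE_CODE)
    print("CE AOB  :", ce_aob)
    print("IDA sig :", f'"{pattern}", "{mask}"')
    hit = find_pattern(SAMPLE_BUFFER, ce_aob)
    print("found at:", hex(SAMPLE_BASE + hit))
    print("points  :", hex(resolve_rip_relative(SAMPLE_BUFFER, hit, 3, SAMPLE_BASE)))


if __name__ == "__main__":
    main()
```

Run it as-is and it prints the same AOB and pattern/mask pair quoted in the thread, then resolves the first mov back to 143089DE8. Feeding make_signature() the seven bytes at the CE injection point (48 8B 01 4C 8D 45 A0) yields no wildcards, because a disp8 like [rbp-60] is kept, while the lea r15,[r14+00000208] and mov r12d,[rbp+00000108] lines from the listing get their disp32 masked. Whether disp32 struct offsets should be masked is a judgment call; masking them trades selectivity for resilience across patches, and the thread's IDA output only masks the two RIP-relative ones.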
H4x0rBattie Advanced Cheater Reputation: 0
Joined: 10 Nov 2016 Posts: 58
Posted: Tue Nov 22, 2016 10:54 pm Post subject:

Zanzer wrote:
    Set the Value Type to Array of byte
    Select the Writable checkbox so that it is shaded gray
    Scan the value 48 8B 35 ?? ?? ?? ?? 48 8B 2D ?? ?? ?? ?? 48 39 EE
    Right-click the found address and select Disassemble this memory region
    Congratulations, you can now see where the signature you took is pointing
Thanks. My question was:
I don't know the signature "48 8B 35 ?? ?? ?? ?? 48 8B 2D ?? ?? ?? ?? 48 39 EE" beforehand.
I only know the following offset after a pointer scan: 143089DE8
How do I find 144B66876 with CE when I only know the static base address 143089DE8?
Remember, IDA + the sigmaker plugin did this for me. Basically that is a noob-friendly way if you know how to traverse functions in IDA.
Code:
    .edata:0000000144B66876 mov rsi, cs:off_143089DE8
Is it "Find out what accesses this address" on the pointer at 143089DE8, and then I should get an instruction? When I view 144B66876 in the CE memory viewer I have the same bytes as in the signature.
And now I remember doing this before, but I forgot how, LOL.
Anyway, how do I know which bytes I should mask as ??? This is where the plugin comes in.
EDIT: "Find out what accesses this address" on that static pointer did the trick.
Now this thread has become a basic/medium-skill reversing tutorial.
Kavvman Master Cheater Reputation: 2
Joined: 17 Apr 2004 Posts: 316
Posted: Wed Nov 23, 2016 3:40 am Post subject:

I think you need to understand what "48 8B 35 ?? ?? ?? ?? 48 8B 2D ?? ?? ?? ?? 48 39 EE" and 143089DE8 actually are before you touch IDA or sigmaker plugin.
But good thing you figured it out