Outdated C++ - Signature Scan / Pattern Scanning Tutorial

  • WARNING: You are viewing the Legacy Fleep section which contains old and badly explained tutorials. You should not use these old tutorials. Our best, new tutorials are posted here and here.

Rake

Cesspool Admin
Administrator
Jan 21, 2014
Updated for 2019
Projects re-created & tested working in VS 2017
Tested working on Windows 10
Attachment updated
Code & Project cleaned up and properly archived using SolZipper
The game updated, here is the new pattern to use:
C++:
"\x8B\x56\x18\x89\x0A\x8B\x76\x14\xFF\x0E\x57\x8B\x7C\x24\x14\x8D\x74\x24\x28\xE8\x87\xE3\xFF\xFF"


All Fleep Tutorials require special compiler settings

If you make a new project from scratch, you must set these project properties:

-Switch from Unicode to Multi Byte Character Set
-Set C++ -> All Options -> Permissive Conformance Mode: NO
-Linker -> Manifest File -> Require Administrator
-C++ -> Precompiled Header -> Not Using Precompiled Headers
-C++ -> Add Preprocessor directive: _CRT_SECURE_NO_WARNINGS

Alternatively, download the attachment and use the pre-made project.



Hey guys, here's a tutorial on pattern scanning.

Although not very useful by itself, the pattern/signature scan can be extremely helpful when using code caves/hooks and so on.

The next tutorial will be on code caves/mid function hooks, where we will use this to make our lives very easy when hacking.

Hope you enjoy.

PROGRAMS REQUIRED
Visual Studio C++ Express 2008/2010 or 2012 (now Visual Studio Community)
Cheat Engine
AssaultCube game
OllyDBG https://www.ollydbg.de/
Find the OllyDBG SigMaker plugin using Google


Here is some sample code:
C++:
#include <Windows.h>
#include <iostream>
#include "Functions.h"

using namespace std;
char AmmoOpCode[] = "\x90\x90"; // two NOP bytes, same length as the instruction being replaced

void InitiateHooks()
{
    // In the mask, 'x' means the byte must match and '?' is a wildcard
    DWORD ammoAddy = FindPattern("ac_client.exe", "\x8B\x56\x18\x89\x0A\x8B\x76\x14\xFF\x0E\x57\x8B\x7C\x24\x14\x8D\x74\x24\x28\xE8\x87\xE3\xFF\xFF", "xxxxxxxxxxxxxxxxxxxx????");
    ammoAddy += 8; // address to NOP is offset 8 bytes from the address of this pattern

    MsgBoxAddy(ammoAddy);
    WriteToMemory(ammoAddy, AmmoOpCode, 2);
}

BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        InitiateHooks();
        break;
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}
As you can see simple stuff, download the full source below if you would like to see the comments. -Fleep
 


Rake

Well done, Fleep! :)

Thank you for making and sharing this tutorial with us! :challenge:
 

keto

Dank Tier Donator
Nobleman
May 25, 2013
Very well. I always love the quality of your videos. Thank you.
 

Marcus

Jr.Coder
Full Member
Nobleman
Jan 28, 2013
Thank you fleep for another great tutorial!

Edit: hmm. How come it's private?
 

Drew

Newbie
Full Member
Aug 21, 2013
Do you have to use +5 all the time for every address you find?
Does this only work for injected DLLs, because I know a way to get the module address without injecting into the game, and that is using MODULEENTRY32 stuff?
 

till0sch

Respected Hacker
Dank Tier VIP
Dank Tier Donator
Oct 14, 2012
> Do you have to use +5 all the time for every address you find?
> Does this only work for injected DLLs, because I know a way to get the module address without injecting into the game, and that is using MODULEENTRY32 stuff?
This only works internally because of the FindPattern function.. That's the advantage, it's much faster. Otherwise you'd have to use ReadProcessMemory which slows it down incredibly..
 

Fleep

Founder
Meme Tier VIP
May 20, 2012
> This only works internally because of the FindPattern function.. That's the advantage, it's much faster. Otherwise you'd have to use ReadProcessMemory which slows it down incredibly..

Yh externally is definitely slower. From what I've found out, an entire process scan will take about 10 secs externally (depending on bytes), so I assume a single module scan would take about 3 or so secs.

It's not too bad if you have no other choice, but if possible internal is the way to go.

Fleep
 

brinkz

Coder
Meme Tier VIP
Sep 3, 2012
You can always RPM some bytes at once, check them, if sig isn't included, RPM next and so on.
Is actually pretty fast.
 

c5

Kim Kong Trasher
Dank Tier VIP
Dank Tier Donator
Jul 19, 2012
Especially if you do it in a specific region you expect the sig to be at first
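
Added example (not part of the thread, and not the FindPattern from the tutorial's Functions.h): a masked signature search over a constructed byte buffer, plus the chunk-at-a-time variant brinkz and c5 describe above. It shows that chunked reads have to overlap by the pattern length minus one, otherwise a signature that straddles a chunk boundary is missed. The function names and the sample buffer are assumptions; each chunk copy stands in for one bulk read such as ReadProcessMemory.

```cpp
#include <algorithm>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

// Signature and mask from the first post: 'x' = compare, '?' = wildcard.
const uint8_t kSig[] = {0x8B,0x56,0x18,0x89,0x0A,0x8B,0x76,0x14,0xFF,0x0E,0x57,0x8B,
                        0x7C,0x24,0x14,0x8D,0x74,0x24,0x28,0xE8,0x87,0xE3,0xFF,0xFF};
const char kMask[] = "xxxxxxxxxx" "xxxxxxxxxx" "????";

// Hypothetical helper: offset of the first match in buf, or -1.
// The length comes from the mask, so 0x00 bytes inside a pattern are harmless.
long FindInBuffer(const uint8_t* buf, size_t size, const uint8_t* pat, const char* mask) {
    const size_t len = std::strlen(mask);
    for (size_t i = 0; len != 0 && i + len <= size; ++i) {
        size_t j = 0;
        while (j < len && (mask[j] == '?' || buf[i + j] == pat[j])) ++j;
        if (j == len) return static_cast<long>(i);
    }
    return -1;
}

// Scan `region` in reads of `chunk` bytes; each assign() stands in for one bulk read.
// With overlap, a read is extended by len-1 bytes so a straddling signature is seen whole.
long FindChunked(const std::vector<uint8_t>& region, size_t chunk, bool overlap) {
    const size_t extra = overlap ? std::strlen(kMask) - 1 : 0;
    std::vector<uint8_t> window;
    for (size_t pos = 0; chunk != 0 && pos < region.size(); pos += chunk) {
        const size_t n = std::min(chunk + extra, region.size() - pos);
        window.assign(region.begin() + pos, region.begin() + pos + n);
        const long hit = FindInBuffer(window.data(), n, kSig, kMask);
        if (hit >= 0) return static_cast<long>(pos) + hit;
    }
    return -1;
}

// Constructed sample: filler bytes, signature at offset 20 with a different 4-byte call operand.
std::vector<uint8_t> MakeSampleRegion() {
    std::vector<uint8_t> r(64, 0xCC);
    std::memcpy(r.data() + 20, kSig, 20);               // the 20 fixed bytes
    const uint8_t operand[4] = {0x10, 0x20, 0x30, 0x40}; // differs from kSig's last 4 bytes
    std::memcpy(r.data() + 40, operand, 4);
    return r;
}

int main() {
    const std::vector<uint8_t> r = MakeSampleRegion();
    std::printf("whole=%ld overlap=%ld no-overlap=%ld\n", FindInBuffer(r.data(), r.size(), kSig, kMask),
                FindChunked(r, 32, true), FindChunked(r, 32, false));
}
```

The wildcard bytes are what let the same signature survive a rebuild that changes the call displacement; an all-`x` mask on the same buffer finds nothing.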
 

Single Core

Newbie
Nov 13, 2013
I'm wondering how I could determine the OP code myself. For this example it was \x90\x90 for 2 bytes. But what would it be for more bytes?

How could I NOP these bytes? E8 5D00

Regards, Single Core
 

Rake

> I'm wondering how I could determine the OP code myself. For this example it was \x90\x90 for 2 bytes. But what would it be for more bytes?
>
> How could I NOP these bytes? E8 5D00
>
> Regards, Single Core
C++:
\x90\x90\x90 ?
 

Single Core

C++:
Address from Cheat Engine:
0041E846

Bytes From OllyDBG:
89B7 78550000 
Trying the opcode: "\x90\x90\x90\x90\x90\x90"

Signature:
\x89\xB7\x00\x00\x00\x00\xB0\x01\x5E\xC3\x8B\x8F\x00\x00\x00\x00\x8B\x01\x8B\x15\x00\x00\x00\x00

Mask:
xx????xxxxxx????xxxx????
Edit: I forgot to change the WriteToMemory function. It was still on 2 bytes. Thanks for your help, really appreciate the fast reply.
 

Anunymux

Newbie
Full Member
Jun 12, 2012
Yes, this would be great.

I have been looking for a working pattern scan function the whole day now. I made my hack completely external and in vb.net. I have a trigger, bhop, one hit kill, no recoil, rapidfire and unlimited ammo working. It is great.

But I want to use pattern scanning to avoid using all offsets again after each update. Also I try to avoid using dll files. I want to do a simple pattern scan in vb.net. Is this possible? I found a function in c# on gamedeception and I converted it to vb.net.

Nevertheless I can not get it working.

Here is the original function in c# https://www.gamedeception.net/index.php?threads/findpattern-in-c.14470/

and here is the converted one for vb.net: https://pastebin.com/1gE753wm

So here you can see my code:

sigscanner.FindPattern(New Byte() {&H83, &H96, &H5C, &H6, &H0, &H0, &H8B, &H7, &H8B, &H90, &HB4, &H5, &H0, &H0}, "xx????xxxx????", &H0))

Here you can see the bytes in olly: https://gyazo.com/153855e2a6d87b141679d7ed45ffa97c

The bytes are working since I tested them in olly and ce... nevertheless my result is always 0 :(

What could be wrong?
 