[Solved] Can someone post a good tutorial explaining signature finding without plugins?


Kalist

Newbie
Full Member
Jul 5, 2015
I'm having a hard time wrapping my head around the logic behind array of bytes and masks, when to use wildcards etc. Could someone post a tutorial or reading material that helped some of you "conquer" these "memory obstacles".

Liduen

Hacker
Dank Tier VIP
May 19, 2013
Exactly, I want to create my signature manually by writing down the bytes. Fleep doesn't cover this I'm afraid, he just mentions quickly that it's possible to do for those that wish to.

(by "locate" I meant "create", my fault)
I said that Fleep covers topics like "how to find the address / location of what you're searching for".
I didn't say anything about him covering creating signatures. ;)
But let me try to explain how this stuff works.

This post from me includes an image of disassembly from a keygenme file https://guidedhacking.com/showthread.php?6511-KeygenMe&p=32570&viewfull=1#post32570.

From left to right:
1. addresses
2. bytes
3. disassembly
4. my comments

Let's say I want to find the instructions starting where I placed the breakpoint (red), and I don't know the addresses.
I found them at runtime once, but I don't want to search for them after every update of the game.
So I take a look at the bytes and create the signature.

There are a few things you should keep in mind.
Bytes of relative / absolute jump instructions like at 0xED16CD are likely to change during a fresh compile of an executable.
Including them in our signature wouldn't be smart because if one byte changes the entire signature will be "broken".
This is why we use masks for our signatures. Marking these bytes with a '?' tells the "findSignature()" method to ignore these bytes.

So the signature would start like this:
8B 4D 08 03 4D F8 0F BE 01 ...

I hope this helps :)
Kalist

Newbie
Full Member
Jul 5, 2015
Yeah, but they're all like: "Look at this sigscan I made, you can use it to make your life easier". Unfortunately they don't go in depth into how you manually locate the AOBs that make up a signature; they just tell you this or that sigscan I made can save you the "tedious" trouble of creating your own signature. Do you HAVE to write a sigscanner to find a sig? I thought it was just trial and error.

Liduen

Hacker
Dank Tier VIP
May 19, 2013
Yeah, but they're all like: "Look at this sigscan I made, you can use it to make your life easier". Unfortunately they don't go in depth into how you manually locate the AOBs that make up a signature; they just tell you this or that sigscan I made can save you the "tedious" trouble of creating your own signature. Do you HAVE to write a sigscanner to find a sig? I thought it was just trial and error.
In order to find a signature you have to write a signature scanner, no shit :D

how you manually locate the AOB's that make up a signature
RCE the part of the game you want to know more about using Cheat Engine, Olly, or any other debugger of your choice.
Once you have found the function, the hardcoded address, the offset, or whatever else, you can make a signature out of the array of bytes (AOB) surrounding it.

I suggest you read this:
https://guidedhacking.com/showthread.php?4543-Array-of-bytes-in-DLL-hack

Kalist

Newbie
Full Member
Jul 5, 2015
Yes but the sigscan is something you do at run-time, right? It's a part of the DLL module. But the first Signature itself, to lay a foundation, you find on your own through a debugger before creating the sigscan. And also, thanks for the link, but unfortunately the guy in that thread uses a plugin to locate the signature.

till0sch

Respected Hacker
Dank Tier VIP
Dank Tier Donator
Oct 14, 2012
Yes but the sigscan is something you do at run-time, right? It's a part of the DLL module. But the first Signature itself, to lay a foundation, you find on your own through a debugger before creating the sigscan. And also, thanks for the link, but unfortunately the guy in that thread uses a plugin to locate the signature.
How to initially do a sig without a plugin, is that what you want?

Liduen

Hacker
Dank Tier VIP
May 19, 2013
Yes but the sigscan is something you do at run-time, right? It's a part of the DLL module. But the first Signature itself, to lay a foundation, you find on your own through a debugger before creating the sigscan. And also, thanks for the link, but unfortunately the guy in that thread uses a plugin to locate the signature.
No, Syperus wasn't using the plugin to locate the signature; he was using it to create the signature. It's just for time-saving purposes.
You can also just go ahead and write down the bytes yourself (manually).

If you are wondering how to find the address / location of what you're searching for (that can be an attack function, the health-decreasing instructions, offsets, etc.), I highly recommend watching Fleep's tutorials.
He covers most of this stuff.

Edit: Are you sure you read what I advised you to read? This covers exactly how to find and create a searchable signature.

Kalist

Newbie
Full Member
Jul 5, 2015
Exactly, I want to create my signature manually by writing down the bytes. Fleep doesn't cover this I'm afraid, he just mentions quickly that it's possible to do for those that wish to.

(by "locate" I meant "create", my fault)

artfulwave

Banned
Silenced
Feb 2, 2013
Are you sure you are accurate? Maybe the module contains another similar signature like the one you used.
That's why the plugin eases everything. Now explain how to check if your signature is unique (I am looking for that).
1) Create signature ( OK )
2) Check if it exists ( Awaiting... )

Liduen

Hacker
Dank Tier VIP
May 19, 2013
Are you sure you are accurate? Maybe the module contains another similar signature like the one you used.
That's why the plugin eases everything. Now explain how to check if your signature is unique (I am looking for that).
1) Create signature ( OK )
2) Check if it exists ( Awaiting... )
The plugin is just as reliable as the user in front of the monitor.
2.)
C++:
for(;sigScan(/*args*/);) printf("Sig found\n"); // assuming sigScan starts at last match+1 and returns NULL if no match
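To make both points in this thread concrete (masking the bytes of a jump so the pattern survives a recompile, as in the accepted answer, and checking that a signature matches exactly once, as in the loop above), here is a small masked pattern scanner. It is added example code, not Liduen's `sigScan` or anything from Cheat Engine; the text pattern syntax (`?` or `??` for a wildcard), the byte buffer that stands in for a module's code section, and the function names are all assumptions made for the example. The buffer contains the instruction bytes quoted in the accepted answer twice, followed by a `jne` whose rel32 displacement differs between the two copies, which is exactly the kind of byte that should be masked.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <sstream>
#include <string>
#include <vector>

// One element of a parsed pattern: the expected byte and whether it must match.
// mustMatch == false is a wildcard ('?' in the text form), i.e. a masked byte.
struct PatternByte {
    uint8_t value;
    bool    mustMatch;
};

// Parse a text pattern such as "8B 4D 08 ? ? ? ? 0F BE 01" (this syntax is an
// assumption made for the example; "?" and "??" are both accepted as wildcards).
std::vector<PatternByte> parsePattern(const std::string& text) {
    std::vector<PatternByte> pattern;
    std::istringstream in(text);
    std::string token;
    while (in >> token) {
        if (token == "?" || token == "??") {
            pattern.push_back({0x00, false});
        } else {
            pattern.push_back({static_cast<uint8_t>(std::stoul(token, nullptr, 16)), true});
        }
    }
    return pattern;
}

// Return every offset in data[0, size) where the masked pattern matches.
// Unlike a scanner that stops at the first hit, this keeps going so the caller
// can tell "unique" (one hit) from "ambiguous" (several hits).
std::vector<size_t> findAllMatches(const uint8_t* data, size_t size,
                                   const std::vector<PatternByte>& pattern) {
    std::vector<size_t> hits;
    if (pattern.empty() || pattern.size() > size) return hits;
    for (size_t i = 0; i + pattern.size() <= size; ++i) {
        bool matched = true;
        for (size_t j = 0; j < pattern.size(); ++j) {
            if (pattern[j].mustMatch && data[i + j] != pattern[j].value) {
                matched = false;
                break;
            }
        }
        if (matched) hits.push_back(i);
    }
    return hits;
}

// Constructed stand-in for a module's code section: the bytes quoted in the
// accepted answer (mov ecx,[ebp+8] / add ecx,[ebp-8] / movsx eax,byte ptr [ecx])
// appear twice, each followed by a jne rel32 whose displacement differs, the way
// the same function can re-encode after a recompile.
static const uint8_t kSampleModule[] = {
    0x90, 0x90,                                             // filler
    0x8B, 0x4D, 0x08, 0x03, 0x4D, 0xF8, 0x0F, 0xBE, 0x01,   // first copy
    0x0F, 0x85, 0x88, 0x00, 0x00, 0x00,                     // jne +0x88
    0xCC, 0xCC,                                             // filler
    0x8B, 0x4D, 0x08, 0x03, 0x4D, 0xF8, 0x0F, 0xBE, 0x01,   // second copy
    0x0F, 0x85, 0x12, 0x00, 0x00, 0x00,                     // same jne, other displacement
    0x8B, 0x4E, 0x24,                                       // mov ecx,[esi+0x24]
};

// Scan the constructed module for a text pattern and return all hit offsets.
std::vector<size_t> scanSample(const std::string& patternText) {
    return findAllMatches(kSampleModule, sizeof(kSampleModule), parsePattern(patternText));
}

// A signature is usable only if it matches exactly once.
bool isUniqueInSample(const std::string& patternText) {
    return scanSample(patternText).size() == 1;
}

int main() {
    const char* candidates[] = {
        "8B 4D 08 03 4D F8 0F BE 01",                         // too short: 2 hits
        "8B 4D 08 03 4D F8 0F BE 01 0F 85 88 00 00 00",       // hard-coded rel32: 1 hit here,
                                                              // but misses the re-encoded copy
        "8B 4D 08 03 4D F8 0F BE 01 0F 85 ? ? ? ? 8B 4E 24",  // masked + trailing context: 1 hit
    };
    for (const char* c : candidates) {
        std::vector<size_t> hits = scanSample(c);
        std::printf("%-52s -> %zu hit(s)%s\n", c, hits.size(),
                    hits.size() == 1 ? " (unique)" : "");
    }
    return 0;
}
```

The second candidate shows the trap the accepted answer warns about: it happens to be unique in this buffer, but only because it pins one particular displacement, so the recompiled copy at the second location is silently missed. Masking those four bytes and adding context after the jump gives a pattern that is both unique and stable.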

artfulwave

Banned
Silenced
Feb 2, 2013
The plugin is just as reliable as the user in front of the monitor.
2.)
C++:
for(;sigScan(/*args*/);) printf("Sig found\n"); // assuming sigScan starts at last match+1 and returns NULL if no match
The plugin gets the opcode like human beings do and then searches the module to see if it exists more than once. If so, it tells the user to find another (more or less).
I am asking: if you are making the signature manually, how do you check for that without writing a signature scanner?

Either there is miscommunication or you are reading 3 posts at once.

Liduen

Hacker
Dank Tier VIP
May 19, 2013
... check for that without writing a signature scanner...
It's not possible.

You have to write your own signature scanner at some point. What the hell is so complicated about that?
Plugin or self-implemented, both ways are easy to go with.

Syperus

RTFM
Meme Tier VIP
Dank Tier Donator
Oct 29, 2012
As Liduen posted earlier, I wrote a tutorial on how to do this with plugins, but I understand your wanting to do this manually. It is possible to write your own signature. Using CE it's very easy if you're going to be using aobscans with a cheat table; a little different, though, if writing a trainer. Hopefully this will also help someone else in the future. To write your signature with wildcards, locate the address you're going to alter and grab the bytes from a few lines above the address you're wanting to modify to a few lines past it. Here's an example on the game I was working on:
[Attachment: CEBytes.jpg]
In this example I only selected a couple of lines, but generally you'd want to select a couple more on top of this for a stronger signature.
Notice the blue block. Those are usually the bytes you want to make your wildcards, since the memory is likely to change between runs. So take those bytes, which look like this:
C++:
66 83 7E 1C 00 0F85 88000000 8B 4E 24 8B 01
and they would become:
C++:
66 83 7E 1C 00 ?? ?? ?? ?? ?? ?? 8B 4E 24 8B 01
Again this would be for using aobscans in a CE table, but it's the same concept as AOBs for trainers. Hope this helps! :)

Edit: Thanks Liduen for the Wiki page link. That looks like it will be a good read! :)
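The "blue block" in the post above, `0F85 88000000`, is a `jne rel32`: the opcode `0F 85` followed by a little-endian 32-bit displacement measured from the end of the instruction. The displacement only depends on the distance between the jump and its target, so it is rewritten whenever a recompile moves code in between, which is why those four bytes (and not the opcode) are the ones to wildcard. The following added example (not code from Cheat Engine or from the thread) encodes and decodes that instruction to show the effect; the addresses `0x00401000` and the 4-byte shift are constructed for the illustration.

```cpp
#include <array>
#include <cstddef>
#include <cstdint>
#include <cstdio>

// A jne rel32 is six bytes: the opcode 0F 85 followed by a little-endian
// 32-bit displacement. The displacement is relative to the address of the
// instruction that FOLLOWS the jne (its own address + 6).
constexpr size_t kJneLen = 6;
using JneBytes = std::array<uint8_t, kJneLen>;

// Encode "jne target" for a jne located at address `at` (32-bit x86).
JneBytes encodeJne(uint32_t at, uint32_t target) {
    uint32_t disp = target - (at + kJneLen);   // unsigned wrap-around covers backward jumps
    return {0x0F, 0x85,
            static_cast<uint8_t>(disp),
            static_cast<uint8_t>(disp >> 8),
            static_cast<uint8_t>(disp >> 16),
            static_cast<uint8_t>(disp >> 24)};
}

// Recover the jump target from the bytes of a jne rel32 located at `at`.
uint32_t decodeJneTarget(uint32_t at, const JneBytes& b) {
    uint32_t disp = static_cast<uint32_t>(b[2])
                  | (static_cast<uint32_t>(b[3]) << 8)
                  | (static_cast<uint32_t>(b[4]) << 16)
                  | (static_cast<uint32_t>(b[5]) << 24);
    return at + kJneLen + disp;
}

// Count how many of the six bytes differ between two encodings of the jump.
size_t countDifferingBytes(const JneBytes& a, const JneBytes& b) {
    size_t n = 0;
    for (size_t i = 0; i < kJneLen; ++i) n += (a[i] != b[i]);
    return n;
}

static void dump(const char* label, const JneBytes& b) {
    std::printf("%-28s", label);
    for (uint8_t v : b) std::printf(" %02X", v);
    std::printf("\n");
}

int main() {
    // Constructed: the jne sits at 0x00401000 and skips 0x88 bytes, giving the
    // exact bytes from the post above: 0F 85 88 00 00 00.
    const uint32_t jneAddr = 0x00401000;
    JneBytes original = encodeJne(jneAddr, jneAddr + kJneLen + 0x88);
    // Pretend a recompile inserted 4 bytes between the jne and its target.
    JneBytes rebuilt  = encodeJne(jneAddr, jneAddr + kJneLen + 0x8C);

    dump("original build:", original);
    dump("after recompile:", rebuilt);
    std::printf("target of original: 0x%08X\n", decodeJneTarget(jneAddr, original));
    std::printf("bytes that changed: %zu (opcode 0F 85 is stable)\n",
                countDifferingBytes(original, rebuilt));
    return 0;
}
```

Only the displacement byte changes here; the opcode stays put. That is the general rule behind the wildcard choice: keep opcodes and register-encoding bytes, mask displacements and absolute addresses.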

artfulwave

Banned
Silenced
Feb 2, 2013
Have I told you I can't?? You said you can do it manually without any problem, didn't you? I found the problem. Then you are mistaken.