12/10/10

[Reverse] [IDA] Finding Signatures For WarRock! [MEMORY+ASM]

I posted it in the VIP section before; now it's all yours!

I'll show you how to find FastAmmo, with pictures.


For Memory Signatures:

Step 1: Open IDA Pro and open the newest WarRock.exe.
Step 2: Do Jump > Jump to address and enter the newest address, B183F0 (without the 0x/0x00 prefix).

Steps 3 to 7 (shown as screenshots in the original post):

Text must read: Save these. *Always save 10-20 bytes!!*


Step 8: Now do the same thing for the OLD address (do this in the unpacked WarRock.exe from that patch).

Step 9: Now you have an OLD pattern and a NEW pattern. How do you turn them into the signature?
Let's say we got:

New: D8 D9 D0 D1 D2 D3 D4
Old: D9 D9 D0 D1 D3 D3 D4

For every CHANGED byte you get a ?; if it is not changed you get an x.

So the mask will be:

Code:
?xxx?xx
For the pattern you use the new bytes.

In our example that would be:

Code:
\xD8\xD9\xD0\xD1\xD2\xD3\xD4

THIS IS JUST AN EXAMPLE!!!

Step 10: Now you need to tell C++ that it is a memory hack; most addy logger sources use:

Code:
DWORD  (PBYTE)"", "", 0 , true);

The 0 represents the one WE need to change. It depends on the addy you are logging; normally it's between 1 and 4 (for memory hacks; if it's wrong, your logger logs something like 0x0089384918).


For ASM Signatures:

Step 1: Open IDA Pro and open the newest WarRock.exe.
Step 2: Do Jump > Jump to address and enter the newest OPK1 address, 68570C (without the 0x/0x00 prefix).

Steps 3/4 (shown as screenshots in the original post):

Step 5: Now do the same thing for the OLD address (do this in the unpacked WarRock.exe from that patch).

Step 6 (same as Memory Step 9): Now you have an OLD pattern and a NEW pattern. How do you turn them into the signature?
Let's say we got:

New: D8 D9 D0 D1 D2 D3 D4
Old: D9 D9 D0 D1 D3 D3 D4

For every CHANGED byte you get a ?; if it is not changed you get an x.

So the mask will be:

Code:
?xxx?xx
For the pattern you use the new bytes.

In our example that would be:

Code:
\xD8\xD9\xD0\xD1\xD2\xD3\xD4

THIS IS JUST AN EXAMPLE!!!


Step 10:

Code:
DWORD  (PBYTE)"", "", 0 , 0);
OR

Code:
DWORD  (PBYTE)"", "", 0 , true);
This depends on the source you are using.



Important: Why must the byte length be 10-20?

Sometimes bytes change, so you have to use the lines of code near the original address as a reference to find the new address in the updated WarRock.exe. (quote from Vince')
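The mask rule from Step 9 / Step 6 and the 10-20 byte advice above, worked through in C++ as an added example (this is not code from the original post or from any logger source): DeriveMask builds the ?/x mask from an old and a new byte run, FindPattern is the wildcard scan that any signature-based scanner performs, and the constructed kSample buffer shows why a signature of only 3 bytes is ambiguous while the full 7 bytes match exactly once.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>
// Build the mask the post describes: '?' where the byte changed between
// builds, 'x' where it stayed the same. Inputs must be equal length.
std::string DeriveMask(const std::vector<uint8_t>& oldBytes,
                       const std::vector<uint8_t>& newBytes) {
    std::string mask;
    if (oldBytes.size() != newBytes.size()) return mask;  // empty = error
    for (std::size_t i = 0; i < newBytes.size(); ++i)
        mask += (oldBytes[i] == newBytes[i]) ? 'x' : '?';
    return mask;
}
// Return every offset where `pattern` matches `data` under `mask`:
// '?' positions match any byte, 'x' positions must match exactly.
std::vector<std::size_t> FindPattern(const std::vector<uint8_t>& data,
                                     const std::vector<uint8_t>& pattern,
                                     const std::string& mask) {
    std::vector<std::size_t> hits;
    if (pattern.empty() || pattern.size() != mask.size() ||
        pattern.size() > data.size())
        return hits;
    for (std::size_t off = 0; off + pattern.size() <= data.size(); ++off) {
        bool match = true;
        for (std::size_t i = 0; i < pattern.size() && match; ++i)
            if (mask[i] == 'x' && data[off + i] != pattern[i]) match = false;
        if (match) hits.push_back(off);
    }
    return hits;
}
// Constructed sample "code section" (not a real WarRock dump): the post's
// 7-byte example sits at offset 4, after a decoy sharing its first 3 bytes.
const std::vector<uint8_t> kSample = {
    0xD8, 0xD9, 0xD0, 0x90,                    // decoy
    0xD8, 0xD9, 0xD0, 0xD1, 0xD2, 0xD3, 0xD4,  // the real site
    0x00, 0x00};

int main() {
    // The post's example: Old D9 D9 D0 D1 D3 D3 D4 vs New D8 D9 D0 D1 D2 D3 D4.
    std::vector<uint8_t> oldB = {0xD9, 0xD9, 0xD0, 0xD1, 0xD3, 0xD3, 0xD4};
    std::vector<uint8_t> newB = {0xD8, 0xD9, 0xD0, 0xD1, 0xD2, 0xD3, 0xD4};
    std::string mask = DeriveMask(oldB, newB);                        // "?xxx?xx"
    std::vector<std::size_t> hits = FindPattern(kSample, newB, mask);  // {4}
    // Too few bytes saved: the first 3 bytes alone also hit the decoy at 0.
    std::vector<uint8_t> shortP(newB.begin(), newB.begin() + 3);
    std::vector<std::size_t> amb = FindPattern(kSample, shortP, "?xx");  // {0, 4}
    return (mask == "?xxx?xx" && hits.size() == 1 && amb.size() == 2) ? 0 : 1;
}
```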

This tutorial is for people who are just starting with finding addies!

Have fun
