[DiscordArchive] Do you mean byte patterns/signatures?
[DiscordArchive] Do you mean byte patterns/signatures?
Original source
Do you mean byte patterns/signatures?
rektbyfaith
02-01-2024, 03:40 PM #1Archived author: Nix • Posted: 2024-02-01T15:40:54.143000+00:00
Original source
Do you mean byte patterns/signatures?
Original source
Yes
rektbyfaith
02-01-2024, 03:43 PM #2Archived author: Thordekk • Posted: 2024-02-01T15:43:38.297000+00:00
Original source
Yes
Original source
I think the preferred way is to use a plugin (For most people), I know in IDA there is a plugin that lets you select a certain region, and it will generate or try to generate the most unique pattern that it can.
You can also learn what things are wild cards.
Typically a pattern will consist on a set of bytes that never change across versions, and some bytes that you know might change.
For example bytes referring to a specific variable, lets say you're moving some variable in the data section into eax, then you know the bytes beside the mov is likely to change (across updates), and maybe even the register depending on calling convention and how sure you are that the parameter input/output stays the same etc.
rektbyfaith
02-01-2024, 03:46 PM #3Archived author: Nix • Posted: 2024-02-01T15:46:30.843000+00:00
Original source
I think the preferred way is to use a plugin (For most people), I know in IDA there is a plugin that lets you select a certain region, and it will generate or try to generate the most unique pattern that it can.
You can also learn what things are wild cards.
Typically a pattern will consist on a set of bytes that never change across versions, and some bytes that you know might change.
For example bytes referring to a specific variable, lets say you're moving some variable in the data section into eax, then you know the bytes beside the mov is likely to change (across updates), and maybe even the register depending on calling convention and how sure you are that the parameter input/output stays the same etc.
Original source
There is also the case of 'where to sample the pattern from'. For example a function may be too small to genuinely produce a unique pattern. In those cases, you may instead sample the pattern from a calling site, which may provide a more unique pattern, and then you'll just have to resolve that pattern to the true address of the call (Which will be part of the bytes at the address that you're reading).
rektbyfaith
02-01-2024, 03:48 PM #4Archived author: Nix • Posted: 2024-02-01T15:48:01.272000+00:00
Original source
There is also the case of 'where to sample the pattern from'. For example a function may be too small to genuinely produce a unique pattern. In those cases, you may instead sample the pattern from a calling site, which may provide a more unique pattern, and then you'll just have to resolve that pattern to the true address of the call (Which will be part of the bytes at the address that you're reading).
Original source
Nice thanks i will try to find the plugin
rektbyfaith
02-01-2024, 03:49 PM #5Archived author: Thordekk • Posted: 2024-02-01T15:49:50.087000+00:00
Original source
Nice thanks i will try to find the plugin
Original source
Patterns are usually most useful when dealing with a couple of different scenarios, I'd say the most common are.
1. You're looking for a specific function or specific instructions that should stay the same across multiple updates. In these cases patterns are very useful as you don't need to update the offset every time, but rather will automatically resolve them using the patterns.
2. You are working on one base version of an executable, but there exists many executables of the same 'base' version, but with multiple small changes here and there
3. Looking for similar functions or functionality in the binary
In these cases patterns are nice. If you always work on the same static base, then patterns are imo less useful, but can still be nice to learn.
rektbyfaith
02-01-2024, 03:49 PM #6Archived author: Nix • Posted: 2024-02-01T15:49:52.047000+00:00
Original source
Patterns are usually most useful when dealing with a couple of different scenarios, I'd say the most common are.
1. You're looking for a specific function or specific instructions that should stay the same across multiple updates. In these cases patterns are very useful as you don't need to update the offset every time, but rather will automatically resolve them using the patterns.
2. You are working on one base version of an executable, but there exists many executables of the same 'base' version, but with multiple small changes here and there
3. Looking for similar functions or functionality in the binary
In these cases patterns are nice. If you always work on the same static base, then patterns are imo less useful, but can still be nice to learn.
Original source
https://github.com/kweatherman/sigmakerex
[Embed: GitHub - kweatherman/sigmakerex: Enhanced IDA Pro signature generat...]
Enhanced IDA Pro signature generator plugin. Contribute to kweatherman/sigmakerex development by creating an account on GitHub.
https://github.com/kweatherman/sigmakerex
rektbyfaith
02-01-2024, 03:50 PM #7Archived author: Nix • Posted: 2024-02-01T15:50:25.502000+00:00
Original source
https://github.com/kweatherman/sigmakerex
[Embed: GitHub - kweatherman/sigmakerex: Enhanced IDA Pro signature generat...]
Enhanced IDA Pro signature generator plugin. Contribute to kweatherman/sigmakerex development by creating an account on GitHub.
https://github.com/kweatherman/sigmakerex
Original source
I know there is this one for Ida, maybe Robin knows of a better one
rektbyfaith
02-01-2024, 03:50 PM #8Archived author: Nix • Posted: 2024-02-01T15:50:28.577000+00:00
Original source
I know there is this one for Ida, maybe Robin knows of a better one
Original source
I will try it ty
rektbyfaith
02-01-2024, 03:51 PM #9Archived author: Thordekk • Posted: 2024-02-01T15:51:27.102000+00:00
Original source
I will try it ty
Original source
The noggit code referenced there is just wrong. I know I implemented the low quality map back then, but obviously not the noDoodads, because I think it wasn’t really documented well back then. Yes, the noggit structure needs to be fixed as said there, wiki is perfectly fine.
![[Image: IMG_7823.png?ex=690c1ee1&is=690acd61&hm=...5e750b620&]](https://cdn.discordapp.com/attachments/1086807686571642900/1202646280585744394/IMG_7823.png?ex=690c1ee1&is=690acd61&hm=5e3994411db9c2daba8f55d7561b11b71d273257bbd48bbf8e38aa85e750b620&)
rektbyfaith
02-01-2024, 04:06 PM #10Archived author: schlumpf • Posted: 2024-02-01T16:06:57.436000+00:00
Original source
The noggit code referenced there is just wrong. I know I implemented the low quality map back then, but obviously not the noDoodads, because I think it wasn’t really documented well back then. Yes, the noggit structure needs to be fixed as said there, wiki is perfectly fine.
1 Guest(s)
1 Guest(s)