Question about Patterns

Postby GAFO666 » Sat Mar 21, 2015 9:18 pm

Hey Guys,
I'm pretty new here, so don't be too rude to me ;D joke :P

I'm just wondering about one thing. Some people here might know that you can create patterns out of static addresses with Olly or IDA plugins,
so I'm wondering how this works in depth :)

Here an example of what I mean:
Code:
#include <windows.h>
#include <cstring>

// Compare the bytes at pData with bMask one by one; an 'x' in szMask means the
// byte has to match, any other mask character (usually '?') is a wildcard.
bool Compare(const BYTE* pData, const BYTE* bMask, const char* szMask)
{
        for(;*szMask;++szMask,++pData,++bMask)
                if(*szMask=='x' && *pData!=*bMask)   return false;
        return (*szMask) == '\0';
}
 
// Scan dwLen bytes starting at dwAddress; returns the address of the first match
// or 0. The loop stops while the whole pattern still fits inside the range, so
// Compare never reads past dwAddress + dwLen (the original loop could).
DWORD Pattern(DWORD dwAddress,DWORD dwLen,BYTE *bMask,char * szMask)
{
        DWORD dwMaskLen = (DWORD)strlen(szMask);
        for(DWORD i=0; i+dwMaskLen<=dwLen; i++)
                if (Compare((BYTE*)(dwAddress+i),bMask,szMask))  return (DWORD)(dwAddress+i);
        return 0;
}
 
 
bool Status = false;
void foo ()
{
    // Pattern() returns the matching address or 0; Status only records whether a match was found.
    Status = Pattern((DWORD)GetModuleHandleA("moudule.dll"), 0x97D000, (PBYTE)"\x71\x37\x50\x94\x71\x37", "xxxxxx") != 0;
}


So my point is clearly how to get the pattern and mask without using any Olly or IDA plugins, just by coding some kind of C++ tool :)
( "libXY.dll + 0x12345" -> "\x71\x37\x50\x94\x71\x37 && xxxxxx" )

Just as a little remark for people who never worked with patterns:
they are used to find addresses again pretty fast after e.g. a game update.
I think no-one here would like to search addresses and offsets again after some annoying patches ;D

And my personal opinion about this is that they are pretty useful even when they are made with plugins,
but as I said, I want to know how the creation works, and for me it's not handy to open Olly every time
after finding an address in Cheat Engine to turn it into a pattern ... I would prefer a small tool where you
just c/p the module.dll + address and it prints it or saves it into a log file :P ... That's what I'm trying to do :D


Greetings, GAFO

Re: Question about Patterns

Postby Sethioz » Sun Mar 22, 2015 10:07 am

Personally I have no idea how to get static addresses even after some patch; I always re-do my hacks (if it's game hack addresses you're talking about).
But now it got me interested, and it might explain why developers have not made the type of anti-cheat protection I've had in mind (release an automatic patch every day that scrambles the .exe so that current hacks stop working).
Also I've never actually seen anyone coding a tool that can find static addresses even after a patch.

If it comes to game hacking, I use AoB (array of bytes) scan to find the opcodes I need, and from there I can "breakpoint on read", find all the addresses this opcode touches and find the address within a few seconds with ease.

Re: Question about Patterns

Postby GAFO666 » Sun Mar 22, 2015 1:36 pm

So you really do multilevel pointers which you have to search again after each update of a game? O_o
Omg, I would never do that tbh xD

When you've found a pattern once, it replaces the mess and the work, and you nearly never have to re-search the stuff again after updates,
unless they do a fundamental update, which nearly never happens.

Re: Question about Patterns

Postby Sethioz » Wed Mar 25, 2015 2:04 am

What most programmers / hackers don't realize is that even tho I re-scan for pointers, there's always a "pattern" to them. I can pick a working pointer manually out of millions by just knowing how it looked.
I make a note of the memory range and offsets; it takes me only a few seconds to jump to that location and pick it out manually, never been wrong so far.

For example, if the pointer is 12348080 +104 +64 +100, then in the next update that pointer will be like 12488090 +104 +64 +100.
Sometimes the offsets change, but only by like 10 or 4 bytes, so 104 becomes 108 or 114. It's because of how games are patched. Every game I have made trainers for has this pattern. So once I find the pointer once, doing it again takes 10 times less time, cuz I already know where to look and what to look for.

And as I said, I also use AoB, but I've had games where the AoB is completely changed, so I never rely on AoB 100%, cuz if it changes and you have no other reference to find the hack again, you're screwed. I did that in The Crew and lost one hack I found after hours and hours of searching; I didn't make a note of the address range and values and now I can't find it again cuz the AoB changed.

Re: Question about Patterns

Postby GAFO666 » Wed Mar 25, 2015 5:39 pm

Oh mate, you are thinking too complicated. I already found a way by using my brain and some talks with ppl; it was so obvious actually xD

Code:
#include <windows.h>
#include <list>

// Copy the bytes of the function at funct into lst until the first INT3 (0xCC),
// which MSVC uses to pad between functions; returns how many bytes were copied.
// maxLen bounds the walk so a function that is not followed by 0xCC padding
// cannot make the loop read on indefinitely (the original had no bound).
// Note: in an MSVC debug build with incremental linking, &foo points at a
// 5-byte "E9 xx xx xx xx" jmp thunk in the jump table, not at foo's body, so
// what gets gathered is the run of neighbouring thunks rather than the function.
int grabBytes(DWORD funct, std::list<BYTE>& lst, int maxLen = 4096)
{
   for (int i = 0; i < maxLen; i++)
   {
      //If we come across an INT3 instruction, return the number of bytes found
      if ((*(BYTE*)(funct + i)) == 0xCC)
      {
         return i;
      }

      //Push the byte into our list
      lst.push_back(*(BYTE*)(funct + i));
   }
   return maxLen;
}


So if the address would be e.g. 0x1234567, you check the area around it, let's say +/- 8 bytes, and you can create a pattern with a bit more code and some changes, but that's the base :)



If I would use that function e.g. in my own code, just for trying it on e.g. a function,

let's say
Code:
int foo(int a, int b, int c)
{
   return a + b + c;
}


That's the full sig of that tiny function:
Code:
\xE9\x2D\x47\x00\x00\xE9\xE4\x71\x00\x00\xE9\x3D\x64\x00\x00\xE9\x64\x72\x00\x00
\xE9\x69\x2C\x00\x00\xE9\xC2\x68\x00\x00\xE9\x5F\x23\x00\x00\xE9\xC0\x71\x00\x00
\xE9\x55\x5D\x00\x00\xE9\x60\x65\x00\x00\xE9\x5B\x5A\x00\x00\xE9\x56\x5E\x00\x00
\xE9\x01\x4D\x00\x00\xE9\x7C\x61\x00\x00\xE9\x67\x4A\x00\x00\xE9\x00\x68\x00\x00
\xE9\xAD\x4C\x00\x00\xE9\xA8\x16\x00\x00\xE9\x93\x37\x00\x00\xE9\x4E\x3F\x00\x00
\xE9\xC9\x55\x00\x00\xE9\xB4\x20\x00\x00\xE9\x4F\x43\x00\x00\xE9\xCA\x71\x00\x00
\xE9\x65\x27\x00\x00\xE9\x5A\x71\x00\x00\xE9\x2B\x1F\x00\x00\xE9\xC6\x44\x00\x00
\xE9\x91\x1E\x00\x00\xE9\xAC\x3E\x00\x00\xE9\x37\x63\x00\x00\xE9\xF2\x19\x00\x00
\xE9\x6D\x17\x00\x00\xE9\x02\x4A\x00\x00\xE9\x03\x31\x00\x00\xE9\x40\x4C\x00\x00
\xE9\x49\x34\x00\x00\xE9\x54\x24\x00\x00\xE9\xD3\x71\x00\x00\xE9\xBA\x5F\x00\x00
\xE9\xA5\x65\x00\x00\xE9\xC0\x4D\x00\x00\xE9\xCF\x49\x00\x00\xE9\xE6\x3A\x00\x00
\xE9\x71\x25\x00\x00\xE9\x0C\x14\x00\x00\xE9\x67\x2B\x00\x00\xE9\xA0\x71\x00\x00
\xE9\xBD\x39\x00\x00\xE9\x78\x3F\x00\x00\xE9\xD3\x3F\x00\x00\xE9\x4E\x5F\x00\x00
\xE9\x59\x67\x00\x00\xE9\xD4\x2C\x00\x00\xE9\xBF\x16\x00\x00\xE9\x2A\x39\x00\x00
\xE9\x05\x51\x00\x00\xE9\x9C\x49\x00\x00\xE9\xBB\x70\x00\x00\xE9\x66\x40\x00\x00
\xE9\x51\x29\x00\x00\xE9\x5E\x49\x00\x00\xE9\x5F\x49\x00\x00\xE9\xE2\x21\x00\x00
\xE9\xAD\x5F\x00\x00\xE9\x28\x60\x00\x00\xE9\x23\x26\x00\x00\xE9\x18\x71\x00\x00
\xE9\x99\x30\x00\x00\xE9\xA2\x70\x00\x00\xE9\x0F\x71\x00\x00\xE9\xCA\x49\x00\x00
\xE9\x43\x60\x00\x00\xE9\xC0\x1C\x00\x00\xE9\x5B\x37\x00\x00\xE9\xB6\x3F\x00\x00
\xE9\x31\x4B\x00\x00\xE9\xFC\x26\x00\x00\xE9\xE7\x46\x00\x00\xE9\xA6\x70\x00\x00
\xE9\x5D\x66\x00\x00\xE9\x08\x1F\x00\x00\xE9\x43\x44\x00\x00\xE9\x1E\x17\x00\x00
\xE9\x6F\x70\x00\x00\xE9\xD0\x70\x00\x00\xE9\xAF\x12\x00\x00\xE9\x7A\x26\x00\x00
\xE9\xC7\x70\x00\x00\xE9\xDE\x48\x00\x00\xE9\x4B\x70\x00\x00\xE9\xA6\x5B\x00\x00
\xE9\x05\x49\x00\x00\xE9\x3C\x3B\x00\x00\xE9\xE7\x34\x00\x00\xE9\xA2\x6C\x00\x00
\xE9\x45\x70\x00\x00\xE9\xA8\x19\x00\x00\xE9\xF3\x42\x00\x00\xE9\xEA\x5E\x00\x00
\xE9\xC9\x20\x00\x00\xE9\x54\x60\x00\x00\xE9\x57\x4B\x00\x00\xE9\x82\x70\x00\x00
\xE9\x75\x39\x00\x00\xE9\x80\x5F\x00\x00\xE9\x3B\x1E\x00\x00\xE9\xAE\x48\x00\x00
\xE9\x6B\x5F\x00\x00\xE9\x3C\x40\x00\x00\xE9\x07\x25\x00\x00\xE9\xA2\x1B\x00\x00
\xE9\x81\x5F\x00\x00\xE9\xA8\x37\x00\x00\xE9\x33\x45\x00\x00\xE9\x9E\x48\x00\x00
\xE9\x93\x48\x00\x00\xE9\xA4\x3F\x00\x00\xE9\xCB\x6F\x00\x00\xE9\x56\x70\x00\x00
\xE9\x25\x63\x00\x00\xE9\x48\x5F\x00\x00\xE9\x7B\x1E\x00\x00\xE9\x56\x53\x00\x00
\xE9\xF5\x6F\x00\x00\xE9\x7C\x24\x00\x00\xE9\x8B\x6F\x00\x00\xE9\x62\x51\x00\x00
\xE9\xBD\x39\x00\x00\xE9\x48\x26\x00\x00\xE9\x35\x48\x00\x00\xE9\x0E\x32\x00\x00
\xE9\xA9\x26\x00\x00\xE9\xA8\x61\x00\x00\xE9\xBF\x1C\x00\x00\xE9\x64\x6F\x00\x00
\xE9\xF5\x6F\x00\x00\xE9\x28\x66\x00\x00\xE9\x4B\x2D\x00\x00\xE9\x8C\x6F\x00\x00
\xE9\x41\x5D\x00\x00\xE9\x5E\x6F\x00\x00\xE9\x77\x28\x00\x00\xE9\x32\x39\x00\x00
\xE9\xFF\x11\x00\x00


To be exact 725 bytes :)


greez
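The generation step the thread is after, as an added example that is not GAFO666's or the forum's code: capture the same window of bytes from two builds, keep the bytes that are identical as fixed ('x') and wildcard the ones that moved ('?'), which yields the "\x.." string and the mask that the scanner in the first post takes. The 18-byte sample function, its two build variants and the helper names are constructed for this example.

```cpp
#include <algorithm>
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// Reference bytes plus mask, as the thread's Compare()/Pattern() take: 'x' must match, '?' wildcard.
struct Signature { std::vector<uint8_t> bytes; std::string mask; };
// Build a signature from the same code window captured in two builds: bytes that
// are identical stay fixed ('x'), bytes that moved (absolute addresses, relocated
// offsets) become wildcards ('?'). Hypothetical helper, not from the thread.
Signature makeSignature(const std::vector<uint8_t>& a, const std::vector<uint8_t>& b) {
    Signature sig;
    for (size_t i = 0; i < std::min(a.size(), b.size()); i++) {
        sig.bytes.push_back(a[i]);
        sig.mask.push_back(a[i] == b[i] ? 'x' : '?');
    }
    return sig;
}

// Render the byte half as the "\xNN" string literal the scanner is given.
std::string escapeBytes(const Signature& s) {
    std::string out;
    for (uint8_t b : s.bytes) { char t[5]; std::snprintf(t, sizeof t, "\\x%02X", b); out += t; }
    return out;
}

// Scan buf for the signature; returns the offset of the first match or -1. The loop bound keeps every read inside buf.
long findSignature(const std::vector<uint8_t>& buf, const Signature& s) {
    const size_t len = s.mask.size();
    if (len == 0 || buf.size() < len) return -1;
    for (size_t i = 0; i + len <= buf.size(); i++) {
        size_t j = 0;
        while (j < len && (s.mask[j] != 'x' || buf[i + j] == s.bytes[j])) j++;
        if (j == len) return (long)i;
    }
    return -1;
}

// Constructed sample: one 18-byte function body as captured from two builds; only the
// two absolute data addresses (0x00401234/0x00401238 -> 0x00402234/0x00402238) moved.
const std::vector<uint8_t> buildA = {0x55,0x8B,0xEC,0xA1,0x34,0x12,0x40,0x00,
    0x8B,0x0D,0x38,0x12,0x40,0x00,0x03,0xC1,0x5D,0xC3};
const std::vector<uint8_t> buildB = {0x55,0x8B,0xEC,0xA1,0x34,0x22,0x40,0x00,
    0x8B,0x0D,0x38,0x22,0x40,0x00,0x03,0xC1,0x5D,0xC3};

int main() {
    Signature sig = makeSignature(buildA, buildB);
    std::printf("%s\n%s\nfound at %ld\n", escapeBytes(sig).c_str(), sig.mask.c_str(), findSignature(buildB, sig));
}
```

The same signature then still matches a third build in which both addresses moved again, which is the whole point of wildcarding the operand bytes.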

Re: Question about Patterns

Postby Sethioz » Sun Mar 29, 2015 3:06 pm

Well, I'm not a programmer, I'm a scientist. I approach those things scientifically by using common sense and logic.

8 bytes around the address would not work tho; very often the change is like 1000+ bytes, and I have never seen addresses go lower, they always increase, because something is added into the file, increasing the address range.

I'd like to see a way to re-find the hacks without searching tho. Only AoB works for me, but even that gets changed sometimes.