Saturday, 22 March 2014

Signature Scanning

I have been getting a lot of questions about signature scanning, such as:

  • What is a signature?
  • How do I find or make one?
  • Where would signature scanning be useful?

People seem to think this is a hard thing to do, so I want to try to simplify it.
Basically, when code such as C++ is compiled it is turned into machine code: raw bytes that the CPU runs directly.

When memory hacking we find bytes we want to read or modify, but if the application is recompiled, or the data lives in dynamically allocated memory,
the address is not guaranteed to be the same each time the app runs.

A signature is a sequence of bytes, with wildcards in the positions that vary, that we search for in memory instead of relying on a fixed address.

I have a game here, and it renders its version string in the bottom left.
You may be able to see VER9.02.

I wanted to get that version as well as modify it to include my own text.

So I used Cheat Engine and searched for the string VER9.02.
I had to set the Writable and Executable checkboxes to the half-way (grayed, "don't care") state so that Cheat Engine would scan
read-only and executable memory too; a constant string like this is usually not in writable memory, so a default scan misses it.

After I found the version string's address, I found what accessed it.

This can be done two ways: scan for the address itself as a 4-byte hex value and go to the result minus 1 in the Memory View disassembler
(for a PUSH imm32 or MOV reg, imm32 the opcode is a single byte, so the instruction starts one byte before its operand; other encodings put the operand further from the start),
or right-click the entry and choose "Find out what accesses this address".

I can just scroll up a little bit and look at the bytes on the left. Any references to other memory addresses
will change on recompile (and whenever the module is loaded at a different base address), such as the immediates and displacements seen in PUSH, MOV or CALL instructions.
As a rule, if a value in the code section is an address that points back into the executable, treat it as likely to change.
Simply make those bytes wildcards with ?? when writing the signature down, but keep enough fixed opcode bytes around them that the pattern stays unique.
You can search for the signature in Cheat Engine as an Array of byte scan with Hex ticked; a good signature returns exactly one result, and if it returns several, extend it with more surrounding bytes.
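The whole procedure above, from writing the pattern with ?? wildcards to scanning for it and reading the version string's address back out of the PUSH operand, as an added C example. It is not the post's own scanner and not Cheat Engine's code. The two "builds" are constructed byte arrays standing in for the game's code: the string addresses, the CALL displacements and the pattern itself are made up for the example, and the 4-byte operand is read from the byte after the one-byte 0x68 PUSH opcode, which is the same relationship the "address minus 1" trick relies on.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* A parsed signature: byte values plus a mask ('x' = must match, '?' = wildcard). */
#define SIG_MAX 64
typedef struct {
    uint8_t bytes[SIG_MAX];
    char    mask[SIG_MAX + 1];
    size_t  len;
} signature_t;

/* Parse a Cheat Engine style pattern such as "68 ?? ?? ?? ?? E8 ?? ?? ?? ??".
   Tokens are whitespace separated; "??" (or "?") is a wildcard.
   Returns 0 on success, -1 on an empty or malformed pattern. */
static int parse_signature(const char *pattern, signature_t *sig)
{
    const char *p = pattern;
    sig->len = 0;
    while (*p) {
        while (isspace((unsigned char)*p)) p++;
        if (!*p) break;
        if (sig->len >= SIG_MAX) return -1;
        if (*p == '?') {
            while (*p == '?') p++;              /* accept "?" and "??" */
            sig->bytes[sig->len] = 0;
            sig->mask[sig->len] = '?';
        } else {
            unsigned v; int n = 0;
            if (sscanf(p, "%2x%n", &v, &n) != 1 || n != 2) return -1;
            p += n;
            sig->bytes[sig->len] = (uint8_t)v;
            sig->mask[sig->len] = 'x';
        }
        sig->len++;
    }
    sig->mask[sig->len] = '\0';
    return sig->len ? 0 : -1;
}

/* Linear scan of [buf, buf+size) for the first match. Returns its offset or -1.
   Wildcard positions are skipped; every 'x' position must match exactly. */
static long find_signature(const uint8_t *buf, size_t size, const signature_t *sig)
{
    if (sig->len == 0 || size < sig->len) return -1;
    for (size_t i = 0; i + sig->len <= size; i++) {
        size_t j;
        for (j = 0; j < sig->len; j++)
            if (sig->mask[j] == 'x' && buf[i + j] != sig->bytes[j]) break;
        if (j == sig->len) return (long)i;
    }
    return -1;
}

/* Parse and scan in one step: offset of the match, -1 if none, -2 if the pattern is malformed. */
static long scan_pattern(const uint8_t *buf, size_t size, const char *pattern)
{
    signature_t sig;
    if (parse_signature(pattern, &sig) != 0) return -2;
    return find_signature(buf, size, &sig);
}

/* Little-endian 32-bit read, e.g. the operand of PUSH imm32 at buf[off..off+3]. */
static uint32_t read_u32_le(const uint8_t *buf, size_t off)
{
    return (uint32_t)buf[off] | ((uint32_t)buf[off + 1] << 8) |
           ((uint32_t)buf[off + 2] << 16) | ((uint32_t)buf[off + 3] << 24);
}

/* Constructed sample: the same function from two hypothetical builds of the game.
   Only the PUSH operand (string address) and the CALL displacement differ. */
static const uint8_t build_a[] = {
    0x90, 0x90, 0xCC,                 /* padding before the function */
    0x55,                             /* push ebp */
    0x8B, 0xEC,                       /* mov ebp, esp */
    0x68, 0xA0, 0x43, 0x42, 0x00,     /* push 0x004243A0 (address of "VER9.02") */
    0xE8, 0x12, 0x34, 0x00, 0x00,     /* call draw_text (relative displacement) */
    0x83, 0xC4, 0x04,                 /* add esp, 4 */
    0x5D,                             /* pop ebp */
    0xC3,                             /* ret */
};
static const uint8_t build_b[] = {
    0xCC,
    0x55, 0x8B, 0xEC,
    0x68, 0x80, 0x1C, 0x45, 0x00,     /* push 0x00451C80: string moved after recompile */
    0xE8, 0xF6, 0x2A, 0x00, 0x00,     /* different displacement: draw_text moved too */
    0x83, 0xC4, 0x04, 0x5D, 0xC3,
};

/* Opcodes are kept, the address and displacement are wildcarded, so this matches both builds. */
static const char *VERSION_SIG = "55 8B EC 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 04";

/* Find the function that pushes the version string and recover the string's address
   from the PUSH operand. The 0x68 opcode is at pattern index 3, its operand at 4..7.
   Returns 0 if the pattern is not found. */
static uint32_t locate_version_string(const uint8_t *buf, size_t size)
{
    long off = scan_pattern(buf, size, VERSION_SIG);
    if (off < 0) return 0;
    return read_u32_le(buf, (size_t)off + 4);
}

int main(void)
{
    printf("build A: VER string at 0x%08lx\n", (unsigned long)locate_version_string(build_a, sizeof build_a));
    printf("build B: VER string at 0x%08lx\n", (unsigned long)locate_version_string(build_b, sizeof build_b));
    return 0;
}
```

In a real target the buffer is the game's code section read with ReadProcessMemory (or the module's bytes when injected), and the recovered operand is the address to dereference; a naive pattern that keeps the address bytes, such as "68 A0 43 42 00", matches build A only, which is exactly the failure the wildcards avoid.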

Signature Scanner:

Video can be found here: