Hi guys, here I'll show how to find and write a signature for WarRock.
Components you need:
OllyDbg 1.10
WarRock.exe [UnPacked Update]
We are searching for:
PlayerPointer -> 0xA28DC8 (PUBLIC)
Escalator -> 0x53E027 (VIP)
Let's begin with the Escalator (very easy).
Open WarRock.exe [unpacked] with OllyDbg.
Now -> Right Click -> Go To -> Expression -> Paste your VIP address -> Press OK.
Let's go to the string.
Analyze:
Code:
0053E027 -> Our addy
895D 08 -> Our signature / byte off
MOV DWORD PTR SS:[EBP+8],EBX -> The instruction that moves the data
Writing the addylogger:
Code:
DWORD dwEscalator = FindPattern((PBYTE)"\x89\x5D\x08\xD9\x46\x08\xD9\x46\x04", "xxxxxxxxx", 0, 0); // 0,0 = don't extract the address
PlayerPointer
Right Click -> Search For -> Constant -> Paste your public address -> Press OK.
Let's go to the string.
Analyze:
Code:
004180D3 -> The extern address
8325 C88DA200 00 -> Signature / NO byte off
AND DWORD PTR DS:[A28DC8],0 -> The instruction "AND" is: XY = X AND Y. (Example)
Writing the addylogger:
Code:
DWORD dwPlayerPtr = FindPattern((PBYTE)"\x83\x25\x00\x00\x00\x00\x00\xA1\x14\x8E\xA2\x00", "xx?????xxxx?", true, 2); // second byte is 0x25, as in the disassembly (8325)
Analyze:
true = extract the address
2 = the number of bytes (83, 25), called StaticByte, that come before the dynamic bytes 00 00 00 00 00 (the address, stored in reverse)
C88DA2 -> 000000. Why? C8 8D A2 is A28DC8 stored in reverse (little-endian) byte order, and the address changes with every update, so we MUST put "\x00" there =)
Finished =) And remember:
"xx?????xxxx?" and "xxxxxxxxx" are the masks; the mask helps the addylogger find the address. How does it work? Easy: use "x" for a byte different from "\x00", and where you find "\x00" put "?".
Credits: Me
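The masked match and operand extraction described above, as an added example that is not part of the original post: it runs over constructed byte buffers only, and `find_pattern`, `read_le32` and `extract_operand` are hypothetical helpers, not the post's `FindPattern`. In this sketch the mask alone decides which bytes are compared, so the trailing `00` immediate is matched literally with `x`.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Offset of the first position where every 'x' byte of the mask matches, or -1. */
static long find_pattern(const uint8_t *buf, size_t len,
                         const uint8_t *pat, const char *mask)
{
    size_t n = strlen(mask);
    if (n == 0 || n > len) return -1;
    for (size_t i = 0; i + n <= len; i++) {
        size_t j = 0;
        while (j < n && (mask[j] == '?' || buf[i + j] == pat[j])) j++;
        if (j == n) return (long)i;
    }
    return -1;
}

/* x86 stores a 32-bit operand least significant byte first. */
static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Scan, then decode the 4 operand bytes starting `skip` bytes into the match. */
static uint32_t extract_operand(const uint8_t *buf, size_t len,
                                const uint8_t *pat, const char *mask, size_t skip)
{
    long off = find_pattern(buf, len, pat, mask);
    if (off < 0 || (size_t)off + skip + 4 > len) return 0; /* 0 = not found */
    return read_le32(buf + off + skip);
}

/* Constructed buffers: the instruction bytes from the listing above, and a
   hypothetical later build in which only the operand bytes differ. */
static const uint8_t build_a[] = { 0x90, 0x90, 0x83, 0x25, 0xC8, 0x8D, 0xA2, 0x00, 0x00, 0xC3 };
static const uint8_t build_b[] = { 0x90, 0x83, 0x25, 0xF0, 0xA0, 0xA2, 0x00, 0x00, 0xC3 };
static const uint8_t sig[]      = { 0x83, 0x25, 0x00, 0x00, 0x00, 0x00, 0x00 };
static const char    sig_mask[] = "xx????x";

int main(void)
{
    printf("build A: 0x%08X\n", (unsigned)extract_operand(build_a, sizeof build_a, sig, sig_mask, 2));
    printf("build B: 0x%08X\n", (unsigned)extract_operand(build_b, sizeof build_b, sig, sig_mask, 2));
    return 0;
}
```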