Thread: FindPattern.

1. #1 SwInY (Member)

    FindPattern.

    Hey Guys,

    I have finally worked out successfully how to backtrack offsets using IDA,
    and have been getting the offsets I have been requiring by good old fashioned find.

    I am now a bit curious as to how to make "findpattern" work, and how to do such a thing.

    Now I know that this is the ChatBuffer ASM:
    Code:
    .text:004FB210                 push    ebp
    .text:004FB211                 mov     ebp, esp
    .text:004FB213                 mov     ecx, dword_BCEFF4
    .text:004FB219                 mov     eax, [ebp+arg_0]
    .text:004FB21C                 add     eax, ecx
    .text:004FB21E                 cdq
    .text:004FB21F                 mov     ecx, 3Ch ; '<'
    .text:004FB224                 idiv    ecx
    .text:004FB226                 mov     eax, edx
    .text:004FB228                 imul    eax, 17C0h
    .text:004FB22E                 add     eax, offset unk_B75A60
    .text:004FB233                 pop     ebp
    .text:004FB234                 retn
    .text:004FB234 sub_4FB210      endp
    .text:004FB234
    Now how do I make a find pattern out of this?
    If someone could help me and point me in the right direction, much appreciated.
    As noted I am using IDA. Thanks again guys.

    SwInY

2. #2 eLaps (Active Member)
    First, display the opcodes in IDA (Options/General/Number of opcode bytes = 10) and get enough of them for a pattern:
    Code:
    Pattern:  "\x55\x8B\xEC\x8B\x0D\xF4\xEF\xBC\x00\x8B\x45\x08\x03\xC1\x99\xB9\x3C\x00\x00\x00\xF7\xF9\x8B\xC2\x69\xC0\xC0\x17\x00\x00\x05\x60\x5A\xB7\x00\x5D\xC3"
    Mask:     "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
    Now find what you need to ignore in the pattern, everything that may change (offsets/addresses):
    Code:
    dword_BCEFF4       //"\xF4\xEF\xBC\x00"
     3Ch               //"\x3C\x00"
    17C0h              //"\xC0\x17"
    offset unk_B75A60  //"\x60\x5A\xB7\x00"
    Remove the corresponding opcodes from the mask (and from the pattern too if you want it clearer):
    Code:
    Pattern:  "\x55\x8B\xEC\x8B\x0D____\x8B\x45\x08\x03\xC1\x99\xB9__\x00\x00\xF7\xF9\x8B\xC2\x69\xC0__\x00\x00\x05____\x5D\xC3"
    Mask:     "xxxxx????xxxxxxx??xxxxxxxx??xxx????xx"

3. #3 SwInY (Member)
    Hey Elaps!

    Thanks for the insight, I now understand it a bit more.

    Now I am half way there and a bit more confused.

    In the ASM, there are actually 2 offsets I wish to make patterns for:
    dword_BCEFF4 //"\xF4\xEF\xBC\x00"
    offset unk_B75A60 //"\x60\x5A\xB7\x00"

    Could you please give me some more insight into direct offsets, not the whole function, mate.

    Thanks a lot again

    SwInY

4. #4 eLaps (Active Member)
    dword_BCEFF4 is at 004FB210 + 0x5, so you can use this pattern and read at [result + 0x5].
    You can also modify the pattern to make it start where you want to read (no offset)
    Code:
    "____\x8B\x45\x08\x03\xC1\x99\xB9__\x00\x00\xF7\xF9\x8B\xC2\x69\xC0__\x00\x00\x05____\x5D\xC3"
    but it shortens the pattern => less reliable.

    It might look complex because of the opcodes but it is basic string search.

    I just tried the pattern and it works on 3.3.5a.

5. #5 SwInY (Member)
    Hey Elaps,

    Many thanks, I've kinda worked it out now and am getting the idea.

    So that find pattern, your 1st original, is

    result + 5 for dword_BCEFF4
    result + 20? for unk_B75A60

    kinda like that, yes?

6. #6 eLaps (Active Member)
    dword_BCEFF4 is at 0x004FB215
    unk_B75A60 is at 0x004FB22F
    &dword_BCEFF4 - &Function = 0x004FB215 - 0x004FB210 = 0x05 = 5
    &unk_B75A60 - &Function = 0x004FB22F - 0x004FB210 = 0x1F = 31

7. #7 MaiN (Elite User)
    Originally Posted by eLaps:
    dword_BCEFF4 is at 004FB210 + 0x5, so you can use this pattern and read at [result + 0x5].
    You can also modify the pattern to make it start where you want to read (no offset)
    Code:
    "____\x8B\x45\x08\x03\xC1\x99\xB9__\x00\x00\xF7\xF9\x8B\xC2\x69\xC0__\x00\x00\x05____\x5D\xC3"
    but it shortens the pattern => less reliable.

    It might look complex because of the opcodes but it is basic string search.

    I just tried the pattern and it works on 3.3.5a.
    Might someone explain to me why a shorter pattern makes it less reliable? IMO, the chance that one of the opcodes in a long pattern will change is bigger than the chance that a short pattern will have more matches.
    [16:15:41] Cypher: caus the CPU is a dick
    [16:16:07] kynox: CPU is mad
    [16:16:15] Cypher: CPU is all like
    [16:16:16] Cypher: whatever, i do what i want

8. #8 eLaps (Active Member)
    Maybe reliable isn't the word. It's faster to try to shorten the pattern than opening IDA to paste a bit more.

9. #9 MaiN (Elite User)
    Originally Posted by eLaps:
    Maybe reliable isn't the word. It's faster to try to shorten the pattern than opening IDA to paste a bit more.
    But it might just as well have changed in the start of the pattern than in the end of the pattern.
    The fact is that there are tens of thousands functions in WoW. When you have a pattern with only 1 match, the chance that a new patch will introduce a new match is almost negligible.
    Last edited by MaiN; 07-03-2010 at 10:46 AM.

10. #10 Cypher (Kynox's Sister's Pimp)
    Originally Posted by MaiN:
    Might someone explain to me why a shorter pattern makes it less reliable? IMO, the chance that one of the opcodes in a long pattern will change is bigger than the chance that a short pattern will have more matches.
    Because false positives are worse than false negatives. I'd rather have my pattern scanner fail to find an address than find the wrong address.

11. #11 MaiN (Elite User)
    Originally Posted by Cypher:
    Because false positives are worse than false negatives. I'd rather have my pattern scanner fail to find an address than find the wrong address.
    Sure, I would too, but a false positive is still nearly impossible to get. Think about it; if your pattern only matches 1 function within tens of thousands of functions, then what is the chance that it will match one of few new functions in a patch?

12. #12 Cypher (Kynox's Sister's Pimp)
    Originally Posted by MaiN:
    Sure, I would too, but a false positive is still nearly impossible to get. Think about it; if your pattern only matches 1 function within tens of thousands of functions, then what is the chance that it will match one of few new functions in a patch?
    Last time I used pattern scanners was back at around the end of BC, and when I went from BC -> WOTLK that patch gave me a whole heap of false positives (about a dozen) out of approximately 100 patterns. In my eyes that's a big enough pain in the ass to warrant more 'discriminate' patterns.

    Your particular experience will obviously vary from mine, but it definitely does/can happen.

13. #13 eLaps (Active Member)
    Originally Posted by MaiN:
    But it might just as well have changed in the start of the pattern than in the end of the pattern.
    You can shorten the beginning and adjust the offset, if you can specify one.
    Originally Posted by MaiN:
    if your pattern only matches 1 function within tens of thousands of functions, then what is the chance that it will match one of few new functions in a patch?
    Supposing you search for multiple matches. Maybe I should do.

14. #14 SwInY (Member)
    Hey Elaps,

    I tried the original pattern and it cannot find it?
    Code:
    Pattern:  "\x55\x8B\xEC\x8B\x0D____\x8B\x45\x08\x03\xC1\x99\xB9__\x00\x00\xF7\xF9\x8B\xC2\x69\xC0__\x00\x00\x05____\x5D\xC3"
    Mask:     "xxxxx????xxxxxxx??xxxxxxxx??xxx????xx"
    I tried different ways of doing this,
    but still a no go.

    Also I'd like to thank everyone, especially Elaps, for taking the time and explaining this.

15. #15 eLaps (Active Member)
    It works for me.
    Code:
    #include <cstdint>
    #include <iostream>

    // In-process scan of the main module's .text range. Assumes a 32-bit build,
    // since the loop counter is cast straight to a pointer.
    void search() {
        // Bytes of sub_4FB210 with the relocatable operands masked out ('?').
        char pattern[] = "\x55\x8B\xEC\x8B\x0D____\x8B\x45\x08\x03\xC1\x99\xB9__\x00\x00\xF7\xF9\x8B\xC2\x69\xC0__\x00\x00\x05____\x5D\xC3";
        char mask[]    = "xxxxx????xxxxxxx??xxxxxxxx??xxx????xx";
        for (uint32_t i = 0x00401000; i < 0x00A00000; i++) {
            uint32_t addr = i;
            for (uint32_t j = 0; mask[j]; j++) {
                // Only 'x' positions must match; '?' positions are wildcards.
                if (mask[j] == 'x' && *(char*)(i + j) != pattern[j]) {
                    addr = 0;
                    break;   // first mismatch rules this candidate out
                }
            }
            if (addr)
                std::cout << "found at " << (void*)addr << std::endl;
        }
    }
    Output:
    Code:
    found at 0x4fb210
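Worked example, added here and not code from the thread: eLaps' pattern and mask from post #15 run over a constructed copy of the 37 opcode bytes from post #2 instead of live process memory, collecting every hit so an ambiguous signature can be refused, then reading the two operands at +0x05 and +0x1F as post #6 works out. The image buffer and the names `find_pattern`, `read_le32` and `scan_image` are this example's own constructions.

```cpp
#include <cstdint>
#include <cstring>
#include <vector>

// Constructed test image (not a process dump): 8 filler bytes, the 37 opcode
// bytes of sub_4FB210 exactly as listed in post #2, then 8 more filler bytes.
static const unsigned char kImage[] = {
    0x90, 0x90, 0xCC, 0xCC, 0x90, 0x90, 0xCC, 0xCC, 0x55, 0x8B, 0xEC, 0x8B, 0x0D, 0xF4,
    0xEF, 0xBC, 0x00, 0x8B, 0x45, 0x08, 0x03, 0xC1, 0x99, 0xB9, 0x3C, 0x00, 0x00, 0x00,
    0xF7, 0xF9, 0x8B, 0xC2, 0x69, 0xC0, 0xC0, 0x17, 0x00, 0x00, 0x05, 0x60, 0x5A, 0xB7,
    0x00, 0x5D, 0xC3, 0x90, 0x90, 0xCC, 0xCC, 0x90, 0x90, 0xCC, 0xCC};
// The thread's masked signature; '_' fills the bytes the mask wildcards.
static const char kPattern[] =
    "\x55\x8B\xEC\x8B\x0D____\x8B\x45\x08\x03\xC1\x99\xB9__\x00\x00"
    "\xF7\xF9\x8B\xC2\x69\xC0__\x00\x00\x05____\x5D\xC3";
static const char kMask[] = "xxxxx????xxxxxxx??xxxxxxxx??xxx????xx";
// Every offset where `pattern` matches under `mask` ('x' must equal, '?' any).
// strlen(mask) defines the length because the pattern itself contains 0x00.
// All hits are returned so the caller can reject an ambiguous signature.
std::vector<size_t> find_pattern(const unsigned char* image, size_t image_len,
                                 const char* pattern, const char* mask) {
    std::vector<size_t> hits;
    size_t plen = std::strlen(mask);
    if (plen == 0 || plen > image_len) return hits;
    for (size_t i = 0; i + plen <= image_len; ++i) {
        size_t j = 0;
        while (j < plen && (mask[j] != 'x' ||
                            image[i + j] == (unsigned char)pattern[j])) ++j;
        if (j == plen) hits.push_back(i);
    }
    return hits;
}
// 4-byte little-endian operand at image[off] (x86 mov displacement / add imm32).
uint32_t read_le32(const unsigned char* image, size_t image_len, size_t off) {
    if (off + 4 > image_len) return 0;
    return (uint32_t)image[off] | ((uint32_t)image[off + 1] << 8) |
           ((uint32_t)image[off + 2] << 16) | ((uint32_t)image[off + 3] << 24);
}
struct ScanResult { size_t hits; size_t offset; uint32_t dword_ptr; uint32_t unk_ptr; };
// Locate the function and, only when exactly one hit exists, read the two
// operands at the offsets worked out in post #6: +0x05 and +0x1F.
ScanResult scan_image() {
    std::vector<size_t> hits = find_pattern(kImage, sizeof kImage, kPattern, kMask);
    ScanResult r{hits.size(), 0, 0, 0};
    if (hits.size() == 1) {
        r.offset = hits[0];
        r.dword_ptr = read_le32(kImage, sizeof kImage, hits[0] + 0x05);
        r.unk_ptr = read_le32(kImage, sizeof kImage, hits[0] + 0x1F);
    }
    return r;
}
```

On the constructed image the single hit lands at offset 8 and the operands decode to 0x00BCEFF4 and 0x00B75A60, i.e. dword_BCEFF4 and unk_B75A60 from the listing.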
