AOB signatures

Section's for general approaches on hacking various options in games. No online-related discussions/posts OR warez!
Post Reply
TimFun13
Expert Cheater
Expert Cheater
Posts: 1354
Joined: Fri Mar 03, 2017 12:31 am
Reputation: 6

AOB signatures

Post by TimFun13 »

[Link]

AOB signatures

What is an AOB? An AOB is just an Array of Bytes, it tends to be used as a signature. A signature is really only an AOB with wild cards. A signature can be found even if the address where it is changes, so long as the signature still exists.



So if we look at the code for step 8 of the CE tutorial (x32), we see some code like this.

Code: Select all

Tutorial-i386.exe+26180 - E8 7B85FEFF - call Tutorial-i386.exe+E700
Tutorial-i386.exe+26185 - 8B 55 DC - mov edx,[ebp-24] //// AOB starts here
Tutorial-i386.exe+26188 - 89 42 18 - mov [edx+18],eax //// Injecting here
Tutorial-i386.exe+2618B - 8B 45 DC - mov eax,[ebp-24]
Tutorial-i386.exe+2618E - 8B 40 18 - mov eax,[eax+18]
Tutorial-i386.exe+26191 - 8D 55 B0 - lea edx,[ebp-50]
Tutorial-i386.exe+26194 - E8 073C0100 - call Tutorial-i386.exe+39DA0
So we could just inject at the address [ICODE]Tutorial-i386.exe+26188[/ICODE], but let's setup an AOB.

And we could just try [ICODE]89 42 18 8B 45 DC 8B 40 18 8D 55 B0[/ICODE], but what if the registry changes or the offset.

So let's say that we always have a MOV, MOV, MOV, LEA, CALL, ... Then we could make an AOB like this:

Code: Select all

8Bxxxx89xxxx8Bxxxx8Bxxxx8DxxxxE8xxxxxxxx8Bxxxx8Bxxxx8Bxxxxxxxxxx
Note: Any none byte characters are wild cards, so X and ? are wild cards. So let's setup CE for an AOB scan.

[Link]



And after clicking first scan we are looking to get just one result.

[Link]

If you get more results then one just add more bytes to the signature.



So to use this signature we'll need to use an offset. Let's look at a script using the signature.

Code: Select all

define(step8WrtBytes, 89 42 18 8B 45 DC)
////
//// ------------------------------ ENABLE ------------------------------
[ENABLE]
aobScanModule(aobStep8WrtHook, Tutorial-i386.exe, 8Bxxxx89xxxx8Bxxxx8Bxxxx8DxxxxE8xxxxxxxx8Bxxxx8Bxxxx8Bxxxxxxxxxx)
//// or with aobScan
//aobScan(aobStep8WrtHook, 8Bxxxx89xxxx8Bxxxx8Bxxxx8DxxxxE8xxxxxxxx8Bxxxx8Bxxxx8Bxxxxxxxxxx)

define(injStep8WrtHook, aobStep8WrtHook+3)
//// Here the offset is set, to be used for enabling and disabling.

assert(injStep8WrtHook, step8WrtBytes)
//// Here the bytes are asserted to be compatable with the process version.

registerSymbol(injStep8WrtHook)
alloc(memStep8WrtHook, 0x400, injStep8WrtHook)
//...

////
//// ---------- Injection Point ----------
injStep8WrtHook:
 jmp step8wrtn_code
 nop
 step8wrtreturn:

////
//// ------------------------------ DISABLE ------------------------------
[DISABLE]
////
//// ---------- Injection Point ----------
injStep8WrtHook:
 db step8WrtBytes
unregisterSymbol(injStep8WrtHook)
unregisterSymbol(ptrStep8WrtHook)
dealloc(memStep8WrtHook)
And that's really the basics of AOB signatures.



But with step 8 we could also use an AOB to pull a pointer.

Code: Select all

Tutorial-i386.exe+25FB1 - A1 60D65F00 - mov eax,[Tutorial-i386.exe+1FD660]
Tutorial-i386.exe+25FB6 - 89 45 E8 - mov [ebp-18],eax
Tutorial-i386.exe+25FB9 - 8B 45 E8 - mov eax,[ebp-18]
Tutorial-i386.exe+25FBC - 8B 55 E8 - mov edx,[ebp-18]
Tutorial-i386.exe+25FBF - 8B 00 - mov eax,[eax]
Tutorial-i386.exe+25FC1 - 3B 42 04 - cmp eax,[edx+04]
Tutorial-i386.exe+25FC4 - 74 02 - je Tutorial-i386.exe+25FC8
Tutorial-i386.exe+25FC6 - EB 4F - jmp Tutorial-i386.exe+26017

Code: Select all

////
//// ------------------------------ ENABLE ------------------------------
[ENABLE]
aobScanModule(aobStep8Hook, Tutorial-i386.exe, A1xxxxxxxx89xxxx8Bxxxx8Bxxxx8Bxx3Bxxxx74xxEBxx8Bxxxx8Bxxxx8Bxxxx3Bxxxx)
define(ptrStep8Hook, aobStep8Hook+1)
registerSymbol(ptrStep8Hook)
////
//// ------------------------------ DISABLE ------------------------------
[DISABLE]
unregisterSymbol(ptrStep8Hook)


See also
  • [Link]
  • [Link]
  • [Link]
External links
  • [Link]
Last edited by TimFun13 on Wed May 02, 2018 6:28 am, edited 7 times in total.

Post Reply

Who is online

Users browsing this forum: No registered users