AOB signatures

Section's for general approaches on hacking various options in games. No online-related discussions/posts OR warez!
TimFun13
Expert Cheater
Posts: 1353
Joined: Fri Mar 03, 2017 12:31 am
Reputation: 7


Post by TimFun13 »

[Link]

AOB signatures

What is an AOB? An AOB is just an Array of Bytes, it tends to be used as a signature. A signature is really only an AOB with wild cards. A signature can be found even if the address where it is changes, so long as the signature still exists.



So if we look at the code for step 8 of the CE tutorial (x32), we see some code like this.

Tutorial-i386.exe+26180 - E8 7B85FEFF - call Tutorial-i386.exe+E700
Tutorial-i386.exe+26185 - 8B 55 DC - mov edx,[ebp-24] //// AOB starts here
Tutorial-i386.exe+26188 - 89 42 18 - mov [edx+18],eax //// Injecting here
Tutorial-i386.exe+2618B - 8B 45 DC - mov eax,[ebp-24]
Tutorial-i386.exe+2618E - 8B 40 18 - mov eax,[eax+18]
Tutorial-i386.exe+26191 - 8D 55 B0 - lea edx,[ebp-50]
Tutorial-i386.exe+26194 - E8 073C0100 - call Tutorial-i386.exe+39DA0

So we could just inject at the address [ICODE]Tutorial-i386.exe+26188[/ICODE], but let's set up an AOB.

And we could just try [ICODE]89 42 18 8B 45 DC 8B 40 18 8D 55 B0[/ICODE], but what if the register or the offset changes?

So let's say that we always have a MOV, MOV, MOV, LEA, CALL, ... Then we could make an AOB like this:

8Bxxxx89xxxx8Bxxxx8Bxxxx8DxxxxE8xxxxxxxx8Bxxxx8Bxxxx8Bxxxxxxxxxx

Note: Any non-byte characters are wild cards, so X and ? are wild cards. So let's set up CE for an AOB scan.

[Link]



And after clicking first scan we are looking to get just one result.

[Link]

If you get more results than one, just add more bytes to the signature.



So to use this signature we'll need to use an offset. Let's look at a script using the signature.

define(step8WrtBytes, 89 42 18 8B 45 DC)
////
//// ------------------------------ ENABLE ------------------------------
[ENABLE]
aobScanModule(aobStep8WrtHook, Tutorial-i386.exe, 8Bxxxx89xxxx8Bxxxx8Bxxxx8DxxxxE8xxxxxxxx8Bxxxx8Bxxxx8Bxxxxxxxxxx)
//// or with aobScan
//aobScan(aobStep8WrtHook, 8Bxxxx89xxxx8Bxxxx8Bxxxx8DxxxxE8xxxxxxxx8Bxxxx8Bxxxx8Bxxxxxxxxxx)

define(injStep8WrtHook, aobStep8WrtHook+3)
//// Here the offset is set, to be used for enabling and disabling.

assert(injStep8WrtHook, step8WrtBytes)
//// Here the bytes are asserted to be compatible with the process version.

registerSymbol(injStep8WrtHook)
alloc(memStep8WrtHook, 0x400, injStep8WrtHook)
//...

////
//// ---------- Injection Point ----------
injStep8WrtHook:
 jmp step8wrtn_code
 nop
 step8wrtreturn:

////
//// ------------------------------ DISABLE ------------------------------
[DISABLE]
////
//// ---------- Injection Point ----------
injStep8WrtHook:
 db step8WrtBytes
unregisterSymbol(injStep8WrtHook)
unregisterSymbol(ptrStep8WrtHook)
dealloc(memStep8WrtHook)

And that's really the basics of AOB signatures.



But with step 8 we could also use an AOB to pull a pointer.

Tutorial-i386.exe+25FB1 - A1 60D65F00 - mov eax,[Tutorial-i386.exe+1FD660]
Tutorial-i386.exe+25FB6 - 89 45 E8 - mov [ebp-18],eax
Tutorial-i386.exe+25FB9 - 8B 45 E8 - mov eax,[ebp-18]
Tutorial-i386.exe+25FBC - 8B 55 E8 - mov edx,[ebp-18]
Tutorial-i386.exe+25FBF - 8B 00 - mov eax,[eax]
Tutorial-i386.exe+25FC1 - 3B 42 04 - cmp eax,[edx+04]
Tutorial-i386.exe+25FC4 - 74 02 - je Tutorial-i386.exe+25FC8
Tutorial-i386.exe+25FC6 - EB 4F - jmp Tutorial-i386.exe+26017

////
//// ------------------------------ ENABLE ------------------------------
[ENABLE]
aobScanModule(aobStep8Hook, Tutorial-i386.exe, A1xxxxxxxx89xxxx8Bxxxx8Bxxxx8Bxx3Bxxxx74xxEBxx8Bxxxx8Bxxxx8Bxxxx3Bxxxx)
define(ptrStep8Hook, aobStep8Hook+1)
registerSymbol(ptrStep8Hook)
////
//// ------------------------------ DISABLE ------------------------------
[DISABLE]
unregisterSymbol(ptrStep8Hook)


See also
  • [Link]
  • [Link]
  • [Link]
External links
  • [Link]
Last edited by TimFun13 on Wed May 02, 2018 6:28 am, edited 7 times in total.
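The following is an added example, not code from the post or from Cheat Engine: a small Python scanner that walks through the same steps the post describes, using the two signatures quoted above. It parses a CE-style AOB (any pair of characters that is not a hex byte is a wildcard), scans a buffer, checks that the hit is unique, derives the injection address from the hit by the +3 offset and verifies the bytes there the way CE's assert() does, and reads the imm32 pointer operand out of the matched mov eax,[imm32]. The buffer is constructed for the example: the instruction bytes mirror the two Tutorial-i386.exe listings in the post, the bytes after each listing are filler so the full-length signatures fit, and the offsets returned are buffer offsets, not real process addresses.

```python
"""Wildcard AOB signature scanning, as used by CE's aobScan/aobScanModule.
Added example; the sample buffer below is constructed, not a real dump."""
import re
import struct

# The two signatures exactly as they appear in the post.
STEP8_WRT_SIG = "8Bxxxx89xxxx8Bxxxx8Bxxxx8DxxxxE8xxxxxxxx8Bxxxx8Bxxxx8Bxxxxxxxxxx"
STEP8_PTR_SIG = "A1xxxxxxxx89xxxx8Bxxxx8Bxxxx8Bxx3Bxxxx74xxEBxx8Bxxxx8Bxxxx8Bxxxx3Bxxxx"


def parse_pattern(pattern):
    """Turn an AOB string into a list of byte values, None for wildcards.
    Whitespace is ignored; every two characters form one byte, and a pair
    containing any non-hex character (x, ?, *) is a wildcard."""
    compact = re.sub(r"\s+", "", pattern)
    if len(compact) % 2:
        raise ValueError("AOB must contain an even number of characters")
    pairs = (compact[i:i + 2] for i in range(0, len(compact), 2))
    return [int(p, 16) if re.fullmatch(r"[0-9A-Fa-f]{2}", p) else None
            for p in pairs]


def aob_scan(buf, pattern):
    """Return every offset in buf where the signature matches."""
    pat = parse_pattern(pattern)
    return [off for off in range(len(buf) - len(pat) + 1)
            if all(p is None or buf[off + k] == p for k, p in enumerate(pat))]


def aob_scan_unique(buf, pattern):
    """Insist on exactly one hit, which is what an injection script needs.
    More than one hit means the signature needs more bytes."""
    hits = aob_scan(buf, pattern)
    if len(hits) != 1:
        raise ValueError(f"{len(hits)} matches; extend the signature until it is unique")
    return hits[0]


def bytes_match(buf, addr, expected_hex):
    """Counterpart of CE's assert(address, bytes): True only if the expected
    original bytes are at addr, i.e. the offset into the signature is right
    and the binary is the version the script was written for."""
    expected = bytes.fromhex(expected_hex)
    return buf[addr:addr + len(expected)] == expected


def pointer_operand(buf, addr):
    """For 'A1 imm32' (mov eax,[imm32]) at addr, return the imm32: the address
    the code reads its pointer from, which is what define(ptr..., aob+1)
    exposes in the post."""
    if buf[addr] != 0xA1:
        raise ValueError("expected mov eax,[imm32] (opcode A1)")
    return struct.unpack_from("<I", buf, addr + 1)[0]


# Constructed sample: the listings from the post, each followed by filler so
# the signature tails fit, surrounded by NOP padding.
STEP8_WRT_CODE = bytes.fromhex(
    "E87B85FEFF"    # call Tutorial-i386.exe+E700
    "8B55DC"        # mov edx,[ebp-24]    <- signature starts here
    "894218"        # mov [edx+18],eax    <- injection point, signature + 3
    "8B45DC"        # mov eax,[ebp-24]
    "8B4018"        # mov eax,[eax+18]
    "8D55B0"        # lea edx,[ebp-50]
    "E8073C0100"    # call Tutorial-i386.exe+39DA0
    "8B45DC8B55E88B8010000000"  # filler (constructed) for the signature tail
)
STEP8_PTR_CODE = bytes.fromhex(
    "A160D65F00"    # mov eax,[Tutorial-i386.exe+1FD660]  (imm32 = 005FD660)
    "8945E8"        # mov [ebp-18],eax
    "8B45E8"        # mov eax,[ebp-18]
    "8B55E8"        # mov edx,[ebp-18]
    "8B00"          # mov eax,[eax]
    "3B4204"        # cmp eax,[edx+04]
    "7402"          # je
    "EB4F"          # jmp
    "8B45E88B55E88B40043B4204"  # filler (constructed) for the signature tail
)
PAD = b"\x90" * 16
SAMPLE = PAD + STEP8_PTR_CODE + PAD + STEP8_WRT_CODE + PAD


def run_demo(buf=SAMPLE):
    """Reproduce the post's workflow and return the results as a dict."""
    wrt = aob_scan_unique(buf, STEP8_WRT_SIG)   # aobStep8WrtHook
    inj = wrt + 3                               # injStep8WrtHook
    ptr = aob_scan_unique(buf, STEP8_PTR_SIG)   # aobStep8Hook
    return {
        # a short signature like the first bytes alone is not unique here
        "short_sig_hits": len(aob_scan(buf, "8B45DC")),
        "aobStep8WrtHook": wrt,
        "injStep8WrtHook": inj,
        "inj_bytes_ok": bytes_match(buf, inj, "89 42 18 8B 45 DC"),
        "aobStep8Hook": ptr,
        "pointer_address": pointer_operand(buf, ptr),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name:18} {value:#x}" if isinstance(value, int) and not isinstance(value, bool) else f"{name:18} {value}")
```

Running it shows the short signature hitting twice while each full signature hits once, the +3 offset landing on the 89 42 18 bytes, and the pointer operand decoding to 0x5FD660, which is Tutorial-i386.exe+1FD660 for an image base of 0x400000. A real scan differs only in where the buffer comes from (a module's memory instead of a constructed byte string); the matching and the offset arithmetic are the same.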
