Anderholm Posted June 22, 2017 (edited)

Hi all! Who can help me with pattern searching? How does it work? For example, I need to "convert" (or find) this:

static void SET_ENTITY_COLLISION(Entity entity, BOOL toggle, BOOL keepPhysics) { invoke<Void>(0x1A9205C1B9EE827F, entity, toggle, keepPhysics); } // 0x1A9205C1B9EE827F 0x139FD37D

to this:

"\x48\x89\x5C\x24\x00\x48\x89\x6C\x24\x00\x48\x89\x74\x24\x00\x57\x48\x83\xEC\x20\x41\x8A\xF1\x41\x8A\xE8\x40\x8A\xFA", "xxxx?xxxx?xxxx?xxxxxxxxxxxxxx"

Edited June 22, 2017 by Antrix
ins1de Posted June 27, 2017

I think this question deserves an answer from people who have enough knowledge to explain it. It would be quite useful in many situations.
Scriptkiddy1337 Posted July 1, 2017

This isn't a question with an easy answer. First of all, you can't do it with ScriptHookV, because it handles the part of translating the initial identifier hash to the current hash, which you will need for this. If you have access to the native vtable directly, it works like this: you search for the current hash in there and print out the jmp address behind it. In a disassembler you go to this jmp and will find something like this:

.text:0000000142496750 loc_142496750: ; CODE XREF: .text:000000013FD1C22Cj
.text:0000000142496750 mov rax, [rcx+10h]
.text:0000000142496754 mov r9b, 1
.text:0000000142496757 cmp dword ptr [rax+8], 0
.text:000000014249675B mov ecx, [rax]
.text:000000014249675D setnz dl
.text:0000000142496760 cmp dword ptr [rax+10h], 0
.text:0000000142496764 setnz r8b
.text:0000000142496768 lea rsp, [rsp-8]
.text:000000014249676D mov [rsp], rbp
.text:0000000142496771 lea rbp, sub_13FD49778
.text:0000000142496778 xchg rbp, [rsp]
.text:000000014249677C lea rsp, [rsp+8]
.text:0000000142496781 jmp qword ptr [rsp-8]
.text:0000000142496785 ; ---------------------------------------------------------------------------
.text:0000000142496785 ; START OF FUNCTION CHUNK FOR sub_143A0B6E7

The natives mostly look like this, and most refer to a piece of code block which is only part of a much bigger function; however, in this function we can see one subroutine. Now you disassemble this function and see something like this:

int __fastcall sub_13FD49778(__int64 a1, char a2, char a3, char a4)
{
  char v4; // [email protected]
  char v5; // [email protected]
  char v6; // [email protected]
  __int64 v7; // [email protected]
  __int64 v8; // [email protected]
  __int64 v9; // [email protected]
  __int64 v10; // [email protected]
  __int64 v11; // [email protected]
  __int64 v12; // [email protected]
  Concurrency::details::HardwareAffinity *v13; // [email protected]
  __int64 v14; // [email protected]
  char v15; // [email protected]
  __int64 v16; // 
[email protected]

  v4 = a4;
  v5 = a3;
  v6 = a2;
  LODWORD(v7) = sub_13FD0BBD8();
  v9 = v7;
  if ( v7 )
  {
    if ( !byte_141A2294C
      || *(_BYTE *)(v7 + 40) != 4
      || !v6
      || *(_QWORD *)(qword_141641090 + 8) != v7
      || (LODWORD(v7) = sub_1402AFBD0(), !(_BYTE)v7) )
    {
      if ( *(_BYTE *)(v9 + 40) != 4 || (LODWORD(v7) = *(_DWORD *)(v9 + 5112) >> 30, !(v7 & 1)) )
      {
        v10 = *(_QWORD *)v9;
        if ( v6 )
        {
          (*(void (__fastcall **)(__int64, _QWORD, _QWORD))(v10 + 640))(v9, 0i64, 0i64);
        }
        else
        {
          LOBYTE(v8) = v4;
          (*(void (__fastcall **)(__int64, _QWORD, __int64))(v10 + 648))(v9, 0i64, v8);
        }
        if ( *(_BYTE *)(v9 + 40) == 5 )
        {
          v12 = *(_QWORD *)(v9 + 48);
          if ( v12 )
          {
            if ( v6 )
            {
              (*(void (__fastcall **)(__int64))(*(_QWORD *)v9 + 608i64))(v9);
            }
            else if ( !v5 && *(_WORD *)(v12 + 24) != -1 )
            {
              (*(void (__fastcall **)(__int64))(*(_QWORD *)v9 + 616i64))(v9);
            }
            if ( byte_141A2294C )
            {
              v13 = *(Concurrency::details::HardwareAffinity **)(v9 + 208);
              if ( v13 )
              {
                if ( Concurrency::details::HardwareAffinity::GetGroup(v13) == 5 )
                {
                  v14 = *(_QWORD *)(v9 + 208);
                  v15 = qword_141EC0AC4;
                  *(_BYTE *)(v14 + 437) |= 0x20u;
                  *(_BYTE *)(v14 + 439) = v15;
                }
              }
            }
          }
        }
        v16 = *(_QWORD *)v9;
        if ( v6 )
        {
          LODWORD(v7) = (*(int (__fastcall **)(__int64, _QWORD, _QWORD))(v16 + 640))(v9, 0i64, 0i64);
        }
        else
        {
          LOBYTE(v11) = v4;
          LODWORD(v7) = (*(int (__fastcall **)(__int64, _QWORD, __int64))(v16 + 648))(v9, 0i64, v11);
        }
        if ( *(_BYTE *)(v9 + 40) == 4 )
        {
          LODWORD(v7) = (*(_DWORD *)(v9 + 5132) ^ -(v6 == 0)) & 0x40000000;
          *(_DWORD *)(v9 + 5132) ^= v7;
          if ( v4 || v6 )
            *(_DWORD *)(v9 + 5148) ^= (*(_DWORD *)(v9 + 5148) ^ -(v6 == 0)) & 0x80000000;
        }
      }
    }
  }
  return v7;
}

And that's it already: now you click on the address and create a signature with SigMaker. A side effect of this is that we found out the native is documented wrongly, because this function has 3 bools and not only 2, as declared in natives.h.