Finding a signature for Windows without a string

VinciT
Senior Member
Posts: 114
Joined: Thu Dec 18, 2014 2:41 am

Finding a signature for Windows without a string

Postby VinciT » Tue Oct 15, 2019 3:44 pm

I'm using IDA to find a couple of signatures for HL2DM, and I keep getting stuck with signatures that don't have any strings. The function itself doesn't have any strings, and neither do the xrefs.
How could I get a signature for a function like that? (e.g. _ZN11CHL2_Player14StartSprintingEv)
Ayuto
Project Leader
Posts: 2029
Joined: Sat Jul 07, 2012 8:17 am
Location: Germany

Re: Finding a signature for Windows without a string

Postby Ayuto » Tue Oct 15, 2019 4:57 pm

Actually, that function has two strings: HL2Player.SprintNoPower and HL2Player.SprintStart.

However, if you have a function that is really difficult to find, you can try running these scripts:
https://github.com/Ayuto/discover_win

It first starts with simple string match searches (functions that have the same strings in both databases are renamed). Then it searches for all functions that only have one unnamed xref_to or xref_from function left. Those are easy to find. After that it repeats the steps again, because the string match search is now able to find new results. This is running in a while loop until no more results are found. If I remember correctly, it is able to find 8-12% of all functions, although it is in a very basic state and could possibly be improved a lot.

After running these scripts it's a lot easier to find other functions by finding/renaming global pointers, comparing the code (a decompiler helps a lot), function size, renaming the functions in a vtable or marking multiple functions as "possible findings". Generally speaking: the more you discover, the more it will ease finding other functions.
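The loop described in the post above can be modelled outside IDA. This is an added example, not code from discover_win or from anyone in this thread. It assumes each database is a plain dict of function -> (strings, callees), that a "string match" means an identical string set that is unique among the still-unmatched functions, and all helper names other than the StartSprinting symbol and its two strings are hypothetical.

```python
from collections import defaultdict

def callers_of(db):
    rev = defaultdict(set)  # callee -> callers (xref_to)
    for func, (_, calls) in db.items():
        for callee in calls:
            rev[callee].add(func)
    return rev

def match_by_strings(named, unnamed, matches):
    """Pair unmatched functions whose string set is unique in both databases."""
    def index(db, done):
        idx = defaultdict(list)
        for func, (strings, _) in db.items():
            if func not in done and strings:
                idx[frozenset(strings)].append(func)
        return idx
    a, b = index(named, set(matches.values())), index(unnamed, set(matches))
    new = {b[k][0]: a[k][0] for k in a if len(a[k]) == 1 and len(b.get(k, ())) == 1}
    matches.update(new)
    return len(new)

def match_by_xrefs(named, unnamed, matches):
    """Around each matched pair, pair the single unmatched callee or caller left."""
    found, n_callers, u_callers = 0, callers_of(named), callers_of(unnamed)
    for u, n in list(matches.items()):
        for n_set, u_set in ((named[n][1], unnamed[u][1]), (n_callers[n], u_callers[u])):
            n_left, u_left = n_set - set(matches.values()), u_set - set(matches)
            if len(n_left) == 1 and len(u_left) == 1:
                matches[u_left.pop()] = n_left.pop()
                found += 1
    return found

def discover(named, unnamed):
    """Alternate both passes until neither finds anything new."""
    matches = {}  # unnamed function -> name taken from the symbolized database
    while match_by_strings(named, unnamed, matches) + match_by_xrefs(named, unnamed, matches):
        pass
    return matches

# Constructed sample: each database maps function -> (strings, callees). Only the
# StartSprinting symbol and its two strings come from the thread; the rest is hypothetical.
S = {"HL2Player.SprintNoPower", "HL2Player.SprintStart"}
NAMED = {"_ZN11CHL2_Player14StartSprintingEv": (S, {"HelperA"}),
         "HelperA": ({"shared.msg"}, set()),
         "HelperB": ({"shared.msg"}, {"Leaf"}), "Leaf": (set(), set())}
UNNAMED = {"sub_1000": (S, {"sub_2000"}), "sub_2000": ({"shared.msg"}, set()),
           "sub_3000": ({"shared.msg"}, {"sub_4000"}), "sub_4000": (set(), set())}
```

Calling `discover(NAMED, UNNAMED)` names all four functions: the first string pass finds only `sub_1000`, the xref pass then resolves `sub_2000`, and that leaves `sub_3000` as the only unmatched function with the shared string, so the repeated string pass can now pair it.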
Sam
Member
Posts: 36
Joined: Tue Jul 03, 2018 3:00 pm
Location: Russian Federation

Re: Finding a signature for Windows without a string

Postby Sam » Wed Oct 16, 2019 3:24 pm

VinciT wrote: I'm using IDA to find a couple of signatures for HL2DM, and I keep getting stuck with signatures that don't have any strings. The function itself doesn't have any strings, and neither do the xrefs.
How could I get a signature for a function like that? (e.g. _ZN11CHL2_Player14StartSprintingEv)

Signature Scanning
MakeSig.idc (IDA script for making signature of selected code block)

Do you need it? (My English is not so good. xP)
It's a trap!
VinciT
Senior Member
Posts: 114
Joined: Thu Dec 18, 2014 2:41 am

Re: Finding a signature for Windows without a string

Postby VinciT » Thu Oct 17, 2019 12:40 am

Ayuto wrote: Actually, that function has two strings: HL2Player.SprintNoPower and HL2Player.SprintStart.
Whoops.. You're right. I guess I didn't look at the entire function.
Thank you for the scripts, they helped a lot.

I've read that wiki page and I have that script, thanks though. :smile: