Finding a signature for Windows without a string

Posted: Tue Oct 15, 2019 3:44 pm
by VinciT
I'm using IDA to find a couple of signatures for HL2DM, and I keep getting stuck with signatures that don't have any strings. The function itself doesn't have any strings, and neither do the xrefs.
How could I get a signature for a function like that? (e.g. _ZN11CHL2_Player14StartSprintingEv)

Re: Finding a signature for Windows without a string

Posted: Tue Oct 15, 2019 4:57 pm
by Ayuto
Actually, that function has two strings: HL2Player.SprintNoPower and HL2Player.SprintStart.

However, if you have a function that is really difficult to find, you can try running these scripts:
https://github.com/Ayuto/discover_win

It first starts with simple string match searches (functions that have the same strings in both databases are renamed). Then it searches for all functions that only have one unnamed xref_to or xref_from function left. Those are easy to find. After that it repeats the steps again, because the string match search is now able to find new results. This is running in a while loop until no more results are found. If I remember correctly, it is able to find 8-12% of all functions, although it is in a very basic state and could possibly be improved a lot.

After running these scripts it's a lot easier to find other functions by finding/renaming global pointers, comparing the code (a decompiler helps a lot), function size, renaming the functions in a vtable or marking multiple functions as "possible findings". Generally speaking: the more you discover, the more it will ease finding other functions.
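The string-match / single-xref propagation loop described above, as an added example (not the discover_win scripts themselves) over two constructed in-memory "databases"; apart from StartSprinting and its two strings from this thread, every function name, string and address is made up:

```python
# Each database maps a function id to its name, the strings it references and the
# ids it calls. The reference database (a build with symbols) has every function
# named; in the target database unknown functions carry IDA's "sub_" placeholders.
def callers(db, fid):
    return {f for f, info in db.items() if fid in info["calls"]}  # xref_to

def match_databases(ref, target):
    """Alternate string matching and single-xref propagation until a pass finds nothing new."""
    found, name_to_ref = {}, {info["name"]: fid for fid, info in ref.items()}
    tname = lambda tid: found.get(tid, target[tid]["name"])
    unnamed = lambda tid: tid not in found and target[tid]["name"].startswith("sub_")
    by_strings = {}
    for fid, info in ref.items():
        if info["strings"]:
            by_strings.setdefault(frozenset(info["strings"]), []).append(fid)
    while True:
        before = len(found)
        # Step 1: an unnamed target function whose string set occurs once in ref takes that name.
        for tid, info in target.items():
            cands = by_strings.get(frozenset(info["strings"]), []) if unnamed(tid) else []
            if len(cands) == 1 and ref[cands[0]]["name"] not in found.values():
                found[tid] = ref[cands[0]]["name"]
        # Step 2: for a named function with exactly one unaccounted callee (or caller)
        # on both sides, the two leftovers correspond.
        for tid in target:
            if unnamed(tid) or tname(tid) not in name_to_ref:
                continue
            rid = name_to_ref[tname(tid)]
            for t_nbrs, r_nbrs in ((target[tid]["calls"], ref[rid]["calls"]),
                                   (callers(target, tid), callers(ref, rid))):
                t_open = [n for n in t_nbrs if unnamed(n)]
                known = {tname(n) for n in t_nbrs if not unnamed(n)}
                r_open = [n for n in r_nbrs if ref[n]["name"] not in known]
                if len(t_open) == 1 and len(r_open) == 1 \
                        and ref[r_open[0]]["name"] not in found.values():
                    found[t_open[0]] = ref[r_open[0]]["name"]
        if len(found) == before:
            return found

def func(name, strings=(), calls=()):
    return {"name": name, "strings": set(strings), "calls": set(calls)}

SPRINT = ["HL2Player.SprintNoPower", "HL2Player.SprintStart"]  # strings from the thread
REF = {n: func(n, s, c) for n, s, c in [  # constructed reference database, ids = names
    ("StartSprinting", SPRINT, ["CanSprint", "EmitSound"]), ("StopSprinting", [], ["EmitSound"]),
    ("CanSprint", [], ["SuitPowerActive"]), ("SuitPowerActive", [], []),
    ("EmitSound", ["EmitSound: unknown soundscript"], []), ("Helper", [], [])]}
TARGET = {a: func("sub_%x" % a, s, c) for a, s, c in [  # constructed target, ids = addresses
    (0x401000, SPRINT, [0x401100, 0x401300]), (0x401100, [], [0x401200]), (0x401200, [], []),
    (0x401300, ["EmitSound: unknown soundscript"], []), (0x401400, [], [0x401300]),
    (0x401500, [], [])]}  # no strings and no xrefs: stays unmatched, like the thread's case
```

Running `match_databases(REF, TARGET)` names five of the six target functions; StopSprinting is recovered purely through the caller side of EmitSound, and sub_401500 is left for the manual methods described in the post.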

Re: Finding a signature for Windows without a string

Posted: Wed Oct 16, 2019 3:24 pm
by Sam
VinciT wrote: I'm using IDA to find a couple of signatures for HL2DM, and I keep getting stuck with signatures that don't have any strings. The function itself doesn't have any strings, and neither do the xrefs.
How could I get a signature for a function like that? (e.g. _ZN11CHL2_Player14StartSprintingEv)

Signature Scanning
MakeSig.idc (IDA script for making a signature of a selected code block)

Do you need it? (My English is not so good. xP)

Re: Finding a signature for Windows without a string

Posted: Thu Oct 17, 2019 12:40 am
by VinciT
Ayuto wrote: Actually, that function has two strings: HL2Player.SprintNoPower and HL2Player.SprintStart.
Whoops... You're right. I guess I didn't look at the entire function.
Thank you for the scripts, they helped a lot.

I've read that wiki page and I have that script, thanks though. :smile: