I'm using IDA to find a couple of signatures for HL2DM, and I keep getting stuck with signatures that don't have any strings. The function itself doesn't have any strings, and neither do the xrefs.
How could I get a signature for a function like that? (e.g. _ZN11CHL2_Player14StartSprintingEv)
Finding a signature for Windows without a string
Re: Finding a signature for Windows without a string
Actually, that function has two strings: HL2Player.SprintNoPower and HL2Player.SprintStart.
However, if you have a function that is really difficult to find, you can try running these scripts:
https://github.com/Ayuto/discover_win
It first starts with simple string match searches (functions that have the same strings in both databases are renamed). Then it searches for all functions that only have one unnamed xref_to or xref_from function left. Those are easy to find. After that it repeats the steps again, because the string match search is now able to find new results. This is running in a while loop until no more results are found. If I remember correctly, it is able to find 8-12% of all functions, although it is in a very basic state and could possibly be improved a lot.
After running these scripts it's a lot easier to find other functions by finding/renaming global pointers, comparing the code (a decompiler helps a lot), function size, renaming the functions in a vtable or marking multiple functions as "possible findings". Generally speaking: the more you discover, the more it will ease finding other functions.
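The matching loop described above, written out as an added example that is not the discover_win code itself: two constructed toy "databases" stand in for the symbolized build and the stripped build, and the function names, the call graph and the HL2Player.SprintStop string are illustrative rather than taken from HL2DM. Each round first pairs functions whose referenced-string sets are identical and unique on both sides, then propagates along single unmatched xrefs (callees and callers) of already matched pairs, until a round finds nothing new.

```python
from collections import defaultdict
from typing import Dict, Set

# A function record holds the string literals it references and the functions
# it calls. Both databases below are constructed toy data standing in for an
# IDA database with symbols (the Linux build) and a stripped one (the Windows
# build); names and edges are illustrative, not extracted from a real binary.
Func = Dict[str, Set[str]]
Database = Dict[str, Func]


def func(strings=(), calls=()) -> Func:
    return {"strings": set(strings), "calls": set(calls)}


SYMBOLIZED: Database = {
    "CHL2_Player::PreThink":             func(calls=["CHL2_Player::HandleSpeedChanges", "CHL2_Player::UpdateWeaponPosture"]),
    "CHL2_Player::HandleSpeedChanges":   func(calls=["CHL2_Player::StartSprinting", "CHL2_Player::StopSprinting"]),
    "CHL2_Player::StartSprinting":       func(["HL2Player.SprintStart", "HL2Player.SprintNoPower"], ["CHL2_Player::CanSprint", "CBaseEntity::EmitSound"]),
    "CHL2_Player::StopSprinting":        func(["HL2Player.SprintStop"], ["CBaseEntity::EmitSound"]),
    "CHL2_Player::CanSprint":            func(),
    "CHL2_Player::UpdateWeaponPosture":  func(calls=["CBasePlayer::Weapon_ShootPosition", "CBasePlayer::Weapon_Switch"]),
    "CBasePlayer::Weapon_ShootPosition": func(),
    "CBasePlayer::Weapon_Switch":        func(),
    "CBaseEntity::EmitSound":            func(),
}

# Same graph, but only auto-generated names (constructed sub_XXXX labels).
STRIPPED: Database = {
    "sub_1000": func(calls=["sub_1040", "sub_1180"]),
    "sub_1040": func(calls=["sub_10A0", "sub_10F0"]),
    "sub_10A0": func(["HL2Player.SprintStart", "HL2Player.SprintNoPower"], ["sub_1130", "sub_2000"]),
    "sub_10F0": func(["HL2Player.SprintStop"], ["sub_2000"]),
    "sub_1130": func(),
    "sub_1180": func(calls=["sub_11C0", "sub_11F0"]),
    "sub_11C0": func(),
    "sub_11F0": func(),
    "sub_2000": func(),
}


def callers(db: Database, name: str) -> Set[str]:
    """xref_to: every function in db that calls `name`."""
    return {f for f, rec in db.items() if name in rec["calls"]}


def match_by_strings(sym: Database, strip: Database, matches: Dict[str, str]) -> int:
    """Pair functions whose string sets are identical and unique on both sides."""
    def groups(db, taken):
        g = defaultdict(list)
        for name, rec in db.items():
            if name not in taken and rec["strings"]:
                g[frozenset(rec["strings"])].append(name)
        return g

    sym_groups = groups(sym, set(matches.values()))
    strip_groups = groups(strip, set(matches))
    new = 0
    for key, strip_names in strip_groups.items():
        sym_names = sym_groups.get(key, [])
        if len(strip_names) == 1 and len(sym_names) == 1:
            matches[strip_names[0]] = sym_names[0]
            new += 1
    return new


def match_by_unique_xref(sym: Database, strip: Database, matches: Dict[str, str]) -> int:
    """For each matched pair, if exactly one callee (xref_from) or exactly one
    caller (xref_to) is still unmatched on both sides, those two correspond."""
    new = 0
    for strip_name, sym_name in list(matches.items()):
        neighbourhoods = [
            (strip[strip_name]["calls"], sym[sym_name]["calls"]),   # xref_from
            (callers(strip, strip_name), callers(sym, sym_name)),  # xref_to
        ]
        for strip_nbrs, sym_nbrs in neighbourhoods:
            open_strip = [n for n in strip_nbrs if n not in matches]
            open_sym = [n for n in sym_nbrs if n not in matches.values()]
            if len(open_strip) == 1 and len(open_sym) == 1:
                matches[open_strip[0]] = open_sym[0]
                new += 1
    return new


def discover(sym: Database, strip: Database) -> Dict[str, str]:
    """Repeat both passes until a full round finds no new match."""
    matches: Dict[str, str] = {}
    while True:
        found = match_by_strings(sym, strip, matches)
        found += match_by_unique_xref(sym, strip, matches)
        if not found:
            return matches


def unmatched(strip: Database, matches: Dict[str, str]):
    return sorted(n for n in strip if n not in matches)


if __name__ == "__main__":
    result = discover(SYMBOLIZED, STRIPPED)
    for stripped_name, real_name in result.items():
        print(f"{stripped_name} -> {real_name}")
    print("still unknown:", unmatched(STRIPPED, result))
```

On the toy data two string matches seed the loop and xref propagation resolves five more; the two leaf functions under UpdateWeaponPosture stay unknown because each is one of two unmatched callees, which is exactly the ambiguity the "possible findings" marking in the post is for. On real binaries the graphs are not isomorphic (inlining, different compilers), so the real yield is far lower than on this example, as the 8-12% figure above suggests.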
Re: Finding a signature for Windows without a string
VinciT wrote: I'm using IDA to find a couple of signatures for HL2DM, and I keep getting stuck with signatures that don't have any strings. The function itself doesn't have any strings, and neither do the xrefs.
How could I get a signature for a function like that? (e.g. _ZN11CHL2_Player14StartSprintingEv)
Signature Scanning
MakeSig.idc (IDA script for making signature of selected code block)
Do you need it? (My English not so good. xP)
Last edited by Sam on Wed Oct 16, 2019 3:24 pm, edited 1 time in total.
Reason: Original post version
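What a signature-making script like the one named above actually produces, as an added example that is neither MakeSig.idc nor code from the page: the bytes of a function are copied, the operands that change between builds (here the rel32 of a call) are replaced by wildcards, the result is trimmed to the shortest prefix that still matches exactly once in the module, and the same wildcarded signature is then checked against a second build. All byte blobs, offsets and function layouts are constructed for the example, not taken from a real HL2DM binary.

```python
from typing import List, Optional, Sequence, Tuple

# A signature is a byte per position, or None for a wildcard.
Signature = List[Optional[int]]


def build_module(funcs: Sequence[bytes], align: int = 16) -> bytes:
    """Lay constructed functions out at 16-byte alignment with 0xCC padding."""
    out = bytearray()
    for f in funcs:
        while len(out) % align:
            out.append(0xCC)
        out += f
    return bytes(out)


# Constructed x86 function bodies. F0 and F1 share the prologue of TARGET so
# that a too-short signature is ambiguous. TARGET's call at offset 9 carries a
# rel32 (offsets 10..13) that differs between builds.
F0 = bytes.fromhex("55 8b ec 83 ec 08 e8 a1 00 00 00 8b e5 5d c3")
F1 = bytes.fromhex("55 8b ec 83 ec 08 e8 b2 00 00 00 33 c0 8b e5 5d c3")
TARGET = bytes.fromhex("55 8b ec 83 ec 08 56 8b f1 e8 c3 00 00 00 85 c0 74 04 33 c0 5e 8b e5 5d c3")
TARGET_OTHER_BUILD = TARGET[:10] + bytes.fromhex("d9 00 00 00") + TARGET[14:]

MODULE_A = build_module([F0, F1, TARGET])                 # TARGET lands at 48
MODULE_B = build_module([F1, TARGET_OTHER_BUILD, F0])     # relinked: TARGET at 32


def build_signature(func_bytes: bytes, wildcard_ranges: Sequence[Tuple[int, int]]) -> Signature:
    """Copy the function bytes and wildcard each (start, length) range that
    holds a relocatable operand (call/jmp targets, absolute addresses)."""
    sig: Signature = list(func_bytes)
    for start, length in wildcard_ranges:
        for i in range(start, start + length):
            sig[i] = None
    return sig


def scan(module: bytes, sig: Signature) -> List[int]:
    """Return every offset in module where the signature matches."""
    hits = []
    for off in range(len(module) - len(sig) + 1):
        if all(b is None or module[off + i] == b for i, b in enumerate(sig)):
            hits.append(off)
    return hits


def shortest_unique(module: bytes, sig: Signature) -> Optional[Signature]:
    """Trim to the shortest prefix that matches exactly once (never ending on
    a wildcard, which would add nothing). None if even the full signature is
    not unique in this module."""
    for n in range(1, len(sig) + 1):
        prefix = sig[:n]
        if prefix[-1] is None:
            continue
        if len(scan(module, prefix)) == 1:
            return prefix
    return None


def to_ida_style(sig: Signature) -> str:
    return " ".join("?" if b is None else f"{b:02X}" for b in sig)


def to_escaped_style(sig: Signature) -> str:
    # The "\x2A" wildcard convention is common in game-data files; note that a
    # literal 0x2A byte in the code is then indistinguishable from a wildcard.
    return "".join("\\x2A" if b is None else f"\\x{b:02X}" for b in sig)


if __name__ == "__main__":
    full = build_signature(TARGET, [(10, 4)])
    print("full signature :", to_ida_style(full))
    print("hits in build A:", scan(MODULE_A, full))
    print("hits in build B:", scan(MODULE_B, full), "(raw bytes:", scan(MODULE_B, list(TARGET)), ")")
    short = shortest_unique(MODULE_A, full)
    print("shortest unique:", to_ida_style(short), "=", to_escaped_style(short))
```

The raw bytes of the function do not occur in the second build at all because the call target moved, while the wildcarded signature finds it in both; that is the whole reason for the wildcards. The shortest unique prefix is computed against one build only and can collide in another, so in practice a few extra bytes beyond the minimum are kept as margin and the signature is re-scanned after every update.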
Re: Finding a signature for Windows without a string
Ayuto wrote: Actually, that function has two strings: HL2Player.SprintNoPower and HL2Player.SprintStart.
Whoops.. You're right. I guess I didn't look at the entire function.
Thank you for the scripts, they helped a lot.
Sam wrote: Signature Scanning
MakeSig.idc (IDA script for making signature of selected code block)
Do you need it? (My English not so good. xP)
I've read that wiki page and I have that script, thanks though.