Windower: SigScan DLL - Updated 5/23/2009 - Windower



SigScan DLL - Updated 5/23/2009 Fast/powerful C++ Byte Signature Scanning Code DLL

#1 Aikar

  • delete world; world = new Planet("Code");
  • PipPipPipPipPipPipPipPipPipPip
  • Group: +Retired Windower Members
  • Posts: 4045
  • Joined: 19-April 05
  • Gender:Male
  • Location:Raleigh, NC
  • Interests:PHP, FFXI, C++
  • Name: Aikar, Aikari
  • Server: Leviathan
  • Jobs: WHM75 BLM75
  • Race: Tarutaru Male
  • Linkshell: Eternia

Posted 05 July 2008 - 02:06 AM

Byte Signature Scanning is a technique used to search static memory of a binary to pinpoint an offset.

This offset may contain a pointer to a desired memory location or a function call you wish to use.

Unlike offsets, signatures still remain the same in most cases when the binary is updated as long as that related code section is not modified, making it an excellent choice to find pointers to memory locations that survive updates.

Windower has been using this technique for years to survive updates, and now we are providing it to you guys.

Download here: http://windower.net/...can/SigScan.zip
Documentation: http://windower.net/libs/sigscan

Download contains full examples in C++, C# and VB.NET.
Please read the documentation for usage information.

Note: The documentation does not yet contain a tutorial on FINDING signatures. I'll have to get to writing that up when I get time. If someone else wishes to write a tutorial please do. I highly recommend CheatEngine.


Some useful signatures
UTCTime = (unsigned int*) ((unsigned int)SigScan("b0015ec390518b4c24088d4424005068",36) + 0xC);
IsInCombat = (BYTE*) SigScan("83C408DFE0F6C4050F8A610100005FC605");
Target = (TargetInfo**) SigScan("53568bf18b480433db3bcb75065e33c05b59c38b0d",24); //note this is a double pointer..
MobArray = (Mob**) SigScan("8B560C8B042A8B0485"); //note this is a double pointer..
Party = (PartyDisplay*) SigScan("0fbec38d0c5256578bf58d04488d0c808d0448b9130000008d04c5");
Inventory = (sInventory**) SigScan("3b05XXXXXXXX741285c0"); //note this is a double pointer..

- RETIRED - I am no longer working on the Windower project and have retired from MMO's entirely to work on my personal RL goals and creating my own MMO game, follow up on what im doing @ Aikar.co
- FFOChat - Join the FFXI Community!
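To make the technique concrete without touching a live process, here is an added example (mine, not Aikar's SigScan.dll or its API) of a pure-Python scanner: it parses the hex-with-wildcard format used in the signature list (XX or ?? per wildcard byte), finds the first match in a byte buffer, and then performs the "double pointer" read-through noted on the Target, MobArray and Inventory entries. The module image, its addresses and the meaning of the offset parameter are constructed assumptions for illustration, not the DLL's actual semantics.

```python
import re
import struct

def parse_signature(sig):
    """Hex signature -> list of byte values; None marks a wildcard byte (XX or ??)."""
    sig = re.sub(r"\s+", "", sig)
    if len(sig) % 2:
        raise ValueError("signature needs two hex digits per byte")
    out = []
    for i in range(0, len(sig), 2):
        pair = sig[i:i + 2].upper()
        out.append(None if pair in ("XX", "??") else int(pair, 16))
    return out

def sig_scan(data, sig, offset=0):
    """Index of the first match of sig in data, plus offset, or None if absent.
    offset is simply added to the match address here; that is an assumption,
    not necessarily what SigScan.dll's second argument means."""
    pat = parse_signature(sig)
    for start in range(len(data) - len(pat) + 1):
        if all(p is None or data[start + k] == p for k, p in enumerate(pat)):
            return start + offset
    return None

def read_dword(data, address):
    """Little-endian 32-bit read, what ReadProcessMemory + unpack('<I') gives you."""
    return struct.unpack_from("<I", data, address)[0]

# Constructed stand-in for a module image; none of these bytes or addresses are real.
# At 0x10 sits "cmp eax,[imm32]; jz +0x12; test eax,eax": the imm32 operand is the
# XXXXXXXX wildcard in the Inventory signature, which is why it is masked out.
POINTER_SLOT = 0x40   # imm32 target: the global holding a pointer to the structure
STRUCT_ADDR = 0x80    # where the structure itself lives in this toy image
IMAGE = bytearray(0x100)
IMAGE[0x10:0x1A] = (bytes.fromhex("3b05") + struct.pack("<I", POINTER_SLOT)
                    + bytes.fromhex("741285c0"))
IMAGE[POINTER_SLOT:POINTER_SLOT + 4] = struct.pack("<I", STRUCT_ADDR)

def resolve_double_pointer(image, sig, operand_offset):
    """Match sig, read the absolute-address operand operand_offset bytes into the
    match, then dereference it once more: the 'double pointer' step from the thread."""
    match = sig_scan(image, sig)
    if match is None:
        return None
    slot = read_dword(image, match + operand_offset)
    return read_dword(image, slot)

if __name__ == "__main__":
    print(hex(sig_scan(IMAGE, "3b05XXXXXXXX741285c0")))                    # 0x10
    print(hex(resolve_double_pointer(IMAGE, "3b05????????741285c0", 2)))  # 0x80
```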

#2 W1z8it

  • Padawan
  • PipPip
  • Group: Members
  • Posts: 29
  • Joined: 26-January 09

Posted 23 May 2009 - 11:03 AM

Hey Aikar, any chance you can compile that into a dll for those of us that don't use C++?

#3 Aikar


Posted 23 May 2009 - 11:31 AM

Err, I forgot to release it. Now posted. Some useful signatures posted too.

If anyone wishes to share signatures, please post them here :)

#4 W1z8it


Posted 23 May 2009 - 01:57 PM

Aikar, on May 23 2009, 05:31 PM, said:

Err, I forgot to release it. Now posted. Some useful signatures posted too.

If anyone wishes to share signatures, please post them here :)


Thanks!

#5 W1z8it


Posted 24 May 2009 - 11:09 AM

Hmmm I can't seem to get it working properly in VB.Net:

 
	Private Shared Pid As Integer
	Public Shared Sub SetPid()
		Try
			Dim ProcList As Process() = Process.GetProcesses()
			For n As Integer = 0 To ProcList.Length - 1
				If ProcList(n).ProcessName = "pol" Then
					Pid = ProcList(n).Id
					Return
				End If
			Next
			MsgBox("Error! PlayOnline Not Found.")
		Catch
		End Try
	End Sub

	Private Sub Form1_Load(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles MyBase.Load
		SetPid()
	End Sub

	Private Sub Button1_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button1.Click
		Dim hProc As IntPtr
		Dim memloc As UInt32
		Dim Data As UInt32
		hProc = OpenProcess(PROCESS_ACCESS.PROCESS_VM_READ, False, Pid)
		InitializeSigScan(Pid, "FFXIMain.dll")
		memloc = SigScan("53568bf18b480433db3bcb75065e33c05b59c38b0d", 24)
		FinalizeSigScan()
		ReadProcessMemory(hProc, memloc, Data, 4, 0)
		CloseHandle(hProc)
		Readout.AppendText(Hex(Data))
	End Sub


The sig I was scanning is TARGETINFO, but it's giving me 0x4B81A48 which isn't right.

This post has been edited by W1z8it: 24 May 2009 - 11:12 AM


#6 Aikar


Posted 24 May 2009 - 10:03 PM

As I noted in the list of sigs, Target is a double pointer. You've got to read that address to get the real address of TargetInfo.

#7 W1z8it


Posted 25 May 2009 - 05:05 AM

Edit: Yeah, never mind, for some reason I was expecting the offset to be returned. I understand now lol.

This post has been edited by W1z8it: 25 May 2009 - 05:08 AM


#8 Synack

  • New Member
  • Group: New Members
  • Posts: 1
  • Joined: 01-August 09

Posted 01 August 2009 - 10:17 PM

I figured since it took me forever to put this together I'd share it.
from ctypes import *
import win32defines
import win32process
import win32gui
import struct
import time

SigScan = cdll.SigScan      # SigScan.dll from the zip, placed next to this script
kernel32 = windll.kernel32

# Signatures to resolve at startup; "address" is filled in by the scan.
# (Python 2 code: on Python 3 the signature string would have to be passed as bytes.)
addresses = {"gameTime" : {"sigArg1" : "b0015ec390518b4c24088d4424005068",
                           "sigArg2" : 36,
                           "address" : None,
                           "size"    : 32
                          },
            }

class ClientApp:
    def __init__(self, windowName, moduleName):
        ## Get the window handle and pid
        self.hwnd, self.pid = self.getHwndPID(windowName)

        ## Initialize the sigscan dll
        SigScan.InitializeSigScan(self.pid, moduleName)

        ## Find all the addresses registered
        for key in addresses.keys():
            addresses[key]["address"] = SigScan.SigScan(addresses[key]["sigArg1"], addresses[key]["sigArg2"])
        ## Allow the scanner to clean up
        SigScan.FinalizeSigScan()
        self.__updateTime()
        print(time.gmtime(self.gameTime))

    def __updateTime(self):
        ## UTCTime lives 0xC past the signature hit (see Aikar's list above)
        self.gameTime = self.ReadInteger(addresses["gameTime"]["address"] + 0xC)
        return self.gameTime

    def ReadBytes(self, address, bytes=4):
        ## Read raw bytes out of the target process
        buffer = create_string_buffer(bytes)
        bytesRead = c_ulong(0)
        bufferSize = bytes

        h = kernel32.OpenProcess(win32defines.PROCESS_VM_READ, False, self.pid)
        try:
            kernel32.ReadProcessMemory(h, address, buffer, bufferSize, byref(bytesRead))
        finally:
            kernel32.CloseHandle(h)
        string = buffer.raw
        return string

    def ReadInteger(self, address):
        string = self.ReadBytes(address, 4)
        number = struct.unpack('<i', string)[0]
        return number

    def ReadEight(self, address):
        string = self.ReadBytes(address, 8)
        number = struct.unpack('<q', string)[0]
        return number

    def ReadLong(self, address):
        return self.ReadInteger(address)

    def ReadFloat(self, address):
        string = self.ReadBytes(address, 4)
        number = struct.unpack('<f', string)[0]
        return number

    def ReadString(self, address, bytes):
        ## Return the bytes up to the first NUL terminator
        buffer = self.ReadBytes(address, bytes)
        i = buffer.find('\x00')
        if i != -1:
            return buffer[:i]
        else:
            return buffer

    def ReadAddress(self, address):
        ## Pointer-sized unsigned read; use this for the "double pointer" signatures
        string = self.ReadBytes(address, 4)
        decimal_address = struct.unpack('<I', string)[0]
        return decimal_address

    def getHwndPID(self, winName):
        hwnd = win32gui.FindWindowEx(0, 0, 0, winName)
        pid = win32process.GetWindowThreadProcessId(hwnd)[-1]
        if pid > 0:
            return (hwnd, pid)
        raise RuntimeError("window not found: %s" % winName)

Looks like I can't edit my post? Damn tab spacing... Anyway, there are some indenting issues in my copy-paste, but it's an example of a Python implementation of SigScan.dll. It's using the DLL prebuilt in the zip.

#9 Jimmythegreat

  • Advanced Member
  • PipPipPipPip
  • Group: Members
  • Posts: 261
  • Joined: 28-December 06
  • Gender:Male

Posted 04 January 2010 - 06:37 PM

Slight error in the vb_example file:

Declare Sub InitializeSigScan Lib "SigScan.dll" (ByVal PID As UInt32, <MarshalAs(UnmanagedType.LPStr)> ByVal szModule)
should be:
Declare Sub InitializeSigScan Lib "SigScan.dll" (ByVal PID As UInt32, <MarshalAs(UnmanagedType.LPStr)> ByVal szModule As String)
PL Assist - Inactive Development
FFXI Party Window - Inactive Development
Job Assist - Inactive Development
JimmyTheGreat UI Mods - Inactive Development

#10 Yonko

  • Jedi Grandmaster
  • PipPipPipPipPipPipPipPipPipPip
  • Group: Members
  • Posts: 1846
  • Joined: 09-January 07
  • Gender:Male
  • Location:Lowell Ma
  • Name: Yonko
  • Server: Shiva
  • Jobs: Depends on the day
  • Race: Mithra
  • Linkshell: WorthlessLS

Posted 04 January 2010 - 08:14 PM

Found the currently selected itemID, thanks to tavik:
SigScan("668b56208d4e2c518b0dXXXXXXXX52e8cf9a", 0); //double pointer and need to add an offset of 0x24 to the second read

It might be part of a structure but not sure.

This post has been edited by Yonko: 04 January 2010 - 08:16 PM

for issues with spellcast xml get these 2 things should help
notepad ++
http://notepad-plus....net/uk/site.htm
with the xml tools
http://notepad-plus.sourceforge.net/commun...XMLTools_46.zip

#11 Alzade

  • Padawan
  • PipPip
  • Group: Members
  • Posts: 31
  • Joined: 09-October 09
  • Gender:Male
  • Name: Alzade
  • Server: Lakshmi
  • Jobs: THF -- PLD -- RNG -- BLM
  • Race: Elvaan Male
  • Linkshell: SearchanDestroy

Posted 02 December 2010 - 01:29 AM

I'm a big nub when it comes to this stuff, but is there any way to use this in a Visual Studio 2010 project? When I try to compile in release mode it complains that the SigScanStatic.lib was compiled using an older compiler and won't let me continue.

#12 Aikar


Posted 03 December 2010 - 08:45 PM

The source was included, you could compile it yourself.

#13 cra0

  • New Member
  • Group: New Members
  • Posts: 1
  • Joined: 30-April 13

Posted 06 May 2013 - 10:02 AM

I can't seem to get SigScan to return the mem location

Using this 3981????0FB789F4000000

it always returns a 0

I'm not sure if that is correctly structured.

#14 Iryoku

  • Jedi
  • PipPipPipPipPipPipPip
  • Group: +Plugin Developers
  • Posts: 709
  • Joined: 07-November 08
  • Gender:Male
  • Name: Iryoku
  • Server: Quetzalcoatl
  • Jobs: PLD99 MNK99 SMN99
  • Race: Elvaan Male

Posted 14 May 2013 - 05:45 AM

You need four more question marks. The sig should be "3981????????0FB789F4000000". Though in this case, I'm not sure using wildcards for those bytes makes sense; they look pretty constant to me. Also that's probably not going to get you the value you want. It will return 0xB70F18EB. If you're expecting to get 0x00477816 then you want your sig to be "##3981F40000000FB789F4000000".
