HEX Search patterns

[kLabMouse]

I'll post in this thread some useful HEX Patterns to make our work a little bit more easy.

First, I'll start with Packet 0x0097 check:

PM Packet [ 0x0097 ] (Extended, additional 'int Flag' added):

Code: Select all

89 4D ?? 57 8D 73 04 B9 06 00 00 00 8D 7D ?? F3 A5 8D 45 ?? B9 ?? ?? ?? ?? 50 C6 45 ?? ?? E8 ?? ?? ?? ?? 85 C0 74 0B 8B ?? ?? 85 C0 0F ?? ?? ?? ?? ??

PM Packet [ 0x0097 ] (Normal):

Code: Select all

89 4D ?? 57 8D 73 04 B9 06 00 00 00 8D 7D ?? F3 A5 8D 45 ?? B9 ?? ?? ?? ?? 50 C6 45 ?? ?? E8 ?? ?? ?? ?? 85 C0 0F ?? ?? ?? ?? ??

[Technology]

nice, so in IDA you can just use 'search sequence of bytes' on the hex view searching for:

Code: Select all

89 4D ? 57 8D 73 04 B9 06 00 00 00 8D 7D ? F3 A5 8D 45 ? B9 ? ? ? ? 50 C6 45 ? ? E8 ? ? ? ? 85 C0 74 0B 8B ? ? 85 C0 0F ? ? ? ? ?

[kLabMouse]

Patterns to search for 'magic' functions inside binaries (Used for Debugging, and Analysis work on new Additions)

Guide:
[...] -- Optional data (exist in latest binaries).
N:(...) -- Numbered Entry

; const CGameMode::'vftable'
??_7CGameMode@@6B@:

Code: Select all

00 00 20 41 1:(?? ?? ?? ??) 2:(?? ?? ?? ??) 3:(?? ?? ?? ??] 4:(?? ?? ?? ??) 5:(?? ?? ?? ??) [?? ?? ?? ??] 6:(?? ?? ?? ??) 7:(?? ?? ?? ??) [00 00 50 41] 00 00 34 42 00 00 34 C2

1: ??_ECGameMode@@UAEPAXI@Z
2: ?OnRun@CGameMode@@UAEHXZ
3: ?OnInit@CGameMode@@UAEXPBD@Z
4: ?OnExit@CGameMode@@UAEXXZ
5: ?OnUpdate@CGameMode@@UAEXXZ
6: ?SendMsg@CGameMode@@UAEHHHHH@Z
7: ?OnChangeState@CGameMode@@EAEXH@Z

======== cut here ========

; const CLoginMode::'vftable'
??_7CLoginMode@@6B@:

Code: Select all

00 00 70 41 D8 0F 49 40 1:(?? ?? ?? ??) 2:(?? ?? ?? ??) 3:(?? ?? ?? ??) 4:(?? ?? ?? ??) 5:(?? ?? ?? ??) [?? ?? ?? ??] 6:(?? ?? ?? ??) 7:(?? ?? ?? ??) D8 0F 49 40

1: ??_ECLoginMode@@UAEPAXI@Z
2: ?OnRun@CLoginMode@@UAEHXZ
3: ?OnInit@CLoginMode@@UAEXPBD@Z
4: ?OnExit@CLoginMode@@UAEXXZ
5: ?OnUpdate@CLoginMode@@UAEXXZ
6: ?SendMsg@CLoginMode@@UAEHHHHH@Z
7: ?OnChangeState@CLoginMode@@EAEXH@Z

Notes:
To find *::PollNetworkStatus(void) functions, we need to look at *::OnUpdate(void)
there is 2 direct calls inside ther first few asm commands
the first one is:
?CheckSystemMessage@@YAXXZ ; CheckSystemMessage(void)
and the second one is:
?PollNetworkStatus@CGameMode@@AAEXXZ ; CGameMode::PollNetworkStatus(void)
?PollNetworkStatus@CLoginMode@@AAEXXZ ; CLoginMode::PollNetworkStatus(void)
Depending on what 'vftable' we are looking at.

[kLabMouse]

Check for 0x02b5 Internal Struct len:

Mission Hunt Packet [ 0x02b5 ] (Extended, internal len 12):
0F BF 51 02 83 EA 06 B8 ?? ?? ?? ?? F7 E2 8B 75 FC 83 C7 0C 46 C1 EA 03 3B F2 89 75 FC 0F ?? ?? ?? ?? ?? 5E 5B

Mission Hunt Packet [ 0x02b5 ] (Normal, internal len 10):
0F BF 51 02 83 EA 06 B8 ?? ?? ?? ?? F7 E2 8B 75 FC 83 C7 0A 46 C1 EA 03 3B F2 89 75 FC 0F ?? ?? ?? ?? ?? 5E 5B

[kLabMouse]

Check EQUIPMENTITEM_EXTRAINFO3 len (packets: 0x02d0, 0x02d1, 0x02d2):

EQUIPMENTITEM_EXTRAINFO3 Struct [0x02d0, 0x02d1, 0x02d2] (Extended, len 28):
8B 45 08 83 C6 1C 48 89 5D C4 89 5D C8 89 5D ?? 89 45 08 0F ?? ?? ?? ?? ?? 5F

EQUIPMENTITEM_EXTRAINFO3 Struct [0x02d0, 0x02d1, 0x02d2] (Normal, len 26):
8B 45 08 83 C6 1A 48 89 5D C8 89 5D CC 89 5D ?? 89 45 08 0F ?? ?? ?? ?? ?? 5F

[Technology]

nice kLab, would it be hard to get this for all (dynamic len) packets?
And would the hex string stay the same for all EXE's?

[kLabMouse]

nice kLab, would it be hard to get this for all (dynamic len) packets?
And would the hex string stay the same for all EXE's?

Donno if it's possible. I need at least 2 EXE's that have different inner struct len.