nyet,

In my quest to get proper signature matching working i've started to re-write Andy's ME7 IDA Plug-in, close to having something now that could be used to match signatures without recompiling any code. See the IDA Plugin thread here;
http://nefariousmotorsports.com/forum/index.php?topic=35.msg29602#new

This got me thinking though, and the best way to do signatures is via (you've guessed it) an external config file. This way it can also identify map locations too so later we can integrate all of these functions into an ME7 'busybox' style tool which can also do map editing, reversing of functions, etc. fully self contained from the xterm. Its ambitious but it wouldn't be too much of a stretch to get this working brilliantly for multiple purposes.

T

nyet,

Watch this space on masking 
 
I have been experimenting and you can make 'automatic' masks based on a big instruction table being defined of all valid instructions with all relative addresses being masked in the table so every time it identifies a menomic it knows what mask to apply by looking it up in the table! this means any byte sig will work with it unmodified as it knows where to apply masks automatically!

So two things are holding me back right now: detecting CRC offsets in those allroad files (AA, R, S) and the ferrari bin

Also, any opinions on detecting the position of the EPK, software/hardware revisions, etc? should i just search for known strings?

eg:

EPK - sesarch for ME7.x
PartNUmber - search for 551 (wont work for ferrari)
EngineId - search for 2.7l (wont work for ferrari)
SWversion - ?? just offset from EngineID?
HWnumber/SWnumber - search for 1037

obviously a more generalizable way is preferable... or is it just not important?

Also, at this point it would be really great to get a few testers on board, preferably people who can use git and know how to compile... I dont think im ready to post .exes...

or should i?

v0.0.4

WARNING! BACK UP ALL BINARIES BEFORE USING THIS  

http://nyet.org/cars/files/me7sum-v0.0.4.zip

ETA: v0.0.3 had a bad bug. please dload v0.0.4 ..

If i am going to make a database of exception patterns, and i can more reliably and generally find the ids/versions than I can find, say CRC offsets, then I can use the result of that pattern match to look up the id in a database to tell me either what pattern to use for that id, or what hardcoded offsets to use.

Also, if i need to make a whitelist or a blacklist.

based on the files posted here:

http://nefariousmotorsports.com/forum/index.php?topic=1002.0

There appear to be two differences that are new to me

there is a large block at 16a8a-16b09 (128 bytes). i guess thats the RSA stuff he talks about

there is a LL HH pair at aa46e and aa472 that is changed... must be a crc location, but its different from ME7.1 because its split into two short words rather than contiguous LLHH

Unfortunately, i'd need a file that is changed in more places to see if there are patterns (i.e more than one CRC is "wrong")

PLEASE, i'd love to get more help

either way its a dead end until somebody has access to a version of winols (or checksum fixer) that can do BEL and can help me .. basically, change a bunch more stuff and see what the checksum routines try to fix.

Have a go at this.  It's fairly significantly changed from the CS corrected file I run.  Let me know if you need still more changes.

Here's range No. 4. I hope, anyway.