AlliedModders - [ANY-dev] Raw Entity Dump

DO NOT INSTALL ON A LIVE SERVER

Here's a list of commands it registers. They're documented in more detail below...
- red_dump [entityIdx OR entityClassname] [endPosition] [filepathRelativeToServerGameDir] (startPosition)
- red_dump_key [entityIdx OR entityClassname] [endPosition] [keyId-OR-commandName] [filepathRelativeToServerGameDir] (startPosition)
- red_dump_floats [entityIdx OR entityClassname] [endPosition] [filepathRelativeToServerGameDir] (startPosition)
- red_diff [filename1] [filename2]
- red_exclude_diff [filename1] [filename2] [filename3] [excludeIdx (1-3)]
- red_find_value [entity] [endPosition] [value] [type]
- red_find_similar [entity] [endPosition] [knownNetProp] [type] [netClassname]

These commands which allow you to dump the raw data of an entity (or the first instance of an entity with a specific classname) to a file, as well as allowing diffing of the files you've dumped! You can also search for values...either a known value, or a value shared by a known network variable.

I was inspired to make this after seeing how wizards like voogru and FlaminSarge found all sorts of hidden props for various entities. Since I personally can't get a better way to do so up and running (i.e. I don't have a TF2 SDK with the sentry class) and I'm too VAC paranoid to use a program that reads memory, I figured getting a raw hex dump of entities would be the best way to go.

This plugin is only intended for a test server and it does not even do things like safe file path checking. Misuse could possibly crash a server. So don't blame me if you failed to read the giant text at the start of this thread.

USAGE
red_dump [entityIdx OR entityClassname] [endPosition] [filepathRelativeToServerGameDir] (startPosition)

EXAMPLES
red_dump 23 8770 tfplayer.dmp
red_dump obj_sentrygun 2832 tfsentry.dmp
red_dump obj_sentrygun 2832 tfsentry2.dmp 1000

Only tested in TF2 but I don't see why this wouldn't work on any Source game.
Also only tested with SM 1.5.X but it's probably good for many older versions.

HOW TO USE
So first you'll want to figure out the classname (NOT net classname) of whatever entity you want to discern state changes under normal circumstances for. I'll use obj_sentrygun of TF2 and a known net prop as an example. You need to have a current dump of all net props as well, so you can determine a good limit for reading an entity's data. (I think attempting to read beyond an entity's bounds may cause an error)

With obj_sentrygun, I saw that the highest offset was a 4-byte integer at position 2828:
Member: m_hAutoAimTarget (offset 2828) (type integer) (bits 21)
so I set my bytesToDump to 2832, though I could easily experiment with something higher if I wanted to. (there could be hidden props beyond 2832)

So I bound a couple keys on a server with just bots, went as engie with the Wrangler, and these are my two keybound commands:
red_dump obj_sentrygun 2832 tfsentry1.dmp
red_dump obj_sentrygun 2832 tfsentry2.dmp

I know the prop for a wrangled sentry is m_bPlayerControlled (offset 2780). I built a sentry and once it was complete, I did my first dump. Then when I wrangled the sentry, I did my second dump. I then opened both files in HxD (my favorite hex editor) and went to offset 2780. The difference couldn't be more clear:
http://www.pamelabowman.org/sm/red_dump.png

So if I wanted to find some hidden netprop, I could use HxD's diff feature, or a dedicated binary diff program, and figure out where my desired hidden prop is by dumping before and during the state change I want to emulate by code. :D

An optional parameter is (startPosition), which allows you to start at a specified offset instead of zero. You do not need to subtract this from total bytes -- this is already done for you...since your entity's upper limit probably won't change except when a new version of your game is released. Makes it more convenient.

ADDED IN VERSION 0.2
First of all, I fixed a bug with Windows where 0x0A and/or 0x0D was being output as 0x0A0D...forgot to use the "wb" file flags. Whoops.

Second, I've added two commands:
RED_DUMP_KEY
Usage: red_dump_key [entityIdx OR entityClassname] [endPosition] [keyId-OR-commandName] [filepathRelativeToServerGameDir] (startPosition)
Example: red_dump_key 23 8770 IN_RELOAD tfplayer.dmp
Example: red_dump_key 23 8770 taunt tfplayer2.dmp
Example: red_dump_key obj_sentrygun 2832 IN_ATTACK2 tfsentry.dmp
Example: red_dump_key obj_sentrygun 2832 IN_ATTACK tfsentry2.dmp 1000

What it does: It's similar to the above, except it creates three dumps. The first dump is made when the command is executed and outputs to the file listed. The second dump executes before a key is pressed or command is executed by the user who calls the command and appends .1 to the filename, i.e. tfsentry.dmp.1. The third dump executes in the next frame, and appends .2 to the filename. i.e. tf2sentry.dmp.2. Since the whole point of this plugin was to emulate how hidden props were found, and the example that inspired me (FlaminSarge's force sentry fire prop) could only be found in a very tiny timing window and was dependent on user input, may as well fill this gap.

An optional parameter is (startPosition), which allows you to start at a specified offset instead of zero. You do not need to subtract this from total bytes -- this is already done for you...since your entity's upper limit probably won't change except when a new version of your game is released. Makes it more convenient.

RED_DIFF
Usage: red_diff [filename1] [filename2]
Example: red_diff tfsentry1.dmp tfsentry2.dmp

What it does: It's a file differ! It'll print out diffs of bytes, shorts, ints, and floats at the current offset -and- up to three bytes before the current offset. It outputs to [filename1].cmp...so for the example it would output to tfsentry1.dmp.cmp. Here's some example output from where I just change a sentry's angle, since the big draw with this differ is getting floats (note: the forum stripped the formatting, but there is indentation in the real thing!):

Spoiler

Limitations: Max file size is 32kb. Also, both files must be the same size.

ADDED IN VERSION 0.3
Bugfixes and the addition of an optional parameter for start position for the dump commands. (edited the documentation above) Also added the following command:

RED_EXCLUDE_DIFF
Usage: red_exclude_diff [filename1] [filename2] [filename3] [excludeIdx (1-3)]
Example: red_exclude_diff tfsentry1.dmp tfsentry2.dmp tfsentry3.dmp 3

What it does: It's an unusual but useful diff involving three files. First, bytes of the files which haven't been excluded are compared. Then they're both diffed against the excluded file. If this byte is different in all three files, no analysis is made for this difference. The reason I made this was because of common spam entries like animations or position changes. If you make one dump in one state and two dumps in a different state, red_exclude_diff will get rid of a lot of entries you won't care about since it's unrelated to the state change you're trying to emulate. It makes finding the hidden props you want less time consuming.

ADDED IN VERSION 0.4
Bugfixes, the ability for red_dump_key to also listen for commands (edited the documentation above) and dumps with startPosition set will fill the unwanted bytes with periods so diffs have the correct offset. Also added the following command:

RED_DUMP_FLOATS
Usage: red_dump_floats [entityIdx OR entityClassname] [endPosition] [filepathRelativeToServerGameDir] (startPosition)
Example: red_dump_floats 23 8770 tfplayer.txt
Example: red_dump_floats obj_sentrygun 2832 tfsentry.txt
Example: red_dump_floats obj_sentrygun 2832 tfsentry2.txt 1000

What it does: It checks every offset from startPosition to (endPosition - 3) and writes it to a human-readable file as a float. It also shows the hex value for reference. It's useful if you have a sense of range (but not an exact value) for a hidden float you're trying to find.

RED_FIND_VALUE
Usage: red_find_value [entityIdx OR entityClassname] [endPosition] [value] [type]
Example: red_find_value 23 9814 180.0 float

What it does: It finds a specific value. Note that it obviously can't do real type checking, so it'll just find raw matches for the value and type's length. (1, 2, or 4) The result is printed to both your local console and the server console.

RED_FIND_SIMILAR
Usage: red_find_similar [entityIdx OR entityClassname] [endPosition] [knownNetProp] [type] [netClassname]
Example: red_find_similar 23 9814 m_flTauntYaw float CTFPlayer

What it does: It gets the value of a known netprop that you specify and then searches the entity for matching values. Note that it obviously can't do real type checking, so it'll just find raw matches for the value and type's length. (1, 2, or 4) The result is printed to both your local console and the server console.

RELEASE HISTORY/SOURCES
v0.4 (2014-06-30)
- Added red_dump_floats
- Added red_find_similar
- Added red_find_value
- red_dump_key now accepts commands as well as input keys, as the trigger for the second and third dumps.
- Changing the start position when doing a hex dump will now fill the skipped bytes with periods, so that when you go to diff them, your offsets will be correct. (and these bytes will not be counted in diffs since both files will have them the same)
- Minor bugfixes

v0.3 (2014-06-25)
- Added red_exclude_diff
- Added optional parameter to red_dump and red_dump_key for a start position.
- Fixed diff to print out offsets in decimal as well as hex, since sm_dump_netprops outputs in decimal.
- Fixed the usage printouts. (was calling everything red_dump lol)

v0.2 (2014-06-24)
- Added red_dump_key
- Added red_diff
- Fixed a glitch where 0x0A and/or 0x0D would be turned into windows newlines in the dump.

v0.1 (2014-06-04)
- Initial release