AlliedModders

AlliedModders (https://forums.alliedmods.net/index.php)
-   Code Snippets/Tutorials (https://forums.alliedmods.net/forumdisplay.php?f=83)
-   -   Orpheu: Searching for functions in libraries (https://forums.alliedmods.net/showthread.php?t=118934)

joaquimandrade 02-15-2010 20:49

Orpheu: Searching for functions in libraries
 
A library is a set of bytes. Millions of them. They can represent numbers, functions (in machine code), arrays, strings. This tutorial will try to explain how to find functions in libraries so you can use them.

Finding a function means locate its position in the library. What is normally called offset. It's the number of bytes that it takes to reach the function starting at the first byte of the library.

In libraries compiled by gcc (linux) offsets are labelled with symbolic names with which you can easily recognize what is located at that offset.

In libraries compiled by VC++ there aren't almost no labels so you have to resort to techniques like searching for strings in the library. That because you can easily relate strings to events like, if you see "Terrorists Win" being used you know that you are dealing with a function related to the round end.

Developing over this, the techniques we can use are:
  1. Finding functions by searching strings.
  2. After having found a function use it to find more functions like: if you know that a function calls yours or if yours calls another.
  3. Apply the steps above recursively :twisted:
To make the process easier you should do this with the help of the linux library.

So, grab the libraries of your mod for windows and linux.
Get "IDA Pro Disassembler" (not free).

For each library:

In IDA:

[IMG]http://img208.**************/img208/8749/12820721.png[/IMG]

Press New

If linux library:

[IMG]http://img694.**************/img694/1284/37280226.png[/IMG]

If windows library:

[IMG]http://img684.**************/img684/5552/cenasx.png[/IMG]

Locate the library and open it.

Press Ctrl + F5. This will open a dialog so you can chose where you want a file to be saved. This file is the decompiled version of your library (a feature of IDA that converts machine code back to C code (far from readable code and not exactly resembling the original but easier to inspect than machine code)).

In the decompiled version of the linux library you will have code like:
PHP Code:


//----- (000B3C10) --------------------------------------------------------
int __cdecl InstallGameRules()
{
  
int result// eax@2
  
int v1// eax@2
  
int v2// eax@3

  
(*(void (__cdecl **)(_DWORD))&g_engfuncs[156])("exec game.cfg\n");
  (*(
void (**)(void))&g_engfuncs[160])();
  if ( *(
float *)(gpGlobals 20) == 0.0 )
  {
    
v2 __builtin_new(708);
    
result __18CHalfLifeMultiplay(v2);
  }
  else
  {
    
v1 __builtin_new(728);
    
result __17CHalfLifeTraining(v1);
  }
  return 
result;


This is the function InstallGameRules where you can easily see the string "exec game.cfg\n" being used.

Now, searching it on the decompiled version of the windows library you can see:
PHP Code:

//----- (10088530) --------------------------------------------------------
int __cdecl sub_10088530()
{
  
long double v0// fst7@1
  
int v1// eax@2
  
int v3// eax@4

  
dword_101623DC("exec game.cfg\n");
  
dword_101623E0();
  
v0 = *(float *)(LODWORD(dword_101625B8) + 20);
  if ( 
v0 == 0.0 )
  {
    
v1 = (int)operator new(0x2E8u);
    if ( 
v1 )
      return 
sub_100C5EF0(v1v0);
  }
  else
  {
    
v3 = (int)operator new(0x2D0u);
    if ( 
v3 )
      return 
sub_10093D80(v3v0);
  }
  return 
0;


From observation you can easily see that you are dealing with the same function (with the bonus of being the only place where the string is located).

This means that at the offset 88530 in the windows binary of Counter Strike we have the function InstallGameRules. You can see that in the function pseudo-label "sub_10088530" (ignoring the sub_10). Since this number represents an hexadecimal number let's call it 0x88530.

Know to demonstrate the other technique let's search in the linux decompiled version of the library for InstallGameRules to find calls to it:
PHP Code:

//----- (0011163C) --------------------------------------------------------
int *__usercall CWorld__Precache<eax>(long double a1<st0>, int a2)
{
  
unsigned int v2// edi@8
  
__int16 v3// fps@15
  
long double v4// fst6@15
  
char v5// c0@15
  
char v6// c2@15
  
char v7// c3@15
  
int v8// eax@16
  
int v9// ecx@18
  
int v10// eax@19
  
int *result// eax@25
  
int v12// [sp-10h] [bp-58h]@16
  
float v13// [sp-Ch] [bp-54h]@16

  
g_pLastSpawn 0;
  
g_pLastCTSpawn 0;
  
g_pLastTerroristSpawn 0;
  (*(
void (__cdecl **)(_DWORDchar[4]))&g_engfuncs[240])("sv_gravity""800");
  (*(
void (__cdecl **)(_DWORDchar[4]))&g_engfuncs[240])("sv_maxspeed""900");
  (*(
void (__cdecl **)(_DWORD_DWORD))&g_engfuncs[240])("sv_stepsize""18");
  (*(
void (__cdecl **)(_DWORD_DWORD))&g_engfuncs[240])("room_type""0");
  if ( 
g_pGameRules )
    
__builtin_delete((void *)g_pGameRules);
  
g_pGameRules InstallGameRules(); 

You can see in the last line that the function InstallGameRules is called from CWorld__Precache (real name CWorld::Precache), so getting back into the decompiled version of the windows library:

Replace all ocurrences of sub_10088530 by InstallGameRules. Search for InstallGameRules.
PHP Code:

int __usercall sub_100DD350<eax>(int a1<ecx>, int a2<esi>, long double a3<st0>)
{
  
int v3// ebp@1
  
int v4// eax@3
  
int v5// esi@4
  
int v6// eax@6
  
int v7// ecx@7
  
int v8// eax@8
  
signed int v9// esi@17
  
int v10// eax@28
  
int v11// ecx@29
  
int result// eax@33
  
float v13// [sp-4h] [bp-10h]@25
  
signed int v14// [sp-4h] [bp-10h]@31

  
v3 a1;
  
dword_10162EFC 0;
  
dword_10163D00 0;
  
dword_10163D04 0;
  
dword_10162430("sv_gravity""800");
  
dword_10162430("sv_maxspeed""900");
  
dword_10162430("sv_stepsize""18");
  
dword_10162430("room_type"L"0");
  if ( 
dword_10162304 )
    
operator delete(dword_10162304);
  
dword_10162304 = (void *)InstallGameRules(); 

And we just found out CWorld__Precache (offset 0xDD350)

This is basically it. By applying this knowledge and your brain you can find almost any function.

Missing then are the types that the function use. You can check them by seeing the list of functions in the linux version of the library in IDA window Names. For the return type I don't know if there is simple way but you can always guess or check half life sdk when it makes sense.

For this case:

Code:

{
    "name" : "InstallGameRules",
    "library" : "mod",
    "return" :
    {
        "type" : "CHalfLifeMultiplay *"
    },
    "identifiers":
    [
        {
            "os" : "windows",
            "mod" : "cstrike",
            "value" : 0x88530
        }
    ]
}

This should now go into a file named InstallGameRules into the folder configs/orpheu/functions. (Remembered that if the function belonged to a class you would have to create a folder with the name of the class).

Know there is a thing. This offset is guaranteed to be always the same each time the library loads but that can easily not be true if the library gets updated. That's the reason that motivated the creation of a technique called signature scanning.

Signature scanning basically means: instead of provide an offset, provide a set of bytes that you can find at that offset (that represent the function). That set of bytes can easily have its location changed but as long as it exists as a block you can still search for it.

You can find more about that here. I might make an easier tutorial for it later.

ConnorMcLeod 02-16-2010 01:03

Re: Orpheu: Searching for functions in libraries
 
Another tut !!!
Any free software that can do the same job ?

wrecked_ 02-16-2010 01:19

Re: Orpheu: Searching for functions in libraries
 
From what I looked up about the program, it said the program was ~$500 USD. Is that the cheapest it gets?

*Restate Connor's Question*

01101101 02-16-2010 04:17

Re: Orpheu: Searching for functions in libraries
 
Download the free version.

joaquimandrade 02-16-2010 07:51

Re: Orpheu: Searching for functions in libraries
 
I have here in my pocket a free machine code decompiler that does this but I preferred doing the tutorial with this one.

No, I don't know of a free one. Search it by yourself and stop asking.

Doubts about the tutorial are welcome.

ConnorMcLeod 02-16-2010 12:13

Re: Orpheu: Searching for functions in libraries
 
Quote:

Originally Posted by joaquimandrade (Post 1090538)
Doubts about the tutorial are welcome.

Ofc it is !

Doc-Holiday 02-16-2010 14:17

Re: Orpheu: Searching for functions in libraries
 
What exactly can you do with that though

Or is that how ark is going to remove clamps on cvars?

Immortal_BLG 02-21-2010 00:52

Re: Orpheu: Searching for functions in libraries
 
How to possible to view the decompiled code in IDA pro free?

Arkshine 02-26-2010 05:57

Re: Orpheu: Searching for functions in libraries
 
You can't, since the decompiler is not included.

Doc-Holiday 02-28-2010 09:09

Re: Orpheu: Searching for functions in libraries
 
Quote:

Originally Posted by Arkshine (Post 1100848)
You can't, since the decompiler is not included.


how much is that pro version? i havent looked into it yet.


All times are GMT -4. The time now is 02:08.

Powered by vBulletin®
Copyright ©2000 - 2024, vBulletin Solutions, Inc.