Orpheu: Searching for functions in libraries
A library is a set of bytes. Millions of them. They can represent numbers, functions (in machine code), arrays, strings. This tutorial will try to explain how to find functions in libraries so you can use them.
Finding a function means locating its position in the library, which is normally called the offset. It's the number of bytes that it takes to reach the function starting at the first byte of the library. In libraries compiled by gcc (Linux), offsets are labelled with symbolic names with which you can easily recognize what is located at that offset. In libraries compiled by VC++ there are almost no labels, so you have to resort to techniques like searching for strings in the library. That's because you can easily relate strings to events: if you see "Terrorists Win" being used, you know that you are dealing with a function related to the round end. Developing over this, the techniques we can use are:
So, grab the libraries of your mod for Windows and Linux. Get "IDA Pro Disassembler" (not free). For each library:
In IDA: (screenshot)
Press New.
If Linux library: (screenshot)
If Windows library: (screenshot)
Locate the library and open it.
Press Ctrl + F5. This will open a dialog so you can choose where you want a file to be saved. This file is the decompiled version of your library (a feature of IDA that converts machine code back to C code; far from readable code and not exactly resembling the original, but easier to inspect than machine code).
In the decompiled version of the Linux library you will have code like:
Now, searching for it in the decompiled version of the Windows library you can see:
This means that at offset 88530 in the Windows binary of Counter-Strike we have the function InstallGameRules. You can see that in the function pseudo-label "sub_10088530" (ignoring the sub_10). Since this number represents a hexadecimal number, let's call it 0x88530. Now, to demonstrate the other technique, let's search the Linux decompiled version of the library for InstallGameRules to find calls to it:
Replace all occurrences of sub_10088530 with InstallGameRules. Search for InstallGameRules:
This is basically it. By applying this knowledge and your brain you can find almost any function. Missing then are the types that the function uses. You can check them by looking at the list of functions in the Linux version of the library in the IDA Names window. For the return type I don't know if there is a simple way, but you can always guess or check the Half-Life SDK when it makes sense. For this case:
Now there is a thing. This offset is guaranteed to always be the same each time the library loads, but that can easily not be true if the library gets updated. That's the reason that motivated the creation of a technique called signature scanning. Signature scanning basically means: instead of providing an offset, provide a set of bytes that you can find at that offset (that represent the function). That set of bytes can easily have its location changed, but as long as it exists as a block you can still search for it. You can find more about that here. I might make an easier tutorial for it later.
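As an added example (not code from the tutorial or from Orpheu), here is a minimal signature scanner of the kind the last paragraph describes, plus the IDA-name-to-offset conversion used above. The library image is a constructed byte string, not a real binary, and the signatures are made up to match it.

```python
# Added example, not part of the Orpheu tutorial.
# A signature is a hex byte pattern; "??" marks a byte that may change between builds
# (addresses fixed up by the linker, immediates), so the scanner ignores it.
import re
from typing import List, Optional

def parse_signature(sig: str) -> List[Optional[int]]:
    """"55 8B EC ?? 83" -> [0x55, 0x8B, 0xEC, None, 0x83]; None is a wildcard."""
    out: List[Optional[int]] = []
    for tok in sig.split():
        if tok in ("??", "?"):
            out.append(None)
        elif re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
            out.append(int(tok, 16))
        else:
            raise ValueError(f"bad signature token: {tok!r}")
    if not out or out[0] is None:
        raise ValueError("signature must start with a concrete byte")
    return out

def find_signature(image: bytes, sig: str) -> List[int]:
    """Return every offset in `image` where `sig` matches (empty list if none)."""
    pattern = parse_signature(sig)
    needle = bytes([pattern[0]])  # only scan positions where the first byte matches
    n, hits = len(pattern), []
    pos = image.find(needle)
    while pos != -1 and pos + n <= len(image):
        if all(b is None or image[pos + i] == b for i, b in enumerate(pattern)):
            hits.append(pos)
        pos = image.find(needle, pos + 1)
    return hits

def locate_function(image: bytes, sig: str) -> int:
    """A usable signature must match exactly once; anything else is an error."""
    hits = find_signature(image, sig)
    if len(hits) != 1:
        raise LookupError(f"signature {sig!r} matched {len(hits)} times: {hits}")
    return hits[0]

def ida_name_to_offset(name: str, image_base: int = 0x10000000) -> int:
    """'sub_10088530' with the default VC++ DLL base 0x10000000 -> 0x88530."""
    return int(name.split("_", 1)[1], 16) - image_base

# Constructed stand-in for a library: two prologues at 0x10 and 0x30 that differ only in
# the 'sub esp, N' immediate and in the (wildcarded) address bytes after push/call.
SAMPLE_IMAGE = (
    b"\x90" * 16
    + b"\x55\x8B\xEC\x83\xEC\x10\x68\x10\x20\x30\x40\xE8\xAA\xBB\xCC\xDD\x5D\xC3"
    + b"\xCC" * 14
    + b"\x55\x8B\xEC\x83\xEC\x20\x68\x50\x60\x70\x80\xE8\x11\x22\x33\x44\x5D\xC3"
    + b"\xCC" * 14
)
```

A signature of just the prologue bytes matches both functions, so it is too short to identify one; adding the distinguishing immediate and wildcarding the address bytes makes it unique and survive relocation.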
Re: Orpheu: Searching for functions in libraries
Another tut!!!
Any free software that can do the same job?
Re: Orpheu: Searching for functions in libraries
From what I looked up about the program, it said the program was ~$500 USD. Is that the cheapest it gets?
*Restate Connor's Question*
Re: Orpheu: Searching for functions in libraries
Download the free version.
Re: Orpheu: Searching for functions in libraries
I have here in my pocket a free machine code decompiler that does this but I preferred doing the tutorial with this one.
No, I don't know of a free one. Search it by yourself and stop asking. Doubts about the tutorial are welcome. |
Re: Orpheu: Searching for functions in libraries
What exactly can you do with that though?
Or is that how ark is going to remove clamps on cvars?
Re: Orpheu: Searching for functions in libraries
How is it possible to view the decompiled code in IDA Pro Free?
Re: Orpheu: Searching for functions in libraries
You can't, since the decompiler is not included.
Re: Orpheu: Searching for functions in libraries
How much is that pro version? I haven't looked into it yet.