help with okapi
Hi, I have the free IDA Pro, but I HAVE NO IDEA how to find signatures for okapi. Can someone show an example?
- Which .dll/.so file do I have to open to search for signatures?
- How do I do the search?
- Any examples, please?
Re: help with okapi
There are a few tutorials throughout the forum; one can't tell you much more than what is already written there.
Re: help with okapi
Can you post some links? I'm too much of a newbie, so I really can't discern what I'm looking for.
Re: help with okapi
Only a handful of people know how to use it. Arkshine and Hamlet know it, as well as a few others around here. I personally never got around to it; I preferred Orpheu. Maybe I'll try it some day.
Module: https://forums.alliedmods.net/showthread.php?t=234986 (follow the tutorial there very closely)
Tree maps: https://forums.alliedmods.net/showthread.php?t=250479
Offset usage: https://forums.alliedmods.net/showthread.php?t=250166
Changing an Orpheu plugin to Okapi: https://forums.alliedmods.net/showthread.php?t=250178
(Also useful) How to make a signature of bytes (Orpheu): https://forums.alliedmods.net/showthread.php?t=147998
Re: help with okapi
Hornet: tree maps are deprecated, as it turned out they don't work as expected (IIRC).
Re: help with okapi
Yes, I've already read about this; I'm focusing on working with byte signatures.
Edit: OK, I have this function: PHP Code:
Q2 - Which native should I use to hook the function and print a debug message?
Re: help with okapi
With the above info, I've tried something like this and had no success. Can someone take a look?
PHP Code:
Re: help with okapi
Please note that okapi has a memory leak somewhere. I noticed it only when hooking virtual functions under Linux. Until Arkshine decides to fix the module, you can only hope that you don't do something that will cause the crash.
Also, treemap will be removed; I remember Arkshine saying that they are not as reliable as we thought at the beginning.

Now, about your question: to find the function you need its symbol for Linux and a signature of bytes for Windows, for most functions. But the BuyTouch function is exported, which means that on Windows it has a name; it's not called sub_*****. So for this kind of function a signature is not needed; you can still use a symbol, as for Linux.

1. On Linux the function is easy to find. Open cs.so with IDA and search for its name. The right symbol is:
Code:
_ZN8CBuyZone8BuyTouchEP11CBaseEntity

You will find this symbol:
Code:
?BuyTouch@CBuyZone@@QAEXPAVCBaseEntity@@@Z

Just for the sake of it, I'll show you how to make a signature for this function. I don't know where you got that signature from, but it's wrong. Load mp.dll in IDA (if you didn't already), go to Options -> General and in the right panel, at "Number of opcode bytes", put 10. Go back to IDA View-A; you should see something like this:
Code:
.text:100C0AC0 56 push esi

So, for example, 8B 74 24 08 becomes 8B ? ? ?. Let's do this:
PHP Code:
In IDA go to Search -> Sequence of bytes, paste, and search. You'll get something like:
Code:
Address Function Instruction
PHP Code:
Code:
0x56,0x8B,0xDFF,0xDFF,0xDFF,0x57,0x8B,0xDFF,0x8B,0xDFF,0x8B,0xDFF,0xFF,0xDFF,0xDFF,0xDFF,0xDFF,0xDFF,0x85,0xDFF,0x74,0xDFF,0x8B,0xDFF,0xDFF,0x8B,0xDFF,0xDFF,0xDFF,0xDFF,0xDFF,0x85,0xDFF,0x74

Now that we've found the function, let's create a plugin for hooking it.
PHP Code:
On Linux functions have names, so we can identify them by a symbol. On Windows very few functions have names; the others are called sub_****. In this case BuyTouch is one of the few named functions, so a signature is not needed; we can do it easily with a symbol, same as for Linux.

Now, the next thing that you'll see is that I used okapi_build_method instead of okapi_build_function. okapi is a bit harder to use than orpheu due to that. okapi_build_function should be used for functions with no class (i.e. not CSomething::FunctionName; they are called only FunctionName, for example InstallGameRules). okapi_build_method is used for functions that are part of a class. Let's look here: https://github.com/s1lentq/ReGameDLL...gers.cpp#L1748
Code:
void CBuyZone::BuyTouch(CBaseEntity *pOther)

The first argument is the address, which we retrieved from the symbol. The second argument is the return value of the function; since it's "void", we use arg_void. The third argument is the type of the class; since it's CBuyZone and we know a buyzone is an entity, we can safely say it's the same as CBaseEntity, which in okapi is represented by arg_cbase. The next parameters for okapi_build_method are the parameters of the function that you need to hook. Look again at the link: the param is CBaseEntity *pOther, so again arg_cbase.

I said that okapi is harder to use because orpheu would have added the class param internally for you, based on the file that you provide. So the first arg_cbase is not needed while working with orpheu; it does that automatically.

But, again, for the sake of it, let's assume that this function would not have a name, so we have to hook it from a signature.
PHP Code:
Ask anything that's not clear.
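The wildcarding step Hamlet describes above (keep the opcode byte, replace the operand bytes with ? in IDA and 0xDFF in okapi, so 8B 74 24 08 becomes 8B ? ? ?) is mechanical, and this is an added example that automates it; it is not code from the post or from the okapi module. It parses IDA's opcode-bytes view, emits both the IDA "Search -> Sequence of bytes" string and the okapi-style array, and counts how many times the pattern matches in an image, which is the check a signature needs before it goes into a plugin: a pattern with more than one hit will resolve the wrong function. The listing in SAMPLE_LISTING and the image built by sample_image() are constructed test data (valid x86 encodings, but not the real BuyTouch bytes from mp.dll), and keeping both bytes of a 0F xx opcode is my addition to the rule in the post.

```python
"""Turn an IDA opcode-bytes listing into a wildcarded byte signature.

Added example (not code from the forum post or from okapi).  Applies the
rule described in the post -- keep the opcode byte, wildcard the operand
bytes, so "8B 74 24 08" becomes "8B ? ? ?" -- and emits both the IDA
"Search -> Sequence of bytes" string and the okapi-style array (0xDFF =
any byte).  It then counts matches in an image so a signature that is not
unique is caught before it is pasted into a plugin.  SAMPLE_LISTING and
sample_image() are constructed test data, not bytes from mp.dll.
"""
import re

WILDCARD = 0xDFF  # okapi's "any byte" marker, as used in the post's signature

# IDA listing line with the opcode bytes column shown, e.g.
# ".text:100C0AC0 56 8B 74 24 08    mov     esi, [esp+8]"
LISTING_RE = re.compile(
    r"^\S+:(?P<addr>[0-9A-Fa-f]+)\s+(?P<bytes>(?:[0-9A-Fa-f]{2}\s+)+)(?P<asm>\S.*)$"
)


def parse_listing(text):
    """Return [(address, raw_bytes, asm_text)] for each instruction line."""
    insns = []
    for line in text.strip().splitlines():
        m = LISTING_RE.match(line.strip())
        if not m:
            raise ValueError("unparsable listing line: %r" % line)
        insns.append((int(m["addr"], 16), bytes.fromhex(m["bytes"]), m["asm"].strip()))
    return insns


def build_signature(insns, keep_bytes=None):
    """Keep the first opcode byte of every instruction, wildcard the rest.

    Two-byte 0F xx opcodes keep both bytes (my addition to the post's rule).
    keep_bytes maps address -> number of leading bytes to keep, for the
    cases where a ModRM or immediate byte should survive to stay unique."""
    sig = []
    for addr, raw, _asm in insns:
        default = 2 if raw[0] == 0x0F else 1
        keep = (keep_bytes or {}).get(addr, default)
        sig.extend(raw[:keep])
        sig.extend([WILDCARD] * (len(raw) - keep))
    return sig


def to_ida_pattern(sig):
    """String to paste into IDA's Search -> Sequence of bytes dialog."""
    return " ".join("?" if b == WILDCARD else "%02X" % b for b in sig)


def to_okapi_array(sig):
    """Pawn array literal in the form used by the post's okapi signature."""
    return "{" + ",".join("0xDFF" if b == WILDCARD else "0x%02X" % b for b in sig) + "}"


def find_all(image, sig):
    """Offsets where sig matches image; a usable signature has exactly one."""
    n = len(sig)
    return [
        off
        for off in range(len(image) - n + 1)
        if all(b == WILDCARD or image[off + i] == b for i, b in enumerate(sig))
    ]


# Constructed listing: valid x86 encodings, but not the real BuyTouch.
SAMPLE_LISTING = """
.text:00401000 56             push    esi
.text:00401001 8B 74 24 08    mov     esi, [esp+8]
.text:00401005 57             push    edi
.text:00401006 8B F9          mov     edi, ecx
.text:00401008 8B 06          mov     eax, [esi]
.text:0040100A FF 50 04       call    dword ptr [eax+4]
.text:0040100D 85 C0          test    eax, eax
.text:0040100F 74 1A          jz      short loc_40102B
"""


def sample_image():
    """Fake .text section: the sample function, then a second function that
    differs only in operand bytes, separated by int3 padding.  The wildcarded
    signature hits both; the exact bytes hit only the first."""
    insns = parse_listing(SAMPLE_LISTING)
    func_a = b"".join(raw for _, raw, _ in insns)
    func_b = func_a.replace(b"\x8B\x74\x24\x08", b"\x8B\x74\x24\x0C")  # [esp+0Ch]
    func_b = func_b.replace(b"\x8B\xF9", b"\x8B\xFA")                  # mov edi, edx
    pad = b"\xCC" * 64
    return pad + func_a + pad + func_b + pad


def demo():
    """Build both output forms and report how often each matches the image."""
    insns = parse_listing(SAMPLE_LISTING)
    sig = build_signature(insns)
    exact = [b for _, raw, _ in insns for b in raw]
    image = sample_image()
    return {
        "ida": to_ida_pattern(sig),
        "okapi": to_okapi_array(sig),
        "wildcard_hits": find_all(image, sig),
        "exact_hits": find_all(image, exact),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-14s %s" % (key, value))
```

Copy the lines from IDA View-A with the opcode-bytes column enabled (as the post says, Options -> General, "Number of opcode bytes"), run the script, paste the "ida" string into Search -> Sequence of bytes, and use the "okapi" array as the signature in the plugin. The constructed image shows the failure mode the hit count is there for: the wildcarded pattern matches both functions, because the rule drops the ModRM and displacement bytes that told them apart, while the exact bytes match once. When that happens on a real mp.dll, extend the listing by a few instructions or pass keep_bytes for one address so a distinguishing byte is kept.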
Re: help with okapi
HOLY SHIT, I was waiting for you, Hamlet, for 2 days. Where were you? :P :)
OK, I'm going to study your reply a little and come back with an answer. Thank you so much. I think this thread will be quite resourceful for newbies like me.
Re: help with okapi
I have wanted for a long time to write a thread about this stuff, something simple that beginners can understand, some steps that anyone can do. But I never got the time and the motivation to do so.