AlliedModders


Natsheh 02-26-2021 10:00

[ORPHEU] How to identify windows signatures ??
 
So far I've found a random signature on Windows; the problem is I am encountering a crash when that function is called, which is called on firing a weapon or something.

Function name on windows "sub_100CE920"

signature


Outputs :-
Code:

L 02/26/2021 - 16:18:37: 0.64 0.34 0.25 0.01 3.50 2.25 7
L 02/26/2021 - 16:27:25: 1.50 0.44 0.22 0.05 6.50 2.50 7
L 02/26/2021 - 16:51:21: 1.00 0.44 0.28 0.04 3.75 3.00 7
L 02/26/2021 - 16:54:10: 1.10 0.50 0.30 0.05 4.00 3.00 8
L 02/26/2021 - 16:55:46: 0.89 0.44 0.25 0.03 3.50 2.75 7

Edit: Lmao, I just found the KickBack function from Arkshine's thread without even noticing it was the same as the example.

Although I would like to know how you can tell what the function's purpose is from Windows signatures, and how many parameters it takes?

klippy 02-26-2021 11:32

Re: [ORPHEU] How to identify windows signatures ??
 
You can do a signature search in disassembly programs like IDA. Although you still won't know exactly what that function is as there's no debug info, it can possibly help you if it references any string literals. You could search the source code with those.

Natsheh 02-26-2021 12:13

Re: [ORPHEU] How to identify windows signatures ??
 
Yes, IDA is what I've used to disassemble.

HamletEagle 02-26-2021 12:32

Re: [ORPHEU] How to identify windows signatures ??
 
Usually, you don't just go in IDA, look at Windows functions and figure out what they are from the assembly (possible, but hard and requires experience). The usual workflow is you look at a project such as regamedll, figure out which function you need to find (depending on what you want to do), then search for it in the Windows DLL.

How to do that? You look in the regamedll source code to see if it contains strings. If it does, you search in IDA by that string and identify the function. You can compare the output with the output from disassembling the Linux binary (it contains debug symbols, so you can search functions by their name).
If the function doesn't use strings, you check where it is used (which functions call the function you want to find). Then, keep doing that until at least one function in the chain contains a string. Search by that string and work your way up the function call chain until you find yours.

For parameters/return type you can look at regamedll. Don't forget that some functions may be virtual (you don't need a signature for them). In this case, use a tool like https://asherkin.github.io/vtable/

Use regamedll carefully, it is not a 1 to 1 match with the official binary.

Natsheh 02-26-2021 13:00

Re: [ORPHEU] How to identify windows signatures ??
 
I think in order to create windows signatures I must first understand how assembly works and how addresses are referenced.

Bugsy 02-26-2021 13:30

Re: [ORPHEU] How to identify windows signatures ??
 
I don't think you need to know assembly, just follow the tutorial that I think Arkshine wrote, it's pretty straightforward.

Natsheh 02-26-2021 14:37

Re: [ORPHEU] How to identify windows signatures ??
 
That's actually what I did, but he didn't explain properly how he managed to obtain and recognize the Windows signature.

But I will surely use the regamedll engine as a reference, despite knowing the signatures will differ from the regular gamedll.

HamletEagle 02-26-2021 15:30

Re: [ORPHEU] How to identify windows signatures ??
 
Quote:

Originally Posted by Natsheh (Post 2738421)
That's actually what I did, but he didn't explain properly how he managed to obtain and recognize the Windows signature.

But I will surely use the regamedll engine as a reference, despite knowing the signatures will differ from the regular gamedll.

You are missing the point. Again, you do not go into the Windows DLL, just look at random functions and figure out what they do. Do not do that, you are approaching the problem from the wrong end.
Figure out what plugin you want to do, check regamedll (not the dll files, the source code on github https://github.com/s1lentq/ReGameDLL...regamedll/dlls), understand the game functions that are related to what you want to do. Check the source code from regamedll to see if the function is using strings or not (see my previous post about what to do if they have/do not have strings).
Then you just build a signature of bytes for your function and do whatever you want to do with it. You can press F5 in IDA to get a C code translation from the assembly; it will help you see if you got the right function.

You don't need to know assembly to be able to use orpheu.

I could write a step by step tutorial about how to identify functions(with examples). Wanted to write one for a long time, but figured no one would be interested.
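
Added example (not written by any poster in this thread, and not Orpheu's code or file format): a sketch of the "build a signature of bytes" step from the post above, extended to wildcard the bytes that differ between two builds of a function and to keep the shortest prefix that matches exactly once in the image. The byte strings, the `?` wildcard notation and every function name here are constructed for illustration.

```python
from typing import List, Optional

Sig = List[Optional[int]]  # None marks a wildcard byte

def parse_sig(text: str) -> Sig:
    """Parse 'AA BB ? CC' into byte values; '?' (or '??') is a wildcard."""
    return [None if t in ("?", "??") else int(t, 16) for t in text.split()]

def format_sig(sig: Sig) -> str:
    return " ".join("?" if b is None else f"{b:02X}" for b in sig)

def find_all(image: bytes, sig: Sig) -> List[int]:
    """Every offset in image where sig matches, wildcards matching any byte."""
    n = len(sig)
    return [i for i in range(len(image) - n + 1)
            if all(s is None or image[i + j] == s for j, s in enumerate(sig))]

def diff_sig(a: bytes, b: bytes) -> Sig:
    """Wildcard each byte that differs between two builds of one function
    (typically call displacements and absolute addresses)."""
    return [x if x == y else None for x, y in zip(a, b)]

def shortest_unique(image: bytes, sig: Sig, min_len: int = 4) -> Optional[Sig]:
    """Shortest prefix of sig with exactly one match in image, else None.
    Zero or several matches means the scan could resolve to the wrong function."""
    for n in range(min_len, len(sig) + 1):
        if len(find_all(image, sig[:n])) == 1:
            return sig[:n]
    return None

# Constructed sample bytes (not taken from any real DLL).
# sub esp,10h / push esi / mov esi,ecx / call rel32 / mov eax,[esi+8] / ret
FUNC_V1 = bytes.fromhex("83 EC 10 56 8B F1 E8 11 22 33 44 8B 46 08 C3")
FUNC_V2 = bytes.fromhex("83 EC 10 56 8B F1 E8 55 66 77 88 8B 46 08 C3")
# A different function sharing the same prologue (reads [esi+0Ch] instead).
OTHER = bytes.fromhex("83 EC 10 56 8B F1 E8 AA BB CC DD 8B 46 0C C3")
IMAGE = b"\xCC" * 8 + OTHER + b"\xCC" * 4 + FUNC_V2 + b"\xCC" * 8

if __name__ == "__main__":
    sig = diff_sig(FUNC_V1, FUNC_V2)
    print("full signature :", format_sig(sig))
    print("prologue only  :", find_all(IMAGE, sig[:8]))  # ambiguous: two hits
    best = shortest_unique(IMAGE, sig)
    print("shortest unique:", format_sig(best), "at", find_all(IMAGE, best))
```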

Natsheh 02-26-2021 15:53

Re: [ORPHEU] How to identify windows signatures ??
 
Yeah, I was misleading; I meant I'll check the regamedll engine code, not the assembly code.

Bugsy 02-26-2021 16:16

Re: [ORPHEU] How to identify windows signatures ??
 
I created a tool that would create a signature by just pasting the IDA code into it, but didn't bother making it pretty because I didn't think there was a large enough audience.

