A library is a set of bytes. Millions of them. They can represent numbers, functions (in machine code), arrays, strings. This tutorial will try to explain how to find functions in libraries so you can use them.
Finding a function means locate its position in the library. What is normally called
offset. It's the number of bytes that it takes to reach the function starting at the first byte of the library.
In libraries compiled by gcc (linux) offsets are labelled with symbolic names with which you can easily recognize what is located at that offset.
In libraries compiled by VC++ there aren't almost no labels so you have to resort to techniques like searching for strings in the library. That because you can easily relate strings to events like, if you see "Terrorists Win" being used you know that you are dealing with a function related to the round end.
Developing over this, the techniques we can use are:
- Finding functions by searching strings.
- After having found a function use it to find more functions like: if you know that a function calls yours or if yours calls another.
- Apply the steps above recursively :twisted:
To make the process easier you should do this with the help of the linux library.
So, grab the libraries of your mod for windows and linux.
Get "IDA Pro Disassembler" (not free).
For each library:
In IDA:
[IMG]http://img208.**************/img208/8749/12820721.png[/IMG]
Press
New
If linux library:
[IMG]http://img694.**************/img694/1284/37280226.png[/IMG]
If windows library:
[IMG]http://img684.**************/img684/5552/cenasx.png[/IMG]
Locate the library and open it.
Press
Ctrl + F5. This will open a dialog so you can chose where you want a file to be saved. This file is the decompiled version of your library (a feature of IDA that converts machine code back to
C code (far from readable code and not exactly resembling the original but easier to inspect than machine code)).
In the decompiled version of the linux library you will have code like:
PHP Code:
//----- (000B3C10) --------------------------------------------------------
int __cdecl InstallGameRules()
{
int result; // eax@2
int v1; // eax@2
int v2; // eax@3
(*(void (__cdecl **)(_DWORD))&g_engfuncs[156])("exec game.cfg\n");
(*(void (**)(void))&g_engfuncs[160])();
if ( *(float *)(gpGlobals + 20) == 0.0 )
{
v2 = __builtin_new(708);
result = __18CHalfLifeMultiplay(v2);
}
else
{
v1 = __builtin_new(728);
result = __17CHalfLifeTraining(v1);
}
return result;
}
This is the function
InstallGameRules where you can easily see the string "
exec game.cfg\n" being used.
Now, searching it on the decompiled version of the windows library you can see:
PHP Code:
//----- (10088530) --------------------------------------------------------
int __cdecl sub_10088530()
{
long double v0; // fst7@1
int v1; // eax@2
int v3; // eax@4
dword_101623DC("exec game.cfg\n");
dword_101623E0();
v0 = *(float *)(LODWORD(dword_101625B8) + 20);
if ( v0 == 0.0 )
{
v1 = (int)operator new(0x2E8u);
if ( v1 )
return sub_100C5EF0(v1, v0);
}
else
{
v3 = (int)operator new(0x2D0u);
if ( v3 )
return sub_10093D80(v3, v0);
}
return 0;
}
From observation you can easily see that you are dealing with the same function (with the bonus of being the only place where the string is located).
This means that at the offset
88530 in the windows binary of Counter Strike we have the function
InstallGameRules. You can see that in the function pseudo-label "sub_10
088530" (ignoring the sub_10). Since this number represents an hexadecimal number let's call it
0x88530.
Know to demonstrate the other technique let's search in the linux decompiled version of the library for
InstallGameRules to find calls to it:
PHP Code:
//----- (0011163C) --------------------------------------------------------
int *__usercall CWorld__Precache<eax>(long double a1<st0>, int a2)
{
unsigned int v2; // edi@8
__int16 v3; // fps@15
long double v4; // fst6@15
char v5; // c0@15
char v6; // c2@15
char v7; // c3@15
int v8; // eax@16
int v9; // ecx@18
int v10; // eax@19
int *result; // eax@25
int v12; // [sp-10h] [bp-58h]@16
float v13; // [sp-Ch] [bp-54h]@16
g_pLastSpawn = 0;
g_pLastCTSpawn = 0;
g_pLastTerroristSpawn = 0;
(*(void (__cdecl **)(_DWORD, char[4]))&g_engfuncs[240])("sv_gravity", "800");
(*(void (__cdecl **)(_DWORD, char[4]))&g_engfuncs[240])("sv_maxspeed", "900");
(*(void (__cdecl **)(_DWORD, _DWORD))&g_engfuncs[240])("sv_stepsize", "18");
(*(void (__cdecl **)(_DWORD, _DWORD))&g_engfuncs[240])("room_type", "0");
if ( g_pGameRules )
__builtin_delete((void *)g_pGameRules);
g_pGameRules = InstallGameRules();
You can see in the last line that the function
InstallGameRules is called from
CWorld__Precache (real name CWorld::Precache), so getting back into the decompiled version of the windows library:
Replace all ocurrences of
sub_10088530 by
InstallGameRules. Search for
InstallGameRules.
PHP Code:
int __usercall sub_100DD350<eax>(int a1<ecx>, int a2<esi>, long double a3<st0>)
{
int v3; // ebp@1
int v4; // eax@3
int v5; // esi@4
int v6; // eax@6
int v7; // ecx@7
int v8; // eax@8
signed int v9; // esi@17
int v10; // eax@28
int v11; // ecx@29
int result; // eax@33
float v13; // [sp-4h] [bp-10h]@25
signed int v14; // [sp-4h] [bp-10h]@31
v3 = a1;
dword_10162EFC = 0;
dword_10163D00 = 0;
dword_10163D04 = 0;
dword_10162430("sv_gravity", "800");
dword_10162430("sv_maxspeed", "900");
dword_10162430("sv_stepsize", "18");
dword_10162430("room_type", L"0");
if ( dword_10162304 )
operator delete(dword_10162304);
dword_10162304 = (void *)InstallGameRules();
And we just found out
CWorld__Precache (offset
0xDD350)
This is basically it. By applying this knowledge and your brain you can find almost any function.
Missing then are the types that the function use. You can check them by seeing the list of functions in the linux version of the library in
IDA window
Names. For the return type I don't know if there is simple way but you can always guess or check half life sdk when it makes sense.
For this case:
Code:
{
"name" : "InstallGameRules",
"library" : "mod",
"return" :
{
"type" : "CHalfLifeMultiplay *"
},
"identifiers":
[
{
"os" : "windows",
"mod" : "cstrike",
"value" : 0x88530
}
]
}
This should now go into a file named
InstallGameRules into the folder
configs/orpheu/functions. (Remembered that if the function belonged to a class you would have to create a folder with the name of the class).
Know there is a thing. This offset is guaranteed to be always the same each time the library loads but that can easily not be true if the library gets updated. That's the reason that motivated the
creation of a technique called signature scanning.
Signature scanning basically means: instead of provide an offset, provide a set of bytes that you can find at that offset (that represent the function). That set of bytes can easily have its location changed but as long as it exists as a block you can still search for it.
You can find more about that
here. I might make an easier tutorial for it later.
__________________