Alright so since someone asked me to post it here we go.

I used an old bin (with symbols) to look at the function/vtable.

The vtable we want is CCSPlayer, so I dumped the old one and here is the part that matters...

```
484 483 CBasePlayer::Hints(void)
485 484 CBasePlayer::IsReadyToPlay(void)
486 485 CBasePlayer::IsReadyToSpawn(void)
487 486 CBasePlayer::ShouldGainInstantSpawn(void)
488 487 CBasePlayer::ResetPerRoundStats(void)
489 488 CBasePlayer::ResetScores(void)
490 489 CCSPlayer::IncrementFragCount(int, int)
```

Now I looked at the first one that wasn't from CBasePlayer (CCSPlayer::IncrementFragCount(int, int)).

The function contains the string "Player '%s'[%08X] got first kill of the round.\n". After finding the function I look at the xrefs to get to the vtable. In the vtable I subtracted 4 functions and boom, I got the function address.

Now I jump to the start of the vtable and, using the original IDA script https://github.com/alliedmodders/sou...table_dump.idc, I dump the vtable, making sure to set "Number of vtable entries to ignore for indexing:" to 0 when asked.

Windows is a bit easier to find the vtable, but to find the function is much harder (although in this case I already knew it was 1 off from Linux).

To find the function I could use the same method as I did for Linux, but I'll explain the other method.

Using http://www.openrce.org/blog/view/134...er_IDA_plug-in you can get the vtable list from RTTI.

Next you jump to the vtable you want, and using the same script as above I dumped the vtable.

Now Windows optimizes the vtable when functions are identical. Since this one and many others simply do `return 1;`, the function name appears a multitude of times in the vtable. So what you can do is compare the entries in the old to the new. I see that the new one has 2 more than the old, so I know it is between 0-2 from the old one (this is a brave assumption but a pretty safe one).

Here is what it looked like after I (stupidly) renamed the function.

```
473 IsReadyToSpawn
474 nullsub_2
475 sub_102EFAC0
476 sub_1041DA70
477 nullsub_49
478 sub_103F1DA0
479 IsReadyToSpawn
480 sub_102F1100
481 nullsub_2
482 sub_1011B360
483 sub_103F5130
484 sub_101E72E0
485 sub_1011B370
486 IsReadyToSpawn
487 IsReadyToSpawn
488 sub_1011B360
489 nullsub_1
490 sub_101E1230
491 IncrementFragCount
```

Now I know that there are 2 consecutive ones, so I found the 2 together and it's the bottom one.

I should point out we aren't 100% sure it's the CCSPlayer, but it is either CCSPlayer, CCSBot or CBot<CCSPlayer>, so it doesn't really matter, but using the vtable length method may lead to errors if one has more functions.
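The two ways of locating the slot described in the post, cross-checked against each other in a short script (an added example, not part of the original post or of the linked IDA scripts). It assumes the second column of the old dump is the Windows index (old slot 485 for IsReadyToSpawn) and that the four entries between the target and IncrementFragCount keep their order on Windows; all function names in the script are hypothetical.

```python
import re

# Tail of the new Windows dump quoted in the post (slot, IDA name).
NEW_DUMP = """
483 sub_103F5130
484 sub_101E72E0
485 sub_1011B370
486 IsReadyToSpawn
487 IsReadyToSpawn
488 sub_1011B360
489 nullsub_1
490 sub_101E1230
491 IncrementFragCount
"""

def parse_dump(text):
    """Map slot index -> name for every 'index name' line."""
    rows = (re.match(r"\s*(\d+)\s+(\S+)", ln) for ln in text.splitlines())
    return {int(m.group(1)): m.group(2) for m in rows if m}

def by_length(table, old_slot, growth):
    """Vtable-length method: the slot index grew by 0..growth entries."""
    return [i for i in range(old_slot, old_slot + growth + 1) if i in table]

def folded_second(table, slots):
    """Keep slots that repeat the entry directly above them (merged bodies)."""
    return [i for i in slots if table.get(i - 1) == table[i]]

def by_anchor(table, anchor_name, distance):
    """Anchor method: count back from an entry that appears exactly once."""
    hits = [i for i, name in table.items() if name == anchor_name]
    if len(hits) != 1:
        raise ValueError("anchor must appear exactly once in the vtable")
    return hits[0] - distance

def locate(table, old_slot, growth, anchor_name, distance):
    """Return the slot only if both methods agree, else raise."""
    narrowed = folded_second(table, by_length(table, old_slot, growth))
    anchored = by_anchor(table, anchor_name, distance)
    if narrowed != [anchored]:
        raise ValueError(f"methods disagree: {narrowed} vs {anchored}")
    return anchored

if __name__ == "__main__":
    table = parse_dump(NEW_DUMP)
    # Old Windows slot 485, table grew by 2, target sits 4 above the anchor.
    print(locate(table, 485, 2, "IncrementFragCount", 4))
```

A disagreement between the two methods raises instead of returning a slot, which is the case the post warns about when the candidate classes have different vtable lengths.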