Raised This Month: $170 Target: $400
 42% 

Solved [csgo] retrieving a vtable offset from CBasePlayer::


Post New Thread Reply   
 
Thread Tools Display Modes
Author Message
blacklagoon
Senior Member
Join Date: Jun 2012
Old 09-10-2017 , 01:40   [csgo] retrieving a vtable offset from CBasePlayer::
Reply With Quote #1

hi and sorry to bother you again, would you know how to retrieve this offset on linux ? (CBasePlayer::IsReadyToSpawn function is quite complicated to retrieve with the vtables)
I don't have a good recent server.dll to make a diff with windows if anyone can provide me one without me needing to overload my harddrive, it would be nice.

Code:
0	sub_588960
1	sub_588980
2	sub_5010C0
3	sub_3F7C60
4	sub_3F7BE0
5	sub_3F7BF0
6	sub_3F7C00
7	sub_3F7C30
8	sub_3F7C10
9	sub_3FB3A0
10	sub_588910
11	sub_588920
12	sub_588900 < this is CBasePlayer::IsReadyToSpawn in IDA
13	sub_500C20
14	sub_3F7C40
15	sub_500E00
16	sub_500E10
17	sub_500E30
18	sub_521C70
19	sub_503C60
20	sub_5010F0
21	sub_507B40
22	sub_5889D0
23	sub_501CF0
24	sub_524B40
25	sub_589910
26	sub_441FB0
27	sub_501C80
28	sub_500F80
29	sub_3F76F0
...
I can't believe it has the same offset as GetDataDescMap, what value should i add?
IDA xrefs points me to this vtable so it's the only vtable i can get it from with my knowledge...

Last edited by blacklagoon; 09-13-2017 at 07:37.
blacklagoon is offline
Dr!fter
The Salt Boss
Join Date: Mar 2007
Old 09-11-2017 , 14:40   Re: [csgo] retrieving a vtable offset from CBasePlayer::
Reply With Quote #2

lin 488 win 487 if you really want to know how i got them i can post it.

Last edited by Dr!fter; 09-11-2017 at 14:42.
Dr!fter is offline
Dr!fter
The Salt Boss
Join Date: Mar 2007
Old 09-12-2017 , 08:11   Re: [csgo] retrieving a vtable offset from CBasePlayer::
Reply With Quote #3

Alright so since someone asked me to post it here we go.

I used an old bin (with symbols) to look at the function/vtable.

The vtable we want is CCSPlayer, so I dumped the old one and here is the part that matters...

PHP Code:
 484  483 CBasePlayer::Hints(void)
 
485  484 CBasePlayer::IsReadyToPlay(void)
 
486  485 CBasePlayer::IsReadyToSpawn(void)
 
487  486 CBasePlayer::ShouldGainInstantSpawn(void)
 
488  487 CBasePlayer::ResetPerRoundStats(void)
 
489  488 CBasePlayer::ResetScores(void)
 
490  489 CCSPlayer::IncrementFragCount(intint
Now I looked at the first one that wasnt from CBasePlayer (CCSPlayer::IncrementFragCount(int, int))

The function contains the string "Player '%s'[%08X] got first kill of the round.\n". After finding the function i look at the xrefs to get to the vtable. In the vtable I subtracted 4 functions and boom i got the function address.

Now i jump to the start of the vtable and using the original ida script https://github.com/alliedmodders/sou...table_dump.idc I dump the vtable making sure to set "Number of vtable entries to ignore for indexing:" to 0 when asked.

Windows is a bit easier to find the vtable, but to find the function is much harder (although in this case i already knew it was 1 off from linux).

To find the function I could use the same method as I did for linux but I'll explain the other method.

Using http://www.openrce.org/blog/view/134...er_IDA_plug-in you can get the vtable list from RTTI.

Next you jump to the vtable you want and using the same script as above i dumped the vtable.

Now windows optimizes the vtable when functions are identical, since this one and many others simply do return 1; The function name appears a multitude of times in the vtable. So what you can do is compare the entries in the old to the new. I see that the new one has 2 more than the old. So I know it is between 0-2 from the old one (this is a brave assumption but a pretty safe one)

Here is what it looked like after I (stupidly) renamed the function.

PHP Code:
473    IsReadyToSpawn
474    nullsub_2
475    sub_102EFAC0
476    sub_1041DA70
477    nullsub_49
478    sub_103F1DA0
479    IsReadyToSpawn
480    sub_102F1100
481    nullsub_2
482    sub_1011B360
483    sub_103F5130
484    sub_101E72E0
485    sub_1011B370
486    IsReadyToSpawn
487    IsReadyToSpawn
488    sub_1011B360
489    nullsub_1
490    sub_101E1230
491    IncrementFragCount 
Now i know that there is 2 consecutive ones so i found the 2 together and its the bottom one.

I should point out we arent 100% sure its the CCSPlayer but it is either CCSPlayer, CCSBot and CBot<CCSPlayer> so it doesnt really matter but the using the vtable length method may lead to errors if one has more functions

Last edited by Dr!fter; 09-13-2017 at 08:33.
Dr!fter is offline
blacklagoon
Senior Member
Join Date: Jun 2012
Old 09-13-2017 , 07:37   Re: [csgo] retrieving a vtable offset from CBasePlayer::
Reply With Quote #4

Thanks for the awnsers that's pretty helpful, since i have more to dig out from this class.
I guess it's solved
blacklagoon is offline
Reply


Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT -4. The time now is 13:09.


Powered by vBulletin®
Copyright ©2000 - 2018, vBulletin Solutions, Inc.
Theme made by Freecode