Offsets of aCon_Printf

Leonidddd · **Author**

I've studied this and found one offset by the program IDA.I've never worked before with IDA.

Quote:

// Auto reconstructed from vtable block @ 0x0005947C
// from "orpheu_amxx_i386.so", by ida_vtables.idc
0 aCon_printf

For windows "0"
For linux it will be "general rule is windows offset = linux offset - 1" - "1?"

For linux I took such resaults:

Quote:

// Auto reconstructed from vtable block @ 0x0005947C
// from "orpheu_amxx_i386.so", by ida_vtables.idc

P.S.Using a case: server forwards,which class are they belong in the orpheu?
P.P.S.I want find offsets for

Quote:

UTIL_LogPrintf(char *,...)

(I hope,I didn't miss with that finding)...
P.P.P.S.Sorry for bad English.

Bos93 · 01-25-2014 , 12:23 Re: Offsets of aCon_Printf

Quote:

I've studied this and found one offset by the program IDA

This [TUT] only for virtual function. UTIL_LogPrintf is not virtual function. You need make signature.

Build 6027:

Linux:

PHP Code:


			
.text:00128E00 ; UTIL_LogPrintf(char *, ...)
.text:00128E00                 public _Z14UTIL_LogPrintfPcz
.text:00128E00 _Z14UTIL_LogPrintfPcz proc near         ; CODE XREF: printEntities(void)+6Bp
.text:00128E00                                         ; printEntities(void)+B5p ...
.text:00128E00
.text:00128E00 s               = dword ptr -1Ch
.text:00128E00 format          = dword ptr -18h
.text:00128E00 arg             = dword ptr -14h
.text:00128E00 arg_0           = dword ptr  4
.text:00128E00 arg_4           = byte ptr  8
.text:00128E00
.text:00128E00                 sub     esp, 1Ch
.text:00128E03                 lea     eax, [esp+1Ch+arg_4]
.text:00128E07                 mov     [esp+1Ch+arg], eax ; arg
.text:00128E0B                 mov     eax, [esp+1Ch+arg_0]
.text:00128E0F                 mov     [esp+1Ch+s], offset _ZZ14UTIL_LogPrintfPczE6string ; s
.text:00128E16                 mov     [esp+1Ch+format], eax ; format
.text:00128E1A                 call    vsprintf
.text:00128E1F                 mov     eax, offset _ZZ14UTIL_LogPrintfPczE6string ; UTIL_LogPrintf(char *,...)::string
.text:00128E24                 mov     [esp+1Ch+arg], eax
.text:00128E28                 mov     eax, (offset aSS+5)
.text:00128E2D                 mov     [esp+1Ch+format], eax
.text:00128E31                 mov     [esp+1Ch+s], 5
.text:00128E38                 call    dword ptr ds:g_engfuncs+0F4h
.text:00128E3E                 add     esp, 1Ch
.text:00128E41                 retn
.text:00128E41 _Z14UTIL_LogPrintfPcz endp

Signature: _Z14UTIL_LogPrintfPcz

Windows:

PHP Code:


			
.text:100C5340 ; int __cdecl sub_100C5340(char *Format, char Args)
.text:100C5340 sub_100C5340    proc near               ; CODE XREF: sub_10003280+383p
.text:100C5340                                         ; .text:100375C4p ...
.text:100C5340
.text:100C5340 Format          = dword ptr  4
.text:100C5340 Args            = byte ptr  8
.text:100C5340
.text:100C5340                 mov     ecx, [esp+Format]
.text:100C5344                 lea     eax, [esp+Args]
.text:100C5348                 push    eax             ; Args
.text:100C5349                 push    ecx             ; Format
.text:100C534A                 push    offset byte_101754C8 ; Dest
.text:100C534F                 call    _vsprintf
.text:100C5354                 push    offset byte_101754C8
.text:100C5359                 push    offset aS_1     ; "%s"
.text:100C535E                 push    5
.text:100C5360                 call    dword_10161CB4
.text:100C5366                 add     esp, 18h
.text:100C5369                 retn
.text:100C5369 sub_100C5340    endp

Signature: 0x8D,0x44,0x24,0x08,0x50,0x51,0x68,"*","*","* ","*",0xE8,"*","*","*","*",0x68,"*","*","*"," *",0x68,"*","*","*","*",0x6A,0x05,0xFF,0x15," *","*","*","*",0x83,0xC4,0x18,0xC3

Leonidddd · 01-25-2014 , 14:26 Re: Offsets of aCon_Printf

Nice,thanks a lot to you(ну ты понял)).Сигнатуры... емае,как людям усложняют жизнь.Ну да ладно,прорвемся=)

Bos93 · 01-25-2014 , 14:57 Re: Offsets of aCon_Printf

English pls

Leonidddd · 01-25-2014 , 15:26 Re: Offsets of aCon_Printf

You make me happy

But I still worry for you avatar

,but I think I'll get used for it

Bos93 · 01-25-2014 , 15:57 Re: Offsets of aCon_Printf

I'm watching you

Leonidddd · 01-26-2014 , 06:10 Re: Offsets of aCon_Printf

I found for Linux(easy,nice) and for Windows,but how did you know

PHP Code:


			
_cdecl sub_100C5340

,that it's the same as UTIL_LogPrintf?

Bos93 · *Last edited by Bos93; 01-26-2014 at 07:44.*

yes

Leonidddd · 01-26-2014 , 08:35 Re: Offsets of aCon_Printf

Is that right?

PHP Code:


			
{

    "name"       : "UTIL_LogPrintf",

    "library"    : "mod",

    "info" : "Event is calling,when server is logging something",

    "arguments"  :

    [

        {

            "type" : "char *"

        }

    ],

    "identifiers":

    [

        {

            "os"    : "windows",

            "mod"   : "cstrike",

            "value" : [0x8D,0x44,0x24,0x08,0x50,0x51,0x68,"*","*","* ","*",0xE8,"*","*","*","*",0x68,"*","*","*"," *",0x68,"*","*","*","*",0x6A,0x05,0xFF,0x15," *","*","*","*",0x83,0xC4,0x18,0xC3]

        },

        {

            "os"    : "linux",

            "mod"   : "cstrike",

            "value" : "_Z14UTIL_LogPrintfPcz"

        }

    ]

}

Bos93 · 01-26-2014 , 18:35 Re: Offsets of aCon_Printf

I think:

PHP Code:


			
    "arguments" : 
    [
        {
            "type" : "char *" 
        },
        {
            "type" : "char *" 
        }
    ],