Raised This Month: $70 Target: $400
 17% 

Module: Okapi


Post New Thread Reply   
 
Thread Tools Display Modes
Author Message
joaquimandrade
Veteran Member
Join Date: Dec 2008
Location: Portugal
Old 02-07-2014 , 02:51   Module: Okapi
Reply With Quote #1

Hello. I've spent the last weeks working a new module built around a new idea to avoid using signatures.
I've also took the chance to add it features based on the experience with the making of orpheu.
So this module should be more funnier to use but more powerful than orpheu.

The new idea, is about to identify a function, in an easy manner, hopefully resistant to game updates.
It consists on the following notions:

Half-Life functions are an interconnected tree around a core of engine and dll functions.
Each function has a great chance of being connected to the core functions, and for each connection,
there is a minimal length path between the points.
The idea is to identify a function, based on a group of minimal path length between that function and the core functions.
The tree is built with simple parsing of the assembly call instructions (for example, indirect calls are not parsed)
in the libraries, but the results are solid, from my testing. Trees vary a great deal between mod's and operative systems but
for the main purpose of providing a way of identifying a function in a manner resistant to game updates, they seem quite ok.

So let's see an example. Remember that the purpose of this kind of identifier is to resist to game updates, so I will use and old version
of half life dedicated server, against the latest version. This is to see if identifiers for one of them, find the same function on the other and vice-versa.
I don't know if there is a legal way of testing this for an old cs server, but if you know I would like you to tell me.

I had to pick a name for this identifier and I chose "treemap". From now on I will use this name to refer to them.

hlds versions used:
Code:
Protocol version 46, Exe version 4.1.1.1, Exe build: 10:25:33 Apr 30 2003 (2379)
Protocol version 48, Exe version 1.1.2.2 (valve), Exe build: 13:13:29 Aug 29 2013 (6153)
Now I will take a "random" function and use it to exemplify how treemaps work.

This is a function present in the engine library of the old HLDS server:



Below, it has this portion that will make easy to identify it, in the other HLDS, to verify that we are dealing with the same function.





The first step now is to get it's treemap. This is done executing in the console the command:

Code:
okapi desc 0x550F0


This part:

Code:
Map values {4,4,4,4,4,5,5,4,4,5,6,4,6,6,4,4,4,4,4,5,4,0,4,2,4,6,5,5,5,3,4,5,5,5,5,5,4,3,5,4,0,4,5,5,5,6,3,3,3,3,3,3,3,3,3,3,0,6,5,5,5,3,4,5,0,4,0,6,0,0,0,3,4,0,4,0,0,4,4,4,4,4,5,4,4,4,4,4,0,4,4,4,4,5,4,4,4,4,6,5,0,4,4,4,4,0,4,6,3,5,5,5,4,0,4,5,5,0,5,4,4,4,4,4,4,4,0,5,5,5,0,4,4,0,0,0,0,5,4,4,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0}
is the group of minimal distances that our function 0x550F0, takes to each of engine library core functions.

This:

Code:
"jp='.BU*&.B8u{.N#,#.Q'Z$.z=F'.uYU{.#dJ$. 2I$.T\F'.-)V{.Mp/$.RXS{.00}&.;WU{.!eu{.u~V{.UP_(.c:B.+5 &. 8u{.7,V{.*+w&.j+w&...&~3"
It's the same information, compressed in a string. That is what we will use in plugins.
This string is what I refer to as "treemap".

Now, we will use try to use it as identifier to search it in the new hlds.

Code:
okapi search "jp='.BU*&.B8u{.N#,#.Q'Z$.z=F'.uYU{.#dJ$. 2I$.T\F'.-)V{.Mp/$.RXS{.00}&.;WU{.!eu{.u~V{.UP_(.c:B.+5 &. 8u{.7,V{.*+w&.j+w&...&~3"


In this image we can see a order list of the function that best match the given treemap.
The wanted case is that the first one is the same function in this hlds version as 0x550F0 is in the old one.

We can verify that it is the case in IDA:





Now we can do the inverse:




Now I will exemplify the use of a treemap in CS, with the InstallGameRules functions.
This would be the code to use the treemap, and create and hook the function.

PHP Code:
public OnInstallGameRules()
{
         new 
obj okapi_get_orig_return()
}

public 
plugin_precache()
{
             new 
install_gamerules_ptr okapi_mod_get_symbol_ptr("_Z16InstallGameRulesv"
    
              if(!
install_gamerules_ptr)
                           
install_gamerules_ptr okapi_get_treemap_ptr("[TG.;nC'.pbG.sXQ.J=g(.;OS'.ueA.1/.*K}.`/F'. 8u{.s9s{.Ohi(.,lm{.s9s{.2/#&.*0J.lE>'.1`}&.-]}&.vMa(.zp='.<cN'.=j12")
     
              new 
okapi_func:install_game_rules okapi_build_function(install_gamerules_ptr,arg_int)
     
              
okapi_add_hook(install_game_rules,"OnInstallGameRules",1)

Note that calls to okapi_get_treemap_ptr can take like 1 to 2 seconds, because many calculations are involved but, the results are then cached so
it just takes that time when the server is put on.

I will extend the talk about treemaps on a later ocasion.

Now, to show more of the module, I will continue from the previous code to show how to generically hook virtual functions.

PHP Code:
public OnAllowFlashlight()
{
             
okapi_set_return(1)
             return 
okapi_ret_supercede
}

public 
OnInstallGameRules()
{
             new 
obj okapi_get_orig_return()
    
             new 
okapi_func:allow_flashlight okapi_build_vfunc_ptr(obj,3,arg_int)
    
             
okapi_add_hook(allow_flashlight,"OnAllowFlashlight")

Note that 3 is the offset of the function CHalfLifeMultiplay::FAllowFlashlight in the CHalfLifeMultiplay vtable.

The module supports also searching for signatures with the functions

PHP Code:
okapi_mod_find_sig(const sig[],count)
okapi_engine_find_sig(const sig[],count
You can read about those functions and many others in the includes. Everything is sufficiently documented and I believe it's easy to use.

The signatures should look like this:

Code:
{0x51,0x56,"𐌻","𐌻",0x8B,0x86}
{0x51,0x56,0xDEF,0xDEF,0x8B,0x86}
using the symbol "𐌻", or any value above 0xFF, means that the particular bit is to be skipped from comparisons.

You can hook any function that uses a combination of these types:

PHP Code:
enum okapi_arg
{
             
arg_void,
             
arg_int,
             
arg_cbase,
             
arg_float,
             
arg_vec,
             
arg_entvars,
             
arg_string,
             
arg_edict,
             
arg_vec_ptr

that represent: int,CBaseEntity*,float,Vector,entvars_s*,char *,edict_t*,Vector*

The only exceptions is that when the function return a Vector. That is because when the function returns a Vector, a pointer is passed
in the beginning of the stack, so to handle that situation I would have to make a messy code so I prefered to ignore it.
Still, if you really need to hook or use a function that returns a Vector, it can be made with some lines of code using some tricks.

use "int" for long or for any value that you want to ignore.

Other thing present in the module are natives to handle memory directly.
You can use them to change any value in memory and for example to use structures not exposed via an API like playermove_s.

Example of replacing a string that was painful to do with orpheu, now takes one line:

PHP Code:
public plugin_init()
{
             
okapi_engine_replace_string("#      name userid uniqueid frag time ping loss adr^n","stuff^n")

This will change the max value of money a player can hold (note that this is probably not safe to use since there can be values replaced not related to the money)

PHP Code:
public plugin_init()
{
             
okapi_mod_replace_int(16000,1337000)

The module ended up a little big so I will show more stuff about it later.

Notes:

I tested the module alone since I wanted to make it a surprise so I expect it to need some enhancements or have some bugs.
When you use signatures to use functions, after you attach the module to a function, it modifies the bytes of the functions.
That means that if you use the same signature twice, the second will fail. This means that if you use the same signature in two
plugins, it will fail in one. To avoid this you can as an example, just to signature search in plugin_precache and hooking in plugin_init.

Again, I invite you to check the include files, I'm sure you will find there information that you will put to good use.
Also check the server console commands available, within the command okapi.




Attached Files
File Type: zip okapi_bin.zip (168.1 KB, 3137 views)
File Type: zip okapi_src.zip (116.6 KB, 1183 views)
__________________
joaquimandrade is offline
Arkshine
AMX Mod X Plugin Approver
Join Date: Oct 2005
Old 02-07-2014 , 07:50   Re: Module: Okapi
Reply With Quote #2

God, this name sucks. So weird I was hesitating to continue to read.

The idea is interesting, but I'm rather skeptical on the reliability, as I remember depending binaries version, calls order are not always the same ; though this should be ok for most of things (probably!).

I'm not sure to like having a plugin more verbose, hardcoded and less readable. Also, even if dealing with config files is a pain, you can easily share them and build references index ; losing this might not a good point. I think it would be worth to add a parser for those whom want to use a config file ; something where we could use specify an alias for a treemap for example. Same for virtual functions offsets ; that's really not something which should be hardcoded.

Another thing, in your example with InstallGameRules, you're using "_Z16InstallGameRulesv", but that's not going to work for older binaries. So either you need to check x symbols name, or you need to use a treemap like you do ; but for the latter is it going to work properly for windows/linux/osx ?

Oh, where is the OSX support ?

Except that, I guess it could be useful ; I like the idea to have something more 'universal' but I hate it will be stucked like Orpheu to some structures. Well, I guess there is Rage for that.

It's promising, and I would wish you improve usability in a more friendly way to have plugin more easy to maintain and more readable.

Well, good job, anyway, eheh.
__________________
Arkshine is offline
meTaLiCroSS
Gaze Upon My Hat
Join Date: Feb 2009
Location: Viņa del Mar, Chile
Old 02-07-2014 , 16:55   Re: Module: Okapi
Reply With Quote #3

Just, amazing.

I think that we would need to see some examples of many natives (I've read them ) with some kind of explanations, I'm just impressed
__________________
Quote:
Originally Posted by joropito View Post
You're right Metalicross
meTaLiCroSS is offline
yokomo
Surprise Ascot!
Join Date: May 2010
Old 02-08-2014 , 05:52   Re: Module: Okapi
Reply With Quote #4

Hi, can you write a tutorial how to patch value in mod dll using this module?

Ok i try to patch max roundtime:
PHP Code:
#include <amxmodx>
#include <okapi>

//Offset from mp.dll build 4382 by IDA PRO.
#define RoundtimeMaxCheck 0x94163
#define RoundtimeMaxCvarSet 0x9416A
#define RoundtimeMaxSet 0x9417D

//new const SignA[] = {0x3D,0x1C,0xDEF,0xDEF,0xDEF,0x7E,0x1C,0x68}
//new const SignB[] = {0x68,0xDEF,0xDEF,0xDEF,0x41,0x68,0x84,0xE9}
//new const SignC[] = {0xC7,0x46,0x3C,0x1C,0xDEF,0xDEF,0xDEF,0xEB}

public plugin_init()
{
    
register_plugin("Okapi Test""0.0.1""wbyokomo")
    
    
//Just testing searching signature, found and no crash.
    //server_print("SignA: %s", okapi_mod_find_sig(SignA,8) ? "Found":"Not Found")
    //server_print("SignB: %s", okapi_mod_find_sig(SignB,8) ? "Found":"Not Found")
    //server_print("SignC: %s", okapi_mod_find_sig(SignC,8) ? "Found":"Not Found")
    
    //Patch roundtime, game crash here.
    
okapi_set_ptr_int(RoundtimeMaxCheck32400//max check 0x94163
    
okapi_set_ptr_int(RoundtimeMaxCvarSet540//max cvar set 0x9416A
    
okapi_set_ptr_int(RoundtimeMaxSet32400//max set 0x9417D

I wonder why my game always crash? (running amxmodx on localserver). I bet my offsets are not correct, i'm using mp.dll from build 4382. Yes i know it is outdated but i still prefer to use this. My client is up to date according to Steam, but i just replace the mp.dll.

Server/client details
__________________
Hi, 7 years ago i run nosteam servers and i support nosteam community. So please ban me. Thank you legitmodders.
yokomo is offline
joaquimandrade
Veteran Member
Join Date: Dec 2008
Location: Portugal
Old 02-08-2014 , 06:48   Re: Module: Okapi
Reply With Quote #5

Quote:
Originally Posted by yokomo View Post

//new const SignA[] = {0x3D,0x1C,0xDEF,0xDEF,0xDEF,0x7E,0x1C,0x68}
//new const SignB[] = {0x68,0xDEF,0xDEF,0xDEF,0x41,0x68,0x84,0xE9}
//new const SignC[] = {0xC7,0x46,0x3C,0x1C,0xDEF,0xDEF,0xDEF,0xEB}

public plugin_init()
{
register_plugin("Okapi Test", "0.0.1", "wbyokomo")

//Just testing searching signature, found and no crash.
//server_print("SignA: %s", okapi_mod_find_sig(SignA, ? "Found":"Not Found")
//server_print("SignB: %s", okapi_mod_find_sig(SignB, ? "Found":"Not Found")
//server_print("SignC: %s", okapi_mod_find_sig(SignC, ? "Found":"Not Found")

//Patch roundtime, game crash here.
okapi_set_ptr_int(RoundtimeMaxCheck, 32400) //max check 0x94163
okapi_set_ptr_int(RoundtimeMaxCvarSet, 540) //max cvar set 0x9416A
okapi_set_ptr_int(RoundtimeMaxSet, 32400) //max set 0x9417D
}
[/PHP]
This step is incorrect

PHP Code:
okapi_set_ptr_int(RoundtimeMaxCheck32400//max check 0x94163 
That's because you are passing an offset, not the actual address you want.
You would do

PHP Code:
okapi_set_ptr_int(okapi_mod_get_offset_ptr(RoundtimeMaxCheck), 32400
To check if the signature is being searched correctly do:

PHP Code:
new offset okapi_mod_get_ptr_offset(okapi_mod_find_sig(SignA,8))
server_print("offset %x^n",offset
(Notice the name of this function is "the inverse" of the one used before)

After you patch the value by using a signature, remember that after map restart, the signature will be searched again, but now will not be found in the same memory location since it was altered. So be sure to check if the result from okapi_mod_find sig is not null, and be sure to confirm that your signature is unique.
__________________

Last edited by joaquimandrade; 02-08-2014 at 06:59.
joaquimandrade is offline
ConnorMcLeod
Veteran Member
Join Date: Jul 2006
Location: France (95)
Old 02-08-2014 , 08:52   Re: Module: Okapi
Reply With Quote #6

Another userfriendly module.
__________________
- tired and retired -

- my plugins -
ConnorMcLeod is offline
bibu
Veteran Member
Join Date: Sep 2010
Old 02-08-2014 , 12:52   Re: Module: Okapi
Reply With Quote #7

Doesn't this work in listen server?

Quote:
] version
Protocol version 48
Exe version 1.1.2.7/Stdio (cstrike)
Exe build: 13:14:12 Aug 29 2013 (6153)
I keep getting a bad load somehow.
__________________
Accepting paid work for clans and communities. !Plugins & Models!
Don't hesitate to contact me.
bibu is offline
DruGzOG
Veteran Member
Join Date: Nov 2007
Location: Unknown
Old 02-08-2014 , 13:08   Re: Module: Okapi
Reply With Quote #8

You mf, I like it.
__________________

Home of the AMX SUPER
SuperCentral Discord

Last edited by DruGzOG; 02-08-2014 at 13:08.
DruGzOG is offline
Send a message via AIM to DruGzOG
JusTGo
Veteran Member
Join Date: Mar 2013
Location: Tunisia
Old 02-08-2014 , 16:18   Re: Module: Okapi
Reply With Quote #9

nice module; too bad i can use it or undrestand it.
__________________
JusTGo is offline
joaquimandrade
Veteran Member
Join Date: Dec 2008
Location: Portugal
Old 02-08-2014 , 20:49   Re: Module: Okapi
Reply With Quote #10

Quote:
Originally Posted by bibu View Post
Doesn't this work in listen server?
It should work, in my PC it does. The only reason for that to be that im seeing is the compilation. In which windows you are testing? I will compile it later with a lower visual studio version and in windows XP 32 bits. I will also test with metamod-p. Thanks for reporting


Quote:
Originally Posted by DruGzOG View Post
You mf, I like it.
thanks MF

Quote:
Originally Posted by JusTGo View Post
nice module; too bad i can use it or undrestand it.
Thanks
__________________

Last edited by joaquimandrade; 02-08-2014 at 20:50.
joaquimandrade is offline
Reply


Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT -4. The time now is 13:11.


Powered by vBulletin®
Copyright ©2000 - 2021, vBulletin Solutions, Inc.
Theme made by Freecode