help with okapi


Craxor
Veteran Member
Join Date: Jan 2016
Location: Romania
06-21-2017, 10:10   Re: help with okapi
#11

OK, so I've found a function called SG_Detonate, which I assume means Smoke Grenade Detonate. I did as you said, and here's the byte search / signature + (Windows) symbol:
PHP Code:
?SG_Detonate@CGrenade@@QAEXXZ
83 ? ? 56 8B ? 57 8D ? ? ? 8B ? ? 83 ? ? D9
0x83,0xDFF,0xDFF,0x56,0x8B,0xDFF,0x57,0x8D,0xDFF,0xDFF,0xDFF,0x8B,0xDFF,0xDFF,0x83,0xDFF,0xDFF,0xD9

Here's a test plugin. It's working perfectly, but I still have a question because something is still not clear to me.
PHP Code:
#include <amxmodx>
#include <okapi>

public plugin_init()
{
    // Windows export name of the method, and a byte signature as fallback
    new const Symbl[] = "?SG_Detonate@CGrenade@@QAEXXZ"
    new const Signa[] = { 0x83,0xDFF,0xDFF,0x56,0x8B,0xDFF,0x57,0x8D,0xDFF,0xDFF,0xDFF,0x8B,0xDFF,0xDFF,0x83,0xDFF,0xDFF,0xD9 }

    new Handle
    if
    (
        (Handle = okapi_mod_get_symbol_ptr(Symbl)) ||
        (Handle = okapi_mod_find_sig(Signa, sizeof Signa))
    )
    {
        // void CGrenade::SG_Detonate(void): returns nothing, only the implicit this (an entity)
        okapi_add_hook(okapi_build_method(Handle, arg_void, arg_cbase), "test", .post = 1)
    }
}

public test(ent)
{
    client_print(0, print_chat, "SG Detonated!!!")
}

1. How do you know in the BuyZoneTouched example that the function has the parameters const ent and const id ('ent + id')? How do you know that, and where can I get that information from?

2. Can you explain more about okapi_hook_method, but only about the arguments I have to pass? Thanks.
__________________
Project: Among Us
HamletEagle
AMX Mod X Plugin Approver
Join Date: Sep 2013
Location: Romania
06-21-2017, 11:36   Re: help with okapi
#12

Currently, your plugin will work only on Windows. You are confused about it, let me explain. You have to provide identifiers for both Windows and Linux in order to make the plugin work on all servers.
The symbol is used for Linux and the byte signature for Windows. Currently, your plugin uses both the symbol and the signature for Windows.

The Linux symbol, found in cs.so, is: _ZN8CGrenade11SG_DetonateEv
And, the same as the previous function, SG_Detonate is exported on Windows. This means you don't need a byte signature; just use the symbol that you found: ?SG_Detonate@CGrenade@@QAEXXZ

So the code would be:
PHP Code:
#include <amxmodx>
#include <okapi>

public plugin_init()
{
    // one identifier per platform: mangled symbol from cs.so, exported name from mp.dll
    new const SG_DetonateLinuxSymbol[]   = "_ZN8CGrenade11SG_DetonateEv"
    new const SG_DetonateWindowsSymbol[] = "?SG_Detonate@CGrenade@@QAEXXZ"

    new HandleSGDetonate
    if
    (
        (HandleSGDetonate = okapi_mod_get_symbol_ptr(SG_DetonateLinuxSymbol)) ||
        (HandleSGDetonate = okapi_mod_get_symbol_ptr(SG_DetonateWindowsSymbol))
    )
    {
        okapi_add_hook(okapi_build_method(HandleSGDetonate, arg_void, arg_cbase), "test", .post = 1)
    }
}

public test(const entity)
{
}
Again, since the function is exported (it has a name) you can use a symbol; making a signature is not needed.

Now, if you still made the signature, let's check it, because it seems to be wrong. You are either using an old server build (in this case please update so I can reliably help you), or you made some mistakes. What I found is "83 ? ? 56 8B ? 57 8B ? ? D9 ? ? D9 ? ? ? D9". Half of yours is wrong. But your code still works because the module is using the symbol you provided.

My IDA View A is:
PHP Code:
.text:100824A0 83 EC 5C             sub     esp, 5Ch
.text:100824A3 56                   push    esi
.text:100824A4 8B F1                mov     esi, ecx
.text:100824A6 57                   push    edi
.text:100824A7 8B 46 04             mov     eax, [esi+4]
.text:100824AA D9 40 08             fld     dword ptr [eax+8]
.text:100824AD D9 5C 24 08          fstp    [esp+64h+var_5C]
.text:100824B1 D9 40 0C             fld     dword ptr [eax+0Ch]
.text:100824B4 D9 5C 24 0C          fstp    [esp+64h+var_58]
.text:100824B8 D9 40 10             fld     dword ptr [eax+10h]
To recap:
1. You have to search in both the Windows and the Linux binary: cs.so and mp.dll.
2. For Linux, you always use a symbol.
3. For Windows, if the function has a name other than sub_, then you use a symbol, WITHOUT a signature.
4. For Windows, if the function does not have a name (it's called sub_), then you make a signature.

Now, about your questions:
1. How do you know in the BuyZoneTouched example that the function has the parameters const ent and const id ('ent + id')? How do you know that, and where can I get that information from?

If you have IDA pro, press F5 in cs.so in that function and you'll get the decompiled output. The output will be:
Code:
void __cdecl CBuyZone::BuyTouch(CBuyZone *const this, CBaseEntity *pOther)
You see the two params. The hidden object this is the instance of the class. Since the class is CBuyZone, it's easy to guess that it's the buyzone id. About the pOther param, since it's CBaseEntity it's still an entity.
To know more about it I checked here: https://github.com/s1lentq/ReGameDLL...gers.cpp#L1748
In the function you see this code: if (!pOther->IsPlayer()). This check sees whether pOther is not a player and will return. This tells you that the function expects pOther to be a player.
It's basically looking in IDA and at ReGameDLL, checking the param name, how it's used, eventually printing its value and guessing.

Another way: you can also check directly on regamedll, but remember that the first param is the hidden object "this" for such functions. You have to add the params that you found in regamedll after the first one. https://github.com/s1lentq/ReGameDLL...gers.cpp#L1748

For example, given that header:
PHP Code:
void CBuyZone::BuyTouch(CBaseEntity *pOther)
The pOther param is actually the second one, the first param is the class object, which in pawn translates to the entity index. So your params will be: entity, pOther(which is player id).

2. Can you explain more about okapi_hook_method, but only about the arguments I have to pass? Thanks.
Code:
/**
 *  Attaches okapi to a method (class member function) so you can hook it and call it
 *  
 * @param ptr				the address of the method
 * @param okapi_arg:ret		the return type of the method
 * @param okapi_arg:arg		the type of the method class
 * @param okapi_arg:...		the rest of the types for the arguments of the function
 *
 * @return					an handler to the function attached
 *
 */
ptr = the address
ret = what the function returns: int/char/void etc. Look at the function definition in ReGameDLL to know that. In C++, functions are declared as returnType FunctionName. So void CBuyZone::BuyTouch means it returns nothing, so arg_void should be used.
arg = the type of the class. As I said, we have a class called CBuyZone, and since you know buyzone is an entity it means that the function actually is about an entity, so we use arg_cbase, because that's the argument for entities. Usually, you will only use arg_cbase for that param.
... = the params of the function that you want to hook.
Last edited by HamletEagle; 06-21-2017 at 12:42.
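The point of the post above is that a byte signature is tied to one build: Craxor's pattern came from an older mp.dll and no longer lines up with the current one, and the plugin only kept working because the Windows symbol was found first and the signature branch never ran. As an added example, not code from the thread, from okapi or from Orpheu, here is the matching that a lookup like okapi_mod_find_sig has to perform, written in C and run over two byte buffers constructed from the two IDA listings quoted in this thread. It also parses the IDA-style "83 ? ? 56" text into the 0xDFF array okapi takes (and the ["*"] bracket form Orpheu uses), and counts hits so you can see whether a pattern is unique. The function names, the helpers and the sample buffers are this example's own.

```c
/* Added example, not code from the thread, from okapi or from Orpheu. It does what
 * a lookup such as okapi_mod_find_sig has to do: match a byte pattern containing
 * "any byte" wildcards against a module's code, and check that the hit is unique.
 * OLD_BUILD and NEW_BUILD are constructed from the bytes in the two IDA listings
 * quoted in this thread; the function names and helpers are this example's own. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SIG_WILDCARD 0xDFF   /* okapi's wildcard marker: outside the 0x00..0xFF byte range */
#define SIG_MAX      64

/* Start of CGrenade::SG_Detonate in the older mp.dll (Craxor's listing)... */
static const uint8_t OLD_BUILD[] = {
    0x83,0xEC,0x5C, 0x56, 0x8B,0xF1, 0x57, 0x8D,0x4C,0x24,0x08,
    0x8B,0x46,0x04, 0x83,0xC0,0x08, 0xD9,0x00, 0xD9,0x5C,0x24,0x14
};
/* ...and in the newer build (HamletEagle's listing). */
static const uint8_t NEW_BUILD[] = {
    0x83,0xEC,0x5C, 0x56, 0x8B,0xF1, 0x57, 0x8B,0x46,0x04, 0xD9,0x40,0x08,
    0xD9,0x5C,0x24,0x08, 0xD9,0x40,0x0C, 0xD9,0x5C,0x24,0x0C, 0xD9,0x40,0x10
};
/* The two IDA-style patterns posted in the thread. */
static const char CRAXOR_SIG[] = "83 ? ? 56 8B ? 57 8D ? ? ? 8B ? ? 83 ? ? D9";
static const char HAMLET_SIG[] = "83 ? ? 56 8B ? 57 8B ? ? D9 ? ? D9 ? ? ? D9";

/* Parse "83 ? ? 56" into sig[]; "?" or "??" becomes SIG_WILDCARD.
 * Returns the entry count, or -1 on a malformed token or overflow. */
int parse_sig(const char *text, int *sig, size_t max)
{
    char buf[256];
    size_t n = 0;
    snprintf(buf, sizeof buf, "%s", text);
    for (char *tok = strtok(buf, " "); tok; tok = strtok(NULL, " ")) {
        if (n >= max) return -1;
        if (strcmp(tok, "?") == 0 || strcmp(tok, "??") == 0) { sig[n++] = SIG_WILDCARD; continue; }
        char *end;
        long v = strtol(tok, &end, 16);
        if (*end != '\0' || v < 0 || v > 0xFF) return -1;
        sig[n++] = (int)v;
    }
    return (int)n;
}

/* Does sig match hay at exactly this position? Wildcards accept any byte. */
static int match_at(const uint8_t *hay, const int *sig, size_t siglen)
{
    for (size_t j = 0; j < siglen; j++)
        if (sig[j] != SIG_WILDCARD && hay[j] != sig[j]) return 0;
    return 1;
}

/* Offset of the first match in hay, or -1. The pattern may not hang past the end
 * of hay: a wildcard still needs a real byte under it. */
long find_sig(const uint8_t *hay, size_t haylen, const int *sig, size_t siglen)
{
    if (siglen == 0 || siglen > haylen) return -1;
    for (size_t i = 0; i + siglen <= haylen; i++)
        if (match_at(hay + i, sig, siglen)) return (long)i;
    return -1;
}

/* Number of matches. Over a whole .text section this must be exactly 1: 0 means
 * the wrong build, more than 1 means the pattern has too many wildcards. */
int count_sig(const uint8_t *hay, size_t haylen, const int *sig, size_t siglen)
{
    int hits = 0;
    for (size_t i = 0; siglen > 0 && i + siglen <= haylen; i++)
        hits += match_at(hay + i, sig, siglen);
    return hits;
}

enum sig_style { STYLE_OKAPI, STYLE_ORPHEU };

/* Render sig[] as the literal each module expects: okapi takes 0x83,0xDFF,...
 * (inside { } in Pawn), Orpheu takes [0x83,"*",...]. Returns length, -1 if truncated. */
int format_sig(const int *sig, size_t n, enum sig_style st, char *out, size_t outlen)
{
    size_t used = 0;
    char tok[16];
    if (outlen == 0) return -1;
    out[0] = '\0';
    if (st == STYLE_ORPHEU) used += (size_t)snprintf(out, outlen, "[");
    for (size_t i = 0; i < n && used < outlen; i++) {
        if (sig[i] == SIG_WILDCARD)
            snprintf(tok, sizeof tok, "%s%s", i ? "," : "", st == STYLE_OKAPI ? "0xDFF" : "\"*\"");
        else
            snprintf(tok, sizeof tok, "%s0x%02X", i ? "," : "", sig[i]);
        used += (size_t)snprintf(out + used, outlen - used, "%s", tok);
    }
    if (st == STYLE_ORPHEU && used < outlen) used += (size_t)snprintf(out + used, outlen - used, "]");
    return used < outlen ? (int)used : -1;
}

int main(void)
{
    int sig[SIG_MAX];
    char out[512];
    int n = parse_sig(CRAXOR_SIG, sig, SIG_MAX);
    if (format_sig(sig, (size_t)n, STYLE_OKAPI, out, sizeof out) > 0) printf("okapi form: { %s }\n", out);
    printf("old build: %ld  new build: %ld\n", find_sig(OLD_BUILD, sizeof OLD_BUILD, sig, (size_t)n),
           find_sig(NEW_BUILD, sizeof NEW_BUILD, sig, (size_t)n));
    return 0;
}
```

On a real module you would read the whole .text section out of the PE or ELF and keep a signature only when count_sig returns 1 for it; the buffers here are a few dozen bytes, so a hit at offset 0 simply says "this pattern was cut from this build", and the -1 for the other build is exactly the stale-signature case discussed above. Note also that the assignment-in-condition fallback in the plugin hides a stale signature, because the symbol lookup succeeds before the signature is ever tried.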
Craxor
Veteran Member
Join Date: Jan 2016
Location: Romania
06-21-2017, 17:22   Re: help with okapi
#13

I showed you the example with Windows because I'm actually using Windows. I know I have to use both the symbols + the signature to make it work for all servers.

I believe yes, I'm using an old build. Here's what IDA shows me:
Code:
; Exported entry 117. ?SG_Detonate@CGrenade@@QAEXXZ



                              ; public: void __thiscall CGrenade::SG_Detonate(void)
                              public ?SG_Detonate@CGrenade@@QAEXXZ
                              ?SG_Detonate@CGrenade@@QAEXXZ proc near

                              var_5C= dword ptr -5Ch
                              var_58= dword ptr -58h
                              var_54= dword ptr -54h
                              var_50= dword ptr -50h
                              var_4C= dword ptr -4Ch
                              var_48= dword ptr -48h
                              var_44= dword ptr -44h
                              var_40= dword ptr -40h
                              var_3C= dword ptr -3Ch
                              var_38= dword ptr -38h

83 EC 5C                      sub     esp, 5Ch
56                            push    esi
8B F1                         mov     esi, ecx
57                            push    edi
8D 4C 24 08                   lea     ecx, [esp+64h+var_5C]
8B 46 04                      mov     eax, [esi+4]
83 C0 08                      add     eax, 8
D9 00                         fld     dword ptr [eax]
D9 5C 24 14                   fstp    [esp+64h+var_50]
D9 40 04                      fld     dword ptr [eax+4]
D9 5C 24 18                   fstp    [esp+64h+var_4C]
D9 40 08                      fld     dword ptr [eax+8]
D8 05 64 F8 0F 10             fadd    ds:flt_100FF864
8D 44 24 14                   lea     eax, [esp+64h+var_50]
50                            push    eax
D9 5C 24 20                   fstp    [esp+68h+var_48]
E8 7B 7C F7 FF                call    sub_10001BA0
D9 44 24 08                   fld     [esp+64h+var_5C]
8B 4C 24 08                   mov     ecx, [esp+64h+var_5C]
8B 54 24 0C                   mov     edx, [esp+64h+var_58]
D9 5C 24 14                   fstp    [esp+64h+var_50]
D9 44 24 0C                   fld     [esp+64h+var_58]
8B 44 24 10                   mov     eax, [esp+64h+var_54]
89 4C 24 20                   mov     [esp+64h+var_44], ecx
8B 4E 04                      mov     ecx, [esi+4]
89 54 24 24                   mov     [esp+64h+var_40], edx
D9 5C 24 18                   fstp    [esp+64h+var_4C]
D9 44 24 10                   fld     [esp+64h+var_54]
D8 25 4C F1 0F 10             fsub    ds:flt_100FF14C
89 44 24 28                   mov     [esp+64h+var_3C], eax
8B B9 08 02 00 00             mov     edi, [ecx+208h]
8D 54 24 14                   lea     edx, [esp+64h+var_50]
8D 4C 24 08                   lea     ecx, [esp+64h+var_5C]
D9 5C 24 1C                   fstp    [esp+64h+var_48]
52                            push    edx
E8 2E 7C F7 FF                call    sub_10001BA0
8D 44 24 2C                   lea     eax, [esp+64h+var_38]
8D 4C 24 08                   lea     ecx, [esp+64h+var_5C]
50                            push    eax
57                            push    edi
6A 01                         push    1
8D 54 24 2C                   lea     edx, [esp+70h+var_44]
51                            push    ecx
52                            push    edx
E8 F7 48 04 00                call    sub_100CE880
8B 46 04                      mov     eax, [esi+4]
83 C4 14                      add     esp, 14h
8B 80 98 01 00 00             mov     eax, [eax+198h]
85 C0                         test    eax, eax
75 0E                         jnz     short loc_10089FA7
Edit:

I've tried with just the signature and it works fine:
PHP Code:
#include <amxmodx>
#include <okapi>

public plugin_init()
{
    new const Signa[] = { 0x83,0xDFF,0xDFF,0x56,0x8B,0xDFF,0x57,0x8D,0xDFF,0xDFF,0xDFF,0x8B,0xDFF,0xDFF,0x83,0xDFF,0xDFF,0xD9 }

    // signature only, no symbol lookup this time
    new Handle = okapi_mod_find_sig(Signa, sizeof Signa)
    okapi_add_hook(okapi_build_method(Handle, arg_void, arg_cbase), "test", .post = 1)
}

public test(ent)
{
    client_print(0, print_chat, "SG Detonated!!!")
}
So my signature is correct, but yes, I will use a symbol if the function has a name. I wanted to know if I made the signature correctly. I tried making a signature for CGrenade Detonate3 and it is hell; it's easier to use the symbol.

Can you edit the variable naming in your first reply, for the ones who read your reply here:
PHP Code:
    new const BuyTouchLinuxSymbol  [] = "?BuyTouch@CBuyZone@@QAEXPAVCBaseEntity@@@Z"
    new const BuyTouchWindowsSymbol[] = "_ZN8CBuyZone8BuyTouchEP11CBaseEntity"
They should be reversed.
Last edited by Craxor; 06-21-2017 at 23:06.
HamletEagle
AMX Mod X Plugin Approver
Join Date: Sep 2013
Location: Romania
06-22-2017, 03:02   Re: help with okapi
#14

Glad you noticed, I'll fix it. But update to the latest build, it's better if we both use the same binary.

Now go learn how to find functions without a name in windows.
Last edited by HamletEagle; 06-22-2017 at 03:49.
Craxor
Veteran Member
Join Date: Jan 2016
Location: Romania
06-22-2017, 09:27   Re: help with okapi
#15

1. That's not possible. If I simply also download mp.so, doesn't the .so file have no sub_XXX and have a name for all functions? Because I can at least take the signature from them; I'll use the name just to discern them... however, I will download it and see with my own eyes.

2. Ultra-dumb question: how do I update my server?

3. Can you show me more about what okapi can do? For example, how can I supercede the function so it won't be called? Is it really necessary to hook GameRules to do that?

4. Off-topic: why doesn't arkshine update the module? I know he is very busy, but it's not necessary to release okapi at the same time as amxx 1.8.3; he can release the update for okapi sooner, because that's an amazing module.

5. Can we make a thread for okapi signatures/symbols and even some small examples of use, like the Orpheu ones?
Last edited by Craxor; 06-22-2017 at 09:28.
klippy
AlliedModders Donor
Join Date: May 2013
Location: Serbia
06-22-2017, 09:57   Re: help with okapi
#16

2. Search SteamCMD.

3. If you take a look at okapi_const.inc, there's:
Code:
enum okapi_ret
{
	okapi_ret_ignore,
	okapi_ret_override,
	okapi_ret_supercede
}
Return one of those values from an okapi hook.

5. Orpheu and Okapi use the same symbols/signatures. If one works with one module, it will work with the other too.
HamletEagle
AMX Mod X Plugin Approver
Join Date: Sep 2013
Location: Romania
06-22-2017, 10:11   Re: help with okapi
#17

Quote:
1. That's not possible. If I simply also download mp.so, doesn't the .so file have no sub_XXX and have a name for all functions? Because I can at least take the signature from them; I'll use the name just to discern them... however, I will download it and see with my own eyes.
There is no file called mp.so. There is only mp.dll which is for windows and cs.so which is for linux. Don't let the different names confuse you, they are the same file.
For windows, you can only learn how to search functions, there's no other way.

Quote:
3. Can you show me more about what okapi can do? For example, how can I supercede the function so it won't be called? Is it really necessary to hook GameRules to do that?
Just return okapi_ret_supercede; it works like any other forward (ham, fakemeta, etc). InstallGameRules is a function that we are using to retrieve the g_pGameRules object, which is used for altering game rules offsets and hooking functions from the CHalfLifeMultiplay class without signatures, by providing an offset. These are what are called virtual functions, functions that are part of a class and can be hooked using their position in that virtual class.

The virtual table of the class is like an array:
Code:
0 - function1
1 - function2
.
.
.
n - function n
How do you retrieve an element from an array? By doing array[element]. It's the same for virtual tables: just by providing the position of that function in the table (its offset) and the base address of that vtable you can hook the function (so no signature/symbol is needed).

Quote:
4. Off-topic: why doesn't arkshine update the module? I know he is very busy, but it's not necessary to release okapi at the same time as amxx 1.8.3; he can release the update for okapi sooner, because that's an amazing module.
Ask him.

Quote:
5. Can we make a thread for okapi signatures/symbols and even some small examples of use, like the Orpheu ones?
Bytes are bytes, they will work for whatever module. Only the format in which you write them is different. Another thread is not needed.
Last edited by HamletEagle; 06-22-2017 at 10:12.
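The virtual-table explanation above, as an added example that is not part of the thread or of the okapi module: a C model of an object whose first word points at a table of function pointers, with one entry replaced by a trampoline so every virtual call through that slot runs a pre-hook first. The pre-hook's return codes mirror okapi_ret_ignore / okapi_ret_override / okapi_ret_supercede from the okapi_const.inc enum klippy quoted, so it also shows concretely what "return okapi_ret_supercede" does to the original call and why that only works from a pre hook. The entity class, its two-entry table, the slot names and the "smokegrenade" sample object are this example's own, not the game's layout.

```c
/* Added example, not from the thread or from okapi. It models "hook a function by
 * its position in the virtual table": a C++ object's first word points at a table
 * of function pointers, so swapping entry n redirects every virtual call through
 * that slot. The pre-hook return codes mirror okapi_ret_ignore / okapi_ret_override /
 * okapi_ret_supercede from okapi_const.inc; the class, its table layout and all
 * names here are this example's own, not the game's. */
#include <stdio.h>
#include <string.h>

enum hook_ret { HOOK_IGNORE, HOOK_OVERRIDE, HOOK_SUPERCEDE };

struct entity;
typedef int (*vfunc)(struct entity *self, int arg);

/* A minimal "class": the vtable pointer sits at offset 0, as in a real C++ object. */
struct entity {
    vfunc      *vtable;
    const char *name;
    int         hp;
    int         detonated;
};

static int ent_think(struct entity *e, int arg)    { e->hp += arg; return e->hp; }
static int ent_detonate(struct entity *e, int arg) { (void)arg; e->detonated = 1; return 1; }

/* The class's table. Index 1 is ent_detonate, so "offset 1" names that function. */
#define VT_SIZE 2
enum { VT_THINK = 0, VT_DETONATE = 1 };
static vfunc g_entity_vtable[VT_SIZE] = { ent_think, ent_detonate };

/* Calling through the object exactly as compiled C++ does: obj->vtable[n](obj, ...). */
int call_virtual(struct entity *e, int index, int arg) { return e->vtable[index](e, arg); }

/* Hook bookkeeping, one slot per table index. */
typedef enum hook_ret (*prehook_fn)(struct entity *self, int arg, int *override_ret);
struct hook { vfunc original; prehook_fn pre; };
static struct hook g_hooks[VT_SIZE];

/* Trampoline installed at VT_DETONATE: run the pre-hook, then decide whether the
 * saved original runs and whose return value the caller sees. */
static int detonate_trampoline(struct entity *e, int arg)
{
    struct hook *h = &g_hooks[VT_DETONATE];
    int ret = 0;
    if (h->pre) {
        enum hook_ret r = h->pre(e, arg, &ret);
        if (r == HOOK_SUPERCEDE) return ret;                 /* original never runs */
        if (r == HOOK_OVERRIDE)  { h->original(e, arg); return ret; }
    }
    return h->original(e, arg);                              /* HOOK_IGNORE */
}

/* Install: save the table entry, then overwrite it. Refuses a bad index or a slot
 * that is already hooked. On a live module the table is in read-only data, so a
 * real hooker makes the page writable first (VirtualProtect / mprotect). */
int hook_vtable(vfunc *vtable, int index, vfunc trampoline, prehook_fn pre)
{
    if (index < 0 || index >= VT_SIZE || g_hooks[index].original) return -1;
    g_hooks[index].original = vtable[index];
    g_hooks[index].pre      = pre;
    vtable[index] = trampoline;
    return 0;
}

/* Uninstall: put the saved pointer back. Always do this on plugin unload. */
void unhook_vtable(vfunc *vtable, int index)
{
    if (index < 0 || index >= VT_SIZE || !g_hooks[index].original) return;
    vtable[index] = g_hooks[index].original;
    memset(&g_hooks[index], 0, sizeof g_hooks[index]);
}

/* Sample pre-hook: supercede detonation for anything named "smokegrenade". */
static enum hook_ret block_smoke(struct entity *e, int arg, int *override_ret)
{
    (void)arg;
    if (strcmp(e->name, "smokegrenade") == 0) { *override_ret = 0; return HOOK_SUPERCEDE; }
    return HOOK_IGNORE;
}

/* Drive it end to end; returns 1 if every step behaved as described above. */
int demo_supercede(void)
{
    struct entity smoke = { g_entity_vtable, "smokegrenade", 100, 0 };
    struct entity he    = { g_entity_vtable, "hegrenade",    100, 0 };
    int ok = 1;
    if (hook_vtable(g_entity_vtable, VT_DETONATE, detonate_trampoline, block_smoke) != 0) return 0;
    ok &= call_virtual(&smoke, VT_DETONATE, 0) == 0 && smoke.detonated == 0;  /* superceded */
    ok &= call_virtual(&he,    VT_DETONATE, 0) == 1 && he.detonated == 1;     /* passed through */
    ok &= call_virtual(&smoke, VT_THINK, -10) == 90;                          /* other slots untouched */
    unhook_vtable(g_entity_vtable, VT_DETONATE);
    ok &= call_virtual(&smoke, VT_DETONATE, 0) == 1 && smoke.detonated == 1;  /* original again */
    return ok;
}

int main(void)
{
    printf("vtable hook demo: %s\n", demo_supercede() ? "ok" : "FAILED");
    return 0;
}
```

Two things carry over to the real module. First, the table is shared by every object of the class, so the swap hooks all CHalfLifeMultiplay (or whichever class) instances at once, which is why only the object's address and the slot index are needed and no signature. Second, a supercede can only stop the original if the decision is taken before it runs; a post hook sees the call after the fact, so returning supercede from one changes nothing.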
06-22-2017, 10:13
Craxor
This message has been deleted by Craxor. Reason: I'll try and come back :P
HamletEagle
AMX Mod X Plugin Approver
Join Date: Sep 2013
Location: Romania
06-22-2017, 10:15   Re: help with okapi
#18

5. Look at orpheu signature format:
Code:
[0x56,0x8B,"*",0x8B,"*",0xFF,"*","*","*","*","*",0x85,"*",0x75,"*",0x5E,0xC2]
Remove [ ] and replace all "*" by 0xDFF.

ez conversion.

3. If you hooked the function as post, I'm not surprised that it did nothing.
Craxor
Veteran Member
Join Date: Jan 2016
Location: Romania
06-22-2017, 10:26   Re: help with okapi
#19

You viewed my deleted reply, that's illegal, but thanks anyway. So if it works like that, it's more than cool; I can remove the entity after I take its origin and do some nice things.
HamletEagle
AMX Mod X Plugin Approver
Join Date: Sep 2013
Location: Romania
06-22-2017, 10:38   Re: help with okapi
#20

Now, as I said, learn how to search for functions.