First of all, I already searched for that one and it's part of left4downtown2:
PHP Code:
/*
 * CTerrorPlayer::OnShovedBySurvivor(CTerrorPlayer*, Vector const&) - used by L4D2 on Special Infected (got melee'd)
 */
"CTerrorPlayer_OnShovedBySurvivor"
{
    "library"    "server"
    "linux"      "@_ZN13CTerrorPlayer18OnShovedBySurvivorEPS_RK6Vector"
    "windows"    "\x81\xEC\x2A\x2A\x2A\x2A\x56\x8B\xF1\xE8\x2A\x2A\x2A\x2A\x84\xC0\x0F\x2A\x2A\x2A\x2A\x2A\x8B\x8C\x2A\x2A\x2A\x2A\x2A\x55\x33\xED\x3B\xCD\x74"
    /* 81 EC ? ? ? ? 56 8B F1 E8 ? ? ? ? 84 C0 0F ? ? ? ? ? 8B 8C ? ? ? ? ? 55 33 ED 3B CD 74 */
}
And in the Signature Scanning Tutorial I want to write, at some point you'll have 3 methods to work yourself through the disassembly:
- Unique strings: because they're the same for Linux and Windows
- Xrefs being similar (functions calling other functions)
- Function structure / Graph View similarity
For this particular case, select the function with the Linux signature "_ZN13CTerrorPlayer18OnShovedBySurvivorEPS_RK6Vector" and press CTRL-X to get a list of its XRefs, which are the OTHER functions calling it.
Among the very short list is "CTerrorPlayer::OnLeptOnSurvivor(CTerrorPlayer*)". Scanning that function's code, you will find a unique string, "SurvivorJockeyedOther".
Search for that string in both the Linux and Windows disassembly (having toggled 'find all occurrences') to make sure it's really unique. I think you get 2 or 3 functions calling it as a result; you open each and look at them in text and graph mode to figure out which is OnLeptOnSurvivor - it's easy because one function was some loading list, I believe, and the other differs in function calls and graph view.
Anyway, once you have pinned down OnLeptOnSurvivor in Windows, look at it in Graph View, compare it to the Linux Graph View, and find where it calls OnShovedBySurvivor.
Ta-dah, you reversed the binary and found your function. Then use the opcode bytes to create a signature ... brutally short tut:
- First byte of every line is the function call, static, use it
- ebx, ecx are local variables, static, use them
- anything else is changeable (which means the opcode bytes will change on an L4D2 recompile), so you want to use wildcards. It's '*' for IDA byte search.
Once you have a couple of bytes like "81 EC ? ? ? ? 56 8B F1 E8 ? ? ? ? 84 C0 0F" you can check if they're unique already. Use ALT-B to call signature searching in Windows IDA, put in the bytes, see if it returns the function you're trying to sig (if it's not found you screwed up the bytes) and ONLY that one. If it returns more, you have to add more bytes to the signature.
Once you have the unique complete signature "81 EC ? ? ? ? 56 8B F1 E8 ? ? ? ? 84 C0 0F ? ? ? ? ? 8B 8C ? ? ? ? ? 55 33 ED 3B CD 74" you replace all '?' with '2A' and all whitespace with '\x' (make sure there's one in front of the first byte) and you have made the signature SourceMod gamedata compliant.
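As an added example (not from the post or from left4downtown2), here is a small Python helper that does the '?' to \x2A conversion described above and runs the same "exactly one hit" uniqueness check against a constructed byte buffer standing in for the Windows binary; the two function bodies and the 0xCC padding in it are made up for the demonstration, the signatures are the ones from the post.

```python
import re
from typing import List, Optional

# The two signatures from the post: the first few bytes, and the complete one.
IDA_SIG_SHORT = "81 EC ? ? ? ? 56 8B F1 E8 ? ? ? ? 84 C0 0F"
IDA_SIG_FULL = ("81 EC ? ? ? ? 56 8B F1 E8 ? ? ? ? 84 C0 0F ? ? ? ? ? "
                "8B 8C ? ? ? ? ? 55 33 ED 3B CD 74")

def ida_to_sourcemod(pattern: str) -> str:
    """Turn an IDA ALT-B pattern into the gamedata form: '?' -> \\x2A, 'HH' -> \\xHH."""
    out = []
    for tok in pattern.split():
        if tok == "?":
            out.append("\\x2A")
        elif re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
            out.append("\\x" + tok.upper())
        else:
            raise ValueError(f"not a byte or wildcard: {tok!r}")
    return "".join(out)

def parse_sourcemod(sig: str) -> List[Optional[int]]:
    """Parse '\\x81\\xEC\\x2A...' into byte values; 0x2A means wildcard (None),
    which is also why a literal 0x2A in the code can only be matched as a wildcard."""
    toks = re.findall(r"\\x([0-9A-Fa-f]{2})", sig)
    if len(toks) * 4 != len(sig):
        raise ValueError("signature is not a clean sequence of \\xHH tokens")
    return [None if t.upper() == "2A" else int(t, 16) for t in toks]

def find_matches(data: bytes, sig: str) -> List[int]:
    """Offsets in data where the gamedata signature matches (wildcards match any byte)."""
    pat = parse_sourcemod(sig)
    return [off for off in range(len(data) - len(pat) + 1)
            if all(p is None or data[off + i] == p for i, p in enumerate(pat))]

def is_unique(data: bytes, ida_pattern: str) -> bool:
    """The check the post describes: the pattern must hit exactly one location."""
    return len(find_matches(data, ida_to_sourcemod(ida_pattern))) == 1

# Constructed stand-in for server.dll: two functions sharing the same prologue,
# padded with int3 (0xCC). Only TARGET continues with '8B 8C ... 55 33 ED 3B CD 74'.
PAD = b"\xCC" * 16
LOOKALIKE = bytes.fromhex("81EC11223344 568BF1E8 00112233 84C00F 85AABBCCDD 8B4508 5D C3")
TARGET = bytes.fromhex("81EC10203040 568BF1E8 AABBCCDD 84C00F 8401020304 8B8C 2405060708 55 33ED 3BCD 74")
IMAGE = PAD + LOOKALIKE + PAD + TARGET + PAD
if __name__ == "__main__":
    for name, sig in (("short", IDA_SIG_SHORT), ("full", IDA_SIG_FULL)):
        hits = find_matches(IMAGE, ida_to_sourcemod(sig))
        print(f"{name}: {len(hits)} hit(s) at {hits} -> unique={len(hits) == 1}")
```

The short pattern hits both functions in the constructed buffer, the full one hits only the target, which is the "add more bytes until ONLY that one comes back" loop from the post in code form.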