A library is a set of bytes. Millions of them. They can represent numbers, functions (in machine code), arrays, strings. This tutorial will try to explain how to find functions in libraries so you can use them.
Finding a function means locate its position in the library. What is normally called offset
. It's the number of bytes that it takes to reach the function starting at the first byte of the library.
In libraries compiled by gcc (linux) offsets are labelled with symbolic names with which you can easily recognize what is located at that offset.
In libraries compiled by VC++ there aren't almost no labels so you have to resort to techniques like searching for strings in the library. That because you can easily relate strings to events like, if you see "Terrorists Win" being used you know that you are dealing with a function related to the round end.
Developing over this, the techniques we can use are:
- Finding functions by searching strings.
- After having found a function use it to find more functions like: if you know that a function calls yours or if yours calls another.
- Apply the steps above recursively :twisted:
To make the process easier you should do this with the help of the linux library.
So, grab the libraries of your mod for windows and linux.
Get "IDA Pro Disassembler" (not free).
For each library:
If linux library:
If windows library:
Locate the library and open it.
Press Ctrl + F5
. This will open a dialog so you can chose where you want a file to be saved. This file is the decompiled version of your library (a feature of IDA that converts machine code back to C
code (far from readable code and not exactly resembling the original but easier to inspect than machine code)).
In the decompiled version of the linux library you will have code like:
//----- (000B3C10) --------------------------------------------------------
int __cdecl InstallGameRules()
int result; // [email protected]
int v1; // [email protected]
int v2; // [email protected]
(*(void (__cdecl **)(_DWORD))&g_engfuncs)("exec game.cfg\n");
if ( *(float *)(gpGlobals + 20) == 0.0 )
v2 = __builtin_new(708);
result = __18CHalfLifeMultiplay(v2);
v1 = __builtin_new(728);
result = __17CHalfLifeTraining(v1);
This is the function InstallGameRules
where you can easily see the string "exec game.cfg\n
" being used.
Now, searching it on the decompiled version of the windows library you can see:
//----- (10088530) --------------------------------------------------------
int __cdecl sub_10088530()
long double v0; // [email protected]
int v1; // [email protected]
int v3; // [email protected]
v0 = *(float *)(LODWORD(dword_101625B8) + 20);
if ( v0 == 0.0 )
v1 = (int)operator new(0x2E8u);
if ( v1 )
return sub_100C5EF0(v1, v0);
v3 = (int)operator new(0x2D0u);
if ( v3 )
return sub_10093D80(v3, v0);
From observation you can easily see that you are dealing with the same function (with the bonus of being the only place where the string is located).
This means that at the offset 88530
in the windows binary of Counter Strike we have the function InstallGameRules.
You can see that in the function pseudo-label "sub_10088530
" (ignoring the sub_10). Since this number represents an hexadecimal number let's call it 0x88530
Know to demonstrate the other technique let's search in the linux decompiled version of the library for InstallGameRules
to find calls to it:
//----- (0011163C) --------------------------------------------------------
int *__usercall CWorld__Precache<eax>(long double a1<st0>, int a2)
unsigned int v2; // [email protected]
__int16 v3; // [email protected]
long double v4; // [email protected]
char v5; // [email protected]
char v6; // [email protected]
char v7; // [email protected]
int v8; // [email protected]
int v9; // [email protected]
int v10; // [email protected]
int *result; // [email protected]
int v12; // [sp-10h] [bp-58h]@16
float v13; // [sp-Ch] [bp-54h]@16
g_pLastSpawn = 0;
g_pLastCTSpawn = 0;
g_pLastTerroristSpawn = 0;
(*(void (__cdecl **)(_DWORD, char))&g_engfuncs)("sv_gravity", "800");
(*(void (__cdecl **)(_DWORD, char))&g_engfuncs)("sv_maxspeed", "900");
(*(void (__cdecl **)(_DWORD, _DWORD))&g_engfuncs)("sv_stepsize", "18");
(*(void (__cdecl **)(_DWORD, _DWORD))&g_engfuncs)("room_type", "0");
if ( g_pGameRules )
g_pGameRules = InstallGameRules();
You can see in the last line that the function InstallGameRules
is called from CWorld__Precache
(real name CWorld::Precache), so getting back into the decompiled version of the windows library:
Replace all ocurrences of sub_10088530
Search for InstallGameRules
And we just found out CWorld__Precache
This is basically it. By applying this knowledge and your brain you can find almost any function.
Missing then are the types that the function use. You can check them by seeing the list of functions in the linux version of the library in IDA
. For the return type I don't know if there is simple way but you can always guess or check half life sdk when it makes sense.
For this case:
"name" : "InstallGameRules",
"library" : "mod",
"type" : "CHalfLifeMultiplay *"
"os" : "windows",
"mod" : "cstrike",
"value" : 0x88530
This should now go into a file named InstallGameRules
into the folder configs/orpheu/functions
. (Remembered that if the function belonged to a class you would have to create a folder with the name of the class).
Know there is a thing. This offset is guaranteed to be always the same each time the library loads but that can easily not be true if the library gets updated. That's the reason that motivated the creation of a technique called signature scanning
Signature scanning basically means: instead of provide an offset, provide a set of bytes that you can find at that offset (that represent the function). That set of bytes can easily have its location changed but as long as it exists as a block you can still search for it.
You can find more about that here
. I might make an easier tutorial for it later.