Solved [CS:GO] CBaseAnimating


gubka
Veteran Member
Join Date: Jan 2012
Location: Russia
Old 07-12-2018 , 22:08   [CS:GO] CBaseAnimating
#1

Hello everyone, I have problems finding these signatures for the current CS:GO update:
PHP Code:
CBaseAnimating::LookupAttachment
CBaseAnimating::GetAttachment
I want to use the first one to check the attachments in the player models and apply the costume if it exists, or try to find another one.
The second one (which is more important for me) I need to get the position of an attachment (shoot position) on the precache_viewmodel (not the real view model of the weapon). I already have code that uses the attachment position of the world player model, but it is still not quite as nice as getting the proper shoot position of the custom view model for creating a nice beam. I already use one sig for the view model, called CBaseAnimating::GetSequenceActivity, and it works for precache_viewmodel, so can anyone help me find the two signatures above, and should GetAttachment work for precached_viewmodel? The guide which I found on the wiki is quite incomprehensible for me, sorry guys. Thanks a million. And another question: how frequently do I need to update them?

I already have some sigs and I'm not sure about them. I found one for Windows here: https://forums.alliedmods.net/showthread.php?t=306114 and I think it is quite new, but I don't know about the LookupAttachment sig at all, I think they are quite old.
PHP Code:
"Animating_GetAttachment"
{
    "library"    "server"
    "windows"    "\x55\x8B\xEC\x83\xE4\xF8\x83\xEC\x30\x56\x57\x8B\xF9\x83\xBF\x9C\x04\x00\x00\x00\x75\x2A\xA1\x2A\x2A\x2A\x2A\x8B\x30\x8B\x07\xFF\x50\x18\x8B\x0D\x2A\x2A\x2A\x2A\x50\xFF\x56\x04\x85\xC0\x74\x2A\x8B\xCF\xE8\x2A\x2A\x2A\x2A\x8B\x8F\x9C\x04\x00\x00\x85\xC9\x74\x2A\x83\x39\x00\x74\x2A\x8B\x55\x08"
    "linux"      ""
}
"Animating_LookupAttachment"
{
    "library"    "server"
    "windows"    "\x55\x8B\xEC\x56\x8B\xF1\x80\xBE\x2A\x2A\x2A\x2A\x00\x75\x2A\x83\xBE\x2A\x2A\x2A\x2A\x00\x75\x2A\xE8\x2A\x2A\x2A\x2A\x85\xC0\x74\x2A\x8B\xCE\xE8\x2A\x2A\x2A\x2A\x8B\x2A\x2A\x2A\x2A\x2A\x85\xF6\x74\x2A\x83\x2A\x2A\x75\x2A\x33\xC0"
    "linux"      "\x55\x89\xE5\x53\x83\xEC\x14\x8B\x5D\x08\x8B\x8B\xB4\x04\x00\x00\x85\xC9\x74\x2A\x8B\x83\xB4\x04\x00\x00\x85\xC0\x74\x2A\x8B\x10\x85\xD2\x74\x2A\x8B\x55\x0C\x89\x04\x24"
}

Last edited by gubka; 07-25-2018 at 09:14.
hmmmmm
Great Tester of Whatever
Join Date: Mar 2017
Location: ...
Old 07-13-2018 , 04:14   Re: [CS:GO] CBaseAnimating
#2

I'll go through this one and try to explain how I did it, but only because it isn't as straightforward as most functions are, with strings you can directly search for inside the function. One thing that you need to understand however is that there isn't just "a way" to find the functions you're looking for. Think of it as a puzzle where all the function names are gone and you need to use your head to find out where the function you're looking for is. More often than not this is done with strings since they are the easiest to find, but it can also be done in other ways, for example using references to globals or using the vtable.

The easiest way to do this in CS:GO is to find an old binary that has symbols so you can easily find the function. You can find CS:GO binaries with symbols here: https://users.alliedmods.net/~asherk.../csgo_symbols/

In this example I'll use server.so to find the functions, then use the info I get from there to find them in an up-to-date server.dll where I'll get the signature.

So to start you open the server.so file with symbols and then click File->New Instance to open the server.dll simultaneously in another window and wait for the autoanalysis to finish. We'll be working out of server.so from here on and only using server.dll in case we need to check things. Click View->Open Subviews->Names to open the Names window. Do the same to open the Strings window. To keep things clean you can close all windows except for IDA View, Names window and Strings window, they're (usually) all you need.

I'll also be using IDA Pro which has the pseudocode view, but that isn't a must. You can find all the strings and info you need in the assembly view but it might be a bit harder to navigate. To open the pseudocode view, go to the IDA view and press Tab. You can press it again to switch back.

Next, open the Names window and press Ctrl+F to do a search for the function you want. In this case I'll do a search for CBaseAnimating::GetAttachment. This specific function has about 5 different overloads, each with a different set of parameters. Looking at the thread you linked, Pelipoika seems to use the one that takes (char *, Vector &, QAngle &) so double click on that one to go into it. Should look something like this:



The first thing you should be looking for is strings so that you can identify the function, but clearly this function doesn't have any so we'll have to find another way to do this. To do this we'll find cross-references to the function and try to find something to go off of from there. Cross-references (or xrefs for short) are places where the function or variable or string are referenced. For example if function X was used in functions Y and Z, the xrefs for X would show me Y and Z. IDA lets you see the xrefs by pressing your 'X' key on a function, variable or string. Finding xrefs is one of the tools you'll use the most in IDA so try to remember it and understand it. Let's try to use it on the CBaseAnimating::GetAttachment function.



Open the first function and you'll find that there are lots of strings that we can use here. In fact CBaseAnimating::GetAttachment is called with a string "Muzzle".



To make sure this string is unique and can be used to easily find our function, press X on it to see the xrefs. You'll see it is only used twice and both times with the GetAttachment function, so this string should work fine. Let's switch over to server.dll and open the Strings window to do a quick search for "Muzzle".



Unfortunately our "Muzzle" doesn't show up. You might think that the top result "muzzle" is the same, but the casing matters and if you look at the xrefs you'll see it's used in a different function. We still have a lot of other xrefs to GetAttachment we can look at so let's look for others in server.so again. After skimming through the list I found that it's used in CBaseServerVehicle::GetPassengerExitPoint (second last function) with the string "vehicle_driver_exit" which has only 1 xref, so it's unique. Once again, switch over to server.dll and do a string search for "vehicle_driver_exit".



There's only 1 result, so double click on it to go to it. IDA will take you to the rdata section which looks like this:



To find where the string is used click on aVehicleDriverE and press X. There's only 1 xref, go to it.



This should look familiar, it's the same CBaseServerVehicle::GetPassengerExitPoint function from server.so but without symbols. For comparison this is what it looks like in server.so with symbols.



Clearly sub_101A50D0 is CBaseAnimating::GetAttachment. To make things clearer, press N on it to rename it. This will also let you find it easily in the future in case you need it again. Now all you have to do is use the makesig.idc script (replace dtyp with dtype in the script if it fails on IDA 7 for you).

This generates the signature:
\x56\x04\x85\xC0\x74\x2A\x8B\xCF\xE8\x2A\x2A\x2A\x2A\x8B\x8F\x9C\x04\x00\x00\x85\xC9\x74\x2A\x83\x39\x00\x74\x2A\x8B\x55\x08

A similar process can be used to find LookupAttachment, try to find it yourself. Hope this helps.

Last edited by hmmmmm; 07-13-2018 at 04:22.
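As an added example (not from this thread, makesig.idc, or SourceMod's own loader), here is a small Python model of the two halves of the workflow above: what a gamedata loader does with a "\x55\x8B..." string, where \x2A is the wildcard, and a makesig-style routine that grows a signature from a function entry until it matches only once, wildcarding the byte offsets the caller marks as relocatable. The sample bytes are constructed, not taken from a real server binary.

```python
import re

WILDCARD = 0x2A  # gamedata convention: "\x2A" in a signature means "any byte"

def parse_sig(sig: str):
    r"""Turn a gamedata string such as "\x55\x8B\xEC\x2A" into (pattern, mask).

    mask[i] is False at wildcard positions. A literal 0x2A in the binary cannot
    be expressed in this format; that is a limitation of the convention."""
    raw = [int(h, 16) for h in re.findall(r"\\x([0-9A-Fa-f]{2})", sig)]
    if not raw or len(raw) * 4 != len(sig):
        raise ValueError("malformed signature string")
    return bytes(raw), [b != WILDCARD for b in raw]

def find_all(blob: bytes, pattern: bytes, mask) -> list:
    """Every offset in blob where pattern matches, skipping masked-out bytes."""
    n = len(pattern)
    return [off for off in range(len(blob) - n + 1)
            if all(not m or blob[off + i] == pattern[i] for i, m in enumerate(mask))]

def check_sig(blob: bytes, sig: str) -> list:
    """Loader-style check: a usable signature must match at exactly one offset."""
    return find_all(blob, *parse_sig(sig))

def make_sig(blob: bytes, start: int, relocatable) -> str:
    """makesig-style generation: starting at the function entry, extend the
    signature one byte at a time, wildcarding the offsets the caller marked as
    relocatable (call/jmp displacements, absolute addresses), until it matches
    only at `start`."""
    for length in range(1, len(blob) - start + 1):
        pattern = blob[start:start + length]
        mask = [(start + i) not in relocatable for i in range(length)]
        if find_all(blob, pattern, mask) == [start]:
            return "".join("\\x%02X" % (b if m else WILDCARD)
                           for b, m in zip(pattern, mask))
    raise ValueError("no unique signature starting at offset %#x" % start)

# Constructed sample "binary" (not a real server.so): two functions sharing the
# same prologue and differing only in a call displacement and a final jcc offset.
SAMPLE = bytes.fromhex(
    "5589E553 83EC14 8B5D08 E8 11223344 85C0 7410"   # function A at offset 0
    "9090"                                            # padding
    "5589E553 83EC14 8B5D08 E8 55667788 85C0 7405"   # function B at offset 21
)
CALL_OPERAND_A = {11, 12, 13, 14}  # the 4 displacement bytes after A's E8

if __name__ == "__main__":
    print(check_sig(SAMPLE, r"\x55\x89\xE5\x53"))      # ambiguous: [0, 21]
    sig = make_sig(SAMPLE, 0, CALL_OPERAND_A)
    print(sig, check_sig(SAMPLE, sig))                  # unique: [0]
```

The prologue-only signature hits both functions, which is exactly why makesig keeps extending past the wildcarded call operand until the final byte disambiguates them.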
gubka
Veteran Member
Join Date: Jan 2012
Location: Russia
Old 07-13-2018 , 17:23   Re: [CS:GO] CBaseAnimating
#3

hmmmmm, thanks a million, I appreciate that kind of detail in a guide. I will try to extract some of the signatures using your guide; whether I have success or not, I will tell here, but I hope I won't have problems using your great guide!
gubka
Veteran Member
Join Date: Jan 2012
Location: Russia
Old 07-13-2018 , 23:07   Re: [CS:GO] CBaseAnimating
#4

I still have a tiny question about that great guide which you wrote. I have difficulties seeing something like that after I go to the xref of the call. I already understand how to use the sig extractor when I know the string, like "Muzzle", I just don't see any of them in the reference. Can you tell me in more detail where I should see those kinds of strings?



I have something like that


Last edited by gubka; 07-13-2018 at 23:09.
hmmmmm
Great Tester of Whatever
Join Date: Mar 2017
Location: ...
Old 07-14-2018 , 03:24   Re: [CS:GO] CBaseAnimating
#5

It isn't a guarantee that you will find functions with strings when you go to the first xref (or any). Try going to the next one if the current one doesn't have any strings. Also if you're on the Pro version of IDA then press Tab to go into pseudocode view, it'll make navigating a lot easier.

Also remember what I mentioned about there not being "a way" to do this, try to get creative and find something you can use to identify the function. Even if it takes you an hour the first time, it'll be 5 minutes the next time. In the end it all comes down to experience.
gubka
Veteran Member
Join Date: Jan 2012
Location: Russia
Old 07-15-2018 , 11:51   Re: [CS:GO] CBaseAnimating
#6

Quote:
Originally Posted by hmmmmm
It isn't a guarantee that you will find functions with strings when you go to the first xref (or any). Try going to the next one if the current one doesn't have any strings. Also if you're on the Pro version of IDA then press Tab to go into pseudocode view, it'll make navigating a lot easier.

Also remember what I mentioned about there not being "a way" to do this, try to get creative and find something you can use to identify the function. Even if it takes you an hour the first time, it'll be 5 minutes the next time. In the end it all comes down to experience.
I installed IDA Pro and the pseudocode helped a lot, now I see something like that

PHP Code:
v8 = CBaseAnimating::LookupAttachment((CBaseAnimating *)a2, "muzzle");
CBaseAnimating::GetAttachment(a2, v8, &v35, &v54);
if ( a4 )
{
  v10 = (float *)(*(int (__fastcall **)(int, char *, int))(*(_DWORD *)a4 + 600))(v9, &v54, a4);
  v11 = v10[2] - v37;
  v12 = *v10 - v35;
  v39 = v10[1] - v36;
  v40 = v11;
  v38 = v12;
  a1 = VectorNormalize(&v38);
}
Just one last question: where exactly should I run the IDA makesig script? In the call sub_? section below the aVehicleDriverE?

For example, I found that aMuzzle and I tried to use the script both with dtype and dtyp, and IDA just freezes. Maybe I should use the script in a different place? What am I doing wrong? Thanks a million.

Last edited by gubka; 07-15-2018 at 13:11.
hmmmmm
Great Tester of Whatever
Join Date: Mar 2017
Location: ...
Old 07-15-2018 , 14:59   Re: [CS:GO] CBaseAnimating
#7

Just open the function you want the signature and then use the script. Not sure about the freezing issue, hasn't happened to me before.
gubka
Veteran Member
Join Date: Jan 2012
Location: Russia
Old 07-16-2018 , 19:36   Re: [CS:GO] CBaseAnimating
#8

Do i need to select that function to run the script?
hmmmmm
Great Tester of Whatever
Join Date: Mar 2017
Location: ...
Old 07-17-2018 , 02:59   Re: [CS:GO] CBaseAnimating
#9

You just have to be anywhere in the function, the script will automatically go to the beginning of the function and generate a signature for that.
gubka
Veteran Member
Join Date: Jan 2012
Location: Russia
Old 07-17-2018 , 20:05   Re: [CS:GO] CBaseAnimating
#10

Quote:
Originally Posted by hmmmmm
You just have to be anywhere in the function, the script will automatically go to the beginning of the function and generate a signature for that.
I just waited for longer and I got the signature. Thanks a lot for help
But if the function whose signature I need to find doesn't have any strings, how should I find it?