Solved [ORPHEU] How to identify windows signatures ??


Natsheh
Veteran Member
Join Date: Sep 2012
02-26-2021, 10:00   [ORPHEU] How to identify windows signatures ??

So far I've found a random signature on Windows; the problem is I am encountering a crash when that function is called, which happens on firing a weapon or something.

Function name on Windows: "sub_100CE920"

signature


Outputs :-
Code:
L 02/26/2021 - 16:18:37: 0.64 0.34 0.25 0.01 3.50 2.25 7
L 02/26/2021 - 16:27:25: 1.50 0.44 0.22 0.05 6.50 2.50 7
L 02/26/2021 - 16:51:21: 1.00 0.44 0.28 0.04 3.75 3.00 7
L 02/26/2021 - 16:54:10: 1.10 0.50 0.30 0.05 4.00 3.00 8
L 02/26/2021 - 16:55:46: 0.89 0.44 0.25 0.03 3.50 2.75 7
Edit: Lmao, I just found the KickBack function from arkshine's thread without even noticing it was the same as the example.

Although I would like to know: how can you tell what the function's purpose is from Windows signatures, and how many parameters it takes?


Last edited by Natsheh; 02-27-2021 at 03:26.
klippy
AlliedModders Donor
Join Date: May 2013
Location: Serbia
02-26-2021, 11:32   Re: [ORPHEU] How to identify windows signatures ??

You can do a signature search in disassembly programs like IDA. Although you still won't know exactly what that function is as there's no debug info, it can possibly help you if it references any string literals. You could search the source code with those.
Last edited by klippy; 02-26-2021 at 11:33.
Natsheh
Veteran Member
Join Date: Sep 2012
02-26-2021, 12:13   Re: [ORPHEU] How to identify windows signatures ??

Yes, IDA is what I've used to disassemble.

HamletEagle
AMX Mod X Plugin Approver
Join Date: Sep 2013
Location: Romania
02-26-2021, 12:32   Re: [ORPHEU] How to identify windows signatures ??

Usually, you don't just go into IDA, look at Windows functions and figure out what they are from the assembly (possible, but hard, and it requires experience). The usual workflow is: you look at a project such as regamedll, figure out which function you need to find (depending on what you want to do), then search for it in the Windows DLL.

How to do that? You look in the regamedll source code to see if the function contains strings. If it does, you search in IDA by that string and identify the function. You can compare the output with the output from disassembling the Linux binary (it contains debug symbols, so you can search functions by their name).
If the function doesn't use strings, you check where it is used (which functions call the function you want to find). Then keep doing that until at least one function in the chain contains a string. Search by that string and work your way up the function call chain until you find yours.

For parameters/return type you can look at regamedll. Don't forget that some functions may be virtual (you don't need a signature for them). In this case, use a tool like https://asherkin.github.io/vtable/

Use regamedll carefully, it is not a 1 to 1 match with the official binary.
Last edited by HamletEagle; 02-26-2021 at 12:35.
Natsheh
Veteran Member
Join Date: Sep 2012
02-26-2021, 13:00   Re: [ORPHEU] How to identify windows signatures ??

I think in order to create windows signatures I must first understand how assembly works and how addresses are referenced.

Bugsy
AMX Mod X Moderator
Join Date: Feb 2005
Location: NJ, USA
02-26-2021, 13:30   Re: [ORPHEU] How to identify windows signatures ??

I don't think you need to know assembly, just follow the tutorial that I think Arkshine wrote, it's pretty straightforward.
Natsheh
Veteran Member
Join Date: Sep 2012
02-26-2021, 14:37   Re: [ORPHEU] How to identify windows signatures ??

That's actually what I did, but he didn't explain properly how he managed to obtain and recognize the Windows signature.

But I will surely use the regamedll engine as reference, despite knowing the signatures will differ from the regular gamedll.


Last edited by Natsheh; 02-26-2021 at 14:40.
HamletEagle
AMX Mod X Plugin Approver
Join Date: Sep 2013
Location: Romania
02-26-2021, 15:30   Re: [ORPHEU] How to identify windows signatures ??

Quote:
Originally Posted by Natsheh
That's actually what I did, but he didn't explain properly how he managed to obtain and recognize the Windows signature.

But I will surely use the regamedll engine as reference, despite knowing the signatures will differ from the regular gamedll.
You are missing the point. Again, you do not go into the Windows DLL, just look at random functions and figure out what they do. Do not do that; you are approaching the problem from the wrong end.
Figure out what plugin you want to do, check regamedll (not the dll files, the source code on github https://github.com/s1lentq/ReGameDLL...regamedll/dlls), understand the game functions that are related to what you want to do. Check the source code from regamedll to see if the function is using strings or not (see my previous post about what to do if they have/do not have strings).
Then you just build a signature of bytes for your function and do whatever you want to do with it. You can press F5 in IDA to get a C code translation from the assembly; it will help you see if you got the right function.

You don't need to know assembly to be able to use orpheu.

I could write a step by step tutorial about how to identify functions(with examples). Wanted to write one for a long time, but figured no one would be interested.
Last edited by HamletEagle; 02-26-2021 at 15:34.
Natsheh
Veteran Member
Join Date: Sep 2012
02-26-2021, 15:53   Re: [ORPHEU] How to identify windows signatures ??

Yeah, I was misleading; I meant I'll check the regamedll engine code, not the assembly code.


Last edited by Natsheh; 02-26-2021 at 15:53.
Bugsy
AMX Mod X Moderator
Join Date: Feb 2005
Location: NJ, USA
02-26-2021, 16:16   Re: [ORPHEU] How to identify windows signatures ??

I created a tool that would create a signature by just pasting the IDA code into it, but didn't bother making it pretty because I didn't think there was a large enough audience.
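As an added illustration of what Bugsy describes here (turning pasted IDA output into a signature) and of HamletEagle's "build a signature of bytes" step above, not code from either of them, from Orpheu or from the arkshine tutorial: a small Python script that parses an IDA listing with opcode bytes shown, wildcards the bytes that change between builds (rel32 call displacements and absolute addresses inside the image), renders the result as a byte list with "*" wildcards (assumed Orpheu-style notation), and counts how many times the masked pattern occurs in a byte blob so you can confirm the signature is unique before trusting it. The listing bytes, the callee address and the 0x10000000 image base are constructed assumptions; only the address sub_100CE920 comes from the thread.

```python
import re

# Constructed IDA listing (opcode bytes enabled) of the prologue of the function the
# post names, sub_100CE920; the bytes and callee are made up for this example.
LISTING = """\
.text:100CE920 sub_100CE920    proc near
.text:100CE920 55                 push    ebp
.text:100CE921 8B EC              mov     ebp, esp
.text:100CE923 56                 push    esi
.text:100CE924 8B F1              mov     esi, ecx
.text:100CE926 E8 D5 A1 FF FF     call    sub_100C8B00
.text:100CE92B A1 40 12 1E 10     mov     eax, dword_101E1240
.text:100CE930 85 C0              test    eax, eax
"""
# Assumed 32-bit image range of the DLL (a 0x10000000 base fits the address above).
IMAGE_LO, IMAGE_HI = 0x10000000, 0x11000000
LINE_RE = re.compile(r"^\.text:[0-9A-F]{8}\s+((?:[0-9A-F]{2}\s)+)\s*(\w+)")

def parse_listing(listing):
    """Return (mnemonic, opcode bytes) for every instruction line of the listing."""
    out = []
    for line in listing.splitlines():
        m = LINE_RE.match(line)
        if m:
            out.append((m.group(2).lower(), bytes.fromhex(m.group(1).replace(" ", ""))))
    return out

def make_signature(insns):
    """Return (bytes, mask); mask[i] is False where the byte must be a wildcard."""
    sig, mask = bytearray(), []
    for mnem, code in insns:
        keep = [True] * len(code)
        if mnem in ("call", "jmp") and code[0] in (0xE8, 0xE9) and len(code) == 5:
            keep[1:] = [False] * 4          # rel32 changes whenever either function moves
        else:
            for i in range(len(code) - 3):  # absolute address (global, string, vtable)
                if IMAGE_LO <= int.from_bytes(code[i:i + 4], "little") < IMAGE_HI:
                    keep[i:i + 4] = [False] * 4
        sig += code
        mask += keep
    return bytes(sig), mask

def to_orpheu_list(sig, mask):
    """Render as a byte list with "*" wildcards (assumed Orpheu-style notation)."""
    return [f"0x{b:02X}" if k else "*" for b, k in zip(sig, mask)]

def count_matches(sig, mask, blob):
    """Occurrences of the masked pattern in blob; exactly 1 means the signature is unique."""
    return sum(all(not k or blob[off + i] == b for i, (b, k) in enumerate(zip(sig, mask)))
               for off in range(len(blob) - len(sig) + 1))
```

Run count_matches against the bytes of the whole .text section of the DLL; anything other than exactly one hit means the signature needs more (or different) bytes before it is safe to use.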