
Questions about signature scanning


joaquimandrade
Veteran Member
Join Date: Dec 2008
Location: Portugal
Old 09-10-2009 , 10:22   Questions about signature scanning
#1

I'm trying to learn assembly, C++ and signature scanning.

On cs_i386.so.objdump there is:

Code:
000e049c <StartDeathCam__11CBasePlayer>:
   e049c:    55                       push   %ebp
   e049d:    89 e5                    mov    %esp,%ebp
   e049f:    83 ec 2c                 sub    $0x2c,%esp
   e04a2:    57                       push   %edi
   e04a3:    56                       push   %esi
   e04a4:    53                       push   %ebx
By mixing code from http://www.sourcemod.net/devlog/?p=55 and jim yang's modules I have this code:

PHP Code:
// needs <windows.h> (VirtualQuery, MEMORY_BASIC_INFORMATION) besides the module headers
void *FindSignature(unsigned char *pBaseAddress, size_t baseLength, unsigned char *pSignature, size_t sigLength)
{
   unsigned char *pBasePtr = pBaseAddress;
   unsigned char *pEndPtr = pBaseAddress + baseLength;
   size_t i;

   // stop while a full signature still fits, so pBasePtr[i] never reads past the region
   while (pBasePtr + sigLength <= pEndPtr)
   {
      for (i = 0; i < sigLength; i++)
      {
         // 0x2A ('*') is the wildcard byte: it matches anything
         if (pSignature[i] != 0x2A && pSignature[i] != pBasePtr[i])
            break;
      }

      // if i reached the end, we know we have a match!
      // (see the edit below: this compares against sigLength+1, which is never true)
      if (i == sigLength+1)
      {
         return (void *)pBasePtr;
      }

      pBasePtr += sizeof(unsigned char *);  // search memory in an aligned manner
   }

   return (void *) NULL;
}

typedef void (*StartDeathCam)(CBasePlayer *);

static cell AMX_NATIVE_CALL startDeathCam(AMX *amx, cell *params)
{
    // prologue of StartDeathCam from the objdump above; the sub immediate is wildcarded
    unsigned char signature[] = {0x55,0x89,0xE5,0x83,0xEC,0x2A,0x57,0x56,0x53};

    MEMORY_BASIC_INFORMATION mem;

    // MDLL_AddToFullPack lives in the game dll, so its allocation base is the module base
    if (!VirtualQuery(MDLL_AddToFullPack, &mem, sizeof(mem)))
        return false;

    unsigned char *pBaseAddr = (unsigned char *) mem.AllocationBase;

    size_t memLength = 0x100000;

    StartDeathCam startDeathCam = (StartDeathCam) FindSignature(pBaseAddr, memLength, signature, sizeof signature);

    SERVER_PRINT("\n");

    if (startDeathCam)
    {
        SERVER_PRINT("Function deathcam found");

        edict_t *pPlayer = MF_GetPlayerEdict(1);
        // the CBasePlayer object is the edict's private data, and thiscall wants it in ecx
        void *pThis = pPlayer->pvPrivateData;

        __asm
        {
          mov ecx, pThis;
          call startDeathCam;
          // no "ret" here: it would return from this native with the frame still set up
        };
    }
    else
    {
        SERVER_PRINT("Function deathcam not found");
    }

    SERVER_PRINT("\n");

    return !!startDeathCam;
}

I'm testing it in windows and the problem is that the function is not found.

I know and confirmed that in the address pointed to by pBaseAddr there is the content of mp.dll.

I'm assuming that mp.dll is the equivalent of cs_i386.so, but since the function can't be found in memory I've tried using a hex editor to find a portion of the function above (55 89 e5 83) in mp.dll and it doesn't exist, so it is normal that the signature is not being found.

What am I doing wrong?

(I have memLength with a static value because I think it is enough and to make the code more simple)

Edit:

There was a little error on the code here http://www.sourcemod.net/devlog/?p=57

PHP Code:
if (i == sigLength+1)
should be

PHP Code:
if (i == sigLength)
Still, I haven't made it work.

Last edited by joaquimandrade; 09-10-2009 at 18:57.
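As an added example (not code from the thread), a scanner run over a constructed byte buffer with the first post's signature and its 0x2A wildcard; it shows the match test that actually works and that the devlog's pointer-sized stride misses a function whose prologue does not start on an aligned address:

```cpp
#include <cstddef>
// Wildcard byte used by the signature in the first post: matches any byte.
// Caveat: a literal 0x2A in the function bytes cannot be expressed this way.
static const unsigned char kWildcard = 0x2A;

// Scan [base, base + len) for sig, advancing by `step` bytes each round.
// Returns the byte offset of the first match, or (size_t)-1 if none.
size_t FindSignatureOffset(const unsigned char *base, size_t len,
                           const unsigned char *sig, size_t sigLen, size_t step)
{
    if (sigLen == 0 || step == 0 || len < sigLen)
        return (size_t)-1;
    // Loop bound keeps sig[i] from reading past the end of the region.
    for (size_t off = 0; off + sigLen <= len; off += step) {
        size_t i = 0;
        while (i < sigLen && (sig[i] == kWildcard || sig[i] == base[off + i]))
            ++i;
        // i == sigLen means every byte matched; "i == sigLen + 1" never holds.
        if (i == sigLen)
            return off;
    }
    return (size_t)-1;
}

// Constructed region: six filler bytes, then the StartDeathCam prologue from
// the objdump above (55 89 e5 83 ec 2c 57 56 53) at offset 6, which is not
// a multiple of sizeof(void *), then a few trailing bytes.
static const unsigned char kRegion[] = {
    0x90, 0x90, 0x90, 0x90, 0xC3, 0xCC,
    0x55, 0x89, 0xE5, 0x83, 0xEC, 0x2C, 0x57, 0x56, 0x53,
    0x5B, 0x5E, 0x5F, 0xC9, 0xC3,
};
// Same signature as the first post: the sub $imm8,%esp immediate is wildcarded.
static const unsigned char kSig[] = {
    0x55, 0x89, 0xE5, 0x83, 0xEC, 0x2A, 0x57, 0x56, 0x53,
};

// Byte-wise stride: finds the prologue at offset 6.
size_t ScanByteWise()
{
    return FindSignatureOffset(kRegion, sizeof kRegion, kSig, sizeof kSig, 1);
}

// Devlog stride of sizeof(unsigned char *): visits only aligned offsets and
// therefore misses the match at 6.
size_t ScanAligned()
{
    return FindSignatureOffset(kRegion, sizeof kRegion, kSig, sizeof kSig,
                               sizeof(unsigned char *));
}
```

Compilers usually align function entry points, which is why the aligned stride often gets away with it, but a byte-wise stride with a proper end bound is the safe default.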
jim_yang
Veteran Member
Join Date: Aug 2006
Old 09-10-2009 , 19:43   Re: Questions about signature scanning
#2

The Windows binary may be different from the Linux one, so you should find the sig in the Windows dll, then sigscan it.
joaquimandrade
Veteran Member
Join Date: Dec 2008
Location: Portugal
Old 09-10-2009 , 19:52   Re: Questions about signature scanning
#3

Quote:
Originally Posted by jim_yang View Post
The Windows binary may be different from the Linux one, so you should find the sig in the Windows dll, then sigscan it.
Ok thanks I will try.

One question:

Why, when opening mp.dll in IDA, does it show the names of only a small number of functions, while when opening cs_i386.so it shows them all (I believe)?

Last edited by joaquimandrade; 09-10-2009 at 19:57.
jim_yang
Veteran Member
Join Date: Aug 2006
Old 09-10-2009 , 20:25   Re: Questions about signature scanning
#4

That's a compiler trick: not all function names will be kept in the executable files, such as inline functions, or some functions will be optimized by the compiler. Some situations will lead to the function name disappearing from the binary file. In Windows, only the rare exported function names will be kept. Damn my poor English.
joaquimandrade
Veteran Member
Join Date: Dec 2008
Location: Portugal
Old 09-10-2009 , 20:28   Re: Questions about signature scanning
#5

Quote:
Originally Posted by jim_yang View Post
That's a compiler trick: not all function names will be kept in the executable files, such as inline functions, or some functions will be optimized by the compiler. Some situations will lead to the function name disappearing from the binary file. In Windows, only the rare exported function names will be kept. Damn my poor English.
Ok. Thanks. It will be harder by looking at the Windows binary, but I will try. And your text is clearly understandable.

Edit:

Sorry, one more question. If I want to execute a function like

PHP Code:
typedef void (*x)(CGrenade *);
will it be possible? I'm asking because CGrenade is not visible to the compiler when I tried to use it.

Last edited by joaquimandrade; 09-10-2009 at 20:34.
jim_yang
Veteran Member
Join Date: Aug 2006
Old 09-10-2009 , 20:42   Re: Questions about signature scanning
#6

I don't think it will compile successfully since CGrenade is not declared. Just use inline asm:
push parameter
call func
Also take care about the calling conventions.
Or just use void *.
joaquimandrade
Veteran Member
Join Date: Dec 2008
Location: Portugal
Old 09-10-2009 , 20:45   Re: Questions about signature scanning
#7

Quote:
Originally Posted by jim_yang View Post
I don't think it will compile successfully since CGrenade is not declared. Just use inline asm:
push parameter
call func
Also take care about the calling conventions.
Or just use void *.
Yes it won't compile. Ok I will leave that for the future. I will be happy for now to execute functions from CBasePlayer and CBasePlayerItem. Thanks for everything.
joaquimandrade
Veteran Member
Join Date: Dec 2008
Location: Portugal
Old 09-12-2009 , 21:34   Re: Questions about signature scanning
#8

Jim, yes, the problem was that you have to extract the signature from the binary itself (the compiled code is totally different). I moved to Linux and called functions successfully. Now I have a new help request. If you can tell me before I figure it out, I'd appreciate it.

What is the ported code to linux (gcc) of:

PHP Code:
__asm
{
   mov ecx, pPlayer;
   push name;
   push iSubType;
   call g_GiveItemFunc;
   mov pReturnEnt, eax;
};
I mean, in assembly. I need it that way. I read some articles that show "inline assembly in gcc" and tried to do it, and it did compile, but then the module doesn't even load.

Edit:

And about that CGrenade* question, it worked with void*.
CGrenade::Detonate3 against some default grenades:

http://www.youtube.com/watch?v=3adt2qmZ4uc

Last edited by joaquimandrade; 09-13-2009 at 01:15.
jim_yang
Veteran Member
Join Date: Aug 2006
Old 09-13-2009 , 02:33   Re: Questions about signature scanning
#9

I'm not good at gcc inline asm either; it uses the AT&T asm format and some input/output format which I think is troublesome, although it's useful and powerful.
Here are two articles, good luck:
http://www.ibiblio.org/gferg/ldp/GCC...bly-HOWTO.html
http://groups.google.com/group/muc.l...8860dd41ddd42b

Edit:
Or you can look at the source code of Ham: use reinterpret_cast to cast the function pointer to your expected format.

Last edited by jim_yang; 09-13-2009 at 02:42.
joaquimandrade
Veteran Member
Join Date: Dec 2008
Location: Portugal
Old 09-13-2009 , 08:50   Re: Questions about signature scanning
#10

What I want to do is:

instead of calling something like void (*func)(CBasePlayer *, CBasePlayerWeapon *),

having void (*func)() and an array of void * pointers, iterate over it and push each one of them via

PHP Code:
__asm
{
    push x
}

and then do

PHP Code:
__asm
{
    call func
}

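As an added example (not code from the thread or from Ham), the GCC-side answer to the two questions above using jim_yang's reinterpret_cast suggestion: on Linux the scanned address is called as an ordinary function whose first parameter is `this`, so neither the MSVC asm block nor a hand-rolled push loop is needed; FakePlayer, FakeGiveNamedItem and the parameter order are constructed stand-ins for the real CBasePlayer routine.

```cpp
#include <cstring>

// Hypothetical stand-in for the function a signature scan resolves. On Linux
// with GCC a non-virtual member function is called like a plain cdecl function
// whose first argument is `this`, so a free function can model
// CBasePlayer::GiveNamedItem. Parameter order mirrors the MSVC asm above:
// arguments are pushed right to left, so "push name; push iSubType" makes
// iSubType the first parameter after `this`. Confirm the real order in the
// disassembly before calling the real function.
struct FakePlayer {
    const char *lastItem;
    int lastSubType;
};

static void *FakeGiveNamedItem(void *self, int iSubType, const char *name)
{
    FakePlayer *p = static_cast<FakePlayer *>(self);
    p->lastItem = name;
    p->lastSubType = iSubType;
    return p;   // stands in for the entity pointer the real call leaves in eax
}

// What the scanner hands back: an untyped address.
void *g_GiveItemFunc = reinterpret_cast<void *>(&FakeGiveNamedItem);

// Linux port of "mov ecx, pPlayer / push name / push iSubType / call
// g_GiveItemFunc / mov pReturnEnt, eax": cast once to the expected prototype
// and let the compiler emit the pushes and collect eax.
typedef void *(*GiveItemFn)(void *pthis, int iSubType, const char *name);

void *CallGiveItem(void *pPlayer, int iSubType, const char *name)
{
    GiveItemFn fn = reinterpret_cast<GiveItemFn>(g_GiveItemFunc);
    return fn(pPlayer, iSubType, name);
}

// Exercise the call on a constructed player and check that the callee saw
// exactly the arguments we passed.
bool DemoGiveItem()
{
    FakePlayer player = { 0, 0 };
    void *ret = CallGiveItem(&player, 3, "weapon_hegrenade");
    return ret == &player
        && player.lastSubType == 3
        && std::strcmp(player.lastItem, "weapon_hegrenade") == 0;
}
```

Pushing an array of void * by hand, as the last post proposes, only works when every parameter really is pointer-sized; a typed prototype per function makes the compiler get the frame right and is what Ham does with reinterpret_cast.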