Raised This Month: $7 Target: $400
 1% 

Orpheu: Searching for functions in libraries


Post New Thread Reply   
 
Thread Tools Display Modes
Author Message
joaquimandrade
Veteran Member
Join Date: Dec 2008
Location: Portugal
Old 02-15-2010 , 20:49   Orpheu: Searching for functions in libraries
Reply With Quote #1

A library is a set of bytes. Millions of them. They can represent numbers, functions (in machine code), arrays, strings. This tutorial will try to explain how to find functions in libraries so you can use them.

Finding a function means locate its position in the library. What is normally called offset. It's the number of bytes that it takes to reach the function starting at the first byte of the library.

In libraries compiled by gcc (linux) offsets are labelled with symbolic names with which you can easily recognize what is located at that offset.

In libraries compiled by VC++ there aren't almost no labels so you have to resort to techniques like searching for strings in the library. That because you can easily relate strings to events like, if you see "Terrorists Win" being used you know that you are dealing with a function related to the round end.

Developing over this, the techniques we can use are:
  1. Finding functions by searching strings.
  2. After having found a function use it to find more functions like: if you know that a function calls yours or if yours calls another.
  3. Apply the steps above recursively :twisted:
To make the process easier you should do this with the help of the linux library.

So, grab the libraries of your mod for windows and linux.
Get "IDA Pro Disassembler" (not free).

For each library:

In IDA:

[IMG]http://img208.**************/img208/8749/12820721.png[/IMG]

Press New

If linux library:

[IMG]http://img694.**************/img694/1284/37280226.png[/IMG]

If windows library:

[IMG]http://img684.**************/img684/5552/cenasx.png[/IMG]

Locate the library and open it.

Press Ctrl + F5. This will open a dialog so you can chose where you want a file to be saved. This file is the decompiled version of your library (a feature of IDA that converts machine code back to C code (far from readable code and not exactly resembling the original but easier to inspect than machine code)).

In the decompiled version of the linux library you will have code like:
PHP Code:

//----- (000B3C10) --------------------------------------------------------
int __cdecl InstallGameRules()
{
  
int result// eax@2
  
int v1// eax@2
  
int v2// eax@3

  
(*(void (__cdecl **)(_DWORD))&g_engfuncs[156])("exec game.cfg\n");
  (*(
void (**)(void))&g_engfuncs[160])();
  if ( *(
float *)(gpGlobals 20) == 0.0 )
  {
    
v2 __builtin_new(708);
    
result __18CHalfLifeMultiplay(v2);
  }
  else
  {
    
v1 __builtin_new(728);
    
result __17CHalfLifeTraining(v1);
  }
  return 
result;

This is the function InstallGameRules where you can easily see the string "exec game.cfg\n" being used.

Now, searching it on the decompiled version of the windows library you can see:
PHP Code:
//----- (10088530) --------------------------------------------------------
int __cdecl sub_10088530()
{
  
long double v0// fst7@1
  
int v1// eax@2
  
int v3// eax@4

  
dword_101623DC("exec game.cfg\n");
  
dword_101623E0();
  
v0 = *(float *)(LODWORD(dword_101625B8) + 20);
  if ( 
v0 == 0.0 )
  {
    
v1 = (int)operator new(0x2E8u);
    if ( 
v1 )
      return 
sub_100C5EF0(v1v0);
  }
  else
  {
    
v3 = (int)operator new(0x2D0u);
    if ( 
v3 )
      return 
sub_10093D80(v3v0);
  }
  return 
0;

From observation you can easily see that you are dealing with the same function (with the bonus of being the only place where the string is located).

This means that at the offset 88530 in the windows binary of Counter Strike we have the function InstallGameRules. You can see that in the function pseudo-label "sub_10088530" (ignoring the sub_10). Since this number represents an hexadecimal number let's call it 0x88530.

Know to demonstrate the other technique let's search in the linux decompiled version of the library for InstallGameRules to find calls to it:
PHP Code:
//----- (0011163C) --------------------------------------------------------
int *__usercall CWorld__Precache<eax>(long double a1<st0>, int a2)
{
  
unsigned int v2// edi@8
  
__int16 v3// fps@15
  
long double v4// fst6@15
  
char v5// c0@15
  
char v6// c2@15
  
char v7// c3@15
  
int v8// eax@16
  
int v9// ecx@18
  
int v10// eax@19
  
int *result// eax@25
  
int v12// [sp-10h] [bp-58h]@16
  
float v13// [sp-Ch] [bp-54h]@16

  
g_pLastSpawn 0;
  
g_pLastCTSpawn 0;
  
g_pLastTerroristSpawn 0;
  (*(
void (__cdecl **)(_DWORDchar[4]))&g_engfuncs[240])("sv_gravity""800");
  (*(
void (__cdecl **)(_DWORDchar[4]))&g_engfuncs[240])("sv_maxspeed""900");
  (*(
void (__cdecl **)(_DWORD_DWORD))&g_engfuncs[240])("sv_stepsize""18");
  (*(
void (__cdecl **)(_DWORD_DWORD))&g_engfuncs[240])("room_type""0");
  if ( 
g_pGameRules )
    
__builtin_delete((void *)g_pGameRules);
  
g_pGameRules InstallGameRules(); 
You can see in the last line that the function InstallGameRules is called from CWorld__Precache (real name CWorld::Precache), so getting back into the decompiled version of the windows library:

Replace all ocurrences of sub_10088530 by InstallGameRules. Search for InstallGameRules.
PHP Code:
int __usercall sub_100DD350<eax>(int a1<ecx>, int a2<esi>, long double a3<st0>)
{
  
int v3// ebp@1
  
int v4// eax@3
  
int v5// esi@4
  
int v6// eax@6
  
int v7// ecx@7
  
int v8// eax@8
  
signed int v9// esi@17
  
int v10// eax@28
  
int v11// ecx@29
  
int result// eax@33
  
float v13// [sp-4h] [bp-10h]@25
  
signed int v14// [sp-4h] [bp-10h]@31

  
v3 a1;
  
dword_10162EFC 0;
  
dword_10163D00 0;
  
dword_10163D04 0;
  
dword_10162430("sv_gravity""800");
  
dword_10162430("sv_maxspeed""900");
  
dword_10162430("sv_stepsize""18");
  
dword_10162430("room_type"L"0");
  if ( 
dword_10162304 )
    
operator delete(dword_10162304);
  
dword_10162304 = (void *)InstallGameRules(); 
And we just found out CWorld__Precache (offset 0xDD350)

This is basically it. By applying this knowledge and your brain you can find almost any function.

Missing then are the types that the function use. You can check them by seeing the list of functions in the linux version of the library in IDA window Names. For the return type I don't know if there is simple way but you can always guess or check half life sdk when it makes sense.

For this case:

Code:
{
    "name" : "InstallGameRules",
    "library" : "mod",
    "return" : 
    {
        "type" : "CHalfLifeMultiplay *"
    },
    "identifiers":
    [
        {
            "os" : "windows",
            "mod" : "cstrike",
            "value" : 0x88530
        }
    ]
}
This should now go into a file named InstallGameRules into the folder configs/orpheu/functions. (Remembered that if the function belonged to a class you would have to create a folder with the name of the class).

Know there is a thing. This offset is guaranteed to be always the same each time the library loads but that can easily not be true if the library gets updated. That's the reason that motivated the creation of a technique called signature scanning.

Signature scanning basically means: instead of provide an offset, provide a set of bytes that you can find at that offset (that represent the function). That set of bytes can easily have its location changed but as long as it exists as a block you can still search for it.

You can find more about that here. I might make an easier tutorial for it later.
__________________

Last edited by joaquimandrade; 02-15-2010 at 21:58.
joaquimandrade is offline
ConnorMcLeod
Veteran Member
Join Date: Jul 2006
Location: France (95)
Old 02-16-2010 , 01:03   Re: Orpheu: Searching for functions in libraries
Reply With Quote #2

Another tut !!!
Any free software that can do the same job ?
__________________
- tired and retired -

- my plugins -
ConnorMcLeod is offline
wrecked_
Veteran Member
Join Date: Jan 2010
Location: New York (GMT-5)
Old 02-16-2010 , 01:19   Re: Orpheu: Searching for functions in libraries
Reply With Quote #3

From what I looked up about the program, it said the program was ~$500 USD. Is that the cheapest it gets?

*Restate Connor's Question*
__________________
[ Paid Requests ]
DO NOT PM ME ABOUT BLOCKMAKER
NO PRIVATE SUPPORT
wrecked_ is offline
01101101
BANNED
Join Date: Nov 2009
Location: 9`su 09`n0n7e`r0f76a
Old 02-16-2010 , 04:17   Re: Orpheu: Searching for functions in libraries
Reply With Quote #4

Download the free version.
01101101 is offline
joaquimandrade
Veteran Member
Join Date: Dec 2008
Location: Portugal
Old 02-16-2010 , 07:51   Re: Orpheu: Searching for functions in libraries
Reply With Quote #5

I have here in my pocket a free machine code decompiler that does this but I preferred doing the tutorial with this one.

No, I don't know of a free one. Search it by yourself and stop asking.

Doubts about the tutorial are welcome.
__________________
joaquimandrade is offline
ConnorMcLeod
Veteran Member
Join Date: Jul 2006
Location: France (95)
Old 02-16-2010 , 12:13   Re: Orpheu: Searching for functions in libraries
Reply With Quote #6

Quote:
Originally Posted by joaquimandrade View Post
Doubts about the tutorial are welcome.
Ofc it is !
__________________
- tired and retired -

- my plugins -
ConnorMcLeod is offline
Doc-Holiday
AlliedModders Donor
Join Date: Jul 2007
Old 02-16-2010 , 14:17   Re: Orpheu: Searching for functions in libraries
Reply With Quote #7

What exactly can you do with that though

Or is that how ark is going to remove clamps on cvars?
Doc-Holiday is offline
Immortal_BLG
Member
Join Date: Feb 2010
Location: RUSSIA
Old 02-21-2010 , 00:52   Re: Orpheu: Searching for functions in libraries
Reply With Quote #8

How to possible to view the decompiled code in IDA pro free?
Immortal_BLG is offline
Arkshine
AMX Mod X Plugin Approver
Join Date: Oct 2005
Old 02-26-2010 , 05:57   Re: Orpheu: Searching for functions in libraries
Reply With Quote #9

You can't, since the decompiler is not included.
__________________
Arkshine is offline
Doc-Holiday
AlliedModders Donor
Join Date: Jul 2007
Old 02-28-2010 , 09:09   Re: Orpheu: Searching for functions in libraries
Reply With Quote #10

Quote:
Originally Posted by Arkshine View Post
You can't, since the decompiler is not included.

how much is that pro version? i havent looked into it yet.
Doc-Holiday is offline
Reply


Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT -4. The time now is 05:39.


Powered by vBulletin®
Copyright ©2000 - 2024, vBulletin Solutions, Inc.
Theme made by Freecode