Raised This Month: $7 Target: $400
 1% 

How to get a signature for an incredibly short function


Post New Thread Reply   
 
Thread Tools Display Modes
Author Message
george.
Junior Member
Join Date: May 2014
Old 08-02-2017 , 09:27   How to get a signature for an incredibly short function
Reply With Quote #1

I'm trying to get a signature function for
Code:
CEventAction::__operator_delete
(on CS:GO Linux)

I managed to locate the function in IDA, however the function is incredibly short, how can I create a unique signature to locate this function since the IDA script was unable to generate one, and the function is incredibly short. (For an existing extension)

(I know this isn't 100% coding related, but I didn't think it belonged in the signature request thread as I already have the function just don't know how to make a unique signature to find it)
george. is offline
Fyren
FyrenFyrenFyrenFyrenFyren FyrenFyrenFyrenFyrenFyren FyrenFyrenFyrenFyrenFyren FyrenFyrenFyrenFyrenFyren
Join Date: Feb 2106
Old 08-02-2017 , 10:26   Re: How to get a signature for an incredibly short function
Reply With Quote #2

Looking at the disassembly in a random server binary I have, three choices come to mind:

Don't mask the address of the global variable used. This will probably break the signature every update.
If you just want to use it, reimplement it yourself. More work, but you might be able to get something that won't break every update. (Alternative: if you do this work and can find the address of the global, you can patch your signature at runtime?)
Find another function that uses it, then use a signature plus offset to pull the address out of the call.
Fyren is offline
asherkin
SourceMod Developer
Join Date: Aug 2009
Location: OnGameFrame()
Old 08-02-2017 , 18:12   Re: How to get a signature for an incredibly short function
Reply With Quote #3

Quote:
Originally Posted by Fyren View Post
Don't mask the address of the global variable used. This will probably break the signature every update.
I haven't looked at this specific function, but this generally doesn't work because the addresses are relocated at runtime - so if you do not wildcard global addresses the signature will never match.
__________________
asherkin is offline
Fyren
FyrenFyrenFyrenFyrenFyren FyrenFyrenFyrenFyrenFyren FyrenFyrenFyrenFyrenFyren FyrenFyrenFyrenFyrenFyren
Join Date: Feb 2106
Old 08-03-2017 , 03:25   Re: How to get a signature for an incredibly short function
Reply With Quote #4

Even so, the offset from the unrelocated binary can be added to the base found at runtime; basically the 'alternative: patch the signature at runtime.'
Fyren is offline
Reply


Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT -4. The time now is 03:26.


Powered by vBulletin®
Copyright ©2000 - 2024, vBulletin Solutions, Inc.
Theme made by Freecode