Decided to test my skill in disassembly. Have some updated gamedata.
For anyone that wants to follow along or update it for next time, assuming Valve didn't completely overhaul the halloween taunt logic since then:
Here's an image for reference.
- Load up the server binary in IDA.
- Open up the Strings subview and look up the IsHalloweenTaunt string.
- Find cross-references to the string, then head over to one of those subroutines. Switch to graph view so you have a sense of what you're looking at.
- In the Linux binary, since you have signatures, you'll be in CTFPlayer::ModifyOrAppendCriteria(). There's a call to rand right before to decide if the Halloween taunt is applied. I ended up patching the near JA instruction with a near JO (from 0F 87 to 0F 80). Add one to the instruction offset and set the payload in the gamedata file to 128 (0x80). Use the symbol for the signature.
- Same thing in the Windows binary, except no symbols. Structure is about the same, though; find those floating point operations right before. I patched the short JBE with a short JNO. Grab the offset. Use makesig for the signature.
The forum image proxy doesn't seem too fond of it, so it's linked.
There's probably a more resilient signature that doesn't involve offsets deep into the function (since this will absolutely break if ModifyOrAppendCriteria
changes), but that's an exercise for the next person.