
[EXTENSION] Left 4 Downtown 2 (0.5.4.2) - L4D2 Only, Updated Left4Downtown


asherkin
SourceMod Developer
Join Date: Aug 2009
Location: OnGameFrame()
Old 07-05-2013 , 08:35   Re: [EXTENSION] Left 4 Downtown 2 (0.5.4.2) - L4D2 Only, Updated Left4Downtown
Reply With Quote #411

VTable reconstruction is already well documented.
spumer
Senior Member
Join Date: Aug 2011
Old 07-05-2013 , 08:46   Re: [EXTENSION] Left 4 Downtown 2 (0.5.4.2) - L4D2 Only, Updated Left4Downtown
Reply With Quote #412

But VTable is not for all cases.
V1SoR
Member
Join Date: Jan 2011
Old 07-05-2013 , 19:25   Re: [EXTENSION] Left 4 Downtown 2 (0.5.4.2) - L4D2 Only, Updated Left4Downtown
Reply With Quote #413

Spumer's way of finding offsets isn't quite the most convenient one. I'd recommend enabling opcodes (8-10 are enough) and switching the disasm between Graph and Text views. This will make your reverse engineering experience a bit more decent.

On a very related note, Left4Downtown2 is designed to operate with signatures and not virtual offsets. You need to find or build them for your platform.
spumer
Senior Member
Join Date: Aug 2011
Old 07-05-2013 , 22:56   Re: [EXTENSION] Left 4 Downtown 2 (0.5.4.2) - L4D2 Only, Updated Left4Downtown
Reply With Quote #414

V1SoR, yes, I use graph (you can see it in my screenshots). But enabled opcodes do not show the address of the selected bytes, only the address of the sequence.

Quote:
Originally Posted by Electr000999
http://nicholashastings.com/gdc_manu...12536-l4d2.log see line "Gamedata: /users/psychonic/gdc/sourcemod-central/gamedata/left4downtown.l4d2.txt", may be correct.. I don't use this ext.
As far as I can see, only one signature for linux is broken: ChangeFinaleStage
and the new one now is: _ZN29CDirectorScriptedEventManager17ChangeFinaleStageENS_18ScriptedEventStageEPKc
Last edited by spumer; 07-05-2013 at 23:10.
AtomicStryker
Veteran Member
Join Date: Apr 2009
Location: Teutonia!!
Old 07-06-2013 , 09:35   Re: [EXTENSION] Left 4 Downtown 2 (0.5.4.2) - L4D2 Only, Updated Left4Downtown
Reply With Quote #415

Here are some sigs I sought out

PHP Code:
            /*
             * ZombieManager::SpawnTank(Vector const&, QAngle const&)
             *
             * find by Navarea variant method and "Failed to find a tank spawn position i"
             */
            "SpawnTank"
            {
                "library"    "server"
                "linux"      "@_ZN13ZombieManager9SpawnTankERK6VectorRK6QAngle"
                "windows"    "\x55\x8B\xEC\x57\x8B\xF9\x8B\x0D\x2A\x2A\x2A\x2A\xE8\x2A\x2A\x2A\x2A\x85\xC0\x78\x2A\x8B\x0D\x2A\x2A\x2A\x2A\x39"
                /* 55 8B EC 57 8B F9 8B 0D ? ? ? ? E8 ? ? ? ? 85 C0 78 ? 8B 0D ? ? ? ? 39 */
            }

            /*
             * ZombieManager::SpawnWitch(Vector const&, QAngle const&)
             *
             * find by Navarea variant method and "Failed to find a witch spawn position i"
             */
            "SpawnWitch"
            {
                "library"    "server"
                "linux"      "@_ZN13ZombieManager10SpawnWitchERK6VectorRK6QAngle"
                "windows"    "\x55\x8B\xEC\x8B\x0D\x2A\x2A\x2A\x2A\xE8\x2A\x2A\x2A\x2A\x85\xC0\x78\x2A\x8B\x0D\x2A\x2A\x2A\x2A\x39\x81"
                /* 55 8B EC 8B 0D ? ? ? ? E8 ? ? ? ? 85 C0 78 ? 8B 0D ? ? ? ? 39 81 */
            }

            /*
             * CTerrorGameRules::SetCampaignScores(int,int)
             *
             * find via xref and "versus_match_finished", the score block is in a subfunc on windows
             */
            "SetCampaignScores"
            {
                "library"    "server"
                "linux"      "@_ZN16CTerrorGameRules17SetCampaignScoresEii"
                "windows"    "\x55\x8B\xEC\x56\x57\x8B\x7D\x2A\x8B\xF1\x39\xBE\x2A\x2A\x2A\x2A\x74\x2A\xE8\x2A\x2A\x2A\x2A\x89\xBE\x2A\x2A\x2A\x2A\x8B\x7D\x2A\x39"
                /* 55 8B EC 56 57 8B 7D ? 8B F1 39 BE ? ? ? ? 74 ? E8 ? ? ? ? 89 BE ? ? ? ? 8B 7D ? 39 */
            }

            /*
             * CTerrorGameRules::ClearTeamScores(bool)
             *
             * find by xref and "change mission now vote - changing to %"
             * heavily inlined on linux
             */
            "ClearTeamScores"
            {
                "library"    "server"
                "linux"      "@_ZN16CTerrorGameRules15ClearTeamScoresEb"
                "windows"    "\x55\x8B\xEC\x56\x8B\x75\x2A\x57\x8B\xF9\x8B\x0D\x2A\x2A\x2A\x2A\x85\xC9\x74\x2A\x56\xE8"
                /* 55 8B EC 56 8B 75 ? 57 8B F9 8B 0D ? ? ? ? 85 C9 74 ? 56 E8 */
            }

AtomicStryker
Veteran Member
Join Date: Apr 2009
Location: Teutonia!!
Old 07-06-2013 , 09:40   Re: [EXTENSION] Left 4 Downtown 2 (0.5.4.2) - L4D2 Only, Updated Left4Downtown
Reply With Quote #416

Another one. Enough work for today

PHP Code:
            /*
             * CDirector::OnFirstSurvivorLeftSafeArea(CTerrorPlayer *)
             *
             * string "Allowing spawning - %s left safe area\n"
             */
            "OnFirstSurvivorLeftSafeArea"
            {
                "library"    "server"
                "linux"      "@_ZN9CDirector27OnFirstSurvivorLeftSafeAreaEP13CTerrorPlayer"
                "windows"    "\x55\x8B\xEC\x83\xEC\x2A\x56\x57\x8B\x7D\x2A\x8B\xF1\x8B\x8E\x2A\x2A\x2A\x2A\x57\xE8"
                /* 55 8B EC 83 EC ? 56 57 8B 7D ? 8B F1 8B 8E ? ? ? ? 57 E8 */
            }

adrianman
Senior Member
Join Date: Sep 2010
Old 07-06-2013 , 10:58   Re: [EXTENSION] Left 4 Downtown 2 (0.5.4.2) - L4D2 Only, Updated Left4Downtown
Reply With Quote #417

Do you search in server_srv.so or server.so for the signatures?
CanadaRox
Member
Join Date: Dec 2009
Old 07-06-2013 , 11:51   Re: [EXTENSION] Left 4 Downtown 2 (0.5.4.2) - L4D2 Only, Updated Left4Downtown
Reply With Quote #418

PHP Code:
            /*
             * CDirectorScavengeMode::OnBeginRoundSetupTime
             *  used to reset the setup timer during scavenge mode
             */
            "CDirectorScavengeMode_OnBeginRoundSetupTime"
            {
                "library"    "server"
                "linux"      "@_ZN21CDirectorScavengeMode21OnBeginRoundSetupTimeEv"
                "windows"    "\x55\x8B\xEC\x83\xEC\x10\x56\x8B\xF1\xE8\x2A\x2A\x2A\x2A\x84\xC0\x74\x2A\xF3"
            }

Last edited by CanadaRox; 07-06-2013 at 13:14.
dcx2
Senior Member
Join Date: Sep 2011
Old 07-06-2013 , 12:12   Re: [EXTENSION] Left 4 Downtown 2 (0.5.4.2) - L4D2 Only, Updated Left4Downtown
Reply With Quote #419

@adrianman - _srv has the symbols, the other one has been stripped of symbols.

@CanadaRox - L4DT2 has a detour for CTerrorPlayer_OnRevived, and the detour patches the beginning of the function. If L4DT2 patches OnRevived before another plugin tries to find OnRevived's signature, the other plugin will fail (see the "L4D2 new custom commands" plugin thread). This is the sig I recommend for OnRevived, as it avoids checking the bytes that are modified at runtime to support the detour.

PHP Code:
            /*
             *  CTerrorPlayer::OnRevived(void)
             *
             *  ->Search for string "revive_success", then open vtables window. Should be the 5th member.
             *  Left4Downtown2 patches this function, which will prevent Sourcemod from finding it
             *  That is why the first six bytes are wild cards
             *  With so many wildcards at the start, we need many more bytes to find a unique signature
             *  The original signature remains commented out, for posterity
             */
            "CTerrorPlayer_OnRevived"
            {
                "library"    "server"
                "linux"      "@_ZN13CTerrorPlayer9OnRevivedEv"
                "windows"    "\x2A\x2A\x2A\x2A\x2A\x2A\x2A\x2A\x2A\xF1\x8B\x06\x8B\x90\x24\x01\x00\x00\x57\xff\xd2\x84\xc0\x0f\x84\x7C"
                /* ? ? ? ? ? ? ? ? ? F1 8B 06 8B 90 24 01 00 00 57 ff d2 84 c0 0f 84 7C */
                /* "windows"   "\x55\x8B\xEC\x83\xEC\x3C\x53\x56\x8B\xF1\x8B\x06\x8B\x90\x24\x01\x00\x00\x57\xFF\xD2\x84\xC0\x0F\x84\x7C" */
                /* 55 8B EC 83 EC 3C 53 56 8B F1 8B 06 8B 90 24 01 00 00 57 ff d2 84 c0 0f 84 7C */
            }

EDIT:

@CanadaRox - did you test your TakeOverBot signature to make sure it loads? I notice you're using part of a sequence that was giving me problems.

I've found that (some?) of the following chunk of bytes changes at runtime. I'm not sure which ones, but if I use a signature with these bytes in it, it fails to load until I wildcard these bytes. A1 58 32 7C 10 33 C5 89 45 FC. IDA says it had something to do with a __security_cookie. EDIT: it appears that only the address of the cookie needs to be wild carded; unlike other addresses which *may* be wild carded, this *must* be wild carded.

That matches the last five bytes of your TakeOverBot signature. Which is why I'm asking if you tested it.
Last edited by dcx2; 07-27-2013 at 01:57.
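
The effect dcx2 describes, as an added example that is not part of the original post or of Left4Downtown2: a small wildcard scanner run over a constructed byte image, before and after a detour overwrites the start of the function. The two signatures are the ones quoted above; the image, the decoy function, the truncated pattern and the six-byte `jmp` plus `nop` patch are assumptions made for the illustration.

```python
import re

WILDCARD = None  # pattern position that matches any byte

def parse_sig(sig):
    r"""Parse a gamedata string such as '\x55\x8B\x2A' into byte values,
    mapping \x2A to WILDCARD as the signatures in this thread do."""
    raw = [int(h, 16) for h in re.findall(r"\\x([0-9A-Fa-f]{2})", sig)]
    return [WILDCARD if b == 0x2A else b for b in raw]

def find_all(image, pattern):
    """Return every offset where all non-wildcard bytes of pattern match."""
    n = len(pattern)
    return [i for i in range(len(image) - n + 1)
            if all(p is WILDCARD or image[i + j] == p
                   for j, p in enumerate(pattern))]

# Both signatures are copied from the post above.
ORIGINAL = parse_sig(r"\x55\x8B\xEC\x83\xEC\x3C\x53\x56\x8B\xF1\x8B\x06\x8B"
                     r"\x90\x24\x01\x00\x00\x57\xFF\xD2\x84\xC0\x0F\x84\x7C")
DETOUR_SAFE = parse_sig(r"\x2A\x2A\x2A\x2A\x2A\x2A\x2A\x2A\x2A\xF1\x8B\x06\x8B"
                        r"\x90\x24\x01\x00\x00\x57\xff\xd2\x84\xc0\x0f\x84\x7C")
TOO_SHORT = DETOUR_SAFE[:13]  # constructed: wildcards plus only four fixed bytes

# Constructed image: the target's first bytes, a decoy function that shares
# a common prologue, and int3 padding between them.
PAD = b"\xCC" * 16
TARGET = bytes.fromhex("558BEC83EC3C53568BF18B068B902401000057FFD284C00F847C")
DECOY = bytes.fromhex("558BEC83EC0853568BF18B068B5010FFD2")
CLEAN = PAD + TARGET + PAD + DECOY + PAD

# Assumed detour shape: jmp rel32 plus a nop over the first six bytes of the
# target; the displacement is a made-up value.
PATCH = bytes.fromhex("E97856341290")
start = len(PAD)
DETOURED = CLEAN[:start] + PATCH + CLEAN[start + len(PATCH):]

def results():
    """Match offsets for each signature against each image."""
    sigs = {"original": ORIGINAL, "detour_safe": DETOUR_SAFE, "too_short": TOO_SHORT}
    imgs = {"clean": CLEAN, "detoured": DETOURED}
    return {(s, i): find_all(img, pat)
            for s, pat in sigs.items() for i, img in imgs.items()}

if __name__ == "__main__":
    for key, offsets in results().items():
        print(key, offsets)
```

The original signature stops matching once the function start is patched, while the wildcarded one still resolves to the same offset; the truncated pattern hits the decoy as well, which is why the extra trailing bytes are needed for a unique match.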
Visual77
Veteran Member
Join Date: Jan 2009
Old 07-06-2013 , 13:01   Re: [EXTENSION] Left 4 Downtown 2 (0.5.4.2) - L4D2 Only, Updated Left4Downtown
Reply With Quote #420

That TakeOverBot doesn't seem to work with SetHumanSpec. Or is the latter no longer needed to successfully take over the bot?
All times are GMT -4. The time now is 16:03.

