[S34Qu4K3]

Hi, I want to make a signature for SV_CheckProtocol, but I have lots of problems, principally, IDA shows me the disambled dll messy, i don´t get something like this:
[IMG]http://img232.**************/img232/3022/orpheuhowtomakesigofbyt.png[/IMG]

Really, I need some help to get started
I´m following the tut by Arkshine: http://forums.alliedmods.net/showthread.php?t=147998


PD: I´m disassembling swds.dll

[ConnorMcLeod]

Why would you need that function ?

[Arkshine]

For windows, you have to find the function before. There is a tutorial about that.

[S34Qu4K3]

Quote:

Originally Posted by ConnorMcLeod Why would you need that function ?

I want to KNOW, if is posible to "change" the client protocol. Only I want to know this, I don´t want to allow Non Steam players in my server. And principally, I want to learn the module usage

Quote:

Originally Posted by Arkshine For windows, you have to find the function before. There is a tutorial about that.

I´ve already had it:

PHP Code:

signed int __cdecl sub_1D97BD0(const void *a1, signed int a2)
{
  void *v2; // eax@5
  int v3; // eax@5
  unsigned __int8 v4; // zf@5
  unsigned __int8 v5; // sf@5
  signed int result; // eax@7

  if ( !a1 )
    sub_1DABC60("SV_CheckProtocol:  Null address\n");
  if ( a2 == 48 )
  {
    result = 1;
  }
  else
  {
    if ( a2 <= 48 )
    {
      sub_1D97980(
        a1,
        "This server is using a newer protocol ( %i ) than your client ( %i ).  You should check for updates to your client.\n",
        48,
        a2);
      result = 0;
    }
    else
    {
      v3 = sub_1D35480((int)off_1E61DD8);
      v4 = v3 == 0;
      v5 = v3 < 0;
      v2 = off_1E61DD8;
      if ( v5 | v4 )
        v2 = "(no email address specified)";
      sub_1D97980(
        a1,
        "This server is using an older protocol ( %i ) than your client ( %i ).  If you believe this server is outdated, you can contact the server administrator at %s.\n",
        48,
        a2,
        v2);
      result = 0;
    }
  }
  return result;
}
// 1E61DD8: using guessed type void *off_1E61DD8; 


But in I don´t know what HEX values I must get
[IMG]http://img132.**************/img132/2342/idadis.png[/IMG]

[Arkshine]

So, read carefully the tutorial, it's explained how to configure IDA to show opcode bytes.

[S34Qu4K3]

Well, I´ve made some tests and I get this:

PHP Code:

{
    "name"       : "SV_CheckProtocol",
    "library"    : "engine",
    "arguments"  :
    [
        {
            "type" : "dword"
        },
        {
            "type" : "dword"
        }
    ],
    "identifiers":
    [
        {
            "os"    : "windows",
            "mod"   : "cstrike",
            "value" : [55,0x8B,0xEC,0x56,0x57,0x8B,0x7D,"*",0x85,0xFF,0x75,0x13,0x68,0x88,0x2C,0xE6]
        }
    ]
} 


I´ve put it in configs/orpheu/functions folder and I´ve made a simple plugin:

PHP Code:


#include <amxmodx>
#include <amxmisc>
#include <orpheu>

#define PLUGIN "New Plug-In"
#define VERSION "1.0"
#define AUTHOR "S34Qu4K3"

public plugin_precache()
{    
    OrpheuRegisterHook(OrpheuGetFunction("SV_CheckProtocol"),"SV_CheckProtocol_function")
}
public plugin_init() 
{
    register_plugin(PLUGIN, VERSION, AUTHOR)
}
public OrpheuHookReturn:SV_CheckProtocol_function()
{
    new variable_1[100]   
    new variable_2[100]  
    new variable_3[100]   
    new variable_4[100]  
    
    read_argv(1,variable_1, 99)
    read_argv(2,variable_2, 99)
    read_argv(3,variable_3, 99) 
    read_argv(4,variable_4, 99)

    log_to_file("c_1.log", variable_1)
    log_to_file("c_2.log", variable_2)
    log_to_file("c_3.log", variable_3)
    log_to_file("c_4.log", variable_4)
    
    server_print("Acepted")

    
    
} 


But it seems that not work
Server console:

PHP Code:



    Parsing functions started.
        Parsing file "EndRoundMessage" started
                Function is updated
        Parsing file "EndRoundMessage" ended
        Parsing file "InstallGameRules" started
                Function is updated
        Parsing file "InstallGameRules" ended
        Parsing file "SV_ConnectClient" started
                Function is updated
        Parsing file "SV_ConnectClient" ended
        Parsing folder "CHalfLifeMultiplay" started
            Parsing file "CheckWinConditions" started
                Function is updated
            Parsing file "CheckWinConditions" ended
            Parsing file "UpdateTeamScores" started
                Function is updated
            Parsing file "UpdateTeamScores" ended
        Parsing folder "CHalfLifeMultiplay" ended
    Parsing functions ended. 


It seems that Orpheu doesn´t load my signature, any message error apears

[Arkshine]

[55 -> [0x55

Weird you have missed that.

[S34Qu4K3]

Thanks, at least, the console show somethin:

PHP Code:

        Parsing file "SV_CheckProtocol" started
                Argument has invalid type "dword"
                FAILED 


I will change dword to int

EDIT: Works, but no works

PHP Code:

        Parsing file "SV_CheckProtocol" started
                Argument type "int" validated
                Argument type "int" validated
                Searching for signature "[0x55][0x8b][0xec][0x56][0x57](...)" ... NOT FOUND
        Parsing file "SV_CheckProtocol" ended 


The signature is bad

Arkshine, in your tutorial you have something like this

PHP Code:

51                     push    ecx                  // no memory reference.
 └────── Opcode ────────┴───────┘                   // 51
      (fixed form)
      
56                     push    esi                  // no memory reference.
 └────── Opcode ────────┴───────┘                   // 51 56
      (fixed form)
      
8B F1                  mov     esi, ecx             // no memory reference.
 └──┼───── Opcode ──────┘       │    │              // 51 56 8B F1
    └───── ModR/M ──────────────┴────┘

8B 86 00 01 00 00      mov     eax, [esi+100h]      // 100h is an offset. It may change.  
 └──┼──┼── Opcode ──────┘       │     │   │         // 51 56 8B F1 8B 86 ? ? ? ?
    └──┼── ModR/M ──────────────┴─────┘   │
       └── Displacement ──────────────────┘
83 F8 01               cmp     eax, 1               // no memory reference, but an hardcoded value. It may change by a plugin or something.
 └──┼──┼── Opcode ──────┘       │   │               // 51 56 8B F1 8B 86 ? ? ? ? 83 F8 ?
    └──┼── ModR/M ──────────────┘   │
       └── Immediate ───────────────┘
 
89 44 24 04            mov     [esp+8+var_4], eax   // When you click right on it, you see 8+var_4 is equal to 4, a relative offset.
 └──┼──┼──┼─ Opcode ────┘        │  │   │      │    // Anyway, it may change. I've notived also the SIB is generally different on cz.
    └──┼──┼─ ModR/M ─────────────┼──┼───┼──────┘    // 51 56 8B F1 8B 86 ? ? ? ? 83 F8 ? 89 44 ? ? 
       └──┼─ SIB ────────────────┘  │   │
          └─ Displacement ──────────┴───┘ 


I don´t have things like ecx or eax
I have:

HEX Value (first 16 bytes)

PHP Code:

55 8B EC 56 57 8B 7D 08  85 FF 75 13 68 88 2C E6 


In Function:

PHP Code:

.text:01D97BD0 55                                            push    ebp
.text:01D97BD1 8B EC                                         mov     ebp, esp
.text:01D97BD3 56                                            push    esi
.text:01D97BD4 57                                            push    edi
.text:01D97BD5 8B 7D 08                                      mov     edi, [ebp+arg_0]
.text:01D97BD8 85 FF                                         test    edi, edi
.text:01D97BDA 75 13                                         jnz     short loc_1D97BEF
.text:01D97BDC 68 88 2C E6 01                                push    offset aSv_checkprotoc ; "SV_CheckProtocol:  Null address\n"
.text:01D97BE1 E8 7A 40 01 00                                call    sub_1DABC60
.text:01D97BE6 83 C4 04                                      add     esp, 4
.text:01D97BE9 33 C0                                         xor     eax, eax
.text:01D97BEB 5F                                            pop     edi
.text:01D97BEC 5E                                            pop     esi
.text:01D97BED 5D                                            pop     ebp
.text:01D97BEE C3                                            retn 


I think I´ve made this part bad:

PHP Code:

text:01D97BDA 75 13                                         jnz     short loc_1D97BEF
.text:01D97BDC 68 88 2C E6 01                                push    offset aSv_checkprotoc ; 


[Arkshine]

It should be ok : 55 8B EC 56 57 8B 7D ? 85 FF 75 ? 68 ? ? ? ? E8 ? ? ? ? 83 C4 ? 33 C0 5F 5E 5D C3 8B 75

[S34Qu4K3]

Still not working:

[0x55,0x8B,0xEC,0x56,0x8B,0x7D,"*",0x85,0xFF,0 x75,"*",0x68,"*","*","*","*",0xE8,"*","*","*" ,"*",0x83,0xC4,"*",0x33,0xC0,0x5F,0x5E,0x5D,0 xC3,0x8B,0x75]

Can you tell met what have you done? Why 33 hex characters?