[teh ORiON]

Quote:

Originally Posted by Arkshine Tell me what you want to retrieve exactly, I will have a better view of the issue, because dword_xxxx or sub_xxxx doesn't help much.

Ok so, I have this engine function:

Windows

PHP Code:

void __cdecl sub_1D5B210()
{
  int v0; // ecx@1
  _UNKNOWN *v1; // eax@2

  v0 = dword_256D924;
  if ( dword_256D924 > 0 )
  {
    v1 = &unk_256D9C0;
    do
    {
      if ( *(_DWORD *)v1 != 3 )
        *(_DWORD *)v1 = 2;
      v1 = (char *)v1 + 392;
      --v0;
    }
    while ( v0 );
  }
} 


Linux

PHP Code:

int __cdecl Mod_ClearAll()
{
  int result; // eax@1
  char *v1; // edx@1
  int v2; // ecx@2

  result = mod_numknown;
  v1 = mod_known;
  if ( mod_numknown > 0 )
  {
    v2 = mod_numknown;
    result = -mod_numknown & 3;
    if ( !result )
      goto LABEL_25;
    if ( result < 3 )
    {
      if ( result < 2 )
      {
        if ( *(_DWORD *)&mod_known[64] != 3 )
          *(_DWORD *)&mod_known[64] = 2;
        --v2;
        v1 = &mod_known[392];
      }
      if ( *((_DWORD *)v1 + 16) != 3 )
        *((_DWORD *)v1 + 16) = 2;
      --v2;
      v1 += 392;
    }
    if ( *((_DWORD *)v1 + 16) != 3 )
      *((_DWORD *)v1 + 16) = 2;
    v1 += 392;
    --v2;
    if ( v2 )
    {
LABEL_25:
      do
      {
        if ( *((_DWORD *)v1 + 16) != 3 )
          *((_DWORD *)v1 + 16) = 2;
        if ( *((_DWORD *)v1 + 114) != 3 )
          *((_DWORD *)v1 + 114) = 2;
        if ( *((_DWORD *)v1 + 212) != 3 )
          *((_DWORD *)v1 + 212) = 2;
        if ( *((_DWORD *)v1 + 310) != 3 )
          *((_DWORD *)v1 + 310) = 2;
        v2 -= 4;
        v1 += 1568;
      }
      while ( v2 );
    }
  }
  return result;
}
// 2CB048: using guessed type int mod_numknown; 


Which is roughly similar to this q1 function:

Quake function

PHP Code:

int        mod_numknown;

/*
===================
Mod_ClearAll
===================
*/
void Mod_ClearAll (void)
{
    int        i;
    model_t    *mod;
    
    for (i=0 , mod=mod_known ; i<mod_numknown ; i++, mod++)
        if (mod->type != mod_alias)
            mod->needload = true;
} 


Instruction list from IDA for the function:

Instruction list

What im trying to do is retrieve that variable "mod_numknown", which should be an int, and it should also denote the amount of models that's in the cache currently.

[Arkshine]

It works for me.

plugin example

Code:

#include <amxmodx>
#include <orpheu_memory>

public plugin_init()
{
    new mod_numknown = OrpheuMemoryGetAtAddress( OrpheuMemoryGet( "mod_numknown" ), "int" );
    
    log_amx( "mod_numknown = %d", mod_numknown ); //  [Untitled.amxx] mod_numknown = 217
}

mod_numknown

Code:

{ 
    "name"        : "mod_numknown", 
    "library"     : "engine", 
    "type"        : "long", 
    "memoryType"  : "data", 
    "identifiers" :  
    [ 
        { 
            "os"           : "windows", 
            "value"        : [0x8B,"*","*","*","*","*",0x85,"*",0x7E,"*",0xB8], 
            "displacement" : 2 
        }
    ] 
}

int

Code:

{
    "name"        : "int",
    "type"        : "int",
    "memoryType"  : "data",
    "identifiers" :
    [
        {
            "os"    : "windows",
            "mod"   : "cstrike",
            "value" : 0
        },
        {
            "os"    : "linux",
            "mod"   : "cstrike",
            "value" : 0
        }
    ]
}

[teh ORiON]

Ah nice! That works for me too. I was trying just,

PHP Code:

new mod_numknown =OrpheuMemoryGet( "mod_numknown" ) 


That was the confusion. Thought that was the way to retrieve it in pawn. I guess that way only works if you have a direct address to a constant?

Thanks alot for the help!

[Arkshine]

Here another way, can be useful if you want to support linux and don't want to make signatures :

plugin example

Code:

#include <amxmodx>
#include <orpheu>
#include <orpheu_memory>
#include <orpheu_advanced>

public plugin_init()
{
    new mod_numknown_addr = OrpheuMemoryGetAtAddress( OrpheuGetFunctionAddress( OrpheuGetFunction( "Mod_ClearAll" ) ) + ( is_linux_server() ? 1 : 2 ), "int" );

    new mod_numknown = OrpheuMemoryGetAtAddress( mod_numknown_addr, "int" );
    
    log_amx( "mod_numknown = %d", mod_numknown );
}

Mod_ClearAll

Code:

{
    "name"        : "Mod_ClearAll",
    "library"     : "engine",
    "identifiers" :
    [
        {
            "os"    : "windows",
            "value" : [0x8B,"*","*","*","*","*",0x85,"*",0x7E,"*",0xB8]
        },
        {
            "os"    : "linux",
            "value" : "Mod_ClearAll"
        }
    ]
}

In this case, mod_numknown is retrieved at the start of function, so doing stuffs from the start of the function is enough safe.
what we can do is to retrieve Mod_ClearAll address, adding the displacement ( 1 for linux, 2 for windows ) to point to the address of mod_numknown, then reading the value. This way, we avoid signature for linux.

[teh ORiON]

Ah yes, I see. That's pretty clever. Will keep that in mind! Thanks!

[darktemplar]

@ Arkshine : Can you help me to change the base damage of CS Weapon ?

I've found this :

http://code.google.com/p/cs-sdk/sour...pec=svn83&r=83

And I know the FireBullets and FireBullets3 is the function which calculates and does damage. Can you help me to hook and change the flDamage?

[meTaLiCroSS]

Quote:

Originally Posted by darktemplar @ Arkshine : Can you help me to change the base damage of CS Weapon ? I've found this : http://code.google.com/p/cs-sdk/sour...pec=svn83&r=83 And I know the FireBullets and FireBullets3 is the function which calculates and does damage. Can you help me to hook and change the flDamage?

Arkshine provided Rage's signatures on it's respective thread, search for it, is on the first page

[hornet]

I've found InstallHostageManager, and I'm under the impression that it is an object like g_pGameRules, and that it would allow me to do some fun stuff with hostages?

So from:

Code:

51                                            push    ecx
A1 4C A2 12 10                                mov     eax, dword_1012A24C
56                                            push    esi
33 F6                                         xor     esi, esi
3B C6                                         cmp     eax, esi
74 4E                                         jz      short loc_1004EE9B
53                                            push    ebx
55                                            push    ebp
89 44 24 0C                                   mov     [esp+10h+var_4], eax
57                                            push    edi
8D A8 34 01 00 00                             lea     ebp, [eax+134h]
BB 15 00 00 00                                mov     ebx, 15h

I've come up with:

Code:

{
    "name"    : "InstallHostageManager",
    "library" : "mod",
    "return"  : 
    {
        "type" : "CHalfLifeMultiplay *"
    },
    "identifiers":
    [
        {
            "os"    : "windows",
            "mod"   : "cstrike",
            "value" : [0x51,0xA1,0x4C,"*","*","*",0x56,0x33,0xF6,0x3B,0xC6,0x74,"*",0x53,0x55,0x89,0x44,"*","*",0x57,0x8D,0xA8,"*","*","*","*",0xBB,0x15],
        }
    ]
}

But it reports as not found. Can I please have some help?

[Arkshine]

InstallHostageManager() doesn't return. Inside it sets directly g_pHostages.

[hornet]

Okay. I probably should have looked further into this beforehand - It seems that g_pHostages is only used CHostageManager which I don't need.
So the rest of the functions from CHostage and CHostageImprov are virtual and don't need bytes signatures correct?