CSGO basic usage

shortguy
Member
Join Date: Jul 2009
08-05-2015, 01:13   CSGO basic usage   #1

I know this has probably been asked a million times, but I am struggling to even find out how to create a CSGO plugin that mimics even the most basic of SourceMod behaviour.

If I can only use header files that are public in the hl2sdk, there isn't much I can do is there? How do I implement even the most basic of CBaseEntity features when all I have is the edict_t struct?

Any sort of getting started info would be great. Should I go off and learn how hl2sdk works in general before even trying my hand at MM:S?

donrevan
AlliedModders Donor
Join Date: Jul 2010
08-05-2015, 06:40   Re: CSGO basic usage   #2

Well, you have to look at the server binary. Create signatures, look for offsets and call the functions.
https://wiki.alliedmods.net/Signature_scanning


shortguy
Member
Join Date: Jul 2009
08-05-2015, 20:42   Re: CSGO basic usage   #3

Okay can I just run something by you?

I've taken the objdump from my server binary (since I'm on Linux) and I'm trying to implement the CommitSuicide method. I find it in my dump here:

Code:
00686550 <_ZN11CBasePlayer13CommitSuicideEv>:
  686550:    55                       push   %ebp
  686551:    89 e5                    mov    %esp,%ebp
  686553:    83 ec 78                 sub    $0x78,%esp
  686556:    89 75 fc                 mov    %esi,-0x4(%ebp)
  686559:    8b 75 08                 mov    0x8(%ebp),%esi
  68655c:    89 5d f8                 mov    %ebx,-0x8(%ebp)
  68655f:    8b 8e a0 00 00 00        mov    0xa0(%esi),%ecx
  686565:    85 c9                    test   %ecx,%ecx
  686567:    0f 85 83 00 00 00        jne    6865f0 <_ZN11CBasePlayer13CommitSuicideEv+0xa0>
  68656d:    d9 86 64 0a 00 00        flds   0xa64(%esi)
  686573:    8b 15 00 00 00 00        mov    0x0,%edx
  686579:    d9 42 0c                 flds   0xc(%edx)
  68657c:    d9 c9                    fxch   %st(1)
  68657e:    dd e9                    fucomp %st(1)
  686580:    df e0                    fnstsw %ax
  686582:    9e                       sahf   
  686583:    77 63                    ja     6865e8 <_ZN11CBasePlayer13CommitSuicideEv+0x98>
  686585:    d8 05 28 c3 83 00        fadds  0x83c328
  68658b:    8b 9e b0 00 00 00        mov    0xb0(%esi),%ebx
  686591:    8d 86 b0 00 00 00        lea    0xb0(%esi),%eax
  686597:    85 db                    test   %ebx,%ebx
  686599:    d9 9e 64 0a 00 00        fstps  0xa64(%esi)
  68659f:    75 59                    jne    6865fa <_ZN11CBasePlayer13CommitSuicideEv+0xaa>
  6865a1:    89 74 24 08              mov    %esi,0x8(%esp)
  6865a5:    ba 00 10 00 00           mov    $0x1000,%edx
  6865aa:    31 c9                    xor    %ecx,%ecx
  6865ac:    89 54 24 10              mov    %edx,0x10(%esp)
  6865b0:    b8 00 00 00 00           mov    $0x0,%eax
  6865b5:    8d 5d a8                 lea    -0x58(%ebp),%ebx
  6865b8:    89 4c 24 14              mov    %ecx,0x14(%esp)
  6865bc:    89 44 24 0c              mov    %eax,0xc(%esp)
  6865c0:    89 74 24 04              mov    %esi,0x4(%esp)
  6865c4:    89 1c 24                 mov    %ebx,(%esp)
  6865c7:    e8 fc ff ff ff           call   6865c8 <_ZN11CBasePlayer13CommitSuicideEv+0x78>
  6865cc:    8b 0e                    mov    (%esi),%ecx
  6865ce:    89 5c 24 04              mov    %ebx,0x4(%esp)
  6865d2:    89 34 24                 mov    %esi,(%esp)
  6865d5:    ff 91 e4 00 00 00        call   *0xe4(%ecx)
  6865db:    8b 16                    mov    (%esi),%edx
  6865dd:    89 34 24                 mov    %esi,(%esp)
  6865e0:    ff 92 78 03 00 00        call   *0x378(%edx)
  6865e6:    eb 08                    jmp    6865f0 <_ZN11CBasePlayer13CommitSuicideEv+0xa0>
  6865e8:    dd d8                    fstp   %st(0)
  6865ea:    8d b6 00 00 00 00        lea    0x0(%esi),%esi
  6865f0:    8b 5d f8                 mov    -0x8(%ebp),%ebx
  6865f3:    8b 75 fc                 mov    -0x4(%ebp),%esi
  6865f6:    89 ec                    mov    %ebp,%esp
  6865f8:    5d                       pop    %ebp
  6865f9:    c3                       ret    
  6865fa:    8b 80 50 ff ff ff        mov    -0xb0(%eax),%eax
  686600:    89 34 24                 mov    %esi,(%esp)
  686603:    ff 90 98 01 00 00        call   *0x198(%eax)
  686609:    31 c9                    xor    %ecx,%ecx
  68660b:    89 8e b0 00 00 00        mov    %ecx,0xb0(%esi)
  686611:    eb 8e                    jmp    6865a1 <_ZN11CBasePlayer13CommitSuicideEv+0x51>
  686613:    90                       nop
  686614:    8d b6 00 00 00 00        lea    0x0(%esi),%esi
  68661a:    8d bf 00 00 00 00        lea    0x0(%edi),%edi
If I was going to scan for it, would I scan for "\x55\x89\xE5\x83" etc. If so, how do I know which bytes I should include in the mask?

asherkin
SourceMod Developer
Join Date: Aug 2009
Location: OnGameFrame()
08-05-2015, 20:56   Re: CSGO basic usage   #4

You need to include enough so it is unique, and mask out any absolute addresses.
There is an IDA script that can help in the SM repo.

shortguy
Member
Join Date: Jul 2009
08-06-2015, 06:49   Re: CSGO basic usage   #5

Alrighty, so new question,

I'm currently trying to implement the sigscan.cpp shown on the Signature scanning wiki page and I've reached a block in the road.

In the Load() of my MM plugin I am telling the CSigScan::sigscan_dllfunc pointer to point to the server factory as such:
Code:
CSigScan::sigscan_dllfunc = ismm->GetServerFactory(0);
as stated in the header file:

Quote:
/* sigscan_dllfunc is a pointer of something that resides inside the gamedll so we can get
the base address of it. From a SourceMM plugin, just set this to ismm->serverFactory(0)
in Load(). From a Valve Server Plugin, you must set this to an actual factory returned
from gameServerFactory and hope that a SourceMM plugin did not override it. */
Theoretically this should tell the scanner where the gamedll is and where to start looking in memory; however, every time I hook it up, I get a segfault in the server. Any ideas?


donrevan
AlliedModders Donor
Join Date: Jul 2010
08-07-2015, 05:58   Re: CSGO basic usage   #6

What's the exact location of the crash? Attach a debugger.
Make sure you call GetDllMemInfo() before any Init(), like in the example:
Code:
void InitSigs(void)
{
    // Locate the gamedll in memory first; every Init() scans relative to it.
    CSigScan::GetDllMemInfo();

    // 116 signature bytes, then a mask of the same length:
    // 'x' = the byte must match, '?' = wildcard (address or displacement that may change).
    CBaseAnimating_Ignite_Sig.Init((unsigned char*)
        "\x56\x8B\xF1\x8B\x86\xBC\x00\x00\x00\xC1\xE8\x1B\xA8\x01\x0F\x85\x9A\x00\x00\x00"
        "\x8B\x16\xFF\x92\xF0\x00\x00\x00\x80\x7C\x24\x0C\x00\x74\x08\x84\xC0\x0F\x84\x83"
        "\x00\x00\x00\x3C\x01\x75\x20\x80\x7C\x24\x14\x00\x75\x19\x8B\xCE\xE8\x83\x1A\x01"
        "\x00\x85\xC0\x74\x0E\x8B\x10\x8B\xC8\xFF\x92\x08\x05\x00\x00\x84\xC0\x74\x5F\x57"
        "\x6A\x01\x56\xE8\x48\xEA\x07\x00\x8B\xF8\x83\xC4\x08\x85\xFF\x74\x3D\x8B\x44\x24"
        "\x0C\x50\x8B\xCF\xE8\x83\xE5\x07\x00\x68\x00\x00\x00\x08\x8B\xCE"
        ,
        "xxx?????????????????"
        "xxx????????????xx???"
        "???xx??xxxxx??xxx???"
        "?????xxxxx?????xx??x"
        "xxxx????xxxxxxx??xxx"
        "xxxxx????xxxxxxx"
        , 116);
    return;
}


shortguy
Member
Join Date: Jul 2009
08-07-2015, 07:49   Re: CSGO basic usage   #7

Alright, I've gotten past the segfault, but I'm still at a loss regarding the mask. How do I find out what will change at runtime? Is there an easy method to find which bytes should get masked?

Miu
Veteran Member
Join Date: Nov 2013
08-07-2015, 16:15   Re: CSGO basic usage   #8

It won't change at runtime, but it could change on update. You need to mask absolute addresses and near relative displacements; basically, just mask all symbols.

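Putting asherkin's answer (#4: enough bytes to be unique, absolute addresses masked) and Miu's (#8: the bytes only move on update, so mask addresses and symbol displacements) together as an added, runnable example. This is not code from the thread and not the CSigScan class from the wiki: it is a plain masked scanner over a constructed byte buffer. The CommitSuicide bytes are transcribed from shortguy's objdump above (0x686550 to 0x68658a); the decoy function, the nop padding, the "relocated" address values and the helper names (FindAll, BuildImage, BuildRelocatedImage, HitsIn) are made up for the example. It shows why a prologue-only signature is not unique, and why the two absolute-address operands have to be masked for the signature to survive relocation or a rebuild.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <string>
#include <vector>

// Masked byte-pattern scan (the operation CSigScan::Init performs on the gamedll).
// 'x' in the mask means the byte must equal the signature byte; any other mask
// character ('?') is a wildcard. The scan is bounded by len, so it never reads
// past the buffer; reading outside the module's mapped range is one way to get
// the segfault discussed earlier in this thread.
std::vector<size_t> FindAll(const uint8_t* buf, size_t len,
                            const uint8_t* sig, const char* mask) {
    std::vector<size_t> hits;
    const size_t siglen = std::strlen(mask);
    if (siglen == 0 || len < siglen) return hits;
    for (size_t i = 0; i + siglen <= len; ++i) {
        size_t j = 0;
        while (j < siglen && (mask[j] != 'x' || buf[i + j] == sig[j])) ++j;
        if (j == siglen) hits.push_back(i);
    }
    return hits;
}

// First 59 bytes of CBasePlayer::CommitSuicide, transcribed from the objdump above.
static const uint8_t kSuicideSig[] = {
    0x55, 0x89, 0xE5, 0x83, 0xEC, 0x78,                    // push %ebp; mov %esp,%ebp; sub $0x78,%esp
    0x89, 0x75, 0xFC, 0x8B, 0x75, 0x08, 0x89, 0x5D, 0xF8,  // save %esi/%ebx, load this into %esi
    0x8B, 0x8E, 0xA0, 0x00, 0x00, 0x00, 0x85, 0xC9,        // mov 0xa0(%esi),%ecx; test %ecx,%ecx
    0x0F, 0x85, 0x83, 0x00, 0x00, 0x00,                    // jne +0x83 (stays inside the function)
    0xD9, 0x86, 0x64, 0x0A, 0x00, 0x00,                    // flds 0xa64(%esi)
    0x8B, 0x15, 0x00, 0x00, 0x00, 0x00,                    // mov 0x0,%edx     <- absolute address
    0xD9, 0x42, 0x0C, 0xD9, 0xC9, 0xDD, 0xE9,              // flds 0xc(%edx); fxch; fucomp
    0xDF, 0xE0, 0x9E, 0x77, 0x63,                          // fnstsw %ax; sahf; ja +0x63
    0xD8, 0x05, 0x28, 0xC3, 0x83, 0x00,                    // fadds 0x83c328  <- absolute address
};

// Mask for kSuicideSig: opcodes, stack slots, struct offsets and the intra-function
// jne/ja displacements are kept; the two 4-byte absolute data addresses (they move
// whenever the binary is rebuilt or relocated) are wildcarded. The call at +0x77
// in the dump (e8 fc ff ff ff, a rel32 to another symbol) would be masked the same
// way if the signature extended that far.
static const char kSuicideMask[] =
    "xxxxxxxxxx" "xxxxxxxxxx" "xxxxxxxxxx" "xxxxxxx"  // bytes 0..36
    "????"                                           // 37..40: operand of mov 0x0,%edx
    "xxxxxxxxxx" "xxxx"                              // 41..54
    "????";                                          // 55..58: operand of fadds 0x83c328
static_assert(sizeof(kSuicideMask) - 1 == sizeof(kSuicideSig),
              "mask must be exactly as long as the signature");
static const size_t kAbsOperandOffsets[] = {37, 55};  // start of each masked operand

// Prologue-only signature: the first 15 bytes, every byte matched.
static const uint8_t kPrologueSig[] = {0x55, 0x89, 0xE5, 0x83, 0xEC, 0x78, 0x89, 0x75,
                                       0xFC, 0x8B, 0x75, 0x08, 0x89, 0x5D, 0xF8};
static const char kPrologueMask[] = "xxxxxxxxxxxxxxx";

// Constructed decoy function (not from the binary): the same compiler prologue,
// then xor %eax,%eax; leave; ret, followed by nop padding.
static const uint8_t kDecoy[] = {
    0x55, 0x89, 0xE5, 0x83, 0xEC, 0x78, 0x89, 0x75, 0xFC, 0x8B, 0x75, 0x08,
    0x89, 0x5D, 0xF8, 0x31, 0xC0, 0xC9, 0xC3,
    0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90};
static const size_t kSuicideOffset = sizeof(kDecoy);  // where CommitSuicide lands

// Constructed stand-in for the gamedll's .text: decoy, CommitSuicide bytes, then
// the next instruction from the dump (mov 0xb0(%esi),%ebx).
std::vector<uint8_t> BuildImage() {
    std::vector<uint8_t> img(kDecoy, kDecoy + sizeof(kDecoy));
    img.insert(img.end(), kSuicideSig, kSuicideSig + sizeof(kSuicideSig));
    const uint8_t next[] = {0x8B, 0x9E, 0xB0, 0x00, 0x00, 0x00};
    img.insert(img.end(), next, next + sizeof(next));
    return img;
}

// The same image after the two absolute operands have been relocated
// (made-up addresses, chosen only to differ from the on-disk bytes).
std::vector<uint8_t> BuildRelocatedImage() {
    std::vector<uint8_t> img = BuildImage();
    const uint8_t fixups[2][4] = {{0x40, 0xE2, 0xB1, 0xF7}, {0x68, 0xC3, 0x83, 0xF7}};
    for (size_t k = 0; k < 2; ++k)
        std::memcpy(&img[kSuicideOffset + kAbsOperandOffsets[k]], fixups[k], 4);
    return img;
}

std::vector<size_t> HitsIn(const std::vector<uint8_t>& img,
                           const uint8_t* sig, const char* mask) {
    return FindAll(img.data(), img.size(), sig, mask);
}

int main() {
    const std::string allMatch(sizeof(kSuicideSig), 'x');  // the "forgot to mask" version
    std::printf("prologue only, original image : %zu hits (not unique)\n",
                HitsIn(BuildImage(), kPrologueSig, kPrologueMask).size());
    std::printf("59 bytes masked, original     : %zu hit\n",
                HitsIn(BuildImage(), kSuicideSig, kSuicideMask).size());
    std::printf("59 bytes masked, relocated    : %zu hit\n",
                HitsIn(BuildRelocatedImage(), kSuicideSig, kSuicideMask).size());
    std::printf("59 bytes unmasked, relocated  : %zu hits (addresses moved)\n",
                HitsIn(BuildRelocatedImage(), kSuicideSig, allMatch.c_str()).size());
    return 0;
}
```

Two practical points follow from this. CSigScan::Init takes the length as a separate argument (116 in donrevan's snippet), so a signature and mask of different lengths compile fine and silently fail to match; here the mask's length is the signature length and the static_assert catches a miscount. And the scan only ever touches bytes inside the buffer it was given, which is what GetDllMemInfo() provides for the real gamedll: without a correct base and size the scanner walks into unmapped memory.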