
Signature Request Thread


Malak
Junior Member
Join Date: Nov 2011
Old 08-18-2013 , 13:58   Re: Signature Request Thread
Reply With Quote #151

Quote:
Originally Posted by Peace-Maker View Post
Code:
55 8b ec 66 8b 45 08 66 3b 05 ? ? ? ? 72 ? B8 01 00 00 00 84
Thanks Peace-Maker for the signature (appears to work from my console). I was wondering if you or someone else would also be kind enough to get a new Windows sigscan for "NET_SendPacket" on the DOD:S, HL2-DM & TF2 engine(s)?

Code:
			"NET_SendPacket"
			{
				"linux_symbol"	"_Z14NET_SendPacketP11INetChanneliRK8netadr_sPKhiP8bf_writeb"
				"sigscan"		"55 8B EC B8 ? ? ? ? E8 ? ? ? ? 53 56 8B ? ? 57 8B ? ? ? ? ? ? 57 6A 00"
				"win_type"		"Direct"		
			}
-Malak

Last edited by Malak; 08-18-2013 at 13:59.
kadet.89
Veteran Member
Join Date: Nov 2012
Location: Serbia
Old 08-22-2013 , 06:02   Re: Signature Request Thread
Reply With Quote #152

Can someone give instructions on how to search for signatures? I tried to use the manual, but it is already outdated... or perhaps my server.dll (hl2mp) is incorrect.

Last edited by kadet.89; 08-22-2013 at 06:05.
kadet.89
Veteran Member
Join Date: Nov 2012
Location: Serbia
Old 08-23-2013 , 08:38   Re: Signature Request Thread
Reply With Quote #153

I'm trying to find a signature for SwitchTeam in server.dll

I got it from a file sourcemod\gamedata\sm-cstrike.games.txt

Code:
"windows"	"\x55\x8B\xEC\x83\xEC\x2A\x89\x4D\x2A\x8B\x45\x2A\x50\xE8\x2A\x2A\x2A\x2A\x83\xC4\x04\x85\xC0\x74"
And I can't find it in the recent server.dll. Does it mean that the signature is wrong or am I wrong? I can only find a piece of this signature:
Code:
\x55\x8B\xEC\x83\xEC
Can somebody share server.dll and server.pdb? It seems that my hl2mp dll is too old.

Last edited by kadet.89; 08-23-2013 at 09:08.
Powerlord
AlliedModders Donor
Join Date: Jun 2008
Location: Seduce Me!
Old 08-23-2013 , 10:21   Re: Signature Request Thread
Reply With Quote #154

Quote:
Originally Posted by kadet.89 View Post
I'm trying to find a signature for SwitchTeam in server.dll

I got it from a file sourcemod\gamedata\sm-cstrike.games.txt

Code:
"windows"    "\x55\x8B\xEC\x83\xEC\x2A\x89\x4D\x2A\x8B\x45\x2A\x50\xE8\x2A\x2A\x2A\x2A\x83\xC4\x04\x85\xC0\x74"
And I can't find it in the recent server.dll. Does it mean that the signature is wrong or am I wrong? I can only find a piece of this signature:
Code:
\x55\x8B\xEC\x83\xEC
Can somebody share server.dll and server.pdb? It seems that my hl2mp dll is too old.
\x2A is the wildcard symbol (for whatever reason), meaning that anything could be there in place of it.
__________________
Not currently working on SourceMod plugin development.

Last edited by Powerlord; 08-23-2013 at 10:22.
Dr!fter
The Salt Boss
Join Date: Mar 2007
Old 08-23-2013 , 11:34   Re: Signature Request Thread
Reply With Quote #155

Quote:
Originally Posted by kadet.89 View Post
I'm trying to find a signature for SwitchTeam in server.dll

I got it from a file sourcemod\gamedata\sm-cstrike.games.txt

Code:
"windows"	"\x55\x8B\xEC\x83\xEC\x2A\x89\x4D\x2A\x8B\x45\x2A\x50\xE8\x2A\x2A\x2A\x2A\x83\xC4\x04\x85\xC0\x74"
And I can't find it in the recent server.dll. Does it mean that the signature is wrong or am I wrong? I can only find a piece of this signature:
Code:
\x55\x8B\xEC\x83\xEC
Can somebody share server.dll and server.pdb? It seems that my hl2mp dll is too old.
It sounds like you are compiling the sdk which doesn't give you the game specific functions.

Here's a very quick breakdown for sigs.

Go to your mod's bin folder and open both the server.dll and server(_srv).so files. Locate the function in the Linux bin, then try to find a string in the function, or a function that calls the one you want with a string in it (there are other ways, but that's the easiest). Search for the string in the Windows one (make sure the string is semi-unique and isn't used everywhere). After finding the function, compare it to the Linux one to see if it looks to be the correct one. Create a sig on the Windows bin, making sure the sig is unique and wildcarding anything that should be.
Malak
Junior Member
Join Date: Nov 2011
Old 08-23-2013 , 15:02   Re: Signature Request Thread
Reply With Quote #156

Quote:
Originally Posted by Dr!fter View Post
It sounds like you are compiling the sdk which doesn't give you the game specific functions.

Here's a very quick breakdown for sigs.

Go to your mod's bin folder and open both the server.dll and server(_srv).so files. Locate the function in the Linux bin, then try to find a string in the function, or a function that calls the one you want with a string in it (there are other ways, but that's the easiest). Search for the string in the Windows one (make sure the string is semi-unique and isn't used everywhere). After finding the function, compare it to the Linux one to see if it looks to be the correct one. Create a sig on the Windows bin, making sure the sig is unique and wildcarding anything that should be.
I wanted to see if I could learn how to create signatures but I'm currently stuck. Looking at the above "CCSPlayer::SwitchTeam" signature, I used Peace-Maker's "escsig_search.idc" to change:
Code:
"\x55\x8B\xEC\x83\xEC\x2A\x89\x4D\x2A\x8B\x45\x2A\x50\xE8\x2A\x2A\x2A\x2A\x83\xC4\x04\x85\xC0\x74"
Into
Code:
"55 8B EC 83 EC ? 89 4D ? 8B 45 ? 50 E8 ? ? ? ? 83 C4 04 85 C0 74"
Now I understand that 4 bytes need to be changed into wildcards (\x2A) or masks (?), but what I am not understanding is how the other wildcards/masks in the above signature(s) are determined.

//IDA Windows CCSPlayer::SwitchTeam function snippet
Code:
.text:10260280 55                                                              push    ebp
.text:10260281 8B EC                                                           mov     ebp, esp
.text:10260283 83 EC 5C                                                        sub     esp, 5Ch
.text:10260286 89 4D A8                                                        mov     [ebp+var_58], ecx
.text:10260289 8B 45 08                                                        mov     eax, [ebp+arg_0]
Bytes "55" to the second row "EC" are written into the signature, but the following bytes, "5C", "A8" & "08", are turned into wildcards/masks. Could someone please explain how these are determined?

Last edited by Malak; 08-23-2013 at 15:15.
kadet.89
Veteran Member
Join Date: Nov 2012
Location: Serbia
Old 08-23-2013 , 15:55   Re: Signature Request Thread
Reply With Quote #157

Malak, as you can see, "5C", "A8" & "08" are addresses, which normally change when the library is updated.
I opened server_srv.so in IDA and found SwitchTeam, but it looks absolutely different from the one in the server.dll http://s019.radikal.ru/i604/1308/76/10c61d33f3bf.png How can I find the key to get the dll signature?

Last edited by kadet.89; 08-23-2013 at 16:09.
Malak
Junior Member
Join Date: Nov 2011
Old 08-23-2013 , 16:35   Re: Signature Request Thread
Reply With Quote #158

Quote:
Originally Posted by kadet.89
I opened server_srv.so in IDA and found SwitchTeam, but it looks absolutely different from the one in the server.dll http://s019.radikal.ru/i604/1308/76/10c61d33f3bf.png How can I find the key to get the dll signature?
Give these tutorials a read:
http://forums.eventscripts.com/viewt...376443#p376443
http://forums.eventscripts.com/viewt...?f=125&t=45240

Now, assuming you found your "CCSPlayer::SwitchTeam(int)" function again in the server_srv.so, you need an easy-to-search string for the Windows binary. I recommend using this string:

Code:
"CCSPlayer::SwitchTeam( %d ) - invalid t"
From the first linked tutorial, read on from part 2 section 5 to get an idea of what to do with that string and where I got it.

Quote:
Originally Posted by kadet.89
Malak, as you can see, "5C", "A8" & "08" are addresses, which normally change when the library is updated.
Am I to assume that the third byte on each row needs to be changed into a wildcard, or is there a more specific pattern I'm supposed to keep an eye out for? I'll compare some more SM sigs and see.

Edit: I looked at "CCSPlayer::RoundRespawn" and the last two bytes on row 4 & 5 are wildcards. What am I not seeing here?

//IDA Windows CCSPlayer::RoundRespawn function snippet
Code:
.text:10265DF0 55                                                              push    ebp
.text:10265DF1 8B EC                                                           mov     ebp, esp
.text:10265DF3 51                                                              push    ecx
.text:10265DF4 89 4D FC                                                        mov     [ebp+var_4], ecx
.text:10265DF7 8B 45 FC                                                        mov     eax, [ebp+var_4]
.text:10265DFA 8B 10                                                           mov     edx, [eax]
.text:10265DFC 8B 4D FC                                                        mov     ecx, [ebp+var_4]
//RoundRespawn SM signature
Code:
\x55\x8B\xEC\x51\x89\x2A\x2A\x8B\x2A\x2A\x8B\x10\x8B

Last edited by Malak; 08-23-2013 at 17:41.
Dr!fter
The Salt Boss
Join Date: Mar 2007
Old 08-23-2013 , 18:39   Re: Signature Request Thread
Reply With Quote #159

Quote:
Originally Posted by Malak View Post
Give these tutorials a read:
http://forums.eventscripts.com/viewt...376443#p376443
http://forums.eventscripts.com/viewt...?f=125&t=45240

Now, assuming you found your "CCSPlayer::SwitchTeam(int)" function again in the server_srv.so, you need an easy-to-search string for the Windows binary. I recommend using this string:

Code:
"CCSPlayer::SwitchTeam( %d ) - invalid t"
From the first linked tutorial, read on from part 2 section 5 to get an idea of what to do with that string and where I got it.



Am I to assume that the third byte on each row needs to be changed into a wildcard, or is there a more specific pattern I'm supposed to keep an eye out for? I'll compare some more SM sigs and see.

Edit: I looked at "CCSPlayer::RoundRespawn" and the last two bytes on row 4 & 5 are wildcards. What am I not seeing here?

//IDA Windows CCSPlayer::RoundRespawn function snippet
Code:
.text:10265DF0 55                                                              push    ebp
.text:10265DF1 8B EC                                                           mov     ebp, esp
.text:10265DF3 51                                                              push    ecx
.text:10265DF4 89 4D FC                                                        mov     [ebp+var_4], ecx
.text:10265DF7 8B 45 FC                                                        mov     eax, [ebp+var_4]
.text:10265DFA 8B 10                                                           mov     edx, [eax]
.text:10265DFC 8B 4D FC                                                        mov     ecx, [ebp+var_4]
//RoundRespawn SM signature
Code:
\x55\x8B\xEC\x51\x89\x2A\x2A\x8B\x2A\x2A\x8B\x10\x8B
You wildcard things that are likely to change; there is no set pattern.
Dr!fter is offline
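
The mechanics discussed in the posts above (the \x2A wildcard, the escaped and "?" notations, and the requirement that a signature be unique), as an added example that is not part of the original thread and not SourceMod's own code. The function names are hypothetical and the byte buffers are constructed; only the signatures and the first 12 bytes of SwitchTeam come from the thread.

```python
import re

def parse_signature(sig):
    """Parse an escaped ("\\x55\\x2A") or "?"-style ("55 ?") signature.
    Returns a list of ints with None at wildcard positions."""
    if "\\x" in sig:
        # Escaped form: the byte value 2A stands for "any byte".
        return [None if t.upper() == "2A" else int(t, 16)
                for t in re.findall(r"\\x([0-9A-Fa-f]{2})", sig)]
    return [None if t.strip("?") == "" else int(t, 16) for t in sig.split()]

def to_ida(pattern):
    """Render a parsed pattern in the space-separated "?" form."""
    return " ".join("?" if b is None else f"{b:02X}" for b in pattern)

def find_all(data, pattern):
    """Return every offset in data where the pattern matches."""
    last = len(data) - len(pattern)
    return [off for off in range(last + 1)
            if all(b is None or data[off + i] == b
                   for i, b in enumerate(pattern))]

# Constructed sample "binaries". The first 12 bytes of SwitchTeam are the ones
# in the IDA listing from post #156; the rest is filler built to fit the sig.
PAD = bytes([0xCC] * 4)  # int3 padding between functions
OTHER_FUNC = bytes.fromhex("558BEC83EC10833D04A85C1000")
BUILD_A = (OTHER_FUNC + PAD +
           bytes.fromhex("558BEC83EC5C894DA88B450850E81122330083C40485C074"))
# The same function after a hypothetical update: frame size, local offset and
# call displacement differ, the opcodes do not.
BUILD_B = (OTHER_FUNC + PAD + PAD +
           bytes.fromhex("558BEC83EC60894DA48B450850E85566770083C40485C074"))

SWITCHTEAM = parse_signature(
    r"\x55\x8B\xEC\x83\xEC\x2A\x89\x4D\x2A\x8B\x45\x2A\x50\xE8\x2A\x2A\x2A\x2A"
    r"\x83\xC4\x04\x85\xC0\x74")
EXACT_A = list(BUILD_A[17:41])  # build A's bytes with no wildcards at all
TOO_SHORT = parse_signature(r"\x55\x8B\xEC\x83\xEC")  # the "piece" of the sig

if __name__ == "__main__":
    print(to_ida(SWITCHTEAM))
    for name, blob in (("A", BUILD_A), ("B", BUILD_B)):
        print(name, "wildcarded:", find_all(blob, SWITCHTEAM),
              "exact:", find_all(blob, EXACT_A),
              "prefix only:", find_all(blob, TOO_SHORT))
```

The wildcarded signature hits exactly once in both constructed builds, the exact-byte copy survives only in the build it was taken from, and the five-byte prefix matches two functions, which is why it cannot serve as a signature on its own.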
kadet.89
Veteran Member
Join Date: Nov 2012
Location: Serbia
Old 08-24-2013 , 13:40   Re: Signature Request Thread
Reply With Quote #160

Can somebody help me to find a css linux/windows signature for "g_Collisions" (with an explanation, if possible)?
Old signature:
Code:
	"g_Collisions" // "Putting entity to sleep: %s\"
	{
		"library"	"server"
		//"windows"	"\x55\x8B\xEC\x83\xEC\x10\x83\x3D\x04\xA8\x5C\x10\x00\x53\x56\x57\x0F\x84\xBB\x02\x00\x00\x08\x3D\x98\xE1\x56\x10\x00\x0F\x85\xAE\x02\x00\x00\xF3" //Old dll
		"windows"	"\x55\x8B\xEC\x83\xEC\x10\x83\x3D\x2A\x2A\x2A\x2A\x00"
	}
What can I do if I can not find the signature? Are there alternatives?

Last edited by kadet.89; 08-25-2013 at 14:28.