[kossolax]

Hello,

CSGO has now stripped symbols. I'm trying to understand how to find a raw signature on Linux.


Based on this post, the raw signatures of @_ZN14CBaseAnimating16LookupAttachmentEPKc is

PHP Code:

\x55\x89\xE5\x53\x83\xEC\x14\x8B\x5D\x08\x8B\x8B\xB4\x04\x00\x00\x85\xC9\x74\x2A\x8B\x83\xB4\x04\x00\x00\x85\xC0\x74\x2A\x8B\x10\x85\xD2\x74\x2A\x8B\x55\x0C\x89\x04\x24 


I've read the wiki article and I could extract the subroutine. But I still don't get how to find out the linux raw signature. It's getting me confuse.


Anyone could help me ? Thank's for help.

[asherkin]

It is exactly the same process a finding a Windows signature, just use the bytes from / run makesig on the the Linux binary.

[kossolax]

My result is always different than the one on the mentioned post. Mostly because I'm not sure which instruction could be ignored.

PHP Code:

?55 89 e5 53 83 ec 14 8b? 45? 08? 89 04 24 e8? fc? ff? ff? ff? 85 c0 89 c3 74? 17? 8b? 0d? 00? 00? 00? 00? 8b 11 89? 44? 24? 04? 89 0c 24


Size39

Sig:
\x55\x89\xe5\x53\x83\xec\x14\x8b\x45\x08\x89\x04\x24\xe8\xfc\xff\xff\xff\x85\xc0\x89\xc3\x74\x17\x8b\x0d\x00\x00\x00\x00\x8b\x11\x89\x44\x24\x04\x89\x0c\x24

Mask:
xxxxxxx???xxx?????xxxx????????xx????xxx 


I want to use with PrepSDKCall. I found out that I must replace "ignored instruction" with x2A

But still. My signature has too many differences compared to the ones which works.

PHP Code:

\x55\x89\xe5\x53\x83\xec\x14\x2A\x2A\x2A\x89\x04\x24\x2A\x2A\x2A\x2A\x85\xc0\x89\xc3\x2A\x2A\x2A\x2A\x2A\x2A\x2A\x2A\x8b\x11\x2A\x2A\x2A\x2A\x89\x0c\x24 


[Miu]

Your instructions start to be completely different from Peace-Maker's after the fourth. Are you sure you're looking at the same function?

For example, the first 7 are:

Code:

| Your sig       | Your disasm          | PM sig            | PM disasm                 |
|----------------|----------------------|-------------------|---------------------------|
| 55             | push  ebp            | 55                | push  ebp                 |
| 89 e5          | mov   ebp, esp       | 89 e5             | mov   ebp, esp            |
| 53             | push  ebx            | 53                | push  ebx                 |
| 83 ec 14       | sub   esp, 0x14      | 83 ec 14          | sub   esp, 0x14           |
| 8b 45 08       | mov   eax, [ebp + 8] | 8b 5d 08          | mov   ebx, [ebp + 8]      |
| 89 04 24       | mov   [esp], eax     | 8b 8b b4 04 00 00 | mov   ecx, [ebx + 0x04B4] |
| e8 fc ff ff ff | call  rel32 -4       | 85 c9             | test  ecx, ecx            |

Also, call rel32 -4 doesn't make any sense. That would place EIP at the second byte of the call instruction, which is not a valid set of instructions at all. (fc is cld, but ff doesn't exist.)

[kossolax]

kossolax@kaamelott:~/srcds/csgo/bin# objdump -d server_i486.so | grep LookupAttach
00557860 <_ZN14CBaseAnimating16LookupAttachmentEPKc>

I was using @_ZN14CBaseAnimating16LookupAttachmentEPKc before the update... So I would say, yes.?


So I've just tested with the _ZN9CCSPlayer12RoundRespawnEv signatures from here: https://github.com/alliedmodders/sou...34ae9591dcfcaf


The result were again so much different. So I made some check to file date...
12M -rwxrw-r-- 1 srcds srcds 12M Jan 29 2016 server_i486.so
20M -rwxrw-r-- 1 srcds srcds 20M May 4 06:27 server.so

That's why obviously it was so much different. Silly me. Now I have to understand where my function start.


Any tips?

[Miu]

> Any tips?

Find some kind of landmark in the old binary that you can reliably find again in the new one, like a string reference.