[Arkshine]

You have just that as sig? Where is the identifiers section ? To hook a function you need to tell where to hook.

[NiHiLaNTh]

Quote:

Originally Posted by Arkshine You have just that as sig? Where is the identifiers section ? To hook a function you need to tell where to hook.

And what should I write in identifiers section? Something like this

Code:

"identifiers":
[
    {
        "os"      : "windows",
        "mod"   : "cstrike",
        "value"  : // ehm, what should be placed here?
    }
    {
        "os"      : "linux",
        "mod"   : "cstrike",
        "value"  : // ehm, what should be placed here?
    }
]

P.S. Is it correct place to put the sig?

Quote:

.../configs/orpheu/functions/CBasePlayer/DeathSound

[Arkshine]

Try :

Code:

{
    "name"        : "DeathSound",
    "class"       : "CBasePlayer",
    "library"     : "mod",
    "identifiers" :
    [
        {
            "os"    : "windows",
            "mod"   : "cstrike",
            "value" : [0x56,0x6A,"*","*","*","*","*",0xFF,"*","*","*","*","*",0x83,"*","*",0x48,0x83,"*","*",0x0F]
        },
        {
            "os"    : "linux",
            "mod"   : "cstrike",
            "value" : "DeathSound__11CBasePlayer"
        }
    ]
}

[NiHiLaNTh]

Thanks man.You saved my day.

[Bugsy]

Can you elaborate on how you came up with that sig? I was under the impression that you always keep the first byte of a given line, or is it really the first byte of a function you always keep? Sorry to keep asking you questions about this but I am really trying to understand better. The existing tutorials are not so good.

Here you are leaving out bytes for "mov esi, ecx" and "push 1". Are these common to mask out (push and mov) or do you need to read the instructions as a whole to determine which pieces to keep?

[0x56,0x6A,"*","*","*","*","*",0xFF,"*","*","* ","*","*",0x83,"*","*",0x48,0x83,"*","*", 0x0F]

Code:

56                                            push    esi
6A 04                                         push    4
8B F1                                         mov     esi, ecx
6A 01                                         push    1
FF 15 A8 24 16 10                             call    dword_101624A8
83 C4 08                                      add     esp, 8
48                                           dec     eax
83 F8 03                                      cmp     eax, 3          ; switch 4 cases
0F 87 95 00 00 00                             ja      loc_100A4C0F    ; default

[Arkshine]

Quote:

The existing tutorials are not so good.

What ! How you insult my awesome-not-complete-unreadable tutorial !
I don't mind you ask questions. Actually, I'm waiting people asking more and more, it will be used as materials to complete the tutorial.

The answer is simple : because of the fucking hlbeta update.

In the stable version you have :

Code:

8B F1                                         mov     esi, ecx
6A 01                                         push    1

and on the hlbeta :

Code:

6A 01                                         push    1
8B F1                                         mov     esi, ecx

You notice it's reversed... Yeah, the hlbeta, since compiled differently without a particular flag (don't remember exacly, probably -fomit-frame-pointer), you will have different register used, reversed lines, and such.. In others works it will mess a lot the existing signatures and you have to check on hlbeta.

So, instead to make 2 signatures (It's possible to have 2 signatures or more, orpheu will search the first, then the second if not found etc. ), you can just mask these 2 lines.

[Bugsy]

Ok, so you have 2 different libraries so you can just compare the two to see which bytes have changed? I read about doing this on a tut on the web somewhere.

I wasn't referring to your tutorial directly but I must say, none of the existing tutorials make it easy for a first-time reader to prepare a signature mask. They all require that you have a basic understanding of ASM to decipher what is going on with each byte\command. I personally do not have the time to learn more ASM than I need to just to create signatures so I'm note sure where to start. I am hoping a table of some sort or a basic-level tutorial can be made for a simple reference for making signature masks.

Something like this would be nice:
If you see XX on the line, only use first byte, ? for remaining
If you see YYY or ZZZ, use first two bytes, ? for remaining
If you see AA and LLL then use all bytes

[Arkshine]

To make properly a signature for CS you should have 6 IDA opened, CS/CZ win/linux stable/hlbeta and checking one and see if it matches for others, then seeing if you can simply put more mask or if a new signature is needed. Linux helps a lot for functions since you don't need most of time a signature, just getting his symbols name.

I have almost no asm knowledege too, just used to read asm and like said, to make a signature you need more or less :

- The first byte is always static
- [e]*x can be kept too but there are cases not because :
- You need to understand when an address is used (easy to see)

But yes, I guess putting more example would help.
At least an example of most common situations.

Meanwhile, don't hesitate to ask.

[Owyn]

how do i hook this?

Code:

Vector CBaseEntity::FireBullets3( Vector vecSrc, Vector vecDirShooting, Vector vecSpread,
                                      float flDistance, int iPenetration, int iBulletType, int iDamage, float flRangeModifier,
                                      entvars_t *pevAttacker, _, int shared_rand )

i should replace entvars_t pointer with some dummy type of the same byte length and vector with float or vector pointer? or just can't atm?

[Arkshine]

You can't for now because of 'Vector' (alone) which is not and can't be implemented the way orpheu is.