Here are Windows signatures for the functions:
SetEnemy
CAI_ScriptedSchedule::StartSchedule -> "Scripted schedule %s specified an invalid enemy %s\n" -> CAI_BaseNPC::SetEnemy
Code:
.text:1004EC70 55 push ebp
.text:1004EC71 8B EC mov ebp, esp
.text:1004EC73 53 push ebx
.text:1004EC74 56 push esi
.text:1004EC75 8B F1 mov esi, ecx
.text:1004EC77 57 push edi
.text:1004EC78 8B 96 48 09 00 00 mov edx, [esi+948h]
.text:1004EC7E 83 FA FF cmp edx, 0FFFFFFFFh
.text:1004EC81 74 23 jz short loc_1004ECA6
.text:1004EC83 A1 78 46 4A 10 mov eax, off_104A4678
.text:1004EC88 8B CA mov ecx, edx
.text:1004EC8A 81 E1 FF 0F 00 00 and ecx, 0FFFh
.text:1004EC90 83 C0 04 add eax, 4
.text:1004EC93 C1 E1 04 shl ecx, 4
.text:1004EC96 03 C1 add eax, ecx
.text:1004EC98 74 0C jz short loc_1004ECA6
.text:1004EC9A C1 EA 0C shr edx, 0Ch
.text:1004EC9D 39 50 04 cmp [eax+4], edx
.text:1004ECA0 75 04 jnz short loc_1004ECA6
.text:1004ECA2 8B 00 mov eax, [eax]
.text:1004ECA4 EB 02 jmp short loc_1004ECA8
.text:1004ECA6 ; ---------------------------------------------------------------------------
.text:1004ECA6
.text:1004ECA6 loc_1004ECA6: ; CODE XREF: sub_1004EC70+11↑j
.text:1004ECA6 ; sub_1004EC70+28↑j ...
.text:1004ECA6 33 C0 xor eax, eax
.text:1004ECA8
.text:1004ECA8 loc_1004ECA8: ; CODE XREF: sub_1004EC70+34↑j
CineCleanup
"Script failed for %s\n" -> CAI_BaseNPC::CineCleanup
Code:
.text:1003E270 55 push ebp
.text:1003E271 8B EC mov ebp, esp
.text:1003E273 83 EC 48 sub esp, 48h
.text:1003E276 53 push ebx
.text:1003E277 8B D9 mov ebx, ecx
.text:1003E279 8B 0D 78 46 4A 10 mov ecx, off_104A4678
.text:1003E27F 56 push esi
.text:1003E280 57 push edi
.text:1003E281 8B 93 54 0A 00 00 mov edx, [ebx+0A54h]
.text:1003E287 83 FA FF cmp edx, 0FFFFFFFFh
.text:1003E28A 74 1D jz short loc_1003E2A9
.text:1003E28C 8B C2 mov eax, edx
.text:1003E28E 8D 71 04 lea esi, [ecx+4]
.text:1003E291 25 FF 0F 00 00 and eax, 0FFFh
.text:1003E296 C1 E0 04 shl eax, 4
.text:1003E299 03 F0 add esi, eax
.text:1003E29B 74 0C jz short loc_1003E2A9
.text:1003E29D C1 EA 0C shr edx, 0Ch
.text:1003E2A0 39 56 04 cmp [esi+4], edx
.text:1003E2A3 75 04 jnz short loc_1003E2A9
.text:1003E2A5 8B 36 mov esi, [esi]
.text:1003E2A7 EB 02 jmp short loc_1003E2AB
.text:1003E2A9 ; ---------------------------------------------------------------------------
.text:1003E2A9
.text:1003E2A9 loc_1003E2A9: ; CODE XREF: sub_1003E270+1A↑j
.text:1003E2A9 ; sub_1003E270+2B↑j ...
.text:1003E2A9 33 F6 xor esi, esi
You will have to set wildcards to use them. There are 3 ways to do it:
1) Compare the signatures from two different builds of the library. The bytes which don't match should be replaced with 2A.
2) Find an ASM book/document where the commands are described and replace all bytes which change with 2A.
3) Replace all but the first byte in each line with 2A (not a very beautiful way, but it should work). It will look like: "\x55\x8B\x2A....
As for the variables, I see them in the *.so, but it is not clear what the resulting signatures should be. If it should be the places where the variables are stored, then there are only zeros around, which makes it hardly possible to create unique signatures. If it is a sort of reference from a function, then it's not clear what the start of the signature should be.
For g_AIFriendliesTalkSemaphore there are 3 references, here is a signature of one of them:
Code:
.text:100A9AAE BF BC 60 49 10 mov edi, offset dword_104960BC
.text:100A9AB3 B9 C4 60 49 10 mov ecx, offset dword_104960C4
.text:100A9AB8 0F 44 F9 cmovz edi, ecx
.text:100A9ABB 85 FF test edi, edi
.text:100A9ABD 74 5D jz short loc_100A9B1C
.text:100A9ABF 8B 56 40 mov edx, [esi+40h]
.text:100A9AC2 83 FA FF cmp edx, 0FFFFFFFFh
.text:100A9AC5 74 23 jz short loc_100A9AEA
.text:100A9AC7 A1 78 46 4A 10 mov eax, off_104A4678
.text:100A9ACC 8B CA mov ecx, edx
.text:100A9ACE 81 E1 FF 0F 00 00 and ecx, 0FFFh
.text:100A9AD4 83 C0 04 add eax, 4
.text:100A9AD7 C1 E1 04 shl ecx, 4
.text:100A9ADA 03 C8 add ecx, eax
.text:100A9ADC 74 0C jz short loc_100A9AEA
.text:100A9ADE C1 EA 0C shr edx, 0Ch
.text:100A9AE1 39 51 04 cmp [ecx+4], edx
.text:100A9AE4 75 04 jnz short loc_100A9AEA
.text:100A9AE6 8B 09 mov ecx, [ecx]
.text:100A9AE8 EB 02 jmp short loc_100A9AEC
Here 104960BC (BC 60 49 10) is the address of the variable. You could try these two signatures:
Quote:
\xBF\xBC\x60\x49\x10...
\xBC\x60\x49\x10\xB9... (1 byte shifted)
If it works, I'll try to find signatures for the other variables.
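An added example, not from the post above and not SourceMod's own tooling: a small Python script that parses IDA listing lines like the ones quoted in the post and turns them into gamedata-style \xNN signatures using the three wildcarding methods described. Method 2 is approximated mechanically by masking only the absolute addresses IDA names in the operands (off_/dword_/sub_ references); relative jump displacements such as `jz short` are kept literal, so they can still break a match between builds. The sample listing is a constructed copy of the first SetEnemy lines.

```python
import re
from itertools import takewhile
# Constructed sample: the opening of the SetEnemy listing from the post (IDA layout).
LISTING = """\
.text:1004EC70 55 push ebp
.text:1004EC71 8B EC mov ebp, esp
.text:1004EC78 8B 96 48 09 00 00 mov edx, [esi+948h]
.text:1004EC81 74 23 jz short loc_1004ECA6
.text:1004EC83 A1 78 46 4A 10 mov eax, off_104A4678
"""
HEX_BYTE = re.compile(r"^[0-9A-F]{2}$")
# IDA's symbolic names for absolute addresses; those bytes relocate between builds.
ADDR_REF = re.compile(r"\b(?:off|dword|sub|loc)_([0-9A-F]{8})\b")
def parse_listing(text):
    """Return [(address, [opcode bytes], asm)]; labels, separators and comments are skipped."""
    out = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 3 or not tokens[0].startswith(".text:"):
            continue
        raw = [int(t, 16) for t in takewhile(HEX_BYTE.match, tokens[1:])]
        rest = tokens[1 + len(raw):]
        if raw and rest and not rest[0].startswith(";") and not rest[0].endswith(":"):
            out.append((int(tokens[0][6:], 16), raw, " ".join(rest)))
    return out

def mask_operands(instrs):
    """Method 3 from the post: keep each instruction's first byte, wildcard the rest."""
    return [b if i == 0 else None for _, raw, _ in instrs for i, b in enumerate(raw)]

def diff_builds(bytes_a, bytes_b):
    """Method 1 from the post: bytes differing between two same-length builds become wildcards."""
    return [a if a == b else None for a, b in zip(bytes_a, bytes_b)]

def mask_absolute_addresses(instrs):
    """Method 2 in spirit: wildcard only absolute addresses in operands; rel8 jumps stay literal."""
    sig = []
    for _, raw, asm in instrs:
        keep = list(raw)
        for hexaddr in ADDR_REF.findall(asm):
            le = list(int(hexaddr, 16).to_bytes(4, "little"))  # x86 stores it little-endian
            for i in range(len(keep) - 3):
                if keep[i:i + 4] == le:
                    keep[i:i + 4] = [None] * 4
        sig.extend(keep)
    return sig

def to_gamedata(sig):
    """Render as the \\xNN string SourceMod gamedata uses (\\x2A is the wildcard byte)."""
    return "".join("\\x2A" if b is None else "\\x%02X" % b for b in sig)
```

Running `to_gamedata(mask_operands(parse_listing(LISTING)))` yields the `\x55\x8B\x2A...` shape the post describes, while `mask_absolute_addresses` keeps everything except the four bytes of off_104A4678.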