[ET Linux] Help finding offsets cgs, cg_entities, etc

**stealth93** · August 27th, 2009

Ok so I have managed to disassemble the cggame.mp.i386.so for Jaymod 3.1.7 and have located a few of the actual function offsets such as CG_DamageFeedback, CG_WeaponFireRecoil, etc.

I am having troubles finding the cgs, cg_entities, offsets / sizes and have located the 5 memset calls. It seems the values are hidden in the registers as opposed to windows *.dll files in IDA actually showing the values.

I talked with Quandary and he suggested running it through a debugger and setting a breakpoint. Which I have messed around with trying to do with gdb but cannot figure it out. I was wondering if anyone here had some advice.

Thanks

Here is the disassembled code:

Code:

   4ce10:    55                       push   %ebp
   4ce11:    b8 cc 09 00 00           mov    $0x9cc,%eax
   4ce16:    89 e5                    mov    %esp,%ebp
   4ce18:    57                       push   %edi
   4ce19:    31 ff                    xor    %edi,%edi
   4ce1b:    56                       push   %esi
   4ce1c:    31 f6                    xor    %esi,%esi
   4ce1e:    53                       push   %ebx
   4ce1f:    e8 8f b1 ff ff           call   47fb3 <strcpy@plt+0x113>
   4ce24:    81 c3 10 cb 18 00        add    $0x18cb10,%ebx
   4ce2a:    81 ec 2c 01 00 00        sub    $0x12c,%esp
   4ce30:    89 44 24 08              mov    %eax,0x8(%esp)
   4ce34:    8b 83 44 03 00 00        mov    0x344(%ebx),%eax
   4ce3a:    89 44 24 04              mov    %eax,0x4(%esp)
   4ce3e:    8b 83 38 05 00 00        mov    0x538(%ebx),%eax
   4ce44:    89 04 24                 mov    %eax,(%esp)
   4ce47:    e8 44 af ff ff           call   47d90 <memcpy@plt>
   4ce4c:    b8 00 20 00 00           mov    $0x2000,%eax
   4ce51:    89 44 24 08              mov    %eax,0x8(%esp)
   4ce55:    31 c0                    xor    %eax,%eax
   4ce57:    89 44 24 04              mov    %eax,0x4(%esp)
   4ce5b:    8d 83 0c 31 de 01        lea    0x1de310c(%ebx),%eax
   4ce61:    c7 45 ec 00 00 00 00     movl   $0x0,-0x14(%ebp)
   4ce68:    89 04 24                 mov    %eax,(%esp)
    4ce6b:    e8 a0 af ff ff          call   47e10 <memset@plt>
   4ce70:    b8 00 bf 04 00           mov    $0x4bf00,%eax
   4ce75:    89 44 24 08              mov    %eax,0x8(%esp)
   4ce79:    8d 83 0c 72 d9 01        lea    0x1d9720c(%ebx),%eax
   4ce7f:    89 7c 24 04              mov    %edi,0x4(%esp)
   4ce83:    bf 01 00 00 00           mov    $0x1,%edi
   4ce88:    89 04 24                 mov    %eax,(%esp)
   4ce8b:    e8 80 af ff ff           call   47e10 <memset@plt>
   4ce90:    31 d2                    xor    %edx,%edx
   4ce92:    b9 90 c9 a4 01           mov    $0x1a4c990,%ecx
   4ce97:    8d 83 6c e8 09 00        lea    0x9e86c(%ebx),%eax
   4ce9d:    89 54 24 04              mov    %edx,0x4(%esp)
   4cea1:    89 4c 24 08              mov    %ecx,0x8(%esp)
   4cea5:    89 85 10 ff ff ff        mov    %eax,-0xf0(%ebp)
   4ceab:    89 04 24                 mov    %eax,(%esp)
   4ceae:    e8 5d af ff ff           call   47e10 <memset@plt>
   4ceb3:    b8 40 0d 07 00           mov    $0x70d40,%eax
   4ceb8:    89 44 24 08              mov    %eax,0x8(%esp)
   4cebc:    31 c0                    xor    %eax,%eax
   4cebe:    89 44 24 04              mov    %eax,0x4(%esp)
   4cec2:    8d 83 2c db 02 00        lea    0x2db2c(%ebx),%eax
   4cec8:    89 04 24                 mov    %eax,(%esp)
   4cecb:    e8 40 af ff ff           call   47e10 <memset@plt>
   4ced0:    b8 00 c0 2a 00           mov    $0x2ac000,%eax
   4ced5:    89 44 24 08              mov    %eax,0x8(%esp)
   4ced9:    31 c0                    xor    %eax,%eax
   4cedb:    89 44 24 04              mov    %eax,0x4(%esp)
   4cedf:    8d 83 0c b2 ae 01        lea    0x1aeb20c(%ebx),%eax
   4cee5:    89 04 24                 mov    %eax,(%esp)
   4cee8:    e8 23 af ff ff           call   47e10 <memset@plt>
   4ceed:    31 c0                    xor    %eax,%eax
   4ceef:    89 bb f8 b1 ae 01        mov    %edi,0x1aeb1f8(%ebx)
   4cef5:    8d 93 30 db 02 00        lea    0x2db30(%ebx),%edx
   4cefb:    c7 45 ec 00 00 00 00     movl   $0x0,-0x14(%ebp)
   4cf02:    8d b4 26 00 00 00 00     lea    0x0(%esi,%eiz,1),%esi
   4cf09:    8d bc 27 00 00 00 00     lea    0x0(%edi,%eiz,1),%edi
   4cf10:    b9 61 79 fe ff           mov    $0xfffe7961,%ecx

**chaplex** · August 27th, 2009

Hi, I'll show you an example of how to do it for the first memset, you can figure out later how to do it for the others.

This code (please note, it does not call strcpy! it calls a function at the address_of(strcpy) + 0x113 which is actually named "get_pc_thunk.bx" or "i686.get_pc_thunk.bx" ... but your disassembler didn't recognize it):

Code:

4ce1f:    e8 8f b1 ff ff           call   47fb3 <strcpy@plt+0x113>

calls this function:

Code:

___i686.get_pc_thunk.bx:
       movl    (%esp), %ebx
       ret

which is how shared libraries (.dll "equivalents") compiled for linux take care of being loaded at different addresses (DLLs have a relocation section which is used during DLL initialization). Basically it returns the return address in the ebx register. Return address is the address of the instruction that is after the instruction that called the function. So this:

Code:

   4ce1f:    e8 8f b1 ff ff           call   47fb3 <strcpy@plt+0x113> 
   4ce24:    81 c3 10 cb 18 00        add    $0x18cb10,%ebx

would result in 0x4ce24 being the value of the ebx register after it returns, and then it adds 0x18cb10 to it. So now the value of ebx is 0x1d9934

Now we're getting to the call to the first memset:

Code:

   4ce4c:    b8 00 20 00 00           mov    $0x2000,%eax
   4ce51:    89 44 24 08              mov    %eax,0x8(%esp)
   4ce55:    31 c0                    xor    %eax,%eax
   4ce57:    89 44 24 04              mov    %eax,0x4(%esp)
   4ce5b:    8d 83 0c 31 de 01        lea    0x1de310c(%ebx),%eax
   4ce61:    c7 45 ec 00 00 00 00     movl   $0x0,-0x14(%ebp)
   4ce68:    89 04 24                 mov    %eax,(%esp)

This part:

Code:

   4ce4c:    b8 00 20 00 00           mov    $0x2000,%eax
   4ce51:    89 44 24 08              mov    %eax,0x8(%esp)

is the size_t parameter (length) of the call to memset. Notice how it doesn't use the push instruction, but instead moves to stack "directly" (it does the same, just using a different way).

This part:

Code:

   4ce55:    31 c0                    xor    %eax,%eax ; eax is now zero
   4ce57:    89 44 24 04              mov    %eax,0x4(%esp)

is the Value parameter - zero.

... and finally, this part:

Code:

   4ce5b:    8d 83 0c 31 de 01        lea    0x1de310c(%ebx),%eax
   4ce61:    c7 45 ec 00 00 00 00     movl   $0x0,-0x14(%ebp)
   4ce68:    89 04 24                 mov    %eax,(%esp)

sets the starting address where memset will do its job. It is ebx + 0x1de310c and we've calculated ebx above, so the address of the first memset is 0x0x1d9934 + 0x1de310c = 0x1fbca40

this first memset is equivalent to:

Code:

memset((void *) 0x1fbca40, 0, 0x2000);

**stealth93** · August 27th, 2009

Found what I was looking for, I appreciate your help and the detailed explanation. Now onto CG_RailTrail2...

Thread: [ET Linux] Help finding offsets cgs, cg_entities, etc

LinkBack

Thread Tools

Display

[ET Linux] Help finding offsets cgs, cg_entities, etc

Re: [ET Linux] Help finding offsets cgs, cg_entities, etc

Re: [ET Linux] Help finding offsets cgs, cg_entities, etc

Similar Threads

[HELP]Finding Offsets

Jaymod 2.1.8 0125 Offsets + Hints on further finding

Finding offsets

Offsets finding

Finding offsets dynamically

Bookmarks

Bookmarks

Posting Permissions