Aimbots.net - The N°1 Community For All Your Gaming Needs.
Thread: [ET Linux] Help finding offsets cgs, cg_entities, etc
    1. #1
      Member stealth93 is on a distinguished road
      Join Date
      Oct 2008
      Posts
      50
      Thanks
      13
      Thanked 23 Times in 10 Posts

      [ET Linux] Help finding offsets cgs, cg_entities, etc

      OK, so I have managed to disassemble the cggame.mp.i386.so for Jaymod 3.1.7 and have located a few of the actual function offsets, such as CG_DamageFeedback, CG_WeaponFireRecoil, etc.

      I am having trouble finding the cgs and cg_entities offsets / sizes, and have located the 5 memset calls. It seems the values are hidden in the registers, as opposed to Windows *.dll files, where IDA actually shows the values.

      I talked with Quandary and he suggested running it through a debugger and setting a breakpoint, which I have messed around with trying to do with gdb but cannot figure out. I was wondering if anyone here had some advice.

      Thanks

      Here is the disassembled code:
      Code:
         4ce10:    55                       push   %ebp
         4ce11:    b8 cc 09 00 00           mov    $0x9cc,%eax
         4ce16:    89 e5                    mov    %esp,%ebp
         4ce18:    57                       push   %edi
         4ce19:    31 ff                    xor    %edi,%edi
         4ce1b:    56                       push   %esi
         4ce1c:    31 f6                    xor    %esi,%esi
         4ce1e:    53                       push   %ebx
         4ce1f:    e8 8f b1 ff ff           call   47fb3 <strcpy@plt+0x113>
         4ce24:    81 c3 10 cb 18 00        add    $0x18cb10,%ebx
         4ce2a:    81 ec 2c 01 00 00        sub    $0x12c,%esp
         4ce30:    89 44 24 08              mov    %eax,0x8(%esp)
         4ce34:    8b 83 44 03 00 00        mov    0x344(%ebx),%eax
         4ce3a:    89 44 24 04              mov    %eax,0x4(%esp)
         4ce3e:    8b 83 38 05 00 00        mov    0x538(%ebx),%eax
         4ce44:    89 04 24                 mov    %eax,(%esp)
         4ce47:    e8 44 af ff ff           call   47d90 <memcpy@plt>
         4ce4c:    b8 00 20 00 00           mov    $0x2000,%eax
         4ce51:    89 44 24 08              mov    %eax,0x8(%esp)
         4ce55:    31 c0                    xor    %eax,%eax
         4ce57:    89 44 24 04              mov    %eax,0x4(%esp)
         4ce5b:    8d 83 0c 31 de 01        lea    0x1de310c(%ebx),%eax
         4ce61:    c7 45 ec 00 00 00 00     movl   $0x0,-0x14(%ebp)
         4ce68:    89 04 24                 mov    %eax,(%esp)
         4ce6b:    e8 a0 af ff ff           call   47e10 <memset@plt>
         4ce70:    b8 00 bf 04 00           mov    $0x4bf00,%eax
         4ce75:    89 44 24 08              mov    %eax,0x8(%esp)
         4ce79:    8d 83 0c 72 d9 01        lea    0x1d9720c(%ebx),%eax
         4ce7f:    89 7c 24 04              mov    %edi,0x4(%esp)
         4ce83:    bf 01 00 00 00           mov    $0x1,%edi
         4ce88:    89 04 24                 mov    %eax,(%esp)
         4ce8b:    e8 80 af ff ff           call   47e10 <memset@plt>
         4ce90:    31 d2                    xor    %edx,%edx
         4ce92:    b9 90 c9 a4 01           mov    $0x1a4c990,%ecx
         4ce97:    8d 83 6c e8 09 00        lea    0x9e86c(%ebx),%eax
         4ce9d:    89 54 24 04              mov    %edx,0x4(%esp)
         4cea1:    89 4c 24 08              mov    %ecx,0x8(%esp)
         4cea5:    89 85 10 ff ff ff        mov    %eax,-0xf0(%ebp)
         4ceab:    89 04 24                 mov    %eax,(%esp)
         4ceae:    e8 5d af ff ff           call   47e10 <memset@plt>
         4ceb3:    b8 40 0d 07 00           mov    $0x70d40,%eax
         4ceb8:    89 44 24 08              mov    %eax,0x8(%esp)
         4cebc:    31 c0                    xor    %eax,%eax
         4cebe:    89 44 24 04              mov    %eax,0x4(%esp)
         4cec2:    8d 83 2c db 02 00        lea    0x2db2c(%ebx),%eax
         4cec8:    89 04 24                 mov    %eax,(%esp)
         4cecb:    e8 40 af ff ff           call   47e10 <memset@plt>
         4ced0:    b8 00 c0 2a 00           mov    $0x2ac000,%eax
         4ced5:    89 44 24 08              mov    %eax,0x8(%esp)
         4ced9:    31 c0                    xor    %eax,%eax
         4cedb:    89 44 24 04              mov    %eax,0x4(%esp)
         4cedf:    8d 83 0c b2 ae 01        lea    0x1aeb20c(%ebx),%eax
         4cee5:    89 04 24                 mov    %eax,(%esp)
         4cee8:    e8 23 af ff ff           call   47e10 <memset@plt>
         4ceed:    31 c0                    xor    %eax,%eax
         4ceef:    89 bb f8 b1 ae 01        mov    %edi,0x1aeb1f8(%ebx)
         4cef5:    8d 93 30 db 02 00        lea    0x2db30(%ebx),%edx
         4cefb:    c7 45 ec 00 00 00 00     movl   $0x0,-0x14(%ebp)
         4cf02:    8d b4 26 00 00 00 00     lea    0x0(%esi,%eiz,1),%esi
         4cf09:    8d bc 27 00 00 00 00     lea    0x0(%edi,%eiz,1),%edi
         4cf10:    b9 61 79 fe ff           mov    $0xfffe7961,%ecx
      

    2. #2
      VIP chaplex will become famous soon enough chaplex's Avatar
      Join Date
      Apr 2006
      Location
      Croatia / Hrvatska
      Posts
      732
      Thanks
      0
      Thanked 35 Times in 14 Posts

      Re: [ET Linux] Help finding offsets cgs, cg_entities, etc

      Hi, I'll show you an example of how to do it for the first memset; you can figure out later how to do it for the others.

      This code (please note: it does not call strcpy! It calls a function at address_of(strcpy) + 0x113, which is actually named "get_pc_thunk.bx" or "i686.get_pc_thunk.bx" ... but your disassembler didn't recognize it):
      Code:
      4ce1f:    e8 8f b1 ff ff           call   47fb3 <strcpy@plt+0x113>
      
      calls this function:
      Code:
      ___i686.get_pc_thunk.bx:
             movl    (%esp), %ebx
             ret
      
      which is how shared libraries (.dll "equivalents") compiled for Linux take care of being loaded at different addresses (DLLs have a relocation section which is used during DLL initialization). Basically, it returns the return address in the ebx register. The return address is the address of the instruction that is after the instruction that called the function. So this:
      Code:
         4ce1f:    e8 8f b1 ff ff           call   47fb3 <strcpy@plt+0x113> 
         4ce24:    81 c3 10 cb 18 00        add    $0x18cb10,%ebx
      
      would result in 0x4ce24 being the value of the ebx register after it returns, and then it adds 0x18cb10 to it. So now the value of ebx is 0x1d9934.

      Now we're getting to the call to the first memset:
      Code:
         4ce4c:    b8 00 20 00 00           mov    $0x2000,%eax
         4ce51:    89 44 24 08              mov    %eax,0x8(%esp)
         4ce55:    31 c0                    xor    %eax,%eax
         4ce57:    89 44 24 04              mov    %eax,0x4(%esp)
         4ce5b:    8d 83 0c 31 de 01        lea    0x1de310c(%ebx),%eax
         4ce61:    c7 45 ec 00 00 00 00     movl   $0x0,-0x14(%ebp)
         4ce68:    89 04 24                 mov    %eax,(%esp)
      
      This part:
      Code:
         4ce4c:    b8 00 20 00 00           mov    $0x2000,%eax
         4ce51:    89 44 24 08              mov    %eax,0x8(%esp)
      
      is the size_t parameter (length) of the call to memset. Notice how it doesn't use the push instruction, but instead moves to the stack "directly" (it does the same thing, just in a different way).

      This part:
      Code:
         4ce55:    31 c0                    xor    %eax,%eax ; eax is now zero
         4ce57:    89 44 24 04              mov    %eax,0x4(%esp)
      
      is the Value parameter - zero.

      ... and finally, this part:
      Code:
         4ce5b:    8d 83 0c 31 de 01        lea    0x1de310c(%ebx),%eax
         4ce61:    c7 45 ec 00 00 00 00     movl   $0x0,-0x14(%ebp)
         4ce68:    89 04 24                 mov    %eax,(%esp) 
      sets the starting address where memset will do its job. It is ebx + 0x1de310c, and we've calculated ebx above, so the address of the first memset is 0x1d9934 + 0x1de310c = 0x1fbca40.

      This first memset is equivalent to:
      Code:
      memset((void *) 0x1fbca40, 0, 0x2000);
      
      http://chaplja.net | http://twitter.com/chaplja
      The DJs took pills to stay awake and play for seven days
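The hand calculation in the reply above (return address landing in %ebx via get_pc_thunk.bx, the add, then the lea displacement) can be automated for every memset in the listing. The script below is an added example, not code from the thread or from either poster. It carries a trimmed copy of the listing from the first post as its constructed input and assumes, as the reply states, that the call target 0x47fb3 is __i686.get_pc_thunk.bx. It tracks the caller-saved registers and the three %esp-relative argument slots that the compiler fills instead of using push, and reports each memset as the equivalent C call; on the two memsets in the excerpt it reproduces the 0x1fbca40 / 0x2000 result worked out above and resolves the second one the same way. The function names (resolve_memsets, split_operands, parse, read, write) are the example's own.

```python
import re

# Constructed input for this example: the objdump -d listing from the first post, trimmed to
# the prologue plus the first two memset calls; the remaining three resolve the same way.
DUMP = """
4ce10:    55                       push   %ebp
4ce11:    b8 cc 09 00 00           mov    $0x9cc,%eax
4ce16:    89 e5                    mov    %esp,%ebp
4ce18:    57                       push   %edi
4ce19:    31 ff                    xor    %edi,%edi
4ce1b:    56                       push   %esi
4ce1c:    31 f6                    xor    %esi,%esi
4ce1e:    53                       push   %ebx
4ce1f:    e8 8f b1 ff ff           call   47fb3 <strcpy@plt+0x113>
4ce24:    81 c3 10 cb 18 00        add    $0x18cb10,%ebx
4ce4c:    b8 00 20 00 00           mov    $0x2000,%eax
4ce51:    89 44 24 08              mov    %eax,0x8(%esp)
4ce55:    31 c0                    xor    %eax,%eax
4ce57:    89 44 24 04              mov    %eax,0x4(%esp)
4ce5b:    8d 83 0c 31 de 01        lea    0x1de310c(%ebx),%eax
4ce61:    c7 45 ec 00 00 00 00     movl   $0x0,-0x14(%ebp)
4ce68:    89 04 24                 mov    %eax,(%esp)
4ce6b:    e8 a0 af ff ff           call   47e10 <memset@plt>
4ce70:    b8 00 bf 04 00           mov    $0x4bf00,%eax
4ce75:    89 44 24 08              mov    %eax,0x8(%esp)
4ce79:    8d 83 0c 72 d9 01        lea    0x1d9720c(%ebx),%eax
4ce7f:    89 7c 24 04              mov    %edi,0x4(%esp)
4ce83:    bf 01 00 00 00           mov    $0x1,%edi
4ce88:    89 04 24                 mov    %eax,(%esp)
4ce8b:    e8 80 af ff ff           call   47e10 <memset@plt>
"""

# Assumption taken from the reply: the "strcpy@plt+0x113" target is __i686.get_pc_thunk.bx
# (movl (%esp),%ebx; ret), which leaves the return address in %ebx.
THUNK_ADDR = 0x47fb3

INSN_RE = re.compile(r'^\s*([0-9a-f]+):\s+(?:[0-9a-f]{2}\s)+\s*(\w+)\s*(.*?)\s*$')
MEM_RE = re.compile(r'^(-?0x[0-9a-f]+)?\((%\w+)\)$')   # plain disp(%reg) operands only

def split_operands(text):
    """Split AT&T operands on top-level commas only (not the ones inside parentheses)."""
    ops, depth, cur = [], 0, ''
    for ch in text:
        depth += (ch == '(') - (ch == ')')
        if ch == ',' and depth == 0:
            ops.append(cur.strip()); cur = ''
        else:
            cur += ch
    return ops + ([cur.strip()] if cur.strip() else [])

def parse(dump):
    """objdump lines -> [(address, mnemonic, [operands])]; non-instruction lines are skipped."""
    out = []
    for line in dump.splitlines():
        m = INSN_RE.match(line)
        if m:
            out.append((int(m.group(1), 16), m.group(2), split_operands(m.group(3))))
    return out

def read(src, regs):
    """Statically known value of a source operand, or None when it is unknown."""
    if src.startswith('$'):
        return int(src[1:], 16)
    return regs.get(src[1:]) if src.startswith('%') else None   # %esp/%ebp, memory -> None

def write(dst, val, regs, stack):
    """Store to a tracked register or an %esp-relative argument slot; other stores are ignored."""
    m = MEM_RE.match(dst)
    if dst.startswith('%') and dst[1:] in regs:
        regs[dst[1:]] = val
    elif m and m.group(2) == '%esp':
        stack[int(m.group(1), 16) if m.group(1) else 0] = val

def resolve_memsets(insns):
    """Return [(call_addr, dest, value, size)] for every memset@plt call in insns."""
    regs = dict.fromkeys(('eax', 'ebx', 'ecx', 'edx', 'esi', 'edi'))
    stack, found = {}, []
    for i, (addr, mn, ops) in enumerate(insns):
        if mn == 'call':
            if 'memset' in ops[0]:               # args sit at (%esp), 4(%esp), 8(%esp)
                found.append((addr, stack.get(0), stack.get(4), stack.get(8)))
                regs['eax'] = None
            elif int(ops[0].split()[0], 16) == THUNK_ADDR and i + 1 < len(insns):
                regs['ebx'] = insns[i + 1][0]    # thunk: %ebx = return address
            else:
                regs['eax'] = None               # any other call clobbers %eax
        elif mn in ('mov', 'movl'):
            write(ops[1], read(ops[0], regs), regs, stack)
        elif mn == 'xor' and ops[0] == ops[1]:   # xor %r,%r zeroes %r
            write(ops[1], 0, regs, stack)
        elif mn == 'lea':                        # lea disp(%base),%r -> %r = base + disp
            m = MEM_RE.match(ops[0])
            base = regs.get(m.group(2)[1:]) if m else None
            disp = int(m.group(1), 16) if m and m.group(1) else 0
            write(ops[1], None if base is None else base + disp, regs, stack)
        elif mn == 'add' and ops[0].startswith('$'):
            cur = read(ops[1], regs)
            write(ops[1], None if cur is None else cur + int(ops[0][1:], 16), regs, stack)
    return found

if __name__ == '__main__':
    for call_addr, dest, value, size in resolve_memsets(parse(DUMP)):
        print(f'{call_addr:x}: memset((void *)0x{dest:x}, {value}, 0x{size:x});')
```

The values it prints are offsets inside the .so image, exactly like the 0x1fbca40 above: because the thunk-plus-add sequence is what makes the library position independent, the address a running process actually uses is the library's load base (readable from /proc/PID/maps) plus that offset, which is also why a breakpoint set in gdb on the memset call shows a different, base-adjusted number in %eax.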

    3. #3
      Member stealth93 is on a distinguished road
      Join Date
      Oct 2008
      Posts
      50
      Thanks
      13
      Thanked 23 Times in 10 Posts

      Re: [ET Linux] Help finding offsets cgs, cg_entities, etc

      Found what I was looking for, I appreciate your help and the detailed explanation. Now onto CG_RailTrail2...
