I didn't fully understand the magic stuff and database thing but apparently you want to find what causes the segfault.
When a program crashes it should generate a core dump file. On more or less modern systems it should be in /var/lib/systemd/coredump, named something like core.cod2_lnxded.1000.etc.
Move this core dump to your home dir; if it's compressed (lz4), unlz4 it (unlz4 filename.lz4), move the uncompressed core dump to your cod2_lnxded dir and start GDB like:
```
gdb cod2_lnxded corefilename
```
You should see the crash now (if not, type 'bt'). The address where it crashed should be the topmost one. Search this address in IDA and it should point you to the spot of the crash (probably it will be inside some sub).
If you can't understand what exactly this function does, you probably want to hook it.
Hooking is quite easy; there are multiple ways to do it. Basically you redirect this function, do some stuff (e.g. read its params) and call the original function. You can hook a function, hook a function call, or use a cHook class.
For hooking a function, use the way kung posted above; for a function call there are a lot of references in libcod.cpp (just search cracking_hook_call), but basically it works like:
```c
void hook_test_func(int a1, int a2); // prototype, since the hook is installed before the definition

// In your init code: redirect the call at 0812A3EC (originally to sub_812A004) to the hook
cracking_hook_call(0x0812A3EC, (int)hook_test_func);

void hook_test_func(int a1, int a2) {
    printf("Test: %i, %i\n", a1, a2);
    // Pointer to the original function, so it can be called after doing our stuff
    int (*Orig)(int a1, int a2);
    *(int *)&Orig = 0x0812A004; // The real address of the function you are trying to hook as a call
    Orig(a1, a2);
}
```
1. Hook the call
2. Get stuff and do stuff
3. Call the original
You can find where the function (e.g. sub_812A004) is called by just searching it as text in IDA, and you will find something like:
```
.text:0812A3EC call sub_812A004
```
Where 0812A3EC is the hook call address.
You don't have to call the original function if you are rewriting it as a reverse; for this you can also use cracking_hook_function, but do NOT use cracking_hook_function if you are calling the original inside a hooked function. Reversing though can be a lot of pain in the arse. As kung said above, you can look at the q3 source to see some useful references.
BTW: I had segfaults with the playFxOnTag() function, which was related to models without that tag in some way. Also feel free to upload your coredump file, or share the code where that crash is, so we can look for it as well.
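To show the mechanics behind the call hook described in the post, here is an added example (not code from the post or from libcod) that decodes the 5-byte x86 near call at 0812A3EC, computes the rel32 it needs to reach a different target, and rewrites it on a constructed copy of the bytes. It assumes cracking_hook_call works by rewriting that rel32 displacement in the live text segment; the hook address 0x08200000 is hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* x86 near call: opcode E8 followed by a 32-bit displacement relative to
 * the address of the next instruction (call_addr + 5). */
#define CALL_LEN 5

/* Decode the target of a 5-byte E8 call located at call_addr.
 * Returns 0 if the bytes are not an E8 call. */
uint32_t call_target(uint32_t call_addr, const uint8_t bytes[CALL_LEN]) {
    int32_t rel;
    if (bytes[0] != 0xE8) return 0;
    memcpy(&rel, bytes + 1, 4);               /* little-endian rel32 */
    return (uint32_t)(call_addr + CALL_LEN + rel);
}

/* Compute the rel32 a call at call_addr must carry to reach new_target. */
int32_t call_rel32(uint32_t call_addr, uint32_t new_target) {
    return (int32_t)(new_target - (call_addr + CALL_LEN));
}

/* Rewrite the displacement in place so the call reaches new_target.
 * A real call hook does this to the live text segment (after making the
 * page writable); here it operates on a constructed copy of the bytes. */
int rehook_call(uint32_t call_addr, uint8_t bytes[CALL_LEN], uint32_t new_target) {
    int32_t rel;
    if (bytes[0] != 0xE8) return -1;           /* refuse to patch a non-call */
    rel = call_rel32(call_addr, new_target);
    memcpy(bytes + 1, &rel, 4);
    return 0;
}

int main(void) {
    /* Constructed bytes for ".text:0812A3EC call sub_812A004": E8 13 FC FF FF */
    uint8_t insn[CALL_LEN] = { 0xE8, 0x13, 0xFC, 0xFF, 0xFF };
    uint32_t hook = 0x08200000; /* hypothetical address of hook_test_func */
    printf("original target: 0x%08X\n", call_target(0x0812A3EC, insn));
    rehook_call(0x0812A3EC, insn, hook);
    printf("patched target:  0x%08X\n", call_target(0x0812A3EC, insn));
    return 0;
}
```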