
Thread: Pro tips for hooking up the function

#21 Whiskas (Private)
    Quote Originally Posted by kung foo man:
    Do you have a new core dump? The crash should be on another address now, since the old function is overwritten (just to check if it was really hooked).
    Yes I do:

    Code:
    Core was generated by `./cod2_lnxded_1_0 +set net_port 28960 +set dedicated 2 +set fs_game whiskys.lai'.
    Program terminated with signal SIGSEGV, Segmentation fault.
    #0  0xb76d9b42 in ?? ()
    (gdb) bt
    #0  0xb76d9b42 in ?? ()
    #1  0x00000057 in ?? ()
    #2  0x00000057 in ?? ()
    #3  0xbff2a668 in ?? ()
    #4  0x0808f697 in ?? ()
    #5  0x0808fa6f in ?? ()
    #6  0x080943e1 in ?? ()
    #7  0x08061779 in ?? ()
    #8  0x08062451 in ?? ()
    #9  0x0806251d in ?? ()
    #10 0x080d2b22 in ?? ()
    #11 0xb73e7a83 in __libc_start_main (main=0x80d2990, argc=12, argv=0xbff2ecc4,
        init=0x8049b90, fini=0x8139b50, rtld_fini=0xb7782180 <_dl_fini>,
        stack_end=0xbff2ecbc) at libc-start.c:287
    #12 0x0804a4d1 in ?? ()
    Not sure how to find such an address in libcod's file.

    Edit: Hmm, the core dump says it's made before your code was implemented (it was voron's version without your if statements). Not sure if the core file is overwritten at every crash.
    Last edited by Whiskas; 8th May 2016 at 18:43. Reason: I was probably wrong.

#22 kung foo man (Assadministrator)
    Hm, I wonder if #0 is really the last executed opcode address (program counter, aka PC), since the backtrace should probably be a bit more similar. Can you post the output of "layout asm" in gdb?


    Should look something like this:

    Code:
       ┌───────────────────────────────────────────────────────────────────────────┐
       │0x7ffff740d756 <__libc_start_main+214>  mov    0x39670b(%rip),%rax        #│
       │0x7ffff740d75d <__libc_start_main+221>  mov    0x8(%rsp),%rsi              │
       │0x7ffff740d762 <__libc_start_main+226>  mov    0x14(%rsp),%edi             │
       │0x7ffff740d766 <__libc_start_main+230>  mov    (%rax),%rdx                 │
       │0x7ffff740d769 <__libc_start_main+233>  callq  *0x18(%rsp)                 │
      >│0x7ffff740d76d <__libc_start_main+237>  mov    %eax,%edi                   │
       │0x7ffff740d76f <__libc_start_main+239>  callq  0x7ffff7427970 <exit>       │
       │0x7ffff740d774 <__libc_start_main+244>  xor    %edx,%edx                   │
       │0x7ffff740d776 <__libc_start_main+246>  jmpq   0x7ffff740d6b9 <__libc_start│
       │0x7ffff740d77b <__libc_start_main+251>  mov    0x39ca2e(%rip),%rax        #│
       │0x7ffff740d782 <__libc_start_main+258>  ror    $0x11,%rax                  │
       │0x7ffff740d786 <__libc_start_main+262>  xor    %fs:0x30,%rax               │
       │0x7ffff740d78f <__libc_start_main+271>  callq  *%rax                       │
       └───────────────────────────────────────────────────────────────────────────┘
    multi-thre process 3718 In: __libc_start_main     Line: ??   PC: 0x7ffff740d76d 
    #3  0x00007ffff7466eb5 in _IO_do_write () from /lib/x86_64-linux-gnu/libc.so.6
    #4  0x00007ffff74671ff in _IO_file_overflow ()
       from /lib/x86_64-linux-gnu/libc.so.6
    #5  0x0000000000408756 in ?? ()
    #6  0x0000000000403980 in ?? ()
    #7  0x00007ffff740d76d in __libc_start_main ()
       from /lib/x86_64-linux-gnu/libc.so.6
    (gdb)


#23 Whiskas (Private)
    Code:
       ┌──────────────────────────────────────────────────────────────────────────────┐
       │                                                                              │
       │                                                                              │
       │                                                                              │
       │                                                                              │
       │                                                                              │
       │                                                                              │
       │             [ No Assembly Available ]                                        │
       │                                                                              │
       │                                                                              │
       │                                                                              │
       │                                                                              │
       │                                                                              │
       │                                                                              │
       └──────────────────────────────────────────────────────────────────────────────┘
    multi-thre Thread 0xb7099 In:                            Line: ??   PC: 0xb76d9b42
    Cannot access memory at address 0xb76d9b42
    (gdb)

#24 voron00 (Corporal)
    [attached screenshot]
    Original crash, without overwriting in libcod.


#25 Whiskas (Private)
    Got some news about the source of the segfault.

    Kung's code didn't work, because the if statement is not what's causing the server to crash.

    I've added a few more prints:

    PHP Code:
    #include <stdio.h>
    #include <stdint.h>

    int hook_BG_IsWeaponValid(int a1, int a2) {
        printf("hook_BG_IsWeaponValid -- Begin\n");
        printf("hook_BG_IsWeaponValid -- 1 a1 : %i, a2 : %i \n", a1, a2);

        int v3;
        char v4;

        /* function pointers filled in with the fixed addresses of the original game functions */
        signed int (*sub_80E9758)(int a1);
        *(int *)&sub_80E9758 = 0x80E9758;

        printf("hook_BG_IsWeaponValid -- 2 a1 : %i \n", a1);

        int (*sub_80D9E84)(int a1, signed int a2);
        *(int *)&sub_80D9E84 = 0x80D9E84;

        printf("hook_BG_IsWeaponValid -- 3 a1 : %i, a2 : %i \n", a1, a2);

        int (*sub_80E9270)(int a1);
        *(int *)&sub_80E9270 = 0x80E9270;

        printf("hook_BG_IsWeaponValid -- 4 a1 : %i \n", a1);

        v4 = 1;
        if ( !(uint8_t)sub_80E9758(a2) )
            v4 = 0;
        printf("hook_BG_IsWeaponValid -- 5 a2 : %i \n", a2);
        if ( !(uint8_t)sub_80D9E84(a1 + 1348, a2) )
            v4 = 0;
        printf("hook_BG_IsWeaponValid -- 6 a2 : %i \n", a2);

        v3 = sub_80E9270(a2);
        /* v3 is dereferenced here before it is ever checked: if sub_80E9270 returned 0, this line segfaults */
        printf("hook_BG_IsWeaponValid -- Last weapon used: %s\n", *(char**)(v3 + 0));

        /* these checks compare an address (v3 or a1 plus an offset) against NULL, not the value stored there */
        if ((long *)(v3 + 132) == NULL)
        {
            printf("this would later crash 1\n");
            return 0;
        }
        if ((char *)(a1 + 1365) == NULL)
        {
            printf("this would later crash 2\n");
            return 0;
        }
        if ((char *)(a1 + 1366) == NULL)
        {
            printf("this would later crash 3\n");
            return 0;
        }
        if ((long *)(v3 + 876) == NULL)
        {
            printf("this would later crash 4\n");
            return 0;
        }
        printf("hook_BG_IsWeaponValid -- After Kungs IF statements \n");
        if ( !*(long *)(v3 + 132) && *(char *)(a1 + 1365) != a2 && *(char *)(a1 + 1366) != a2 && *(long *)(v3 + 876) != a2 )
            v4 = 0;
        printf("hook_BG_IsWeaponValid -- After IF statement \n");
        // printf("Testcall\n");

        return (uint8_t)v4;
    }

    Logs of the two last segfaults:

    Code:
    hook_BG_IsWeaponValid -- 6 a2 : 0 
    hook_BG_IsWeaponValid -- Last weapon used: none
    hook_BG_IsWeaponValid -- After Kungs IF statements 
    hook_BG_IsWeaponValid -- After IF statement 
    hook_BG_IsWeaponValid -- Begin
    hook_BG_IsWeaponValid -- 1 a1 : 141507876, a2 : 111 
    hook_BG_IsWeaponValid -- 2 a1 : 141507876 
    hook_BG_IsWeaponValid -- 3 a1 : 141507876, a2 : 111 
    hook_BG_IsWeaponValid -- 4 a1 : 141507876 
    hook_BG_IsWeaponValid -- 5 a2 : 111 
    hook_BG_IsWeaponValid -- 6 a2 : 111 
    Segmentation fault (core dumped)
    Code:
    hook_BG_IsWeaponValid -- After Kungs IF statements 
    hook_BG_IsWeaponValid -- After IF statement 
    hook_BG_IsWeaponValid -- Begin
    hook_BG_IsWeaponValid -- 1 a1 : 141559896, a2 : 211 
    hook_BG_IsWeaponValid -- 2 a1 : 141559896 
    hook_BG_IsWeaponValid -- 3 a1 : 141559896, a2 : 211 
    hook_BG_IsWeaponValid -- 4 a1 : 141559896 
    hook_BG_IsWeaponValid -- 5 a2 : 211 
    hook_BG_IsWeaponValid -- 6 a2 : 211 
    Segmentation fault (core dumped)
    As we can see, it ends at v3 = sub_80E9270(a2); which is:

    PHP Code:
    int __cdecl sub_80E9270(int a1)
    {
      return dword_8576160[a1];
    }

    According to this thread https://killtube.org/showthread.php?2067-Server-Crash&p=11792&viewfull=1#post11792 I'll have to pay more attention to weapon functions. I'll let you know if I find anything.


#26 kung foo man (Assadministrator)
    Ok, after watching the pointer logic going on here a bit longer, I just realized my ifs were totally useless; they actually can't check anything. They basically add a number to 0 or greater and test if that number is still 0.

    Let's name that function getWeaponStruct_80E9270 (based on Mitch's comment in the Server Crash thread).

    Let's dissect:

    PHP Code:
    int __cdecl getWeaponStruct_80E9270(int a1)
    {
      return dword_8576160[a1];
    }

    The [] is basically syntactic sugar for:

    PHP Code:
    int __cdecl getWeaponStruct_80E9270(int a1)
    {
      return *((int *)0x8576160 + a1);
    }

    Same game here: this function just cannot fail. It will always point to a valid array element address, given your debug-printed a1 values of 111 and 211. It could only fail with very large numbers (either positive or negative).

    The only reason you don't see the printf after that line is that you dereference v3 in the next printf:

    PHP Code:
    printf("hook_BG_IsWeaponValid -- Last weapon used: %s\n", *(char**)(v3 + 0));
    And I guess that's the whole problem here, getWeaponStruct() probably returns 0.

    So the only thing you need to check for in hook_BG_IsWeaponValid() should be:
    PHP Code:
        if ( ! v3)
        {
            printf("Warning: getWeaponStruct(%d) returned 0!\n", a2);
            return 0;
        }
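To make the point of this post concrete, here is an added example (my own code, not libcod's and not code from anyone in the thread) that builds a constructed weapon table with empty slots at the indices seen in the logs, shows that a check of the form (long *)(v3 + 132) == NULL can never fire for an empty slot, and shows the if (!v3) guard that does catch it. The table, the weapon names, the table size and the bounds check in getWeaponStruct() are all assumptions for this demo; the game's real function, as explained above, is plain array indexing with no bounds check.

```c
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for the game's weapon table (dword_8576160 in the
 * decompiled code): an array of pointers to per-weapon structs, indexed by
 * the weapon number a2. Slots that were never filled stay 0. All names and
 * the table size are made up for this demo. */
typedef struct {
    const char *name;   /* offset 0: the field the crashing printf reads */
} weapon_t;

#define WEAPON_TABLE_SIZE 256

static weapon_t g_knife = { "knife" };
static weapon_t g_colt  = { "colt" };
static weapon_t *g_weapon_table[WEAPON_TABLE_SIZE] = {
    [0]   = &g_knife,
    [111] = &g_colt,
    /* 213 and 218 deliberately left empty, like the values in the logs */
};

/* Stand-in for getWeaponStruct_80E9270(): plain array indexing that returns
 * the element as an integer, the same shape as the decompiled function.
 * The bounds check is an assumption for this demo; the game's function has none. */
uintptr_t getWeaponStruct(int a1) {
    if (a1 < 0 || a1 >= WEAPON_TABLE_SIZE)
        return 0;
    return (uintptr_t)g_weapon_table[a1];
}

/* The kind of check added earlier in the thread: it tests whether v3 + 132,
 * an address computed from v3, is NULL. For v3 == 0 that address is 132, not
 * NULL, so the empty slot is never caught. It returns 1 only for the absurd
 * case v3 == (uintptr_t)-132, where the addition wraps to 0. */
int offset_check_fires(uintptr_t v3) {
    return (long *)(v3 + 132) == NULL;
}

/* The fix: test the returned pointer itself before using it. Returns the
 * weapon name, or NULL (after the warning) for an empty slot, instead of
 * reading through address 0 and segfaulting. */
const char *weapon_name_or_null(int a2) {
    uintptr_t v3 = getWeaponStruct(a2);
    if (!v3) {
        printf("Warning: getWeaponStruct(%d) returned 0!\n", a2);
        return NULL;
    }
    return *(const char **)(v3 + 0);  /* same read as the original printf, now guarded */
}

int main(void) {
    int probes[] = { 111, 213, 218 };   /* constructed: one filled slot, two empty ones */
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        uintptr_t v3 = getWeaponStruct(probes[i]);
        const char *name = weapon_name_or_null(probes[i]);
        printf("a2=%d v3=%#lx offset-check fires: %d name: %s\n",
               probes[i], (unsigned long)v3, offset_check_fires(v3),
               name ? name : "(none)");
    }
    return 0;
}
```

Running it prints the warning for 213 and 218 and shows offset-check fires: 0 for every probe, including the empty slots, which is exactly why those checks never caught the crash.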


#27 Whiskas (Private)

    Code:
    hook_BG_IsWeaponValid -- 5 a2 : 218 
    hook_BG_IsWeaponValid -- 6 a2 : 218 
    hook_BG_IsWeaponValid -- 7 After v3 = 80E9270(a2) 
    Warning: getWeaponStruct(218) returned 0!
    hook_BG_IsWeaponValid -- 5 a2 : 218 
    hook_BG_IsWeaponValid -- 6 a2 : 218 
    hook_BG_IsWeaponValid -- 7 After v3 = 80E9270(a2) 
    Warning: getWeaponStruct(218) returned 0!
    hook_BG_IsWeaponValid -- 5 a2 : 213 
    hook_BG_IsWeaponValid -- 6 a2 : 213 
    hook_BG_IsWeaponValid -- 7 After v3 = 80E9270(a2) 
    Warning: getWeaponStruct(213) returned 0!
    hook_BG_IsWeaponValid -- 5 a2 : 213 
    hook_BG_IsWeaponValid -- 6 a2 : 213 
    hook_BG_IsWeaponValid -- 7 After v3 = 80E9270(a2) 
    Warning: getWeaponStruct(213) returned 0!
    This totally solved my problem, thank you Kung! You are a wise man.


    P.S.
    IMO, it should be added to libcod's repository


#28 voron00 (Corporal)
    Great, I will add it soon, I just need to find the offsets for 1.2 and 1.3 too.

    Edit: Ok here it is: https://github.com/voron00/libcod/co...0a0ec3a4958125

    Didn't test on 1.2, but the offsets seem correct, so
    Last edited by voron00; 12th May 2016 at 16:07.
