LWSS / McDota

Dota 2 Linux Cheat
GNU General Public License v3.0

Updating function call padding #48

Closed darksoul577 closed 4 years ago

darksoul577 commented 4 years ago

What's the best way that you've found to keep the function call padding up to date in your classes? For example, in CBaseEntity and CBaseCombatCharacter?

With the frequent updates to the game these probably get changed a lot with the addition of new functions. Do you use an automated program like what PrayDog built or do you manually reverse engineer the classes with each update? And if you reverse engineer, do you use IDA or something else?

Thank you in advance!

LWSS commented 4 years ago

I run "integrity checks" on startup to see if the number of vfuncs has changed. If so, I go fix it manually, it's not that bad when you get used to it.

Yes, I use IDA Free. I used to have IDA scripts that would update these for me, but Valve did a compiler update and busted all the function diffs; it was too much work to maintain at that point compared to just updating them myself. When I first started the project it was every other day or so and was very cancerous to deal with; nowadays they rarely change.

darksoul577 commented 4 years ago

Thanks man, I appreciate the fast response. I did see the CountVMs function, which from what I can tell looks to see if a portion of memory is executable, and if so increments to the next portion of memory. Pretty smart stuff.

In your code that I ported to Windows, I'm able to get to the CGameEntitySystem and iterate through the entities. I can call the first virtual function for a CBaseEntity. For example, for my hero at index 748, when I call "entity->Schema_DynamicBinding()->binaryName" I get the correct output "C_DOTA_Unit_Hero_Lion".

The issue I have is that the rest of the virtual functions seem to be organized differently for Windows than in Linux, and IDA doesn't give a whole lot of strings. For example, in IDA (with the Class Informer and Function String Associate plugins), the C_BaseEntity vftable shows as:

.rdata:0000000181923280 ; class C_BaseEntity: C_GameEntity, CEntityInstance, IHandleEntity, IPredictionCopyable, IParticlePropertyOuter; [MI] (#classinformer)
.rdata:0000000181923280 dq offset ??_R4C_BaseEntity@@6B@ ; const C_BaseEntity::`RTTI Complete Object Locator'
.rdata:0000000181923288 ; const C_BaseEntity::`vftable'
.rdata:0000000181923288 ??_7C_BaseEntity@@6B@ dq offset sub_180714E80
.rdata:0000000181923288 ; DATA XREF: sub_1806F1020+1E↑o
.rdata:0000000181923288 ; sub_1806F1670+F↑o
.rdata:0000000181923290 dq offset sub_180127D90
.rdata:0000000181923298 dq offset sub_180109A50
.rdata:00000001819232A0 dq offset sub_1801C97A0
.rdata:00000001819232A8 dq offset sub_18011F5C0
.rdata:00000001819232B0 dq offset sub_18010C000
.rdata:00000001819232B8 dq offset sub_1806F14E0
.rdata:00000001819232C0 dq offset sub_18014B000
.rdata:00000001819232C8 dq offset sub_1806F2F40 ; #STR: "postdataupdate"
.rdata:00000001819232D0 dq offset sub_1806F1990
.rdata:00000001819232D8 dq offset sub_1806F1C40
.rdata:00000001819232E0 dq offset sub_1806F6080
.rdata:00000001819232E8 dq offset sub_1806F2DF0
.rdata:00000001819232F0 dq offset sub_180123180
.rdata:00000001819232F8 dq offset sub_180126080
.rdata:0000000181923300 dq offset sub_1806F87E0
.rdata:0000000181923308 dq offset sub_180126070
.rdata:0000000181923310 dq offset sub_1806F87B0
.rdata:0000000181923318 dq offset sub_1800F15B0
.rdata:0000000181923320 dq offset sub_180109A40

[…]

As you can see, there is very little to work with to guess what each virtual function is (really only postdataupdate and a couple of others I don't really care about). Did you have this problem in Linux too, and if so how did you deal with it?
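An added example (not code from the McDota project or from either poster) that turns an IDA `.rdata` vftable listing like the one quoted above into numbered virtual slots: it anchors slot 0 at the `??_7...` vftable symbol, skips the RTTI locator and XREF/comment lines, and pulls out the few `#STR:` annotations so the string-tagged slots (here `postdataupdate`) can be located by index rather than by eye. The sample listing is a trimmed, re-lined copy of the one in the comment; the regex assumes IDA's default `dq offset` formatting.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Dict

# Constructed sample: a trimmed copy of the IDA listing quoted in this issue,
# one entry per line as IDA prints it (the copy pasted above was flattened).
SAMPLE_LISTING = """\
.rdata:0000000181923280 dq offset ??_R4C_BaseEntity@@6B@ ; const C_BaseEntity::`RTTI Complete Object Locator'
.rdata:0000000181923288 ; const C_BaseEntity::`vftable'
.rdata:0000000181923288 ??_7C_BaseEntity@@6B@ dq offset sub_180714E80
.rdata:0000000181923288 ; DATA XREF: sub_1806F1020+1E↑o
.rdata:0000000181923290 dq offset sub_180127D90
.rdata:0000000181923298 dq offset sub_180109A50
.rdata:00000001819232A0 dq offset sub_1801C97A0
.rdata:00000001819232A8 dq offset sub_18011F5C0
.rdata:00000001819232B0 dq offset sub_18010C000
.rdata:00000001819232B8 dq offset sub_1806F14E0
.rdata:00000001819232C0 dq offset sub_18014B000
.rdata:00000001819232C8 dq offset sub_1806F2F40 ; #STR: "postdataupdate"
.rdata:00000001819232D0 dq offset sub_1806F1990
"""

# One 8-byte pointer slot: address, optional vftable symbol, target, optional #STR hint.
ENTRY_RE = re.compile(
    r"^\.rdata:(?P<addr>[0-9A-Fa-f]{16})\s+"
    r"(?:(?P<sym>\?\?_7\S+)\s+)?"            # ??_7Class@@6B@ marks slot 0
    r"dq offset (?P<target>\S+)"
    r'(?:\s*;\s*#STR:\s*"(?P<str>[^"]*)")?'  # Function String Associate comment
)

@dataclass
class Slot:
    index: int            # virtual slot number, i.e. (address - vftable) / 8
    address: int
    target: str           # sub_xxx the slot points at
    string_hint: Optional[str]

def parse_vtable(listing: str) -> List[Slot]:
    """Return the vftable's slots in order; lines before the ??_7 symbol are ignored."""
    base = None
    slots: List[Slot] = []
    for line in listing.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue                     # XREF / comment-only lines
        addr = int(m["addr"], 16)
        if m["sym"]:
            base = addr                  # first real slot
        if base is None:
            continue                     # RTTI Complete Object Locator, not a vfunc
        slots.append(Slot((addr - base) // 8, addr, m["target"], m["str"]))
    return slots

def string_hints(slots: List[Slot]) -> Dict[int, str]:
    """Slot index -> associated string: the usable clues when symbols are absent."""
    return {s.index: s.string_hint for s in slots if s.string_hint}
```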

LWSS commented 4 years ago

Yeah, this is when you need to put the (debug bin/last IDA database) side-by-side with the retail and go through each one and see if the code is similar. I normally go by 10s until I find a mismatch and then go back a few.

Also, the Windows version is going to be about the same; I know one difference is that the Linux version has 2 destructors for some reason.

darksoul577 commented 4 years ago

For the debug bin/last IDA database, you're referring to the 2016 Mac version that had full debugging information included?

LWSS commented 4 years ago

Yep, that's a valuable source of information.

Also, you might find another treat in this manifest 3040374730712014712 :)

Eastonn commented 4 years ago

Can someone share a link to download this leak? Sorry, I cannot find it by myself; excuse me.

darksoul577 commented 4 years ago

I believe it was pulled from the Steam depot, as I could not find it there either. However, Paw on UnknownCheats archived a debug version from 26-Jul-2018; I think this may be the one that LWSS was referring to:

https://www.unknowncheats.me/forum/counterstrike-global-offensive/292816-mac-binaries-symbols.html

LWSS commented 4 years ago

That one is not from 2018; I've checked it out before, it's missing Monkey King in the client.

darksoul577 commented 4 years ago

Ugh... just got all the virtual functions set up exactly how I wanted them and then we got hit with like 5 updates in the past day. What a pain in the @ss!

LWSS commented 4 years ago

Yeah, they changed quite a bit with the Battle Pass 2020; should be fixed now.

darksoul577 commented 4 years ago

I saw your comment in CParticleSystemMgr.h that CreateParticleCollection vfunc offset might be changed. In Windows, the offset of that vfunc was changed, by swapping its position with CreateParticleCollection_Handle, as follows:

virtual CParticleCollection* CreateParticleCollection_Handle(CWeakHandle_InfoForResourceTypeIParticleSystemDefinition* info, void*, IParticleSystemQuery*, bool, float, int) = 0; //offset 17

virtual CParticleCollection* CreateParticleCollection(const char*, void*, IParticleSystemQuery*, bool, float, int) = 0; //offset 18

virtual void DestroyParticleCollection(CParticleCollection*) = 0; //offset 19

One other thing I think you might be interested in is https://www.unknowncheats.me/forum/other-mmorpg-and-strategy/324989-dota-2-camera-tool.html. In that cheat he disables the particle fog of war, so that all particle effects map-wide are visible. He's using Cheat Engine, but I'm wondering if the virtual void SetDormant(bool state) vfunc in CParticleCollection might do the same thing. I haven't tested it myself, since the CParticleCollection vtable is much different for Windows and I haven't yet updated all of the vfunc offsets.

LWSS commented 4 years ago

There is a console command to do that too; I would probably start looking there.

Are you making something like nobling? That's kinda what I had in mind with that particle crap.