Rebuilding CCBACharacter members

[HL-SDK]

Code:

mov     edx, [esi+3Ch]
mov     eax, dword_377ED910
mov     ecx, [eax]
push    edx
push    offset aTrue_1  ; "true "
push    offset aCcbacharacterf ; "== CCBACharacterFX::UpdateAimAt(%s) hSe"...
push    eax
mov     eax, [ecx+18h]
call    eax
mov     eax, dword_377ED910
mov     ecx, [eax]
mov     edx, [ecx+18h]
push    offset aTrue    ; "TRUE"
push    offset aBhandleyawS ; "  bHandleYaw : %s"
push    eax
call    edx
fld     dword ptr [esi+88h]
mov     eax, dword_377ED910
fstp    [esp+5Ch+var_48]
mov     ecx, [eax]
mov     edx, [ecx+18h]
add     esp, 14h
push    offset aM_cs_fpitchacc ; "  m_cs.fPitchAccel : %f"
push    eax
call    edx
fld     dword ptr [esi+8Ch]
mov     eax, dword_377ED910
fstp    [esp+50h+var_48]
mov     ecx, [eax]
mov     edx, [ecx+18h]
add     esp, 8
push    offset aM_cs_fyawaccel ; "  m_cs.fYawAccel   : %f"
push    eax
call    edx
fld     dword ptr [esi+80h]
mov     eax, dword_377ED910
fstp    [esp+50h+var_48]
mov     ecx, [eax]
mov     edx, [ecx+18h]
add     esp, 8
push    offset aM_cs_fpitchvel ; "  m_cs.fPitchVel   : %f"
push    eax
call    edx
fld     dword ptr [esi+84h]
mov     eax, dword_377ED910
fstp    [esp+50h+var_48]
mov     ecx, [eax]
mov     edx, [ecx+18h]
add     esp, 8
push    offset aM_cs_fyawvelF ; "  m_cs.fYawVel     : %f"
push    eax
call    edx
fld     dword ptr [esi+78h]
mov     eax, dword_377ED910
fstp    [esp+50h+var_48]
mov     ecx, [eax]
mov     edx, [ecx+18h]
add     esp, 8
push    offset aM_cs_fpitchF ; "  m_cs.fPitch      : %f"
push    eax
call    edx
fld     dword ptr [esi+7Ch]
mov     eax, dword_377ED910
fstp    [esp+50h+var_48]
mov     ecx, [eax]
mov     edx, [ecx+18h]
add     esp, 8
push    offset aM_cs_fyawF ; "  m_cs.fYaw        : %f"
push    eax
call    edx
fld     dword ptr [esi+5E8h]
mov     eax, dword_377ED910
fstp    [esp+50h+var_48]
mov     ecx, [eax]
mov     edx, [ecx+18h]
add     esp, 8
push    offset aM_faimpitchvel ; "  m_fAimPitchVel   : %f"
push    eax
call    edx
mov     eax, dword_377ED910
mov     ecx, [eax]
fld     dword ptr [esi+5ECh]
mov     edx, [ecx+18h]
add     esp, 8
fstp    [esp+48h+var_48]
push    offset aM_ftwistyawvel ; "  m_fTwistYawVel   : %f"
push    eax
call    edx
fld     dword ptr [esi+5E0h]
mov     eax, dword_377ED910
fstp    [esp+50h+var_48]
mov     ecx, [eax]
mov     edx, [ecx+18h]
add     esp, 8
push    offset aM_fpitchF ; "  m_fPitch         : %f"
push    eax
call    edx
fld     dword ptr [esi+5E4h]
mov     eax, dword_377ED910
fstp    [esp+50h+var_48]
mov     ecx, [eax]
mov     edx, [ecx+18h]
add     esp, 8
push    offset aM_fyawF ; "  m_fYaw           : %f"
push    eax
call    edx
mov     eax, dword_377ED910
mov     ecx, [eax]
mov     edx, [ecx+18h]
push    offset asc_376E9E88 ; "======================================="...
push    eax
call    edx
add     esp, 18h

You see that
mov eax, dword_377ED910
mov ecx, [eax]
mov edx, [ecx+18h]
loads EDX with a pointer to a relatively interesting function.
My guess is that it is a console output function. I haven't been able to debug the game yet. Assistance with that would be greatly appreciated.

Anyway, for some more important stuff, esi should be a player pointer (not tested)

typedef struct playerangles_s
{
float fPitch;
float fYaw;
float fPitchVel;
float fYawVel;
float fPitchAccel;
float fYawAccel;
} playerangles_t


typedef struct player_s
{
//Waste 0x78? bytes here
playerangles_t m_cs;
} player_t

player_t* otherguy = GetOtherGuy(); //Probably same for local player.
otherguy->m_cs.fPitch;
otherguy->m_cs.fYaw;

In the function from which I obtained these addresses, ecx held a value that was stored in esi soon on, which leads me to believe this is a __thiscall function. There is a function argument passed, I do not know its purpose.

Using RTTI, I found it is a member of CCBACharacterFX.


More questionably useful information later.

---
EDIT

Oh, and I was pretty serious about the debugging ability. If I am able to sit in IDA and breakpoint functions, it makes everything MUCH easier. My "unpacked?" version of CShell still has some packed code in it, in particularly useful locations like member functions. Having this data would be incredibly useful as well. I give my thanks to MPGH and all of the helpful people here.

[freedompeace]

HOLY SHOOT ! Something original from someone amazing.

Too bad code tags are mutilated at 3 characters in mobile theme (and I cant get out of it)

[Stephen]

Wow, Someone who knows how to code O.O

[IcySeal]

Wow, Someone who knows how to code O.O

So rare these days ya know?

[CodeDemon]

Wow, Someone who knows how to code O.O

QFT, Nice share! Welcome to the CA Source Code Section!

[Stephen]

Struct and names are wrong.

[freedompeace]

Struct and names are wrong.

What are you talking about? S:

You can name your structs however you want . . .

[HL-SDK]

Please pardon me if this double post is unnessecary. I'd say it is worth the extra info

[php]
struct CCBAPlayerStats
{
vtable_ptr vtable;

char padding[0x18]; //0x1C (offset) - 0x04 (vtable)

player_ammocount* ammocount; /ay

char padding[0x08]; //0x24 (offset) - 0x1C (others)

player_info01* info_01; /ay
}[/php]


There are actually a huge number of vfuncs for this class. They are probably worth investigating.

---
EDIT

Stephen, if you have updated information on these classes and structures, please let me know. I'd kill for a MAC/linux binary or some debugging symbols.

[Stephen]

o.O .

Code:

---
EDIT

Stephen, if you have updated information on these classes and structures, please let me know. I'd kill for a MAC/linux binary or some debugging symbols.[/QUOTE]

I would too. Ima get my friend in here. see what he can do

[mmbob]

What are you talking about? S:

You can name your structs however you want . . .

There are names defined by the FEAR sdk for these classes.
@OP Soooo.... yeah?

[freedompeace]

There are names defined by the FEAR sdk for these classes.
@OP Soooo.... yeah?

Yes, but as a programmer, you can name the structures to whatever name suits you

[Mr.Magicman]

Yes, but as a programmer, you can name the structures to whatever name suits you

You do have a point.

[HL-SDK]

If anyone is interested in helping, like I mentioned: an improved CShell unpacking and some debugging help would be greatly appreciated. I won't be able to / feel like going much further without debugging. Currently I am in the CCBAPlayerMgr class looking at the 'target manager'

This would probably serve as the basis for a triggerbot, using a variable that changes when your crosshair is over another player.

[php]pTargetMgr = *(DWORD *)(playerMgr_ + 28);[/php]
There is a CPlayerMgr in addition to CCBAPlayerMgr. I can find much less about it due to a lack of cross references.

[CodeDemon]

If anyone is interested in helping, like I mentioned: an improved CShell unpacking and some debugging help would be greatly appreciated. I won't be able to / feel like going much further without debugging. Currently I am in the CCBAPlayerMgr class looking at the 'target manager'

This would probably serve as the basis for a triggerbot, using a variable that changes when your crosshair is over another player.

[php]pTargetMgr = *(DWORD *)(playerMgr_ + 28);[/php]

I'm guessing you used the CShell from my sticky? I'll see if I can get you one that is unpacked a bit better. But I am leaving at the moment unfortunately.

[HL-SDK]

I am using your 9-22 posted version, yes.

A better one would definitely help, although I'm not sure what can be done to improve the unpacking.