  1. #1 imaginarysss

    How to find offset of GetSFXMgr within GCS?

    As the title states, I would like to learn how to find the position of GetSFXMgr within GCS, but I can't seem to find it. Please don't just post me the updated GCS class, because I want to know how to find it myself. I searched around the forum with quite a few keywords but still can't find a thread on it.


    Thanks in advance.

  2. #2 Ch40zz-C0d3r
    Pointers are marked in red in ReClass (*-> 0xDEADBEEF).
    But I made an easier way to update it some years ago:

    Code:
    //The pattern of the virtual function, we gonna hook it so do this as early as possible so we dont miss the call!
    dwTmp = cMisc.FindPattern(dwCShellEntryPoint, dwCShellCodeSize, (PBYTE)"\x83\xC4\x0C\x88\x5E\x3F\xA1\x00\x00\x00\x00\x8B\x08\x8B\x51\x18", "xxxxxxx????xxxxx");
    dwAdrTbl[24] = dwTmp + 0x70; //- 0x40; //GetSFXMgr virtual
    dwJumpbackGetSfxMgr = dwAdrTbl[24] + 0x6;
    sfxMgrECXOffset = (DWORD)*(DWORD*)(dwAdrTbl[24] + 0x2);
    
    //Saving the original bytes before hooking
    ReadProcessMemory(GetCurrentProcess(), (void*)cMisc.dwAdrTbl[24], &origGetSFXMgrbytes, 6, 0); //GetSFXMgr virtual
    cMisc.CreateDetour((PBYTE)dwAdrTbl[24], (PBYTE)hkVGetSfxMgr, 6); //Hooking :|
    
    __declspec(naked) HRESULT WINAPI hkVGetSfxMgr()
    {
    	//Finally our hook, cMisc.sfxMgrECXPointer is your final offset - NOT ADDRESS
    	__asm pushad;
    	__asm MOV cMisc.sfxMgrECXPointer, ECX
    	__asm popad;
    	__asm LEA EAX, DWORD PTR DS:[ECX + 0x24B28]
    	__asm JMP dwJumpbackGetSfxMgr
    }
    
    if(!detouredGetSFXMgr && cMisc.sfxMgrECXPointer) //ReCopy the old bytes if our offset is valid
    {
    	cMisc.memcpy_s((void*)cMisc.dwAdrTbl[24], (void*)cMisc.origGetSFXMgrbytes, 6);
    	detouredGetSFXMgr = true;
    }
    
    //And Finally - Lets add the offset to the base and set our pointer to the class
    pSFXMgr = (cSFXMgr*)(cMisc.sfxMgrECXPointer + cMisc.sfxMgrECXOffset);
    Please, please read my comments and don't be stupid. The sigscan COULD be wrong, or the static offset 0x24B28 in the hook has to be updated before using it. Always take a look at Olly.
    Last edited by Ch40zz-C0d3r; 12-02-2013 at 05:46 AM.

    Progress with my game - "Disbanded"
    • Fixed FPS lag on spawning entities due to the ent_preload buffer!
    • Edit the AI code to get some better pathfinding
    • Fixed the view bug within the sniper scope view. The mirror entity is invisible now!
    • Added a new silencer for ALL weapons. Also fixed the rotation bugs
    • Added a ton of new weapons and the choice to choose a silencer for every weapon
    • Created a simple AntiCheat, noobs will cry like hell xD
    • The name will be Disbanded, the alpha starts on the 18th august 2014



    Some new physics fun (Serversided, works on every client)



    My new AI
    https://www.youtube.com/watch?v=EMSB1GbBVl8

    And for sure my 8 months old gameplay with 2 friends
    https://www.youtube.com/watch?v=Na2kUdu4d_k


  4. #3 imaginarysss
    Hi, thanks for the reply.
    Right after your find pattern you added "0x70"; doesn't that mean you know the offset beforehand? O.o Your method seems to require some already reversed knowledge which I do not have. Also, when you hooked the function, you needed the offset, which I don't have.
    So, is it possible to find it just within IDA via strings or something else? I wish to find it from scratch. Thanks once again.

  5. #4 Ch40zz-C0d3r
    I couldn't sigscan the real function because it was too small, so I took some more bytes from another function, which means that I have to increase my actual address.
    The problem is that all these functions are dynamic because they are virtuals, so they don't refer to any other address.
    Just try out the sigscan and see if you get something valid. I can also post some old bytes later so you understand the hook better.


  6. #5 imaginarysss
    I see. Thanks for clarifying the offset part. I tried out the sig and it didn't return any result.
    Do you know of any way to find it manually in IDA? Currently I wish to start from scratch and avoid sig scanning if possible, so in future I can find it myself.

  7. #6 Ch40zz-C0d3r
    OK, I downloaded the latest NA CShell and it works perfectly fine.
    Let's do it step-by-step:

    1. Running the sigscan will result in:


    Code:
    dwTmp = cMisc.FindPattern(dwCShellEntryPoint, dwCShellCodeSize, (PBYTE)"\x83\xC4\x0C\x88\x5E\x3F\xA1\x00\x00\x00\x00\x8B\x08\x8B\x51\x18", "xxxxxxx????xxxxx");
    //dwTmp will result in 0x371CA1D0
    2. Adding the offset to reach our wanted Virtual Function:

    Code:
    dwAdrTbl[24] = dwTmp + 0x70; //dwAdrTbl[24] will result in 0x371CA240 => [LEA EAX, 0xADDRESS]
    dwJumpbackGetSfxMgr = dwAdrTbl[24] + 0x6; //dwJumpbackGetSfxMgr will result in 0x371CA246 => [RETN]
    sfxMgrECXOffset = (DWORD)*(DWORD*)(dwAdrTbl[24] + 0x2); //sfxMgrECXOffset will result in 0x1EFA8 => Offset to EAX
    3. Hooking the virtual to get ECX so we can add our already read offset to the base address:
    Code:
    ReadProcessMemory(GetCurrentProcess(), (void*)cMisc.dwAdrTbl[24], &origGetSFXMgrbytes, 6, 0); //Backup Original bytes e.g. memory
    cMisc.CreateDetour((PBYTE)dwAdrTbl[24], (PBYTE)hkVGetSfxMgr, 6); //Hook the function
    4. Reading ECX register value to get base address:
    Code:
    __declspec(naked) HRESULT WINAPI hkVGetSfxMgr()
    {
    	__asm pushad; //Save register
    	__asm MOV cMisc.sfxMgrECXPointer, ECX //Copy ECX (our basepointer) in a variable so we can use it in the hack later
    	__asm popad; //Reload saved register
    
    	//__asm LEA EAX, DWORD PTR DS:[ECX + 0x24B28] //Do the actual code we had overwritten with our hook
    	//Notice: You can see that the offset is clearly old, but you also know that we saved it already so no need to re-update it all the time
    	//Seems like I forgot to change this, it would crash, use instead:
    	__asm LEA EAX, DWORD PTR DS:[ECX + cMisc.sfxMgrECXOffset] //Will work on every update now
    
    	__asm JMP dwJumpbackGetSfxMgr //Jump back to the RETN instruction of the virtual
    }
    5. Use this information:
    Now that we have all the information, let's use it!

    Code:
    if(!detouredGetSFXMgr && cMisc.sfxMgrECXPointer != NULL)
    {
    	cMisc.memcpy_s((void*)cMisc.dwAdrTbl[24], (void*)cMisc.origGetSFXMgrbytes, 6); //Unpatch the hook (Unhook) so we cant be trapped by an HackShield
    	detouredGetSFXMgr = true;
    }
    
    pSFXMgr = (cSFXMgr*)(cMisc.sfxMgrECXPointer + cMisc.sfxMgrECXOffset);
    This works for every virtual function, and you can also easily catch the function in the class without hooking:
    Code:
    for(int i = 0; i < 120; i++)
    {
    	//We're gonna try 120 virtual functions and see if they are SFXMgr :)
    	//If yes, we're gonna call it and be happy
    
    	if(*(DWORD*)(pGameClientShell + 0x4 * i) == dwAdrTbl[24])
    	{
    		//This should be our virtual, just call it and get in return our lovely sfxMgr.
    		//IDK if this method works, try it if you have time and like experimenting
    	}
    }
    All in all, you can see 2 strings referring to our address:
    Code:
    SetServerVar End
    CCBAGameClientShell
    You will find the function manually from there.
    Have fun!
    Last edited by Ch40zz-C0d3r; 12-03-2013 at 11:04 PM.

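    The two building blocks in steps 1 and 2 above, the masked byte-pattern search and the read of the 32-bit displacement two bytes into the located instruction, are the same primitives a memory-forensics or anti-tamper check uses when it looks for a known code sequence in a module image. The following is an added, self-contained C example, not code from the thread or from any CShell build: it implements a mask scan ('x' = must match, '?' = wildcard) over a constructed buffer (filled with 0xCC, with the thread's 16-byte pattern at a chosen position and an `LEA EAX,[ECX+disp32]; RET` sequence 0x70 bytes later, encoded as 8D 81 disp32 C3 per the x86 ISA). It adds the sanity check the post warns about: before trusting the value at +0x2, it verifies that the bytes at the computed address really are that LEA/RET encoding, so a shifted or wrong match returns a failure instead of a garbage offset. The displacement 0x1EFA8 is the value quoted in step 2; the buffer layout and all names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Masked pattern search: mask 'x' = byte must equal pattern byte,
 * '?' = any byte. Returns the offset of the first match, or -1. */
long find_pattern(const uint8_t *buf, size_t size,
                  const uint8_t *pattern, const char *mask)
{
    size_t plen = strlen(mask);
    if (plen == 0 || plen > size) return -1;
    for (size_t i = 0; i + plen <= size; i++) {
        size_t j;
        for (j = 0; j < plen; j++) {
            if (mask[j] == 'x' && buf[i + j] != pattern[j]) break;
        }
        if (j == plen) return (long)i;
    }
    return -1;
}

/* Sanity check before trusting "+0x2": the bytes at 'off' must encode
 * LEA EAX,[ECX+disp32] (8D 81 disp32) followed by RET (C3).
 * On success stores the little-endian disp32 in *disp and returns 1. */
int read_lea_ecx_disp32(const uint8_t *buf, size_t size, size_t off, uint32_t *disp)
{
    if (off + 7 > size) return 0;
    if (buf[off] != 0x8D || buf[off + 1] != 0x81) return 0;
    if (buf[off + 6] != 0xC3) return 0;
    *disp = (uint32_t)buf[off + 2] | ((uint32_t)buf[off + 3] << 8)
          | ((uint32_t)buf[off + 4] << 16) | ((uint32_t)buf[off + 5] << 24);
    return 1;
}

/* The 16-byte pattern and mask quoted in the thread. */
static const uint8_t PATTERN[] = { 0x83, 0xC4, 0x0C, 0x88, 0x5E, 0x3F, 0xA1,
                                   0x00, 0x00, 0x00, 0x00,
                                   0x8B, 0x08, 0x8B, 0x51, 0x18 };
static const char MASK[] = "xxxxxxx????xxxxx";

#define SAMPLE_SIZE 0x90
#define SAMPLE_MATCH 0x10   /* where the constructed sample places the pattern */

/* Constructed sample buffer (not a real module dump): filler bytes, the
 * pattern at SAMPLE_MATCH with an arbitrary address in the wildcard slots,
 * and LEA EAX,[ECX+0x1EFA8]; RET at SAMPLE_MATCH + 0x70. */
void build_sample(uint8_t *buf)
{
    const uint8_t lea_ret[] = { 0x8D, 0x81, 0xA8, 0xEF, 0x01, 0x00, 0xC3 };
    memset(buf, 0xCC, SAMPLE_SIZE);
    memcpy(buf + SAMPLE_MATCH, PATTERN, sizeof PATTERN);
    buf[SAMPLE_MATCH + 7]  = 0x78;   /* wildcard bytes: any value must match */
    buf[SAMPLE_MATCH + 8]  = 0x56;
    buf[SAMPLE_MATCH + 9]  = 0x34;
    buf[SAMPLE_MATCH + 10] = 0x12;
    memcpy(buf + SAMPLE_MATCH + 0x70, lea_ret, sizeof lea_ret);
}

/* Offset the scan finds in the sample (-1 if none). */
long sample_match_offset(void)
{
    uint8_t buf[SAMPLE_SIZE];
    build_sample(buf);
    return find_pattern(buf, SAMPLE_SIZE, PATTERN, MASK);
}

/* Does the sample hold a valid LEA/RET at 'off'? (1/0) */
int sample_lea_at(size_t off)
{
    uint8_t buf[SAMPLE_SIZE];
    uint32_t disp;
    build_sample(buf);
    return read_lea_ecx_disp32(buf, SAMPLE_SIZE, off, &disp);
}

/* Whole procedure: scan, step 0x70 forward, validate, read disp32.
 * Returns the displacement, or 0 when the scan or the check fails. */
uint32_t scan_sample(void)
{
    uint8_t buf[SAMPLE_SIZE];
    uint32_t disp = 0;
    long hit;
    build_sample(buf);
    hit = find_pattern(buf, SAMPLE_SIZE, PATTERN, MASK);
    if (hit < 0) return 0;
    if (!read_lea_ecx_disp32(buf, SAMPLE_SIZE, (size_t)hit + 0x70, &disp)) return 0;
    return disp;
}

int main(void)
{
    printf("match at 0x%lx, displacement 0x%X\n", sample_match_offset(), scan_sample());
    return 0;
}
```

    The point of `read_lea_ecx_disp32` is the one the post makes in words: a signature taken from a neighbouring function plus a fixed distance is only valid while the code between them is unchanged, so the value read at +0x2 should be accepted only after the instruction bytes at that address have been checked; `sample_lea_at(SAMPLE_MATCH)` returns 0 because the pattern bytes themselves are not an LEA/RET.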

  9. #7 imaginarysss
    Thanks a lot ch4ozz. You really helped me out.
