[HL2DM] UTIL_ImpactTrace

Postby VinciT » Wed Apr 22, 2020 5:02 am

While working on Painkiller's request, I tried to hook UTIL_ImpactTrace, but I'm not getting anywhere.

```python
# ../util_impact/util_impact.py

# Source.Python
import core
import memory
from memory import Convention, DataType
from memory.hooks import PreHook


server = memory.find_binary('server')

# Windows: look the function up by byte signature.
# Linux: look it up by its mangled symbol name.
if core.PLATFORM == 'windows':
    identifier = b'\x55\x8B\xEC\x8B\x55\x08\x8B\x4A\x4C'
else:
    identifier = '_Z16UTIL_ImpactTraceP10CGameTraceiPKc'

# void UTIL_ImpactTrace(
#     trace_t *pTrace, int iDamageType, const char *pCustomImpactName = NULL);
UTIL_ImpactTrace = server[identifier].make_function(
    Convention.CDECL,
    (DataType.POINTER, DataType.INT, DataType.STRING),
    DataType.VOID
)

# Print the raw arguments every time the hooked function is called.
@PreHook(UTIL_ImpactTrace)
def impact_trace_pre(stack_data):
    print(stack_data)
```

Nothing's being printed with the signature (I'm running this on Windows). So I tried hooking the virtual function instead:

```ini
# CBaseEntity::ImpactTrace(CGameTrace*, int, char const*)
[[impact_trace]]
    offset_linux = 78
    offset_windows = 77
    arguments = POINTER, INT, STRING
```

And.. still nothing. Any idea what's going on?

Postby InvisibleSoldiers » Fri May 01, 2020 2:16 pm

I'm sometimes faced with the fact that the offsets on https://asherkin.github.io/vtable/ seem outdated or wrong for Windows (as far as I know it can successfully parse only Linux binaries, and for Windows binaries it only predicts) (I guess you used it).
You can get the function address through the virtual func and check what the function really does, or get a signature later, which will be more stable, through:

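```python
from memory import find_binary

server_binary = find_binary('server')
# pointer: Pointer to the entity instance; offset: the vtable index to check
func = pointer.get_virtual_func(offset)
print(func.address - server_binary.base)
```

and then find the function by address by pressing G in IDA.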

Probably Windows signature:

```
void CBaseEntity::ImpactTrace( trace_t *pTrace, int iDamageType, const char *pCustomImpactName )
\x55\x8B\xEC\x81\xEC\x8C\x00\x00\x00\x56\x8B\x75\x08\x8D\x8D\x74\xFF\xFF\xFF
```

Postby VinciT » Fri May 01, 2020 4:11 pm

You're spot on. I used asherkin's vtable dumper. But turns out that the issue was my server. Don't know how or why, but it got corrupted. So I reinstalled it along with SP and now the above signature and offset seem to work.

InvisibleSoldiers wrote: You can get the function address through the virtual func and check what the function really does, or get a signature later, which will be more stable, through:

```python
server_binary = find_binary('server')
func = pointer.get_virtual_func(offset)
print(func.address - server_binary.base)
```

and then find the function by address by pressing G in IDA.

Thank you for sharing this, I'm not that great at working with memory/offsets yet, but this will surely make it a bit easier. :smile: