Вопрос PostReceivedNetMessage is not getting called!

Trna · 9 Фев 2024

Hello there.
After last update, PostReceivedNetMessage index is changed to 71, but when I'm hooking it, it's not getting called.
also I toggled a breakpoint in cheat engine. it seems the function is not getting executed.
Any idea why?

C++:

 Memory::ParseCombo("48 8D 05 ?? ?? ?? ?? 4C 89 69 20", Address, Mask);
    adr = (uintptr_t)Memory::PatternScanExModule(g_GameHandle, g_GamePid, L"networksystem.dll", Address, Mask);
    uintptr_t** networkSystemVTable = (uintptr_t**)GetAbsoluteAddress(adr, 3, 7);
    PostReceivedNetMessage = (PostReceivedNetMessageFn)networkSystemVTable[71];

dotakoder · 9 Фев 2024

Wrong function maybe(i mean wrong index)

Trna · 9 Фев 2024

Для просмотра содержимого вам необходимо авторизоваться.

Thank you for your answer.

C++:

.text:0000000180098930 var_28 = qword ptr -28h
.text:0000000180098930 var_20 = dword ptr -20h
.text:0000000180098930 var_18 = dword ptr -18h
.text:0000000180098930 arg_20 = dword ptr 28h
.text:0000000180098930 arg_28 = dword ptr 30h
.text:0000000180098930
.text:0000000180098930 sub rsp, 48h
.text:0000000180098934 mov eax, [rsp+48h+arg_28]
.text:0000000180098938 add rcx, 110h
.text:000000018009893F mov [rsp+48h+var_18], eax
.text:0000000180098943 mov eax, [rsp+48h+arg_20]
.text:0000000180098947 mov [rsp+48h+var_20], eax
.text:000000018009894B mov [rsp+48h+var_28], r9
.text:0000000180098950 call sub_18009ACC0 ; #STR: "CTSQueue corruption"
.text:0000000180098955 add rsp, 48h
.text:0000000180098959 retn
.text:0000000180098959 sub_180098930 endp

This is the function that I'm hooking, and I double checked that in cheat engine.I guess it's the correct function, because that's exactly what ExistedDim4 showed in his tutorial: https: // yougame.biz/threads/285292/

Liberalist · 10 Фев 2024

Trna написал(а):
Скрытое содержимое

Thank you for your answer.

C++:

.text:0000000180098930 var_28 = qword ptr -28h .text:0000000180098930 var_20 = dword ptr -20h .text:0000000180098930 var_18 = dword ptr -18h .text:0000000180098930 arg_20 = dword ptr 28h .text:0000000180098930 arg_28 = dword ptr 30h .text:0000000180098930 .text:0000000180098930 sub rsp, 48h .text:0000000180098934 mov eax, [rsp+48h+arg_28] .text:0000000180098938 add rcx, 110h .text:000000018009893F mov [rsp+48h+var_18], eax .text:0000000180098943 mov eax, [rsp+48h+arg_20] .text:0000000180098947 mov [rsp+48h+var_20], eax .text:000000018009894B mov [rsp+48h+var_28], r9 .text:0000000180098950 call sub_18009ACC0 ; #STR: "CTSQueue corruption" .text:0000000180098955 add rsp, 48h .text:0000000180098959 retn .text:0000000180098959 sub_180098930 endp

This is the function that I'm hooking, and I double checked that in cheat engine.I guess it's the correct function, because that's exactly what ExistedDim4 showed in his tutorial: https://yougame .biz/threads/285292/

try breakpointing adjacent(69, 70, 72, 73 etc) functions in the vtable and check their arguments, see if arity(number of args) and argument types/values match PostReceivedNetMessage - maybe you just have the wrong index
another way would be to breakpoint some function that's called from inside the PostReceivedNetMessage(such as the one with "CTSQueue corruption" xref) and check the callstack
sometimes function can stop being virtual/can stop being called virtually(when exact type of an object is known)

Morphling · 10 Фев 2024

Trna написал(а):
Hello there.
After last update, PostReceivedNetMessage index is changed to 71, but when I'm hooking it, it's not getting called.
also I toggled a breakpoint in cheat engine. it seems the function is not getting executed.
Any idea why?

C++:

Memory::ParseCombo("48 8D 05 ?? ?? ?? ?? 4C 89 69 20", Address, Mask); adr = (uintptr_t)Memory::PatternScanExModule(g_GameHandle, g_GamePid, L"networksystem.dll", Address, Mask); uintptr_t** networkSystemVTable = (uintptr_t**)GetAbsoluteAddress(adr, 3, 7); PostReceivedNetMessage = (PostReceivedNetMessageFn)networkSystemVTable[71];

Ну значит индекс не верный, логично. Попробуй функции рядом посмотреть

Trna · 10 Фев 2024

Thanks for answers. I checked all virtual functions inside CNetChan.
There is only two off them with "CTSQueue corruption" xref, I toggled breakpoint using cheat engine and they both are not getting called.

Liberalist написал(а):
another way would be to breakpoint some function that's called from inside the PostReceivedNetMessage(such as the one with "CTSQueue corruption" xref) and check the callstack
sometimes function can stop being virtual/can stop being called virtually(when exact type of an object is known)

I tried. I found these 3 functions:
networksystem.dll+95E0D
networksystem.dll+94A3E
networksystem.dll+96916

I checked their parameter list in IDA, it doesn't seem any of them be PostRecivedNetMessage

Trna · 10 Фев 2024

Deleted

Liberalist · 10 Фев 2024

just try hooking CTSQueue<CNetworkMessageSignalQueue<CEventIDManager_NetChan,BogusType_t>::QueuedMessage_t,false>::PushItem if everything else fails.
it's

Код:

.text:0000000180098950 call sub_18009ACC0 ; #STR: "CTSQueue corruption"

in one of your posts above
PostReceivedNetMessage doesn't do anything except adjusting thisptr and calling PushItem

Trna · 10 Фев 2024

Liberalist написал(а):
just try hooking CTSQueue<CNetworkMessageSignalQueue<CEventIDManager_NetChan,BogusType_t>::QueuedMessage_t,false>::PushItem if everything else fails.
it's

Код:

.text:0000000180098950 call sub_18009ACC0 ; #STR: "CTSQueue corruption"

in one of your posts above
PostReceivedNetMessage doesn't do anything except adjusting thisptr and calling PushItem
Посмотреть вложение 270419

Thanks, I tried that too.
It's givinng me this: Unhandled exception at 0x00007FFD56E2ACF6 (networksystem.dll) in dota2.exe: 0xC0000005: Access violation reading location 0x000000008C1BD1C0.

If everything is the same, I don't understand why it is giving me this exception.
Also my function looks like this:

C++:

void Hooks::hkPostReceivedNetMessage(INetChannel* thisptr, NetMessageHandle_t* messageHandle, google::protobuf::Message* msg, void const* type, int bits)
{
    return oPostReceivedNetMessage(thisptr, messageHandle, msg, type, bits);
}

Edit: Okay It seems the function signature is changed.

C++:

inline void hkPostReceivedNetMessage2(void* a, void* b, void* c, void* d, void* e, unsigned int f, unsigned int g)

I tried with this and it's working fine. I just care about second and third parameter, so I guess I don't have to figure out what others are.
but I will be happy if someone tell me :D
Also please let me know if anyone has figured out why PostReceivedNetMessage isn't getting called

Liberalist · 10 Фев 2024

Trna написал(а):
Thanks, I tried that too.
It's givinng me this: Unhandled exception at 0x00007FFD56E2ACF6 (networksystem.dll) in dota2.exe: 0xC0000005: Access violation reading location 0x000000008C1BD1C0.

Посмотреть вложение 270430

If everything is the same, I don't understand why it is giving me this exception.
Also my function looks like this:

C++:

void Hooks::hkPostReceivedNetMessage(INetChannel* thisptr, NetMessageHandle_t* messageHandle, google::protobuf::Message* msg, void const* type, int bits) { return oPostReceivedNetMessage(thisptr, messageHandle, msg, type, bits); }

Edit: Okay It seems the function signature is changed.

C++:

inline void hkPostReceivedNetMessage2(void* a, void* b, void* c, void* d, void* e, unsigned int f, unsigned int g)

I tried with this and it's working fine. I just care about second and third parameter, so I guess I don't have to figure out what others are.
but I will be happy if someone tell me :D
Also please let me know if anyone has figured out why PostReceivedNetMessage isn't getting called

postreceivednetmessage and pushitem are two different functions. just because one calls the other doesn't suddenly mean they have equal arity or argument types.
you get exception at [rax], where rax is [rsp+0xb0] where rsp is rsp - 0x80(there was sub rsp,0x80); in other words, [rsp + 0xb0] is [rsp - 0x80 + 0xb0], or [rsp + 0x30], and that's after the push rdi(push decreases rsp by pointer size, 8 on x64), meaning that it's actually [rsp + 0x28], and also that's after the call(call pushes return address), so actually [rsp + 20], which is the 5th argument(before the call).
in other words, you fuck up the 5th argument(0x8C1BD1C0 in your case. looks like a low dword of a qword - you truncate a qword(int bits in your case(it's not an int, it's a pointer, hence the issues)) to a dword(i.e. set high dword to 0)). it's checked for zero, and if it's not zero(which it wasn't in your case), it's written to, but in your case it's an invalid location, hence the exception. you also don't pass 6th and 7th arguments
to reiterate, it's not some magic PostReceivedNetMessage2, it's a completely different function, with a different signature. it just happens to be invoked by PostReceivedNetMessage.

krobicon1 · 11 Июл 2024

Has this function been removed after crownfall act 3 patch? I tried searching for string reference CTSQueue but it only shows for two unrelated functions. I tried checking CNetchan vtable for any similar function but was not able to find anything.

Liberalist · 11 Июл 2024

krobicon1 написал(а):
Has this function been removed after crownfall act 3 patch? I tried searching for string reference CTSQueue but it only shows for two unrelated functions. I tried checking CNetchan vtable for any similar function but was not able to find anything.

try the filtering approach: https://yougame.biz/threads/320367/#post-3093913

C++:

struct CNetworkSerializerPB : public VClass
{
    const char* unscopedName;
    std::uint32_t categoryMask;
    void* protobufBinding;
    const char* groupName;
    int16_t messageID;
    uint8_t groupID;
    uint8_t defaultBufferType;
};

/*
sample class layout:
    CNetMessagePB<101,class CUserMessageAchievementEvent,13,1,1>
        client.dll + 0x37d13d0(hierarchy CNetMessagePB<101,class CUserMessageAchievementEvent,13,1,1>: CNetMessage, CUserMessageAchievementEvent, google::protobuf::Message, google::protobuf::MessageLite)
        client.dll + 0x37d1400 MI offset 32(hierarchy CUserMessageAchievementEvent: google::protobuf::Message, google::protobuf::MessageLite)
                                         ^^ lea rax,qword ptr ds:[rcx+0x20]
*/
class CNetMessage : public VClass
{
    /*
        00007FFCEF88DAD0 | 33D2                     | xor edx,edx
        00007FFCEF88DAD2 | 48:8D41 20               | lea rax,qword ptr ds:[rcx+20]
        00007FFCEF88DAD6 | 48:85C9                  | test rcx,rcx
        00007FFCEF88DAD9 | 48:0F44C2                | cmove rax,rdx
        00007FFCEF88DADD | C3                       | ret
    */
    static inline constexpr auto GetPbMessage_VFTable_INDEX = 2;

    /*
        00007FFCEF890050 | 48:83EC 48               | sub rsp,48
        00007FFCEF890054 | 48:8B05 8D3B1D00         | mov rax,qword ptr ds:[7FFCEFA63BE8]
        00007FFCEF89005B | 48:8B0D C6CC1C00         | mov rcx,qword ptr ds:[7FFCEFA5CD28]
        00007FFCEF890062 | 48:85C0                  | test rax,rax
        00007FFCEF890065 | 75 32                    | jne networksystem.7FFCEF890099
        00007FFCEF890067 | 48:8B01                  | mov rax,qword ptr ds:[rcx]
        00007FFCEF89006A | 4C:8D05 A7AB1900         | lea r8,qword ptr ds:[7FFCEFA2AC18]
        00007FFCEF890071 | C64424 30 00             | mov byte ptr ss:[rsp+30],0
        00007FFCEF890076 | 41:B9 38000000           | mov r9d,38
        00007FFCEF89007C | C64424 28 01             | mov byte ptr ss:[rsp+28],1
        00007FFCEF890081 | BA 00000040              | mov edx,40000000
        00007FFCEF890086 | 48:C74424 20 00000000    | mov qword ptr ss:[rsp+20],0
        00007FFCEF89008F | FF50 10                  | call qword ptr ds:[rax+10]
        00007FFCEF890092 | 48:8905 4F3B1D00         | mov qword ptr ds:[7FFCEFA63BE8],rax
        00007FFCEF890099 | 48:83C4 48               | add rsp,48
        00007FFCEF89009D | C3                       | ret
    */
    static inline constexpr auto GetSerializer_VFTable_INDEX = 3;
public:
    auto GetPbMessage() const
    {
        return CallVFunc<GetPbMessage_VFTable_INDEX, google::protobuf::Message*>();
    }
    auto GetSerializer()
    {
        return CallVFunc<GetSerializer_VFTable_INDEX, CNetworkSerializerPB*>();
    }
};

class CNetChan;
class INetworkMessageProcessingPreFilter
{
protected:
    enum EFilterResult : bool
    {
        ALLOW_MESSAGE,
        DROP_MESSAGE,
    };
    virtual EFilterResult FilterMessage(CNetMessage*, CNetChan*) = 0;
};

class CNetChan : public VClass
{
private:
    /*
    target function assembly:
        00007FFCEF8898F0 | 48:896C24 18             | mov qword ptr ss:[rsp+18],rbp
        00007FFCEF8898F5 | 57                       | push rdi
        00007FFCEF8898F6 | 41:56                    | push r14
        00007FFCEF8898F8 | 41:57                    | push r15
        00007FFCEF8898FA | 48:83EC 20               | sub rsp,20
        00007FFCEF8898FE | 4C:63B9 C0750000         | movsxd r15,dword ptr ds:[rcx+75C0]
        00007FFCEF889905 | 48:8DB9 C8750000         | lea rdi,qword ptr ds:[rcx+75C8]
        00007FFCEF88990C | 45:33C0                  | xor r8d,r8d
        00007FFCEF88990F | 48:8BEA                  | mov rbp,rdx
        00007FFCEF889912 | 4C:8BF1                  | mov r14,rcx
        00007FFCEF889915 | 45:85FF                  | test r15d,r15d
        00007FFCEF889918 | 7E 26                    | jle networksystem.7FFCEF889940
        00007FFCEF88991A | 48:8B07                  | mov rax,qword ptr ds:[rdi]
        00007FFCEF88991D | 41:8BD0                  | mov edx,r8d
        00007FFCEF889920 | 48:3928                  | cmp qword ptr ds:[rax],rbp
        00007FFCEF889923 | 74 11                    | je networksystem.7FFCEF889936
        00007FFCEF889925 | 41:FFC0                  | inc r8d
        00007FFCEF889928 | 48:FFC2                  | inc rdx
        00007FFCEF88992B | 48:83C0 08               | add rax,8
        00007FFCEF88992F | 49:3BD7                  | cmp rdx,r15
        00007FFCEF889932 | 7C EC                    | jl networksystem.7FFCEF889920
        00007FFCEF889934 | EB 0A                    | jmp networksystem.7FFCEF889940
        00007FFCEF889936 | 41:83F8 FF               | cmp r8d,FFFFFFFF
        00007FFCEF88993A | 0F85 D0000000            | jne networksystem.7FFCEF889A10
        00007FFCEF889940 | 44:3BB9 D0750000         | cmp r15d,dword ptr ds:[rcx+75D0]
        00007FFCEF889947 | 0F85 B5000000            | jne networksystem.7FFCEF889A02
        00007FFCEF88994D | F747 0C 00000040         | test dword ptr ds:[rdi+C],40000000
        00007FFCEF889954 | 0F85 A8000000            | jne networksystem.7FFCEF889A02
        00007FFCEF88995A | 8B4F 08                  | mov ecx,dword ptr ds:[rdi+8]
        00007FFCEF88995D | 48:895C24 40             | mov qword ptr ss:[rsp+40],rbx
        00007FFCEF889962 | 48:897424 48             | mov qword ptr ss:[rsp+48],rsi
        00007FFCEF889967 | 81F9 FEFFFF7F            | cmp ecx,dbghelp.7FFFFFFE
        00007FFCEF88996D | 7E 0B                    | jle networksystem.7FFCEF88997A
        00007FFCEF88996F | BA 01000000              | mov edx,1
        00007FFCEF889974 | FF15 4E7F1300            | call qword ptr ds:[<&UtlMemory_FailedAllocation>]
        00007FFCEF88997A | 8B4F 08                  | mov ecx,dword ptr ds:[rdi+8]
        00007FFCEF88997D | 41:B9 08000000           | mov r9d,8

    invoker:
        00007FFCF5D106A0 | 48:895C24 10             | mov qword ptr ss:[rsp+10],rbx
        00007FFCF5D106A5 | 48:897424 18             | mov qword ptr ss:[rsp+18],rsi
        00007FFCF5D106AA | 48:897C24 20             | mov qword ptr ss:[rsp+20],rdi
        00007FFCF5D106AF | 55                       | push rbp
        00007FFCF5D106B0 | 41:56                    | push r14
        00007FFCF5D106B2 | 41:57                    | push r15
        00007FFCF5D106B4 | 48:8BEC                  | mov rbp,rsp
        00007FFCF5D106B7 | 48:83EC 50               | sub rsp,50
        00007FFCF5D106BB | 48:8BF9                  | mov rdi,rcx
        00007FFCF5D106BE | 48:8BDA                  | mov rbx,rdx
        00007FFCF5D106C1 | 48:8B0D C8385200         | mov rcx,qword ptr ds:[7FFCF6233F90]
        00007FFCF5D106C8 | 45:33FF                  | xor r15d,r15d
        00007FFCF5D106CB | 48:85FF                  | test rdi,rdi
        00007FFCF5D106CE | 48:8D57 18               | lea rdx,qword ptr ds:[rdi+18]
        00007FFCF5D106D2 | 48:8B01                  | mov rax,qword ptr ds:[rcx]
        00007FFCF5D106D5 | 49:0F44D7                | cmove rdx,r15
        00007FFCF5D106D9 | FF90 20010000            | call qword ptr ds:[rax+120]
        00007FFCF5D106DF | 48:8B03                  | mov rax,qword ptr ds:[rbx]
        00007FFCF5D106E2 | 48:8BCB                  | mov rcx,rbx
        00007FFCF5D106E5 | FF90 D0010000            | call qword ptr ds:[rax+1D0]
        00007FFCF5D106EB | 48:893D AE044C00         | mov qword ptr ds:[7FFCF61D0BA0],rdi
        00007FFCF5D106F2 | 48:8D15 9F044C00         | lea rdx,qword ptr ds:[7FFCF61D0B98]
        00007FFCF5D106F9 | 48:8B03                  | mov rax,qword ptr ds:[rbx]
        00007FFCF5D106FC | 48:8BCB                  | mov rcx,rbx
        00007FFCF5D106FF | FF90 18020000            | call qword ptr ds:[rax+218]                               <---- invocation here
        00007FFCF5D10705 | 48:8D05 F0180200         | lea rax,qword ptr ds:[7FFCF5D31FFC]
        00007FFCF5D1070C | 48:8BCF                  | mov rcx,rdi
        00007FFCF5D1070F | 48:8945 F8               | mov qword ptr ss:[rbp-8],rax
        00007FFCF5D10713 | E8 0877FFFF              | call engine2.7FFCF5D07E20
        00007FFCF5D10718 | 48:8B0D 79385200         | mov rcx,qword ptr ds:[7FFCF6233F98]
        00007FFCF5D1071F | 48:8D77 28               | lea rsi,qword ptr ds:[rdi+28]

    invoker xref:
        00007FFCF5D12374 | 48:63DA                  | movsxd rbx,edx
        00007FFCF5D12377 | 48:8D15 3ABC3F00         | lea rdx,qword ptr ds:[7FFCF610DFB8]                 | 00007FFCF610DFB8:"server"
        00007FFCF5D1237E | C74424 30 01000000       | mov dword ptr ss:[rsp+30],1
        00007FFCF5D12386 | C74424 28 02000000       | mov dword ptr ss:[rsp+28],2
        00007FFCF5D1238E | 48:8B01                  | mov rax,qword ptr ds:[rcx]
        00007FFCF5D12391 | 48:895424 20             | mov qword ptr ss:[rsp+20],rdx
        00007FFCF5D12396 | 41:8BD2                  | mov edx,r10d
        00007FFCF5D12399 | FF90 B0000000            | call qword ptr ds:[rax+B0]
        00007FFCF5D1239F | 48:8BD0                  | mov rdx,rax
        00007FFCF5D123A2 | 48:8BCE                  | mov rcx,rsi
        00007FFCF5D123A5 | 48:8BF8                  | mov rdi,rax
        00007FFCF5D123A8 | E8 F3E2FFFF              | call engine2.7FFCF5D106A0                            <---- calls invoker
        00007FFCF5D123AD | 48:8D4B 0A               | lea rcx,qword ptr ds:[rbx+A]
        00007FFCF5D123B1 | 48:8D0C49                | lea rcx,qword ptr ds:[rcx+rcx*2]
        00007FFCF5D123B5 | 48:893CCE                | mov qword ptr ds:[rsi+rcx*8],rdi
        00007FFCF5D123B9 | 48:8B0D D01B5200         | mov rcx,qword ptr ds:[7FFCF6233F90]
        00007FFCF5D123C0 | C786 4C020000 FFFFFFFF   | mov dword ptr ds:[rsi+24C],FFFFFFFF
        00007FFCF5D123CA | 48:8B01                  | mov rax,qword ptr ds:[rcx]
        00007FFCF5D123CD | FF90 D8000000            | call qword ptr ds:[rax+D8]
        00007FFCF5D123D3 | 8B0D F7B65300            | mov ecx,dword ptr ds:[7FFCF624DAD0]
        00007FFCF5D123D9 | 0F57C9                   | xorps xmm1,xmm1
        00007FFCF5D123DC | F2:0F5AC8                | cvtsd2ss xmm1,xmm0
        00007FFCF5D123E0 | BA 01000000              | mov edx,1
        00007FFCF5D123E5 | F3:0F118E 50020000       | movss dword ptr ds:[rsi+250],xmm1
        00007FFCF5D123ED | FF15 35F43800            | call qword ptr ds:[<&LoggingSystem_IsChannelEnabled>]
        00007FFCF5D123F3 | 84C0                     | test al,al
        00007FFCF5D123F5 | 74 18                    | je engine2.7FFCF5D1240F
        00007FFCF5D123F7 | 8B0D D3B65300            | mov ecx,dword ptr ds:[7FFCF624DAD0]
        00007FFCF5D123FD | 4C:8D05 CCBC3F00         | lea r8,qword ptr ds:[7FFCF610E0D0]                  | 00007FFCF610E0D0:"CL:  CNetworkGameClientBase::Connect() calling SetSignonState( SIGNONSTATE_CONNECTED )\n"
        00007FFCF5D12404 | BA 01000000              | mov edx,1
        00007FFCF5D12409 | FF15 11F43800            | call qword ptr ds:[<&LoggingSystem_Log>]
        00007FFCF5D1240F | 48:8B06                  | mov rax,qword ptr ds:[rsi]
        00007FFCF5D12412 | 45:33C9                  | xor r9d,r9d
        00007FFCF5D12415 | 48:8BCE                  | mov rcx,rsi
    */
    static inline constexpr auto RegisterFilter_VFTable_INDEX = 67;
    static inline constexpr auto UnregisterFilter_VFTable_INDEX = RegisterFilter_VFTable_INDEX + 1;
public:
    void RegisterFilter(INetworkMessageProcessingPreFilter& filter_LIFETIME_MANGED_BY_INVOKER)
    {
        CallVFunc<RegisterFilter_VFTable_INDEX>(&filter_LIFETIME_MANGED_BY_INVOKER);
    }
    void UnregisterFilter(INetworkMessageProcessingPreFilter& filter_LIFETIME_MANGED_BY_INVOKER)
    {
        CallVFunc<UnregisterFilter_VFTable_INDEX>(&filter_LIFETIME_MANGED_BY_INVOKER);
    }
};

struct MyFilter : INetworkMessageProcessingPreFilter
{
    EFilterResult FilterMessage(CNetMessage* msg, CNetChan*) override
    {
        if(const auto ser = msg->GetSerializer(); ser)
        {
            cout_line(std::format("msg id {} {}", ser->messageID, ser->unscopedName));
        }
        return EFilterResult::ALLOW_MESSAGE;
    }
};
MyFilter filter{};//static(simpler) or local but must be alive at least until it's unregistered, RegisterFilter doesn't manage ownership
...
channel->RegisterFilter(filter);

krobicon1 · 11 Июл 2024

Liberalist написал(а):

try the filtering approach: https://yougame.biz/threads/320367/#post-3093913

C++:

struct CNetworkSerializerPB : public VClass
{
    const char* unscopedName;
    std::uint32_t categoryMask;
    void* protobufBinding;
    const char* groupName;
    int16_t messageID;
    uint8_t groupID;
    uint8_t defaultBufferType;
};

/*
sample class layout:
    CNetMessagePB<101,class CUserMessageAchievementEvent,13,1,1>
        client.dll + 0x37d13d0(hierarchy CNetMessagePB<101,class CUserMessageAchievementEvent,13,1,1>: CNetMessage, CUserMessageAchievementEvent, google::protobuf::Message, google::protobuf::MessageLite)
        client.dll + 0x37d1400 MI offset 32(hierarchy CUserMessageAchievementEvent: google::protobuf::Message, google::protobuf::MessageLite)
                                         ^^ lea rax,qword ptr ds:[rcx+0x20]
*/
class CNetMessage : public VClass
{
    /*
        00007FFCEF88DAD0 | 33D2                     | xor edx,edx
        00007FFCEF88DAD2 | 48:8D41 20               | lea rax,qword ptr ds:[rcx+20]
        00007FFCEF88DAD6 | 48:85C9                  | test rcx,rcx
        00007FFCEF88DAD9 | 48:0F44C2                | cmove rax,rdx
        00007FFCEF88DADD | C3                       | ret
    */
    static inline constexpr auto GetPbMessage_VFTable_INDEX = 2;

    /*
        00007FFCEF890050 | 48:83EC 48               | sub rsp,48
        00007FFCEF890054 | 48:8B05 8D3B1D00         | mov rax,qword ptr ds:[7FFCEFA63BE8]
        00007FFCEF89005B | 48:8B0D C6CC1C00         | mov rcx,qword ptr ds:[7FFCEFA5CD28]
        00007FFCEF890062 | 48:85C0                  | test rax,rax
        00007FFCEF890065 | 75 32                    | jne networksystem.7FFCEF890099
        00007FFCEF890067 | 48:8B01                  | mov rax,qword ptr ds:[rcx]
        00007FFCEF89006A | 4C:8D05 A7AB1900         | lea r8,qword ptr ds:[7FFCEFA2AC18]
        00007FFCEF890071 | C64424 30 00             | mov byte ptr ss:[rsp+30],0
        00007FFCEF890076 | 41:B9 38000000           | mov r9d,38
        00007FFCEF89007C | C64424 28 01             | mov byte ptr ss:[rsp+28],1
        00007FFCEF890081 | BA 00000040              | mov edx,40000000
        00007FFCEF890086 | 48:C74424 20 00000000    | mov qword ptr ss:[rsp+20],0
        00007FFCEF89008F | FF50 10                  | call qword ptr ds:[rax+10]
        00007FFCEF890092 | 48:8905 4F3B1D00         | mov qword ptr ds:[7FFCEFA63BE8],rax
        00007FFCEF890099 | 48:83C4 48               | add rsp,48
        00007FFCEF89009D | C3                       | ret
    */
    static inline constexpr auto GetSerializer_VFTable_INDEX = 3;
public:
    auto GetPbMessage() const
    {
        return CallVFunc<GetPbMessage_VFTable_INDEX, google::protobuf::Message*>();
    }
    auto GetSerializer()
    {
        return CallVFunc<GetSerializer_VFTable_INDEX, CNetworkSerializerPB*>();
    }
};

class CNetChan;
class INetworkMessageProcessingPreFilter
{
protected:
    enum EFilterResult : bool
    {
        ALLOW_MESSAGE,
        DROP_MESSAGE,
    };
    virtual EFilterResult FilterMessage(CNetMessage*, CNetChan*) = 0;
};

class CNetChan : public VClass
{
private:
    /*
    target function assembly:
        00007FFCEF8898F0 | 48:896C24 18             | mov qword ptr ss:[rsp+18],rbp
        00007FFCEF8898F5 | 57                       | push rdi
        00007FFCEF8898F6 | 41:56                    | push r14
        00007FFCEF8898F8 | 41:57                    | push r15
        00007FFCEF8898FA | 48:83EC 20               | sub rsp,20
        00007FFCEF8898FE | 4C:63B9 C0750000         | movsxd r15,dword ptr ds:[rcx+75C0]
        00007FFCEF889905 | 48:8DB9 C8750000         | lea rdi,qword ptr ds:[rcx+75C8]
        00007FFCEF88990C | 45:33C0                  | xor r8d,r8d
        00007FFCEF88990F | 48:8BEA                  | mov rbp,rdx
        00007FFCEF889912 | 4C:8BF1                  | mov r14,rcx
        00007FFCEF889915 | 45:85FF                  | test r15d,r15d
        00007FFCEF889918 | 7E 26                    | jle networksystem.7FFCEF889940
        00007FFCEF88991A | 48:8B07                  | mov rax,qword ptr ds:[rdi]
        00007FFCEF88991D | 41:8BD0                  | mov edx,r8d
        00007FFCEF889920 | 48:3928                  | cmp qword ptr ds:[rax],rbp
        00007FFCEF889923 | 74 11                    | je networksystem.7FFCEF889936
        00007FFCEF889925 | 41:FFC0                  | inc r8d
        00007FFCEF889928 | 48:FFC2                  | inc rdx
        00007FFCEF88992B | 48:83C0 08               | add rax,8
        00007FFCEF88992F | 49:3BD7                  | cmp rdx,r15
        00007FFCEF889932 | 7C EC                    | jl networksystem.7FFCEF889920
        00007FFCEF889934 | EB 0A                    | jmp networksystem.7FFCEF889940
        00007FFCEF889936 | 41:83F8 FF               | cmp r8d,FFFFFFFF
        00007FFCEF88993A | 0F85 D0000000            | jne networksystem.7FFCEF889A10
        00007FFCEF889940 | 44:3BB9 D0750000         | cmp r15d,dword ptr ds:[rcx+75D0]
        00007FFCEF889947 | 0F85 B5000000            | jne networksystem.7FFCEF889A02
        00007FFCEF88994D | F747 0C 00000040         | test dword ptr ds:[rdi+C],40000000
        00007FFCEF889954 | 0F85 A8000000            | jne networksystem.7FFCEF889A02
        00007FFCEF88995A | 8B4F 08                  | mov ecx,dword ptr ds:[rdi+8]
        00007FFCEF88995D | 48:895C24 40             | mov qword ptr ss:[rsp+40],rbx
        00007FFCEF889962 | 48:897424 48             | mov qword ptr ss:[rsp+48],rsi
        00007FFCEF889967 | 81F9 FEFFFF7F            | cmp ecx,dbghelp.7FFFFFFE
        00007FFCEF88996D | 7E 0B                    | jle networksystem.7FFCEF88997A
        00007FFCEF88996F | BA 01000000              | mov edx,1
        00007FFCEF889974 | FF15 4E7F1300            | call qword ptr ds:[<&UtlMemory_FailedAllocation>]
        00007FFCEF88997A | 8B4F 08                  | mov ecx,dword ptr ds:[rdi+8]
        00007FFCEF88997D | 41:B9 08000000           | mov r9d,8

    invoker:
        00007FFCF5D106A0 | 48:895C24 10             | mov qword ptr ss:[rsp+10],rbx
        00007FFCF5D106A5 | 48:897424 18             | mov qword ptr ss:[rsp+18],rsi
        00007FFCF5D106AA | 48:897C24 20             | mov qword ptr ss:[rsp+20],rdi
        00007FFCF5D106AF | 55                       | push rbp
        00007FFCF5D106B0 | 41:56                    | push r14
        00007FFCF5D106B2 | 41:57                    | push r15
        00007FFCF5D106B4 | 48:8BEC                  | mov rbp,rsp
        00007FFCF5D106B7 | 48:83EC 50               | sub rsp,50
        00007FFCF5D106BB | 48:8BF9                  | mov rdi,rcx
        00007FFCF5D106BE | 48:8BDA                  | mov rbx,rdx
        00007FFCF5D106C1 | 48:8B0D C8385200         | mov rcx,qword ptr ds:[7FFCF6233F90]
        00007FFCF5D106C8 | 45:33FF                  | xor r15d,r15d
        00007FFCF5D106CB | 48:85FF                  | test rdi,rdi
        00007FFCF5D106CE | 48:8D57 18               | lea rdx,qword ptr ds:[rdi+18]
        00007FFCF5D106D2 | 48:8B01                  | mov rax,qword ptr ds:[rcx]
        00007FFCF5D106D5 | 49:0F44D7                | cmove rdx,r15
        00007FFCF5D106D9 | FF90 20010000            | call qword ptr ds:[rax+120]
        00007FFCF5D106DF | 48:8B03                  | mov rax,qword ptr ds:[rbx]
        00007FFCF5D106E2 | 48:8BCB                  | mov rcx,rbx
        00007FFCF5D106E5 | FF90 D0010000            | call qword ptr ds:[rax+1D0]
        00007FFCF5D106EB | 48:893D AE044C00         | mov qword ptr ds:[7FFCF61D0BA0],rdi
        00007FFCF5D106F2 | 48:8D15 9F044C00         | lea rdx,qword ptr ds:[7FFCF61D0B98]
        00007FFCF5D106F9 | 48:8B03                  | mov rax,qword ptr ds:[rbx]
        00007FFCF5D106FC | 48:8BCB                  | mov rcx,rbx
        00007FFCF5D106FF | FF90 18020000            | call qword ptr ds:[rax+218]                               <---- invocation here
        00007FFCF5D10705 | 48:8D05 F0180200         | lea rax,qword ptr ds:[7FFCF5D31FFC]
        00007FFCF5D1070C | 48:8BCF                  | mov rcx,rdi
        00007FFCF5D1070F | 48:8945 F8               | mov qword ptr ss:[rbp-8],rax
        00007FFCF5D10713 | E8 0877FFFF              | call engine2.7FFCF5D07E20
        00007FFCF5D10718 | 48:8B0D 79385200         | mov rcx,qword ptr ds:[7FFCF6233F98]
        00007FFCF5D1071F | 48:8D77 28               | lea rsi,qword ptr ds:[rdi+28]

    invoker xref:
        00007FFCF5D12374 | 48:63DA                  | movsxd rbx,edx
        00007FFCF5D12377 | 48:8D15 3ABC3F00         | lea rdx,qword ptr ds:[7FFCF610DFB8]                 | 00007FFCF610DFB8:"server"
        00007FFCF5D1237E | C74424 30 01000000       | mov dword ptr ss:[rsp+30],1
        00007FFCF5D12386 | C74424 28 02000000       | mov dword ptr ss:[rsp+28],2
        00007FFCF5D1238E | 48:8B01                  | mov rax,qword ptr ds:[rcx]
        00007FFCF5D12391 | 48:895424 20             | mov qword ptr ss:[rsp+20],rdx
        00007FFCF5D12396 | 41:8BD2                  | mov edx,r10d
        00007FFCF5D12399 | FF90 B0000000            | call qword ptr ds:[rax+B0]
        00007FFCF5D1239F | 48:8BD0                  | mov rdx,rax
        00007FFCF5D123A2 | 48:8BCE                  | mov rcx,rsi
        00007FFCF5D123A5 | 48:8BF8                  | mov rdi,rax
        00007FFCF5D123A8 | E8 F3E2FFFF              | call engine2.7FFCF5D106A0                            <---- calls invoker
        00007FFCF5D123AD | 48:8D4B 0A               | lea rcx,qword ptr ds:[rbx+A]
        00007FFCF5D123B1 | 48:8D0C49                | lea rcx,qword ptr ds:[rcx+rcx*2]
        00007FFCF5D123B5 | 48:893CCE                | mov qword ptr ds:[rsi+rcx*8],rdi
        00007FFCF5D123B9 | 48:8B0D D01B5200         | mov rcx,qword ptr ds:[7FFCF6233F90]
        00007FFCF5D123C0 | C786 4C020000 FFFFFFFF   | mov dword ptr ds:[rsi+24C],FFFFFFFF
        00007FFCF5D123CA | 48:8B01                  | mov rax,qword ptr ds:[rcx]
        00007FFCF5D123CD | FF90 D8000000            | call qword ptr ds:[rax+D8]
        00007FFCF5D123D3 | 8B0D F7B65300            | mov ecx,dword ptr ds:[7FFCF624DAD0]
        00007FFCF5D123D9 | 0F57C9                   | xorps xmm1,xmm1
        00007FFCF5D123DC | F2:0F5AC8                | cvtsd2ss xmm1,xmm0
        00007FFCF5D123E0 | BA 01000000              | mov edx,1
        00007FFCF5D123E5 | F3:0F118E 50020000       | movss dword ptr ds:[rsi+250],xmm1
        00007FFCF5D123ED | FF15 35F43800            | call qword ptr ds:[<&LoggingSystem_IsChannelEnabled>]
        00007FFCF5D123F3 | 84C0                     | test al,al
        00007FFCF5D123F5 | 74 18                    | je engine2.7FFCF5D1240F
        00007FFCF5D123F7 | 8B0D D3B65300            | mov ecx,dword ptr ds:[7FFCF624DAD0]
        00007FFCF5D123FD | 4C:8D05 CCBC3F00         | lea r8,qword ptr ds:[7FFCF610E0D0]                  | 00007FFCF610E0D0:"CL:  CNetworkGameClientBase::Connect() calling SetSignonState( SIGNONSTATE_CONNECTED )\n"
        00007FFCF5D12404 | BA 01000000              | mov edx,1
        00007FFCF5D12409 | FF15 11F43800            | call qword ptr ds:[<&LoggingSystem_Log>]
        00007FFCF5D1240F | 48:8B06                  | mov rax,qword ptr ds:[rsi]
        00007FFCF5D12412 | 45:33C9                  | xor r9d,r9d
        00007FFCF5D12415 | 48:8BCE                  | mov rcx,rsi
    */
    static inline constexpr auto RegisterFilter_VFTable_INDEX = 67;
    static inline constexpr auto UnregisterFilter_VFTable_INDEX = RegisterFilter_VFTable_INDEX + 1;
public:
    void RegisterFilter(INetworkMessageProcessingPreFilter& filter_LIFETIME_MANGED_BY_INVOKER)
    {
        CallVFunc<RegisterFilter_VFTable_INDEX>(&filter_LIFETIME_MANGED_BY_INVOKER);
    }
    void UnregisterFilter(INetworkMessageProcessingPreFilter& filter_LIFETIME_MANGED_BY_INVOKER)
    {
        CallVFunc<UnregisterFilter_VFTable_INDEX>(&filter_LIFETIME_MANGED_BY_INVOKER);
    }
};

struct MyFilter : INetworkMessageProcessingPreFilter
{
    EFilterResult FilterMessage(CNetMessage* msg, CNetChan*) override
    {
        if(const auto ser = msg->GetSerializer(); ser)
        {
            cout_line(std::format("msg id {} {}", ser->messageID, ser->unscopedName));
        }
        return EFilterResult::ALLOW_MESSAGE;
    }
};
MyFilter filter{};//static(simpler) or local but must be alive at least until it's unregistered, RegisterFilter doesn't manage ownership
...
channel->RegisterFilter(filter);

Thank you Liberalist, your filter method works.

Morphologic · 12 Июл 2024

Liberalist написал(а):

try the filtering approach: https://yougame.biz/threads/320367/#post-3093913

C++:

struct CNetworkSerializerPB : public VClass
{
    const char* unscopedName;
    std::uint32_t categoryMask;
    void* protobufBinding;
    const char* groupName;
    int16_t messageID;
    uint8_t groupID;
    uint8_t defaultBufferType;
};

/*
sample class layout:
    CNetMessagePB<101,class CUserMessageAchievementEvent,13,1,1>
        client.dll + 0x37d13d0(hierarchy CNetMessagePB<101,class CUserMessageAchievementEvent,13,1,1>: CNetMessage, CUserMessageAchievementEvent, google::protobuf::Message, google::protobuf::MessageLite)
        client.dll + 0x37d1400 MI offset 32(hierarchy CUserMessageAchievementEvent: google::protobuf::Message, google::protobuf::MessageLite)
                                         ^^ lea rax,qword ptr ds:[rcx+0x20]
*/
class CNetMessage : public VClass
{
    /*
        00007FFCEF88DAD0 | 33D2                     | xor edx,edx
        00007FFCEF88DAD2 | 48:8D41 20               | lea rax,qword ptr ds:[rcx+20]
        00007FFCEF88DAD6 | 48:85C9                  | test rcx,rcx
        00007FFCEF88DAD9 | 48:0F44C2                | cmove rax,rdx
        00007FFCEF88DADD | C3                       | ret
    */
    static inline constexpr auto GetPbMessage_VFTable_INDEX = 2;

    /*
        00007FFCEF890050 | 48:83EC 48               | sub rsp,48
        00007FFCEF890054 | 48:8B05 8D3B1D00         | mov rax,qword ptr ds:[7FFCEFA63BE8]
        00007FFCEF89005B | 48:8B0D C6CC1C00         | mov rcx,qword ptr ds:[7FFCEFA5CD28]
        00007FFCEF890062 | 48:85C0                  | test rax,rax
        00007FFCEF890065 | 75 32                    | jne networksystem.7FFCEF890099
        00007FFCEF890067 | 48:8B01                  | mov rax,qword ptr ds:[rcx]
        00007FFCEF89006A | 4C:8D05 A7AB1900         | lea r8,qword ptr ds:[7FFCEFA2AC18]
        00007FFCEF890071 | C64424 30 00             | mov byte ptr ss:[rsp+30],0
        00007FFCEF890076 | 41:B9 38000000           | mov r9d,38
        00007FFCEF89007C | C64424 28 01             | mov byte ptr ss:[rsp+28],1
        00007FFCEF890081 | BA 00000040              | mov edx,40000000
        00007FFCEF890086 | 48:C74424 20 00000000    | mov qword ptr ss:[rsp+20],0
        00007FFCEF89008F | FF50 10                  | call qword ptr ds:[rax+10]
        00007FFCEF890092 | 48:8905 4F3B1D00         | mov qword ptr ds:[7FFCEFA63BE8],rax
        00007FFCEF890099 | 48:83C4 48               | add rsp,48
        00007FFCEF89009D | C3                       | ret
    */
    static inline constexpr auto GetSerializer_VFTable_INDEX = 3;
public:
    auto GetPbMessage() const
    {
        return CallVFunc<GetPbMessage_VFTable_INDEX, google::protobuf::Message*>();
    }
    auto GetSerializer()
    {
        return CallVFunc<GetSerializer_VFTable_INDEX, CNetworkSerializerPB*>();
    }
};

class CNetChan;
class INetworkMessageProcessingPreFilter
{
protected:
    enum EFilterResult : bool
    {
        ALLOW_MESSAGE,
        DROP_MESSAGE,
    };
    virtual EFilterResult FilterMessage(CNetMessage*, CNetChan*) = 0;
};

class CNetChan : public VClass
{
private:
    /*
    target function assembly:
        00007FFCEF8898F0 | 48:896C24 18             | mov qword ptr ss:[rsp+18],rbp
        00007FFCEF8898F5 | 57                       | push rdi
        00007FFCEF8898F6 | 41:56                    | push r14
        00007FFCEF8898F8 | 41:57                    | push r15
        00007FFCEF8898FA | 48:83EC 20               | sub rsp,20
        00007FFCEF8898FE | 4C:63B9 C0750000         | movsxd r15,dword ptr ds:[rcx+75C0]
        00007FFCEF889905 | 48:8DB9 C8750000         | lea rdi,qword ptr ds:[rcx+75C8]
        00007FFCEF88990C | 45:33C0                  | xor r8d,r8d
        00007FFCEF88990F | 48:8BEA                  | mov rbp,rdx
        00007FFCEF889912 | 4C:8BF1                  | mov r14,rcx
        00007FFCEF889915 | 45:85FF                  | test r15d,r15d
        00007FFCEF889918 | 7E 26                    | jle networksystem.7FFCEF889940
        00007FFCEF88991A | 48:8B07                  | mov rax,qword ptr ds:[rdi]
        00007FFCEF88991D | 41:8BD0                  | mov edx,r8d
        00007FFCEF889920 | 48:3928                  | cmp qword ptr ds:[rax],rbp
        00007FFCEF889923 | 74 11                    | je networksystem.7FFCEF889936
        00007FFCEF889925 | 41:FFC0                  | inc r8d
        00007FFCEF889928 | 48:FFC2                  | inc rdx
        00007FFCEF88992B | 48:83C0 08               | add rax,8
        00007FFCEF88992F | 49:3BD7                  | cmp rdx,r15
        00007FFCEF889932 | 7C EC                    | jl networksystem.7FFCEF889920
        00007FFCEF889934 | EB 0A                    | jmp networksystem.7FFCEF889940
        00007FFCEF889936 | 41:83F8 FF               | cmp r8d,FFFFFFFF
        00007FFCEF88993A | 0F85 D0000000            | jne networksystem.7FFCEF889A10
        00007FFCEF889940 | 44:3BB9 D0750000         | cmp r15d,dword ptr ds:[rcx+75D0]
        00007FFCEF889947 | 0F85 B5000000            | jne networksystem.7FFCEF889A02
        00007FFCEF88994D | F747 0C 00000040         | test dword ptr ds:[rdi+C],40000000
        00007FFCEF889954 | 0F85 A8000000            | jne networksystem.7FFCEF889A02
        00007FFCEF88995A | 8B4F 08                  | mov ecx,dword ptr ds:[rdi+8]
        00007FFCEF88995D | 48:895C24 40             | mov qword ptr ss:[rsp+40],rbx
        00007FFCEF889962 | 48:897424 48             | mov qword ptr ss:[rsp+48],rsi
        00007FFCEF889967 | 81F9 FEFFFF7F            | cmp ecx,dbghelp.7FFFFFFE
        00007FFCEF88996D | 7E 0B                    | jle networksystem.7FFCEF88997A
        00007FFCEF88996F | BA 01000000              | mov edx,1
        00007FFCEF889974 | FF15 4E7F1300            | call qword ptr ds:[<&UtlMemory_FailedAllocation>]
        00007FFCEF88997A | 8B4F 08                  | mov ecx,dword ptr ds:[rdi+8]
        00007FFCEF88997D | 41:B9 08000000           | mov r9d,8

    invoker:
        00007FFCF5D106A0 | 48:895C24 10             | mov qword ptr ss:[rsp+10],rbx
        00007FFCF5D106A5 | 48:897424 18             | mov qword ptr ss:[rsp+18],rsi
        00007FFCF5D106AA | 48:897C24 20             | mov qword ptr ss:[rsp+20],rdi
        00007FFCF5D106AF | 55                       | push rbp
        00007FFCF5D106B0 | 41:56                    | push r14
        00007FFCF5D106B2 | 41:57                    | push r15
        00007FFCF5D106B4 | 48:8BEC                  | mov rbp,rsp
        00007FFCF5D106B7 | 48:83EC 50               | sub rsp,50
        00007FFCF5D106BB | 48:8BF9                  | mov rdi,rcx
        00007FFCF5D106BE | 48:8BDA                  | mov rbx,rdx
        00007FFCF5D106C1 | 48:8B0D C8385200         | mov rcx,qword ptr ds:[7FFCF6233F90]
        00007FFCF5D106C8 | 45:33FF                  | xor r15d,r15d
        00007FFCF5D106CB | 48:85FF                  | test rdi,rdi
        00007FFCF5D106CE | 48:8D57 18               | lea rdx,qword ptr ds:[rdi+18]
        00007FFCF5D106D2 | 48:8B01                  | mov rax,qword ptr ds:[rcx]
        00007FFCF5D106D5 | 49:0F44D7                | cmove rdx,r15
        00007FFCF5D106D9 | FF90 20010000            | call qword ptr ds:[rax+120]
        00007FFCF5D106DF | 48:8B03                  | mov rax,qword ptr ds:[rbx]
        00007FFCF5D106E2 | 48:8BCB                  | mov rcx,rbx
        00007FFCF5D106E5 | FF90 D0010000            | call qword ptr ds:[rax+1D0]
        00007FFCF5D106EB | 48:893D AE044C00         | mov qword ptr ds:[7FFCF61D0BA0],rdi
        00007FFCF5D106F2 | 48:8D15 9F044C00         | lea rdx,qword ptr ds:[7FFCF61D0B98]
        00007FFCF5D106F9 | 48:8B03                  | mov rax,qword ptr ds:[rbx]
        00007FFCF5D106FC | 48:8BCB                  | mov rcx,rbx
        00007FFCF5D106FF | FF90 18020000            | call qword ptr ds:[rax+218]                               <---- invocation here
        00007FFCF5D10705 | 48:8D05 F0180200         | lea rax,qword ptr ds:[7FFCF5D31FFC]
        00007FFCF5D1070C | 48:8BCF                  | mov rcx,rdi
        00007FFCF5D1070F | 48:8945 F8               | mov qword ptr ss:[rbp-8],rax
        00007FFCF5D10713 | E8 0877FFFF              | call engine2.7FFCF5D07E20
        00007FFCF5D10718 | 48:8B0D 79385200         | mov rcx,qword ptr ds:[7FFCF6233F98]
        00007FFCF5D1071F | 48:8D77 28               | lea rsi,qword ptr ds:[rdi+28]

    invoker xref:
        00007FFCF5D12374 | 48:63DA                  | movsxd rbx,edx
        00007FFCF5D12377 | 48:8D15 3ABC3F00         | lea rdx,qword ptr ds:[7FFCF610DFB8]                 | 00007FFCF610DFB8:"server"
        00007FFCF5D1237E | C74424 30 01000000       | mov dword ptr ss:[rsp+30],1
        00007FFCF5D12386 | C74424 28 02000000       | mov dword ptr ss:[rsp+28],2
        00007FFCF5D1238E | 48:8B01                  | mov rax,qword ptr ds:[rcx]
        00007FFCF5D12391 | 48:895424 20             | mov qword ptr ss:[rsp+20],rdx
        00007FFCF5D12396 | 41:8BD2                  | mov edx,r10d
        00007FFCF5D12399 | FF90 B0000000            | call qword ptr ds:[rax+B0]
        00007FFCF5D1239F | 48:8BD0                  | mov rdx,rax
        00007FFCF5D123A2 | 48:8BCE                  | mov rcx,rsi
        00007FFCF5D123A5 | 48:8BF8                  | mov rdi,rax
        00007FFCF5D123A8 | E8 F3E2FFFF              | call engine2.7FFCF5D106A0                            <---- calls invoker
        00007FFCF5D123AD | 48:8D4B 0A               | lea rcx,qword ptr ds:[rbx+A]
        00007FFCF5D123B1 | 48:8D0C49                | lea rcx,qword ptr ds:[rcx+rcx*2]
        00007FFCF5D123B5 | 48:893CCE                | mov qword ptr ds:[rsi+rcx*8],rdi
        00007FFCF5D123B9 | 48:8B0D D01B5200         | mov rcx,qword ptr ds:[7FFCF6233F90]
        00007FFCF5D123C0 | C786 4C020000 FFFFFFFF   | mov dword ptr ds:[rsi+24C],FFFFFFFF
        00007FFCF5D123CA | 48:8B01                  | mov rax,qword ptr ds:[rcx]
        00007FFCF5D123CD | FF90 D8000000            | call qword ptr ds:[rax+D8]
        00007FFCF5D123D3 | 8B0D F7B65300            | mov ecx,dword ptr ds:[7FFCF624DAD0]
        00007FFCF5D123D9 | 0F57C9                   | xorps xmm1,xmm1
        00007FFCF5D123DC | F2:0F5AC8                | cvtsd2ss xmm1,xmm0
        00007FFCF5D123E0 | BA 01000000              | mov edx,1
        00007FFCF5D123E5 | F3:0F118E 50020000       | movss dword ptr ds:[rsi+250],xmm1
        00007FFCF5D123ED | FF15 35F43800            | call qword ptr ds:[<&LoggingSystem_IsChannelEnabled>]
        00007FFCF5D123F3 | 84C0                     | test al,al
        00007FFCF5D123F5 | 74 18                    | je engine2.7FFCF5D1240F
        00007FFCF5D123F7 | 8B0D D3B65300            | mov ecx,dword ptr ds:[7FFCF624DAD0]
        00007FFCF5D123FD | 4C:8D05 CCBC3F00         | lea r8,qword ptr ds:[7FFCF610E0D0]                  | 00007FFCF610E0D0:"CL:  CNetworkGameClientBase::Connect() calling SetSignonState( SIGNONSTATE_CONNECTED )\n"
        00007FFCF5D12404 | BA 01000000              | mov edx,1
        00007FFCF5D12409 | FF15 11F43800            | call qword ptr ds:[<&LoggingSystem_Log>]
        00007FFCF5D1240F | 48:8B06                  | mov rax,qword ptr ds:[rsi]
        00007FFCF5D12412 | 45:33C9                  | xor r9d,r9d
        00007FFCF5D12415 | 48:8BCE                  | mov rcx,rsi
    */
    static inline constexpr auto RegisterFilter_VFTable_INDEX = 67;
    static inline constexpr auto UnregisterFilter_VFTable_INDEX = RegisterFilter_VFTable_INDEX + 1;
public:
    void RegisterFilter(INetworkMessageProcessingPreFilter& filter_LIFETIME_MANGED_BY_INVOKER)
    {
        CallVFunc<RegisterFilter_VFTable_INDEX>(&filter_LIFETIME_MANGED_BY_INVOKER);
    }
    void UnregisterFilter(INetworkMessageProcessingPreFilter& filter_LIFETIME_MANGED_BY_INVOKER)
    {
        CallVFunc<UnregisterFilter_VFTable_INDEX>(&filter_LIFETIME_MANGED_BY_INVOKER);
    }
};

struct MyFilter : INetworkMessageProcessingPreFilter
{
    EFilterResult FilterMessage(CNetMessage* msg, CNetChan*) override
    {
        if(const auto ser = msg->GetSerializer(); ser)
        {
            cout_line(std::format("msg id {} {}", ser->messageID, ser->unscopedName));
        }
        return EFilterResult::ALLOW_MESSAGE;
    }
};
MyFilter filter{};//static(simpler) or local but must be alive at least until it's unregistered, RegisterFilter doesn't manage ownership
...
channel->RegisterFilter(filter);

Any good way to find a pointer to CNetChan?

Liberalist · 12 Июл 2024

Morphologic написал(а):
Any good way to find a pointer to CNetChan?

try this

C++:

/*
rtti/engine2.dll/vobjects.txt
engine2.dll - sha1: d9e7dca45f72bfcc30480a863d2bcd195af7c42e timestamp: 1720742779(00:06:19 12 Jul 2024)
CNetworkClientService
    (hierarchy CNetworkClientService: CBaseEngineService<class INetworkClientService>, CTier4AppSystem<class INetworkClientService,0>, CTier3AppSystem<class INetworkClientService,0>, CTier2AppSystem<class INetworkClientService,0>, CTier1AppSystem<class INetworkClientService,0>, CTier0AppSystem<class INetworkClientService,0>, CBaseAppSystem<class INetworkClientService>, INetworkClientService, IEngineService, IAppSystem, CUtlSlot, IVConCommDataReceived)
        engine2.dll + 0x5edd90

or CreateInterface
    NetworkClientService_001 -> CNetworkClientService
*/
constexpr auto CNetworkClientService_RVA = 0x5edd90;
class CNetworkClientService : public VClass
{
private:
    /*
    invoker:
        00007FFCF5E91808 | EB 07                    | jmp engine2.7FFCF5E91811
        00007FFCF5E9180A | 48:8D05 0FE32600         | lea rax,qword ptr ds:[7FFCF60FFB20]        | 00007FFCF60FFB20:"unknown"
        00007FFCF5E91811 | 8B0D F1E13F00            | mov ecx,dword ptr ds:[7FFCF628FA08]
        00007FFCF5E91817 | 4C:8D05 EAF52B00         | lea r8,qword ptr ds:[7FFCF6150E08]         | 00007FFCF6150E08:"GameEvent:  Posting %s (id:%d group:'%s') from code\n"
        00007FFCF5E9181E | 48:897424 28             | mov qword ptr ss:[rsp+28],rsi
        00007FFCF5E91823 | 4C:8BC8                  | mov r9,rax
        00007FFCF5E91826 | BA 02000000              | mov edx,2
        00007FFCF5E9182B | 44:896424 20             | mov dword ptr ss:[rsp+20],r12d
        00007FFCF5E91830 | FF15 EAFF2000            | call qword ptr ds:[<&LoggingSystem_Log>]
        00007FFCF5E91836 | 4C:8B65 67               | mov r12,qword ptr ss:[rbp+67]
        00007FFCF5E9183A | 33F6                     | xor esi,esi
        00007FFCF5E9183C | 41:807E 28 00            | cmp byte ptr ds:[r14+28],0
        00007FFCF5E91841 | 0F84 D2010000            | je engine2.7FFCF5E91A19
        00007FFCF5E91847 | 48:8B0D 42283A00         | mov rcx,qword ptr ds:[7FFCF6234090]
        00007FFCF5E9184E | 48:8D55 3F               | lea rdx,qword ptr ss:[rbp+3F]
        00007FFCF5E91852 | 83FB FF                  | cmp ebx,FFFFFFFF
        00007FFCF5E91855 | 0F44DE                   | cmove ebx,esi
        00007FFCF5E91858 | 48:8B01                  | mov rax,qword ptr ds:[rcx]
        00007FFCF5E9185B | 44:8BC3                  | mov r8d,ebx
        00007FFCF5E9185E | FF90 28010000            | call qword ptr ds:[rax+128]
        00007FFCF5E91864 | 48:8B0D 25283A00         | mov rcx,qword ptr ds:[7FFCF6234090]
        00007FFCF5E9186B | 8BD3                     | mov edx,ebx
        00007FFCF5E9186D | 48:8B01                  | mov rax,qword ptr ds:[rcx]
        00007FFCF5E91870 | FF90 50010000            | call qword ptr ds:[rax+150]                 <---- here is the call
        00007FFCF5E91876 | 4C:8B6D 6F               | mov r13,qword ptr ss:[rbp+6F]
        00007FFCF5E9187A | 48:8BF0                  | mov rsi,rax
        00007FFCF5E9187D | 4C:8B65 5F               | mov r12,qword ptr ss:[rbp+5F]

    target function assembly:
        00007FFA3FDA6BE0 | 4C:8B81 A8000000         | mov r8,qword ptr ds:[rcx+A8]
        00007FFA3FDA6BE7 | 4D:85C0                  | test r8,r8
        00007FFA3FDA6BEA | 75 03                    | jne engine2.7FFA3FDA6BEF
        00007FFA3FDA6BEC | 33C0                     | xor eax,eax
        00007FFA3FDA6BEE | C3                       | ret
        00007FFA3FDA6BEF | 33C9                     | xor ecx,ecx
        00007FFA3FDA6BF1 | 83FA FF                  | cmp edx,FFFFFFFF
        00007FFA3FDA6BF4 | 0F45CA                   | cmovne ecx,edx
        00007FFA3FDA6BF7 | 48:63C9                  | movsxd rcx,ecx
        00007FFA3FDA6BFA | 48:83C1 0A               | add rcx,A
        00007FFA3FDA6BFE | 48:8D0449                | lea rax,qword ptr ds:[rcx+rcx*2]
        00007FFA3FDA6C02 | 49:8B04C0                | mov rax,qword ptr ds:[r8+rax*8]
        00007FFA3FDA6C06 | C3                       | ret
    */
    static inline constexpr auto GetNetChannel_VFTable_INDEX = 42;
public:
    auto GetNetChannel(int split_screen_slot = 0) const volatile
    {
        return CallVFunc<GetNetChannel_VFTable_INDEX, CNetChan*>(split_screen_slot);
    }
};

ATAMOS · 16 Июл 2024

krobicon1 написал(а):
Thank you Liberalist, your filter method works.

А CCLCMsg_Move это про анимацию движения? У меня такой пакет не приходит

Liberalist · 16 Июл 2024

ATAMOS написал(а):
А CCLCMsg_Move это про анимацию движения? У меня такой пакет не приходит

это креейтмув фигня. и ее клиент отправляет(видимо чел на скрине хукнул серверный нетчан а не клиентский).
я в сторону анимаций не копал но наверно анимация движения "одноразовая"(ну тип сервер 1 раз прислал что-то(хз что, возможно со шмотками связано) и это на всю игру) и клиент потом сам разбирается с этим говном(ну либо клиент ваще полностью сам разбирается с этим говном хз не смотрел), в отличии от тычек(ну например тычки могут быть критами а могут быть не критами, у разных героев разные анимации + рандомчик для разнообразия, поэтому сервак это дело присылает, хз)

ATAMOS · 16 Июл 2024

Liberalist написал(а):
видимо чел на скрине хукнул серверный нетчан а не клиентский

Это что? Я только CNetChan и интерфейс INetChannel вижу

Liberalist · 17 Июл 2024

ATAMOS написал(а):
Это что? Я только CNetChan и интерфейс INetChannel вижу

нетчан это класс, его инстанций есть несколько(по крайней мере когда ты в демке(т.е. у тебя локалхост сервер запущен))
забей кароче чел просто не так нетчан получает

ATAMOS · 17 Июл 2024

Liberalist написал(а):
в сторону анимаций не копал

Там еще прикол, что возможно это вообще не про анимации. Типо очевидно, что сервер понятия не имеет, что я там зафорсил эквип арканы ЦМки например и высылает значение мувсета "regular run", что в аркане есть мувсет лоу хп бега, но у меня не появляется так же и псина, которая должна быть(типо фишка арканы) при этом другие эффекты норм грузит, что наводит на мысли, что дело мб не в анимациях, крч у меня уже бошка кипит.

Вопрос PostReceivedNetMessage is not getting called!

Вложения