Tutorial How to dump vtable


Lolita1

Tested on Dota 2 (Source Engine 1) and Dota 2 Reborn (Source Engine 2); both worked fine.

You need 2 things :
1. IDA
2. SteamCMD (https://media.steampowered.com/installer/steamcmd.zip) — take it only from Valve's own host, since you will be typing your Steam password into it.

Create a .bat file containing this single line:
Batch:
 steamcmd.exe +@sSteamCmdForcePlatformType macos +login LOGIN +app_update APPID validate +quit
(Replace LOGIN with your Steam account name and APPID with the game's app ID; for Dota 2 Reborn it is 570. `+@sSteamCmdForcePlatformType macos` makes SteamCMD fetch the macOS depot even on Windows: the macOS build ships its C++ symbol names, which the script below relies on, whereas the Windows .dll builds are stripped — compare the `sub_...`/`__purecall` entries in the client.dll dump further down.)

SteamCMD will then prompt for your password and, if Steam Guard is enabled, for the code it e-mails you. Type both at the prompt; do not put the password into the .bat file.

Now wait: this takes a while, and you can watch the download progress. When it finishes, the folder looks like a normal Steam install, so go to steamapps/common/<name of the game>.

For example, on Windows I have engine2.dll and I want to dump the interface Source2EngineToClient001, so in the macOS build I look for the matching library, something like engine2.dylib — for Dota 2 Reborn it is "libengine2.dylib".
Once found, load it in IDA, open View > Open subviews > Names, then Search > Search... and look for CEngineClient until you reach the `vtable for'CEngineClient symbol.

When you find it, double-click it and something like this should appear:



Now go to File > Script command and paste in this script:

#include <idc.idc>

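// Read one vtable slot.  Dword() returns only the low 32 bits, so on a
// 64-bit image (8-byte slots) it silently truncates any pointer above
// 4 GiB; use Qword() there.
static ReadSlot(ea, ptrSize)
{
    if (ptrSize == 8)
        return Qword(ea);
    return Dword(ea);
}

// Dump the virtual function table under the cursor to a text file, one
// "<index><TAB><demangled name>" line per slot.
//
// Usage: put the cursor on the "`vtable for'Class" symbol (View > Open
// subviews > Names), run the script, answer the "entries to ignore"
// prompt and pick an output file.  A zero offset-to-top field at the
// start of the table is skipped automatically; the prompt lets you skip
// further header slots (e.g. the typeinfo pointer) or start deeper.
//
// ptrSize is the slot width: 8 for a 64-bit image (Source 2 .dylib),
// 4 for a 32-bit one (Source 1).  The read, the header skip, the
// "ignore" skip and the loop stride all derive from it, so it is the
// only line to change.  (The original used 8 for the stride but 4 for
// the "ignore" skip, which misaligned every read once skipAmt != 0.)
static main()
{
    auto ptrSize, pAddress, iIndex;
    auto szFilePath, hFile;
    auto skipAmt;
    auto szFuncName, szFullName, real_addr;
    auto mangledLeft;

    ptrSize = 8;
    iIndex = 0;
    mangledLeft = 0;

    SetStatus(IDA_STATUS_WORK);

    // User selected vtable block
    pAddress = ScreenEA();
    if (pAddress == BADADDR)
    {
        Message("** No vtable selected! Aborted **");
        Warning("No vtable selected!\nSelect vtable block first.");
        SetStatus(IDA_STATUS_READY);
        return;
    }

    skipAmt = AskLong(1, "Number of vtable entries to ignore for indexing:");

    // Request output dump file
    SetStatus(IDA_STATUS_WAITING);
    if ((szFilePath = AskFile(1, "*.txt", "Select output dump file:")) == 0)
    {
        Message("Aborted.");
        SetStatus(IDA_STATUS_READY);
        return;
    }

    if ((hFile = fopen(szFilePath, "wb")) == 0)
    {
        Message("** Error opening \"%s\"! Aborted **\n", szFilePath);
        Warning("Error creating \"%s\"!\n", szFilePath);
        Message("\nDone.\n\n");
        SetStatus(IDA_STATUS_READY);
        return;
    }

    // Create the header
    fprintf(hFile, "// Auto reconstructed from vtable block @ 0x%08X\n// from \"%s\", by ida_vtables.idc\n", pAddress, GetInputFile());

    // Itanium-ABI vtables start with an offset-to-top field; skip it when
    // it is zero (primary vtable).  It is one slot wide.
    if (ReadSlot(pAddress, ptrSize) == 0)
        pAddress = pAddress + ptrSize;

    // Entries to ignore are whole slots too.
    pAddress = pAddress + (skipAmt * ptrSize);

    // Loop through the vtable block
    while (pAddress != BADADDR)
    {
        real_addr = ReadSlot(pAddress, ptrSize);

        // A zero slot is the offset-to-top of the *next* vtable, i.e. we
        // have walked off the end of this one.  Function slots are never 0
        // (pure virtuals point at a stub), so stop here instead of
        // appending the neighbouring class's RTTI and table to the dump.
        if (real_addr == 0)
            break;

        szFuncName = Name(real_addr);
        if (strlen(szFuncName) == 0)
            break;

        szFullName = Demangle(szFuncName, INF_SHORT_DN);
        if (trim(szFullName) == "")
            szFullName = szFuncName;

        // A raw "_ZN..." name means GCC demangling is off in IDA.  Remember
        // it and stop; the file is closed exactly once, after the loop
        // (the original fclose()d here and again below).
        if (strstr(szFullName, "_ZN") != -1)
        {
            mangledLeft = 1;
            break;
        }

        fprintf(hFile, "%d\t%s\n", iIndex, szFullName);

        pAddress = pAddress + ptrSize;
        iIndex++;
    }

    fclose(hFile);

    if (mangledLeft)
        Warning("You must toggle GCC v3.x demangled names!\n");
    Message("Successfully wrote %d vtable entries.\n", iIndex);

    Message("\nDone.\n\n");
    SetStatus(IDA_STATUS_READY);
}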

Run it. When it asks how many entries to ignore, replace the default 1 with 0; then choose where to save the dump. Open the saved file and you have the vtable, one function per index:

0 CTier2AppSystem<IVEngineClient2,0>::Connect(void * (*)(char const*,int *))
1 CTier2AppSystem<IVEngineClient2,0>::Disconnect(void)
2 CBaseAppSystem<IVEngineClient2>::QueryInterface(char const*)
3 CTier2AppSystem<IVEngineClient2,0>::Init(void)
4 CTier2AppSystem<IVEngineClient2,0>::Shutdown(void)
5 CBaseAppSystem<IVEngineClient2>::preShutdown(void)
6 CBaseAppSystem<IVEngineClient2>::GetDependencies(void)
7 CTier4AppSystem<IVEngineClient2,0>::GetTier(void)
8 CTier2AppSystem<IVEngineClient2,0>::Reconnect(void * (*)(char const*,int *),char const*)
9 CBaseAppSystem<IVEngineClient2>::IsSingleton(void)
10 CBaseAppSystem<IVEngineClient2>::GetBuildType(void)
11 CEngineClient::IsPaused(void)
12 CEngineClient::GetTimescale(void)const
13 CEngineClient::FindOrCreateWorldSession(char const*,CResourceManifestPrerequisite *)
14 CEngineClient::UpdateAddonSearchPaths(bool,bool,char const*)
15 CEngineClient::GetEntityLumpForTemplate(char const*,bool,char const*,char const*)
16 CEngineClient::GetStatsAppID(void)const
17 CEngineClient::GetGameClientFactory(void)
18 CEngineClient::ServerCmd(InputCommandSource_t,char const*)
19 CEngineClient::ClientCmd(InputCommandSource_t,char const*)
20 CEngineClient::GetPlayerInfo(CEntityIndex,google::protobuf::Message &)
21 CEngineClient::GetPlayerForUserID(int)
22 CEngineClient::GetLocalPlayer(CSplitScreenSlot)const
23 CEngineClient::GetLastTimeStamp(void)
24 CEngineClient::GetLastServerTick(void)
25 CEngineClient::GetSentence(CAudioSource *)
26 CEngineClient::GetSentenceLength(CAudioSource *)
27 CEngineClient::IsStreaming(CAudioSource *)const
28 CEngineClient::GetMaxClients(void)const
29 CEngineClient::IsInGame(void)
30 CEngineClient::IsConnected(void)const
31 CEngineClient::Con_NPrintf(int,char const*,...)
32 CEngineClient::Con_NXPrintf(con_nprint_s const*,char const*,...)
33 CEngineClient::GetNetChannelInfo(CSplitScreenSlot)
34 CEngineClient::IsPlayingDemo(void)
35 CEngineClient::IsRecordingDemo(void)
36 CEngineClient::IsPlayingTimeDemo(void)
37 CEngineClient::ExecuteClientCmd(char const*)
38 CEngineClient::ClientCmd_Unrestricted(char const*)
39 CEngineClient::SetRestrictServerCommands(bool)
40 CEngineClient::SetRestrictClientCommands(bool)
41 CEngineClient::IsLowViolence(void)const
42 CEngineClient::GetSplitScreenPlayer(CSplitScreenSlot)
43 CEngineClient::IsSplitScreenActive(void)
44 CEngineClient::IsValidSplitScreenSlot(CSplitScreenSlot)
45 CEngineClient::FirstValidSplitScreenSlot(void)
46 CEngineClient::NextValidSplitScreenSlot(CSplitScreenSlot)
47 CEngineClient::GetAvailableAsyncThread(void)
48 CEngineClient::GetScreenSize(int &,int &)
49 CEngineClient::IsDrawingLoadingImage(void)
50 CEngineClient::HideLoadingPlaque(void)
51 CEngineClient::GetGameDirectory(void)
52 CEngineClient::GetLevelName(void)
53 CEngineClient::GetLevelNameShort(void)
54 CEngineClient::GetVoiceTweakAPI(void)
55 CEngineClient::EngineStats_BeginFrame(void)
56 CEngineClient::EngineStats_EndFrame(void)
57 CEngineClient::CheckPoint(char const*)
58 CEngineClient::IsDemoPaused(void)
59 CEngineClient::IsDemoSkipping(void)
60 CEngineClient::GetDemoRecordingTick(void)
61 CEngineClient::GetDemoPlaybackTick(void)
62 CEngineClient::GetDemoPlaybackStartTick(void)
63 CEngineClient::GetDemoPlaybackTimeScale(void)
64 CEngineClient::GetDemoPlaybackTotalTicks(void)
65 CEngineClient::GetDemoPlaybackFileName(void)
66 CEngineClient::IsTakingScreenshot(void)
67 CEngineClient::IsHLTV(void)
68 CEngineClient::GetMainMenuBackgroundName(char *,int)
69 CEngineClient::GetUILanguage(char *,int)
70 CEngineClient::IsSkyboxVisibleFromPoint(Vector const&)
71 CEngineClient::GetScreenAspectRatio(int,int)
72 CEngineClient::GetEngineBuildNumber(void)
73 CEngineClient::GetProductVersionString(void)
74 CEngineClient::GetBuildVersion(void)const
75 CEngineClient::SendClientOOBPacket(ns_address const&,void const*,int)
76 CEngineClient::GetAppID(void)
77 CEngineClient::CopyFrameBufferToMaterial(char const*)
78 CEngineClient::ReadConfiguration(CSplitScreenSlot)
79 CEngineClient::SetAchievementMgr(IAchievementMgr *)
80 CEngineClient::GetAchievementMgr(void)
81 CEngineClient::StartXboxExitingProcess(void)
82 CEngineClient::OnStorageDeviceAttached(int)
83 CEngineClient::OnStorageDeviceDetached(int)
84 CEngineClient::WriteScreenshot(char const*)
85 CEngineClient::GetActiveSplitScreenPlayerSlot(void)
86 CEngineClient::SetActiveSplitScreenPlayerSlot(CSplitScreenSlot)
87 CEngineClient::SetLocalPlayerIsResolvable(char const*,int,bool)
88 CEngineClient::IsLocalPlayerResolvable(void)
89 CEngineClient::GetSinglePlayerSharedMemorySpace(char const*,int)
90 CEngineClient::RegisterDemoCustomDataCallback(CUtlSymbolLarge,void (*)(unsigned char *,unsigned long))
91 CEngineClient::RecordDemoCustomData(void (*)(unsigned char *,unsigned long),void const*,unsigned long)
92 CEngineClient::SetPitchScale(float)
93 CEngineClient::GetPitchScale(void)
94 CEngineClient::DSPGetCurrentDASRoomNew(void)
95 CEngineClient::DSPGetCurrentDASRoomChanged(void)
96 CEngineClient::DSPGetCurrentDASRoomSkyAbove(void)
97 CEngineClient::DSPGetCurrentDASRoomSkyPercent(void)
98 CEngineClient::SetMixGroupOfCurrentMixer(char const*,char const*,float,int)
99 CEngineClient::GetMixLayerIndex(char const*)
100 CEngineClient::SetMixLayerLevel(int,float)
101 CEngineClient::IsRecordingVoice(void)
102 CEngineClient::SetTimescale(float)
103 CEngineClient::SetGamestatsData(CGamestatsData *)
104 CEngineClient::GetGamestatsData(void)
105 CEngineClient::UpdateDAndELights(void)
106 CEngineClient::GetBugSubmissionCount(void)const
107 CEngineClient::ClearBugSubmissionCount(void)
108 CEngineClient::GetServerSimulationFrameTime(void)const
109 CEngineClient::GetServerTickTimes(unsigned long long,CUtlVector<IVEngineClient2::ServerTickTime_t,CUtlMemory<IVEngineClient2::ServerTickTime_t,int>> &)const
110 CEngineClient::IsInCommentaryMode(void)
111 CEngineClient::SetBlurFade(float)
112 CEngineClient::IsTransitioningToLoad(void)
113 CEngineClient::SearchPathsChangedAfterInstall(void)
114 CEngineClient::SetConnectionPassword(char const*)
115 CEngineClient::GetSteamAPIContext(void)
116 CEngineClient::ServerCmdKeyValues(KeyValues *)
117 CEngineClient::GetStartupImage(char *,int,int,int)
118 CEngineClient::GetBackgroundMovie(char *,int)
119 CEngineClient::GetBackgroundMusic(char *,int,bool)
120 CEngineClient::TickProgressBar(void)
121 CEngineClient::GetMainWindow(void)
122 CEngineClient::DrawSelectedPanel(vgui::VPanelHandle)
123 CEngineClient::IsPanelInFocusList(unsigned long long)
124 CEngineClient::IsViewEntity(CEntityIndex)const
125 CEngineClient::GetViewEntity(CSplitScreenSlot)const
126 CEngineClient::TouchLight(dlight_t *)
127 CEngineClient::SetAreaState(unsigned char *,unsigned char *)
128 CEngineClient::ChangePVSSpawnGroupHandle(unsigned int)
129 CEngineClient::SetDemoTime(float)
130 CEngineClient::FlashWindow(void)
131 CEngineClient::DesktopNotify(char const*,char const*)
132 CEngineClient::GetDemoGameInfo(google::protobuf::Message &)
133 CEngineClient::GetDemoFileGameInfo(char const*,google::protobuf::Message &)
134 CEngineClient::DecompressBZipFile(char const*,char const*)
135 CEngineClient::UnzipZip(char const*,char const*,char const*,bool,bool,bool)
136 CEngineClient::SOSSetOpvarFloat(char const*,float)
137 CEngineClient::SOSGetOpvarFloat(char const*,float &)
138 CEngineClient::GameLoadFailed(void)const
139 CEngineClient::SetGameLoadFailed(bool)
140 CEngineClient::LoadSpawnGroup(SpawnGroupDesc_t const&)
141 CEngineClient::UnloadSpawnGroup(unsigned int,ESpawnGroupUnloadOption)
142 CEngineClient::SetSpawnGroupDescription(unsigned int,char const*)
143 CEngineClient::IsSpawnGroupLoaded(unsigned int)const
144 CEngineClient::IsSpawnGroupLoading(unsigned int)const
145 CEngineClient::FindSpawnGroupByName(char const*)
146 CEngineClient::SynchronouslySpawnGroup(unsigned int)
147 CEngineClient::SynchronizeAndBlockUntilLoaded(unsigned int)
148 CEngineClient::ForceOpenServerPort(void)
149 CEngineClient::ForceOpenClientDefaultPort(void)
150 CEngineClient::GetDemoClosestGameSave(int,google::protobuf::Message *)
151 CEngineClient::GetInstantReplayMinTick(void)
152 CEngineClient::GetInstantReplayMaxTick(void)
153 CEngineClient::GetInstantReplayPlaybackDeltaTick(void)
154 CEngineClient::IsClientLocalToActiveServer(void)
155 CEngineClient::postReceivedNetMessage(NetMessageHandle_t__ *,void const*,NetChannelBufType_t)

Happy Dumping, cya
 

Solaire

Awesome, thanks! Going to go dump Counter-Strike: Source infos now :p
 

Lolita1

Awesome, thanks! Going to go dump Counter-Strike: Source infos now :p
Good luck. If you are going to dump Source Engine 1, which is a 32-bit binary with 4-byte vtable slots, change this in the IDA script
IDC:
pAddress = pAddress + 8;
iIndex++;
to this
IDC:
pAddress = pAddress + 4;
iIndex++;
 

Solaire

Wish you good luck. Anyway if you gonna dump Source Engine 1 change in IDA Script from this
IDC:
pAddress = pAddress + 8;
iIndex++;
to this
IDC:
pAddress = pAddress + 4;
iIndex++;
I was able to dump the CEngineClient VTable:

// Auto reconstructed from vtable block @ 0x004A72E0
// from "engine.dylib", by ida_vtables.idc
0 `typeinfo for'CEngineClient
1 CEngineClient::GetIntersectingSurfaces
2 CEngineClient::GetLightForPoint
3 CEngineClient::TraceLineMaterialAndLighting
4 CEngineClient::parseFile
5 CEngineClient::CopyLocalFile
6 CEngineClient::GetScreenSize
7 CEngineClient::ServerCmd
8 CEngineClient::ClientCmd
9 CEngineClient::GetPlayerInfo
10 CEngineClient::GetPlayerForUserID
11 CEngineClient::TextMessageGet
12 CEngineClient::Con_IsVisible
13 CEngineClient::GetLocalPlayer
14 CEngineClient::LoadModel
15 CEngineClient::Time
16 CEngineClient::GetLastTimeStamp
17 CEngineClient::GetSentence
18 CEngineClient::GetSentenceLength
19 CEngineClient::IsStreaming
20 CEngineClient::GetViewAngles
21 CEngineClient::SetViewAngles
22 CEngineClient::GetMaxClients
23 CEngineClient::Key_LookupBinding
24 CEngineClient::Key_BindingForKey
25 CEngineClient::StartKeyTrapMode
26 CEngineClient::CheckDoneKeyTrapping
27 CEngineClient::IsInGame
28 CEngineClient::IsConnected
29 CEngineClient::IsDrawingLoadingImage
30 CEngineClient::Con_NPrintf
31 CEngineClient::Con_NXPrintf
32 CEngineClient::IsBoxVisible
33 CEngineClient::IsBoxInViewCluster
34 CEngineClient::CullBox
35 CEngineClient::Sound_ExtraUpdate
36 CEngineClient::GetGameDirectory
37 CEngineClient::WorldToScreenMatrix
38 CEngineClient::WorldToViewMatrix
39 CEngineClient::GameLumpVersion
40 CEngineClient::GameLumpSize
41 CEngineClient::LoadGameLump
42 CEngineClient::LevelLeafCount
43 CEngineClient::GetBSPTreeQuery
44 CEngineClient::LinearToGamma
45 CEngineClient::LightStyleValue
46 CEngineClient::ComputeDynamicLighting
47 CEngineClient::GetAmbientLightColor
48 CEngineClient::GetDXSupportLevel
49 CEngineClient::SupportsHDR
50 CEngineClient::Mat_Stub
51 CEngineClient::GetChapterName
52 CEngineClient::GetLevelName
53 CEngineClient::GetLevelVersion
54 CEngineClient::GetVoiceTweakAPI
55 CEngineClient::EngineStats_BeginFrame
56 CEngineClient::EngineStats_EndFrame
57 CEngineClient::FireEvents
58 CEngineClient::GetLeavesArea
59 CEngineClient::DoesBoxTouchAreaFrustum
60 CEngineClient::SetAudioState
61 CEngineClient::SentenceGroupPick
62 CEngineClient::SentenceGroupPickSequential
63 CEngineClient::SentenceIndexFromName
64 CEngineClient::SentenceNameFromIndex
65 CEngineClient::SentenceGroupIndexFromName
66 CEngineClient::SentenceGroupNameFromIndex
67 CEngineClient::SentenceLength
68 CEngineClient::ComputeLighting
69 CEngineClient::ActivateOccluder
70 CEngineClient::IsOccluded
71 CEngineClient::SaveAllocMemory
72 CEngineClient::SaveFreeMemory
73 CEngineClient::GetNetChannelInfo
74 CEngineClient::DebugDrawPhysCollide
75 CEngineClient::CheckPoint
76 CEngineClient::DrawPortals
77 CEngineClient::IsPlayingDemo
78 CEngineClient::IsRecordingDemo
79 CEngineClient::IsPlayingTimeDemo
80 CEngineClient::GetDemoRecordingTick
81 CEngineClient::GetDemoPlaybackTick
82 CEngineClient::GetDemoPlaybackStartTick
83 CEngineClient::GetDemoPlaybackTimeScale
84 CEngineClient::GetDemoPlaybackTotalTicks
85 CEngineClient::IsPaused
86 CEngineClient::IsTakingScreenshot
87 CEngineClient::IsHLTV
88 CEngineClient::IsLevelMainMenuBackground
89 CEngineClient::GetMainMenuBackgroundName
90 CEngineClient::GetVideoModes
91 CEngineClient::SetOcclusionParameters
92 CEngineClient::GetUILanguage
93 CEngineClient::IsSkyboxVisibleFromPoint
94 CEngineClient::GetMapEntitiesString
95 CEngineClient::IsInEditMode
96 CEngineClient::GetScreenAspectRatio
97 CEngineClient::REMOVED_SteamRefreshLogin
98 CEngineClient::REMOVED_SteamProcessCall
99 CEngineClient::GetEngineBuildNumber
100 CEngineClient::GetProductVersionString
101 CEngineClient::GrabPreColorCorrectedFrame
102 CEngineClient::IsHammerRunning
103 CEngineClient::ExecuteClientCmd
104 CEngineClient::MapHasHDRLighting
105 CEngineClient::GetAppID
106 CEngineClient::GetLightForPointFast
107 CEngineClient::ClientCmd_Unrestricted
108 CEngineClient::SetRestrictServerCommands
109 CEngineClient::SetRestrictClientCommands
110 CEngineClient::SetOverlayBindProxy
111 CEngineClient::CopyFrameBufferToMaterial
112 CEngineClient::ChangeTeam
113 CEngineClient::ReadConfiguration
114 CEngineClient::SetAchievementMgr
115 CEngineClient::GetAchievementMgr
116 CEngineClient::MapLoadFailed
117 CEngineClient::SetMapLoadFailed
118 CEngineClient::IsLowViolence
119 CEngineClient::GetMostRecentSaveGame
120 CEngineClient::SetMostRecentSaveGame
121 CEngineClient::StartXboxExitingProcess
122 CEngineClient::IsSaveInProgress
123 CEngineClient::OnStorageDeviceAttached
124 CEngineClient::OnStorageDeviceDetached
125 CEngineClient::ResetDemoInterpolation
126 CEngineClient::SetGamestatsData
127 CEngineClient::GetGamestatsData
128 CEngineClient::GetMouseDelta
129 CEngineClient::ServerCmdKeyValues
130 CEngineClient::IsSkippingPlayback
131 CEngineClient::IsLoadingDemo
132 CEngineClient::IsPlayingDemoALocallyRecordedDemo
133 CEngineClient::Key_LookupBindingExact
134 CEngineClient::GetProtocolVersion
135 CEngineClient::IsWindowedMode
136 CEngineClient::FlashWindow
137 CEngineClient::GetClientVersion
138 CEngineClient::IsActiveApp
139 CEngineClient::DisconnectInternal
140 CEngineClient::GetInstancesRunningCount
141 CEngineClient::IsInCommentaryMode
142 dword_0
143 `vtable for'__cxxabiv1::__si_class_type_info
144 `typeinfo name for'CEngineClient
145 `typeinfo for'IVEngineClient
146 dword_0
147 dword_0
148 `typeinfo for'CClientState
149 CClientState::~CClientState
150 CClientState::~CClientState
151 CBaseClientState::ConnectionStart
152 CClientState::ConnectionClosing
153 CClientState::ConnectionCrashed
154 CClientState::packetStart
155 CClientState::packetEnd
156 CClientState::FileRequested
157 CClientState::FileReceived
158 CClientState::FileDenied
159 CClientState::FileSent
160 CClientState::processConnectionlessPacket
161 CClientState::processTick
162 CClientState::processStringCmd
163 CBaseClientState::processSetConVar
164 CBaseClientState::processSignonState
165 CBaseClientState::processPrint
166 CClientState::processServerInfo
167 CBaseClientState::processSendTable
168 CClientState::processClassInfo
169 CClientState::processSetPause
170 CBaseClientState::processCreateStringTable
171 CBaseClientState::processUpdateStringTable
172 CBaseClientState::processSetView
173 CClientState::processPacketEntities
174 CBaseClientState::processMenu
175 CBaseClientState::processGameEventList
176 CBaseClientState::processGetCvarValue
177 CBaseClientState::processCmdKeyValues
178 CBaseClientState::GetDemoProtocolVersion
179 CClientState::Clear
180 CClientState::FullConnect
181 CBaseClientState::Connect
182 CClientState::SetSignonState
183 CClientState::Disconnect
184 CBaseClientState::SendConnectPacket
185 CClientState::GetCDKeyHash
186 CClientState::RunFrame
187 CBaseClientState::CheckForResend
188 CClientState::InstallStringTableCallback
189 CClientState::HookClientStringTable
190 CBaseClientState::LinkClasses
191 CBaseClientState::GetConnectionRetryNumber
192 CBaseClientState::GetClientName
193 CClientState::ReadEnterPVS
194 CClientState::ReadLeavePVS
195 CClientState::ReadDeltaEnt
196 CClientState::ReadPreserveEnt
197 CClientState::ReadDeletions
198 CClientState::processVoiceInit
199 CClientState::processVoiceData
200 CClientState::processSounds
201 CClientState::processFixAngle
202 CClientState::processCrosshairAngle
203 CClientState::processBSPDecal
204 CClientState::processGameEvent
205 CClientState::processUserMessage
206 CClientState::processEntityMessage
207 CClientState::processTempEntities
208 CClientState::processPrefetch
(Entries 142 onward are not part of CEngineClient's vtable: 142 is the zero offset-to-top of the next table, 143–148 are RTTI pointers and 149+ are CClientState's slots. The script only stops at an address with no name, so it walked straight into the neighbouring table.)

:D

EDIT:
C_BasePlayer in client.dylib https://pastebin.com/VFbFhAN6
 

Lolita1

I was able to dump the CEngineClient VTable
Well done, but you are missing the parameter lists of those functions. You can find them in IDA, or try changing
IDC:
INF_SHORT_DN
to
IDC:
INF_LONG_DN
I changed this in the script as well.
 

Solaire

Well done, but you missing parameters of those functions. Anyway you can find them in IDA.
Maybe try change
IDC:
INF_SHORT_DN
to
IDC:
INF_LONG_DN
This i also changed in that script.
Alright, so I spent some time messing around with the script and was able to add the return type and calling convention to the function output.

IDC:
#include <idc.idc> 

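 // Dump the vtable under the cursor to a text file, one line per slot:
 // "<index><TAB><guessed return type and calling convention> <demangled name>".
 //
 // 32-bit variant (Source Engine 1): every slot is a 4-byte pointer read
 // with Dword().  For a 64-bit image change the three 4s to 8 and read
 // with Qword(), otherwise the pointers are silently truncated.
 //
 // Usage: cursor on the "`vtable for'Class" symbol, run, answer the
 // "entries to ignore" prompt, pick an output file.
 static main()
 {
     auto pAddress, iIndex;
     auto szFilePath, hFile;
     auto skipAmt;
     auto szFuncName, szFullName, real_addr;
     auto fullType, e, type, functName;
     auto mangledLeft;

     iIndex = 0;
     mangledLeft = 0;

     SetStatus(IDA_STATUS_WORK);

     // User selected vtable block
     pAddress = ScreenEA();
     if (pAddress == BADADDR)
     {
         Message("** No vtable selected! Aborted **");
         Warning("No vtable selected!\nSelect vtable block first.");
         SetStatus(IDA_STATUS_READY);
         return;
     }

     skipAmt = AskLong(1, "Number of vtable entries to ignore for indexing:");

     // Request output dump file
     SetStatus(IDA_STATUS_WAITING);
     if ((szFilePath = AskFile(1, "*.txt", "Select output dump file:")) == 0)
     {
         Message("Aborted.");
         SetStatus(IDA_STATUS_READY);
         return;
     }

     if ((hFile = fopen(szFilePath, "wb")) == 0)
     {
         Message("** Error opening \"%s\"! Aborted **\n", szFilePath);
         Warning("Error creating \"%s\"!\n", szFilePath);
         Message("\nDone.\n\n");
         SetStatus(IDA_STATUS_READY);
         return;
     }

     // Create the header
     fprintf(hFile, "// Auto reconstructed from vtable block @ 0x%08X\n// from \"%s\", by ida_vtables.idc\n", pAddress, GetInputFile());

     // Itanium-ABI vtables begin with an offset-to-top field; skip it when
     // it is zero (primary vtable).
     if (Dword(pAddress) == 0)
         pAddress = pAddress + 4;

     pAddress = pAddress + (skipAmt * 4);

     // Loop through the vtable block
     while (pAddress != BADADDR)
     {
         real_addr = Dword(pAddress);

         // A zero slot is the offset-to-top of the *next* vtable, i.e. the
         // end of this one (function slots are never 0: pure virtuals point
         // at a stub).  Without this check the dump runs on into the
         // neighbouring RTTI data and the next class's table.
         if (real_addr == 0)
             break;

         szFuncName = Name(real_addr);
         if (strlen(szFuncName) == 0)
             break;

         szFullName = Demangle(szFuncName, INF_LONG_DN);
         if (trim(szFullName) == "")
             szFullName = szFuncName;

         // A raw "_ZN..." name means GCC demangling is off in IDA; stop and
         // say so, but close the file only once, after the loop (the
         // original fclose()d here and again below).
         if (strstr(szFullName, "_ZN") != -1)
         {
             mangledLeft = 1;
             break;
         }

         // Prefix the name with IDA's guessed return type and calling
         // convention: everything before the "(" of the guessed prototype.
         // strstr() takes a string, so use "(" rather than a char literal.
         fullType = GuessType(real_addr);
         e = strstr(fullType, "(");
         if (e == -1)
             type = fullType;               // no "(": keep whatever was guessed
         else
             type = substr(fullType, 0, e);

         if (strlen(type) == 0)
             functName = szFullName;        // nothing guessed: no leading blank
         else
             functName = sprintf("%s %s", type, szFullName);

         fprintf(hFile, "%d\t%s\n", iIndex, functName);

         pAddress = pAddress + 4;
         iIndex++;
     }

     fclose(hFile);

     if (mangledLeft)
         Warning("You must toggle GCC v3.x demangled names!\n");
     Message("Successfully wrote %d vtable entries.\n", iIndex);

     Message("\nDone.\n\n");
     SetStatus(IDA_STATUS_READY);
 }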
Sample Output: https://pastebin.com/haYKwi3N
 

Lolita1

Alright, so I spent some time messing around with the script and was able to add the return type and calling convention to the function output.
Looks great, thanks for upgrade

// Auto reconstructed from vtable block @ 0x004D4EB0
// from "libengine2.dylib", by ida_vtables.idc
0 __int64 __fastcall CTier2AppSystem<IVEngineClient2,0>::Connect(void * (*)(char const*,int *))
1 __int64 __fastcall CTier2AppSystem<IVEngineClient2,0>::Disconnect(void)
2 __int64 __fastcall CBaseAppSystem<IVEngineClient2>::QueryInterface(char const*)
3 __int64 __fastcall CTier2AppSystem<IVEngineClient2,0>::Init(void)
4 __int64 __fastcall CTier2AppSystem<IVEngineClient2,0>::Shutdown(void)
5 __int64 __fastcall CBaseAppSystem<IVEngineClient2>::preShutdown(void)
6 __int64 __fastcall CBaseAppSystem<IVEngineClient2>::GetDependencies(void)
7 __int64 __fastcall CTier4AppSystem<IVEngineClient2,0>::GetTier(void)
8 CTier2AppSystem<IVEngineClient2,0>::Reconnect(void * (*)(char const*,int *),char const*)
9 __int64 __fastcall CBaseAppSystem<IVEngineClient2>::IsSingleton(void)
10 __int64 __fastcall CBaseAppSystem<IVEngineClient2>::GetBuildType(void)
11 __int64 __fastcall CEngineClient::IsPaused(void)
12 __int64 __fastcall CEngineClient::GetTimescale(void)const
13 _QWORD __cdecl CEngineClient::FindOrCreateWorldSession(char const*,CResourceManifestPrerequisite *)
14 __int64 __fastcall CEngineClient::UpdateAddonSearchPaths(bool,bool,char const*)
15 _QWORD __cdecl CEngineClient::GetEntityLumpForTemplate(char const*,bool,char const*,char const*)
16 __int64 __fastcall CEngineClient::GetStatsAppID(void)const
17 __int64 __fastcall CEngineClient::GetGameClientFactory(void)
18 __int64 __fastcall CEngineClient::ServerCmd(InputCommandSource_t,char const*)
19 __int64 __fastcall CEngineClient::ClientCmd(InputCommandSource_t,char const*)
20 __int64 __fastcall CEngineClient::GetPlayerInfo(CEntityIndex,google::protobuf::Message &)
21 __int64 __fastcall CEngineClient::GetPlayerForUserID(int)
22 __int64 __fastcall CEngineClient::GetLocalPlayer(CSplitScreenSlot)const
23 __int64 __fastcall CEngineClient::GetLastTimeStamp(void)
24 __int64 __fastcall CEngineClient::GetLastServerTick(void)
25 __int64 __fastcall CEngineClient::GetSentence(CAudioSource *)
26 __int64 __fastcall CEngineClient::GetSentenceLength(CAudioSource *)
27 __int64 __fastcall CEngineClient::IsStreaming(CAudioSource *)const
28 __int64 __fastcall CEngineClient::GetMaxClients(void)const
29 __int64 __fastcall CEngineClient::IsInGame(void)
30 __int64 __fastcall CEngineClient::IsConnected(void)const
31 _QWORD CEngineClient::Con_NPrintf(int,char const*,...)
32 __int64 __fastcall CEngineClient::Con_NXPrintf(con_nprint_s const*,char const*,...)
33 __int64 __fastcall CEngineClient::GetNetChannelInfo(CSplitScreenSlot)
34 __int64 __fastcall CEngineClient::IsPlayingDemo(void)
35 __int64 __fastcall CEngineClient::IsRecordingDemo(void)
36 __int64 __fastcall CEngineClient::IsPlayingTimeDemo(void)
37 __int64 __fastcall CEngineClient::ExecuteClientCmd(char const*)
38 __int64 __fastcall CEngineClient::ClientCmd_Unrestricted(char const*)
39 __int64 __fastcall CEngineClient::SetRestrictServerCommands(bool)
40 __int64 __fastcall CEngineClient::SetRestrictClientCommands(bool)
41 __int64 __fastcall CEngineClient::IsLowViolence(void)const
42 __int64 __fastcall CEngineClient::GetSplitScreenPlayer(CSplitScreenSlot)
43 __int64 __fastcall CEngineClient::IsSplitScreenActive(void)
44 __int64 __fastcall CEngineClient::IsValidSplitScreenSlot(CSplitScreenSlot)
45 __int64 __fastcall CEngineClient::FirstValidSplitScreenSlot(void)
46 __int64 __fastcall CEngineClient::NextValidSplitScreenSlot(CSplitScreenSlot)
47 __int64 __fastcall CEngineClient::GetAvailableAsyncThread(void)
48 __int64 __fastcall CEngineClient::GetScreenSize(int &,int &)
49 __int64 __fastcall CEngineClient::IsDrawingLoadingImage(void)
50 __int64 __fastcall CEngineClient::HideLoadingPlaque(void)
51 __int64 __fastcall CEngineClient::GetGameDirectory(void)
52 __int64 __fastcall CEngineClient::GetLevelName(void)
53 __int64 __fastcall CEngineClient::GetLevelNameShort(void)
54 __int64 __fastcall CEngineClient::GetVoiceTweakAPI(void)
55 __int64 __fastcall CEngineClient::EngineStats_BeginFrame(void)
56 __int64 __fastcall CEngineClient::EngineStats_EndFrame(void)
57 __int64 __fastcall CEngineClient::CheckPoint(char const*)
58 __int64 __fastcall CEngineClient::IsDemoPaused(void)
59 __int64 __fastcall CEngineClient::IsDemoSkipping(void)
60 __int64 __fastcall CEngineClient::GetDemoRecordingTick(void)
61 __int64 __fastcall CEngineClient::GetDemoPlaybackTick(void)
62 __int64 __fastcall CEngineClient::GetDemoPlaybackStartTick(void)
63 __int64 __fastcall CEngineClient::GetDemoPlaybackTimeScale(void)
64 __int64 __fastcall CEngineClient::GetDemoPlaybackTotalTicks(void)
65 __int64 __fastcall CEngineClient::GetDemoPlaybackFileName(void)
66 __int64 __fastcall CEngineClient::IsTakingScreenshot(void)
67 __int64 __fastcall CEngineClient::IsHLTV(void)
68 _QWORD __cdecl CEngineClient::GetMainMenuBackgroundName(char *,int)
69 _QWORD __cdecl CEngineClient::GetUILanguage(char *,int)
70 __int64 __fastcall CEngineClient::IsSkyboxVisibleFromPoint(Vector const&)
71 __int64 __fastcall CEngineClient::GetScreenAspectRatio(int,int)
72 __int64 __fastcall CEngineClient::GetEngineBuildNumber(void)
73 __int64 __fastcall CEngineClient::GetProductVersionString(void)
74 __int64 __fastcall CEngineClient::GetBuildVersion(void)const
75 _QWORD __cdecl CEngineClient::SendClientOOBPacket(ns_address const&,void const*,int)
76 __int64 __fastcall CEngineClient::GetAppID(void)
77 __int64 __fastcall CEngineClient::CopyFrameBufferToMaterial(char const*)
78 __int64 __fastcall CEngineClient::ReadConfiguration(CSplitScreenSlot)
79 __int64 __fastcall CEngineClient::SetAchievementMgr(IAchievementMgr *)
80 __int64 __fastcall CEngineClient::GetAchievementMgr(void)
81 __int64 __fastcall CEngineClient::StartXboxExitingProcess(void)
82 __int64 __fastcall CEngineClient::OnStorageDeviceAttached(int)
83 __int64 __fastcall CEngineClient::OnStorageDeviceDetached(int)
84 __int64 __fastcall CEngineClient::WriteScreenshot(char const*)
85 __int64 __fastcall CEngineClient::GetActiveSplitScreenPlayerSlot(void)
86 __int64 __fastcall CEngineClient::SetActiveSplitScreenPlayerSlot(CSplitScreenSlot)
87 __int64 __fastcall CEngineClient::SetLocalPlayerIsResolvable(char const*,int,bool)
88 __int64 __fastcall CEngineClient::IsLocalPlayerResolvable(void)
89 __int64 __fastcall CEngineClient::GetSinglePlayerSharedMemorySpace(char const*,int)
90 __int64 __fastcall CEngineClient::RegisterDemoCustomDataCallback(CUtlSymbolLarge,void (*)(unsigned char *,unsigned long))
91 __int64 __fastcall CEngineClient::RecordDemoCustomData(void (*)(unsigned char *,unsigned long),void const*,unsigned long)
92 __int64 __fastcall CEngineClient::SetPitchScale(float)
93 __int64 __fastcall CEngineClient::GetPitchScale(void)
94 __int64 __fastcall CEngineClient::DSPGetCurrentDASRoomNew(void)
95 __int64 __fastcall CEngineClient::DSPGetCurrentDASRoomChanged(void)
96 __int64 __fastcall CEngineClient::DSPGetCurrentDASRoomSkyAbove(void)
97 __int64 __fastcall CEngineClient::DSPGetCurrentDASRoomSkyPercent(void)
98 __int64 __fastcall CEngineClient::SetMixGroupOfCurrentMixer(char const*,char const*,float,int)
99 __int64 __fastcall CEngineClient::GetMixLayerIndex(char const*)
100 __int64 __fastcall CEngineClient::SetMixLayerLevel(int,float)
101 __int64 __fastcall CEngineClient::IsRecordingVoice(void)
102 __int64 __fastcall CEngineClient::SetTimescale(float)
103 __int64 __fastcall CEngineClient::SetGamestatsData(CGamestatsData *)
104 __int64 __fastcall CEngineClient::GetGamestatsData(void)
105 __int64 __fastcall CEngineClient::UpdateDAndELights(void)
106 __int64 __fastcall CEngineClient::GetBugSubmissionCount(void)const
107 __int64 __fastcall CEngineClient::ClearBugSubmissionCount(void)
108 __int64 __fastcall CEngineClient::GetServerSimulationFrameTime(void)const
109 __int64 __fastcall CEngineClient::GetServerTickTimes(unsigned long long,CUtlVector<IVEngineClient2::ServerTickTime_t,CUtlMemory<IVEngineClient2::ServerTickTime_t,int>> &)const
110 __int64 __fastcall CEngineClient::IsInCommentaryMode(void)
111 __int64 __fastcall CEngineClient::SetBlurFade(float)
112 __int64 __fastcall CEngineClient::IsTransitioningToLoad(void)
113 __int64 __fastcall CEngineClient::SearchPathsChangedAfterInstall(void)
114 _QWORD __cdecl CEngineClient::SetConnectionPassword(char const*)
115 __int64 __fastcall CEngineClient::GetSteamAPIContext(void)
116 __int64 __fastcall CEngineClient::ServerCmdKeyValues(KeyValues *)
117 _QWORD __cdecl CEngineClient::GetStartupImage(char *,int,int,int)
118 _QWORD __cdecl CEngineClient::GetBackgroundMovie(char *,int)
119 _QWORD __cdecl CEngineClient::GetBackgroundMusic(char *,int,bool)
120 __int64 __fastcall CEngineClient::TickProgressBar(void)
121 __int64 __fastcall CEngineClient::GetMainWindow(void)
122 __int64 __fastcall CEngineClient::DrawSelectedPanel(vgui::VPanelHandle)
123 __int64 __fastcall CEngineClient::IsPanelInFocusList(unsigned long long)
124 __int64 __fastcall CEngineClient::IsViewEntity(CEntityIndex)const
125 __int64 __fastcall CEngineClient::GetViewEntity(CSplitScreenSlot)const
126 __int64 __fastcall CEngineClient::TouchLight(dlight_t *)
127 __int64 __fastcall CEngineClient::SetAreaState(unsigned char *,unsigned char *)
128 _QWORD __cdecl CEngineClient::ChangePVSSpawnGroupHandle(unsigned int)
129 __int64 __fastcall CEngineClient::SetDemoTime(float)
130 __int64 __fastcall CEngineClient::FlashWindow(void)
131 __int64 __fastcall CEngineClient::DesktopNotify(char const*,char const*)
132 _QWORD __cdecl CEngineClient::GetDemoGameInfo(google::protobuf::Message &)
133 _QWORD __cdecl CEngineClient::GetDemoFileGameInfo(char const*,google::protobuf::Message &)
134 _QWORD __cdecl CEngineClient::DecompressBZipFile(char const*,char const*)
135 _QWORD __cdecl CEngineClient::UnzipZip(char const*,char const*,char const*,bool,bool,bool)
136 __int64 __fastcall CEngineClient::SOSSetOpvarFloat(char const*,float)
137 __int64 __fastcall CEngineClient::SOSGetOpvarFloat(char const*,float &)
138 __int64 __fastcall CEngineClient::GameLoadFailed(void)const
139 __int64 __fastcall CEngineClient::SetGameLoadFailed(bool)
140 __int64 __fastcall CEngineClient::LoadSpawnGroup(SpawnGroupDesc_t const&)
141 __int64 __fastcall CEngineClient::UnloadSpawnGroup(unsigned int,ESpawnGroupUnloadOption)
142 _QWORD __cdecl CEngineClient::SetSpawnGroupDescription(unsigned int,char const*)
143 _QWORD __cdecl CEngineClient::IsSpawnGroupLoaded(unsigned int)const
144 _QWORD __cdecl CEngineClient::IsSpawnGroupLoading(unsigned int)const
145 _QWORD __cdecl CEngineClient::FindSpawnGroupByName(char const*)
146 _QWORD __cdecl CEngineClient::SynchronouslySpawnGroup(unsigned int)
147 _QWORD __cdecl CEngineClient::SynchronizeAndBlockUntilLoaded(unsigned int)
148 __int64 __fastcall CEngineClient::ForceOpenServerPort(void)
149 __int64 __fastcall CEngineClient::ForceOpenClientDefaultPort(void)
150 _QWORD __cdecl CEngineClient::GetDemoClosestGameSave(int,google::protobuf::Message *)
151 __int64 __fastcall CEngineClient::GetInstantReplayMinTick(void)
152 __int64 __fastcall CEngineClient::GetInstantReplayMaxTick(void)
153 __int64 __fastcall CEngineClient::GetInstantReplayPlaybackDeltaTick(void)
154 __int64 __fastcall CEngineClient::IsClientLocalToActiveServer(void)
155 __int64 __fastcall CEngineClient::postReceivedNetMessage(NetMessageHandle_t__ *,void const*,NetChannelBufType_t)

I tested it by injecting a DLL that calls the engine through the dumped indices, and it all works. Keep in mind the indices are tied to this exact build: a game update can add or reorder virtuals, and calling a stale index executes whatever function now sits in that slot, so re-dump after every update.

C++:
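// Injected-thread entry point: resolves engine2.dll's exported factory,
// asks it for the Source2EngineToClient001 interface and exercises three
// slots of the dumped vtable.  This runs inside the game process, so a
// null interface or a wrong slot index crashes the game rather than a
// test harness -- hence every lookup is checked before use.
//
// The EngineClient wrapper class must be declared before this function
// (the original listing had it afterwards, which does not compile as-is).
// GetModuleHandleSafe() and LogToFile() are project helpers not shown
// here; only their use in the original is assumed.
DWORD WINAPI dwMainThread( LPVOID lpArguments )
{
    (void)lpArguments;

    HMODULE hEngine = GetModuleHandleSafe("engine2.dll");
    if (hEngine == NULL)
    {
        LogToFile("engine2.dll is not loaded");
        return 1;
    }

    EngineFactory = (CreateInterfaceFn)GetProcAddress(hEngine, "CreateInterface");
    if (EngineFactory == NULL)
    {
        LogToFile("CreateInterface export not found in engine2.dll");
        return 1;
    }

    // Second argument is the factory's int* out-parameter (see the
    // Connect() slot in the dump); the original passed NULL and it worked.
    g_pEngine = (EngineClient*)EngineFactory("Source2EngineToClient001", NULL);
    if (g_pEngine == NULL)
    {
        LogToFile("Source2EngineToClient001 not available");
        return 1;
    }

    LogToFile("IsInGame %d", g_pEngine->IsInGame());
    LogToFile("IsConnected %d", g_pEngine->IsConnected());
    g_pEngine->ClientCmd_Unrestricted("sv_cheats 1");

    // The original fell off the end of a DWORD-returning function.
    return 0;
}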

// Caller-side view of the Source2EngineToClient001 interface: no data
// members, every method forwards to a vtable slot by the index taken from
// the dump above. The indices are tied to that specific engine build and
// silently break (calling the wrong function) if the vtable layout changes.
// NOTE(review): the class definition is missing its trailing `;` after the
// closing brace and will not compile as written.
// getvfunc and PVOID are not defined on this page; getvfunc presumably
// returns slot N of this object's vtable cast to the given signature — verify.
// NOTE(review): `__thiscall` with `this` passed explicitly as the first PVOID
// argument is an MSVC x86 convention; the dump above shows `__fastcall` /
// `__cdecl` from the 64-bit build, so confirm the convention matches the
// binary actually targeted.
class EngineClient
{
public:
      //29 __int64 __fastcall CEngineClient::IsInGame(void)
      // Forwards to vtable slot 29; the __int64 result is narrowed to bool.
      bool IsInGame( void )
      {
         typedef bool ( __thiscall* OriginalFn )( PVOID );
         return getvfunc<OriginalFn>( this, 29 )( this );
       }

      //30 __int64 __fastcall CEngineClient::IsConnected(void)const
      // Forwards to vtable slot 30; the __int64 result is narrowed to bool.
      bool IsConnected( void )
      {
         typedef bool ( __thiscall* OriginalFn )( PVOID );
         return getvfunc<OriginalFn>( this, 30 )( this );
      }

     //38 __int64 __fastcall CEngineClient::ClientCmd_Unrestricted(char const*)
     // Forwards to vtable slot 38, passing the command string through unchanged.
     void ClientCmd_Unrestricted( const char* chCommandString )
     {
        typedef void ( __thiscall* OriginalFn )( PVOID, const char * );
        return getvfunc<OriginalFn>(this, 38)(this, chCommandString);
      }
 }
 

Syperus

Yea this is definitely a good dumping tut. I was using this last year when kila58 posted it here.
 

interval

Could anyone provide old versions of the *.dylib files for Dota 2 (before Reborn)? The bad thing is that metamod can't be compiled without the "-m32" version (am I wrong?). So I want to develop a small alternative for x64.
 

tyguy

I have a question: with the interface, can't we call these functions already? Like CEngineClient::IsInGame?

And could someone dump IClientMode? I tried and all I got was a load of purecalls

C++:
// Auto reconstructed from vtable block @ 0x104B75F4
// from "client.dll", by ida_vtables.idc
0	sub_1010B440
1	__purecall
2	__purecall
3	__purecall
4	__purecall
5	__purecall
6	__purecall
7	__purecall
8	__purecall
9	__purecall
10	__purecall
11	__purecall
12	__purecall
13	__purecall
14	__purecall
15	__purecall
16	__purecall
17	__purecall
18	__purecall
19	__purecall
20	__purecall
21	__purecall
22	__purecall
 

mambda

I have a question: with the interface, can't we call these functions already? Like CEngineClient::IsInGame?

And could someone dump IClientMode? I tried and all I got was a load of purecalls

C++:
// Auto reconstructed from vtable block @ 0x104B75F4
// from "client.dll", by ida_vtables.idc
0	sub_1010B440
1	__purecall
2	__purecall
3	__purecall
4	__purecall
5	__purecall
6	__purecall
7	__purecall
8	__purecall
9	__purecall
10	__purecall
11	__purecall
12	__purecall
13	__purecall
14	__purecall
15	__purecall
16	__purecall
17	__purecall
18	__purecall
19	__purecall
20	__purecall
21	__purecall
22	__purecall
You can most definitely call the function directly if you've got it appropriately padded.
 

mambda

Uhh... padded?
i.e. if the function is the 5th function (0-indexed), then functions 0->3 have to be declared before it.

C++:
// Illustrative only: WOW and Kreygasm are placeholder type names and 4Head is
// not a valid identifier, so this does not compile as written. It shows the
// "padding" idea from the post above: with no base class, each virtual
// declaration takes the next vtable slot in declaration order, so pad0..pad3
// occupy slots 0-3 and MoneyShot lands in slot 4.
// NOTE(review): the class is missing its trailing `;`.
class yolo{
virtual void pad0(); // slot 0
virtual void pad1(); // slot 1
virtual void pad2(); // slot 2
virtual void pad3(); // slot 3
virtual WOW MoneyShot(Kreygasm 4Head); // slot 4 — the one the caller wants
}

// Treats a raw address as an object of the padded class and calls through
// its vtable; `address` and `Broihon` are placeholders not declared here.
yolo * yolowwwww = address;
yolowwwww->MoneyShot( Broihon );
 

tyguy

i.e if the function is the 5th function ( 0 indexed ), then you have functions 0->3 there.

C++:
// Illustrative only: WOW and Kreygasm are placeholder type names and 4Head is
// not a valid identifier, so this does not compile as written. It shows the
// "padding" idea from the post above: with no base class, each virtual
// declaration takes the next vtable slot in declaration order, so pad0..pad3
// occupy slots 0-3 and MoneyShot lands in slot 4.
// NOTE(review): the class is missing its trailing `;`.
class yolo{
virtual void pad0(); // slot 0
virtual void pad1(); // slot 1
virtual void pad2(); // slot 2
virtual void pad3(); // slot 3
virtual WOW MoneyShot(Kreygasm 4Head); // slot 4 — the one the caller wants
}

// Treats a raw address as an object of the padded class and calls through
// its vtable; `address` and `Broihon` are placeholders not declared here.
yolo * yolowwwww = address;
yolowwwww->MoneyShot( Broihon );
Thanks! How do I call IClientMode like that though?
 