Location of _sphere.mdl, _cube.mdl and _shadow.dds

Posted By: oliver2s

Location of _sphere.mdl, _cube.mdl and _shadow.dds - 01/16/14 13:51

Where can I find these default files?

Code:
#define SPHERE_MDL "_sphere.mdl"
#define CUBE_MDL "_cube.mdl"
#define SHADOW_DDS "_shadow.dds"



I ask this because if I call "add_new()" these files aren't found anymore. So I want to add the path or resource they're located in again.
Posted By: LemmyTheSlayer

Re: Location of _sphere.mdl, _cube.mdl and _shadow.dds - 01/16/14 14:44

i think they are hardcoded as char[] in the acknex.dll and loaded at startup with add_buffer. that's why they disappear when calling add_new
(see http://conitec.net/beta/aadd_buffer.htm)

so unless you know the exact location of these buffers in the acknex.dll, you will have difficulties using them.
Posted By: Ch40zzC0d3r

Re: Location of _sphere.mdl, _cube.mdl and _shadow.dds - 01/16/14 14:54

Well, load up acknex.dll in ollydbg, search for one of the strings.
Add a memory/hardware breakpoint on access and call your ent_create or whatever.
After the execution it will break after or in the call, now read the pointer to the buffer (mind the reversed order of parameters in asm) and there are your bytes.
If I find a lil time I could check this for you too
Posted By: WretchedSid

Re: Location of _sphere.mdl, _cube.mdl and _shadow.dds - 01/16/14 16:11

The strings don't appear in the binary...
Posted By: LemmyTheSlayer

Re: Location of _sphere.mdl, _cube.mdl and _shadow.dds - 01/16/14 16:24

they do
https://mediacru.sh/ZV4JGCt1d0dx.png
Posted By: oliver2s

Re: Location of _sphere.mdl, _cube.mdl and _shadow.dds - 01/16/14 16:29

So how can I add the buffers again?
Posted By: Ch40zzC0d3r

Re: Location of _sphere.mdl, _cube.mdl and _shadow.dds - 01/16/14 16:43

@JustSid sure they do, they are just not signed or flagged as official strings in olly/ida, do a simple binary search for ascii
Sorry, I won't have much time today, probably tomorrow..
Posted By: WretchedSid

Re: Location of _sphere.mdl, _cube.mdl and _shadow.dds - 01/16/14 16:45

Originally Posted By: LemmyTheSlayer

Can you give me the offset? I can't find it for the life of me, and from the disassembly of ent_create() it looks a lot like it only takes ASCII strings, not Unicode (and yeah, "strings acknex.dll | grep cube.mdl" doesn't show anything)

I have one instance of shadow.dds, and it looks like this (note: No cube.mdl to be found):
http://cl.widerwille.com/TOlT
Posted By: Ch40zzC0d3r

Re: Location of _sphere.mdl, _cube.mdl and _shadow.dds - 01/16/14 16:51

Location for shadow and cube:



Offset: 101F052A - 101EA000 = 652A
Posted By: WretchedSid

Re: Location of _sphere.mdl, _cube.mdl and _shadow.dds - 01/16/14 16:59

Ouh... Well, that explains why it doesn't show up in the strings section, and has this weird non-printable character in it... There is a WRS embedded in the acknex.dll which includes these files.

Which also answers Oliver's question.
Posted By: oliver2s

Re: Location of _sphere.mdl, _cube.mdl and _shadow.dds - 01/16/14 17:04

Originally Posted By: JustSid
Which also answers Oliver's question.


Not really. Still don't know how to add these files as buffers.
Posted By: LemmyTheSlayer

Re: Location of _sphere.mdl, _cube.mdl and _shadow.dds - 01/16/14 17:14

the mdl7 sdk revealed three models in the file (MDL7's magic number is "MDL7").
it would be possible to extract them from the dll.
another way would be to serialize it to disk at runtime using the ent.model pointer.
Posted By: WretchedSid

Re: Location of _sphere.mdl, _cube.mdl and _shadow.dds - 01/16/14 17:15

Okay, so, the engine does the following in engine_open() to load the WRS:

Code:
10046563 A154031F10                      mov        eax, dword [ds:0x101f0354]
10046568 50                              push       eax
10046569 E822C1FEFF                      call       sub_10032690
1004656e 83C404                          add        esp, 0x4



0x101f0354 is the address which contains the address to the WRS section inside the acknex.dll. It's akin to the following C code:

Code:
sub_10032690(*(char **)(0x101f0354));



sub_10032690() is also called by add_resource(), and it appears to first do some processing/sanity checks on the string and then call into sub_10032690(), so it's fair to assume that simply pumping anything that looks like a WRS into add_resource() will do the trick.

Ideally you would want to get the address to the WRS, hardcoding is meh because dlls change and that would break your stuff and ugh... Well, the symbol isn't exported, so no way. However, WRS has a header, the ASCII string "WRS3".

Sooo, to wrap it all up:
Load the acknex.dll into a buffer, search for the ASCII string "WRS3" (which exists twice, so you probably want to load both(?!)), and then pass the location where you found it into add_resource(). Tada, you are done.

Ideally, you look for the header at startup, store all locations, and then use the cached value, instead of looking for it over and over again.

Edit: You may be able to speed it up by starting your search around the offsets where the WRS files currently are, and only if you can't find it there (+/- 200 bytes or so), search through the whole file.
Posted By: Ch40zzC0d3r

Re: Location of _sphere.mdl, _cube.mdl and _shadow.dds - 01/16/14 17:24

You don't need a fixpoint to find addresses on new files.
Do a signature scan (scans for a known/unknown byte sequence) and you will find it in every dll
However, what sid wrote is right, but the section is not loading a WRS file from the directory (I extracted them and there's no _cube.mdl and so on) so I think the buffer might be hardcoded. If you really need those things, you can click them together in MED too xD
Posted By: WretchedSid

Re: Location of _sphere.mdl, _cube.mdl and _shadow.dds - 01/16/14 17:36

Originally Posted By: Ch40zzC0d3r
However, what sid wrote is right, but the section is not loading a WRS file from the directory

Which one? The one I pasted from engine_open()? It does...

However, I just noticed, the first instance of WRS3 is just a normal string... So, if you find an occurrence of WRS3 followed by a null character... That's not an actual WRS but a string. The real WRS3 (of which there only exists one) starts with WRS3 followed by some non-ASCII characters.
Posted By: Ch40zzC0d3r

Re: Location of _sphere.mdl, _cube.mdl and _shadow.dds - 01/16/14 17:40

What's the name of the WRS?
I found 2 in GS folder and extracted both, but there were no debug mdls.
Posted By: oliver2s

Re: Location of _sphere.mdl, _cube.mdl and _shadow.dds - 01/16/14 17:42

Originally Posted By: Ch40zzC0d3r
If you really need those things, you can click them together in MED too xD


Yes, I've wanted to avoid this. But it seems there's no other way than to create my own cube, sphere and shadow.
Posted By: WretchedSid

Re: Location of _sphere.mdl, _cube.mdl and _shadow.dds - 01/16/14 17:43

It's in the acknex.dll at offset 0x101f04dc.

That's why I'm saying, open the acknex.dll and search for the WRS header, then just throw that location at add_resource().

Edit: Uh? I explained how you get the resource to load and the default files back. You don't need to click them together in MED.
Posted By: oliver2s

Re: Location of _sphere.mdl, _cube.mdl and _shadow.dds - 01/16/14 17:45

Originally Posted By: JustSid
It's in the acknex.dll at offset 0x101f04dc


But this seems not to be a good solution. The offset might change in future updates.
Posted By: WretchedSid

Re: Location of _sphere.mdl, _cube.mdl and _shadow.dds - 01/16/14 17:52

Yes... That's why I wrote that you should search for the WRS header...

Here is a quick and untested implementation:
Code:
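char *_acknex_dll  = NULL;
char *_default_wrs = NULL;

void reload_defaultWRS()
{
	if(!_acknex_dll)
	{
		// Read the acknex.dll in
		FILE *file = fopen(_chr(str_printf(NULL, "%s\\%s", _chr(exe_dir), "acknex.dll")), "rb");
		if(!file)
		{
			error("Couldn't open acknex.dll!");
			return;
		}

		fseek(file, 0, SEEK_END);
		long length = ftell(file);
		fseek(file, 0, SEEK_SET);

		// One extra byte for a terminating 0, so strstr()/strlen() can never run past the buffer
		_acknex_dll = malloc(length + 1);
		fread(_acknex_dll, length, 1, file);
		fclose(file);
		_acknex_dll[length] = '\0';

		// Look for the WRS resource
		// The dll is binary data full of 0 bytes and strstr() stops at each of them,
		// so continue right behind the 0 byte until the end of the buffer is reached
		char *temp = _acknex_dll;
		char *end  = _acknex_dll + length;
		while(temp < end)
		{
			char *found = strstr(temp, "WRS3");
			if(!found)
			{
				temp += strlen(temp) + 1;
				continue;
			}

			if(found[4] == '\0') // strings in the string section are terminated with a 0 byte, so if there is one, this isn't the WRS we are looking for
			{
				temp = found + 4;
				continue;
			}

			_default_wrs = found;
			break;
		}
	}

	if(!_default_wrs)
	{
		error("Couldn't find default WRS!");
		return;
	}

	add_resource(_default_wrs);
}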



Edit: Dunno if Lite-C has strstr() or not... If it doesn't, here is an implementation:
Code:
char *strstr(char *str1, const char *str2)
{
	size_t length = strlen(str2);
	size_t index;
	
	for(; *str1 != '\0'; str1++)
	{
		// Compare str2 against every start position, so that a failed
		// partial match (like "WWRS3") can't skip over a real one
		for(index = 0; index < length; index++)
		{
			if(str1[index] != str2[index]) // also stops at the terminating 0 of str1
				break;
		}
		
		if(index == length)
			return str1;
	}
	
	return NULL;
}

Posted By: Ch40zzC0d3r

Re: Location of _sphere.mdl, _cube.mdl and _shadow.dds - 01/16/14 17:54

Well I thought it's loading a "real" WRS from the directory into a buffer located @ this offset, but the file is hardcoded there <_<
Here are 2 functions for a byte signature:
Code:
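#include <windows.h>
#include <cstring>

// Returns true if the bytes at pData match bMask at every position marked 'x' in szMask
bool CMisc::bDataCompare(const BYTE *pData, const BYTE *bMask, const char *szMask)
{
    for(; *szMask; ++szMask, ++pData, ++bMask)
    {
        if(*szMask == 'x' && *pData != *bMask)
        {
            return false;
        }
    }

    return (*szMask) == '\0';
}

// Scans dwLen bytes starting at dwAddress, returns the address of the first match or 0
DWORD CMisc::FindPattern(DWORD dwAddress, DWORD dwLen, BYTE *bMask, char *szMask)
{
    DWORD dwMaskLen = (DWORD)strlen(szMask);
    if(dwMaskLen == 0 || dwMaskLen > dwLen)
    {
        return 0;
    }

    // Stop early enough that the compare never reads past dwAddress + dwLen
    for(DWORD i=0; i <= dwLen - dwMaskLen; i++)
    {
        if(bDataCompare((BYTE*)(dwAddress + i), bMask, szMask) )
        {
            return (DWORD)(dwAddress + i);
        }
    }

    return 0;
}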



Use:
Code:
FindPattern(0xEntryPoint, 0xSizeOfScan, (BYTE*)"\xFF\xFF\xFF\x00\x00\xFF\x00", "xxx??x?");



x = known byte
? = unknown byte (could change after an update etc.)
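
An added example (not code from any poster in this thread): a length-bounded C version of the masked signature scan above, combined with the rule from earlier in the thread that "WRS3" followed by a 0 byte is only a string and not the embedded WRS. The buffer is a constructed sample, and `find_pattern`, `find_wrs_header` and `SAMPLE` are names chosen for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Masked compare: 'x' = byte must match, '?' = any byte. */
static int sig_match(const unsigned char *p, const unsigned char *sig, const char *mask)
{
    for (; *mask; ++mask, ++p, ++sig)
        if (*mask == 'x' && *p != *sig)
            return 0;
    return 1;
}

/* Offset of the first match at or after `from`, or -1. Never reads past buf + len. */
long find_pattern(const unsigned char *buf, size_t len, size_t from,
                  const unsigned char *sig, const char *mask)
{
    size_t n = strlen(mask);
    if (n == 0 || n > len)
        return -1;
    for (size_t i = from; i <= len - n; ++i)
        if (sig_match(buf + i, sig, mask))
            return (long)i;
    return -1;
}

/* "WRS3" + 0 byte is the plain string; the embedded resource has a non-zero byte there. */
long find_wrs_header(const unsigned char *buf, size_t len)
{
    static const unsigned char sig[] = { 'W', 'R', 'S', '3', 0 };
    long off = 0;
    while ((off = find_pattern(buf, len, (size_t)off, sig, "xxxx?")) >= 0) {
        if (buf[off + 4] != 0)
            return off;
        off += 4;               /* skip the string and keep scanning */
    }
    return -1;
}

/* Constructed sample, not bytes from acknex.dll: a string decoy, then a header-like match. */
static const unsigned char SAMPLE[] = {
    'M', 'Z', 0x90, 0x00, 'W', 'W', 'R', 'S', '3', 0x00, 0x00, 0x01,
    'W', 'R', 'S', '3', 0x8F, 0x02, 0x00, 0x00, '_', 'c', 'u', 'b', 'e'
};

int main(void)
{
    printf("header at %ld\n", find_wrs_header(SAMPLE, sizeof SAMPLE));
    return 0;
}
```

The five-byte mask `xxxx?` guarantees the byte after the magic is inside the buffer before it is inspected, so a "WRS3" at the very end of the data is never dereferenced past its last byte.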
Posted By: oliver2s

Re: Location of _sphere.mdl, _cube.mdl and _shadow.dds - 01/16/14 18:01

Thank you both for your effort. But this really seems to be too much code to get a small cube. I was hoping for a better solution (2-3 lines of code).
Posted By: WretchedSid

Re: Location of _sphere.mdl, _cube.mdl and _shadow.dds - 01/16/14 18:04

Ask for the symbol that contains the address to the WRS section to be exported. And then hope for an update that contains it within our lifetime

In the meantime, this is probably the best you can do other than dumping the WRS itself from the dll and then putting it in its own file (which isn't future compatible either).
Posted By: FBL

Re: Location of _sphere.mdl, _cube.mdl and _shadow.dds - 01/16/14 18:06

..or create a sphere mdl in MED
Posted By: WretchedSid

Re: Location of _sphere.mdl, _cube.mdl and _shadow.dds - 01/16/14 18:10

I thought the premise was that that was equally ugly and to be avoided? Also, where would be the fun in that?
Posted By: jcl

Re: Location of _sphere.mdl, _cube.mdl and _shadow.dds - 01/16/14 18:22

If someone wants to get the models in a somewhat easier way, here they are:

http://server.conitec.net/down/cube.zip
Posted By: Ch40zzC0d3r

Re: Location of _sphere.mdl, _cube.mdl and _shadow.dds - 01/16/14 18:26

Haha thank you