Finding Output Stream for Source Engine Developer Console

vertigo103

#1
So I've looked at a few tutorials and done some searching but haven't been able to find anything specific to my issue.

Basically, I'm trying to find a static address pointer within the Source Engine (Counter-Strike, TF2, GMod, etc.) that points to, or at least helps me find, the "output" stream for all of the information that gets printed to the Developer Console in game.


Here is what I tested:




Strings found:



After sending another line:
(appears on the same line because I edited the previous string, which messed up the newline character, I guess)



How the other addresses changed:




---

Previously I was able to find a somewhat contiguous region where it was writing things, but the area seems to jump around when sending new commands.


When I was able to "see what writes to this" or what "accesses" this, I ran into assembler commands where I didn't know how to get the value of certain parts.

How do I get the value of registers like this:



TL;DR

I'm not sure how to deal with this situation because the region where the information is stored changes so much.

It's not as simple as changing how much ammo a player has since you can't directly edit any lines in console to see what accesses them.

Any suggestions on ways to approach this?

I understand that there may not be a fully contiguous region that the engine always writes to, so I guess I just need to find what is doing the writing, but I'm not sure how to do that.

Thanks
 

seikur0

#2
bp is just the lower 2 bytes of ebp, so in that case 6B->"k".

You shouldn't bother with these low level string duplication functions, try setting a breakpoint on data write and from there find the calling function/trace back the pointer/create one with aob.
 

vertigo103

#3
seikur0 said:
bp is just the lower 2 bytes of ebp, so in that case 6B->"k".

You shouldn't bother with these low level string duplication functions, try setting a breakpoint on data write and from there find the calling function/trace back the pointer/create one with aob.

(Finally had some time to get back to this.)

Ok, so I've been messing with Break Points / Break and Trace - my issue right now is that I'm not exactly sure what I'm looking for.

I'm at a point where I can consistently test the same address though - to see what writes to it.

Steps
> Clear the in-game console
> Write a New command <--- Goes to the same address as previous command
> Repeat


Memory View:




So from there I've created a breakpoint which shows the instruction that writes to the address.

In this image, the instruction moves the letter M into the address:



After doing a break point and stepping through the "move" sequence a couple times, it's clear that it goes through 100 or 200 instructions between each character that gets copied to the address.

So I'm assuming that at some point the character is Copied from somewhere into the register that is being used in the Copy instruction.

Here's my problem

I'm not totally sure how to trace the character back to the source, or back to a static address that I can use to find it at any time.

Right now I'm trying to use the Break and Trace option - but I'm not familiar enough with it, so I'm looking for some guidance on what I should look for to find the calling function or pointer that I need.


Here is what the Break and Trace looks like for when I wrote "a4" to the console address:




From what I read on the wiki page, it seems like it could be useful. I'm just not sure what to look for.

Do ALL the instructions shown in the Break and Trace somehow relate to the address that I created the break on? (cause there are a ton - probably because I had it set to 1000)

Anyway - thanks for any help! :D
 

vertigo103

#4
Thank you very much, appreciate the help - I will read through this and test when I get a chance.

Thanks again! :D
 