As you can see, Engine error: Could not load library client error can create some trouble, but in most cases, you can fix it by downloading Download Microsoft Visual C++ 2010 Service Pack 1 Redistributable files.
Could Not Get Clientdll Interface From Library Client Tf2
After getting that simple client and server set up for Frida, I created a Typescript library which allowed me to interface with the Source Engine more easily. Those familiar with game engines know that very often the engine objects take advantage of C++ polymorphism which expose their functionality through virtual functions. So, in order to work with these objects from Frida, I had to write some vtable wrapper helpers that allowed me to convert native pointer values into actual Typescript objects to call functions on.
The best part of Frida is really its hooking interface, Interceptor. You can hook native functions directly from within Frida, and it handles the entire process of running the Typescript hooks and marshalling arguments to and from the JS engine. This is the primary way you use Frida to introspect, and it worked great for hooking parts of the engine just to see the values of arguments and return values while executing normally.
I quickly learned that the Source engine tooling I had made could also be injected into both a client (hl2.exe) and a server (srcds.exe) at the same time, without any real modification. Therefore, I could write a single PoC that instrumented both the client and server to prove the bug. The server would generate and send some network packets and the client would be hooked to see how it accepted the input. This dual-scripting environment allowed me to instrument practically all of the logic and communication I needed to ensure the prospective bugs I discovered were fully functional and unpatched.
Only one of these values had a lower WORD offset that made sense (0xE4) therefore it was easily selectable from the list of DWORDS. After leaking this pointer, I traced it back in IDA to a return location for the upper stack frame of this function, which makes total sense. I gave it a label Engine_Leak2 in IDA, which could be loaded directly from my ret-sync connection to dynamically calculate the proper base address of the engine.dll module:
The server executes RequestFile to request the test.txt file from the pakfile. The client builds fragments for the new file and begins sending 0x100 sized fragments to the server, leaking stack contents. Inside the stack contents is a leaked stack frame return address from a previous call to bf_read::ReadBytes. By doing some calculations on the server, this achieves a full ASLR protection bypass on the client.
The malicious server calculates the base of engine.dll on the client instance using the leaked pointer. This allows the server to now build a pointer value in the exploit payload to anywhere within engine.dll. Without this infoleak bug, the payload could not be built because the attacker does not know the location of any module due to ASLR.
The server script builds a fake vtable pointer on the target client instance by replicating a ConVar onto the client. This is used to build a fake vtable on the client with a pointer to the fake vtable in a known location (the global ConVar). The PoC replicates the fake vtable onto sv_mumble_positionalaudio which is a replicated ConVar inside of client.dll. The location of the contents of this replicated ConVar can be calculated from sv_mumble_positionalaudio->m_pszString and is used for later exploitation steps.
In Lost Coast, I didn't edit client and server libraries from the beginning, and didn't include them before because of that.In portal I copied the whole "bin" folder with engine dll and etc. This one was used for other versions of the mod.
DLL:In most cases, a DLL file is a library. There are a couple of types of libraries, dynamic and static - read about the difference. DLL stands for dynamic link library which tells us that it's a part of the program but not the whole thing. It's made of reusable software components (library) which you could use for more than a single program. Bear in mind that it's always possible to use the library source code in many applications using copy-paste, but the idea of a DLL/Static Library is that you could update the code of a library and at the same time update all the applications using it - without compiling.
What sakthivignesh says can be true in that one .exe can use another as if it were a library, and this is done (for example) with some COM components. In this case, the "slave" .exe is a separate program (strictly speaking, a separate process - perhaps running on a separate machine), but one that accepts and handles requests from other programs/components/whatever.
One solution, that isn't too complicated, is to create and load a shared library that changes memory inside the game, making our game client think we have items that we don't really own. It's a client-side modification so only you'll see the changes but it'll work on any server. It's a little sketchy though, manipulating the game like this runs the risk of a Valve Anti-Cheat ban. That's one of the reasons we're doing it on Linux though, where the anti-cheat is much weaker.
In the Source Engine, networked entities (players, weapons, physics props, ...) contain variables, such as health and position that are replicated from the server to clients. All of these entities can be accessed programatically from the entity list in the form of a class, usually deriving from C_BaseEntity.
Our shared library will be loosely based off my Chameleon project. The concepts are the same, but to keep thing simple we won't include the view model hook or the kill icon event listener hook. For now we'll only be implementing the skin changer. When the library is loaded into the game it will automatically call the function with the constructor attribute which will retrieve a few game interfaces and hook a certain function that is called on every frame.
Alright, now we can call client_factory and get some interfaces from the client_client.so library. The arguments for CreateInterface are an interface version string and a return code pointer. We don't need to use the return code pointer but the interface versions are important. If we search through the Source SDK 2013 code for long enough we'll find a few lines like these.
No, wait! We can't be sure that this interface version hasn't changed. The Source SDK 2013 repository is a great reference but we can't blindly copy from it and expect everything to work. Instead, use strings on the file in question to get interface versions. You only need to know the initial characters - in this case 'VClient'.
Well.. actually it's not that easy. The above screenshot is from the Mac OS X libraries which, until around April 2015, included all symbols which made reversing a lot easier. Unfortunately, they're long gone now but if you manage to find a copy of them they're still useful as a general guide. If we take a look at the disassembly of CHLClient::FrameStageNotify we can see quite a few string references used by the game's performance profiling functions. We can use these strings as a convenient reference to find the same function in the current client_client.so Linux library.
We need two more interfaces before we can do anything. Specifically, the entity list and engine client. IClientEntityList allows us to find a pointer to any entity from its index, while IVEngineClient has a function that returns the index of our player entity.
When setting up a GitHub Repo it might seem easy to just upload everything, however this method has the potential for mistakes that could lead to trouble later on, it is recommended to use a Git client or to get comfortable with the Git command line. The following instructions will use the Git Command Line and as such they assume you already have it installed and that you have created a repository. 2ff7e9595c
Comments