Where can I find a pointer to appSystemFactory? I map the module into the memory of the hl2.exe process, and the pointer is different on each startup :)

I know I can hook Init in client.dll, but I want to create a panel, without hooking anything, and I need appSystemFactory for VGui_InitInterfacesList.

You can probaly sigscan for it too, but I am not really sure on how to find the signatures and such.

Hopefully someone can help, thanks :)

Example of the address during 3 startups:

appSystemFactory: 0x111BEDB0
appSystemFactory: 0x10BAEDB0
appSystemFactory: 0x10F5EDB0

You could sigscan for Init like this:

( I didnt do this so credits to aVitamin )



szClientDLL_InitSig = "\xA1\x04\x62\x53\x20\x8B\x0D\x34\x4C\x37\x20\x8B\x11\x83\xC4\x04\x68\x 60\x6E\x36\x20\x50\x50\xFF\x12";
szClientDLL_InitMask = "x????xx????xxxxxx????xxxx";
dwClientDLL_Init = m_pMemory->dwFindPattern( ((DWORD)GetModuleHandle("engine.dll") + 0x24080), 0x005EF000, (PBYTE)szClientDLL_InitSig, szClientDLL_InitMask );
if( dwClientDLL_Init )
{
CreateInterfaceFn appSystemFactory = (CreateInterfaceFn)*(DWORD*)*(DWORD*)(dwClientDLL_Init + 0x1);

Thanks alot, but where would I obtain the signature? I would love to understand it.

Thanks alot, but where would I obtain the signature? I would love to understand it.

You're welcome :p
Attach Olly to CSS, open engine.dll, search for all referenced text strings, find string "g_ClientDLL" and profit.

When I look in Ollydbg, what would I get to pass to the sigscan?

Currently I found this:

2002508D PUSH engine.202E60F4 "g_ClientDLL->Init"

Then I look in the hex dump:

0002508D 68 F4 60 2E 20

Im not really sure if what I am doing is right, shouldn't that hex dump be equal to the signature you posted?

Short answer: No.


Long answer: You can't scan for something you don't know. (IE the address of g_ClientDLL->Init)


Less cryptic:
You're supposed to scan for bytes you know (like the opcodes) and ignoring bytes you don't know (the address of g_ClientDLL->Init). Conventionally one does that by using a mask where x represents stuff to match and ? stuff to ignore.

I thought you could just GetProcAddress for some function, and then call it with a specific string, and it will return the factories.

Sorry I can't remember the names, ill take a look at home.

I thought you could just GetProcAddress for some function, and then call it with a specific string, and it will return the factories.

Sorry I can't remember the names, ill take a look at home.

Yes but AppSystemFactory is like a factory that can return almost all interfaces except the ones from client.dll...

Thanks for the help, I got it working :)