Results 1 to 3 of 3
  1. #1
    SirKinky's Avatar
    Join Date
    Aug 2011
    Gender
    male
    Posts
    191
    Reputation
    5
    Thanks
    14

    Vtable hooking/Vmt hooking

    What's good, it's @Lehsyrus again with some new shit for you. This tutorial is leeched. This is to go together along with the A.V.A SDK I put in the source code section. As I said, this is LEECHED. Credits are all to EddyK from another site that no one needs to ever care about because MPGH is sexy.

    ------------------------------
    ----Vtable/Vmt hooking---
    ------------------------------

    Lately I've been learning about Vtable/VMT hooking and I've been trying to get it working for a hack in APB (UE3). I haven't completely figured it out yet, but I decided to compile what I learn into a tutorial, to help others get started.

    Now I see you wondering: Why make a tutorial when you don't fully understand what you are doing yet? Personally I think this is a perfect time to write a tutorial, because being new to vtable hooking, I can more easily understand the problems newbies will run into. See it as a tutorial written by a newbie for newbies. I am also hoping that more experienced members will correct me if I post any wrong or misleading information.

    For now, just a short textual introduction to VMTs, but eventually I want this to be a full tutorial with code examples and pictures

    What is a VMT/Vtable?

    Whenever a class defines a virtual function (or method), most compilers add a hidden member variable to the class which points to a so called virtual method table (VMT or Vtable). This VMT is basically an array of pointers to (virtual) functions. At runtime these pointers will be set to point to the right function, because at compile time, it is not yet known if the base function is to be called or a derived one implemented by a class that inherits from the base class.

    How do we use a VMT to hook?

    There are two ways to use a VMT to hook a function.

    In the first we simply replace one of the function pointers in the VMT with one of our own, pointing to a function we want to hook (obviously this needs to have the same signature as the original for proper execution of the program). Note that with this option, all instances of a class (objects) that point to the same virtual table will be affected.

    The second option is to copy (or make a new) VMT and set the VMT pointer of an object to our VMT. Obiously we need to have a valid table here, or bad things will happen. So we will need to make sure the new VMT is the same size and points to similar functions. With this option, only the specific instance of a class will be affected.

    To make sure the program resumes properly after we complete our hooked code, we call the original function at the end of the hooked function. This means we need to make sure we store a pointer to the original function!

    How to get a pointer to a VMT?

    In C++ the place where the pointer is stored in a class is compiler dependant. But the MS visual C++ compiler always stores it as the first member or in the first 4 bytes (the size of a pointer) of the class. Now note that this is always a hidden member, so we need to copy the memory of the first 4 bytes of the class into a pointer variable and then we have the pointer to the VMT.

    Hooking the unreal engine

    Now onto some examples of how to hook into the unreal engine using vtables. I will be using the vmthooks library written by Casual_Hacker over at ************* to abstract the whole hooking process. If you wish to adapt your own feel free to do so.

    You will also need an SDK for the game you are hacking (uNrEaL has released alot for the unreal engine).

    First we would create a new DLL. The OnAttach function is what will be called when you inject your DLL into the game.

    Code:
    BOOL WINAPI DllMain ( HMODULE hModule, DWORD dwReason, LPVOID lpReserved )
    {
        if ( dwReason == DLL_PROCESS_ATTACH )    
            OnAttach ();
        
        return TRUE;
    }
    Basic stuff really. Then we will need to declare some global variables and includes that we will be using later one. You can do this in a separate header if you like, or not.

    Code:
    #pragma once //Header guard
    #include <windows.h> // duh
    #include "vmthooks.h" //vmt hooking class
    #include "SDKheaders.h" //SDK headers
    
    toolkit::VMTHook* hook; //Pointer to the VMTHook class
    typedef void (__stdcall *ProcessEvent ) ( UFunction*, void*, void* ); //typedef for the processevent function pointer
    ProcessEvent pProcessEvent = NULL; //pointer to original processevent
    UFunction *pUFunc                        = NULL; //pointers to processevent arguements
    void      *pParms                        = NULL;
    void      *pResult                        = NULL;
    If you aren't sure what these will be used for, I will get to that later. Next you will need to start by implementing the OnAttach function and the first thing you need to do is find an instance of the object you want to hook. Good classes to hook for the unreal engine are the "HUD class", the "Viewport class" and the "PlayerController". In my example I'll be hooking the viewport class, as it allows engine drawing in postrender.

    Code:
    UObject* viewport = getViewport(); //get a pointer to the viewport
        hook = new toolkit::VMTHook(viewport); //hook object
        pProcessEvent = hook->GetMethod<tProcessEvent>(60); //save the orginal funtion in global variable
        hook->HookMethod(&ProcessEventHooked, 60); //replace the orginal function with the hooked function
    I'll leave it up to you to find the viewport, it shouldn't be hard and there are many ways to do it. (tip: use the object dump (GObjects). Next we hook the object using the VMThook class. This will allow you to manipulate teh vtable. Make sure you store a pointer to the old pProcesEvent. Its at index 60 for APB, not sure about other unreal games.

    Then proceed by replacing the Vtable with a copy( Don't modify the orginal or your hack will be much easier to detect) and now replace the pointer at the proper index with a pointer to your own hooked function, which we still need to make.

    Code:
    void __declspec(naked) ProcessEventHooked ()
    {
    
        __asm mov pCallObject, ecx; //get caller from ecx register and save it in pCallObject
    
        __asm
        {
            push eax
            mov eax, dword ptr [esp + 0x8]
            mov pUFunc, eax
            mov eax, dword ptr [esp + 0xC]
            mov pParms, eax
            mov eax, dword ptr [esp + 0x10]
            mov pResult, eax
            pop eax        
        } // Manually get the proper parameters for the function
    
        __asm pushad //Save registers on stack   
        //Do stuff here!
        __asm popad //restore registers from stack
        __asm
        {
            push pResult
            push pParms
            push pUFunc
            call pProcessEvent
    
            retn 0xC
        } //put parameters on stack and call the orginal function
    
    }
    This is an empty template for the a hooked processevent function (thanks lowHertz!). I'll try to explain briefly what goes on here (as far as my understanding of it goes).

    __declspec(naked) is a calling convention that basicly leaves it to the programmer to prepare and clean the stack for the function. Don't ask me for details, I basicly c&p this from lowHertz :P.

    With the first line we take a pointer from the ECX register, this pointer points to the object that called the function. Since in my method we already have a pointer to the correct object this is not really necessary.

    The block that follows is asm for putting the arguments (that the orginal function got called with) into the global variables you declared earlier. You also need these to call the orginal function later.

    pushad saves the registers on the stack. So now you can execute whatever code you want and afterwards it restores the registers to their orginal state by popping them off the stack with popad.

    The last bit pushes the arguments onto the stack and calls the orginal function, which you stored earlier. If all is well then the orginal function executes properly and the game resumes as it would usually.

  2. The Following User Says Thank You to SirKinky For This Useful Post:

    kssiobr (11-10-2013)

  3. #2
    [I]Tfrix's Avatar
    Join Date
    Sep 2011
    Gender
    male
    Location
    In My Room
    Posts
    213
    Reputation
    10
    Thanks
    99
    My Mood
    Fine
    nice tut, but are Vtable hooking steal undetected?

  4. #3
    ☬Ξη†τσρîζ Ζσ♍βîε δτσηε☬
    Former Staff
    Premium Member
    Lehsyrus's Avatar
    Join Date
    Aug 2009
    Gender
    male
    Location
    Jersey
    Posts
    10,899
    Reputation
    1281
    Thanks
    3,064
    Quote Originally Posted by [I]Tfrix View Post
    nice tut, but are Vtable hooking steal undetected?
    To be honest I have no idea, I realized that APB and A.V.A both use UE3 and saw some talk on another site that it was still possible, but this was a few months prior. It might still work, I'm not that in-depth into programming yet to be honest

Similar Threads

  1. [Release] Vtable hook source
    By nitega in forum All Points Bulletin Reloaded Hacks
    Replies: 26
    Last Post: 10-06-2011, 10:24 AM
  2. [CODE]VTable hooking
    By Hell_Demon in forum C++/C Programming
    Replies: 4
    Last Post: 10-31-2010, 02:49 PM
  3. CA D3D VMT Hook with HS bypass
    By FPSH4X0R in forum Combat Arms Hack Coding / Programming / Source Code
    Replies: 14
    Last Post: 06-23-2010, 09:36 PM
  4. unable to hook DrawPrimitive in vtable
    By Anddos in forum General Hacking
    Replies: 2
    Last Post: 02-08-2010, 06:19 AM
  5. [Source]Vtable Hook?
    By SoreBack in forum Combat Arms Hacks & Cheats
    Replies: 17
    Last Post: 01-29-2009, 12:46 PM