  1. #1
    DagothUr's Avatar

    Post Chams (crudely explained)

    I was rummaging through my old project file in order to find 2 things I can release ;P, and I found this source for chams. I think I just compiled this from a few bases, twas easier than you think.

    I just need someone to compile it because my VS is being a Fa*got and wont recognise some functions and i dont know... it will work... in theory.

    It is also explained as well as I can...

    Here it is:




    [html]#include <windows.h>

    //If I am not mistaken, #include tells the preprocessor to pull the contents of the following header into this file.

    #include <d3d9.h>
    #pragma comment(lib, "d3d9.lib")

    //Places a library-search record in the object file. This comment type must be accompanied by a commentstring parameter containing the name (and possibly the path) of the library that you want the linker to search.
    //I will now explain what a commentstring parameter is:
    //The commentstring is a string literal that provides additional information for some comment types. Because commentstring is a string literal, it obeys all the rules for string literals with respect to escape characters, embedded quotation marks ("), and concatenation...
    //Which basically means: type #pragma comment(lib, "nameoflibrary.lib")
    //lib because it is a library file.

    #include <d3dx9.h>
    #pragma comment(lib, "d3dx9.lib")
    #include <time.h>
    #include <stdlib.h>
    #include <fstream>
    #include <vector>
    #include <D3dx9tex.h>
    #include <stdio.h>
    #include <time.h>
    #include <tchar.h>
    #include <iostream>
    #pragma warning(disable:4996)//This is to disable the sprintf warning in VC++...
    // One-shot flag: stays true until DrawIndexedPrimitive_Detour has created the two shaders below.
    bool fCall = true;
    // Runtime on/off switch for the recolouring; flipped by the NUMPAD1 check in DrawIndexedPrimitive_Detour.
    bool Chams = false;

    // Both flags are plain globals that are only read and written inside the hooked draw call.
    // No locking or atomics are used on them anywhere in this listing.

    // Pixel shaders filled in by CreateMyShader on the first hooked draw call.
    // Front is bound for the pass drawn with depth testing off, Back for the pass drawn afterwards.
    IDirect3DPixelShader9 *Front,
    *Back;



    // Builds a ps.1.1 pixel shader that outputs one constant colour and stores it in *pShader.
    //   pShader : receives the created shader object
    //   Device  : device used to create the shader
    //   red, green, blue, alpha : channel values on a 0-255 scale; each is divided by 255 before being written into the shader text
    // Returns E_FAIL when CreatePixelShader fails, otherwise S_OK.
    HRESULT CreateMyShader(IDirect3DPixelShader9 **pShader, IDirect3DDevice9 *Device, float red, float green, float blue, float alpha )

    // The body formats shader assembly text, assembles it, then creates the shader from the assembled bytes.

    {
    ID3DXBuffer *MyBuffer = NULL;
    char MyShader[ 256 ];
    // Shader text: define constant c0 as the scaled colour and move it to r0, the ps.1.x output register.
    sprintf( MyShader, "ps.1.1\ndef c0, %f, %f, %f, %f\nmov r0,c0", red/255, green/255, blue/255, alpha/255 );
    // The length passed is the size of the whole 256-byte array, not the length of the formatted text.
    // The return value of the assemble call is not checked before MyBuffer is used on the next line.
    D3DXAssembleShader( MyShader, sizeof( MyShader ), NULL, NULL, 0, &MyBuffer , NULL );
    if( FAILED( Device->CreatePixelShader((const DWORD*)MyBuffer ->GetBufferPointer(), pShader)) )return E_FAIL;
    return S_OK;

    // MyBuffer is not released anywhere in this function.

    }

    // Function-pointer types for the four Direct3D 9 methods this file intercepts.
    // The first parameter of each is the interface pointer the method is called on.
    typedef HRESULT (WINAPI* CreateDevice_Prototype) (LPDIRECT3D9, UINT, D3DDEVTYPE, HWND, DWORD, D3DPRESENT_PARAMETERS*, LPDIRECT3DDEVICE9*);
    typedef HRESULT (WINAPI* Reset_Prototype) (LPDIRECT3DDEVICE9, D3DPRESENT_PARAMETERS*);
    typedef HRESULT (WINAPI* EndScene_Prototype) (LPDIRECT3DDEVICE9);
    typedef HRESULT (WINAPI* DrawIndexedPrimitive_Prototype)(LPDIRECT3DDEVICE9, D3DPRIMITIVETYPE, INT, UINT, UINT, UINT, UINT);

    // These have nothing to do with character skins: they hold the ORIGINAL method addresses read out of the vtable,
    // so each detour can forward its call to the real implementation.

    CreateDevice_Prototype CreateDevice_Pointer = NULL;
    Reset_Prototype Reset_Pointer = NULL;
    EndScene_Prototype EndScene_Pointer = NULL;
    DrawIndexedPrimitive_Prototype DrawIndexedPrimitive_Pointer = NULL;

    // Forward declarations of the setup routine and of the replacement (detour) functions defined further down.

    HRESULT WINAPI Direct3DCreate9_VMTable (VOID);
    HRESULT WINAPI CreateDevice_Detour (LPDIRECT3D9, UINT, D3DDEVTYPE, HWND, DWORD, D3DPRESENT_PARAMETERS*, LPDIRECT3DDEVICE9*);
    HRESULT WINAPI Reset_Detour (LPDIRECT3DDEVICE9, D3DPRESENT_PARAMETERS*);
    HRESULT WINAPI EndScene_Detour (LPDIRECT3DDEVICE9);
    HRESULT WINAPI DrawIndexedPrimitive_Detour(LPDIRECT3DDEVICE9, D3DPRIMITIVETYPE, INT, UINT, UINT, UINT, UINT);

    DWORD WINAPI VirtualMethodTableRepatchingLoopToCounterExtension Repatching(LPVOID);
    PDWORD Direct3D_VMTable = NULL;

    // No 3D model is created here. Direct3D_VMTable is a pointer to the virtual method table being patched:
    // first the IDirect3D9 table (set in Direct3DCreate9_VMTable), later the device table (set in CreateDevice_Detour).
    // Table slots are treated as DWORDs throughout, which only matches pointer size in a 32-bit build.

    // DLL entry point. When the DLL is loaded into a process it installs the CreateDevice patch.
    // Returns TRUE only when the reason is DLL_PROCESS_ATTACH and Direct3DCreate9_VMTable returned D3D_OK;
    // every other path returns FALSE.
    BOOL WINAPI DllMain(HINSTANCE hinstModule, DWORD dwReason, LPVOID lpvReserved)
    {
    if(dwReason == DLL_PROCESS_ATTACH)
    {
    // Opt out of per-thread attach/detach notifications for this module.
    DisableThreadLibraryCalls(hinstModule);

    // All hooking work starts here, directly from the loader callback.
    if(Direct3DCreate9_VMTable() == D3D_OK)
    return TRUE;
    }

    return FALSE;
    }

    // Locates the IDirect3D9 virtual method table and replaces slot 16 with CreateDevice_Detour.
    // Returns D3D_OK on success, D3DERR_INVALIDCALL if the object cannot be created or a VirtualProtect call fails.
    HRESULT WINAPI Direct3DCreate9_VMTable(VOID)
    {
    // Temporary object, created only so its vtable address can be read.
    LPDIRECT3D9 Direct3D_Object = Direct3DCreate9(D3D_SDK_VERSION);

    if(Direct3D_Object == NULL)
    return D3DERR_INVALIDCALL;

    // The first DWORD of the object is read as the address of its vtable; the object itself is then released.
    Direct3D_VMTable = (PDWORD)*(PDWORD)Direct3D_Object;
    Direct3D_Object->Release();

    // This has nothing to do with view distance or walls. The code below is a vtable patch:
    // make slot 16 writable, save the original entry, write the detour address, restore the old page protection.
    // After the write, slot 16 holds an address inside this DLL rather than inside the Direct3D runtime;
    // checking that vtable slots still point into their owning module is how integrity checks spot this kind of patch.

    DWORD dwProtect;

    if(VirtualProtect(&Direct3D_VMTable[16], sizeof(DWORD), PAGE_READWRITE, &dwProtect) != 0)
    {
    // Save the original slot value in CreateDevice_Pointer, then overwrite the slot.
    *(PDWORD)&CreateDevice_Pointer = Direct3D_VMTable[16];
    *(PDWORD)&Direct3D_VMTable[16] = (DWORD)CreateDevice_Detour;

    // Put the previous page protection back.
    if(VirtualProtect(&Direct3D_VMTable[16], sizeof(DWORD), dwProtect, &dwProtect) == 0)
    return D3DERR_INVALIDCALL;
    }
    else
    return D3DERR_INVALIDCALL;

    return D3D_OK;
    }

    // Replacement for the method in IDirect3D9 vtable slot 16.
    // Forwards the call to the original, undoes the slot-16 patch, and on success records the new device's
    // vtable, saves three of its original entries and starts the re-patching thread.
    // Returns the original call's result, or D3DERR_INVALIDCALL if VirtualProtect or CreateThread fails
    // (in those cases the original result is discarded).
    HRESULT WINAPI CreateDevice_Detour(LPDIRECT3D9 Direct3D_Object, UINT Adapter, D3DDEVTYPE DeviceType, HWND FocusWindow,
    DWORD BehaviorFlags, D3DPRESENT_PARAMETERS* PresentationParameters,
    LPDIRECT3DDEVICE9* Returned_Device_Interface)
    {
    // Let the real implementation create the device first.
    HRESULT Returned_Result = CreateDevice_Pointer(Direct3D_Object, Adapter, DeviceType, FocusWindow, BehaviorFlags,
    PresentationParameters, Returned_Device_Interface);

    DWORD dwProtect;

    if(VirtualProtect(&Direct3D_VMTable[16], sizeof(DWORD), PAGE_READWRITE, &dwProtect) != 0)
    {
    // Restore the original slot value and clear the saved pointer.
    *(PDWORD)&Direct3D_VMTable[16] = *(PDWORD)&CreateDevice_Pointer;
    CreateDevice_Pointer = NULL;
    // Nothing is rendered here; this only puts the page protection back after the restore.
    if(VirtualProtect(&Direct3D_VMTable[16], sizeof(DWORD), dwProtect, &dwProtect) == 0)
    return D3DERR_INVALIDCALL;
    }
    else
    return D3DERR_INVALIDCALL;

    if(Returned_Result == D3D_OK)
    {
    // From here on Direct3D_VMTable refers to the DEVICE's vtable, not the IDirect3D9 one.
    Direct3D_VMTable = (PDWORD)*(PDWORD)*Returned_Device_Interface;

    // Save the original entries of device slots 16, 42 and 82 for the Reset, EndScene and DrawIndexedPrimitive detours.
    *(PDWORD)&Reset_Pointer = (DWORD)Direct3D_VMTable[16];
    *(PDWORD)&EndScene_Pointer = (DWORD)Direct3D_VMTable[42];
    *(PDWORD)&DrawIndexedPrimitive_Pointer = (DWORD)Direct3D_VMTable[82];
    // The slots themselves are not written in this function; the thread started below does that.
    if(CreateThread(NULL, 0, VirtualMethodTableRepatchingLoopToCounterExtension Repatching, NULL, 0, NULL) == NULL)
    return D3DERR_INVALIDCALL;
    }

    return Returned_Result;
    }

    // Pass-through detour for device vtable slot 16: forwards to the saved original and returns its result unchanged.
    HRESULT WINAPI Reset_Detour(LPDIRECT3DDEVICE9 Device_Interface, D3DPRESENT_PARAMETERS* PresentationParameters)
    {
    return Reset_Pointer(Device_Interface, PresentationParameters);
    }

    // Pass-through detour for device vtable slot 42: forwards to the saved original and returns its result unchanged.
    HRESULT WINAPI EndScene_Detour(LPDIRECT3DDEVICE9 Device_Interface)
    {
    return EndScene_Pointer(Device_Interface);
    }

    // Detour for device vtable slot 82. Runs on every indexed draw call the host process issues.
    // When the Chams flag is on and the draw call matches the stride/start-index filter, the geometry is
    // drawn an extra time with depth testing disabled and a constant-colour shader bound.
    // Returns the result of the final forwarded draw call.
    HRESULT WINAPI DrawIndexedPrimitive_Detour(LPDIRECT3DDEVICE9 Device_Interface, D3DPRIMITIVETYPE Type, INT BaseIndex,
    UINT MinIndex, UINT NumVertices, UINT StartIndex, UINT PrimitiveCount)
    {
    LPDIRECT3DVERTEXBUFFER9 Stream_Data;
    UINT Offset = 0;
    UINT Stride = 0;

    // Outputs for GetStreamSource below. Only Stride is used afterwards.

    // Query vertex stream 0 to learn the vertex stride of the current draw call.
    // On success the returned buffer reference is released again immediately.
    if(Device_Interface->GetStreamSource(0, &Stream_Data, &Offset, &Stride) == D3D_OK)
    Stream_Data->Release();

    // First call only: create the two constant-colour shaders.

    if(fCall)
    {
    CreateMyShader( &Front, Device_Interface, 255, 0, 0, 255 );
    CreateMyShader( &Back, Device_Interface, 255, 255, 0, 255 );
    fCall = false;
    }

    // Argument order is red, green, blue, alpha (not black): Front is opaque red, Back is opaque yellow.
    // The return values of CreateMyShader are ignored.

    // Low bit of GetAsyncKeyState: the key was pressed since the previous call.
    if ( GetAsyncKeyState ( VK_NUMPAD1 ) &1 )
    {
    Chams = !Chams;
    }

    // NUMPAD1 toggles the Chams flag declared at the top of the file.

    // Filter on vertex stride 32 and start index 0; presumably chosen to match the target's character models - not shown here.
    if(Chams && (Stride == 32 && StartIndex == 0))
    {
    // Save the current depth-test state, turn depth testing off, draw with Front, then restore the saved state.
    DWORD dwOldZEnable = D3DZB_TRUE;
    Device_Interface->GetRenderState(D3DRS_ZENABLE, &dwOldZEnable);
    Device_Interface->SetRenderState(D3DRS_ZENABLE, D3DZB_FALSE);
    Device_Interface->SetPixelShader( Front );
    DrawIndexedPrimitive_Pointer(Device_Interface, Type, BaseIndex, MinIndex, NumVertices, StartIndex, PrimitiveCount);
    Device_Interface->SetRenderState(D3DRS_ZENABLE, dwOldZEnable);
    // Back stays bound for the final draw below and is not unbound afterwards.
    Device_Interface->SetPixelShader( Back );
    }

    // D3DRS_ZENABLE is the render state; D3DZB_FALSE is the value that disables depth testing.
    // With it off, the pass above is not hidden by geometry in front of it, which is the see-through-walls effect.

    return DrawIndexedPrimitive_Pointer(Device_Interface, Type, Nipples, BaseIndex, MinIndex, NumVertices, StartIndex, PrimitiveCount);
    }

    // Thread routine started from CreateDevice_Detour. Loops forever and, every 100 ms, writes the three
    // detour addresses into device vtable slots 42, 82 and 16. Param is unused.
    // The return statement after the loop is never reached.
    DWORD WINAPI VirtualMethodTableRepatchingLoopToCounterExtension Repatching(LPVOID Param)
    {
    UNREFERENCED_PARAMETER(Param);

    while(1)
    {
    Sleep(100);

    // Unlike the slot-16 patch on IDirect3D9, these writes are made without a VirtualProtect call
    // and without any synchronisation against the thread that is rendering.
    *(PDWORD)&Direct3D_VMTable[42] = (DWORD)EndScene_Detour;
    *(PDWORD)&Direct3D_VMTable[82] = (DWORD)DrawIndexedPrimitive_Detour;
    *(PDWORD)&Direct3D_VMTable[16] = (DWORD)Reset_Detour;
    }

    return 1;
    }

    // Because the slots are rewritten on a timer, restoring them once does not remove the hook; a defender has to
    // re-check the table repeatedly or stop the writing thread. The pattern to look for is a vtable slot that keeps
    // reverting to an address outside the Direct3D runtime module.


    [/html]

    And thats it... easy right? *sarcasm*
    I didnt learn how to compile an injector so just use a pre-made one.
    You can either learn from this (slightly) or copy and paste it all into an empty DLL project and it will work... (no it won't, I put a false command in it somewhere so you would be forced to read it)

    Hopefully you pro's can help me explain this further because it has been many a year that I have booted up the old VS.

    Also hopefully this counts as one release and if you give me the source (Major...) I will release it and it will count as two... (cheeky...) lol

    Have fun-ish.

    P.S I did not search through the forums to see if this was already made so... sorry if it is I just wasted my own time...
    Last edited by /b/oss; 04-21-2011 at 02:49 PM.

  2. #2
    CAflames3's Avatar
    Only one comment was right.

    [YOUTUBE]<object width="960" height="745"><param name="movie" value="http://www.youtube.com/v/ztMdOZiFKo0&hl=en_US&fs=1&color1=0x2b405b&color2=0 x6b8ab6&hd=1"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="always"></param><embed src="http://www.youtube.com/v/ztMdOZiFKo0&hl=en_US&fs=1&color1=0x2b405b&color2=0 x6b8ab6&hd=1" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="960" height="745"></embed></object>[/YOUTUBE]

  3. #3
    DagothUr's Avatar
    Which one? Actualy im supprised that any of them are right :/

  4. #4
    sciart4885's Avatar
    what's the use of making a hack if you cant get it through gameguard?
    and please don't tell me that you ACTUALLY BYPASSED A ROOTKIT, by the looks of it you hardly know how to code at all.

  5. #5
    /b/oss's Avatar
    /added source code thingy.. to make it more nicely

    and i mean two relases.. =)

    @DagothUr

  6. #6
    DagothUr's Avatar
    Oh cmon. You cant get past gameguard (to my knowlege) and I'm not gonna be cheap and make crosshares or anything like that. and thanks for the box thingy, I forgot which one that was.

    edit: I can code... Like 2 years ago. I only started to dig through my old stuff when I learnt that I need to know C for a course I want to enroll in. But the source above is valid and should work unless they have completely remodeled the game. So I was multitasking by posting this and trying to remember the function names and what they do.
    Last edited by DagothUr; 04-21-2011 at 05:46 PM.

  7. #7
    Battlefield 3's Avatar
    Quote Originally Posted by CAflames3 View Post
    Only one comment was right.
    invisible HACKS
    but i dont play CA ( i still like to mod it )

  8. #8
    sciart4885's Avatar
    Quote Originally Posted by DagothUr View Post
    Oh cmon. You cant get past gameguard (to my knowlege) and I'm not gonna be cheap and make crosshares or anything like that. and thanks for the box thingy, I forgot which one that was.

    edit: I can code... Like 2 years ago. I only started to dig through my old stuff when I learnt that I need to know C for a course I want to enroll in. But the source above is valid and should work unless they have completely remodeled the game. So I was multitasking by posting this and trying to remember the function names and what they do.
    Yes, the source code is valid, just the comments are misleading. Good job hooking DirectX, but there are loads of base hooks capable of doing that (no insult or offense, just saying that there's nothing new). Also, it won't work, not because they recoded the entire game, but because GameGuard had a major update last year to more of an "advanced" rootkit, and as far as I know the only possible way to bypass it is to create a hack at the same level as GameGuard (kernel driver or something). I've seen one of the guys at Game Deception code a lower-level WDDM hook to get the D3D device through the ATi/Nvidia drivers, but that also hooks the functions at user level, so it is also caught.

    P.S: Apologies about the first reply, I was pretty pissed about something back then.

    EDIT: Specific for A.V.A, I'm not sure but I think that GG hooks A.V.A functions and make it a "Stealth" process - atleast it did for the Korean version.
    Last edited by sciart4885; 04-21-2011 at 09:05 PM.

  9. #9
    Cal's Avatar
    Very nice .

  10. #10
    Battlefield 3's Avatar
    Quote Originally Posted by MC Modder View Post
    Very nice .
    i know i hope add aimbot code (i know how )

  11. #11
    DagothUr's Avatar
    Holy, I knew gameguard was hardcore, but yeh, I'm at no state to attempt that. Maybe in a couple of months or so I will attempt to do stuff more advanced...

  12. #12
    sciart4885's Avatar
    I actually might have found a way to bypass GameGuard, but right now my code is very crude and involves a lot of brute-force at ring2~ring0 level, also takes up quite a resource. maybe i'll share this to some of the pros at GD and see what they think.

  13. #13
    DagothUr's Avatar
    yeh your probably best off doing that...

  14. #14
    jessehotmail's Avatar
    Looks Nice , Good job!!
    add me on your xbox 360 buddy list! : xXServl4sXx