Page 1 of 3, results 1 to 15 of 31
#1 Departure | Join Date: Nov 2010 | Posts: 818 | Reputation: 125

    [Question] Hook EndScene

    Just a couple of questions about the d3d9 EndScene function and hooking it...

    Would I be correct in saying I can use IDA to get the address of that function, and then, once I'm injected into the engine process, I could CodeHook (EndScene function address - base address of d3d9.dll)?

    For example...
    According to IDA, the EndScene function starts at "7542CE09".

    And let's just say the base address of d3d9.dll is "75410000".

    EndScene - Base = 1CE09 <--- this would be our offset

    So once injected, would I be correct in saying HookCode(GetModuleHandleA("d3d9.dll") + $1CE09)?

    Or does anyone have these "device pointers" and could explain how it's working, what they hook, or how they get the address of the EndScene function dynamically? Or explain in detail this vtable and why it is used...

    Actually, anyone with information about EndScene hooks, it would be nice if you could explain what you know...

    I'm not interested in the hook itself, just mainly the addresses of the function.
    Last edited by Departure; 11-30-2010 at 07:39 AM.

#2 Mr.Magicman | Join Date: Sep 2009 | Posts: 2,103 | Reputation: 16

    Yes, you're right. There are countless ways to hook EndScene and the other vtables. This is the most commonly known way of detouring or "hooking". There is also a pointer in the engine which is a p->p->p->p->D3DIRECTDEVICE9, if I can explain it that way (p = pointer), which Gellin's base uses.

    (Note: DrawIndexedPrimitive and SetStreamSource can't be hooked the regular way without D/C'ing.)


#3 Departure | Join Date: Nov 2010 | Posts: 818 | Reputation: 125

    Thanks for the info. I just want to hook EndScene so I can use PTC methods. I'm not interested in including the DX9 library headers with my code and using them, so all arguments coming into my hooked EndScene callback will just get directed to the original EndScene, but I will call the PTC method and hopefully it should work because I'm in the context of a d3d9 function.

    I will try the theory of d3d9Base + Offset to hook that address and see what happens...

    Can anyone confirm the EndScene address for me?

#4 Mr.Magicman | Join Date: Sep 2009 | Posts: 2,103 | Reputation: 16

    To get one thing clear... EndScene and LTClient + 0xSomething are 2 completely different things.

#5 GodHack2 | Join Date: May 2010 | Posts: 645 | Reputation: 38

    What you are trying to accomplish here is called a mid-function hook. There are a lot of tutorials about it; just Google it.

    BTW: I hate mid-function hooks because they are a pain in the ass! Works on one OS and doesn't work on another :/

#6 freedompeace | Join Date: Jul 2010 | Posts: 3,035 | Reputation: 340

    Quote Originally Posted by Mr.Magicman:
    Yes, you're right. There are countless ways to hook EndScene and the other vtables. This is the most commonly known way of detouring or "hooking". There is also a pointer in the engine which is a p->p->p->p->D3DIRECTDEVICE9, if I can explain it that way (p = pointer), which Gellin's base uses.

    (Note: DrawIndexedPrimitive and SetStreamSource can't be hooked the regular way without D/C'ing.)
    What is this "regular way"? |:

#7 Departure | Join Date: Nov 2010 | Posts: 818 | Reputation: 125

    Quote Originally Posted by Mr.Magicman:
    To get one thing clear... EndScene and LTClient + 0xSomething are 2 completely different things.
    Yeah, I understand that. Like I said, "d3d9.dll base". I was looking in Olly again and found the table you guys call "vtable". I really have no idea why a lot of people go through all the trouble of using a pointer to a pointer to a pointer, etc... I thought d3d9.dll is the same on any system and therefore will have the same offset from the base address? Even if there was a different d3d9.dll for, let's say, Windows XP, you could get the offset from the base address in the d3d9.dll for XP and then in your code just check the OS version. Anyway, I doubt they would release a different d3d9.dll for each system...

#8 Apoc91 | Join Date: Apr 2010 | Posts: 59 | Reputation: 10

    Quote Originally Posted by Departure:
    Yeah, I understand that. Like I said, "d3d9.dll base". I was looking in Olly again and found the table you guys call "vtable". I really have no idea why a lot of people go through all the trouble of using a pointer to a pointer to a pointer, etc... I thought d3d9.dll is the same on any system and therefore will have the same offset from the base address? Even if there was a different d3d9.dll for, let's say, Windows XP, you could get the offset from the base address in the d3d9.dll for XP and then in your code just check the OS version. Anyway, I doubt they would release a different d3d9.dll for each system...
    He's saying that mid-function hooking causes trouble... but really, to accomplish what you're wanting (and I'm pretty sure this is how you're doing it in your head):

    You could do:

    Code:
    #include <windows.h>
    #include <d3d9.h>

    // CreateDetour, ENDSCENE_ADDRESS and RunConsoleCommand are the hack's own helpers/constants.
    typedef HRESULT (WINAPI* EndScene_T)(LPDIRECT3DDEVICE9 lpDirect3DDevice9);
    static EndScene_T fnEndScene = NULL;   // trampoline to the original EndScene, filled in by CreateDetour

    HRESULT WINAPI MyEndScene(LPDIRECT3DDEVICE9 lpDevice)
    {
       RunConsoleCommand("ShowFps 1");     // we are now on the render thread, so PTC is safe here
       // Do other stuff
       return fnEndScene(lpDevice);        // always forward to the original and return its HRESULT
    }

    ...

    DWORD WINAPI MyMainThread(LPVOID lpParam)
    {
       fnEndScene = (EndScene_T) CreateDetour(ENDSCENE_ADDRESS, (PVOID) MyEndScene);
       return 0;
    }

#9 GodHack2 | Join Date: May 2010 | Posts: 645 | Reputation: 38

    Quote Originally Posted by Apoc91:
    He's saying that mid-function hooking causes trouble... but really, to accomplish what you're wanting (and I'm pretty sure this is how you're doing it in your head)

    You could do:

    Code:
    [EndScene detour snippet quoted from post #8, not repeated here]
    He is a Delphi coder, and he is talking about the hook, not the function itself.

#10 freedompeace | Join Date: Jul 2010 | Posts: 3,035 | Reputation: 340

    @OP and FP (first post)

    Yes, you're correct.

    Quote Originally Posted by Apoc91:
    He's saying that mid-function hooking causes trouble... but really, to accomplish what you're wanting (and I'm pretty sure this is how you're doing it in your head)

    You could do:

    Code:
    [EndScene detour snippet quoted from post #8, not repeated here]
    He doesn't want to do that.

    Quote Originally Posted by Departure:
    Yeah, I understand that. Like I said, "d3d9.dll base". I was looking in Olly again and found the table you guys call "vtable". I really have no idea why a lot of people go through all the trouble of using a pointer to a pointer to a pointer, etc... I thought d3d9.dll is the same on any system and therefore will have the same offset from the base address? Even if there was a different d3d9.dll for, let's say, Windows XP, you could get the offset from the base address in the d3d9.dll for XP and then in your code just check the OS version. Anyway, I doubt they would release a different d3d9.dll for each system...
    The "vtable" is the virtual function table in it.

    You can just create a DX device with the same parameters; that gives you the same pointer to the current DX device as well as all its functions.

    You can also do a signature scan for the device pointer, which will be the same on all applications using the same DirectX version as the one you're scanning (scan for 8, 9, 10 and 11 if you want them all).
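
    An added illustration of the vtable point made in this post, written for this page and not posted by anyone in the thread: a C mock of the C-style COM layout that IDirect3DDevice9 uses. Every instance begins with one pointer to a table of function pointers shared by the whole class, which is why a second device created with the same parameters reports the same method addresses, and why swapping one slot in that table (the usual "VMT hook") intercepts calls made through any instance. The three-method interface, its slot numbers and the frame counter are constructed for the demo; the real IDirect3DDevice9 table has EndScene at slot 42, and in a live process the page holding d3d9's table must be made writable before the swap.

```c
#include <stddef.h>
#include <stdio.h>

typedef long HRESULT_T;
struct MockDevice;

/* Constructed stand-in for a COM interface's vtable (not IDirect3DDevice9). */
typedef struct MockVtbl {
    HRESULT_T (*BeginScene)(struct MockDevice *self);
    HRESULT_T (*EndScene)(struct MockDevice *self);
    HRESULT_T (*Present)(struct MockDevice *self);
} MockVtbl;

/* C-style COM object: the vtable pointer is always the first field. */
typedef struct MockDevice {
    MockVtbl *lpVtbl;
    int frames;          /* constructed state so we can see the original run */
} MockDevice;

static HRESULT_T mock_begin(MockDevice *self)   { (void)self; return 0; }
static HRESULT_T mock_end(MockDevice *self)     { self->frames++; return 0; }
static HRESULT_T mock_present(MockDevice *self) { (void)self; return 0; }

/* One table for the whole class, exactly as the runtime DLL has. It is kept
 * writable here; in a real target you would VirtualProtect the page first. */
static MockVtbl g_mock_vtbl = { mock_begin, mock_end, mock_present };

#define MOCK_ENDSCENE_INDEX 1   /* slot of EndScene in this constructed table */

/* Read slot `index` of an object's vtable: *(void***)object is the table. */
void *vmt_entry(void *object, size_t index)
{
    return (*(void ***)object)[index];
}

/* Generic VMT hook: swap one slot and hand back the original pointer so the
 * replacement can forward to it. Works for any COM-style object. */
void *vmt_hook(void *object, size_t index, void *replacement)
{
    void **vtable = *(void ***)object;
    void *original = vtable[index];
    vtable[index] = replacement;
    return original;
}

static HRESULT_T (*g_orig_end)(MockDevice *) = NULL;
static int g_hook_calls = 0;

/* Our EndScene: do the per-frame work, then forward to the original. */
static HRESULT_T hooked_end(MockDevice *self)
{
    g_hook_calls++;
    return g_orig_end(self);
}

/* Two devices "created with the same parameters" share one table, so hooking
 * through `a` also intercepts calls made through `b`. Returns 1 on success. */
int demo_shared_vtable(void)
{
    MockDevice a = { &g_mock_vtbl, 0 };
    MockDevice b = { &g_mock_vtbl, 0 };
    int same_entry = vmt_entry(&a, MOCK_ENDSCENE_INDEX) ==
                     vmt_entry(&b, MOCK_ENDSCENE_INDEX);

    g_orig_end = (HRESULT_T (*)(MockDevice *))
                 vmt_hook(&a, MOCK_ENDSCENE_INDEX, (void *)hooked_end);

    b.lpVtbl->EndScene(&b);   /* goes through hooked_end although we hooked via a */
    a.lpVtbl->EndScene(&a);

    return same_entry && g_hook_calls == 2 && a.frames == 1 && b.frames == 1;
}

int main(void)
{
    printf("shared vtable hook demo: %s\n", demo_shared_vtable() ? "ok" : "FAILED");
    return 0;
}
```

    The same two lines, `*(void***)device` to reach the table and `table[42]` to reach EndScene, are what the "p->p->p->D3DIRECTDEVICE9" chains and the sig-scanned device pointer mentioned in this thread ultimately resolve to; the hook itself does not care how the device pointer was obtained.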

#11 Departure | Join Date: Nov 2010 | Posts: 818 | Reputation: 125

    Actually, Apoc91 is correct. This is exactly what I had in mind to get the PTC method working. The difference is I will be using inline assembly in the hooked EndScene callback. As much as I would like to create a DX device, I won't be doing it, as I don't want to even deal with DX9 (not in Delphi anyway); thus I will not have any of the DX9 headers and units. I didn't even want to hook from the start, but after some info supplied by freedompeace and other members I now realize you can't call the PTC method from your own thread; it must be called from the context of d3d9, thus the reason why I want to hook the simplest DX function (EndScene), as it only requires a pointer for arguments and will be passed straight to the original EndScene...


    My idea...

    Hook(d3d9Base + EndSceneOffset, @NewEndScene, @OriginalEndScene)

    Then in my NewEndScene Callback...
    Code:
    var
      bFogOnOff: Boolean = False;                        // toggled elsewhere (hotkey etc.)
      OriginalEndScene: function(const Self: Pointer): HResult; stdcall;  // filled in by Hook()

    const
      RunConsoleCommandAddr = $00485E10;                 // engine console function, ripped from the disassembled hacks

    function NewEndScene(const Self: Pointer): HResult; stdcall;
    const
      FogOn: PAnsiChar = 'FogEnable 0';
      FogOff: PAnsiChar = 'FogEnable 1';
    begin
      Result := OriginalEndScene(Self);                  // forward on to the original first

      // PTC console method (I disassembled some working C++ hacks and ripped the assembly)
      asm
          cmp byte ptr [bFogOnOff], 0                    // check our Boolean (1 byte, not a dword)
          je @FogON
          push dword ptr [FogOff]                        // pointer to the command string
          mov edx, RunConsoleCommandAddr
          call edx
          jmp @Finish

        @FogON:
          push dword ptr [FogOn]
          mov eax, RunConsoleCommandAddr
          call eax

        @Finish:
          add esp, 4                                     // cdecl-style call: caller removes the one pushed argument
      end;
    end;
    I have not tested this, but now I think you get what my mindset is to get the PTC method working...

    Once I get PTC working I will go further and start using the DX9 types and classes (there is a Delphi implementation I've seen on the net for DX9). But for now I just want to be able to use PushToConsole.


    //Edit

    I got wrapped up in what I want to do that I forgot to tell you guys why I want to find out about the vtables...

    I don't understand why people are using a sig scanner on d3d9.dll to get the pointer to the vtable, because in my head the vtable address should always be the same offset from the d3d9 base address, as should the EndScene address. The only reason I can think of why it would be different is a different version of d3d9.dll for different OSes... And freedompeace even said some people get the pointer to the pointer to the pointer to the vtable from Engine.exe; this in my mind makes no sense. Why go through all that trouble? You should only be calculating from the base address of d3d9.dll when it's loaded... So my question is, what is the reason behind this? Because a lot of source I've seen does this, so I'm guessing there must be a reason.... Even if you wanted multiple d3d9 functions, wouldn't it be easier just to do something like d3d9base + OffsetToVTable, which would land you on the first vtable entry?

    This vtable is just DB pointers to function addresses, so I'm not sure why this is even used unless it changes, which would make d3d9.dll polymorphic code (which it is not).
    Last edited by Departure; 12-01-2010 at 06:23 AM.

#12 Mr.Magicman | Join Date: Sep 2009 | Posts: 2,103 | Reputation: 16

    LISTEN, ENDSCENE HAS NOTHING TO DO WITH THIS!

    PTC is a part of the LTbase.

#13 Crash | Join Date: Aug 2009 | Posts: 2,889 | Reputation: 163

    Quote Originally Posted by Mr.Magicman:
    LISTEN, ENDSCENE HAS NOTHING TO DO WITH THIS!

    PTC is a part of the LTbase.
    Apparently calling from EndScene works, as opposed to calling from your thread.

#14 DoubleDutch | Join Date: Sep 2007 | Posts: 10,892 | Reputation: 949

    Quote Originally Posted by Mr.Magicman:
    LISTEN, ENDSCENE HAS NOTHING TO DO WITH THIS!

    PTC is a part of the LTbase.
    I would follow that advice. ^

#15 Apoc91 | Join Date: Apr 2010 | Posts: 59 | Reputation: 10

    Quote Originally Posted by Mr.Magicman:
    LISTEN, ENDSCENE HAS NOTHING TO DO WITH THIS!

    PTC is a part of the LTbase.
    It has something to do with it (well, any D3D function you hook does, really) when you consider that you can't call RunConsoleCommand from your thread. (I'd say you could hack it up and do it, but IMO it's a lot less effort to just hook EndScene/Present or something and handle it there.)


    Quote Originally Posted by Departure:
    //Edit

    I got wrapped up in what I want to do that I forgot to tell you guys why I want to find out about the vtables...

    I don't understand why people are using a sig scanner on d3d9.dll to get the pointer to the vtable, because in my head the vtable address should always be the same offset from the d3d9 base address, as should the EndScene address. The only reason I can think of why it would be different is a different version of d3d9.dll for different OSes... And freedompeace even said some people get the pointer to the pointer to the pointer to the vtable from Engine.exe; this in my mind makes no sense. Why go through all that trouble? You should only be calculating from the base address of d3d9.dll when it's loaded... So my question is, what is the reason behind this? Because a lot of source I've seen does this, so I'm guessing there must be a reason.... Even if you wanted multiple d3d9 functions, wouldn't it be easier just to do something like d3d9base + OffsetToVTable, which would land you on the first vtable entry?

    This vtable is just DB pointers to function addresses, so I'm not sure why this is even used unless it changes, which would make d3d9.dll polymorphic code (which it is not).
    You should be able to use Base + Offset, since as you said it's pretty much the same thing. I think what happened was one person showed you could do it one way (whether it's via Engine.exe or just creating your own device), and everyone leeched it from there.
    Last edited by Apoc91; 12-01-2010 at 03:32 PM.
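
    An added example for the base + offset versus signature-scan argument running through posts #1, #11 and #15; it is written for this page and is not code from any poster. It carries the first post's arithmetic (IDA address minus IDA image base gives the RVA, runtime module base plus RVA gives the hook address) through in C, then runs both methods against two constructed byte buffers standing in for two builds of the same DLL. The prologue bytes, the two build layouts and the "IDA" addresses used for the constructed images are assumptions for the demo, not the real EndScene bytes; only the 7542CE09 / 75410000 / 1CE09 figures come from the thread. The fixed offset is correct only for the build it was taken from, which is the reason the sig-scan sources the thread mentions exist.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Base + offset, as in the first post: RVA = IDA address - IDA image base. */
uintptr_t rva_from_ida(uintptr_t ida_address, uintptr_t ida_image_base)
{
    return ida_address - ida_image_base;
}

/* ... and at runtime: GetModuleHandleA("d3d9.dll") + RVA. */
uintptr_t runtime_address(uintptr_t module_base, uintptr_t rva)
{
    return module_base + rva;
}

/* Signature scan over a module image. mask: 'x' = byte must match,
 * '?' = wildcard. Returns the offset of the first match, or -1. */
long find_pattern(const uint8_t *buf, size_t len, const uint8_t *pat, const char *mask)
{
    size_t plen = strlen(mask);
    if (plen == 0 || plen > len) return -1;
    for (size_t i = 0; i + plen <= len; i++) {
        size_t j;
        for (j = 0; j < plen; j++) {
            if (mask[j] == 'x' && buf[i + j] != pat[j]) break;
        }
        if (j == plen) return (long)i;
    }
    return -1;
}

/* Constructed images of two hypothetical builds of one DLL. The target
 * function begins with the bytes 8B FF 55 8B EC 83 EC ?? (the usual MSVC
 * hotpatch prologue; ?? is the stack-frame size, which differs per build)
 * and sits at a different offset in each build. Not the real EndScene bytes. */
#define IMG_LEN 64
#define TARGET_OFFSET_BUILD_A 0x10
#define TARGET_OFFSET_BUILD_B 0x28

static const uint8_t g_sig[]  = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x00 };
static const char    g_mask[] = "xxxxxxx?";

static void build_image(uint8_t *img, size_t target_off, uint8_t frame_size)
{
    memset(img, 0xCC, IMG_LEN);            /* int3 padding everywhere else */
    memcpy(img + target_off, g_sig, 7);
    img[target_off + 7] = frame_size;      /* the byte the wildcard covers */
}

/* Take the RVA from "IDA" on build A (assumed IDA base 0x10000000, function
 * at 0x10000010), apply it to both builds, and compare with a pattern scan.
 * Returns 1 when the fixed offset hits build A but misses build B while the
 * scan locates the function in both. */
int demo_offset_vs_signature(void)
{
    uint8_t a[IMG_LEN], b[IMG_LEN];
    build_image(a, TARGET_OFFSET_BUILD_A, 0x20);
    build_image(b, TARGET_OFFSET_BUILD_B, 0x40);

    uintptr_t rva = rva_from_ida(0x10000010u, 0x10000000u);
    const uint8_t *fixed_a = (const uint8_t *)runtime_address((uintptr_t)a, rva);
    const uint8_t *fixed_b = (const uint8_t *)runtime_address((uintptr_t)b, rva);
    int fixed_hits_a = memcmp(fixed_a, g_sig, 7) == 0;
    int fixed_hits_b = memcmp(fixed_b, g_sig, 7) == 0;   /* lands on 0xCC padding */

    long scan_a = find_pattern(a, IMG_LEN, g_sig, g_mask);
    long scan_b = find_pattern(b, IMG_LEN, g_sig, g_mask);

    return fixed_hits_a && !fixed_hits_b &&
           scan_a == TARGET_OFFSET_BUILD_A && scan_b == TARGET_OFFSET_BUILD_B;
}

int main(void)
{
    printf("RVA from the first post: 0x%lX\n",
           (unsigned long)rva_from_ida(0x7542CE09u, 0x75410000u));
    printf("offset vs signature demo: %s\n",
           demo_offset_vs_signature() ? "ok" : "FAILED");
    return 0;
}
```

    In a real target the buffer handed to find_pattern would be the mapped d3d9.dll (module base and size from the loaded module list), and a hit should be checked against the expected prologue before anything is written there; a fixed RVA deserves the same check, since a d3d9.dll update silently moves the function and the hook then patches unrelated code.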
