There are two critical things you need to know here:
- DirectX is completely independent of the Console - you can push commands to the console without needing to touch DirectX
- I never said it was a pointer to a pointer to a pointer (and so on) - that was Mr Magician on another post. The signature scan gets the pointer to the current DirectX device. Add an offset to get the virtual function table, and then hook your functions from the pointers to functions pointed by that table.
Apparently it doesn't matter (I was still calling console commands from an independent thread yesterday).
Last edited by freedompeace; 12-01-2010 at 05:49 PM.
@freedompeace
Yes, I understand all of that, and sorry, I thought it was you who informed me about the pointer to a pointer etc., which is irrelevant. Even the vtable is irrelevant because I know the address of EndScene. But you say you can call PTC outside of DX9; I'm sorry, I have tried this so many times and failed to call it. So, just as Apoc91 has done, I am thinking of doing the same thing after being told about the DX function that needs to be hooked to call the PTC method. Are you saying you called the PTC command without any hooking of DirectX? If this is the case, is there any chance I could look over your code, because I would much prefer NOT to hook any DirectX functions...
@Apoc91
That's exactly why I'm going to hook DirectX. Maybe I should be looking at hooking the "Present" function instead of EndScene? Saying that, if Freedompeace can call the PTC command without hooking then I would rather go down that path.
Thanks to both of you guys for your input and information, it is very much appreciated..
Sorry for the delayed reply, just finished dinner x]
Well, I've just about completed the core functions of my hack rewrite, so I'm just about to add the console functions into it now (on another thread, obviously) and trying it out in a moment.
I'll inform you if I get PTC working via a non-EndScene thread.
Now, to the reason why the DirectX thread may be the only way to use your PushToConsole functions is that (apparently), HackShield checks the calling address of every command. If your call resides in (or an address that resolves to) one of the game's internal functions - such as a rendering function, your call will pass the test and be allowed to continue.
This means that in theory, you could just NOP the check and be good to go.
Yea, there's definitely a check (at least it looks as if it's checking if it's coming from CShell.dll) at *LTClient + 0x208:
Sadly, even calling 00485E10 directly, I couldn't get the RCC to run.
Code:
0046FA40 A1 3C001037      MOV EAX,DWORD PTR DS:[3710003C]
0046FA45 8B88 2C001037    MOV ECX,DWORD PTR DS:[EAX+3710002C]
0046FA4B 8B1424           MOV EDX,DWORD PTR SS:[ESP]
0046FA4E 05 00001037      ADD EAX,37100000
0046FA53 81C1 00001037    ADD ECX,37100000              ; CShell.dll codebase
0046FA59 3BD1             CMP EDX,ECX                   ; Check if called before CShell base
0046FA5B 72 0E            JB SHORT Engine.0046FA6B      ; If so, return
0046FA5D 8B40 50          MOV EAX,DWORD PTR DS:[EAX+50] ; size of CShell
0046FA60 03C1             ADD EAX,ECX                   ; add size and base
0046FA62 3BD0             CMP EDX,EAX                   ; Check if called after CShell.dll
0046FA64 73 05            JNB SHORT Engine.0046FA6B     ; If so, return
0046FA66 E9 A5630100      JMP Engine.00485E10           ; All's well -- execute the code
0046FA6B C3               RETN
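The call-origin gate in that disassembly, written out as an added illustration of how such a caller check works (my own code, not from the post or the game): it reads e_lfanew, BaseOfCode and SizeOfImage from a constructed PE header stand-in and lets a command through only when the return address falls inside that range, the same way the engine's stub decides between JMP and RETN. The module base matches the post; NT header offset, BaseOfCode, SizeOfImage and the handler names are invented for the sample.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Little-endian u32 read/write on a raw image buffer. */
static uint32_t rd32(const uint8_t *p, size_t off) {
    return (uint32_t)p[off] | ((uint32_t)p[off + 1] << 8) |
           ((uint32_t)p[off + 2] << 16) | ((uint32_t)p[off + 3] << 24);
}
static void wr32(uint8_t *p, size_t off, uint32_t v) {
    p[off] = (uint8_t)v;             p[off + 1] = (uint8_t)(v >> 8);
    p[off + 2] = (uint8_t)(v >> 16); p[off + 3] = (uint8_t)(v >> 24);
}

/* Same gate as the disassembly: accept only when the return address lies in
 * [base + BaseOfCode, base + BaseOfCode + SizeOfImage) of the trusted module. */
int caller_in_trusted_module(const uint8_t *image, uint32_t image_base, uint32_t ret_addr) {
    uint32_t nt = rd32(image, 0x3C);                   /* DOS header e_lfanew */
    uint32_t lo = image_base + rd32(image, nt + 0x2C); /* OptionalHeader.BaseOfCode */
    uint32_t hi = lo + rd32(image, nt + 0x50);         /* + OptionalHeader.SizeOfImage */
    if (ret_addr < lo)  return 0;                      /* JB  -> RETN (dropped) */
    if (ret_addr >= hi) return 0;                      /* JNB -> RETN (dropped) */
    return 1;                                          /* JMP to the real handler */
}

/* Dispatcher: runs the handler only for an accepted caller. Returns 1 if run, 0 if dropped. */
typedef void (*cmd_handler_t)(const char *cmd);
int gated_run_command(const uint8_t *image, uint32_t image_base, uint32_t ret_addr,
                      const char *cmd, cmd_handler_t handler) {
    if (!caller_in_trusted_module(image, image_base, ret_addr)) return 0;
    handler(cmd);
    return 1;
}

/* Constructed sample header (not a real module): base 0x37100000 as in the post,
 * NT headers at +0x80, BaseOfCode 0x1000, SizeOfImage 0x200000 (all invented). */
#define SAMPLE_BASE 0x37100000u
uint8_t sample_image[0x100];
void build_sample_image(void) {
    memset(sample_image, 0, sizeof sample_image);
    wr32(sample_image, 0x3C, 0x80);
    wr32(sample_image, 0x80 + 0x2C, 0x1000);
    wr32(sample_image, 0x80 + 0x50, 0x200000);
}

/* Counting handler so a caller can see whether a command reached it. */
static int handled = 0;
void count_handler(const char *cmd) { (void)cmd; handled++; }
int commands_handled(void) { return handled; }
```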
Woah D:
I need you on MSN >:}
And sorries Departure, as you might (not) know, I don't have Combat Arms personally (due to financial, and therefore internet, limitations, and I'm too young to legally work <.<), so I kinda rely on a trusted tester who I ping my works in progress to for testing, who then pongs me back the results =P
Unfortunately he wasn't here as he normally would be today, so couldn't test. Better luck next time, but you pretty much have a possible solution there :)
resolved long ago just use the internal console.
https://www.mpgh.net/forum/207-combat...ml#post3030792
or you could vtable hook consolecommand, in your hook set it to how it used to be and then you can call it.
the one after the jump
typedef void (__cdecl *lpSetConsoleVariable)(unsigned long console,char* szVal);
lpSetConsoleVariable SetConsoleVariable;
SetConsoleVariable = (lpSetConsoleVariable)(0x0484BC0);
SetConsoleVariable(0x8003F0,"SkelModelStencil -1");
Yep, I also saw this while looking through Engine.exe. That's why I was originally trying to call $00485E10 directly and thought that would have done the trick. Maybe setting EDX and EAX to the same values as this routine sets them to before calling $00485E10 might just do the trick; the only problem is breakpointing on this address while the game is running to get those values...
Still though, it makes no sense that a d3d9 function can call this address directly??
//Edit
Just read SNal2F post
Unsigned long, PChar, integer, integer
Code:
00484BC0 8B4424 08        MOV EAX,DWORD PTR SS:[ESP+8]
00484BC4 8B4C24 04        MOV ECX,DWORD PTR SS:[ESP+4]
00484BC8 6A 00            PUSH 0
00484BCA 6A 00            PUSH 0
00484BCC 50               PUSH EAX
00484BCD 51               PUSH ECX
00484BCE E8 2DF8FFFF      CALL Engine.00484400(unsigned long,szcommand,int,int) //can do here
00484BD3 83C4 10          ADD ESP,10
00484BD6 C3               RETN
What are the 2 integer arguments? Is it 0 from the Push 0, Push 0 ????
The unsigned long is "0x8003F0"???
So if the above is true then ....
asm
pushad
mov eax, pCharNoFog
mov ecx, 008003F0
Push 0
Push 0
Push eax <--- "EnableFog 0"
Push ecx <--- "008003F0"
Call 00484400
add esp, 10
popad
end
that should work called from any thread???
Last edited by Departure; 12-02-2010 at 05:18 AM.
I may be doing something wrong, but I still don't have it working even using that. Although I'm not really interested in not hooking DirectX (since I draw shit etc), I figured I'd make a quick hackup to see if I could get it to work. If you see something I did wrong just point it out and I'll retry.
Code:
typedef void (__cdecl *SetConsoleVariable_T)(DWORD console, LPSTR szVal, int, int);
SetConsoleVariable_T SetConsoleVariable = (SetConsoleVariable_T) 0x00484400;
static const DWORD dwConsole = 0x008013F0;

DWORD WINAPI InitDll(LPVOID lpVoid)
{
    UNREFERENCED_PARAMETER(lpVoid);
    while(GetModuleHandle(L"cshell.dll") == NULL)
        Sleep(100);
    while(true)
    {
        SetConsoleVariable(dwConsole, "ShowFps 1", 0, 0);
        Sleep(100);
    }
}

BOOL APIENTRY DllMain( HMODULE hModule, DWORD dwReason, LPVOID lpReserved )
{
    UNREFERENCED_PARAMETER(hModule);
    UNREFERENCED_PARAMETER(lpReserved);
    if(dwReason == DLL_PROCESS_ATTACH)
    {
        DisableThreadLibraryCalls(hModule);
        CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE) InitDll, NULL, 0, NULL);
    }
    return TRUE;
}
Last edited by Apoc91; 12-02-2010 at 11:41 AM.
maybe you do have to call it in a game function :S
Some tested results come as follows:
- Yes, you will need to call SetConsoleVariable or pRunConsoleCommand from within the game (drawing) loop - EndScene or Present. I did so through Present(). Doing so outside will cause an instant crash.
- Obviously, but for those who are reading this who don't know, you will need to call the console commands from within your re-routed DirectX function, not by calling another function that will push back your command to the console.
This means that if you have pre-existing frameworks for your GameConsole (such as I do), just prefix your functions with __inline, plus a few other adjustments depending on your code.
K, finally got a working PTC method with Delphi. Doing what we have talked about, I hooked the EndScene function from d3d9.dll by using base address + offset. Only problem is it only worked for about 3 or 4 minutes before CA just shut down.
So here comes a new lot of questions... What causes CA to shut down? Is it the hook detection? Is it because it uses PTC EVERY SINGLE time the hooked EndScene callback is called?
For example, here is my EndScene, and I'm thinking it might be shutting down for 1 of 2 reasons..
Here I have ported the PTC C++
First it detects the hotkey, if it's on or off
Code:
type
  lpSetConsoleVariable = procedure (console: cardinal; szVal: PAnsiChar); cdecl;
  RunConsoleCommand_t = function(cmd: PAnsiChar): integer; cdecl;
var
  SetConsoleVariable: lpSetConsoleVariable = nil;
  pRunConsoleCommand: RunConsoleCommand_t = nil; // assign later
Now in my hooked EndScene
Code:
if (GetAsyncKeyState(VK_NUMPAD5) <> 0) then
begin
  bFps:= NOT bFps;
  Sleep(10);
  OffOn(bFps);
end;
Now I'm thinking, because the PTC method gets called EVERY time EndScene gets called, maybe this is why it's crashing, or it might be because they detect my hook. I'm not sure how they go about hook detection and maybe that's why people hook the vTable instead? Or maybe it's just my PTC within the EndScene that's causing it to crash after 3 or 4 minutes?
Code:
function EndSceneCallback(const Self: Pointer): HResult; stdcall;
begin
  asm
    pushad
    pushfd
  end;
  @SetConsoleVariable:= pointer($00484400);
  if(bFps = False) then
    SetConsoleVariable($008013F0,'ShowFps 0')
  else
    SetConsoleVariable($008013F0,'ShowFps 1');
  asm
    popfd
    popad
  end;
  Result := EndSceneNext(Self);
end;
Any help will be appreciated....
It's amazing how you overcome one problem only to find yourself with a heap of new ones.....
Last edited by Departure; 12-05-2010 at 08:25 AM.
K, I worked out it must be the hook that's getting detected and not the PTC function.
So I ask you guys if you would explain the way you hook EndScene?
I think SNal2F might have something with his info about hooking the vtable instead of EndScene directly... or anyone with suggestions is welcome
a lot of ways to do it
this is for halo but it also works with ca
halo-devkit - Project Hosting on Google Code
I'm using Gordon's atm which also bypasses the detection from hackshield
if you want it pm me