How to find the pointer to the D3D9 device by lauwy

**lauwy** · 12-05-2010

This tutorial is by lauwy from MPGH!!!

First download the test envoirment,
Edit the plugin path
Restart olly
load this in ollydbg

Press ctrl a to scan the file
Click on the run button in the top of olly 3x

Click the richt mous button , searth for all intermodulars class.

Find somting like this:
d3d9.Direct3DCreate9

Dubbel click on it,
We need the CALL under it:

Code:

0040315A  |. E8 7F700000    CALL <JMP.&d3d9.Direct3DCreate9>
0040315F  |. A3 10CE4000    MOV DWORD PTR DS:[40CE10],EAX //This is what we need, this is the IDirect3DDevice9 
00403164  |. 6A 38          PUSH 38
00403166  |. 8D45 BC        LEA EAX,DWORD PTR SS:[EBP-44]
00403169  |. 6A 00          PUSH 0
0040316B  |. 50             PUSH EAX
0040316C  |. E8 4F080000    CALL test9.004039C0

40CE10 points to the Createdivice,

40CE10 = [out, retval] IDirect3DDevice9 **ppReturnedDeviceInterface

Code:

HRESULT CreateDevice(
  [in]           UINT Adapter, //6
  [in]           D3DDEVTYPE DeviceType, //5
  [in]           HWND hFocusWindow, //4
  [in]           DWORD BehaviorFlags, //3
  [in, out]      D3DPRESENT_PARAMETERS *pPresentationParameters, //2
  [out, retval]  IDirect3DDevice9 **ppReturnedDeviceInterface //1
);

We need the pointer to CreateDevice, what do we know?
We know one part of CreateDevice, and we know that we need 6 x push, becouse CreateDevice has 6 "parts".
We need to find somting like this:

Code:

MOV EAX,DWORD PTR DS:[40CE10]

Change the addy to yours, this can be different!

Searth for this, I found this 2 times,

Code:

00403171  |. 83C4 0C        ADD ESP,0C
00403174  |. 8B4D 08        MOV ECX,DWORD PTR SS:[EBP+8]
00403177  |. A1 10CE4000    MOV EAX,DWORD PTR DS:[40CE10]
0040317C  |. 8D5D BC        LEA EBX,DWORD PTR SS:[EBP-44]
0040317F  |. 6A 01          PUSH 1 				//This needs to be somting with [40CE10]
00403181  |. 894D D8        MOV DWORD PTR SS:[EBP-28],ECX
00403184  |. 5E             POP ESI				
00403185  |. C745 C4 160000>MOV DWORD PTR SS:[EBP-3C],16
0040318C  |. 68 08CE4000    PUSH test9.0040CE08			
00403191  |. 53             PUSH EBX				
00403192  |. 6A 20          PUSH 20			
00403194  |. 51             PUSH ECX				
00403195  |. 8975 DC        MOV DWORD PTR SS:[EBP-24],ESI
00403198  |. 8975 D4        MOV DWORD PTR SS:[EBP-2C],ESI
0040319B  |. C745 BC 200300>MOV DWORD PTR SS:[EBP-44],320
004031A2  |. C745 C0 580200>MOV DWORD PTR SS:[EBP-40],258
004031A9  |. 8B10           MOV EDX,DWORD PTR DS:[EAX]
004031AB  |. 56             PUSH ESI				
004031AC  |. 6A 00          PUSH 0				
004031AE  |. 50             PUSH EAX				
004031AF  |. FF52 40        CALL DWORD PTR DS:[EDX+40]

This isn't create device, this is becouse the first command isn't the IDirect3DDevice9 here is EAX the IDirect3DDevice9, but they push 1, and that isn't EAX
Next!

Code:

00403470  |. A1 10CE4000    MOV EAX,DWORD PTR DS:[40CE10]
00403475  |. 50             PUSH EAX				//This is 40CE10 	|| [out, retval]  IDirect3DDevice9 **ppReturnedDeviceInterface
00403476  |. 8B08           MOV ECX,DWORD PTR DS:[EAX]
00403478  |. FF51 08        CALL DWORD PTR DS:[ECX+8]
0040347B  \. C3             RETN
0040347C  /$ 55             PUSH EBP				//2			||  [in, out]      D3DPRESENT_PARAMETERS *pPresentationParameters,
0040347D  |. 8BEC           MOV EBP,ESP
0040347F  |. 833D CCE14000 >CMP DWORD PTR DS:[40E1CC],0
00403486  |. 57             PUSH EDI				//3			||  [in]           DWORD BehaviorFlags,
00403487  |. 8B7D 08        MOV EDI,DWORD PTR SS:[EBP+8]
0040348A  |. 897D 08        MOV DWORD PTR SS:[EBP+8],EDI
0040348D  |. 75 11          JNZ SHORT test9.004034A0
0040348F  |. FF75 10        PUSH DWORD PTR SS:[EBP+10]		//4			||   [in]           D3DDEVTYPE DeviceType,		
00403492  |. FF75 0C        PUSH DWORD PTR SS:[EBP+C]		//5			||   [in]           HWND hFocusWindow,
00403495  |. 57             PUSH EDI				//6			||   [in]           UINT Adapter,
00403496  |. E8 550F0000    CALL test9.004043F0

Here is EAX, DWORD PTR DS:[40CE10] and it gets pushed at the top of the call, that is good

There are 6x push and the first is the IDirect3DDevice9

, this is createdevice!!!

To make every thing clear:
0x4043F0 is the "Pointer to the D3D9 device"

Going to find out how this is done in Crossfire, then I'm going to share that 2 If some one know how to do this, contact me. THen I make a tut and give you 80% of the credits

Share what you know (a)

Video:

100% credits lauwy

Scan:

**mechanical2015** · 12-05-2010

woooooooooooo! very good tut help ful!

**lauwy** · 12-05-2010

Np

, I'm alway's here to share what I know (a).

Edit:
I could't find a tutorial for this, so I thought I make one my self

**mechanical2015** · 12-05-2010

i wanna try this!

opss

**Coke** · 12-05-2010

Add Virus scans.

**Derail** · 12-05-2010

Virus scans....

**lauwy** · 12-05-2010

VirusTotal - Free Online Virus, Malware and URL Scanner

Can't find more scanner that can scan so mutch files, why do we need here also scan't, that wasn't before :S.

If you don't trust this, download from my cshell tutorial ollydbg, and searth for the test9.exe on the site:

Test9.exe
https://www.mpgh.net/forum/207-combat...vironment.html

Olly:
https://www.mpgh.net/forum/242-crossf...shell-dll.html

Yes it is showen as a virus by some scan's becouse it is ollydbg xD so useless to add scanners to files like this xD