Hooking Project Blackout [Help with DIP]

[Andyi]

Hey,

im trying to make some chams for that game and got a problem:
i successfully hook DIP (Draw Indexed Primitive) but its getting unhooked by HS so i want rehooking it.
I tried to wait till my msgbox called by DIP when i press a key does not appear so i know that HS unhooked it. then i press another key to activate my rehook, but then it crashs. I think that it should work because im using croner's B8 Detour, in wr that also worked a long time (idk if it now does).

I hope you got some solutions

[Chuck Norris]

You use the correct VTable?

[SNal2F]

Hey,

im trying to make some chams for that game and got a problem:
i successfully hook DIP (Draw Indexed Primitive) but its getting unhooked by HS so i want rehooking it.
I tried to wait till my msgbox called by DIP when i press a key does not appear so i know that HS unhooked it. then i press another key to activate my rehook, but then it crashs. I think that it should work because im using croner's B8 Detour, in wr that also worked a long time (idk if it now does).

I hope you got some solutions

hook it on the vtable?


the game also has a wrapper function

Code:

Names in i3GfxDx, item 1183
 Address=006B8D80
 Section=.text
 Type=Export
 Name=?DrawIndexedPrim@i3RenderContext@@QAEPAVi3Shader@@pav2@W4I3G_PRIMITIVE@@II@Z




006B8D80 > 56               PUSH ESI
006B8D81   57               PUSH EDI
006B8D82   8B7C24 18        MOV EDI,DWORD PTR SS:[ESP+18]
006B8D86   8BF1             MOV ESI,ECX
006B8D88   FF86 50090000    INC DWORD PTR DS:[ESI+950]
006B8D8E   01BE 4C090000    ADD DWORD PTR DS:[ESI+94C],EDI
006B8D94   A1 CCC77F00      MOV EAX,DWORD PTR DS:[?m_pCaps@i3RenderContext@@1PAVi3GfxCaps@@A]
006B8D99   83B8 58010000 00 CMP DWORD PTR DS:[EAX+158],0
006B8DA0   74 0E            JE SHORT i3GfxDx.006B8DB0
006B8DA2   8B4C24 0C        MOV ECX,DWORD PTR SS:[ESP+C]
006B8DA6   6A 00            PUSH 0
006B8DA8   51               PUSH ECX
006B8DA9   8BCE             MOV ECX,ESI
006B8DAB   E8 70E5FFFF      CALL i3GfxDx.?SelectShader@i3RenderContext@@QAEXPAVi3Shader@@H@Z
006B8DB0   8B4C24 14        MOV ECX,DWORD PTR SS:[ESP+14]
006B8DB4   8B86 60540000    MOV EAX,DWORD PTR DS:[ESI+5460]
006B8DBA   8B10             MOV EDX,DWORD PTR DS:[EAX]
006B8DBC   8B92 48010000    MOV EDX,DWORD PTR DS:[EDX+148]
006B8DC2   57               PUSH EDI
006B8DC3   51               PUSH ECX
006B8DC4   8B4E 24          MOV ECX,DWORD PTR DS:[ESI+24]
006B8DC7   8B89 80020000    MOV ECX,DWORD PTR DS:[ECX+280]
006B8DCD   51               PUSH ECX
006B8DCE   8B4C24 1C        MOV ECX,DWORD PTR SS:[ESP+1C]
006B8DD2   6A 00            PUSH 0
006B8DD4   6A 00            PUSH 0
006B8DD6   51               PUSH ECX
006B8DD7   50               PUSH EAX  //pDevice
006B8DD8   FFD2             CALL EDX //dip
006B8DDA   8B86 70520000    MOV EAX,DWORD PTR DS:[ESI+5270]
006B8DE0   5F               POP EDI
006B8DE1   5E               POP ESI
006B8DE2   C2 1000          RETN 10

[Rigby]

i love all the new people know so much and i dont

[Andyi]

So i'm hooking the correct vTable and rehook works but its crashing after about 15 mins ... just while i'm playing nothing special idk if it's trying to rehook in this moment.
i'm using memcmp to check if HS unhooked my DIP, can this be a reason for a crash?
i'm just wondering because once it works a certain time and then it crashs...

// Edit: BTW if it crashs, BugTrap says "ACCESS_VIOLATION" in d3d9.dll

[sam22]

U may have to post ur dip code in order for us to see what is happing and make sure add a log and see if dip is hooked or not

[Andyi]

Okay..

i'm hooking DIP with Croner's B8 Detour (don't know if i should post here anyways it works).

Code:

DWORD DIP = vtbl[82];
pDrawIndexedPrimitive = (oDrawIndexedPrimitive)	DetourCreateB8((DWORD)DIP, (DWORD)myDrawIndexedPrimitive, 7);

Then i start another function for my rehook:

Code:

while(true)
{
if(memcmp((void *)DIP,(void*)*private,*private*) == 0 )
{
pDrawIndexedPrimitive = (oDrawIndexedPrimitive)	DetourCreateB8((DWORD)DIP, (DWORD)myDrawIndexedPrimitive, 7);
}
Sleep(500);
}

Rehook works ..
So my DIP:

Code:

HRESULT WINAPI  myDrawIndexedPrimitive(LPDIRECT3DDEVICE9 pDevice, D3DPRIMITIVETYPE pType D3DparamX ,UINT nMinIndex, UINT nNumVertices, UINT nStartIndex, UINT nPrimitiveCount )
{
if(color == false)
{
GenerateTexture1(pDevice, &txtRed, texRed); // textures for chams
GenerateTexture1(pDevice, &txtGreen, texGreen);
color = true;
}
if(pDevice->GetStreamSource(0, &StreamBuffer, &OffsetInBytes, &m_Stride) == D3D_OK)
{
if(getstrides == false)
{
StreamBuffer->Release();
getstrides = true; // need to get strides without SetStreamSource
}
if(GetAsyncKeyState(VK_NUMPAD1))
{
wallhack =! wallhack;
Sleep(50);
}
if(GetAsyncKeyState(VK_NUMPAD2))
{
chams =! chams;
Sleep(50);
}
// This is just a simple method to activate and deactivate wallhack/chams.
if(wallhack == true)
{
if(m_Stride == *private*)
{
pDevice->SetRenderState(D3DRS_ZENABLE, D3DZB_FALSE);
}
else
{
pDevice->SetRenderState(D3DRS_ZENABLE, TRUE);
}
}
else
{
if(m_Stride == 44)
{
pDevice->SetRenderState(D3DRS_ZENABLE, TRUE);
}
else
{
pDevice->SetRenderState(D3DRS_ZENABLE, TRUE);
}
}
if(chams == true)
{
if(m_Stride == *private*)
{
pDevice->SetRenderState( D3DRS_ZENABLE,false );
pDevice->SetRenderState( D3DRS_FILLMODE,D3DFILL_SOLID );
pDevice->SetTexture( 0, txtRed );
pDrawIndexedPrimitive(pDevice,pType D3DparamvalX,nMinIndex,nNumVertices,nStartIndex,nPrimitiveCount);
pDevice->SetRenderState( D3DRS_ZENABLE, true );
pDevice->SetRenderState( D3DRS_FILLMODE,D3DFILL_SOLID );
pDevice->SetTexture( 0, txtGreen );
}
}

    return pDrawIndexedPrimitive(pDevice,pType D3DparamvalX,nMinIndex,nNumVertices,nStartIndex,nPrimitiveCount);
}

Yeah, that it, hope you will find something wrong^^

// Edit:
Screen of BugTrap:
https://www.ab lo ad . de/img/bugtrapmehv.png
And DIP is hooked (chams is activ) when it crashs..

[goblox]

guess you must review your
all system hook bypass/hooks target/offset,SC Attack to PBlackout.i3exec and file dll d3dx9
....

[Andyi]

goblox my main problem is posted in another thread in pb hack coding/source

[trapcode]

Okay..

i'm hooking DIP with Croner's B8 Detour (don't know if i should post here anyways it works).

Code:

DWORD DIP = vtbl[82];
pDrawIndexedPrimitive = (oDrawIndexedPrimitive)	DetourCreateB8((DWORD)DIP, (DWORD)myDrawIndexedPrimitive, 7);

Then i start another function for my rehook:

Code:

while(true)
{
if(memcmp((void *)DIP,(void*)*private,*private*) == 0 )
{
pDrawIndexedPrimitive = (oDrawIndexedPrimitive)	DetourCreateB8((DWORD)DIP, (DWORD)myDrawIndexedPrimitive, 7);
}
Sleep(500);
}

Rehook works ..
So my DIP:

Code:

HRESULT WINAPI  myDrawIndexedPrimitive(LPDIRECT3DDEVICE9 pDevice, D3DPRIMITIVETYPE pType D3DparamX ,UINT nMinIndex, UINT nNumVertices, UINT nStartIndex, UINT nPrimitiveCount )
{
if(color == false)
{
GenerateTexture1(pDevice, &txtRed, texRed); // textures for chams
GenerateTexture1(pDevice, &txtGreen, texGreen);
color = true;
}
if(pDevice->GetStreamSource(0, &StreamBuffer, &OffsetInBytes, &m_Stride) == D3D_OK)
{
if(getstrides == false)
{
StreamBuffer->Release();
getstrides = true; // need to get strides without SetStreamSource
}
if(GetAsyncKeyState(VK_NUMPAD1))
{
wallhack =! wallhack;
Sleep(50);
}
if(GetAsyncKeyState(VK_NUMPAD2))
{
chams =! chams;
Sleep(50);
}
// This is just a simple method to activate and deactivate wallhack/chams.
if(wallhack == true)
{
if(m_Stride == *private*)
{
pDevice->SetRenderState(D3DRS_ZENABLE, D3DZB_FALSE);
}
else
{
pDevice->SetRenderState(D3DRS_ZENABLE, TRUE);
}
}
else
{
if(m_Stride == 44)
{
pDevice->SetRenderState(D3DRS_ZENABLE, TRUE);
}
else
{
pDevice->SetRenderState(D3DRS_ZENABLE, TRUE);
}
}
if(chams == true)
{
if(m_Stride == *private*)
{
pDevice->SetRenderState( D3DRS_ZENABLE,false );
pDevice->SetRenderState( D3DRS_FILLMODE,D3DFILL_SOLID );
pDevice->SetTexture( 0, txtRed );
pDrawIndexedPrimitive(pDevice,pType D3DparamvalX,nMinIndex,nNumVertices,nStartIndex,nPrimitiveCount);
pDevice->SetRenderState( D3DRS_ZENABLE, true );
pDevice->SetRenderState( D3DRS_FILLMODE,D3DFILL_SOLID );
pDevice->SetTexture( 0, txtGreen );
}
}

    return pDrawIndexedPrimitive(pDevice,pType D3DparamvalX,nMinIndex,nNumVertices,nStartIndex,nPrimitiveCount);
}

Yeah, that it, hope you will find something wrong^^

// Edit:
Screen of BugTrap:
https://www.ab lo ad . de/img/bugtrapmehv.png
And DIP is hooked (chams is activ) when it crashs..

try using midfunction hook, its undetectable for PB
but its vista and higher os compatible
i got mine working undetected for PB indo