MW2 Hooking

**aanthonyz** · 03-27-2011

Ok, I have this working D3D Hook for MW2:

Code:

#include <windows.h>
#include <d3d9.h>
#include "detours.h"
#pragma comment(lib,"detours.lib")
#pragma comment(lib,"d3d9.lib")

typedef HRESULT(__stdcall* Real_EndScene)(LPDIRECT3DDEVICE9);
Real_EndScene oEndScene = NULL;

const D3DCOLOR textRed = D3DCOLOR_ARGB(255, 255, 0, 0);



void DrawRect (LPDIRECT3DDEVICE9 pDevice, int X, int Y, int L, int H, D3DCOLOR color)
{
D3DRECT rect = {X, Y, X+L, Y+H};
pDevice->Clear(1, &rect, D3DCLEAR_TARGET, color, 0, 0);
}

HRESULT __stdcall hook_EndScene(LPDIRECT3DDEVICE9 pDevice)
{
	DrawRect(pDevice, 10, 10, 20, 20, textRed);
	return oEndScene(pDevice);
}
void Hook()
{
	while(!GetModuleHandle("d3d9.dll"))
	{
		Sleep(100);
	}
	while( *(DWORD*)0x4FE571B0 == 0)
	{
		Sleep(100);
	}
	MessageBox(NULL,L"Hooked",L"Successful",0);
	oEndScene = (Real_EndScene)DetourFunction((PBYTE)0x4FE571B0,(PBYTE)hook_EndScene);
}

bool __stdcall DllMain(HINSTANCE hInstance,DWORD reason, void* useless)
{
if(reason == DLL_PROCESS_ATTACH)
	{
	CreateThread(0,0,(LPTHREAD_START_ROUTINE)Hook,0,0,0);
	}
if(reason == DLL_PROCESS_DETACH)
	{
	}
return true;
}

The red code, is the pointer to EndScene, which I obtained by opening d3d9.dll in my System32 folder. I attempted using the device pointer in Hell_Demon's tutorial. I found it, implemented it, and it crashed.

Is there a difference between using the DevicePointer and the EndScene address I found in the dll? When should I use a certain method?

**Hell_Demon** · 03-27-2011

Static addies is a big no no.
You're better off changing the pointer in the vtable or hooking the address that the vtable tells you.

**aanthonyz** · 03-27-2011

Everything always goes back to the vtable...wdf is that?

**why06** · 03-27-2011

Originally Posted by aanthonyz

Everything always goes back to the vtable...wdf is that?

Virtual Method Table

**whit** · 03-27-2011

Originally Posted by aanthonyz

Everything always goes back to the vtable...wdf is that?

Virtual Table ..Derp..
I have never not hooked using it idk what your doing

**aanthonyz** · 03-29-2011

Ok, so I found the device pointer for MW2. Now how do I get the VTable with that?

I know I have to turn VTable into this: VTable[], so I can use the function numbers, but can anyone give me an explanation on how to do it and an example?

**Hell_Demon** · 03-29-2011

Originally Posted by aanthonyz

Ok, so I found the device pointer for MW2. Now how do I get the VTable with that?

I know I have to turn VTable into this: VTable[], so I can use the function numbers, but can anyone give me an explanation on how to do it and an example?

Taken from my old AlterIW MW2 hack:

Code:

	DWORD *VirtualTable;
	while(*(DWORD*)0x06737268 == NULL)
	{
		Sleep(1000);
	}
	pDevice = *(IDirect3DDevice9**)0x06737268; //673BAE8;
	VirtualTable = **(DWORD***)0x06737268; //673BAE8;

As you can see, the IDirect3DDevice9 pointer points to the vtable

**aanthonyz** · 03-29-2011

0x06737268 is your device pointer right?

Can you explain these last two lines in more detail please?
What is with the 673BAE8?
One last thing, what is with all the * asterisks???

Code:

pDevice = *(IDirect3DDevice9**)0x06737268; //673BAE8;
	VirtualTable = **(DWORD***)0x06737268; //673BAE8;

How would you declare pDevice, would you do this?

Code:

DWORD *pDevice;

Then implement it like this?

Code:

#include <windows.h>
#include <d3d9.h>
#include "detours.h"
#pragma comment(lib,"detours.lib")
#pragma comment(lib,"d3d9.lib")

DWORD *pDevice = *(IDirect3DDevice9**)0x4FE571B0;
DWORD *VirtualTable = **(DWORD***)0x4FE571B0;
typedef HRESULT(__stdcall* Real_EndScene)(LPDIRECT3DDEVICE9);
Real_EndScene oEndScene = NULL;

const D3DCOLOR textRed = D3DCOLOR_ARGB(255, 255, 0, 0);

void DrawRect (LPDIRECT3DDEVICE9 pDevice, int X, int Y, int L, int H, D3DCOLOR color)
{
D3DRECT rect = {X, Y, X+L, Y+H};
pDevice->Clear(1, &rect, D3DCLEAR_TARGET, color, 0, 0);
}

HRESULT __stdcall hook_EndScene(LPDIRECT3DDEVICE9 pDevice)
{
	DrawRect(pDevice, 10, 10, 20, 20, textRed);

	if(GetAsyncKeyState(VK_INSERT))
	{pDevice-> SetRenderState (D3DRS_FILLMODE, D3DFILL_SOLID);}
	if(GetAsyncKeyState(VK_CONTROL))
	{pDevice->SetRenderState(D3DRS_FILLMODE, D3DFILL_WIREFRAME);}

	return oEndScene(pDevice);
}
void Hook()
{
	while(!GetModuleHandle("d3d9.dll"))
	{
		Sleep(100);
	}
	while( *(DWORD*)0x4FE571B0 == 0) //Device Pointer
	{
		Sleep(100);
	}
	MessageBox(NULL,"Hooked","Successful",0);
	oEndScene = (Real_EndScene)DetourFunction((PBYTE)VirtualTable[42],(PBYTE)hook_EndScene); //42 for EndScene
}

bool __stdcall DllMain(HINSTANCE hInstance,DWORD reason, void* useless)
{
if(reason == DLL_PROCESS_ATTACH)
	{
	CreateThread(0,0,(LPTHREAD_START_ROUTINE)Hook,0,0,0);
	}
if(reason == DLL_PROCESS_DETACH)
	{
	}
return true;
}

So would this be a almost working code?

**Hell_Demon** · 03-29-2011

Code:

#include <windows.h>
#include <d3d9.h>
#include "detours.h"
#pragma comment(lib,"detours.lib")
#pragma comment(lib,"d3d9.lib")

IDirect3DDevice9 *pDevice;
DWORD *VirtualTable;
typedef HRESULT(__stdcall* Real_EndScene)(LPDIRECT3DDEVICE9);
Real_EndScene oEndScene = NULL;

const D3DCOLOR textRed = D3DCOLOR_ARGB(255, 255, 0, 0);

void DrawRect (LPDIRECT3DDEVICE9 pDevice, int X, int Y, int L, int H, D3DCOLOR color)
{
D3DRECT rect = {X, Y, X+L, Y+H};
pDevice->Clear(1, &rect, D3DCLEAR_TARGET, color, 0, 0);
}

HRESULT __stdcall hook_EndScene(LPDIRECT3DDEVICE9 pDevice)
{
	DrawRect(pDevice, 10, 10, 20, 20, textRed);

	if(GetAsyncKeyState(VK_INSERT))
	{pDevice-> SetRenderState (D3DRS_FILLMODE, D3DFILL_SOLID);}
	if(GetAsyncKeyState(VK_CONTROL))
	{pDevice->SetRenderState(D3DRS_FILLMODE, D3DFILL_WIREFRAME);}

	return oEndScene(pDevice);
}
void Hook()
{
	while(!GetModuleHandle("d3d9.dll"))
	{
		Sleep(100);
	}
	while( *(DWORD*)0x4FE571B0 == 0) //Device Pointer
	{
		Sleep(100);
	}
	pDevice = *(IDirect3DDevice9**)0x4FE571B0;
	VirtualTable = **(DWORD***)0x4FE571B0;//or *(DWORD**)pDevice; if you prefer.
	MessageBox(NULL,"Hooked","Successful",0);
	oEndScene = (Real_EndScene)DetourFunction((PBYTE)VirtualTable[42],(PBYTE)hook_EndScene); //42 for EndScene
}

bool __stdcall DllMain(HINSTANCE hInstance,DWORD reason, void* useless)
{
if(reason == DLL_PROCESS_ATTACH)
	{
	CreateThread(0,0,(LPTHREAD_START_ROUTINE)Hook,0,0,0);
	}
if(reason == DLL_PROCESS_DETACH)
	{
	}
return true;
}

/fixed

**aanthonyz** · 03-29-2011

I want to see if I got the concept down.
So basically, you give the device pointer to pDevice, and create the Virtual Table out of that. So does that mean that Device Pointer and Virtual Table are the same?
If they are, couldnt I just say:

Code:

VirtualTable = *(IDirect3DDevice9**)0x4FE571B0;

Then not declare a pDevice at all?

One more question wont the pDevice I declared, mess with the pDevice in my other functions, or are they supposed to be the same?

**[MPGH]master131** · 03-29-2011

If you don't know what the asterisks are, perhaps you should do some reading on pointers. It's very important to know about them when it comes to things like this.

**Hell_Demon** · 03-30-2011

Originally Posted by aanthonyz

I want to see if I got the concept down.
So basically, you give the device pointer to pDevice, and create the Virtual Table out of that. So does that mean that Device Pointer and Virtual Table are the same?
If they are, couldnt I just say:

Code:

VirtualTable = *(IDirect3DDevice9**)0x4FE571B0;

Then not declare a pDevice at all?

The device pointer points to the virtual table. You'll need pDevice to be able to execute functions of the IDirect3DDevice9 class. The vtable isn't supposed to be used by us if we'd be good programmers(we'd have no reason to need the vtable)

Originally Posted by aanthonyz

One more question wont the pDevice I declared, mess with the pDevice in my other functions, or are they supposed to be the same?

They're supposed to be the same ^^

Thread: MW2 Hooking

Thread Tools

Display

MW2 Hooking

The Following User Says Thank You to Hell_Demon For This Useful Post:

The Following 2 Users Say Thank You to master131 For This Useful Post: