Really, no one responded?
Okay, so I've been developing with C++ for about 4 years now for non-hacking stuff. I also have some basic experience with D3D. Recently I've wanted to expand my interests into hacking. I'm trying to come up with a new hooking system. I don't have very good knowledge of ASM so I'm going to need some help.
I have a bit of experience with GameGuard and know that it reads the first five bytes to make sure nothing is hooked into it. What if I hooked in between the instructions (don't know if that's correct vocabulary)? Like a midfunction hook kind of, but instead of hooking into Engine, hook into d3d9.dll itself. I've tried and successfully hooked, but for some reason CA crashes after a bit. I'm not sure if I even have the right offset for endscene or even the offset for endscene return because whenever I open d3d9.dll with OllyDbg it wont load the d3d9 module, it stays as ntdll...
Please add me on Windows Live Messenger if you're interested: https://profile.live.com/cid-91d3284d046bcb17/
Too bad Hackshield scans for any d3d hooks in d3d9.dll.
Standard JMP hooks are now starting to get detected, so you'll need to become creative.
e.g. finding a function that only gets called once per frame within Engine, or a different method of hooking.
(Between BeginScene and EndScene)
Last edited by flameswor10; 07-05-2012 at 01:54 AM.
No I do not make game hacks anymore, please stop asking.
So I had the same idea some time ago and for me these detours still work... (I hook after the second push command in the d3d9 function..)
Here is my detour function:
Code:
#include <windows.h>   // BYTE, DWORD, VirtualProtect, PAGE_EXECUTE_READWRITE
#include <stdlib.h>    // malloc
#include <string.h>    // memcpy
#include "mydetours.h"

#define JMP_OPCODE       0xE9  // jmp rel32
#define POP_EBP_OPCODE   0x5D  // pop ebp
#define ADD_ESP_OPCODE_1 0x83  // add esp, imm8 (opcode byte)
#define ADD_ESP_OPCODE_2 0xC4  // add esp, imm8 (ModRM byte)

// src: function to hook, dst: replacement, len: number of original bytes
// copied into the trampoline (must end on an instruction boundary).
// Returns a pointer to the trampoline that runs the original code.
void *DetourFunc(BYTE *src, BYTE *dst, const int len)
{
    BYTE *first = (BYTE *)malloc(9);        // stub: add esp,4 / pop ebp / jmp dst
    BYTE *jmp   = (BYTE *)malloc(len + 5);  // trampoline: original bytes + jmp back
    DWORD dwback;

    VirtualProtect(src, len, PAGE_EXECUTE_READWRITE, &dwback);

    // Trampoline: copy the first len bytes (before patching), then jmp to src+len.
    memcpy(jmp, src, len);
    jmp += len;
    jmp[0] = JMP_OPCODE;
    *(DWORD *)(jmp + 1) = (DWORD)((src + len) - jmp - 5);

    // The jmp is written at src+7 (after the second push), not at the entry,
    // so the first five bytes of the function stay untouched.
    src[7] = JMP_OPCODE;
    *(DWORD *)(src + 8) = (DWORD)(first - (src + 7) - 5);

    // Stub: undo the part of the prologue that already ran (add esp,4; pop ebp)
    // so dst sees the stack as on a normal call, then jmp to dst.
    first[0] = ADD_ESP_OPCODE_1;
    first[1] = ADD_ESP_OPCODE_2;
    first[2] = 0x04;
    first[3] = POP_EBP_OPCODE;
    first[4] = JMP_OPCODE;
    *(DWORD *)(first + 5) = (DWORD)(dst - (first + 4) - 5);

    return (jmp - len);
}

I detour like this:
Code:
pEndScene = (EndScene_t)DetourFunc((PBYTE)endsceneaddy, (PBYTE)hkEndScene, 12);
So this works and does not get detected. The bytes sometimes get patched back, but that's no problem: just check if the bytes are patched back and detour again.
Don't forget: if you patch code in engine.exe you need to restore it, so no menu in the lobby.
Progress with my game - "Disbanded"
- Fixed FPS lag on spawning entities due to the ent_preload buffer!
- Edited the AI code to get better pathfinding
- Fixed the view bug within the sniper scope view. The mirror entity is invisible now!
- Added a new silencer for ALL weapons. Also fixed the rotation bugs
- Added a ton of new weapons and the choice to choose a silencer for every weapon
- Created a simple AntiCheat, noobs will cry like hell xD
- The name will be Disbanded, the alpha starts on the 18th August 2014
Some new physics fun (server-sided, works on every client)
My new AI
https://www.youtube.com/watch?v=EMSB1GbBVl8
And for sure my 8-month-old gameplay with 2 friends
https://www.youtube.com/watch?v=Na2kUdu4d_k
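Added example (not code from the thread or from any anti-cheat): it shows, from the detection side, why a scan of only the first five bytes misses the mid-function jmp placed at offset 7 above, and what a compare over the whole 12-byte prologue or a scan for jmps leaving the module catches instead. The prologue bytes, module range and addresses are constructed for illustration and are not d3d9's real bytes.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define PROLOGUE_LEN 12          /* same length the detour above copies */
#define MODULE_BASE  0x10000000u /* constructed module range (hypothetical) */
#define MODULE_SIZE  0x00100000u

/* Constructed x86-32 prologue (hypothetical, not d3d9's real bytes):
 *   8B FF            mov edi,edi
 *   55               push ebp
 *   8B EC            mov ebp,esp
 *   6A FF            push -1
 *   68 xx xx xx xx   push imm32   <- offset 7, where the detour writes E9 */
static const uint8_t reference[PROLOGUE_LEN] = {
    0x8B,0xFF, 0x55, 0x8B,0xEC, 0x6A,0xFF, 0x68,0x10,0x20,0x30,0x40 };

/* Weak check: entry bytes only (what a 5-byte scan sees). */
int entry_intact(const uint8_t *code) { return memcmp(code, reference, 5) == 0; }

/* Stronger check: the whole prologue region. */
int prologue_intact(const uint8_t *code) { return memcmp(code, reference, PROLOGUE_LEN) == 0; }

/* Strongest: any E9 rel32 whose target lies outside the module is suspicious.
 * va is the virtual address the buffer represents; returns the offset of the
 * first such jmp, or -1. rel32 is read little-endian, as on x86. */
int foreign_jmp_offset(const uint8_t *code, size_t n, uint32_t va)
{
    for (size_t i = 0; i + 5 <= n; i++) {
        if (code[i] != 0xE9) continue;
        int32_t rel; memcpy(&rel, code + i + 1, 4);
        uint32_t target = va + (uint32_t)i + 5 + (uint32_t)rel;
        if (target < MODULE_BASE || target >= MODULE_BASE + MODULE_SIZE) return (int)i;
    }
    return -1;
}

/* Reproduce the thread's patch on a copy (jmp at offset 7) to exercise the checks. */
void apply_midfunction_jmp(uint8_t *code, uint32_t va, uint32_t stub_va)
{
    int32_t rel = (int32_t)(stub_va - (va + 7u) - 5u);
    code[7] = 0xE9;
    memcpy(code + 8, &rel, 4);
}

/* Runs all three checks before and after the patch; returns 15 when each
 * behaves as described (bit0 clean copy passes, bit1 5-byte check still passes
 * after patching, bit2 full compare fails, bit3 foreign jmp found at offset 7). */
int demo(void)
{
    uint8_t buf[PROLOGUE_LEN]; const uint32_t va = MODULE_BASE + 0x1000; int r = 0;
    memcpy(buf, reference, PROLOGUE_LEN);
    if (entry_intact(buf) && prologue_intact(buf) && foreign_jmp_offset(buf, PROLOGUE_LEN, va) == -1) r |= 1;
    apply_midfunction_jmp(buf, va, 0x00400000u);   /* constructed stub address outside the module */
    if (entry_intact(buf)) r |= 2;
    if (!prologue_intact(buf)) r |= 4;
    if (foreign_jmp_offset(buf, PROLOGUE_LEN, va) == 7) r |= 8;
    return r;
}
```

Comparing only against a stored copy still needs that copy taken before anything could have touched the code; the jmp-target scan does not need one and also catches hooks placed at offsets the copy does not cover.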
You can use the Engine Device, which won't be portable but will make sure your hacks always stay undetected.
You can also hook BeginScene once, unhook it after saving the device and then re-hooking/unhooking every time the device goes invalid.
Basically, as long as your things are called once between each frame you're all set.
Last edited by flameswor10; 07-15-2012 at 04:08 AM.
Very interesting. Thank you for helping me, you seem to know a lot about this stuff. Please feel free to add me on MSN: oyasuna.dev@gmail.com