Hooking idea

**oyasuna.dev** · 06-28-2012

Okay, so I've been developing with C++ for about 4 years now for non-hacking stuff. I also have some basic experience with D3D. Recently I've wanted to expand my interests into hacking. I'm trying to come up with a new hooking system. I don't have very good knowledge of ASM so I'm going to need some help.

I have a bit of experience with GameGuard and know that it reads the first five bytes to make sure nothing is hooked into it. What if I hooked in between the instructions (don't know if that's correct vocabulary)? Like a midfunction hook kind of, but instead of hooking into Engine, hook into d3d9.dll itself. I've tried and successfully hooked, but for some reason CA crashes after a bit. I'm not sure if I even have the right offset for endscene or even the offset for endscene return because whenever I open d3d9.dll with OllyDbg it wont load the d3d9 module, it stays as ntdll...

Please add me on Windows Live Messenger if you interested: https://profile.live.com/cid-91d3284d046bcb17/

**oyasuna.dev** · 07-04-2012

Really, no one responded?

**0xe9** · 07-04-2012

Too bad Hackshield scan's for any d3d hooks in d3d9.dll.

**flameswor10** · 07-04-2012

Standard JMP hooks are now starting to get detected so you'll need to become creative.
e.g finding a function that only gets called once per frame within Engine or a different method of hooking.

(Between BeginScene and EndScene)

**BadBurrito** · 07-04-2012

So I had the same idea some time ago and for me these detours still work... (I hook after the second push command in the d3d9 function..)

Here is my detour function:

Code:

#include "mydetours.h"

#define JMP_OPCODE 0xE9
#define POP_EBP_OPCODE 0x5D
#define ADD_ESP_OPCODE_1 0x83
#define ADD_ESP_OPCODE_2 0xC4

void *DetourFunc(BYTE *src, BYTE *dst, const int len)
{
BYTE* first = (BYTE*)malloc(9);
BYTE* jmp = (BYTE*)malloc(len + 5);
DWORD dwback;
VirtualProtect(src, len, PAGE_EXECUTE_READWRITE, &dwback);
memcpy(jmp, src, len);
jmp += len;
jmp[0] = JMP_OPCODE;
*(DWORD*)(jmp+1) = (DWORD)((src+len) - jmp - 5);
src[7] = JMP_OPCODE;
*(DWORD*)(src+8) = (DWORD)(first - (src+7) - 5);
first[0] = ADD_ESP_OPCODE_1;
first[1] = ADD_ESP_OPCODE_2;
first[2] = 0x04;
first[3] = POP_EBP_OPCODE;
first[4] = JMP_OPCODE;
*(DWORD*)(first+5) = (DWORD)(dst - (first+4) - 5);
return (jmp-len);
}

I detour like this:

Code:

pEndScene = ( EndScene_t )DetourFunc((PBYTE)endsceneaddy, (PBYTE)hkEndScene, 12);

So this works and does not get detected, the bytes get sometimes patched back, but that´s no problem, just check if the bytes are patched back and detour again..

**oyasuna.dev** · 07-05-2012

Originally Posted by flameswor10

Standard JMP hooks are now starting to get detected so you'll need to become creative.
e.g finding a function that only gets called once per frame within Engine or a different method of hooking.

(Between BeginScene and EndScene)

Interesting... So basically find a function in the Engine that is called after Beginscene and before Endscene. Why not in d3d9?

**Ch40zz-C0d3r** · 07-05-2012

Dont forget if you patch code in engine.exe you need to restore it. so no menu in lobby

**flameswor10** · 07-06-2012

Originally Posted by oyasuna.dev

Interesting... So basically find a function in the Engine that is called after Beginscene and before Endscene. Why not in d3d9?

If you want, you can hook a function that is called between Endscene and BeginScene.
Theres a lot of things you can do to render over DirectX.
You just gotta make sure it's undetected by anti-hacks

**oyasuna.dev** · 07-14-2012

Originally Posted by flameswor10

If you want, you can hook a function that is called between Endscene and BeginScene.
Theres a lot of things you can do to render over DirectX.
You just gotta make sure it's undetected by anti-hacks

How exactly would I do that? I would have to get a device from somewhere, and to do that I need to hook...

**flameswor10** · 07-15-2012

Originally Posted by oyasuna.dev

How exactly would I do that? I would have to get a device from somewhere, and to do that I need to hook...

You can use the Engine Device, which won't be portable but will make sure your hacks always stay undetected.
You can also hook BeginScene once, unhook it after saving the device and then re-hooking/unhooking every time the device goes invalid.

Basically, as long as your things are called once between each frame you're all set.

**oyasuna.dev** · 07-15-2012

Originally Posted by flameswor10

You can use the Engine Device, which won't be portable but will make sure your hacks always stay undetected.
You can also hook BeginScene once, unhook it after saving the device and then re-hooking/unhooking every time the device goes invalid.

Basically, as long as your things are called once between each frame you're all set.

Very interesting. Thank you for helping me, you seem to know a lot about this stuff. Please feel free to add me on MSN: oyasuna.dev@gmail.com

Thread: Hooking idea

Thread Tools

Display

Hooking idea

Similar Threads

There.com Any Hack Ideas?

Does anybody have any idea to use UNREAL BASE HOOK 2.0?

Google Having To Copy Ideas?

Kwarrock an idea...