#include <windows.h>
#include <d3d9.h>
#include <d3dx9.h>
#pragma comment(lib, "d3d9.lib")
#pragma comment(lib, "d3dx9.lib")
// Hard-coded virtual address of the instruction that gets patched; in the disassembly
// further down this page, 004C41AF is "MOV EDX,DWORD PTR DS:[ECX+44]" (labelled => Present).
// A fixed address is specific to one build; the pattern/mask at the end of the page is the
// author's way of relocating it.
#define PresentEngine 0x004C41AF
// Resume address used by the hook: PresentEngine + 5 (the length handed to DetourCreate),
// which is the second "PUSH 0" at 004C41B4 in the listing.
DWORD retPresentEngine = ( PresentEngine + 0x5 );
// Opaque (alpha 255) ARGB colours for WriteText. The "000" literals are octal zero, harmless here.
#define Red D3DCOLOR_ARGB( 255, 255, 000, 000 )
#define Green D3DCOLOR_ARGB( 255, 000, 255, 000 )
#define Blue D3DCOLOR_ARGB( 255, 000, 000, 255 )
#define Black D3DCOLOR_ARGB( 255, 000, 000, 000 )
// Single shared font object: zero-initialised (NULL) as a global, (re)created by StartFont()
// and dereferenced without a check by WriteText(); the hook body guards the call with if( Font ).
LPD3DXFONT Font;
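// Creates the shared overlay Font on pDevice, releasing any previous instance first.
// The hook body calls this on every Present, so the font is torn down and rebuilt each
// frame; that cost is left as-is here to keep the caller's behaviour unchanged.
// Parameters: pDevice - the D3D9 device captured by the hook stub.
// Side effects: replaces the global Font; leaves it NULL if creation fails, so callers
// that test Font before drawing skip the frame instead of dereferencing a stale pointer.
VOID StartFont( LPDIRECT3DDEVICE9 pDevice )
{
    if( Font )
    {
        Font->Release();
        Font = NULL;
    }
    // Font is always NULL at this point, so the original "if( !Font )" guard was redundant.
    HRESULT hr = D3DXCreateFont( pDevice,
                                 14,                    // height
                                 0,                     // width (0 = default aspect)
                                 FW_BOLD,
                                 1,                     // mip levels
                                 0,                     // not italic
                                 DEFAULT_CHARSET,
                                 OUT_DEFAULT_PRECIS,
                                 DEFAULT_QUALITY,
                                 DEFAULT_PITCH | FF_DONTCARE,
                                 "Arial",
                                 &Font );
    if( FAILED( hr ) )
    {
        // Do not trust the out-parameter after a failed create; make the failure explicit.
        Font = NULL;
    }
}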
// Draws a single line of text with its top-left corner at (x, y) in the given colour,
// using the shared global Font. pDevice is part of the signature but is not used by
// the draw call. Assumes Font is non-NULL; the caller is expected to check it first.
VOID WriteText( LPDIRECT3DDEVICE9 pDevice, INT x, INT y, DWORD color, CHAR *text )
{
    // Degenerate rectangle anchored at (x, y); DT_NOCLIP lets the text extend past it.
    RECT anchor = { x, y, x, y };
    Font->DrawText( NULL, text, -1, &anchor, DT_NOCLIP | DT_LEFT, color );
}
// Mid-function hook body for the patched site at PresentEngine (see the listing below).
// The five bytes overwritten there are "MOV EDX,[ECX+44]" (3 bytes) and "PUSH 0" (2 bytes),
// so this stub re-executes both and then transfers control back to retPresentEngine.
// Naked: no compiler prologue/epilogue, so all register and stack handling here is manual.
// Review note: EFLAGS is not saved (no PUSHFD/POPFD) around the C++ calls; the resumed
// code at 004C41B4 does not test flags before CALL EDX, so this happens to be safe.
__declspec( naked ) HRESULT WINAPI PresentMidfunction( )
{
    // static so it has a fixed address the asm can write to rather than a stack slot in a
    // function with no frame; shared across calls, so not safe if Present is ever re-entered.
    static LPDIRECT3DDEVICE9 pDevice;
    __asm
    {
        MOV ECX, DWORD PTR DS:[EAX]          // same load as 004C411E: first dword of the object in EAX (presumably its vtable)
        MOV EDX, DWORD PTR DS:[ECX + 0x44]   // displaced original instruction: slot 0x44, labelled Present in the listing
        MOV DWORD PTR DS:[pDevice], EAX      // capture the object pointer for the C++ calls below
        PUSH 0                               // displaced original instruction (first of the three PUSH 0)
        PUSHAD                               // save all general registers around the C++ calls
    }
    StartFont( pDevice );
    if( Font )
        WriteText( pDevice, 300, 300, Red, "CrossFire: Hook Present Engine" );
    __asm
    {
        POPAD                                // restore registers; EDX again holds the Present slot
        JMP retPresentEngine                 // indirect jump through the global: resume at PresentEngine + 5 (004C41B4)
    }
}
// Five-byte JMP detour (credited to Azorbix on this page): saves the first len bytes of src
// into a heap trampoline followed by a JMP back to src + len, then overwrites src with a JMP
// to dst and NOP-fills the rest. Returns the trampoline; the caller would own it.
// Preconditions not checked here: len >= 5, and len must end on an instruction boundary
// (the caller passes 5 for the 3-byte + 2-byte pair at PresentEngine).
// Review notes: malloc's result is unchecked; both VirtualProtect results are ignored; the
// trampoline is heap memory that is never made executable, and the only caller on this page
// discards the return value, so it is leaked and never used (the hook jumps back itself).
// Detection note: after this runs, src begins with 0xE9 targeting an address outside the game
// image, which a code-section integrity check against the on-disk image would flag.
VOID *DetourCreate( BYTE *src, CONST BYTE *dst, CONST INT len )
{
    BYTE *jmp =( BYTE * ) malloc( len + 5 );             // len saved bytes + 5-byte JMP back (unchecked)
    DWORD dwBack;
    VirtualProtect( src, len, PAGE_READWRITE, &dwBack ); // make the code page writable; result ignored
    memcpy( jmp, src, len );                             // preserve the bytes about to be overwritten
    jmp += len;
    jmp[0] = 0xE9;                                       // JMP rel32 from the trampoline back to src + len
    *( DWORD * )( jmp + 1 ) = ( DWORD )( src + len - jmp ) - 5;  // rel32 = target - (address after this JMP)
    src[0] = 0xE9;                                       // JMP rel32 from src to dst
    *( DWORD * )( src + 1 ) = ( DWORD )( dst - src ) - 5;
    for( INT i = 5; i < len; i++ )
        src[i] = 0x90;                                   // NOP-pad any displaced bytes beyond the 5-byte JMP
    VirtualProtect( src, len, dwBack, &dwBack );         // restore the previous protection; result ignored
    return( jmp - len );                                 // start of the trampoline
}
// Worker thread started from DllMain. Polls until the two bytes at PresentEngine match the
// expected "8B 51" opcode prefix (the MOV EDX,[ECX+44] at 004C41AF in the listing), then
// installs the detour. Once patched the first byte is 0xE9, so the comparison stops matching
// and the patch is applied only once.
// Review notes: the while( TRUE ) loop never exits, so "return 0" is unreachable and the thread
// wakes every 50 ms for the life of the process; the trampoline returned by DetourCreate is
// discarded; only two opcode bytes are checked, so a different build whose bytes happen to
// match would be patched at the wrong place.
DWORD WINAPI StartRoutine( LPVOID )
{
    while( TRUE )
    {
        // The string literal is cast twice (PBYTE then VOID*); a single cast would do.
        if( memcmp( ( VOID * )PresentEngine, ( VOID * )( PBYTE )"\x8B\x51", 2 ) == 0 )
        {
            Sleep( 100 );   // brief delay before patching; no reason is given on the page
            DetourCreate( ( PBYTE )PresentEngine, ( PBYTE )PresentMidfunction, 5 );   // return value (trampoline) dropped
        }
        Sleep( 50 );
    }
    return 0;   // unreachable: the loop above has no exit
}
// DLL entry point. On process attach it disables thread attach/detach notifications, shows a
// message box, and spawns StartRoutine; every other reason is ignored and TRUE is returned.
// Review notes: MessageBox and CreateThread both run here while the loader lock is held, which
// Windows documents as a place where such calls can deadlock; the thread handle is never closed;
// StartRoutine already has the LPTHREAD_START_ROUTINE signature, so the cast is unnecessary;
// lpReserved is unused.
BOOL WINAPI DllMain( HMODULE hDll, DWORD dwReason, LPVOID lpReserved )
{
    if( dwReason == DLL_PROCESS_ATTACH )
    {
        DisableThreadLibraryCalls( hDll );   // no DLL_THREAD_ATTACH/DETACH callbacks for this module
        MessageBox( 0, "Hook Present Engine", "Crossfire", 0 );   // blocks the loader until dismissed
        CreateThread( 0, 0, (LPTHREAD_START_ROUTINE)StartRoutine, 0, 0, 0 );   // handle leaked; result unchecked
    }
    return TRUE;
}
Present:
004C40C0 6A FF PUSH -1
004C40C2 68 78DC6200 PUSH 62DC78
004C40C7 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
004C40CD 50 PUSH EAX
004C40CE 51 PUSH ECX
004C40CF A1 40446A00 MOV EAX,DWORD PTR DS:[6A4440]
004C40D4 33C4 XOR EAX,ESP
004C40D6 50 PUSH EAX
004C40D7 8D4424 08 LEA EAX,DWORD PTR SS:[ESP+8]
004C40DB 64:A3 00000000 MOV DWORD PTR FS:[0],EAX
004C40E1 68 F82F6C00 PUSH 6C2FF8
004C40E6 8D4C24 08 LEA ECX,DWORD PTR SS:[ESP+8]
004C40EA E8 E12BF5FF CALL 416CD0
004C40EF C74424 10 00000000 MOV DWORD PTR SS:[ESP+10],0
004C40F7 A1 702E6C00 MOV EAX,DWORD PTR DS:[6C2E70]=> DeviceGame
004C40FC 85C0 TEST EAX,EAX
004C40FE 0F84 CB000000 JE 4C41CF
004C4104 F64424 18 04 TEST BYTE PTR SS:[ESP+18],4
004C4109 74 0A JE SHORT 4C4115
004C410B E8 C0EAFFFF CALL 4C2BD0
004C4110 E9 A6000000 JMP 4C41BB
004C4115 803D 1B536B00 00 CMP BYTE PTR DS:[6B531B],0
004C411C 8B00 MOV EAX,DWORD PTR DS:[EAX]
004C411E 8B08 MOV ECX,DWORD PTR DS:[EAX]
004C4120 6A 00 PUSH 0
004C4122 0F84 87000000 JE 4C41AF
004C4128 803D 40556B00 00 CMP BYTE PTR DS:[6B5540],0
004C412F 74 7E JE SHORT 4C41AF
004C4131 8B15 D04D6B00 MOV EDX,DWORD PTR DS:[6B4DD0]
004C4137 52 PUSH EDX
004C4138 68 C04D6B00 PUSH 6B4DC0
004C413D 68 C04D6B00 PUSH 6B4DC0
004C4142 50 PUSH EAX
004C4143 8B41 44 MOV EAX,DWORD PTR DS:[ECX+44]
004C4146 FFD0 CALL EAX
004C4148 8B0D 702E6C00 MOV ECX,DWORD PTR DS:[6C2E70]
004C414E 8B01 MOV EAX,DWORD PTR DS:[ECX]
004C4150 8B0D D04D6B00 MOV ECX,DWORD PTR DS:[6B4DD0]
004C4156 8B10 MOV EDX,DWORD PTR DS:[EAX]
004C4158 8B52 44 MOV EDX,DWORD PTR DS:[EDX+44]
004C415B 6A 00 PUSH 0
004C415D 51 PUSH ECX
004C415E 68 E84D6B00 PUSH 6B4DE8
004C4163 68 E84D6B00 PUSH 6B4DE8
004C4168 50 PUSH EAX
004C4169 FFD2 CALL EDX
004C416B 8B15 D04D6B00 MOV EDX,DWORD PTR DS:[6B4DD0]
004C4171 A1 702E6C00 MOV EAX,DWORD PTR DS:[6C2E70]
004C4176 8B00 MOV EAX,DWORD PTR DS:[EAX]
004C4178 8B08 MOV ECX,DWORD PTR DS:[EAX]
004C417A 6A 00 PUSH 0
004C417C 52 PUSH EDX
004C417D 68 FC4D6B00 PUSH 6B4DFC
004C4182 68 FC4D6B00 PUSH 6B4DFC
004C4187 50 PUSH EAX
004C4188 8B41 44 MOV EAX,DWORD PTR DS:[ECX+44]
004C418B FFD0 CALL EAX
004C418D 8B0D 702E6C00 MOV ECX,DWORD PTR DS:[6C2E70]
004C4193 8B01 MOV EAX,DWORD PTR DS:[ECX]
004C4195 8B0D D04D6B00 MOV ECX,DWORD PTR DS:[6B4DD0]
004C419B 8B10 MOV EDX,DWORD PTR DS:[EAX]
004C419D 8B52 44 MOV EDX,DWORD PTR DS:[EDX+44]
004C41A0 6A 00 PUSH 0
004C41A2 51 PUSH ECX
004C41A3 68 D84D6B00 PUSH 6B4DD8
004C41A8 68 D84D6B00 PUSH 6B4DD8
004C41AD EB 09 JMP SHORT 4C41B8
004C41AF 8B51 44 MOV EDX,DWORD PTR DS:[ECX+44]=> Present
004C41B2 6A 00 PUSH 0
004C41B4 6A 00 PUSH 0
004C41B6 6A 00 PUSH 0
004C41B8 50 PUSH EAX
004C41B9 FFD2 CALL EDX
004C41BB B8 702E6C00 MOV EAX,6C2E70
004C41C0 E8 9B20F9FF CALL 456260
004C41C5 C705 54556B00 00000000 MOV DWORD PTR DS:[6B5554],0
004C41CF 8D4C24 04 LEA ECX,DWORD PTR SS:[ESP+4]
004C41D3 E8 182BF5FF CALL 416CF0
004C41D8 8B4C24 08 MOV ECX,DWORD PTR SS:[ESP+8]
004C41DC 64:890D 00000000 MOV DWORD PTR FS:[0],ECX
004C41E3 59 POP ECX
004C41E4 83C4 10 ADD ESP,10
004C41E7 C3 RETN
Pattern scan to update the PresentEngine address:
\x8B\x51\x00\x6A\x00\x6A\x00\x6A\x00\x50\xFF\xD2\xB8\x00\x00\x00\x00\xE8\x00\x00\x00\x00\xC7\x05\x00\x00\x00\x00
xx?x?x?x?xxxx????x????xx????
Binary scan to update the PresentEngine address:
8B 51 ?? 6A ?? 6A ?? 6A ?? 50 FF D2 B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? C7 05 ?? ?? ?? ??
IF YOU RELEASE HACK, GIVE CREDITS TO WE11ington
Credits:
Detour -> Azorbix
Midfunction -> Shad0w_
Me -> WE11ington