First of all, I'm not like those who are afraid of giving out a hook. I don't care about that; I care about helping people.
First, include these headers. [They may have something wrong; if there are any corrections, I'd ask @Swag to tell me.]
Code:
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <d3d9.h>
#include <d3dx9.h>
Okay, first let's start the naked function:
Code:
// Hook bookkeeping globals. Neither DIP_hook nor DIP_return is referenced by the other code shown on this page.
DWORD* DIP_hook = NULL;
DWORD DIP_return = NULL;
// Feature toggle read by myDIP on every call; it starts enabled and nothing shown here changes it.
bool wallhack = true;
// Callback invoked by the dwmyDIP stub with seven values copied from the hooked call's stack.
// It looks up the vertex buffer bound to stream 0 and, when the wallhack flag is set and the
// stream stride is 40 or 44 bytes, turns depth testing off on the device. The page does not say
// which geometry those two stride values correspond to.
// Only pDevice is used; the remaining six parameters are accepted but never read.
// Nothing in this function restores the render states afterwards.
void myDIP(LPDIRECT3DDEVICE9 pDevice, D3DPRIMITIVETYPE Type,INT BaseVertexIndex,UINT MinVertexIndex,UINT NumVertices,UINT startIndex,UINT primCount)
{
IDirect3DVertexBuffer9* pStreamData = NULL;
// Declared without initialisers; they only receive values through the call below.
UINT iOffsetInBytes,iStride;
// NOTE(review): the HRESULT is ignored, so iStride may be read uninitialised if the call fails.
// NOTE(review): GetStreamSource hands back a counted reference in pStreamData and this function
// never calls Release() on it, so every hooked call leaves one more reference on the buffer.
pDevice->GetStreamSource(0,&pStreamData,&iOffsetInBytes,&iStride);
// Two nested unbraced ifs: the braces below belong to the stride test.
if(wallhack)
if ((iStride==40)||(iStride==44))
{
// Depth buffering disabled and the depth comparison set to "never" for the device from here on.
pDevice->SetRenderState(D3DRS_ZENABLE, D3DZB_FALSE );
pDevice->SetRenderState(D3DRS_ZFUNC, D3DCMP_NEVER);
}
}
// Stub that the JMP written by MakeJMP transfers control to (WallHack passes dwmyDIP as the
// jump target). "naked" means the compiler emits no prologue or epilogue, so every stack
// adjustment here is manual. The listing is interrupted by the page's text: the body continues
// in the snippets that follow and is not closed within this one.
_declspec(naked) void dwmyDIP()
{
__asm
{
//Call myDIP
// Each MOV/PUSH pair copies one dword from the stack. Every PUSH lowers ESP by 4, so the
// fixed offset reads successively lower addresses and the seven pairs re-push seven
// consecutive dwords in their existing order: one per myDIP parameter. EAX is overwritten.
MOV EAX, DWORD PTR [ESP+40];
PUSH EAX;
MOV EAX, DWORD PTR [ESP+40];
PUSH EAX;
MOV EAX, DWORD PTR [ESP+40];
PUSH EAX;
MOV EAX, DWORD PTR [ESP+40];
PUSH EAX;
MOV EAX, DWORD PTR [ESP+40];
PUSH EAX;
MOV EAX, DWORD PTR [ESP+40];
PUSH EAX;
MOV EAX, DWORD PTR [ESP+40];
PUSH EAX;
CALL myDIP;
// Caller-side cleanup of the seven pushed dwords (7 * 4 = 28 bytes).
ADD ESP, 28;
Then restore EAX's original value:
Code:
MOV EAX,DWORD PTR FS:[0];
Then put back the original code:
Code:
PUSH EAX;
SUB ESP,0x20;
Then do your JMP back:
Then close your naked function:
Then we use the bCompare() method:
Code:
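/**
 * Compare a byte sequence against a masked signature.
 *
 * @param pData   Bytes to test.
 * @param bMask   Signature bytes, one per mask character.
 * @param szMask  NUL-terminated mask: 'x' means the byte must match, any other
 *                character is treated as a wildcard.
 * @return true when every 'x' position matches, false on the first mismatch.
 *
 * No lengths are passed in, so the caller must guarantee that both pData and
 * bMask have at least as many readable bytes as szMask has characters.
 */
bool bCompare(const BYTE* pData, const BYTE* bMask, const char* szMask)
{
    for (; *szMask != '\0'; ++szMask, ++pData, ++bMask)
    {
        // Only positions marked 'x' are compared; everything else is skipped.
        if (*szMask == 'x' && *pData != *bMask)
            return false;
    }
    // Reaching the mask terminator without a mismatch is a match. The original tested a
    // char against the NULL pointer macro here, which was always true at this point.
    return true;
}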
Then we find the pattern for our wallhack:
Code:
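/**
 * Scan a memory range for the first position that matches a masked byte signature.
 *
 * @param dwAddress  Start address of the range, carried as a 32-bit DWORD.
 * @param dwLen      Number of bytes in the range.
 * @param bMask      Signature bytes; needs one byte per mask character.
 * @param szMask     NUL-terminated mask, 'x' = must match, anything else = wildcard.
 * @return Address of the first match, or 0 when nothing matches.
 *
 * The original loop let the comparison window start at every offset below dwLen, so near
 * the end of the range it read up to (mask length - 1) bytes past dwAddress + dwLen. The
 * window is now required to fit entirely inside the range. The caller must still guarantee
 * that [dwAddress, dwAddress + dwLen) is readable. Addresses are DWORDs, so pointers only
 * round-trip correctly in a 32-bit process.
 */
DWORD FindPattern(DWORD dwAddress,DWORD dwLen,BYTE *bMask,char * szMask)
{
    // Mask length = number of bytes each comparison reads.
    DWORD dwMaskLen = 0;
    while (szMask[dwMaskLen] != '\0')
        ++dwMaskLen;

    // A signature longer than the range can never fit inside it.
    if (dwMaskLen > dwLen)
        return 0;

    // Last offset at which a full comparison window still ends inside the range.
    const DWORD dwLastStart = dwLen - dwMaskLen;
    for (DWORD i = 0; i < dwLen && i <= dwLastStart; i++)
    {
        if (bCompare((BYTE*)(dwAddress + i), bMask, szMask))
            return (DWORD)(dwAddress + i);
    }
    return 0;
}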
Then we start our 5-byte hunting:
Code:
void MakeJMP(BYTE *pAddress, DWORD dwJumpTo, DWORD dwLen)
{
DWORD dwOldProtect, dwBkup, dwRelAddr;
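Then we change the protection of the target memory pages to allow reading, writing and execution (PAGE_EXECUTE_READWRITE), saving the previous protection in dwOldProtect: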
Code:
VirtualProtect(pAddress, dwLen, PAGE_EXECUTE_READWRITE, &dwOldProtect);
Then we calculate the distance between our address and our target location and subtract 5 bytes, which is the size of the JMP:
Code:
dwRelAddr = (DWORD) (dwJumpTo - (DWORD) pAddress) - 5;
Then we overwrite the byte at pAddress with the JMP opcode (0xE9):
Then we overwrite the next 4 bytes (the size of a DWORD) with dwRelAddr:
Code:
*((DWORD *)(pAddress + 0x1)) = dwRelAddr;
Then we overwrite the remaining bytes with the NOP opcode (0x90):
Code:
for(DWORD x = 0x5; x < dwLen; x++) *(pAddress + x) = 0x90;
Then we restore the paged memory permissions saved in dwOldProtect:
Code:
VirtualProtect(pAddress, dwLen, dwOldProtect, &dwBkup);
Then we close the JMP hook:
Then create our hack thread (thanks to @giniyat101 for the wallhack and to @Coder[Vb10e] for telling me how to put the wallhack in):
Code:
// Set-up routine the page describes as the hack thread: waits for d3d9.dll, scans it for a
// masked byte signature, then patches a jump to dwmyDIP into code at a fixed address.
// NOTE(review): the scan length (0x128000) and the patch address (0x4FF51658) are both
// hard-coded; they presumably match one specific d3d9.dll build and load address, and nothing
// here verifies either assumption before reading or writing.
void WallHack()
{
// Return value discarded; the loop below asks for the module again.
LoadLibraryA("d3d9.dll");
DWORD D3D9, adr, *VTable;
do
{
// Module handle stored as a DWORD and used as the scan base below (assumes a 32-bit process).
D3D9 = (DWORD)LoadLibraryA("d3d9.dll");
Sleep(100);
} while (D3D9 == NULL);
// Masked signature scan from the module base: 'x' positions must match the byte string,
// '?' positions are wildcards.
adr = FindPattern(D3D9, 0x128000, (PBYTE)"\xC7\x06\x00\x00\x00\x00\x89\x86\x00\x00\x00\x00\x89\x8", "xx????xx????xx");
if (adr) {
// Copies the 4 bytes that follow the first two signature bytes into VTable. VTable is not
// used again in this function.
memcpy(&VTable,(void *)(adr+2),4);
// Overwrites 6 bytes of executable code at the fixed address with a JMP to dwmyDIP. If that
// address lies inside a loaded module, comparing the module's in-memory code with its
// on-disk image would show the modified bytes.
MakeJMP((BYTE *)0x4FF51658, (DWORD)dwmyDIP, 0x6);
// Local only: this value is never read.
DWORD dwJMPback = 0x4FF51658;
}
}
Then, finally, the DllMain:
Code:
//you put one ur self :)
credits to:
@giniyat101
@Brimir
@Coder[Vb10e]
@Scata
@Royku
@Hero
@Jigsaw
Worth a sticky again?