CLTClient Hooks

**jayjay153** · 03-08-2019

VMT

Code:

class VMT
{
public:

    VMT(PDWORD* ppdwClassBase)
    {
        this->m_ClassBase = ppdwClassBase;

        for (int i = 0; i < 400; i++)
            if (reinterpret_cast<signed int*>(ppdwClassBase)[i])
                method_count++;

        m_OldVT = new DWORD[method_count];
        memcpy(m_OldVT, ppdwClassBase, sizeof(DWORD) * method_count);

        m_NewVT = new DWORD[method_count];
        memcpy(m_NewVT, ppdwClassBase, sizeof(DWORD) * method_count);
    }

    void HookVTBL(DWORD dwNewFunc, size_t iIndex)
    {
        m_NewVT[iIndex] = dwNewFunc;
        this->AddToArray(iIndex);
    }

    template<typename Fn>
    Fn GetOriginalFunction(size_t methodIndex)
    {
        return reinterpret_cast<Fn>(m_OldVT[methodIndex]);
    }

    void UnHook()
    {
        for (int i = 0; i < this->patchcount; i++)
        {
            DWORD dwAddress = (DWORD)this->m_ClassBase + (sizeof(DWORD) * vtblindexes[i]);
            *(DWORD*)dwAddress = this->m_OldVT[vtblindexes[i]];
        }
    }

    void Hook()
    {
        for (int i = 0; i < this->patchcount; i++)
        {
            DWORD dwAddress = (DWORD)this->m_ClassBase + (sizeof(DWORD) * vtblindexes[i]);
            *(DWORD*)dwAddress = this->m_NewVT[vtblindexes[i]];
        }
    }

protected:

    int patchcount = 0;
    int vtblindexes[100];
    void AddToArray(int iIndex)
    {
        vtblindexes[patchcount] = iIndex;
        patchcount += 1;
    }

private:  

    PDWORD*    m_ClassBase;
    PDWORD m_NewVT, m_OldVT;

    size_t method_count = 0;
};

Declare

Code:

VMT* ILTCSBase;

using End3DFn = unsigned int(__cdecl*)(unsigned int);
using FlipScreenFn = unsigned int(__cdecl*)(unsigned int);
using IntersectSegment = bool(__cdecl*)(CIntersectQuery& rQuery, CIntersectInfo *rInfo);

Class

Code:

class ILTCSBase : public ICLTClient
{
public:
    ICLTClient*, GetICLTClient
public:
    static ILTCSBase* Instance()
    {
        return (ILTCSBase*)0x11B3890;
    }
};

Hook

Code:

ILTCSBase = new VMT((DWORD**)ILTCSBase::Instance());

ILTCSBase->HookVTBL((DWORD)MyRemoteKill, 31);
ILTCSBase->HookVTBL((DWORD)MyFlipScreen, 45); 
ILTCSBase->HookVTBL((DWORD)MyEnd3D, 56);

ILTCSBase->Hook();

Function

Code:

bool MyRemoteKill(CIntersectQuery *iQuery, CIntersectInfo *qInfo)
{
    // do your job
    return ILTCSBase->GetOriginalFunction<IntersectSegment>(31)(*iQuery, qInfo);
}

unsigned int __cdecl MyFlipScreen(unsigned int flags)
{
    // draw your stuff
    return ILTCSBase->GetOriginalFunction<FlipScreenFn>(45)(flags);
}

unsigned int __cdecl MyEnd3D(unsigned int flags)
{
    // draw your stuff
    return ILTCSBase->GetOriginalFunction<End3DFn>(56)(flags);
}

END

HIT THANKS

**uNdExEd_CheAtEr** · 03-08-2019

ok, 2 things

i think you got it wrong, at the SDK you can clearly see

Code:

class ILTClient : public ILTCSBase

when you're actually doing

Code:

class ILTCSBase : public ICLTClient

and those functions:

Code:

 LTRESULT (*FlipScreen)(uint32 flags);
bool (*IntersectSegment)(ClientIntersectQuery *pQuery, ClientIntersectInfo *pInfo);
	bool (*IntersectSweptSphere)(const LTVector& vStart, const LTVector& vEnd, float fRadius, LTVector& vFinalPos, LTVector& vNormal);

etc..

are not virtuals but class members functions.

ok secondly, you're harcoding the indexes

Code:

int vtblindexes[100];

where you can grab them using a simple loop with VirtualQuery.

anyway, i just wanna say that's not a virtual hook but you're actually just changing the ptr to your function.

virtuals functions are inside CLTClient, for example

Code:

   virtual LTRESULT SetObjectPos(HLOCALOBJ hObj, const LTVector *pPos, bool bForce=true) = 0;

straight from the sdk..

**jayjay153** · 03-08-2019

Originally Posted by uNdExEd_CheAtEr

ok, 2 things

i think you got it wrong, at the SDK you can clearly see

Code:

class ILTClient : public ILTCSBase

when you're actually doing

Code:

class ILTCSBase : public ICLTClient

and those functions:

Code:

 LTRESULT (*FlipScreen)(uint32 flags);
bool (*IntersectSegment)(ClientIntersectQuery *pQuery, ClientIntersectInfo *pInfo);
	bool (*IntersectSweptSphere)(const LTVector& vStart, const LTVector& vEnd, float fRadius, LTVector& vFinalPos, LTVector& vNormal);

etc..

are not virtuals but class members functions.

ok secondly, you're harcoding the indexes

Code:

int vtblindexes[100];

where you can grab them using a simple loop with VirtualQuery.

anyway, i just wanna say that's not a virtual hook but you're actually just changing the ptr to your function.

virtuals functions are inside CLTClient, for example

Code:

   virtual LTRESULT SetObjectPos(HLOCALOBJ hObj, const LTVector *pPos, bool bForce=true) = 0;

straight from the sdk..

thanks for the info

- - - Updated - - -

ILTCSBase::Instance()->GetICLTClient. vtable..

FlipScreen End3D is in Iltcsbase
and SetObjectPos GetObjectPos GetBoxMax GetBoxMin is in cltclient

- - - Updated - - -

*this->m_ClassBase = m_NewVT <- result send error report

Thread: CLTClient Hooks

Thread Tools

Display

CLTClient Hooks

Similar Threads

WR D3D Hook - =o - 03/22/07

tut How to hook tut 6

D3D hooking tutorial 5 i think

How can i hook the punkbuster?

New Hacks Announced & Warrock DX Hook Update