Well, I've written a hack which uses D3D, and it seems to work almost perfectly. However, at seemingly random times, it'll crash Combat Arms. Is this because it was detected by HackShield or what? It's crashed the game both in the lobby and in-game although it usually crashes around 1 minute after the game is started.
Here's a log which it outputs. Seems the exception happens in d3d9.dll which makes me think something's wrong with a detour. Or possibly it's just hackshield. I've tried both unpacked and packed with UPX and both turned out the same.
Code:
2010/9/8 ----- 2:8:16 - CombatArms Debug Start!
Exception code: C0000005
Fault address: 6FB015AC 01:000405AC C:\Windows\system32\d3d9.dll
EAX:00000002 EBX:03E16FE4 ECX:03E16FE0 EDX:00000000 ESI:00000060 EDI:12EBDA20
CS:EIP:001B:6FB015AC SS:ESP:0023:0012ED5C EBP:0012ED8C
DS:0023 ES:0023 FS:003B GS:0000 Flags:00010206
Call stack:
Address Frame Logical addr Module
Call_Static[0]: 6FB015AC 0012ED8C 0001:000405AC C:\Windows\system32\d3d9.dll
Call_Static[1]: 6FB015AC 0012EE08 0001:000405AC C:\Windows\system32\d3d9.dll
Call_Static[2]: 6FB015AC 0012EF54 0001:000405AC C:\Windows\system32\d3d9.dll
Call_Static[3]: 6FB015AC 0012EF80 0001:000405AC C:\Windows\system32\d3d9.dll
Call_Static[4]: 6FB015AC 0012F070 0001:000405AC C:\Windows\system32\d3d9.dll
Call_Static[5]: 6FB015AC 0012F258 0001:000405AC C:\Windows\system32\d3d9.dll
Call_Static[6]: 6FB015AC 0012F288 0001:000405AC C:\Windows\system32\d3d9.dll
Call_Static[7]: 6FB015AC 377E934C 0001:000405AC C:\Windows\system32\d3d9.dll
Client_Version: VER_US_2.1008.05
Player uID: 20932607
CPUSpeed: 2394 MHz
Identifier: x86 Family 6 Model 23 Stepping 10
ProcessType: Intel Pentium (II/Pro)
VideoCard: Mobile Intel(R) 45 Express Chipset Family (Microsoft Corporation - WDDM 1.1)
System_Memory Total: 2147483647 Use: 947384319
[debug_info_end]
2010/9/8 ----- 2:8:16 - CombatArms Debug End

And, here's all my code related to Direct3d.

Code:
HRESULT WINAPI DrawIndexedPrimitive(LPDIRECT3DDEVICE9 pDevice, D3DPRIMITIVETYPE Type,
                                    int BaseVertexIndex, UINT MinIndex, UINT NumVertices,
                                    UINT StartIndex, UINT PrimCount)
{
    HRESULT res;

    if(lightChams)
    {
        IDirect3DDevice9_SetRenderState(pDevice, D3DRS_ZENABLE, D3DZB_FALSE);
        SetLightChams(pDevice, 255, 255, 0, 0);
    }

    res = origDIP(pDevice, Type, BaseVertexIndex, MinIndex, NumVertices, StartIndex, PrimCount);

    if(lightChams)
    {
        IDirect3DDevice9_SetRenderState(pDevice, D3DRS_ZENABLE, D3DZB_TRUE);
        SetLightChams(pDevice, 255, 0, 255, 255);
    }

    return res;
}

HRESULT WINAPI EndScene(LPDIRECT3DDEVICE9 pDevice)
{
    RECT rct;
    char buf[128];
    int y = 20, k;
    PTCHack ptc;

    if(hFont == NULL)
        D3DXCreateFont(pDevice, 16, 0, 0, 0, 0, DEFAULT_CHARSET, OUT_DEFAULT_PRECIS,
                       DEFAULT_QUALITY, DEFAULT_PITCH | FF_DONTCARE, "Arial", &hFont);

    if(menu.isEnabled)
    {
        D3DRECT rec = { 15, 15, 215, 315 };
        IDirect3DDevice9_Clear(pDevice, 1, &rec, D3DCLEAR_TARGET, DGRAY, 0, 0);

        for(k = 0; k < menu.nItems; k++)
        {
            ptc = menu.items[k];
            sprintf(buf, "%s: %s", ptc.name, ptc.on ? "on" : "off");
            MAKECOORD(&rct, 20, y);
            ID3DXFont_DrawText(hFont, NULL, buf, -1, &rct, DT_NOCLIP,
                               k == menu.selection ? CYAN : RED);
            y += 20;
        }
    }

    return origEndScene(pDevice);
}

Any ideas?
Edit: random side question: what does the LT in LTClient stand for?
You do know you can't hook DrawIndexedPrimitive without a HS bypass?
The LT in LTClient stands for LithTech - it's the game engine that CA runs on.
Tekkn0logik (09-07-2010)
Last edited by Tekkn0logik; 09-07-2010 at 01:43 PM.
Many "pro" coders such as Gordon claim it's easy. But most of us are having trouble doing it.
I'm hooking it currently and it's not DCing at all, but my chams won't show up. So it leaves me with two things.
a - It's not hooking properly
b - The DIP is hooking and my chams are not working/outdated.
Why are you using IDirect3DDevice9_Clear when you can use pDevice->Clear? Same with SetRenderState etc.
Maybe the registers are fucked up, try to save them at the beginning of the function (__asm pushad) and restore them before returning at the end of the function (__asm popad).
Doesn't look like HackShield is detecting something, 'cause then it wouldn't generate the debug file.
Also check the detour size. Normally it's 5 on a stdcall function (all Direct3DDevice9 functions are stdcall) but it depends on how the detour is done (JMP, NOP NOP JMP, PUSH RET, etc).
Last edited by Gordon`; 09-07-2010 at 07:25 PM.
kotentopf (09-07-2010),Tekkn0logik (09-07-2010)
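Seen from the integrity-checking side, the detour forms named in the post above (JMP, NOP NOP JMP, PUSH RET) each leave a fixed byte signature at the start of a function. The following is an added example, not code from the thread or from any anti-cheat product, that classifies a copied 32-bit x86 prologue and computes where it redirects; every name and address in it is a constructed assumption.

```c
#include <stddef.h>
#include <stdint.h>

/* Detour forms named in the post above (32-bit x86 encodings). */
typedef enum { PATCH_NONE, PATCH_JMP, PATCH_NOP_NOP_JMP, PATCH_PUSH_RET } patch_kind;

typedef struct {
    patch_kind kind;
    size_t     patched_len; /* number of original bytes the patch overwrote */
    uint32_t   target;      /* address execution is redirected to */
} patch_info;

static uint32_t rd32(const uint8_t *p) /* little-endian 32-bit read */
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* code: copy of the function's first bytes; len: bytes available;
   va: address the bytes were read from (hypothetical parameters). */
patch_info classify_prologue(const uint8_t *code, size_t len, uint32_t va)
{
    patch_info r = { PATCH_NONE, 0, 0 };
    if (len >= 5 && code[0] == 0xE9) {              /* JMP rel32 */
        r.kind = PATCH_JMP;
        r.patched_len = 5;
        r.target = va + 5 + rd32(code + 1);         /* relative to next instruction */
    } else if (len >= 7 && code[0] == 0x90 && code[1] == 0x90 && code[2] == 0xE9) {
        r.kind = PATCH_NOP_NOP_JMP;                 /* NOP; NOP; JMP rel32 */
        r.patched_len = 7;
        r.target = va + 7 + rd32(code + 3);
    } else if (len >= 6 && code[0] == 0x68 && code[5] == 0xC3) {
        r.kind = PATCH_PUSH_RET;                    /* PUSH imm32; RET */
        r.patched_len = 6;
        r.target = rd32(code + 1);                  /* absolute address */
    }
    return r;
}

/* A redirect leaving the owning module's image [base, base+size) is the
   case worth alerting on; in-module jumps can be legitimate thunks. */
int target_outside_module(patch_info p, uint32_t base, uint32_t size)
{
    return p.kind != PATCH_NONE && (p.target < base || p.target - base >= size);
}
```

The patched_len field corresponds to the "detour size" discussed above: 5 for a plain JMP, more for the other forms.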