Finding Direct3D Device Pointer

[lilneo]

No one better not try linking me to this tutorial: https://www.mpgh.net/forum/279-call-d...e-pointer.html

I have been there, I have searched for days, and I have asked people and no one will f*cking help me, at least the little help they attempt to give is completely useless. I am on the brink of snapping, and all I want to do is find the Direct3D Device Pointer in Left 4 Dead 2. Now, I have attempted Void's tutorial with Olly, well, I don't get past step 1 because there is absolutely no calls to "Direct3DCreate9", I tried something HD told me using c++ and doing Direct3DCreate9 then taking the IDirect3D handle or whatever and adding 0x40 to it. Not quite sure what he was telling me to do, but it obviously didn't work. And at this point I have searched my ass off in olly for any sign of it. I asked one of my friends about finding it, and he lol'd then copy/pasted a section of ASM into our conversation

Code:

.text:00490045                 call    D3DXMatrixPerspectiveFovLH
.text:0049004A                 mov     ecx, dword_7E4CE0 ;  D3D device pointer 
.text:00490050                 mov     eax, [ecx]
.text:00490052                 mov     edx, [eax]

then stopped replying. I can see in that code that they put the pointer in ecx. But, that's not from l4d2, and he wont explain how the hell he found it. Now I would absolutely love it if someone just came out and posted the pointer, but I would like it more if someone could actually help me find it, so I can find future pointers.
Thanks in advance
~lilneo

[freedompeace]

DirectX 9 device pointer will also be resolved using the following scan:

[php]
bool bCompare(const BYTE* pData, const BYTE* bMask, const char* szMask)
{
for( ; *szMask; ++szMask, ++pData, ++bMask)
if(*szMask == 'x' && *pData != *bMask)
return false;
return (*szMask) == NULL;
}


DWORD FindPattern(DWORD dValor,DWORD dLer,BYTE *bMaskara,char * szMaskara)
{
for (DWORD i=0; i < dLer; i++)
if (bCompare((PBYTE)(dValor + i), bMaskara, szMaskara))
return (DWORD)(dValor + i);
return false;
}

DWORD dwDXDevice = FindPattern((DWORD)GetModuleHandle("d3d9.dll"), 0x128000, (PBYTE)"\xC7\x06\x00\x00\x00\x00\x89\x86\x00\x00\x 00\x00\x89\x86", "xx????xx????xx");

[/php]
The virtual table function listing can be found by adding 2 to the device pointer (ie, (dwDXDevice + 2))

Not sure who made the bCompare and FindPattern functions, but credits to them.

[lilneo]

The pointer is stored in dwDXDevice?
And yeah I've seen this code before. I had trouble making it work, maybe I'll try again

Edit: Okay I think I got the pointer, that code returned an address. Any sure fire way of checking if it works? I tried using Void's hook, then returning false in the endscene hook. HD said it should fuck my
drawing, but it just crashes.

Edit2: So I put the pointer into Void's code... And well it just crashes the game, it doesn't even work. So something is wrong, the pointer seems right, and the code seems fine...
~lilneo

[why06]

The pointer is stored in dwDXDevice?
And yeah I've seen this code before. I had trouble making it work, maybe I'll try again

Edit: Okay I think I got the pointer, that code returned an address. Any sure fire way of checking if it works? I tried using Void's hook, then returning false in the endscene hook. HD said it should fuck my drawing, but it just crashes.
~lilneo

Not really... Only way to test it is if it fails, and if there is one, I'm sure it really elaborate.

PS: Also if your having problems you can just post here. I haven't seen you post here once. You shouldn't wait till your frustrated to do so.

[lilneo]

That's because I have HD on steam. I haven't been here for a while anyways, school and stuff. But yeah, so I used the code, injected, moved the returned value in dwDXDevice into a buffer, and then MessageBox'd that buffer and got 627D3939. So I pop that into Void's code, (0x in front) and I inject his thing, (nothing changed in it) and it says "Hooked" like it should... Then a few seconds later it crashes l4d2.

Edit: actually I had some stuff changed, so I completely copy pasted void's code. Compiled, injected with my addy in place of his and it just crashes. Not even a messagebox.
~lilneo

[freedompeace]

That's because I have HD on steam. I haven't been here for a while anyways, school and stuff. But yeah, so I used the code, injected, moved the returned value in dwDXDevice into a buffer, and then MessageBox'd that buffer and got 627D3939. So I pop that into Void's code, (0x in front) and I inject his thing, (nothing changed in it) and it says "Hooked" like it should... Then a few seconds later it crashes l4d2.

Edit: actually I had some stuff changed, so I completely copy pasted void's code. Compiled, injected with my addy in place of his and it just crashes. Not even a messagebox.
~lilneo

What's Void's code?
And what's this HD on Steam thing?

[lilneo]

https://www.mpgh.net/forum/31-c-c/125...3ddevice9.html
That is void's code. And HD on steam is Hell_Demon, on Steam. Steam = basically chat.
~lilneo

[why06]

Well, there's a myriad of reasons it could be crashing. Like all good experiment we'll need a control. Try testing the same technique in a test environment. Then if it does not work in the game we know the game is doing something different.

[lilneo]

What do you mean by test environment, like a directX game I have compiled myself? To be honest I know close to shitall DirectX programming. I tried learning but got super bored so I want to learn it with a hook on a game, to make it more fun. Also, I am considering my 'control' to be the message box coming up saying "Loaded" and then nothing happening because I haven't done anything. Then after that, once I do things the control will be the message box and whatever I have done. The message box isn't coming up, and the game is directly crashing. So...
~lilneo

[why06]

No look up DirectX9 Test Enviroment. There are applications made to test menu, and D3d code in before we put it in games. Just testing your code in a game would be silly and hard as hell to debug.

https://www.mpgh.net/forum/31-c-c/115...ml#post1535040

[freedompeace]

What do you mean by test environment, like a directX game I have compiled myself? To be honest I know close to shitall DirectX programming. I tried learning but got super bored so I want to learn it with a hook on a game, to make it more fun. Also, I am considering my 'control' to be the message box coming up saying "Loaded" and then nothing happening because I haven't done anything. Then after that, once I do things the control will be the message box and whatever I have done. The message box isn't coming up, and the game is directly crashing. So...
~lilneo

A control being an app that does nothing to prevent anti-hacking, doesn't do any calculations. It's a neutral control, that removes all other possible variables that may affect your code.

Here is the one I use.

https://goo[DOT]gl/arcQ

On mobile so yeah, had that link copied on my clip already. Dun ban me D:

[Hell_Demon]

May be worth adding that you're doing it for left 4 dead 2
* modified source engine(no code available besides a reverse engineered SDK that isn't even close to completion)
* Valve Anti Cheat(external AC that resides inside steam, doesn't prevent you from doing things as far as i'm aware)

The thing I was refering to on steam was "Direct3DCreate9", the return value of that is the direct3d object pointer. CreateDevice is the 16th virtual function, thus 16*0x4 = 0x40.
So you look for something along the lines of
mov ECX, addy
call [ECX+0x40]

Then see where EAX is mov'd into and voila, you have your device pointer.
This is the method I used for CoD:MW2 btw.

L4D2 is special as in they don't load d3d9 lib directly, but rather through a dll of theirs.
I believe what they do is load up launcher.dll, then call launchermain.
launchermain will load up all other DLL's and starts up their factories.
The key dll to find is vgui2.dll, which does all the gui related stuff. I asume they either load d3d9 from vgui dll OR they load it from the matsystem(material system) dll.

If you're unable to figure it out lemme know on steam and i'll see what I can do.

[258456]

wow, i am not going to ask how you even found that out. lol.

[lilneo]

Okay, so, I have tried it with the d3d9 test environment. I used the Pointer Retrieving code and found 6F443939, I put that into void's hook and then injected into the d3d9 test environment and it just crashed. So it must be an incorrect pointer.
~lilneo