General
Reply With QuoteYea, it happens to me too. Try hooking Present/Reset insteadOriginally Posted by Departure
Also, Here's the thread with all the vtable offsets: https://www.mpgh.net/forum/207-combat...ions-more.html
Thread: EndScene Hook Test
Results 1 to 15 of 17
-
12-05-2010 #1Bobo's Trainer
- Join Date
- Nov 2010
- Gender
- Posts
- 805
- Reputation
125- Thanks
- 1,794
- My Mood
-
EndScene Hook Test
Can anyone try there hooking methods on EndScene for me and play CA for a little while and see if they get shut down... I am hooking EndScene With Delphi and CA must be detecting it and closing it down, So I would really like if someone could test this for me to see if they get the same result... If they are getting the same result, It means I will be needing to hook another D3d9 Function and see if that works... Also why im on the subject I seen a topic here about a week ago(maybe more) with all the Vtables for d3d9, I couldn't find it again, So if someone knows what Each Vtable pointer is as in Functions I would really appreciate it, for example EndScene is Vtable 42 ect... I
-
12-05-2010 #2Newbie
- Join Date
- Apr 2010
- Gender
- Posts
- 59
- Reputation
- 10
- Thanks
- 35
- My Mood
-
Last edited by Apoc91; 12-05-2010 at 10:30 AM.
-
The Following User Says Thank You to Apoc91 For This Useful Post:
Departure (12-05-2010)
-
12-05-2010 #3
ThreadstarterBobo's Trainer
- Join Date
- Nov 2010
- Gender
- Posts
- 805
- Reputation
- 125
- Thanks
- 1,794
- My Mood
-
Only problem is I dont know the index of Reset from the Vtable, I wont try Present because I think that has some custom d3d9 structures and types for parameters, But if you have the input structures and types for reset and the Vtable index I would try and convert that to Delphi, The only reason I used EndScene is because it takes a pointer only>
-
12-05-2010 #4Newbie
- Join Date
- Apr 2010
- Gender
- Posts
- 59
- Reputation
- 10
- Thanks
- 35
- My Mood
-
I may be wrong, but I think reset is only called when you minimize/maximize the game. Present doesn't have a prototype in that thread, but I can give you the one from that Hotkey base (which for some reason was deleted > Originally Posted by Departure
) that I released.
Here's the types:
Code:typedef HRESULT (WINAPI* Reset_T)(LPDIRECT3DDEVICE9 pDevice, D3DPRESENT_PARAMETERS * params); typedef HRESULT (WINAPI* Present_T)(LPDIRECT3DDEVICE9 pDevice, const RECT* pSourceRect, const RECT* pDestRect, HWND hDestWindowOverride, const RGNDATA* pDirtyRegion);
Code:typedef int HWND; // I think this should work struct RECT { int x, y, width, height; // iirc }
Reset is vtable index 16
Present is vtable index 17
RGNDATA is declared in WinGDI.h I can give you a struct for it too if you need.Last edited by Apoc91; 12-05-2010 at 10:37 AM.
-
12-05-2010 #5
ThreadstarterBobo's Trainer
- Join Date
- Nov 2010
- Gender
- Posts
- 805
- Reputation
- 125
- Thanks
- 1,794
- My Mood
-
yeap thanks, here is the Vtable from olly
Just minus the base address and then when you want to hook it after d3d9 has loaded just add the base address of d3d9.dll, in this case here the base address was 71BE0000, for example EndScene is Vtable 42Code:0 DD d3d9.71BE6E99 1 DD d3d9.71BE67F2 2 DD d3d9.71BE67C9 3 DD d3d9.71BFCD54 4 DD d3d9.71C9BCFD 5 DD d3d9.71CD971F 6 DD d3d9.71BEBB76 7 DD d3d9.71BE6F78 8 DD d3d9.71C17DFB 9 DD d3d9.71C1B972 10 DD d3d9.71C9B1C4 11 DD d3d9.71C9B69D 12 DD d3d9.71C17D10 13 DD d3d9.71C1CD50 14 DD d3d9.71BFB46C 15 DD d3d9.71C3711E 16 DD d3d9.71C38DDA 17 DD d3d9.71C210C3 18 DD d3d9.71C42A9F 19 DD d3d9.71C18945 20 DD d3d9.71C9B789 21 DD d3d9.71C9BA0F 22 DD d3d9.71C9BB4D 23 DD d3d9.71C0476B 24 DD d3d9.71C9C0B8 25 DD d3d9.71C2E93F 26 DD d3d9.71BFD40D 27 DD d3d9.71C0ED61 28 DD d3d9.71C423B8 29 DD d3d9.71C9C3D8 30 DD d3d9.71C9D72C 31 DD d3d9.71C16611 32 DD d3d9.71C34331 33 DD d3d9.71C9C687 34 DD d3d9.71C20430 35 DD d3d9.71C1A5D3 36 DD d3d9.71C34F4F 37 DD d3d9.71C20EE9 38 DD d3d9.71C211D2 39 DD d3d9.71C26E97 40 DD d3d9.71C26D10 41 DD d3d9.71BFD8BC 42 DD d3d9.71BFCE09 43 DD d3d9.71BEF244 44 DD d3d9.71BEE9D6 45 DD d3d9.71CE07A2 46 DD d3d9.71CD986F 47 DD d3d9.71CD9987 48 DD d3d9.71C257A0 49 DD d3d9.71CD9C94 50 DD d3d9.71CE111B 51 DD d3d9.71C15700 52 DD d3d9.71CE11CA 53 DD d3d9.71C15803 54 DD d3d9.71CE1313 55 DD d3d9.71CDB054 56 DD d3d9.71CE0E27 57 DD d3d9.71C22ED1 58 DD d3d9.71CE0365 59 DD d3d9.71C2F1FC 60 DD d3d9.71C21467 61 DD d3d9.71C230E3 62 DD d3d9.71CE0936 63 DD d3d9.71CE09E0 64 DD d3d9.71CDA368 65 DD d3d9.71C1B175 66 DD d3d9.71CE054C Couldn't be bothered continuing adding numbers... 71BE4D44 |E3B2C171 DD d3d9.71C1B2E3 71BE4D48 |CA06CE71 DD d3d9.71CE06CA 71BE4D4C |1EB2C171 DD d3d9.71C1B21E 71BE4D50 |B3CBC271 DD d3d9.71C2CBB3 71BE4D54 |57ACCD71 DD d3d9.71CDAC57 71BE4D58 |91AFCD71 DD d3d9.71CDAF91 71BE4D5C |5AAACD71 DD d3d9.71CDAA5A 71BE4D60 |B6ABCD71 DD d3d9.71CDABB6 71BE4D64 |B19ACD71 DD d3d9.71CD9AB1 71BE4D68 |D89BCD71 DD d3d9.71CD9BD8 71BE4D6C |EE0ECE71 DD d3d9.71CE0EEE 71BE4D70 |4803CE71 DD d3d9.71CE0348 71BE4D74 |0E5BC271 DD d3d9.71C25B0E 71BE4D78 |8957C271 DD d3d9.71C25789 71BE4D7C |6036C071 DD d3d9.71C03660 71BE4D80 |5176C071 DD d3d9.71C07651 71BE4D84 |7354C271 DD d3d9.71C25473 71BE4D88 |C6C4CD71 DD d3d9.71CDC4C6 71BE4D8C |AC1FCE71 DD d3d9.71CE1FAC 71BE4D90 |22F5C071 DD d3d9.71C0F522 71BE4D94 |46F4C071 DD d3d9.71C0F446 71BE4D98 |6577CD71 DD d3d9.71CD7765 71BE4D9C |6AB5CD71 DD d3d9.71CDB56A 71BE4DA0 |A0B6CD71 DD d3d9.71CDB6A0 71BE4DA4 |9F12C471 DD d3d9.71C4129F 71BE4DA8 |AE2BC271 DD d3d9.71C22BAE 71BE4DAC |5C43CE71 DD d3d9.71CE435C 71BE4DB0 |48EEC271 DD d3d9.71C2EE48 71BE4DB4 |D68DCD71 DD d3d9.71CD8DD6 71BE4DB8 |3478CD71 DD d3d9.71CD7834 71BE4DBC |C38FCD71 DD d3d9.71CD8FC3 71BE4DC0 |A679CD71 DD d3d9.71CD79A6 71BE4DC4 |B391CD71 DD d3d9.71CD91B3 71BE4DC8 |D15CC271 DD d3d9.71C25CD1 71BE4DCC |AAB1CD71 DD d3d9.71CDB1AA 71BE4DD0 |A1B2CD71 DD d3d9.71CDB2A1 71BE4DD4 |E1B3CD71 DD d3d9.71CDB3E1 71BE4DD8 |C25DC271 DD d3d9.71C25DC2 71BE4DDC |9CB4CD71 DD d3d9.71CDB49C 71BE4DE0 |77B1C371 DD d3d9.71C3B177 71BE4DE4 |7A2CC271 DD d3d9.71C22C7A 71BE4DE8 |5147CE71 DD d3d9.71CE4751 71BE4DEC |C3EFC271 DD d3d9.71C2EFC3 71BE4DF0 |1A48CE71 DD d3d9.71CE481A 71BE4DF4 |447CCD71 DD d3d9.71CD7C44 71BE4DF8 |5C49CE71 DD d3d9.71CE495C 71BE4DFC |B67DCD71 DD d3d9.71CD7DB6 71BE4E00 |AC4ACE71 DD d3d9.71CE4AAC 71BE4E04 |76BFCD71 DD d3d9.71CDBF76 71BE4E08 |1FC2CD71 DD d3d9.71CDC21F 71BE4E0C |287FCD71 DD d3d9.71CD7F28 71BE4E10 |26E4BF71 DD d3d9.71BFE426 71BE4E14 |F1A5CD71 DD d3d9.71CDA5F1 71BE4E18 |C8A8CD71 DD d3d9.71CDA8C8 71BE4E1C |10D6C971 DD d3d9.71C9D610 71BE4E20 |05D4C971 DD d3d9.71C9D405 71BE4E24 |B66CC171 DD d3d9.71C16CB6 71BE4E28 |B5CEC971 DD d3d9.71C9CEB5 71BE4E2C |C0CFC971 DD d3d9.71C9CFC0 71BE4E30 |67DAC171 DD d3d9.71C1DA67 71BE4E34 |F3D4C971 DD d3d9.71C9D4F3 71BE4E38 |6C8CC171 DD d3d9.71C18C6C 71BE4E3C |4EC2C971 DD d3d9.71C9C24E 71BE4E40 |ADD6C971 DD d3d9.71C9D6AD 71BE4E44 |F4C4C971 DD d3d9.71C9C4F4 71BE4E48 |85D5C971 DD d3d9.71C9D585 71BE4E4C |50A8C171 DD d3d9.71C1A850 71BE4E50 |6E56C071 DD d3d9.71C0566E 71BE4E54 |BAEEBE71 DD d3d9.71BEEEBA 71BE4E58 |C4EFBE71 DD d3d9.71BEEFC4 71BE4E5C |CA17BF71 DD d3d9.71BF17CA 71BE4E60 |46F6C071 DD d3d9.71C0F646 71BE4E64 |31E8C371 DD d3d9.71C3E831 71BE4E68 |2CCBCD71 DD d3d9.71CDCB2C 71BE4E6C |CFCCCD71 DD d3d9.71CDCCCF 71BE4E70 |0C26C471 DD d3d9.71C4260C 71BE4E74 |1A1CC471 DD d3d9.71C41C1A 71BE4E78 |69CECD71 DD d3d9.71CDCE69 71BE4E7C |1BD0CD71 DD d3d9.71CDD01B 71BE4E80 |1A58C071 DD d3d9.71C0581A 71BE4E84 |E4EDBE71 DD d3d9.71BEEDE4 71BE4E88 |A078C071 DD d3d9.71C078A0 71BE4E8C |34E0BF71 DD d3d9.71BFE034 71BE4E90 |CC74CD71 DD d3d9.71CD74CC 71BE4E94 |486BCD71 DD d3d9.71CD6B48 71BE4E98 |82EABE71 DD d3d9.71BEEA82 71BE4E9C |8A0ACE71 DD d3d9.71CE0A8A 71BE4EA0 |2345BF71 DD d3d9.71BF4523 71BE4EA4 |7701CE71 DD d3d9.71CE0177 71BE4EA8 |5909BF71 DD d3d9.71BF0959 71BE4EAC |2FE1BF71 DD d3d9.71BFE12F 71BE4EB0 |AFE9C371 DD d3d9.71C3E9AF 71BE4EB4 |E02ECE71 DD d3d9.71CE2EE0 71BE4EB8 |1430CE71 DD d3d9.71CE3014 71BE4EBC |6333CE71 DD d3d9.71CE3363 71BE4EC0 |8659C171 DD d3d9.71C15986 71BE4EC4 |DF58C171 DD d3d9.71C158DF 71BE4EC8 |BC48BF71 DD d3d9.71BF48BC 71BE4ECC |D655C271 DD d3d9.71C255D6 71BE4ED0 |D134CE71 DD d3d9.71CE34D1 71BE4ED4 |8BF3BE71 DD d3d9.71BEF38B 71BE4ED8 |3AF1BE71 DD d3d9.71BEF13A 71BE4EDC |A12AC071 DD d3d9.71C02AA1 71BE4EE0 |F22BC071 DD d3d9.71C02BF2 71BE4EE4 |5576BF71 DD d3d9.71BF7655 71BE4EE8 |5F7EBF71 DD d3d9.71BF7E5F 71BE4EEC |58B8BF71 DD d3d9.71BFB858 71BE4EF0 |17BCBF71 DD d3d9.71BFBC17
42 DD d3d9.71BFCE09 so 71BFCE09 - 71BE0000 = 1CE09
As we know dlls have a different base address each time its loaded, so we just do something like dwEndSceneAddress = (GetModuleHandleA('d3d9.dll') + $0001CE09 )
This will give the correct address to hook without all the pointer of the pointer bullshit and chasing sig scans...
Anyway back on track here... yes the RGNDATA structor I will be needing because I dont have Delphi D3d9 Headers library so everything I need to convert and make my own Delphi Structor.
-
-
12-05-2010 #6Newbie
- Join Date
- Apr 2010
- Gender
- Posts
- 59
- Reputation
- 10
- Thanks
- 35
- My Mood
-
Oh, I figured Delphi had windows header (RGNDATA is from WinGDI header), but sure, I'll give you the struct: Originally Posted by Departure
Code:typedef struct _RGNDATAHEADER { DWORD dwSize; DWORD iType; DWORD nCount; DWORD nRgnSize; RECT rcBound; } RGNDATAHEADER, *PRGNDATAHEADER; typedef struct _RGNDATA { RGNDATAHEADER rdh; char Buffer[1]; } RGNDATA, *PRGNDATA, NEAR *NPRGNDATA, FAR *LPRGNDATA;
-
12-05-2010 #7
ThreadstarterBobo's Trainer
- Join Date
- Nov 2010
- Gender
- Posts
- 805
- Reputation
- 125
- Thanks
- 1,794
- My Mood
-
Your probably right It it might have that already... But just incase and it saves me looking for it as the Delphi Windows Unit is very large...
Anyway im thinking of Hooking DrawIndexedPrimitive (Vtable 82) Doesn't seem to need a heap of arguments passed to it.
//Edit
Yes you where right... It was in the Delphi Windows Unit
Code:type PRgnDataHeader = ^TRgnDataHeader; {$EXTERNALSYM _RGNDATAHEADER} _RGNDATAHEADER = packed record dwSize: DWORD; iType: DWORD; nCount: DWORD; nRgnSize: DWORD; rcBound: TRect; end; TRgnDataHeader = _RGNDATAHEADER; {$EXTERNALSYM RGNDATAHEADER} RGNDATAHEADER = _RGNDATAHEADER; PRgnData = ^TRgnData; {$EXTERNALSYM _RGNDATA} _RGNDATA = record rdh: TRgnDataHeader; Buffer: array[0..0] of CHAR; Reserved: array[0..2] of CHAR; end; TRgnData = _RGNDATA; {$EXTERNALSYM RGNDATA} RGNDATA = _RGNDATA;Last edited by Departure; 12-05-2010 at 11:05 AM.
-
12-05-2010 #8Newbie
- Join Date
- Apr 2010
- Gender
- Posts
- 59
- Reputation
- 10
- Thanks
- 35
- My Mood
-
Won't work, someone said there's a special way you can hook it, but I haven't cared enough to figure out. If I remember right, hooking DIP causes it to crash instantaneously Originally Posted by Departure
-
12-05-2010 #9Expert Member
- Join Date
- May 2010
- Gender
- Posts
- 644
- Reputation
- 38
- Thanks
- 762
- My Mood
-
Hooking DIP(82) or/and SSS(100) will cause instant detection and crash Originally Posted by Apoc91
you gotta have a bypass for hackshield
//EDIT read my post on your other thread
Last edited by GodHack2; 12-05-2010 at 11:10 AM.
beat this bitches ^^^^^^^
Current Stats : Bored :/
Respect list :
Crash !
Gordon'
Markoj
-
The Following User Says Thank You to GodHack2 For This Useful Post:
Departure (12-05-2010)
-
12-05-2010 #10
ThreadstarterBobo's Trainer
- Join Date
- Nov 2010
- Gender
- Posts
- 805
- Reputation
- 125
- Thanks
- 1,794
- My Mood
-
Thanks, Looks like im going to have to hook "Present" Vtable(17) which thanks to Apoc91 I should be able to do
... just to confirm with you guys hooking Present still works with CA?
-
12-05-2010 #11Newbie
- Join Date
- Apr 2010
- Gender
- Posts
- 59
- Reputation
- 10
- Thanks
- 35
- My Mood
-
It's working for me so far
-
The Following User Says Thank You to Apoc91 For This Useful Post:
Departure (12-05-2010)
-
12-05-2010 #12Expert Member
- Join Date
- May 2010
- Gender
- Posts
- 644
- Reputation
- 38
- Thanks
- 762
- My Mood
-
working fine for me Originally Posted by Departure
Thanks, Looks like im going to have to hook "Present" Vtable(17) which thanks to Apoc91 I should be able to do... just to confirm with you guys hooking Present still works with CA?
beat this bitches ^^^^^^^
Current Stats : Bored :/
Respect list :
Crash !
Gordon'
Markoj
-
The Following User Says Thank You to GodHack2 For This Useful Post:
Departure (12-05-2010)
-
12-05-2010 #13
karma's a bitch; right? 
- Join Date
- Aug 2009
- Gender
- Location
- Posts
- 3,404
- Reputation
- 157
- Thanks
- 4,003
- My Mood
-
you can hook it, but hackshield detects it and kicks you after about 2 mins. Originally Posted by Apoc91
You have to either bypass it (NOP some scan addresses in hackshield) or find your own undetected way of hooking.
Yes present works fine. Originally Posted by Departure
Thanks, Looks like im going to have to hook "Present" Vtable(17) which thanks to Apoc91 I should be able to do... just to confirm with you guys hooking Present still works with CA?
-
12-05-2010 #14Upcoming MPGHiean
- Join Date
- Jul 2010
- Gender
- Posts
- 3,033
- Reputation
- 340
- Thanks
- 2,792
- My Mood
-
Yeps. Also, a heads up, HackShield's first scan is at ~2 minutes. If you crash then, you'll know it's your hook, or some ASCII string that is blacklisted (like "aimbot"); Originally Posted by Departure
Thanks, Looks like im going to have to hook "Present" Vtable(17) which thanks to Apoc91 I should be able to do... just to confirm with you guys hooking Present still works with CA?
-
12-05-2010 #15
ThreadstarterBobo's Trainer
- Join Date
- Nov 2010
- Gender
- Posts
- 805
- Reputation
- 125
- Thanks
- 1,794
- My Mood
-
Hmm I have an idea... What if on keypress you do the following in order
Hook EndScene
Send PushToConsole
UnHook EndScene
This way the EndScene is only Hooked for Split second, Then when you turn off the hack
you would do the same...
Hooke EmdScene
Send PushToConsole
UnHook EndScene
So if your completely unlucky and CA happens to be checking at that exact moment when you hook the EndScene (which would be 1 in a billion) you will get kicked but the chances that will even happen would be extremely small