@.::SCHiM::., if you are detouring EndScene, then try Present. I haven't studied Combat Arms very deeply yet, but it seems that Present works and EndScene doesn't. XFire also hooks Present for Combat Arms in its configuration files, whereas it detours EndScene for many other games in its config.
Lastly, Combat Arms detects some rogue strings in loaded modules. I found out the hard way by commenting out code line by line... The clearest example in my mind is the word "aimbot". If I have that (in ASCII), Combat Arms would just crash after HackShield's initial scan, which is ~2 minutes (+- 20 seconds) after CA is launched.
@ALL, packers do nothing, stop suggesting it.
@freedompeace
Nice speech, but you didn't hit the DIP part. Someone had a hack with pure DIP and it DC'd also. What are you gonna say?
I just like programming, that is all.
Current Stuff:
- GPU Programmer (Cuda)
- Client/Server (Cloud Server)
- Mobile App Development
Packers made my hack not d/c...
++PashaAmd++ (05-25-2011)
@.::SCHiM::.
1. 90% of the coders here don't understand the mid-function hook (no offence)
3. 90% of the coders here don't make their own hooks (no offence)
4. 90% of the coders here won't be able to help you (no offence)
5. 90% of the coders will be using someone else's hooks (no offence)
Now I'm willing to bet you are also using a hook function you got from somewhere, right?
I'm guessing you did anyway.... Add some random bytes in between your hook function so it changes the byte signature of that function (just do some inline assembly instructions).
Also try hooking Present and Reset, as we know these are not scanned for detection and do not need to be mid-function...
Good luck.
P.S. No offence to 90% of the coders here; that's just how I have seen it roll around here.
Also take TopBlast's advice about hooking a callee of DIP....
P.P.S.
The packer subject has been talked about before, and I stick with what I said before: packers are pointless because the image is normally completely unpacked in memory (but still has the compactor's signature in the first code section of the DLL, the stub). What you do need to know is that using a "protector" can benefit you, because protectors normally have "stolen bytes" which don't get replaced until the function/procedure is called. Also, a protector will normally compact the image depending on the settings; this means that it will not unpack the parts of code until they are called for. Once again, you need to know the difference between a packer and a protector...
Last edited by Departure; 05-25-2011 at 11:28 PM.
nucks (05-26-2011)
@topblast, "Nice Speech". @.::SCHiM::. did not once mention a DIP hook, so your "point", if we can call it that, is irrelevant.
It's all mine, no copy no leech, all out of my head.
Code:
MidFunctionHook proc MidFunctionTargetAddress:DWORD, MidFunctionHookAddress:DWORD, InstructionSize:DWORD
    invoke GlobalAlloc, GPTR, 10h
    mov MidFunctionTrampoline, eax
    xor esi, esi
    xor ecx, ecx
    mov ebx, MidFunctionTargetAddress
@1:
    mov cl, byte ptr[ebx+esi]
    mov byte ptr[eax+esi], cl
    inc esi
    cmp esi, InstructionSize
    jne @1
    add eax, InstructionSize
    mov esi, 0E9h
    mov [eax], esi
    inc eax
    mov ebx, eax
    mov edx, MidFunctionTargetAddress
    sub edx, ebx            ; edx = to
    inc edx                 ; because of inc eax (after mov [eax], esi)
    mov [eax], edx
    mov ebx, MidFunctionTargetAddress
    invoke VirtualProtect, MidFunctionTargetAddress, 40h, 40h, addr Oldprott
    mov eax, MidFunctionTargetAddress
    mov esi, 0E9h
    mov [eax], esi
    inc eax
    mov ebx, MidFunctionHookAddress
    sub ebx, eax
    sub ebx, 4h
    mov [eax], ebx
    xor esi, esi
    add esi, 5h
    mov ebx, 90h
    dec eax
@2:
    mov byte ptr[eax+esi], bl
    inc esi
    cmp esi, InstructionSize
    jne @2
    invoke VirtualProtect, MidFunctionTrampoline, 40h, 40h, addr Oldprot
    invoke VirtualProtect, MidFunctionTargetAddress, 40h, Oldprott, Oldprot
    mov eax, MidFunctionTrampoline
    ret
MidFunctionHook endp
Also, can I disable the depth buffer from Present? I can't, can I?
@freedompeace
I'm hooking DrawIndexedPrimitive (I thought that was DIP; if not, what's DIP?)
Everything there is detected, and I only have 1 ASCII string in my entire code ("d3d.dll"). Does HackShield d/c on that?
Last edited by .::SCHiM::.; 05-26-2011 at 12:18 AM.
I'm SCHiM
Morals derive from the instinct to survive. Moral behavior is survival behavior above the individual level.
Polymorphic engine
Interprocess callback class
SIN
Infinite-precision arithmetic
Hooking dynamic linkage
(sloppy)Kernel mode Disassembler!!!
Semi debugger
There's nothing wrong with the code.
It works perfectly fine in all games, except those with anti-cheat. It was just to show that I had my own hook.
I'm going to try and hook Present now, will post back.
EDIT:
The hook on Present works fine until I'm in game; then the menu isn't drawn (in the lobby it works, though). Any other functions?
Since my topmost priority was getting chams/wallhack, I think I'm going to try hooking SetRenderState and make it always return false on depth buffering.
Last edited by .::SCHiM::.; 05-26-2011 at 01:35 AM.
I'm not sure what your (chams/wallhack) code does at the moment.. so I'll throw you a generic answer:
IIRC, the DirectX device changes once you hit in-game. If you've not already detected this, you'll need to update your device and any dependent graphics-related resources, for example, a vertex buffer or the ID3DXLine interface. But you've probably already done this, so I don't really know without seeing some code :/
Well, I don't know either, but what I do know is that the wallhack works when directly hooking SetRenderState, and then just turning every call that wants to enable the Z-buffer to false.
It's working now!!!!
Thanks everyone. If I ever release something, you'll get creds.
@freedompeace
I don't know about the changing device pointer, but then again, I don't use the device pointer for my hook. I just find the vtable and hook the functions I need, then I use the device pointer supplied on the stack.
Code:
void hkSetRenderState(LPDIRECT3DDEVICE9 pDevice, D3DRENDERSTATETYPE State, DWORD Value)
{
    _asm pushad
    if(State == 7){
        Value = 0; // disable depth
    }
    if(State == 17){
        Value = 1; // disable pixel
    }
    //pDevice->SetRenderState(D3DRS_ZENABLE, D3DZB_FALSE); // Disable it
    //pDevice->SetRenderState(D3DRS_ZFUNC, D3DCMP_NEVER);  // Reject the pixels (shaders)
    _asm popad
    ReturnFromHook(Gmem2, 2);
}

while(1){
    if(GetAsyncKeyState(VK_INSERT)){
        // if(RenderState == false){
            Gmem2 = Hook((DWORD)Vtable[57], (DWORD)&hkSetRenderState);
        //     RenderState = true;
        // } else {
        //     RemoveHook(Gmem2);
        //     RenderState = false;
        // }
    }
}
@.::SCHiM::. nice! What changes did you make for it to work, or is it the code up there? :P
.::SCHiM::. (05-26-2011)
Nothing changed about my code; the only thing I changed is which function I hook. Instead of hooking DIP I hook SetRenderState now (since I can check the stack for which call is being made (depth, pixel shaders, etc.)).
So now, whenever a call has been made for depth, I just auto-disable it; that's how my wallhack works now.
Still I'd like to know how I can use present to display my menu in-game. What can you tell me about changing device pointers?
Is this why people hook Reset()?
Last edited by .::SCHiM::.; 05-26-2011 at 06:52 AM.
freedompeace (05-26-2011)