Thread: Hook Detected

Page 3 of 4
Results 31 to 45 of 48
  #31 freedompeace
    @.::SCHiM::., if you are detouring EndScene, then try Present. I haven't studied Combat Arms very deeply yet, but it seems that Present works and EndScene doesn't. XFire also hooks Present for Combat Arms in its configuration files, whereas it detours EndScene for many other games in its config.

    Lastly, Combat Arms detects some rogue strings in loaded modules. I found out the hard way by commenting out code line by line ... The clearest example in my mind is the word "aimbot". If I have that (in ASCII), Combat Arms would just crash after HackShield's initial scan, which is ~2 minutes (+/- 20 seconds) after CA is launched.

    @ALL, packers do nothing, stop suggesting it.

  #32 whit
    Quote Originally Posted by freedompeace View Post

    @ALL, packers do nothing, stop suggesting it.
    ^this.......

  #33 topblast
    Quote Originally Posted by freedompeace View Post
    @.::SCHiM::., if you are detouring EndScene, then try Present. ...
    @freedompeace
    Nice speech, you didn't hit the DIP part. Someone had a hack with pure DIP and it DC'd also. What are you gonna say?
    I just like programming, that is all.

    Current Stuff:

    • GPU Programmer (Cuda)
    • Client/Server (Cloud Server)
    • Mobile App Development

  #34 nucks
    packers made my hack not d/c...

  #35 whit
    Quote Originally Posted by topblast View Post

    @freedompeace
    Nice speech, you didn't hit the DIP part. Someone had a hack with pure DIP and it DC'd also. What are you gonna say?
    I unhook between RenderStates and everything works fine.


  #36 Departure
    @.::SCHiM::.

    1. 90% of the coders here don't understand the mid-function hook (no offence)
    2. 90% of the coders here don't make their own hooks (no offence)
    3. 90% of the coders here won't be able to help you (no offence)
    4. 90% of the coders will be using someone else's hooks (no offence)

    Now I'm willing to bet you are also using a hook function you got from somewhere, right?
    I'm guessing you did anyway.... add some random bytes in between your hook function so it changes the byte signature of that function (just do some inline assembly instructions).

    Also try hooking Present and Reset, as we know these are not scanned for detection and do not need to be mid-function...

    Good luck.

    P.S. No offence to 90% of the coders here, that's just how I have seen it roll around here.
    Also take TopBlast's advice about hooking a callee of DIP....

    P.P.S.
    The packer subject has been talked about before, and I stick with what I said before: packers are pointless because the image is normally completely unpacked in memory (but still has the compactor's signature in the first code section of the DLL, the stub). What you do need to know is that using a "protector" can benefit you, because protectors normally have "stolen bytes" which don't get replaced until the function/procedure is called. Also, a protector will normally compact the image depending on the settings; this means that it will not unpack parts of the code until they are called for. Once again, you need to know the difference between a packer and a protector...
    Last edited by Departure; 05-25-2011 at 11:28 PM.


  #37 freedompeace
    Quote Originally Posted by topblast View Post

    @freedompeace
    Nice speech, you didn't hit the DIP part. Someone had a hack with pure DIP and it DC'd also. What are you gonna say?
    @topblast, "Nice Speech". @.::SCHiM::. did not once mention a DIP hook, so your "point", if we can call it that, is irrelevant.

  #38 .::SCHiM::.
    Quote Originally Posted by Departure View Post
    Now I'm willing to bet you are also using a hook function you got from somewhere, right?
    I'm guessing you did anyway.... add some random bytes in between your hook function so it changes the byte signature of that function (just do some inline assembly instructions). ...
    Code:
    ; Globals the routine uses; the snippet as posted left them undeclared.
    .data?
    MidFunctionTrampoline dd ?
    Oldprot               dd ?
    Oldprott              dd ?

    .code
    ; Mid-function hook: overwrites InstructionSize bytes at MidFunctionTargetAddress
    ; with "JMP MidFunctionHookAddress" (+ NOP padding), keeps the displaced bytes in a
    ; trampoline that jumps back to Target+InstructionSize, and returns the trampoline
    ; in EAX. InstructionSize must cover whole instructions, lie between 5 and 11
    ; (16-byte trampoline) and contain no EIP-relative jumps or calls, which are not
    ; relocated here. EBX/ESI are callee-saved in stdcall, hence "uses".
    MidFunctionHook proc uses ebx esi MidFunctionTargetAddress:DWORD, MidFunctionHookAddress:DWORD, InstructionSize:DWORD

    invoke GlobalAlloc, GPTR, 10h
    mov MidFunctionTrampoline, eax

    ; copy the displaced bytes into the trampoline
    xor esi, esi
    mov ebx, MidFunctionTargetAddress
    @1:
    mov cl, byte ptr [ebx+esi]
    mov byte ptr [eax+esi], cl
    inc esi
    cmp esi, InstructionSize
    jb @1

    ; append "JMP Target+InstructionSize". rel32 is relative to the end of the
    ; 5-byte JMP, i.e. dest - (slot + 4); the posted "Target - slot + 1" was only
    ; right when InstructionSize == 5.
    add eax, InstructionSize
    mov byte ptr [eax], 0E9h
    inc eax                                ; eax -> rel32 slot
    mov edx, MidFunctionTargetAddress
    add edx, InstructionSize
    sub edx, eax
    sub edx, 4
    mov [eax], edx

    invoke VirtualProtect, MidFunctionTargetAddress, 40h, PAGE_EXECUTE_READWRITE, addr Oldprott

    ; write "JMP Hook" over the target
    mov eax, MidFunctionTargetAddress
    mov byte ptr [eax], 0E9h
    inc eax
    mov ebx, MidFunctionHookAddress
    sub ebx, eax
    sub ebx, 4                             ; rel32 = hook - (slot + 4)
    mov [eax], ebx
    dec eax                                ; eax -> start of the patch

    ; NOP the rest of the displaced bytes. Test before writing: the posted loop
    ; wrote first and compared afterwards, so InstructionSize == 5 ran off the end.
    mov esi, 5
    @2:
    cmp esi, InstructionSize
    jae @3
    mov byte ptr [eax+esi], 90h
    inc esi
    jmp @2
    @3:

    ; heap memory is not executable under DEP, so make the trampoline page RWX
    invoke VirtualProtect, MidFunctionTrampoline, 40h, PAGE_EXECUTE_READWRITE, addr Oldprot

    ; restore the target's original protection (the posted call passed Oldprot
    ; by value as the last argument, so the restore silently failed)
    invoke VirtualProtect, MidFunctionTargetAddress, 40h, Oldprott, addr Oldprot

    invoke GetCurrentProcess
    invoke FlushInstructionCache, eax, MidFunctionTargetAddress, InstructionSize

    mov eax, MidFunctionTrampoline
    ret
    MidFunctionHook endp
    It's all mine, no copy, no leech, all out of my head.
    Also, can I disable the depth buffer from Present? I can't, can I?

    @freedompeace

    I'm hooking DrawIndexedPrimitive (I thought that was DIP; if not, what's DIP?)
    Everything there is detected, and I only have 1 ASCII string in my entire code ("d3d.dll"); does HackShield d/c on that?
    Last edited by .::SCHiM::.; 05-26-2011 at 12:18 AM.

    I'm SCHiM

    Morals derive from the instinct to survive. Moral behavior is survival behavior above the individual level.

    Polymorphic engine
    Interprocess callback class
    SIN
    Infinite-precision arithmetic
    Hooking dynamic linkage
    (sloppy)Kernel mode Disassembler!!!

    Semi debugger
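The hook mechanics Departure describes and the MidFunctionHook routine in the post above both reduce to the same arithmetic: a 5-byte JMP rel32 whose displacement is measured from the end of the instruction, used once for the patch at the target and once more, relative to the trampoline's own address, for the jump back to the displaced code. The following C++ is an added example written for this edit, not code from the thread; it builds both byte images for a constructed MSVC-style prologue at made-up addresses and decodes the jumps again to check that they land where they should, including the case where a single JMP rel32 cannot reach (which only arises on x64, where the thread's 32-bit assumptions no longer hold). It does not disassemble anything: as in the thread's routine, the caller still has to supply a displacement length that covers whole, non-relative instructions.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <limits>
#include <stdexcept>
#include <vector>

// x86 "JMP rel32" is E9 followed by a 32-bit displacement measured from the
// END of the 5-byte instruction: disp = to - (from + 5).
bool encodeJmpRel32(uint64_t from, uint64_t to, uint8_t out[5]) {
    int64_t disp = (int64_t)to - (int64_t)(from + 5);
    if (disp < std::numeric_limits<int32_t>::min() ||
        disp > std::numeric_limits<int32_t>::max())
        return false;                     // not reachable with one JMP rel32 (x64 only)
    int32_t rel = (int32_t)disp;
    out[0] = 0xE9;
    std::memcpy(out + 1, &rel, 4);        // little-endian, as the CPU reads it
    return true;
}

// Inverse: where does the JMP rel32 located at 'at' land?
uint64_t decodeJmpRel32(uint64_t at, const uint8_t* bytes) {
    if (bytes[0] != 0xE9) throw std::invalid_argument("not a JMP rel32");
    int32_t rel;
    std::memcpy(&rel, bytes + 1, 4);
    return (uint64_t)((int64_t)(at + 5) + rel);
}

struct HookImages {
    std::vector<uint8_t> patch;       // written over the target: JMP hook + NOP padding
    std::vector<uint8_t> trampoline;  // displaced bytes + JMP back to target+displacedLen
};

// displacedLen must cover whole instructions (at least 5 bytes), none of them
// EIP-relative (short/near jumps, CALL rel32): nothing here relocates them.
HookImages buildHook(uint64_t target, uint64_t hook, uint64_t trampolineAddr,
                     const uint8_t* targetBytes, size_t displacedLen) {
    if (displacedLen < 5) throw std::invalid_argument("need >= 5 displaced bytes");
    HookImages img;
    uint8_t jmp[5];
    if (!encodeJmpRel32(target, hook, jmp))
        throw std::range_error("hook not reachable with JMP rel32");
    img.patch.assign(jmp, jmp + 5);
    img.patch.resize(displacedLen, 0x90);           // NOP-fill the tail of the last displaced insn

    img.trampoline.assign(targetBytes, targetBytes + displacedLen);
    // The return JMP sits at trampolineAddr + displacedLen, so it is encoded
    // relative to THAT address, not to the target.
    if (!encodeJmpRel32(trampolineAddr + displacedLen, target + displacedLen, jmp))
        throw std::range_error("target not reachable from trampoline");
    img.trampoline.insert(img.trampoline.end(), jmp, jmp + 5);
    return img;
}

// Constructed sample: a typical MSVC prologue, push ebp / mov ebp,esp / sub esp,40h
// (2 + 1 + 3 bytes: three whole instructions, none of them relative).
static const uint8_t  kPrologue[6] = { 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x40 };
static const uint64_t kTarget = 0x10001000, kHook = 0x20005000, kTramp = 0x30000000; // made-up addresses

HookImages buildSample() {
    return buildHook(kTarget, kHook, kTramp, kPrologue, sizeof kPrologue);
}

int main() {
    HookImages img = buildSample();
    std::printf("patch jumps to        %#llx\n",
                (unsigned long long)decodeJmpRel32(kTarget, img.patch.data()));
    std::printf("trampoline returns to %#llx\n",
                (unsigned long long)decodeJmpRel32(kTramp + 6, img.trampoline.data() + 6));
    return 0;
}
```

Writing the images into the process (VirtualProtect, memcpy, FlushInstructionCache) is deliberately left out; the point is that one formula, dest - (insn + 5), serves both jumps, and that the return jump is encoded against the trampoline's address rather than the target's.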




  #39 freedompeace
    Quote Originally Posted by .::SCHiM::. View Post
    @freedompeace

    I'm hooking DrawIndexedPrimitive (I thought that was DIP; if not, what's DIP?)
    Everything there is detected, and I only have 1 ASCII string in my entire code ("d3d.dll"); does HackShield d/c on that?
    Oh, I didn't see any references to DIP, so I had thought you meant the standard DX functions. I'll have a look when I get home and the code box isn't 10px wide as it is on mobile.

  #40 .::SCHiM::.
    Quote Originally Posted by freedompeace View Post


    Oh, I didn't see any references to DIP, so I had thought you meant the standard DX functions. I'll have a look when I get home .. and the code box isn't 10px wide as it is on mobile.
    There's nothing wrong with the code.
    It works perfectly fine in all games, except those with anti-cheat. It was just to show that I had my own hook.

    I'm going to try and hook Present now, will post back.

    EDIT:

    The hook on Present works fine until I'm in game, then the menu isn't drawn (in the lobby it works though). Any other functions?

    Since my topmost priority was getting chams/wallhack, I think I'm going to try hooking SetRenderState and make it always return false on depth buffering.
    Last edited by .::SCHiM::.; 05-26-2011 at 01:35 AM.


  #41 freedompeace
    Quote Originally Posted by .::SCHiM::. View Post
    The hook on Present works fine until I'm in game, then the menu isn't drawn (in the lobby it works though). Any other functions?

    Since my topmost priority was getting chams/wallhack, I think I'm going to try hooking SetRenderState and make it always return false on depth buffering.
    I'm not sure what your (chams/wallhack) code does at the moment, so I'll throw you a generic answer:

    IIRC, the DirectX device changes once you hit in-game. If you've not already detected this, you'll need to update your device and any dependent graphics-related resources, for example a vertex buffer or the ID3DXLine interface. But you've probably already done this, so I don't really know without seeing some code :/

  #42 .::SCHiM::.
    Quote Originally Posted by freedompeace View Post


    I'm not sure what your (chams/wallhack) code does at the moment.. so I'll throw you a generic answer:

    IIRC, the DirectX device changes once you hit in-game. If you've not already detected this, you'll need to update your device and any dependent graphics-related resources, for example, a vertex buffer or the ID3DXLine interface. But you've probably already done this, so I don't really know without seeing some code :/
    Well, I don't know either, but what I do know is that the wallhack works when directly hooking SetRenderState and then just turning every call that wants to enable the Z-buffer to false.

    It's working now!!!!

    Thanks everyone. If I ever release something, you'll get creds.

    @freedompeace

    I don't know about the changing device pointer, but then again, I don't use the device pointer for my hook. I just find the vtable and hook the functions I need, then I use the device pointer supplied on the stack.

    Code:
    #include <windows.h>
    #include <d3d9.h>

    // Helpers from the author's own hook library (not posted in the thread):
    // Hook() writes a JMP over 'target' and returns a trampoline that runs the
    // displaced bytes and jumps back, i.e. a callable "original function".
    extern DWORD Hook(DWORD target, DWORD detour);
    extern void  RemoveHook(DWORD trampoline);

    typedef HRESULT (WINAPI *SetRenderState_t)(LPDIRECT3DDEVICE9, D3DRENDERSTATETYPE, DWORD);

    static DWORD*           Vtable          = NULL;   // IDirect3DDevice9 vtable, located elsewhere
    static SetRenderState_t oSetRenderState = NULL;   // trampoline returned by Hook()
    static bool             RenderState     = false;  // hook currently installed?

    // Detour for IDirect3DDevice9::SetRenderState (vtable index 57). Declared
    // __stdcall like the real method, so the arguments the game pushed are read
    // and cleaned up correctly; the posted pushad/popad + ReturnFromHook version
    // only worked while the compiler happened to keep Value on the stack.
    HRESULT WINAPI hkSetRenderState(LPDIRECT3DDEVICE9 pDevice, D3DRENDERSTATETYPE State, DWORD Value)
    {
        if (State == D3DRS_ZENABLE)          // 7: never let the game turn depth testing on
            Value = D3DZB_FALSE;
        if (State == D3DRS_ZFUNC)            // the posted code tested 17, which d3d9.h does not
            Value = D3DCMP_NEVER;            // define; its commented-out line shows ZFUNC/NEVER was meant
        return oSetRenderState(pDevice, State, Value);
    }

    // Toggle thread: INSERT installs or removes the hook once per key press. Hooking
    // on every pass, as the posted loop did, would patch an already patched entry.
    DWORD WINAPI HookThread(LPVOID)
    {
        while (true) {
            if (GetAsyncKeyState(VK_INSERT) & 1) {
                if (!RenderState) {
                    oSetRenderState = (SetRenderState_t)Hook((DWORD)Vtable[57], (DWORD)&hkSetRenderState);
                    RenderState = true;
                } else {
                    RemoveHook((DWORD)oSetRenderState);
                    oSetRenderState = NULL;
                    RenderState = false;
                }
            }
            Sleep(50);
        }
        return 0;
    }


  #43 freedompeace
    Quote Originally Posted by .::SCHiM::. View Post
    It's working now!!!!
    @.::SCHiM::. nice! What changes did you make for it to work, or is it the code up there? :P


  #44 .::SCHiM::.
    Quote Originally Posted by freedompeace View Post


    @.::SCHiM::. nice! What changes did you make for it to work, or is it the code up there? :P
    Nothing changed about my code; the only thing I changed is which function I hook. Instead of hooking DIP I hook SetRenderState now (since I can check the stack for which call is being made (depth, pixel shaders, etc.)).

    So now, whenever a call has been made for depth, I just auto-disable it; that's how my wallhack works now.

    Still, I'd like to know how I can use Present to display my menu in-game. What can you tell me about changing device pointers?
    Is this why people hook Reset()?
    Last edited by .::SCHiM::.; 05-26-2011 at 06:52 AM.



  #45 topblast
    Quote Originally Posted by .::SCHiM::. View Post
    Still, I'd like to know how I can use Present to display my menu in-game. What can you tell me about changing device pointers?
    Is this why people hook Reset()?
    Well yes, but you don't have to hook Reset. You can simply check if your global device and your hooked device are the same. If they are the same then everything is OK, but if they are not then the device has been changed, so then you reset everything to the new device.
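freedompeace's point in #41 and topblast's here are the same rule: objects such as ID3DXLine belong to one device, so the Present hook should compare the device pointer it receives on the stack with the one the overlay's resources were built for and rebuild them on a mismatch; and a Reset hook, if you add one, has to call OnLostDevice before the real Reset and OnResetDevice only after it succeeds, since Reset fails with D3DERR_INVALIDCALL while D3DPOOL_DEFAULT objects are still alive. The following C++ is an added example for this edit, not code from the thread; it keeps the device as a plain integer and uses a counting stand-in for ID3DXLine so that it builds without d3d9.h. The vtable slots mentioned in the comments (Reset = 16, Present = 17) and the D3DERR_INVALIDCALL value are taken from d3d9.h; everything else, including the device addresses and the frame sequence, is constructed for the demonstration.

```cpp
#include <cstdint>
#include <cstdio>
#include <functional>

// Anything created from the device: ID3DXLine, ID3DXFont, a D3DPOOL_DEFAULT
// vertex buffer. The D3DX helpers really do expose OnLostDevice/OnResetDevice;
// release() stands for IUnknown::Release.
struct DeviceResource {
    virtual void onLostDevice()  = 0;
    virtual void onResetDevice() = 0;
    virtual void release()       = 0;
    virtual ~DeviceResource() {}
};

// Keeps the overlay's resources bound to the IDirect3DDevice9 that is actually
// presenting. Devices are passed as uintptr_t so this builds without d3d9.h.
class OverlayResources {
public:
    typedef std::function<DeviceResource*(uintptr_t device)> Factory;
    explicit OverlayResources(Factory create) : create_(create), device_(0), res_(0) {}
    ~OverlayResources() { if (res_) res_->release(); }

    // From the Present hook (vtable slot 17): 'device' is the this-pointer the game
    // passed. Returns true when resources were (re)built because the device changed.
    bool onPresent(uintptr_t device) {
        if (res_ && device == device_) return false;    // same device as last frame
        if (res_) { res_->release(); res_ = 0; }         // objects belong to the old device
        device_ = device;
        res_ = create_(device);
        return true;
    }
    // From the Reset hook (slot 16), before calling the original: D3DPOOL_DEFAULT
    // objects must be released or told OnLostDevice, or Reset fails with D3DERR_INVALIDCALL.
    void onPreReset(uintptr_t device) {
        if (res_ && device == device_) res_->onLostDevice();
    }
    // After the original Reset returned hr: only rebuild when it succeeded
    // (SUCCEEDED(hr) is hr >= 0); after a failed Reset the device is still lost.
    void onPostReset(uintptr_t device, long hr) {
        if (res_ && device == device_ && hr >= 0) res_->onResetDevice();
    }
    uintptr_t device() const { return device_; }

private:
    Factory         create_;
    uintptr_t       device_;
    DeviceResource* res_;
};

// Constructed stand-in for ID3DXLine that only counts lifecycle calls.
struct Counters { int created, lost, reset, released; };

struct CountingResource : DeviceResource {
    Counters* c;
    explicit CountingResource(Counters* counters) : c(counters) { c->created++; }
    void onLostDevice()  { c->lost++; }
    void onResetDevice() { c->reset++; }
    void release()       { c->released++; delete this; }
};

// Real HRESULT value from d3d9.h; negative as a signed quantity, so hr >= 0 fails.
static const long kD3DErrInvalidCall = (long)(int32_t)0x8876086C;

// Replays the thread's scenario: frames on the lobby device A, the game switches
// to device B for the match, B is Reset once successfully and once unsuccessfully.
Counters simulateSession() {
    Counters c = { 0, 0, 0, 0 };
    const uintptr_t devA = 0x0A000000, devB = 0x0B000000;   // constructed pointer values
    {
        OverlayResources overlay([&c](uintptr_t) -> DeviceResource* { return new CountingResource(&c); });
        overlay.onPresent(devA);                   // first frame: build on A
        overlay.onPresent(devA);                   // same device: nothing to do
        overlay.onPresent(devB);                   // in-game: release A's objects, rebuild on B
        overlay.onPreReset(devB);  overlay.onPostReset(devB, 0);                    // S_OK
        overlay.onPreReset(devB);  overlay.onPostReset(devB, kD3DErrInvalidCall);   // failed Reset
        overlay.onPresent(devB);                   // still B: nothing to do
    }                                              // unload: release B's objects
    return c;
}

int main() {
    Counters c = simulateSession();
    std::printf("created=%d lost=%d reset=%d released=%d\n", c.created, c.lost, c.reset, c.released);
    return 0;
}
```

The comparison in onPresent is exactly topblast's "global device versus hooked device" check; the Reset pair is what you add only if the overlay owns D3DPOOL_DEFAULT objects, because a Reset the overlay does not prepare for is the other way the menu stops drawing once the game switches modes.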
