    1. #1
      NTvalk

      Hooking endscene?

      Hello, I'm trying to find the address of EndScene through the IAT, code:
      [PHP]
      #include <windows.h>
      #include <stdio.h>
      #include <string.h>

      int IATfind(const char* function, HMODULE module){
          if (module == 0)
              module = GetModuleHandle(0);

          /* retrieve headers of module; check the DOS signature before trusting e_lfanew */
          LPBYTE base = (LPBYTE)module;
          PIMAGE_DOS_HEADER pImgDosHeaders = (PIMAGE_DOS_HEADER)base;
          if (pImgDosHeaders->e_magic != IMAGE_DOS_SIGNATURE){
              printf("e_magic is no valid DOS signature\n");
              return 1;
          }
          PIMAGE_NT_HEADERS pImgNTHeaders = (PIMAGE_NT_HEADERS)(base + pImgDosHeaders->e_lfanew); // the actual PE header
          DWORD importRva = pImgNTHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress;
          if (importRva == 0)
              return 1; // module has no import directory
          PIMAGE_IMPORT_DESCRIPTOR pImgImportDesc = (PIMAGE_IMPORT_DESCRIPTOR)(base + importRva);

          for (IMAGE_IMPORT_DESCRIPTOR* iid = pImgImportDesc; iid->Name != 0; iid++){
              printf("\n \t \t %s \n \n", (char*)(base + iid->Name));
              if (iid->OriginalFirstThunk == 0)
                  continue; // no import name table, so there are no names to read

              // names are read from OriginalFirstThunk; FirstThunk holds the resolved addresses
              PIMAGE_THUNK_DATA pImgThunkData = (PIMAGE_THUNK_DATA)(base + iid->OriginalFirstThunk);
              for (; pImgThunkData->u1.AddressOfData != 0; ++pImgThunkData){
                  if (IMAGE_SNAP_BY_ORDINAL(pImgThunkData->u1.Ordinal)){
                      // imported by ordinal: the entry is a number, not an RVA to a name
                      printf("(ordinal %u)\n", (unsigned)IMAGE_ORDINAL(pImgThunkData->u1.Ordinal));
                      continue;
                  }

                  //check if the function matches the function we are looking for
                  PIMAGE_IMPORT_BY_NAME pImgImportByName = (PIMAGE_IMPORT_BY_NAME)(base + pImgThunkData->u1.AddressOfData);
                  const char* modFuncName = (const char*)pImgImportByName->Name;
                  int match = (function != NULL && strcmp(modFuncName, function) == 0);
                  // print through a format string, never printf(modFuncName)
                  printf("%s%s\n", modFuncName, match ? "  <-- match" : ""); // only finds direct3dcreate9
              }
          }
          return 0;
      }[/PHP]

      But the IAT only contains Direct3DCreate9. Can I hook this function to retrieve the device pointer? And if it is not in the IAT, how is EndScene imported?

    2. #2
      c5
      GetProcAddress to find d3d9.dll exports.

      I use some sigs to find d3d9 present and then get the device pointer, then reverse the game's renderer classes and access the functions I want to hook from there.

      Easiest for you would be to hook createdevice, get the pointer to the device from there and get endscene from there.

      Regarding your idea on import walking, I think HadesMem supported it, look at that, it's open source.

    3. #3
      till0sch
      When not just using vtable and directly hooking EndScene through it?

    4. #4
      NTvalk
      Quote, originally posted by till0sch97:
          When not just using vtable and directly hooking EndScene through it?

      I assume you meant why; the reason why I'm doing this is because I can make it fully external without injection/malicious calls.

      Quote, originally posted by c5:
          GetProcAddress to find d3d9.dll exports.

          I use some sigs to find d3d9 present and then get the device pointer, then reverse the game's renderer classes and access the functions I want to hook from there.

          Easiest for you would be to hook createdevice, get the pointer to the device from there and get endscene from there.

          Regarding your idea on import walking, I think HadesMem supported it, look at that, it's open source.

      Alright, I will try hooking createdevice, and about the sigs, will they work on all different platforms? (Windows 8, 7, etc.)

    5. #5
      c5
      Quote, originally posted by NTvalk:
          Alright, I will try hooking createdevice, and about the sigs, will they work on all different platforms? (Windows 8, 7, etc.)

      The sig I am using currently for d3d9 endscene does work fine everywhere, since the d3d9 comes from the DirectX redist, I just need to make sure it properly works with it.

    6. Thanks NTvalk thanked for this post
    7. #6
      till0sch
      Quote, originally posted by NTvalk:
          I assume you meant why; the reason why I'm doing this is because I can make it fully external without injection/malicious calls.

      Sure, sorry.. But you could do patterns externally..

    8. #7
      kokole
      EndScene isn't defined as export for d3d9.dll, it's a method of the IDirect3DDevice9 interface.
      h4x1ng ftw

    9. Thanks c5 thanked for this post
    10. #8
      till0sch
      Quote, originally posted by kokole:
          EndScene isn't defined as export for d3d9.dll, it's a method of the IDirect3DDevice9 interface.

      Sure it isn't, that's why you use patterns to find the VTable. Or hook some of those exported functions and retrieve the device.

    11. #9
      c5
      Quote, originally posted by till0sch97:
          Sure it isn't, that's why you use patterns to find the VTable. Or hook some of those exported functions and retrieve the device.

      He is just saying that because NTValk thought it would be, he was looking at imports initially.

    12. Thanks NTvalk, till0sch thanked for this post
    13. #10
      kokole
      Quote, originally posted by till0sch97:
          Sure it isn't, that's why you use patterns to find the VTable. Or hook some of those exported functions and retrieve the device.

      Using patterns is a really bad idea since there is more than just 1 version of d3d9.dll, so getting the function pointer by knowing the index of EndScene in the VTable is much better.

      Edit: Sorry you're right, I've read it as "to find EndScene".
      Last edited by kokole; 12-05-2013 at 10:09 AM.
      h4x1ng ftw

    14. Thanks c5 thanked for this post
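
    The point made in posts #7 and #10, as an added example that is not part of the original thread: a COM-style method is reached through the object's vtable at a fixed slot index, so only the factory function is ever linked by name and an import walk never sees the method. `ToyDevice`, `ToyCreate` and the two-slot layout are constructed for illustration and are not d3d9's real interface.

```c
#include <stddef.h>
#include <stdio.h>

/* Toy COM-style interface, constructed for this example (not d3d9's layout). */
typedef struct ToyDevice ToyDevice;
typedef int (*ToyMethod)(ToyDevice *self);
typedef struct ToyDeviceVtbl {
    ToyMethod BeginScene;   /* slot 0 */
    ToyMethod EndScene;     /* slot 1 */
} ToyDeviceVtbl;
struct ToyDevice { const ToyDeviceVtbl *lpVtbl; int frames; };

/* Method bodies are static: internal to the "DLL", never exported by name,
 * so no import or export table entry can exist for them. */
static int toy_begin_scene(ToyDevice *self) { (void)self; return 0; }
static int toy_end_scene(ToyDevice *self) { return ++self->frames; }
static const ToyDeviceVtbl g_vtbl = { toy_begin_scene, toy_end_scene };

/* The only function a client links against by name (the factory),
 * playing the role Direct3DCreate9 plays in the thread. */
ToyDevice *ToyCreate(ToyDevice *storage) {
    storage->lpVtbl = &g_vtbl;
    storage->frames = 0;
    return storage;
}

/* Slot index = byte offset of the member / size of one function pointer. */
#define VTBL_INDEX(m) (offsetof(ToyDeviceVtbl, m) / sizeof(ToyMethod))

/* Resolve a method the way a compiled call site does: object -> vtable -> slot. */
ToyMethod method_at(const ToyDevice *dev, size_t index) {
    return ((const ToyMethod *)dev->lpVtbl)[index];
}

/* Call EndScene purely by slot index; returns the frame counter afterwards. */
int end_scene_by_index(void) {
    ToyDevice storage;
    ToyDevice *dev = ToyCreate(&storage);
    return method_at(dev, VTBL_INDEX(EndScene))(dev);
}

int main(void) {
    printf("EndScene slot index: %zu\n", VTBL_INDEX(EndScene));
    printf("frames after call by index: %d\n", end_scene_by_index());
    return 0;
}
```

    The slot index is fixed by the interface declaration, which is why it stays stable across builds of the implementing DLL while byte patterns in the method body do not.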
