Source Code Rust Cheat - VMT EndScene Hook


gnuzim

Jr.Coder
Trump Tier Donator
Dank Tier Donator
Nobleman
Nov 28, 2012
67
1,418
0
Hey guys, me again!
Here is a complete VTable Hook...

It's already hooking EndScene.

If you guys want wallhack & chams just hook DrawIndexedPrimitive, use some model logger and enjoy :D

rust.jpg

C++:
#include <d3d9.h>
#include <d3dx9.h>
#include <stdio.h>

#pragma comment(lib, "d3d9")
#pragma comment(lib, "d3dx9")

//
#define GREEN D3DCOLOR_ARGB(255, 000, 255, 000)
//
class CGame;
class cVMT;
class cD3D;

class CGame
{
public:
	cVMT* pVMT; //0x0000 

};//Size=0x0004

class cVMT
{
public:
	DWORD pD3D; //0x0000 

};//Size=0x0004

const DWORD_PTR dwAddr = reinterpret_cast<DWORD_PTR>(GetModuleHandleA("rust.exe")) + 0x9ED740;
CGame* pGame = (CGame*)dwAddr;

typedef HRESULT(WINAPI* tEndScene)(LPDIRECT3DDEVICE9 pDevice);
tEndScene pEndScene;

LPD3DXFONT g_font;
bool once;

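// Draws a test label; the font is created once, on the first call.
void DrawTest(LPDIRECT3DDEVICE9 pDevice)
{
	if (!once)
	{
		D3DXCreateFont(pDevice, 16, 0, FW_BOLD, 0, 0, 1, 0, 0, 0 | FF_DONTCARE, TEXT("Arial"), &g_font);
		once = true;
	}

	if (!g_font) // font creation failed; nothing to draw with
		return;

	RECT rFont{ 10, 10, 150, 150 };

	g_font->DrawTextA(NULL, "g4x hooking", -1, &rFont, DT_LEFT, GREEN);
}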

// Replacement for EndScene; the return type matches the tEndScene typedef.
HRESULT WINAPI hkEndScene(LPDIRECT3DDEVICE9 pDevice)
{
	_asm pushad;
	DrawTest(pDevice);
	_asm popad;
	return pEndScene(pDevice);
}

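// Worker thread: saves the original EndScene pointer, then patches the vtable slot.
DWORD WINAPI nThread(LPVOID)
{
	DWORD dwEndScene = 0; // receives the previous page protection

	while (pGame != NULL)
	{
		// Slot 42 of the device vtable: 42 * 4 = 0xA8 on 32-bit.
		pEndScene = (tEndScene) *(DWORD_PTR*)(pGame->pVMT->pD3D + 0xA8);
		VirtualProtect((LPVOID)(pGame->pVMT->pD3D + 0xA8), sizeof(DWORD_PTR), PAGE_EXECUTE_READWRITE, &dwEndScene);
		while (TRUE)
		{
			// Rewrites the slot continuously; this loop never exits.
			*(DWORD_PTR*)(pGame->pVMT->pD3D + 0xA8) = (DWORD_PTR)hkEndScene;
		}
		// Not reached while the loop above runs forever.
		VirtualProtect((LPVOID)(pGame->pVMT->pD3D + 0xA8), sizeof(DWORD_PTR), dwEndScene, &dwEndScene);
	}
	return 0;
}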

BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
	if (fdwReason == DLL_PROCESS_ATTACH)
	{
		CreateThread(0, 0, (LPTHREAD_START_ROUTINE)nThread, 0, 0, 0);
	}
	return TRUE;
}
 

GAFO666

Hacker
Meme Tier VIP
Aug 19, 2012
520
3,188
23
Seems nice, but where do you get '0x9ED740' and '0xA8' from? If that is known, it should be possible and easier for the community to apply it to other games.
 

gnuzim

rust.exe+ 0x9ED740 is the address from our Rust vTable ...

0xA8 is pointing to our EndScene..

EndScene = Vtable[42]

42 * 4 = 168
168 HEX = A8

Multiply by 4 on 32-bit and 8 for 64-bit!

:D
 

GAFO666

aaah :D well, anyways rep+ (I know that it's pointing to the vtable lol xD, was asking how to get the vtable for d3d of a game ;) )
 

gnuzim

Ah, lol!
Well, the way I do it, I use D3D9_Test Environment to get my EndScene address!

Go to my game, open CE
Click on Memory View
CTRL+G, search for your EndScene address

8B FF mov edi, edi

Breakpoint it...
Copy EAX Address on the right

Now search for that HEX address

You will get a few results, look for static addresses (green)

And that is your module+address

Sometimes you'll get more than one...
If you can't identify which one is right you should try them!

Sorry for this crap tutorial, if you don't get it I'll make a better one!
 

GAFO666

ooow it's not that bad, but the eax on the right is just weird Oo
so if I search for '00000001' there are over 245k addresses xD
 

gnuzim

It's easy to get from CSS, are you using Windows 8?
 

gnuzim

How are you getting your EndScene dynamic address?

css.jpg

This is my CSS EndScene...

You probably got it wrong somewhere

WSOCK32 isn't the right module
 

GAFO666

using and searching for '8B FF mov edi, edi' as you said before, idk how to find that one :eek:
aah and btw please do like
path[\img]
for images :) otherwise we always need to wait for a staff member to approve an image lol Oo (imgur.com)
 

gnuzim

Oh, sorry lol!

The right address will be 8B FF, not that every 8B FF is the right one!

How do I send you D3D9 Test environment so you can grab your EndScene address?
I know there are other methods but that's the one I know!

That's the address you need to search for in your game's memory view
yours will be different
 

GAFO666

I have that tool, used it for my old menu to design :) so I just search for that address of the tool in mem view? and then take the addy on the right and search for the static one?
edit: if you would have teamspeak or skype.. xD
 

gnuzim

Yeaaah, it's a great method.. I personally hate using detours! :D
 

c5

Kim Kong Trasher
Dank Tier VIP
Dank Tier Donator
Jul 19, 2012
1,187
19,938
76
any particular reason or just for lulz? most people tend to think vtable hooking is undetected, although it's nothing too trivial to check common vtables and ac's have started doing that more recently, most legit progs do a jump hook therefore it's not effective for ac's to check for e9's on dx functions. you also need to account vtable pointers might get reset so there is an extra need of repatching them
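
The vtable check c5 mentions, seen from the checking side, as an added example that is not part of the original thread: it flags table slots whose target lies outside the module expected to implement the interface, and reports them with the index-times-pointer-size offsets gnuzim describes. The module names, address ranges and 64-slot snapshot are constructed, and `module_range`, `vt_finding`, `audit_vtable` and `demo` are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model types; not Windows API structures. */
typedef struct { const char *name; uintptr_t base; size_t size; } module_range;
typedef struct { size_t index, byte_offset; uintptr_t target; const char *owner; } vt_finding;

static int in_range(uintptr_t a, const module_range *m) { return a >= m->base && a - m->base < m->size; }

/* Flag each slot whose target lies outside the module expected to implement
 * the interface; ptr_size (4 or 8) yields the byte offsets used in the thread. */
size_t audit_vtable(const uintptr_t *slots, size_t count, size_t ptr_size, const module_range *expected,
                    const module_range *mods, size_t nmods, vt_finding *out, size_t max_out)
{
    size_t found = 0;
    for (size_t i = 0; i < count; i++) {
        if (in_range(slots[i], expected)) continue;   /* untouched slot */
        const char *owner = "(no module)";            /* heap or other unbacked memory */
        for (size_t m = 0; m < nmods; m++)
            if (in_range(slots[i], &mods[m])) owner = mods[m].name;
        if (found < max_out)
            out[found] = (vt_finding){ i, i * ptr_size, slots[i], owner };
        found++;
    }
    return found;
}

/* Constructed snapshot: 64 slots of a 32-bit table, two of them redirected. */
size_t demo(vt_finding *out, size_t max_out)
{
    static const module_range mods[] = {
        { "d3d9.dll",     0x6A000000u, 0x1C0000u },   /* constructed range */
        { "injected.dll", 0x10000000u, 0x020000u },   /* hypothetical module */
    };
    uintptr_t slots[64];
    for (size_t i = 0; i < 64; i++) slots[i] = mods[0].base + 0x1000u + i * 0x40u;
    slots[17] = 0x02AF0000u;                          /* inside no loaded image */
    slots[42] = 0x10001230u;                          /* slot 42 = offset 0xA8 */
    return audit_vtable(slots, 64, 4, &mods[0], mods, 2, out, max_out);
}

int main(void)
{
    vt_finding f[8];
    size_t n = demo(f, 8);
    for (size_t i = 0; i < n; i++)
        printf("slot %zu (+0x%zX) -> 0x%lX in %s\n", f[i].index, f[i].byte_offset, (unsigned long)f[i].target, f[i].owner);
    return 0;
}
```

The `owner` field names the image a redirected slot lands in, which is the value a checker would compare against its list of known overlay modules.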
 