[Solved] Trying to make an ESP


maxibaby

Hello guys, it's me again.
Basically now I want to make an ESP for Assault Cube.

** OFFTOPIC **
If I wanted to do an overlay, should I be following this? https://stackoverflow.com/questions...rendering-context-with-transparent-background

** BACK TO TOPIC **
So from what I have understood, the idea behind drawing the ESP is:

Hooking "wglSwapBuffers", so whenever this function gets called, I can draw myself into the game whatever I want. (Am I right?)

Basically that function will be called from the thread that has the game context, so I'm drawing into the 3D plane. (Am I right?)

https://guidedhacking.com/showthread.php?6487-How-To-Hook-10
 

mambda

If you hover over it you'd see WINAPI is a macro for __stdcall, which is what most Windows-defined functions are.
And your code still doesn't show the actual hook function
and finally, void(WINAPI * whatever) basically reads: a pointer to a function with calling convention __stdcall, that we're going to call "whatever" for the sake of simplicity.
 

maxibaby

From what I understand..


C++:
HMODULE hMod = GetModuleHandle("opengl32.dll");
// He creates a hook, so whenever the wglSwapBuffers function, coming from opengl32.dll, gets called -> it jumps to hkwglSwapBuffs

trpHook((void *)GetProcAddress(hMod, "wglSwapBuffers"), (void *)hkwglSwapBuffs, 5);
C++:
// I'm guessing, that by reverse engineering, he knows, that whenever wglSwapBuffers gets called, _In_ HDC hDc is passed in also.
// This should be his signature:  wglSwapBuffers(_In_ HDC hDc)

void WINAPI hkwglSwapBuffs(_In_ HDC hDc){
	if (esp->State())
		esp->Draw();

	if (gEsp->State())
		gEsp->Draw();

	if (radar->State())
		radar->Draw();

	if (Menu)
		DrawMenu();

// What the heck is he returning?
	return owglSwapBuffers(hDc);
}
C++:
// WTF.
twglSwapBuffers owglSwapBuffers;
C++:
// WTF
typedef void(WINAPI * twglSwapBuffers) (HDC hDc);
From what I understood about hooking, we do the first step
  • He creates a hook, so whenever wglSwapBuffers.dll gets called -> it jumps to hkwglSwapBuffs
  • Function gets executed and then it should lead to the real wglSwapBuffers.dll, no?
  • Where does he do that?
 

mambda

Okay, to break it down: when you want to hook something, normally you create a typedef for it. This basically means you're creating the function, but saving it in the form of a variable

C++:
typedef FARPROC(__stdcall * tGetProcAddress)(HMODULE, LPCSTR); // create our typedef (same signature as the real GetProcAddress)
tGetProcAddress oGetProcAddress; // now oGetProcAddress can be called like the normal GetProcAddress, like so: oGetProcAddress(Module, function);
Then you have to set oGetProcAddress to something; most of the time when writing hooking functions you return the original address + bytes you overwrote, so that you don't infinite loop.

So at the very end when you see

return owglSwapBuffers(hdc)

what's happening is that you're simply calling the original function, it will return back to you after doing all its normal stuff (so you don't xxxx up drawing), and then you will return to the return address that was meant for wglSwapBuffers (if you don't get what I mean then maybe some asm is in order :p)
 

maxibaby



My questions are:

  • Where did he save / execute the old (0x0F5F4A0 in our example) content?
  • Where does the typedef "return the original address + bytes" to avoid the infinite loop?
  • C++:
    typedef void(WINAPI * twglSwapBuffers) (HDC hDc);

I understand the core; my main problem is the C++ language, coming from Python, LOL
 

mambda

Haven't seen the code myself, but most hook functions return (addressOfHook + lengthOfHook), so that's how they avoid the infinite loop.
And sometimes you save the old code, if you want; otherwise you simply replace it yourself with

__asm
{
old code
}
 

maxibaby

C++:
Hook::Hook(void * hkAddy, void * hkFnctAddy, DWORD len){
	m_isHooked = false;
	m_hkAddy = hkAddy;
	m_len = len;
	m_hkFnctAddy = hkFnctAddy;
	m_restoreBytes = new BYTE[200];
}

C++:
void * trpHook::CreateDetour(){
	void * pTrp;
	DWORD oldProtect, Bkup, relativeAddy;

	if (m_hkAddy == NULL || m_len < 5)
		return nullptr;

	if (!VirtualProtect(m_hkAddy, m_len, PAGE_EXECUTE_READWRITE, &oldProtect))
		return nullptr;

	//Allocate a spot of memory for pTrp (stolen bytes + a 5-byte jmp back)
	pTrp = VirtualAlloc(0, m_len + 5, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
	if (pTrp == nullptr)
		return nullptr;
	//Copy the bytes into the beginning of pTrp for when we're returning.
	memcpy(pTrp, m_hkAddy, m_len);
	//Copy the bytes into m_restoreBytes for when we want to undo the hook
	memcpy(m_restoreBytes, m_hkAddy, m_len);
	//NOP out the start of the function
	memset(m_hkAddy, 0x90, m_len);

	/*PLACING OUR JUMP AT THE ORIGINAL FUNCTION*/

	//Get relative address, place jmp, put relative address on next 4 bytes
	relativeAddy = ((DWORD)m_hkFnctAddy - (DWORD)m_hkAddy) - 5;
	*(BYTE*)m_hkAddy = 0xE9;
	*(DWORD*)((DWORD)m_hkAddy + 0x1) = relativeAddy;

	// What happens here?
	/*PLACING OUR JUMP AT THE TRAMPOLINE*/

	//Get relative address, place jmp, put relative address on next 4 bytes
	DWORD relAddy = ((DWORD)m_hkAddy - (DWORD)pTrp) - 5;
	*(BYTE*)((DWORD)pTrp + m_len) = 0xE9;
	*(DWORD*)((DWORD)pTrp + m_len + 0x1) = relAddy;

	//Restore whatever protection there was
	if (!VirtualProtect(m_hkAddy, m_len, oldProtect, &Bkup))
		return nullptr;

	return pTrp;
}
Real function gets modified, so it jumps to our own function.
pTrp gets assigned [OLD CONTENT] + JUMP [BACK TO REAL FUNCTION]


GRR, there's something I'm still missing!

  • Old function jumps to the new function
  • There's a pointer pTrp with the content replaced, and it points to OldFunction + replaced bits to avoid the infinite loop

Where's the link, new function -> pTrp, so it actually gets executed?
 
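Added example, not code from this thread: a defender-side check that does the `relativeAddy` math from the detour above in reverse. Given the first bytes of a function (read out of a loaded module) it tells you whether the prologue has been replaced by a `jmp rel32` and where that jmp lands, which is how you verify a function like wglSwapBuffers is still intact. The addresses and prologue bytes are constructed samples.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Length of an x86 "jmp rel32" (E9 xx xx xx xx): the 5 bytes the detour
 * overwrites and the "- 5" in its relativeAddy calculation. */
#define JMP_REL32_LEN 5

/* Inspect the first bytes of a function and report whether it starts with a
 * relative jmp. func_addr is the address those bytes live at. On a hit the
 * absolute destination is written to *target and 1 is returned; a clean
 * prologue returns 0. Reverses the detour's math:
 *   rel32 = target - func_addr - 5   =>   target = func_addr + 5 + rel32 */
int detect_inline_jmp(const uint8_t *prologue, size_t len,
                      uint32_t func_addr, uint32_t *target)
{
    uint32_t raw;
    int32_t rel;

    if (prologue == NULL || len < JMP_REL32_LEN || prologue[0] != 0xE9)
        return 0;

    /* rel32 is a little-endian, signed 32-bit displacement. */
    raw = (uint32_t)prologue[1]
        | ((uint32_t)prologue[2] << 8)
        | ((uint32_t)prologue[3] << 16)
        | ((uint32_t)prologue[4] << 24);
    memcpy(&rel, &raw, sizeof rel);

    if (target != NULL)
        *target = func_addr + JMP_REL32_LEN + (uint32_t)rel;
    return 1;
}

/* Convenience wrapper: the decoded jmp target, or 0 when not hooked. */
uint32_t hook_target(const uint8_t *prologue, size_t len, uint32_t func_addr)
{
    uint32_t t = 0;
    return detect_inline_jmp(prologue, len, func_addr, &t) ? t : 0;
}

/* Constructed sample: a function at 0x10001000 whose first 5 bytes were
 * replaced by a jmp to a hook at 0x20002000 (rel32 = 0x10000FFB). */
static const uint8_t HOOKED_PROLOGUE[] = { 0xE9, 0xFB, 0x0F, 0x00, 0x10 };
/* Constructed sample: an untouched "mov edi,edi; push ebp; mov ebp,esp". */
static const uint8_t CLEAN_PROLOGUE[]  = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC };
```

Comparing the live prologue against the copy saved in `m_restoreBytes` (or the on-disk image) is the other half of the check; this routine only tells you that a jmp is there and where it goes.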

Solaire

Ayy glad you got things figured out through the source! For a better understanding of how things work, place the hook and step through wglSwapBuffers (Including the jmp at the top that is placed if I remember correctly).
 

maxibaby

Hehehe thanks, you guys are awesome.

Now I can draw on screen, and understood hooking / unhooking, my game is no longer crashing like crazy (just a bit)


Now I need to understand OpenGL transformations / view points I think, because I'm trying to draw my line, and it gets randomly drawn

:indifferent:

Any tip / resource is appreciated


After 3 hours I learned how to make a triangle that rotates, and has colors on vertex :cool:
 