Thought id write a tutorial on how to ClientHook Medal Of Honor Allied Assault.
First off lets look at what files the game uses. Like most q3 "based" games it has a cgame ( Client game ) file. So this is where we are going to look for our stuff aswell as the mohaa.exe file.
So now we know mohaa uses cgamex86.dll, lets look into getting access to it.
As per normal with making all dll files your need to start off with dllMain with LoadLibrary been called
Code:
HMODULE ( WINAPI *orig_LoadLibrary )( LPCSTR lpFileName );
HMODULE WINAPI LoadLibrary_Hook( LPCSTR lpFileName )
{
HMODULE hModule = orig_LoadLibrary( lpFileName );
if( strstr( lpFileName, "cgamex86.dll" ) ) //Mohaa cgamex86.dll accessed
{
}
return hModule;
}
BOOL WINAPI DllMain( HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved )
{
if( fdwReason == DLL_PROCESS_ATTACH )
{
orig_LoadLibrary = (struct HINSTANCE__ *(__stdcall *)(const char *))DetourFunction((PBYTE)LoadLibrary, (PBYTE)LoadLibrary_Hook );
}
return TRUE;
} Now we have this we need to find some memory addresses from the game
( see tutorial by Bon
http://nC.be/forum/showthread.php?t=288 )
For the sake of this tutorial i will list a couple for version 1.1. As per all quake 3 games, we use AddRefEntityToScene for a wallhack. So lets see if we can find this function shall we? You'll find this in mohaa.exe at 0x004B1C30.
So now we have our offset lets hook that window. Again as per all q3 based game it carries the "refEntity_t" struct as a parameter. So lets first make the void so we can access it.
Code:
void (WINAPIV *orig_AddRefToScene)(refEntity_t *ref);
void CG_AddRefDetour(refEntity_t *ref)
{
orig_AddRefToScene(ref);
} Now we have this, how do we call it? Simple, were call it in DLLMAIN because it is called form the .exe. so under your LoadLibrary Detour, add in the line to detour AddRefEntityToScene
Code:
orig_AddRefToScene = (void (WINAPIV *)(refEntity_t*)) DetourFunction((PBYTE)0x004B1C30, (PBYTE)CG_AddRefDetour);
DllMain should now look like so:
Code:
BOOL WINAPI DllMain( HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved )
{
if( fdwReason == DLL_PROCESS_ATTACH )
{
orig_LoadLibrary = (struct HINSTANCE__ *(__stdcall *)(const char *))DetourFunction((PBYTE)LoadLibrary, (PBYTE)LoadLibrary_Hook );
orig_AddRefToScene = (void (WINAPIV *)(refEntity_t*)) DetourFunction((PBYTE)0x004B1C30, (PBYTE)CG_AddRefDetour);
}
return TRUE;
} Now we have access to AddRefEntityToScene. So lets add a wallhack into it shall we? In quake 3 you can see how its done looking at the above function in any q3 sdk, so we still need refEntity_t struct. Use the one from quake 3 and it will work fine. Your also need a couple of other things, but i've listed them below for you.
Code:
typedef int qhandle_t;
typedef vec_t vec3_t[3];
typedef enum {
RT_MODEL,
RT_POLY,
RT_SPRITE,
RT_SPLASH,
RT_BEAM,
RT_RAIL_CORE,
RT_RAIL_CORE_TAPER,
RT_RAIL_RINGS,
RT_LIGHTNING,
RT_PORTALSURFACE,
RT_MAX_REF_ENTITY_TYPE
} refEntityType_t;
typedef struct {
refEntityType_t reType;
int renderfx;
qhandle_t hModel;
vec3_t lightingOrigin;
float shadowPlane;
float origin[3];
int skinNum;
qhandle_t customSkin;
qhandle_t customShader;
byte shaderRGBA[4];
float shaderTime;
float radius;
float rotation;
int reFlags;
int entityNum;
} refEntity_t; Good. No inside your AddRefEntityToScene Hook, use your pointer to point to RF_DEPTHHACK. Your Hooked function should now show
Code:
void (WINAPIV *orig_AddRefToScene)(refEntity_t *ref);
void CG_AddRefDetour(refEntity_t *ref)
{
ref->renderfx |= RF_DEPTHHACK;
orig_AddRefToScene(ref);
} Compile the dll and inject it into the game ( version 1.1 ) and jump into multiplayer, you should see that it now shows doors, player, and a few other things through walls
Thats the wallhack done. How about some writing?
Writing in MOHAA is slightly different because you can't simply draw and call it in drawactiveframe like you normally can in other q3 games.
Mohaa has a few functions you need to draw. DrawString, RegisterFont, Draw2d. RegisterFont and Drawstring need to be called directly rather than hooked like above. So lets do this.
Because im nice im posting the functions with the correct memory addresses.
RegisterFont and Drawstring are just globals to use.
Code:
INT* (WINAPIV *trap_RegisterFont)( const char *font ) = (int *(__cdecl *)(const char *))0x004AC2F0;
VOID (WINAPIV *trap_DrawString)( int *font, const char *text, float x, float y, int length, int size ) = (void (__cdecl *)(int *,const char *,float,float,int,int))0x004AC7C0;
Now we need CG_Draw2D else it will draw behind the world and we won't see the text unless we are in noclip and outside the map. So like we did for AddRefEntityToScene do the same for CG_Draw2D BUT call this in your LoadLibrary Hook because it is a function in cgamex86.dll not the .exe like the others.
Code:
HMODULE ( WINAPI *orig_LoadLibrary )( LPCSTR lpFileName );
HMODULE WINAPI LoadLibrary_Hook( LPCSTR lpFileName )
{
HMODULE hModule = orig_LoadLibrary( lpFileName );
if( strstr( lpFileName, "cgamex86.dll" ) )
{
orig_Draw2D = (void (__cdecl *)(void)) DetourFunction((PBYTE)0x300205EA, (PBYTE)CG_Draw2D );
}
return hModule;
} Code:
void (*orig_Draw2D)( void );
void CG_Draw2D( void )
{
orig_Draw2D();
} Now you have access to everything you need, lets call it shall we??
First off Lets make another void, because its Much easier to call one thing rather than a few. So lets make a drawing void.
Code:
void CG_DrawString( int x, int y, const char *text, int scale )
{
int *font = trap_RegisterFont( "verdana-14" );
trap_DrawString( font, text, x, y, -1, scale );
} You can use any font you like, possible arguments are:
Code:
"facfont-20" (standard)
"courier-16"
"courier-18"
"courier-20"
"handle-16"
"handle-18"
"handle-22"
"handle-23"
"marlett"
"verdana-12"
"verdana-14"
Thanks codinGanimal for a list of choosable fonts and the drawstring and registerfont functions.
In your Draw2D Hook call CG_DrawString instead of trap_Drawstring.
Code:
void (*orig_Draw2D)( void );
void CG_Draw2D( void )
{
CG_DrawString( 250, 5, "MOHAA Hook By Mombatu", 1 );
orig_Draw2D();
}
Now load it ingame and at the top of your screen you should see the writing!
Congratulations if you have, because you now have a wallhack with writing on MOHAA 1.1!!
Many other things can be done, use your disassembler to find things you need. As a good reference i recomend using the FAKK 2 sdk, as mohaa is very similar to this.
