[Question] Detouring without using IAT / EAT Hooking, Hardware Breakpoints or the 0xE9 Detour.
If the function is part of a class you can do a VTable hook. Just replace the function address in the list with your address.
__________________
I'm like a virus, you can delete me but I am never really gone.
Links die, searching does not. (Fravia : searchlores.org)
Solving problems requires effort not a college degree.
Sadly, the function is not a virtual function
Just a reason why I'm asking:
I'm hooking a function in Counter-Strike: Source to get its spread value, but inline detouring is detected by VAC, IAT / EAT hooks are also detected by VAC and, yes, you guessed it, so are hardware breakpoints.
VAC can't scan the whole Windows API.
You can also hide hardware breakpoints by hooking KiUserExceptionDispatcher and GetThreadContext.....
"VAC can't scan the whole Windows API" - I'm assuming you are referring to the IAT / EAT hooks?
no... jmp hooks...
VAC can only scan a few APIs for hooks, and they can only compare the first few bytes with a pattern. So you just need to find a Windows API which is not scanned, or place the hook not at the beginning.
Try mid-function hooking, like 15 or so bytes in. I use it for BF2, BF2142 and BF:Heroes and all my hooks are UD.
Hmm... I never knew that was possible, how would I achieve this?
OT: I've never seen another cheater / hacker from London :P I mean I've seen you post around these forums, but today I just looked at the Location part of your user info.
If VAC in CSS is really that hard then ring0 is a good idea. You could attack VAC directly and I think that is really hard or even impossible to detect if you do it right.
Hmm... I never knew that was possible, how would I achieve this?
That's referred to as a naked hook. You declare the function with a declspec of naked so no prologue is created; you then can handcraft your hook past the point of where they scan to. How you achieve it depends on the function layout. I usually look for 5 bytes I can patch and then adjust for that code in my function.
Well, here is the ASM code to a part which I think I could patch with no problems (11 bytes which I can patch):
if ( hWpnInfo == GetInvalidWeaponInfoHandle() )
{
    DevMsg("FX_FireBullets: LookupWeaponInfoSlot failed for weapon %s\n", wpnName );
    return;
}
And it would only stop the DevMsg, which as you can see is only a message meant for developers, meaning it would cause no problem if it was patched by some of my code. But I know I'd have to patch the if statement, otherwise my patched code wouldn't be called unless "hWpnInfo == GetInvalidWeaponInfoHandle()" was true.
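The mid-function hook the thread is converging on (the "naked hook" reply above and the 5-byte patch site the OP is looking for), as an added example that is not any poster's code: an x86-64 Linux program with a constructed target function whose byte offsets are all known. It overwrites five bytes past the first five, routes through a trampoline that captures the register value mid-function, replays the two displaced instructions unchanged and jumps back, which is exactly the "adjust for that code in my function" step. The trampoline is emitted as raw bytes in the same page rather than as a __declspec(naked) C function, so the example stays compiler-independent and the jmp rel32 (range ±2 GiB) is guaranteed to reach it. The two checks at the end model the thread's description of VAC (compare only the first bytes with the clean image) beside the whole-function checksum a later post warns about; PROLOGUE_SCAN = 5, the offsets and the target itself are assumptions made for the example.

```c
/* Added example: a mid-function ("naked") detour on x86-64 Linux.
 * The target is hand-assembled so every byte offset is known; the
 * "scanner" model (compare only the first PROLOGUE_SCAN bytes of the
 * function with the clean image) is an assumption taken from the thread. */
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#define PROLOGUE_SCAN 5   /* assumed: a prologue-only scanner checks this many bytes */
#define PATCH_OFF     5   /* first byte we overwrite, just past the scanned prologue */
#define RESUME_OFF    10  /* first instruction after the 5 displaced bytes */
#define TRAMP_OFF     64  /* the handcrafted hook lives in the same page, so the
                             5-byte jmp rel32 (range +/-2 GiB) can always reach it */

/* Constructed target: int target(int x) { return 2 * x + 4; } */
static const uint8_t target_code[] = {
    0x89, 0xf8,           /*  0: mov eax, edi                              */
    0x83, 0xc0, 0x01,     /*  2: add eax, 1                                */
    0x01, 0xc0,           /*  5: add eax, eax   <- these two whole          */
    0x83, 0xc0, 0x02,     /*  7: add eax, 2        instructions = 5 bytes   */
    0xc3,                 /* 10: ret                                       */
};

static uint8_t *code;      /* RX page: target at offset 0, trampoline at TRAMP_OFF */
static int32_t *captured;  /* RW page after it: value of eax grabbed mid-function   */

/* rel32 operands are relative to the end of the 4-byte immediate. */
static void put_rel32(uint8_t *at, const void *dest) {
    int32_t rel = (int32_t)((intptr_t)dest - (intptr_t)(at + 4));
    memcpy(at, &rel, sizeof rel);
}

static size_t page_size(void) { return (size_t)sysconf(_SC_PAGESIZE); }

/* Map the target: one code page (RX) followed by one data page (RW). */
int setup(void) {
    size_t pg = page_size();
    uint8_t *m = mmap(NULL, 2 * pg, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (m == MAP_FAILED) return -1;
    code = m;
    captured = (int32_t *)(m + pg);
    memcpy(code, target_code, sizeof target_code);
    return mprotect(code, pg, PROT_READ | PROT_EXEC);
}

/* Install the detour: jmp rel32 at PATCH_OFF -> trampoline, which saves eax,
 * replays the two displaced instructions unchanged and jumps back to RESUME_OFF. */
int install_hook(void) {
    size_t pg = page_size();
    uint8_t *t = code + TRAMP_OFF;
    if (mprotect(code, pg, PROT_READ | PROT_WRITE) != 0) return -1;
    t[0] = 0x89; t[1] = 0x05;                   /* mov [rip+disp32], eax   */
    put_rel32(t + 2, captured);
    memcpy(t + 6, target_code + PATCH_OFF, 5);  /* add eax,eax ; add eax,2 */
    t[11] = 0xe9;                               /* jmp rel32 -> RESUME_OFF */
    put_rel32(t + 12, code + RESUME_OFF);
    code[PATCH_OFF] = 0xe9;                     /* the 0xE9 now sits mid-function */
    put_rel32(code + PATCH_OFF + 1, t);
    return mprotect(code, pg, PROT_READ | PROT_EXEC);
}

int call_target(int x) { return ((int (*)(int))(uintptr_t)code)(x); }
int last_captured(void) { return *captured; }

/* A prologue-only scanner (the model from the thread) still sees clean bytes. */
int prologue_matches_image(void) { return memcmp(code, target_code, PROLOGUE_SCAN) == 0; }
/* A whole-function checksum, as mentioned later in the thread, does not. */
int body_matches_image(void) { return memcmp(code, target_code, sizeof target_code) == 0; }

int main(void) {
    int r;
    if (setup() != 0) return 1;
    printf("clean:  target(3) = %d\n", call_target(3));
    if (install_hook() != 0) return 1;
    r = call_target(3);
    printf("hooked: target(3) = %d, eax captured mid-function = %d\n", r, last_captured());
    printf("prologue scan clean: %d, full checksum clean: %d\n",
           prologue_matches_image(), body_matches_image());
    return 0;
}
```

The patch site must start and end on instruction boundaries and the displaced instructions must not be position-dependent (no rel8/rel32 jumps, no RIP-relative operands), otherwise replaying them from the trampoline changes their meaning; that is the "depends on the function layout" caveat from the reply above. The last two functions show why the trick only beats a scanner that compares the first few bytes: any check that hashes the whole function body sees the change.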
There is no other possibility, but instead of hardware breakpoints you can create any other exception and catch it with an exception handler.
Spot on. I use a PAGE_GUARD exception and then, to re-add the hook, I set the trap flag to single-step through the function; it may sound slow, but in live tests there is literally no increase in lag in all games it's been tested on.
Thus far, I haven't run into an anti-cheat which checks the protection status for each page.
As I said you can create any exception, there are still some other ways to force an exception.
the PAGE_GUARD exception method is very slow and I am sure it costs a lot of fps if you single step through the whole page... of course it still depends on which page you choose.
Another way to hook a function would be to insert a push [address of your hook] right before the ret of the target function. This falls into the category of code patching and can be detected, for example, with checksums, but if you use this to detour Windows API functions it's pretty powerful.
the PAGE_GUARD exception method is very slow and I am sure it costs a lot of fps if you single step through the whole page... of course it still depends on which page you choose.
Actually, there is no noticeable lag when I'm using my hooking library which utilizes this very technique; library can be found here.
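The PAGE_GUARD plus trap-flag technique from the last few posts, as an added example and not the poster's library: ported to x86-64 Linux, where a PROT_NONE page plus SIGSEGV stands in for the guard-page exception and SIGTRAP for the single-step exception. The guard handler records the call (here: the first argument), unprotects the page and sets TF; the trap handler keeps stepping while RIP is still inside the page and re-arms the guard as soon as execution leaves it, which is the "re-add the hook" step. The target function, its bytes and the counters are constructed for the example; REG_RDI, REG_RIP and REG_EFL are glibc's ucontext register indices.

```c
/* Added example: the PAGE_GUARD + trap-flag hook from the thread, ported to
 * x86-64 Linux (PROT_NONE + SIGSEGV stands in for PAGE_GUARD, SIGTRAP for the
 * single-step exception). Not the poster's library; the target is constructed. */
#define _GNU_SOURCE
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <ucontext.h>
#include <unistd.h>

#define EFLAGS_TF 0x100   /* x86 trap flag: one #DB after every instruction */

/* Constructed target: int target(int x) { return x + 1; } on its own page. */
static const uint8_t target_code[] = { 0x8d, 0x47, 0x01, 0xc3 }; /* lea eax,[rdi+1]; ret */

static uint8_t *page;
static size_t page_size;
static volatile int guard_hits;   /* calls intercepted                      */
static volatile int steps;        /* single-step traps taken                */
static volatile int last_arg;     /* the "hook": the argument seen at entry */

static int in_page(uintptr_t a) {
    return a >= (uintptr_t)page && a < (uintptr_t)page + page_size;
}

/* Guard hit: the CPU tried to fetch from the PROT_NONE page. Record the call,
 * unprotect so the instruction can run, and set TF so we get control back
 * after every instruction until execution leaves the page. */
static void on_segv(int sig, siginfo_t *si, void *ctx) {
    ucontext_t *uc = ctx;
    (void)sig;
    if (!in_page((uintptr_t)si->si_addr)) {   /* not our guard: crash normally */
        signal(SIGSEGV, SIG_DFL);
        return;
    }
    guard_hits++;
    last_arg = (int)uc->uc_mcontext.gregs[REG_RDI];   /* first SysV argument */
    mprotect(page, page_size, PROT_READ | PROT_EXEC);
    uc->uc_mcontext.gregs[REG_EFL] |= EFLAGS_TF;
}

/* Single-step trap: keep stepping while RIP is inside the guarded page;
 * once it leaves, clear TF and re-arm the guard for the next call. */
static void on_trap(int sig, siginfo_t *si, void *ctx) {
    ucontext_t *uc = ctx;
    (void)sig; (void)si;
    steps++;
    if (in_page((uintptr_t)uc->uc_mcontext.gregs[REG_RIP])) return;
    uc->uc_mcontext.gregs[REG_EFL] &= ~(greg_t)EFLAGS_TF;
    mprotect(page, page_size, PROT_NONE);
}

int setup(void) {
    struct sigaction sa;
    page_size = (size_t)sysconf(_SC_PAGESIZE);
    page = mmap(NULL, page_size, PROT_READ | PROT_WRITE,
                MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED) return -1;
    memcpy(page, target_code, sizeof target_code);
    memset(&sa, 0, sizeof sa);
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    sa.sa_sigaction = on_segv;
    if (sigaction(SIGSEGV, &sa, NULL) != 0) return -1;
    sa.sa_sigaction = on_trap;
    if (sigaction(SIGTRAP, &sa, NULL) != 0) return -1;
    return mprotect(page, page_size, PROT_NONE);  /* arm: the first fetch faults */
}

int call_target(int x) { return ((int (*)(int))(uintptr_t)page)(x); }
int hits(void)          { return guard_hits; }
int step_count(void)    { return steps; }
int captured_arg(void)  { return last_arg; }

int main(void) {
    if (setup() != 0) return 1;
    printf("target(41) = %d\n", call_target(41));
    printf("guard hits = %d, arg seen = %d, single steps = %d\n",
           hits(), captured_arg(), step_count());
    return 0;
}
```

Two caveats a practitioner wants here. First, the cost is one fault per call plus one trap per instruction executed on that page, which is the FPS concern raised above: it is cheap for a short function on a page of its own and expensive for a hot function sharing a page with a lot of other code. Second, this handler re-arms as soon as RIP leaves the page, so a target that calls out to another page and comes back would be counted twice; for such a function, compare against the saved return address instead of the page bounds.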