[Coding] D3D Hooking Using Renderer Class

**Sfab1** · 04-26-2010, 11:30 AM

this is short and simple probably nothing new for some people but might be usefull for newcomers and i actually didnt see this anywhere posted so...

Code:

LPDIRECT3DDEVICE9 pGameDevice;
typedef HRESULT( WINAPI *EndScene_ )( LPDIRECT3DDEVICE9 pDevice);
typedef HRESULT( WINAPI *DrawIndexedPrimitive_)(LPDIRECT3DDEVICE9 pDevice, D3DPRIMITIVETYPE Type, INT BaseVertexIndex, UINT MinIndex,    UINT NumVertices, UINT StartIndex, UINT PrimitiveCount);
EndScene_ pEndScene;
DrawIndexedPrimitive_ pDrawIndexedPrimitive;

HRESULT WINAPI hEndScene( LPDIRECT3DDEVICE9 pDevice )
{    
    _asm pushad;
    /*YOUR CODE HERE*/
    __asm popad;
    return pEndScene(pDevice);
}
HRESULT WINAPI hDrawIndexedPrimitive(LPDIRECT3DDEVICE9 pDevice, D3DPRIMITIVETYPE Type, INT BaseVertexIndex, UINT MinIndex, UINT NumVertices, UINT startIndex, UINT primCount)
{    
    _asm pushad;
    /*YOUR CHAMS CODE HERE*/
    _asm popad;
    return pDrawIndexedPrimitive(pDevice, Type, BaseVertexIndex, MinIndex,NumVertices, startIndex, primCount);
}
void InitRendering(LPDIRECT3DDEVICE9 pDevice)
{
    if(bInitOnce == true)
    {
        /* HERE CREATE FONTS, LINES, INIT VIEWPORT */

        bInitOnce = false;
    }
} 
DWORD WINAPI dwSleepThread( LPVOID lpArgs )
{
    DWORD BF2Base = NULL;
    while ( BF2Base == NULL )
    {
        Sleep( 200 );
        BF2Base = ( DWORD ) GetModuleHandle("BF2.exe");
    }

    while(!pGameDevice) 
        pGameDevice = renderer->m_pDevice;// LPDIRECT3DDEVICE9 from Renderer Class

    InitRendering(pGameDevice);

    DWORD* pdwNewGameDevice = (DWORD*)pGameDevice;
    pdwNewGameDevice = (DWORD*)pdwNewGameDevice[0]; 

    pEndScene = (EndScene_)DetourFunction((PBYTE)(pdwNewGameDevice[42]),(PBYTE)hEndScene);
    pDrawIndexedPrimitive = (DrawIndexedPrimitive_)DetourFunction((PBYTE)pdwNewGameDevice[82],(PBYTE)hDrawIndexedPrimitive);
    return 0;
}
INT WINAPI DllMain( HMODULE hModule, DWORD dwReason, LPVOID lpArgs )
{
    switch ( dwReason )
    {
        case DLL_PROCESS_ATTACH:
        {    
            CreateThread( NULL, NULL, &dwSleepThread, NULL, NULL, NULL );
        }
        break;
    }
    return TRUE;
}

above works for bf2 and 2142 it would work for Cod4 as well with small change

make it work with MW2 or WAW just change offset then...

Code:

    DWORD  COD4Base = NULL;
    while ( COD4Base == NULL )
    {
        Sleep( 200 );
         COD4Base = ( DWORD ) GetModuleHandle("iw3mp.exe");
    }

    while(!pGameDevice) 
        *( DWORD *)&pGameDevice = *( DWORD * )0xCC9A408;//for call of duty 4

credits: Me, uc-forum in general and everyone who contributes their knowledge to this community

**learn_more** · 04-26-2010, 11:44 AM

thanks for sharing your insights, but imho this could be expanded a bit:

you call it 'D3D Hooking Using Renderer Class', yet you only reference the renderer class once, when reading it.

this doesnt teach much, not how to find the renderer class, not how to reverse it, only to get the device out of it when you already have the renderer class, but when people are upto that point, you can assume they can read the device out of it aswell?