[Source] MidFunction Hook

[Shad0w_]

Thought I would release this since I don't use it anymore
I made it as a method to counter hackshields protection
However there are easier methods to counter hackshield

Defines

Code:

DWORD * VTable;
DWORD dwEndscene_hook, dwEndscene_ret;
BYTE EndSceneOpCodes[6];

Endscene

Code:

__declspec(naked) void MyEndscene( )
{
    __asm 
    {
        mov dword ptr ss:[ebp - 10], esp;
        mov esi, dword ptr ss:[ebp + 0x8]; //replace patched code
                mov m_pD3Ddev, esi; //Get the device
    }


    __asm 
    {
        jmp dwEndscene_ret;//jump back to normal endscene
    }

}

My offset init function using vtable pattern that Gordon' posted

Code:

void Dx9Hook( LPCSTR D3D9 )
{
    DWORD hD3D = NULL;
    while (!hD3D) hD3D = (DWORD)GetModuleHandle(D3D9);
    DWORD PPPDevice = FindPattern(hD3D, 0x128000, (PBYTE)"\xC7\x06\x00\x00\x00\x00\x89\x86\x00\x00\x00\x00\x89\x86", "xx????xx????xx");
    memcpy( &VTable, (void *)(PPPDevice + 2), 4);

    dwEndscene_hook = VTable[42] + 0x2A; //mid function
    dwEndscene_ret = dwEndscene_hook + 0x6; //return address
}

Usuage @ Mainthread

Code:

Dx9Hook("d3d9.dll");


Memcpy((void *)Endscene_opcodes, (void *)"\x89\x65\xF0\x8B\x75\x08", 6);
        
while( 1 )
{
    Sleep( 1000 );

    if(memcmp((void *)Endscene_opcodes, (void *)dwEndscene_hook, 6) == 0 )
        Detour(dwEndscene_hook, MyEndscene);
 
}

Loop to counter repatching from hackshield
Detour must be 6 bytes long, since your over writing this instruction in endscene:
mov dword ptr ss:[ebp - 10], esp;
mov esi, dword ptr ss:[ebp + 0x8];

Enjoy.

This should work on most functions within the d3d interface, since I'm hooking just after the device is mov to esi.

[SEGnosis]

o: looks decent, but too many undefined vars.

[Shad0w_]

Quote:

Originally Posted by SEGnosis

o: looks decent, but too many undefined vars.

Not really, 4 basic and simple ones.
For people who can't master them, they should be doing this:

Code:

DWORD * VTable;
DWORD dwEndscene_hook, dwEndscene_ret;
BYTE EndSceneOpCodes[6];

[Gellin]

Code:

__declspec(naked) void MyEndscene( )
{
	__asm 
	{
		mov dword ptr ss:[ebp - 10], esp;
		mov esi, dword ptr ss:[ebp + 0x8]; //replace patched code
                mov m_pD3Ddev, esi; //Get the device
                pushad;
	}


	__asm 
	{
                popad;
		jmp dwEndscene_ret;//jump back to normal endscene
	}

}

[Shad0w_]

When I was using this method of hooking, I never had the need to push or pop any registers.
Never crashed, failed or error'd anyways.

[thelick]

I'm not expert like you by the way i don't use the endscene in my hook and i don't see any reason to use it or i'm wrong?
Endscene it's constantly scanned from the hs but it isn't so needful

[fatboy88]

Quote:

Originally Posted by thelick

I'm not expert like you by the way i don't use the endscene in my hook and i don't see any reason to use it or i'm wrong?
Endscene it's constantly scanned from the hs but it isn't so needful

its scanned cuz people with esp usally hook and draw there.

BeginScene: begins the scene data is drawn to back buffer

Present: the backbuffer is flipped to front buffer

Endscene: ends the front buffer drawing, swaps pointer back to the back buffer?

correct me if wrong ^^

[thelick]

And is it really needed?
I should thank Shad0w for his contribute aniway,but i think that there is always another way..

[M.Holder]

Whre kann i find the LPDIRECT3DDEVICE9 ?

Quote:

Endscene

Code:

__declspec(naked) void MyEndscene( )
{
    __asm 
    {
        mov dword ptr ss:[ebp - 10], esp;
        mov esi, dword ptr ss:[ebp + 0x8]; //replace patched code
                mov m_pD3Ddev, esi; //Get the device
    }
 
 
    __asm 
    {
        jmp dwEndscene_ret;//jump back to normal endscene
    }
 
}

Can i use this for Reset and DIP too?

Thank you for releasing this hook.

[Geecko]

just add:

Quote:

LPDIRECT3DDEVICE9 m_pD3Ddev;

before the first "_asm"
i think u can use it, u only need to get more parameters...ebp+0xC..and so on..

[M.Holder]

Can you give me an example please?

[fatboy88]

Quote:

Originally Posted by thelick

And is it really needed?
I should thank Shad0w for his contribute aniway,but i think that there is always another way..

there is but im explaining why most people hook it.

[Kosaki]

Quote:

Originally Posted by Geecko

just add:


before the first "_asm"
i think u can use it, u only need to get more parameters...ebp+0xC..and so on..

You can't do that in a naked function.
Rather use a global variable.

[M.Holder]

Hi,

thank you two for your replies.
Can you explain me where to put ebp + 0xC and what happens at the execution? (bcause i am not a c&p coder, i want to know what the code does at runtime)

How can i understand this: BYTE EndSceneOpCodes[6]; ?
When i am hooking Reset, what must be changed to get it working?

[thelick]

You don't need it for the reset :S
And some1 correct me if i'm wrong, cause i'm not so good with asm and i'm a beginner with the c++ , EBP allocate variables on the stack

[Shad0w_]

Quote:

Originally Posted by thelick

You don't need it for the reset :S
And some1 correct me if i'm wrong, cause i'm not so good with asm and i'm a beginner with the c++ , EBP allocate variables on the stack

EBP is filled with data from the stack pointer.
EBP now points to offsets containing data (the parameters).
It's the most generic place I found to hook, as far as I know it will work on many functions.
Not present, since it works... differently.

For endscene however, this is pretty much a complete working base code.

[Gellin]

This is probably OS specific, because the d3d9.dll differs for Win XP and Win 7 | Win Vista, unless you found a place to hook that the code you patched over is the same for both d3d9.dll versions.

I might be wrong though.

[M.Holder]

Quote:

Originally Posted by Shad0w_

EBP is filled with data from the stack pointer.
EBP now points to offsets containing data (the parameters).
It's the most generic place I found to hook, as far as I know it will work on many functions.
Not present, since it works... differently.

For endscene however, this is pretty much a complete working base code.

So, if i understand you correctly, i can´t hook Present with it?

Can i hook DIP and Reset with it?

EDIT:

Warrock crashs with that code:

Hookthread:

Code:

void HookD3D()
{
    Dx9EndSceneHook("d3d9.dll");
 
 
    memcpy((void *)EndSceneOpCodes, (void *)"\x89\x65\xF0\x8B\x75\x08", 6);
 
    while( 1 )
    {
        Sleep( 1000 );
 
        if(memcmp((void *)EndSceneOpCodes, (void *)dwEndScene_hook, 6) == 0 )
            DetourCreate((PBYTE)dwEndScene_hook, (PBYTE)myEndScene, 6);
 
    } 
}

Code:

__declspec(naked) void myEndScene()
{
    __asm
    {
        mov dword ptr ss:[ebp - 10], esp;
        mov esi, dword ptr ss:[ebp + 0x8];    //replace pathced code
        mov m_pD3DDev, esi;    //Get Device
    }
 
    DrawBoxA(m_pD3DDev, 20, 20, 200, 200, D3DCOLOR_ARGB(255, 255, 255, 0), D3DCOLOR_ARGB(255, 0, 0, 0));
 
    __asm
    {
        jmp dwEndScene_ret; //jump back to normal endscene
    }
}

Code:

void Dx9EndSceneHook(LPCSTR D3D9)
{
    DWORD hD3D = NULL;
    while (!hD3D) hD3D = (DWORD)GetModuleHandle(D3D9);
    DWORD PPPDevice = FindPattern(hD3D, 0x128000, (PBYTE)"\xC7\x06\x00\x00\x00\x00\x89\x86\x00\x00\x00\x00\x89\x86", "xx????xx????xx");
    memcpy ( &VTable, (void *)(PPPDevice + 2), 4);
 
    dwEndScene_hook = VTable[42] + 0x2A;
    dwEndScene_ret =dwEndScene_hook + 0x6;
}

My Detour:

Code:

void *DetourCreate (BYTE *src, const BYTE *dst, const int len)
{
    BYTE *jmp;
    DWORD dwback;
    DWORD jumpto, newjump;
 
    VirtualProtect(src,len,PAGE_READWRITE,&dwback);
 
    if(src[0] == 0xE9)
    {
        jmp = (BYTE*)malloc(10);
        jumpto = (*(DWORD*)(src+1))+((DWORD)src)+5;
        newjump = (jumpto-(DWORD)(jmp+5));
        jmp[0] = 0xE9;
        *(DWORD*)(jmp+1) = newjump;
        jmp += 5;
        jmp[0] = 0xE9;
        *(DWORD*)(jmp+1) = (DWORD)(src-jmp);
    }
    else
    {
        jmp = (BYTE*)malloc(5+len);
        memcpy(jmp,src,len);
        jmp += len;
        jmp[0] = 0xE9;
        *(DWORD*)(jmp+1) = (DWORD)(src+len-jmp)-5;
    }
    src[0] = 0xE9;
    *(DWORD*)(src+1) = (DWORD)(dst - src) - 5;
 
    for(int i = 5; i < len; i++)
        src[i] = 0x90;
    VirtualProtect(src,len,dwback,&dwback);
    return (jmp-len);
}

Should i use an other detour?

It is crashing after the the Chapter 2 MainScreen. But it shows my Rectangle there.
F*** HackShield.

Regards

[ZeaS]

Quote:

Originally Posted by M.Holder

So, if i understand you correctly, i can´t hook Present with it?

Can i hook DIP and Reset with it?

you basically can hook every function, you just need to replace the code that your jump messed up, thats all

Quote:

How can i understand this: BYTE EndSceneOpCodes[6]; ?

he's storing the original bytes in there and is checking them in a loop so if the current bytes match these bytes he knows that hackshield removed his hooks and is rehooking then.

Quote:

Whre kann i find the LPDIRECT3DDEVICE9 ?

if you would look at shadow's example, you would see, where you can get the device from "mov m_pD3DDev, esi; //Get the device"

edit
he edited his post

please use code tags :S try using pushad(fd) / popad(fd)

[thelick]

Quote:

Originally Posted by Shad0w_

EBP is filled with data from the stack pointer.
EBP now points to offsets containing data (the parameters).
It's the most generic place I found to hook, as far as I know it will work on many functions.
Not present, since it works... differently.

For endscene however, this is pretty much a complete working base code.

thx for the explanation and good job

@M.Holder this works goods for the endscene,and the detour that you are using is a simple jmp detour detected from the hackshield ---> 0xe9 00 00 00 00 almost patched months ago