D3D9 vTable doesnt work =(

[MurxXxel]

Hey Guys^^,

I wanted to make a chams hack for d3d9, so i searched in the web and found much tutorials about this stuff.
Firstly i wanted to hook all the functions without vTable but everybody says try it with its better....
So i decided to do this with help (web,tutorials...) but im stucking here because only Endscene and Beginscene is hooked here and i dont know why :S

So please help a noob and make him happy =)

Thanks to all who are trying to help me^^

PS: and maybe u can help me with explaining it what i made wrong ()=)

PHP Code:

#include <windows.h>
//----------------------------------------------------------------------------------------------------------------------------------

//-----------------------------------------------------------------------------------------------------------------------------------
#include <mmsystem.h>
#pragma comment(lib, "winmm.lib")
//-----------------------------------------------------------------------------------------------------------------------------------
#include <stdio.h>
//-----------------------------------------------------------------------------------------------------------------------------------
#include <fstream>
//-----------------------------------------------------------------------------------------------------------------------------------
#include "detours.h"
#pragma comment(lib,"detours.lib")
//-----------------------------------------------------------------------------------------------------------------------------------
#include <d3d9.h>
#include <d3dx9.h>
#include <vector>
#pragma comment(lib, "d3d9.lib")
#pragma comment(lib, "d3dx9.lib")
//-----------------------------------------------------------------------------------------------------------------------------------
using namespace std;
//---------------------------------------------------------------------------------------------------------------------------------
#define HOOK(func,addy) o##func = (t##func)DetourFunction((PBYTE)addy,(PBYTE)hk##func) //Quick Hook using MS Detour
#define UNHOOK(func,addy) o##func = (t##func)DetourFunction((PBYTE)addy,(PBYTE)o##func) //Quick Unook using MS Detour
//---------------------------------------------------------------------------------------------------------------------------------
#define ES  0 //EndScene
#define DIP 1 //DrawIndexedPrimitive
#define RES 2 //Reset
#define BS    3 //Beginscene
#define DP    4 //DrawPrimitive
#define SSS 5 //SetStreamSource


//---------------------------------------------------------------------------------------------------------------------------------
LPDIRECT3DDEVICE9 npDevice; //pDevice is stored here so we can hook through the VTable
//---------------------------------------------------------------------------------------------------------------------------------
UINT myStride = 0;
//---------------------------------------------------------------------------------------------------------------------------------
ofstream myfile; //Used for logging to a text file
//---------------------------------------------------------------------------------------------------------------------------------


typedef HRESULT (WINAPI* tEndScene)(LPDIRECT3DDEVICE9 pDevice);
tEndScene oEndScene = NULL;

typedef HRESULT (WINAPI* tDrawIndexedPrimitive)(LPDIRECT3DDEVICE9 pDevice, D3DPRIMITIVETYPE PrimType,INT BaseVertexIndex,UINT MinVertexIndex,UINT NumVertices,UINT startIndex,UINT primCount);
tDrawIndexedPrimitive oDrawIndexedPrimitive = NULL;

typedef HRESULT(WINAPI* BeginScene_)(LPDIRECT3DDEVICE9 pDevice);
BeginScene_ oBeginScene;

typedef HRESULT(WINAPI* tReset)(LPDIRECT3DDEVICE9 pDevice, D3DPRESENT_PARAMETERS* pPresentationParameters);
tReset oReset = NULL;

typedef HRESULT (WINAPI* tSetStreamSource)(LPDIRECT3DDEVICE9 pDevice,UINT StreamNumber,IDirect3DVertexBuffer9* pStreamData,UINT OffsetInBytes,UINT Stride);
tSetStreamSource oSetStreamSource;
//---------------------------------------------------------------------------------------------------------------------------------
PBYTE HookVTableFunction( PDWORD* dwVTable, PBYTE dwHook, INT Index )
{
    DWORD dwOld = 0;
    VirtualProtect((void*)((*dwVTable) + (Index*4) ), 4, PAGE_EXECUTE_READWRITE, &dwOld);

    PBYTE pOrig = ((PBYTE)(*dwVTable)[Index]);
    (*dwVTable)[Index] = (DWORD)dwHook;

    VirtualProtect((void*)((*dwVTable) + (Index*4)), 4, dwOld, &dwOld);

    return pOrig;
}

 
//-----------------------------------------------------------------------------------------------------------------------------------
HRESULT WINAPI hkEndScene(LPDIRECT3DDEVICE9 pDevice)
{
    myfile << "EndScene is hooked\n";             //Check log
    while(!npDevice) {
        npDevice = pDevice;                       //Here we store pDevice so we can re-hook with a VTable hook later.
    }

    return oEndScene(pDevice);
}
//---------------------------------------------------------------------------------------------------------------------------------
HRESULT WINAPI hkBeginScene(LPDIRECT3DDEVICE9 pDevice)
{
    myfile << "BeginScene is hooked\n";             //Check log
    return oBeginScene(pDevice);
}
//---------------------------------------------------------------------------------------------------------------------------------
LPDIRECT3DTEXTURE9 texRed;
LPDIRECT3DTEXTURE9 texGreen;

HRESULT WINAPI hkDrawIndexedPrimitive(LPDIRECT3DDEVICE9 pDevice, D3DPRIMITIVETYPE PrimType,INT BaseVertexIndex,UINT MinVertexIndex,UINT NumVertices,UINT startIndex,UINT primCount)
{

    myfile << "DrawIndexPrimitive is hooked\n";             //Check log
    return oDrawIndexedPrimitive(pDevice, PrimType, BaseVertexIndex, MinVertexIndex, NumVertices, startIndex, primCount);
}

//---------------------------------------------------------------------------------------------------------------------------------
HRESULT WINAPI hkReset(LPDIRECT3DDEVICE9 pDevice, D3DPRESENT_PARAMETERS* pPresentationParameters)
{
    myfile << "Reset is hooked\n";                //Check log
    

   HRESULT iReturnValue = oReset(pDevice, pPresentationParameters);

    if(iReturnValue == D3D_OK) {

       
    }

    return iReturnValue;

}

HRESULT WINAPI hkSetStreamSource(LPDIRECT3DDEVICE9 pDevice,UINT StreamNumber,IDirect3DVertexBuffer9* pStreamData,UINT OffsetInBytes,UINT Stride)
{
myfile << "SetStreamSource is hooked\n";
return oSetStreamSource(pDevice,StreamNumber,pStreamData,OffsetInBytes,Stride);
}
//-----------------------------------------------------------------------------------------------------------------------------------
LRESULT CALLBACK MsgProc(HWND hwnd,UINT uMsg,WPARAM wParam,LPARAM lParam){return DefWindowProc(hwnd, uMsg, wParam, lParam);}
void DX_Init(DWORD* table)
{
    WNDCLASSEXA wc = {sizeof(WNDCLASSEX),CS_CLASSDC,MsgProc,0L,0L,GetModuleHandleA(NULL),NULL,NULL,NULL,NULL,"DX",NULL};
    RegisterClassExA(&wc);
    HWND hWnd = CreateWindowA("DX",NULL,WS_OVERLAPPEDWINDOW,100,100,300,300,GetDesktopWindow(),NULL,wc.hInstance,NULL);
    LPDIRECT3D9 pD3D = Direct3DCreate9( D3D_SDK_VERSION );
    D3DPRESENT_PARAMETERS d3dpp;
    ZeroMemory( &d3dpp, sizeof(d3dpp) );
    d3dpp.Windowed = TRUE;
    d3dpp.SwapEffect = D3DSWAPEFFECT_DISCARD;
    d3dpp.BackBufferFormat = D3DFMT_UNKNOWN;
    LPDIRECT3DDEVICE9 pd3dDevice;
    pD3D->CreateDevice(D3DADAPTER_DEFAULT,D3DDEVTYPE_HAL,hWnd,D3DCREATE_SOFTWARE_VERTEXPROCESSING,&d3dpp,&pd3dDevice);
    DWORD* pVTable = (DWORD*)pd3dDevice;
    pVTable = (DWORD*)pVTable[0];

    table[ES]   = pVTable[42];                    //EndScene address
    table[DIP]  = pVTable[82];                    //DrawIndexedPrimitive address
    table[RES]  = pVTable[16];                    //Reset address
    table[BS]   = pVTable[41];                    //BeginScene address
    table[SSS] = pVTable[100];                      //SetStreamSource


    DestroyWindow(hWnd);

    
}
//------------------------------------------------------------------------------------------------------------------------------------
DWORD WINAPI VirtualMethodTableRepatchingLoopToCounterExtensionRepatching( LPVOID  Param )
{
    while(1) {
        Sleep(100);
        HookVTableFunction((PDWORD*)npDevice, (PBYTE)hkDrawIndexedPrimitive, 82); //Hook DrawIndexedPrimitive
        HookVTableFunction((PDWORD*)npDevice, (PBYTE)hkEndScene, 42); //Hook EndScene
        HookVTableFunction((PDWORD*)npDevice, (PBYTE)hkReset, 16); //Hook Reset
        HookVTableFunction((PDWORD*)npDevice, (PBYTE)hkBeginScene, 41); //Hook Beginscene
        HookVTableFunction((PDWORD*)npDevice, (PBYTE)hkSetStreamSource, 100);//Hook SetStreamSource
    }

    return 1;
}
//------------------------------------------------------------------------------------------------------------------------------------
bool hooked = false;
DWORD WINAPI LoopFunction( LPVOID lpParam  )
{

    while(1) {
        if( hooked == false) {
            DWORD VTable[3] = {0};

            while(GetModuleHandleA("d3d9.dll")==NULL) {
                Sleep(250);
            }

            DX_Init(VTable);
            HOOK(EndScene,VTable[ES]);            //Hook EndScene as a device discovery hook

            while(!npDevice) {
                Sleep(50); //Sleep until npDevice is not equal to NULL
            }

            UNHOOK(EndScene, VTable[ES]);         //Unhook as soon as we have a valid pointer to pDevice
            *(PDWORD)&oDrawIndexedPrimitive = VTable[DIP];
            *(PDWORD)&oEndScene                = VTable[ES];
            *(PDWORD)&oReset                = VTable[RES];
            *(PDWORD)&oBeginScene            = VTable[BS];
            *(PDWORD)&oSetStreamSource            = VTable[SSS];
            
            CreateThread(NULL,0,&VirtualMethodTableRepatchingLoopToCounterExtensionRepatching,NULL,0,NULL); //Create hooking thread

            hooked = true;

            Sleep(200);

        }
    }
    return 0;
}
//------------------------------------------------------------------------------------------------------------------------------------
BOOL WINAPI DllMain(HMODULE hModule, DWORD dwReason, LPVOID lpvReserved)
{
    if(dwReason == DLL_PROCESS_ATTACH) {
        CreateThread(0, 0, LoopFunction, 0, 0, 0);
        myfile.open("C:\\Users\\pc\\Desktop\\CPP\\Hooklog.txt");
        myfile.clear();
        myfile << "----------Attached----------\n";
        myfile << "\n";
    }
    else if(dwReason == DLL_PROCESS_DETACH) {
        myfile << "----------Detached----------";
        myfile.close();
    }

    return TRUE;
} 


[4bply]

That is JoshRose source right?

[MurxXxel]

I have it from another page it can be that that is his code^^

Quote:

myfile << "SetStreamSource is hooked\n";

Is very, very, very, stupid.
Having file io getting called 54000 times a minute is just going to wreak havoc in so many ways.

Quote:

VirtualMethodTableRepatchingLoopToCounterExtensionRepatching

What the fk???

So many things wrong.

[MurxXxel]

Is right im learning ^^
thx for answer

I recommend just using strife's base that was made for logging strides

[JoshRose]

Quote:

Originally Posted by SEGnosis

Is very, very, very, stupid.
Having file io getting called 54000 times a minute is just going to wreak havoc in so many ways.

What the fk???

So many things wrong.

This code was written as a base, it was not designed to be used as it is exactly, those logs are just so you know when all is working, obviously you take them out.

VirtualMethodTableRepatchingLoopToCounterExtension Repatching

is used to keep overwriting the address incase something has patched it back.

[Roverturbo]

Quote:

Originally Posted by SEGnosis

Quote:

What the fk???

I wrote that function for two valid reasons:

1. Depending on the game at hand, some Direct3D extension functions used restore the virtual method table and erase your detouring.
2. I wanted to break the longest function name record, did I win?

With no disrespect intended towards JoshRose's contribution, if you want something more easier to follow and understand (do you intend on trying to understand what you are doing?) then you can look at this example.

Direct3D9 Interface Hooking

Quote:

Originally Posted by JoshRose

This code was written as a base, it was not designed to be used as it is exactly, those logs are just so you know when all is working, obviously you take them out.

VirtualMethodTableRepatchingLoopToCounterExtension Repatching

is used to keep overwriting the address incase something has patched it back.

You know you could add a simple time code check and if it gets out of sync for over a second or two with no response from reset or end scene, then you re-hook.

Instead of wasting away re hooking for no reason.

[MurxXxel]

Okay thank you all xD

roverturbo thank u ill have a look at your base
and pm you if i have questions =)

[Roverturbo]

Quote:

Originally Posted by SEGnosis

You know you could add a simple time code check and if it gets out of sync for over a second or two with no response from reset or end scene, then you re-hook.

Instead of wasting away re hooking for no reason.

If you research the scenario then you will find out it constantly gets erased within one second of you writing to the table. There is reason for repeative patching and no waste or resources (although someone must have a really poor system for that simple thread to effect their performance).

Quote:

Originally Posted by MurxXxel

and pm you if i have questions =)

If you have questions then you ask them in the forum, not in private messages.

[zoomgod]

Couple things to note:

1) Some A/C will unhook VMT the first time and kick the second so it depends on the game if you can even do a straight up VMT hook (I see no mention of game).

2) Why hook SetStreamSource when you can simply call GetStreamSource in DIP to get the stride. Roverturbo posted an example of that here in the past and of course less hooks means less chance of detection.