MidFunction Hook (XP)

**disavow** · 08-31-2010, 03:38 AM

Thanks to learn_more for sending me xp version to hook.

Win7 + Vista: http://www.uc-forum.com/forum/d3d-pr...tion-hook.html

Defines

Code:

DWORD * VTable;
DWORD dwEndscene_hook, dwEndscene_ret;
BYTE EndSceneOpCodes[6];

Endscene
This time device is already been loaded and checked for null device

Code:

__declspec(naked) void MyEndscene( )
{
    __asm 
    {
         //most registers have already been preserved
         pushaf; //we are in the middle of a conditional jmp
         mov dword ptr ss:[ebp-1C], edi;
         mov dword ptr ss:[ebp-18], ebx; //replace patched code
         mov m_pD3Ddev, esi; //Get the device (loaded previously)
    }


    __asm 
    {
        popaf; //je is set
        jmp dwEndscene_ret;//jump back to normal endscene
    }

}

My offset init function using vtable pattern that Gordon' posted

Code:

void Dx9Hook( LPCSTR D3D9 )
{
    DWORD hD3D = NULL;
    while (!hD3D) hD3D = (DWORD)GetModuleHandle(D3D9);
    DWORD PPPDevice = FindPattern(hD3D, 0x128000,  (PBYTE)"\xC7\x06\x00\x00\x00\x00\x89\x86\x00\x00\x00\x00\x89\x86",  "xx????xx????xx");
    memcpy( &VTable, (void *)(PPPDevice + 2), 4);

    dwEndscene_hook = VTable[42] + 0x36; //mid function
    dwEndscene_ret = dwEndscene_hook + 0x6; //return address
}

Usuage @ Mainthread

Code:

Dx9Hook("d3d9.dll");

Memcpy((void *)Endscene_opcodes, (void *)"\x89\x7D\xE4\x89\x5D\xE8", 6);
        
while( 1 )
{
    Sleep( 1000 );

    if(memcmp((void *)Endscene_opcodes, (void *)dwEndscene_hook, 6) == 0 )
        Detour(dwEndscene_hook, MyEndscene);
 
}

Note: untested and uncompiled... all based on theory and coded quickly to help xp people find there way.

Edit: miscalculated distance, fixed now.

**Gellin** · 08-31-2010, 04:30 AM

I think the proper way to preserve the flags/registers what ever YOU call them would be.

Code:

_declspec(naked) void MyEndscene( )
{
    __asm 
    {
         mov dword ptr ss:[ebp-1C], edi;
         mov dword ptr ss:[ebp-18], ebx; 
         mov m_pD3Ddev, esi; 
         pushaf; 
    }


    __asm 
    {
        popaf; //je is set
        jmp dwEndscene_ret;//jump back to normal endscene
    }

}

Personally i would use pushad/popad as well

**disavow** · 08-31-2010, 05:11 AM

Quote:

Originally Posted by Gellin

I think the proper way to preserve the flags/registers what ever YOU call them would be.

Code:

_declspec(naked) void MyEndscene( )
{
    __asm 
    {
         mov dword ptr ss:[ebp-1C], edi;
         mov dword ptr ss:[ebp-18], ebx; 
         mov m_pD3Ddev, esi; 
         pushaf; 
    }


    __asm 
    {
        popaf; //je is set
        jmp dwEndscene_ret;//jump back to normal endscene
    }

}

Personally i would use pushad/popad as well

I'm preserving the flags before this:
mov dword ptr ss:[ebp-1C], edi;
because a flags have been set by the cmp op before it, not that it matters.
As I said all the registers have already been preserved and doing so again would probably crash it...
They wouldn't need to be preserved anyways, since they get reset after this hook.

thelick · 08-31-2010, 12:20 PM

Nice work Shad0w..And if you want hook vista/w7 and xp both?

**Little** · 08-31-2010, 12:32 PM

Quote:

Originally Posted by thelick

Nice work Shad0w..And if you want hook vista/w7 and xp both?

you have a few options, you could do a OS check, and hook accordingly

thelick · 08-31-2010, 12:41 PM

Quote:

Originally Posted by Little

you have a few options, you could do a OS check, and hook accordingly

Right thx little,similar of what i'm doing with the OS check for the addies of op7

**ZeaS** · 08-31-2010, 02:55 PM

Quote:

Originally Posted by thelick

Right thx little,similar of what i'm doing with the OS check for the addies of op7

or you could create a "emtpy" function, getting the current bytes and writing them into it so you would not need 2 caves and you will not need a os check : )

thelick · 08-31-2010, 05:49 PM

Quote:

Originally Posted by ZeaS

or you could create a "emtpy" function, getting the current bytes and writing them into it so you would not need 2 caves and you will not need a os check : )

Thanks ZeaS

**Quicktime** · 09-01-2010, 02:19 PM

Quote:

Originally Posted by Shad0w_

...

Hey,

I've seen this approach work with punkbuster in the past, I am not sure if it was JoshRose or R4z8r who spoke to me about it, they may have also released source-code somewhere on this forum...

Punkbuster would only scan the first 5-10 bytes of directx functions, so you can hook deeper within the function or hook subfunctions, etc. I am not sure if this is still the case however.

Regards,

- Quicktime

thelick · 09-01-2010, 02:26 PM

Quote:

Originally Posted by Quicktime

Hey,

I've seen this approach work with punkbuster in the past, I am not sure if it was JoshRose or R4z8r who spoke to me about it, they may have also released source-code somewhere on this forum...

Punkbuster would only scan the first 5-10 bytes of directx functions, so you can hook deeper within the function or hook subfunctions, etc. I am not sure if this is still the case however.

Regards,

- Quicktime

Almost sure we are talking about hackshield

**disavow** · 09-01-2010, 02:48 PM

As far as i'm aware it still works with punkbuster also.
Prehaps all anti detections tools except the latest version of gameguard.
SubFunctions work but that can go into a different sort of territory.

Once you go through there actual function calls and conditional jumps, there is much more that can be modified within the function without triggering a scan.
Once people learn a basic midfunction technique like this I guess they can be more creative and look into these options.

**Quicktime** · 09-01-2010, 03:09 PM

Quote:

Originally Posted by thelick

Almost sure we are talking about hackshield

Yes I know this thread is directed at Hackshield... I was just pointing out that the code may have additional uses...

Quote:

Originally Posted by Shad0w_

...

Thanks for pointing this out!

Cheers,

- Quicktime

z4y4 · 11-18-2011, 05:37 AM

help..
how to insert the midfunction hook into my base..??
My base hook

Quote:

Code:

 typedef HRESULT    ( WINAPI* oEndScene )( LPDIRECT3DDEVICE9 pDevice );
oEndScene pEndScene;

HRESULT APIENTRY myEndScene( LPDIRECT3DDEVICE9 pDevice )
{
        PostReset(pDevice);
        Menu.ShowMenu(pDevice);
        PreReset(pDevice);
    return pEndScene( pDevice );
}
PVOID D3Ddiscover(void *tbl, int size)
{
    HWND                  hWnd;
    void                  *pInterface=0 ;
    D3DPRESENT_PARAMETERS d3dpp;

    if ((hWnd=CreateWindowEx(NULL,WC_DIALOG,"",WS_OVERLAPPED,0,0,50,50,NULL,NULL,NULL,NULL))==NULL) return 0;
    ShowWindow(hWnd, SW_HIDE);

    LPDIRECT3D9            pD3D;
    LPDIRECT3DDEVICE9    pD3Ddev;
    if ((pD3D = Direct3DCreate9(D3D_SDK_VERSION))!=NULL)

    {
        ZeroMemory(&d3dpp, sizeof(d3dpp));
        d3dpp.Windowed         = TRUE;
        d3dpp.SwapEffect       = D3DSWAPEFFECT_DISCARD;
        d3dpp.hDeviceWindow    = hWnd;
        d3dpp.BackBufferFormat = D3DFMT_X8R8G8B8;
        d3dpp.BackBufferWidth  = d3dpp.BackBufferHeight = 600;
        pD3D->CreateDevice(D3DADAPTER_DEFAULT,D3DDEVTYPE_HAL,hWnd,D3DCREATE_SOFTWARE_VERTEXPROCESSING,&d3dpp,&pD3Ddev);
        if (pD3Ddev)  {
            pInterface = (PDWORD)*(DWORD *)pD3Ddev;
            memcpy(tbl,(void *)pInterface,size);
            pD3Ddev->Release();
        }
        pD3D->Release();
    }
    DestroyWindow(hWnd);
    return pInterface;
}
int D3D(void)
{
    HINSTANCE    hD3D;
    DWORD        vTable[2520/24];
    hD3D=0;
    do {
        hD3D = GetModuleHandle("d3d9.dll");
        if (!hD3D) Sleep(553000);
    } while(!hD3D);


    if (D3Ddiscover((void *)&vTable[0],23520/56)==0) return 0;
    {
       
        while(1)
        {
        if(memcmp((void*)vTable[7134/87],(void*)(PBYTE)"\x8B\xFF",128/64)== 0)
        {
            pDrawIndexedPrimitive    = (oDrawIndexedPrimitive)    DetourCreate((PBYTE)vTable[7134/87], (PBYTE)myDrawIndexedPrimitive, 245/49);
            pEndScene = (oEndScene) DetourCreate((PBYTE) vTable[1554/37], (PBYTE)myEndScene,245/49);
        }
    Sleep(55300);
    }
    return -1;
    }   

}
char* cBase::GetFile(char *file)
{
    static char path[320];
    for(int i= 0;i<strlen(path);i++)
        path[i]=0;
    strcpy(path, Base.dllpath);
    strcat(path, file);
    return path;
}
BOOL WINAPI DllMain(HMODULE hDll, DWORD dwReason, LPVOID lpReserved)
{
    DisableThreadLibraryCalls(hDll);
    if (dwReason == DLL_PROCESS_ATTACH)
    /*CheckValidHardwareID();*/
    {
        MessageBox (0,"====================================================================\n\n                                    =||>>>>zkyE D3D Menu<<<<||=\n\n====================================================================\n\nFITUR        :\n\n     >  WH CHAMS\n\n     >  HEAD CHAMS\n\n     >  WEAPON CHAMS\n\n     >  WH BENING\n\n     >  WH Glass (WH Biasa)\n\n     >  Phantom\n\n     >  Wireframe\n\n     >  Anti VoteKick   F1 = On / F2 = Off\n\n     >  Crosshair \n\n\n\nCreator :                                                          |== zAyA rAztA ==|\n\n====================================================================","                                   ==|| ™ zkyE (zaya@N3) zAyA rAztA ™ ||==", MB_OK);
       
        CreateThread(NULL, NULL, (LPTHREAD_START_ROUTINE)D3D, NULL, NULL, NULL);

    }   
    return TRUE;
}

TheGoogle · 02-04-2012, 08:44 AM

error

1>.\Direct3D.cpp(55) : error C2041: illegal digit 'C' for base '10'

mov dword ptr ss:[ebp-1C], edi; // c can not be used

TheGoogle · 02-08-2012, 08:21 AM

dwEndscene_hook = vtable [42] + 0x36; / / mid function

How do you get 0x36; please let me know

**Little** · 02-08-2012, 08:23 AM

he's hooking 0x36 bytes into the function... take a look at the function in d3d9.dll