[Undetected] xPwn 1.0 xFire Trampoline Hook

**raiders** · 09-02-2010, 05:47 AM

Code:

/*
Project: xPwn 1.0 xFire Trampoline Hook
Author: Raiders - UC-Forum.com
Release Date: 9/1/2010

Credits:    Reunion - Initial Swapchain::Present hook and using xfire's hook to obtain render access.
            Monster64 - Hes awesome.
            xFire - Thanks for creating a wide open window to avoid punkbuster scans on our render hooks!

This code is a UC-Forum only release and is not to be distributed without express permission from the author.
This code may not be used in any saleable product, public hacks using this method are encouraged!
*/

I turned my idea into a working base for you guys to use. I wrote my own little detour function just to replace and redirect their trampoline, so if you don't know how detours work now is your chance to learn!

This code should work in any xfire supported game where the game uses a swapchain to render (Battlefield, Call of Duty... perhaps more). Xfire must be installed and loaded into the game.

This method can be adapted to work for any xfire supported game on really any xfire supported renderer. This method can also be adapted to other in game overlays, such as fraps.

If there is enough popularity for this release, I may create hooks to support games that don't use a swapchain for rendering and possibly a dx10/11 release.

What you get:
Undetected render hook!
Undetected reset hook!
Undetected release hook (xfire hooks this function, if you need it I wrote the hook...)
All of the required functions to enable all of these hooks across multiple versions of xfire.

Download Link:
http://www.ucdownloads.com/downloads...o=file&id=5485

Enjoy,
Raiders

**Rave.whiteLight** · 09-02-2010, 06:08 AM

I reserve my first post and first thanks for this until it is approved.

Thanks though lol

**Hanoi22** · 09-02-2010, 07:50 AM

Omg can't wait, Good job.

**learn_more** · 09-02-2010, 01:08 PM

approved, no binaries, no scanlog

**Gellin** · 09-02-2010, 01:39 PM

Nice work, xfire just got raided.

**smoochy** · 09-02-2010, 06:18 PM

very nice & clean base, sir.

+reputation.

**Freeheadshot** · 09-04-2010, 07:15 PM

very nice post ! Thanks

**disavow** · 09-04-2010, 08:48 PM

Thisisgoodthanks

Coolness +rep.

Special11 · 09-12-2010, 11:22 PM

Thanks for publicating this

**raiders** · 09-15-2010, 10:17 PM

Quote:

Originally Posted by Special11

Thanks for publicating this

You are quite welcome lol

Cynical_Dude · 09-28-2010, 04:08 PM

What are you supposed to do with this ??

**fatboy88** · 09-28-2010, 04:50 PM

Quote:

Originally Posted by Cynical_Dude

What are you supposed to do with this ??

Hook and draw and other things ....

Cynical_Dude · 09-28-2010, 04:53 PM

Great help... nvm guess my newb brain just isnt good enough at programming to understand this stuff yet

**CyberDwak** · 09-30-2010, 04:00 PM

Nice Hook raiders!

You could also use this:

PHP Code:

  ////////////////////////////////////////////////////////////////////

int FindXFireString(char* ss)
{
    int qs=0,i=0;//xfire
    while(ss[qs]!=0)qs++;
    for(i=0;i<qs;i++)
    {
        if((i+5)>qs)return 0;
        if(ss[i+0] == 'x')
        if(ss[i+1] == 'f')
        if(ss[i+2] == 'i')
        if(ss[i+3] == 'r')
        if(ss[i+4] == 'e')
        {
            return 1;                
        }
    }
    return 0;
}

////////////////////////////////////////////////////////////////////

char *GetModule( ModuleInfoNode* module )
{
   ProcessModuleInfo *pmInfo;

   char *buf;
   char *pathbuf;
   int i = 0;

   _asm
   {
      mov eax, fs:[18h]      // TEB
      mov eax, [eax + 30h]   // PEB
      mov eax, [eax + 0Ch]   // PROCESS_MODULE_INFO
      mov pmInfo, eax
   }

   module = (ModuleInfoNode *)(pmInfo->LoadOrder.Flink);
    
   while( module->baseAddress )
   {
      buf=(char*)malloc((1+module->name.Length)*sizeof(char));
      for(i = 0; i < module->name.Length;i++)buf[i] = module->name.Buffer[i];
      buf[i] = 0;
      pathbuf=(char*)malloc((1+module->fullPath.Length)*sizeof(char));
      for(int p=0; p < module->fullPath.Length;p++)pathbuf[i] = module->fullPath.Buffer[i];
      pathbuf[i] = 0;
      if(FindXFireString(buf)==1)
      {
          return buf;
      }
      module = (ModuleInfoNode *)(module->LoadOrder.Flink);
      free(buf);
   }
   return NULL;
}

////////////////////////////////////////////////////////////////////

I Can't remember where I found it but its used to dynamically find the xfire modules name

.

Use it like this:

PHP Code:

  DWORD WINAPI InitHooks(LPVOID)
{
    char *ModName            = NULL;
    ModuleInfoNode *module;

    while(!ModName)
    {
        ModName = GetModule( module );
        Sleep(10);
    }

    DWORD dwXfire = 0;
    while(!dwXfire)
    {
        dwXfire = (DWORD)GetModuleHandle(ModName);
        Sleep(250);
    }

And I'm not sure if PB scans for strings but if they do then you should just ZeroMemory the Pattern Scan Strings after you use them:

PHP Code:

  DWORD WINAPI InitHooks(LPVOID)
{
    char *ModName            = NULL;
    ModuleInfoNode *module;

    while(!ModName)
    {
        ModName = GetModule( module );
        Sleep(10);
    }

    DWORD dwXfire = 0;
    while(!dwXfire)
    {
        dwXfire = (DWORD)GetModuleHandle(ModName);
        Sleep(250);
    }

    Sleep(5000);

    char *FP_One        = "\x55\x8B\xEC\x83\xEC\x00\x53\x52\x51\x56\x57\x9C\xE8\x00\x00\x00\x00\x89\x45\x00\xFF\x75\x00\xFF\x75\x00\xFF\x75\x00\xFF\x75\x00\xFF\x75\x00\xFF\x75\x00\x8B\x4D\x00\xE8\x00\x00\x00\x00\xA3\x00\x00\x00\x00\x8B\x4D\x00\xE8\x00\x00\x00\x00\x83\xF8\x00\x75\x00\x8B\x45\x00\x5\x00\x00\x00\x00";
    char *FP_Two        = "xxxxx?xxxxxxx????xx?xx?xx?xx?xx?xx?xx?xx?x????x????xx?x????xx?x?xx?x???";

    CXfireTrampoline* xfTrampoline = GetXfireTrampoline(GetAbsoluteFromRelative(FindPattern((DWORD)dwXfire, 0xFFFFFF, (byte*)FP_One, (char*)FP_Two) + 0xC));

    //Render hook
    pSwapPresent = (SwapPresent_t)HookTrampoline(&xfTrampoline->trSwapchain, (DWORD*)&hkSwapPresent);

    //Reset hook
    pReset = (Reset_t)HookTrampoline(&xfTrampoline->trReset, (DWORD*)&hkReset);

    //Device release hook... if you have a use for this uncomment this line
    //pRelease = (Release_t)HookTrampoline(&xfTrampoline->trRelease, (DWORD*)&hkRelease);

    ZeroMemory(FP_One,        sizeof(FP_One));
    ZeroMemory(FP_Two,        sizeof(FP_Two));
    ZeroMemory(ModName,        sizeof(ModName));

    return 0;
}

Great Hook though!

**learn_more** · 09-30-2010, 05:55 PM

a bit easier?
wrote in notepad, so dunno if it's syntaxically correct

Code:

HMODULE GetXfireModule()
{
    ProcessModuleInfo *pmInfo;
    ModuleInfoNode* module

    _asm
    {
        mov eax, fs:[18h]      // TEB
        mov eax, [eax + 30h]   // PEB
        mov eax, [eax + 0Ch]   // PROCESS_MODULE_INFO
        mov pmInfo, eax
    }

    module = (ModuleInfoNode *)(pmInfo->LoadOrder.Flink);
    
    while( module->baseAddress )
    {
        if( module->name.Buffer && module->name.Length && !_wcsnicmp( module->name.Buffer[i], L"xfire_toucan", 12 ) )
            return module->baseAddress;
    }
    return NULL;
}