Original XP thread: http://www.uc-forum.com/forum/d3d-pr...n-hook-xp.html
Original W7/Vista thread:
http://www.uc-forum.com/forum/d3d-pr...tion-hook.html By me - Shad0w_ XP
Defines
Code:
// Globals shared by Dx9Hook() and MyEndscene() (32-bit process: addresses are DWORDs).
DWORD *VTable;              // IDirect3DDevice9 vtable, read out of d3d9.dll
DWORD  dwEndscene_hook;     // address inside EndScene that the detour overwrites
DWORD  dwEndscene_ret;      // where the detour jumps back to (dwEndscene_hook + 6)
BYTE   EndSceneOpCodes[6];  // the 6 original bytes expected at dwEndscene_hook
Endscene
In this version the device pointer has already been loaded into esi and checked for NULL by d3d9 before the hook site is reached.
Code:
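// XP detour body for the mid-function EndScene hook (see Dx9Hook).
// Entered through the 6-byte JMP that the detour writes over
//     mov [ebp-0x1C], edi   ; 89 7D E4
//     mov [ebp-0x18], ebx   ; 89 5D E8
// so both stores are replayed here before jumping back to dwEndscene_ret.
// d3d9 has already loaded the device pointer into esi at this point, so it is
// captured into m_pD3Ddev. Naked: no prologue/epilogue; only the flags are
// saved/restored, everything else is left exactly as EndScene had it.
__declspec(naked) void MyEndscene( )
{
    __asm
    {
        // The hook site sits between a compare and its conditional jump, so
        // the flags must survive. The replayed movs never write flags, but the
        // save/restore keeps that true if more code is added here. (The
        // original used "pushaf"/"popaf", which are not x86 instructions;
        // pushfd/popfd is what was meant.)
        pushfd
        // MASM needs an explicit hex prefix: "1C"/"18" did not assemble.
        mov dword ptr ss:[ebp-0x1C], edi    // replay overwritten instruction #1
        mov dword ptr ss:[ebp-0x18], ebx    // replay overwritten instruction #2
        mov m_pD3Ddev, esi                  // IDirect3DDevice9* loaded by d3d9 before the hook site
        popfd                               // restore the je/jne condition
        jmp dwEndscene_ret                  // resume EndScene at dwEndscene_hook + 6
    }
}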
My offset initialisation function, using the vtable pattern that Gordon posted:
Code:
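// Locate the IDirect3DDevice9 vtable in d3d9.dll and compute the EndScene
// hook site (XP build of d3d9.dll).
//
// D3D9: module name passed to GetModuleHandle (normally "d3d9.dll").
// Writes the globals VTable, dwEndscene_hook and dwEndscene_ret. If the
// vtable pattern is not found, all three are left 0 and nothing may be
// detoured — the original dereferenced PPPDevice + 2 unconditionally, which
// read from address 2 on a pattern miss.
//
// Assumes a 32-bit process (vtable entries and code addresses are DWORDs).
// The scan length and the +0x36 mid-function offset are tied to one d3d9.dll
// build; the caller's byte compare against EndSceneOpCodes is what protects
// against patching a different build.
void Dx9Hook( LPCSTR D3D9 )
{
    const DWORD scanLen       = 0x128000;   // bytes of d3d9.dll scanned for the pattern
    const DWORD endSceneIndex = 42;         // IDirect3DDevice9::EndScene vtable slot
    const DWORD hookOffset    = 0x36;       // mid-function offset, XP build only
    const DWORD patchLen      = 6;          // bytes overwritten by the detour

    VTable          = NULL;
    dwEndscene_hook = 0;
    dwEndscene_ret  = 0;

    // d3d9.dll may not be mapped yet when the injected thread starts. The
    // original spun without sleeping; a short sleep avoids burning a core.
    DWORD hD3D = 0;
    while (!(hD3D = (DWORD)GetModuleHandle(D3D9)))
        Sleep(10);

    // "mov [esi], imm32 ; mov [esi+X], eax ; mov [esi+Y], ..." — imm32 is the
    // device vtable address being written into a freshly created device.
    DWORD PPPDevice = FindPattern(hD3D, scanLen,
        (PBYTE)"\xC7\x06\x00\x00\x00\x00\x89\x86\x00\x00\x00\x00\x89\x86", "xx????xx????xx");
    if (!PPPDevice)
        return;                             // wrong d3d9 build: leave the offsets at 0

    memcpy(&VTable, (void *)(PPPDevice + 2), sizeof(VTable));   // imm32 of "mov [esi], imm32"
    dwEndscene_hook = VTable[endSceneIndex] + hookOffset;
    dwEndscene_ret  = dwEndscene_hook + patchLen;
}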
Usage (in the main thread):
Code:
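// Main-thread usage (XP). EndSceneOpCodes holds the two instructions that
// live at the hook site (mov [ebp-0x1C],edi ; mov [ebp-0x18],ebx). The loop
// re-applies the detour whenever those original bytes are back, i.e. after
// the anti-cheat has restored d3d9's code, and never patches anything else.
// Fixes from the original: "Memcpy" and "Endscene_opcodes" did not match the
// declared memcpy/EndSceneOpCodes, and dwEndscene_hook was never checked.
Dx9Hook("d3d9.dll");
memcpy(EndSceneOpCodes, "\x89\x7D\xE4\x89\x5D\xE8", sizeof(EndSceneOpCodes));
while( 1 )
{
    Sleep( 1000 );
    // dwEndscene_hook is 0 when Dx9Hook could not find the vtable pattern;
    // memcmp against address 0 would fault.
    if (dwEndscene_hook != 0 &&
        memcmp(EndSceneOpCodes, (const void *)dwEndscene_hook, sizeof(EndSceneOpCodes)) == 0)
    {
        // NOTE(review): this rewrites d3d9's code while the render thread may
        // be inside EndScene; Detour() (not shown) presumably handles page
        // protection, but the 6-byte write itself is not atomic.
        Detour(dwEndscene_hook, MyEndscene);
    }
}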
Note: untested and uncompiled — all of this is based on theory and was written quickly to help XP users find their way.
Edit: the offset distance was miscalculated; fixed now.
W7 and Vista
Defines
Code:
// Globals shared by Dx9Hook() and MyEndscene() (32-bit process: addresses are DWORDs).
DWORD *VTable;              // IDirect3DDevice9 vtable, read out of d3d9.dll
DWORD  dwEndscene_hook;     // address inside EndScene that the detour overwrites
DWORD  dwEndscene_ret;      // where the detour jumps back to (dwEndscene_hook + 6)
BYTE   EndSceneOpCodes[6];  // the 6 original bytes expected at dwEndscene_hook
Endscene
Code:
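// W7/Vista detour body for the mid-function EndScene hook (see Dx9Hook).
// Entered through the 6-byte JMP written over
//     mov [ebp-0x10], esp   ; 89 65 F0
//     mov esi, [ebp+0x08]   ; 8B 75 08
// Both are replayed here, then esi (the device pointer that the second
// instruction loads, per the original comment) is stored into m_pD3Ddev
// before resuming EndScene at dwEndscene_ret. Naked: no prologue/epilogue,
// nothing else is clobbered and the flags are untouched (mov only).
__declspec(naked) void MyEndscene( )
{
    __asm
    {
        // BUG FIX: MASM inline asm reads "10" as decimal, so the original
        // "[ebp - 10]" stored esp at ebp-0x0A and corrupted the frame. The
        // overwritten encoding 89 65 F0 has disp8 = -0x10.
        mov dword ptr ss:[ebp - 0x10], esp      // replay overwritten instruction #1
        mov esi, dword ptr ss:[ebp + 0x8]       // replay overwritten instruction #2
        mov m_pD3Ddev, esi                      // capture the IDirect3DDevice9*
        jmp dwEndscene_ret                      // resume EndScene at dwEndscene_hook + 6
    }
}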
My offset initialisation function, using the vtable pattern that Gordon posted:
Code:
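// Locate the IDirect3DDevice9 vtable in d3d9.dll and compute the EndScene
// hook site (W7/Vista build of d3d9.dll).
//
// D3D9: module name passed to GetModuleHandle (normally "d3d9.dll").
// Writes the globals VTable, dwEndscene_hook and dwEndscene_ret. If the
// vtable pattern is not found, all three are left 0 and nothing may be
// detoured — the original dereferenced PPPDevice + 2 unconditionally, which
// read from address 2 on a pattern miss.
//
// Assumes a 32-bit process (vtable entries and code addresses are DWORDs).
// The scan length and the +0x2A mid-function offset are tied to one d3d9.dll
// build; the caller's byte compare against EndSceneOpCodes is what protects
// against patching a different build.
void Dx9Hook( LPCSTR D3D9 )
{
    const DWORD scanLen       = 0x128000;   // bytes of d3d9.dll scanned for the pattern
    const DWORD endSceneIndex = 42;         // IDirect3DDevice9::EndScene vtable slot
    const DWORD hookOffset    = 0x2A;       // mid-function offset, W7/Vista build only
    const DWORD patchLen      = 6;          // bytes overwritten by the detour

    VTable          = NULL;
    dwEndscene_hook = 0;
    dwEndscene_ret  = 0;

    // d3d9.dll may not be mapped yet when the injected thread starts. The
    // original spun without sleeping; a short sleep avoids burning a core.
    DWORD hD3D = 0;
    while (!(hD3D = (DWORD)GetModuleHandle(D3D9)))
        Sleep(10);

    // "mov [esi], imm32 ; mov [esi+X], eax ; mov [esi+Y], ..." — imm32 is the
    // device vtable address being written into a freshly created device.
    DWORD PPPDevice = FindPattern(hD3D, scanLen,
        (PBYTE)"\xC7\x06\x00\x00\x00\x00\x89\x86\x00\x00\x00\x00\x89\x86", "xx????xx????xx");
    if (!PPPDevice)
        return;                             // wrong d3d9 build: leave the offsets at 0

    memcpy(&VTable, (void *)(PPPDevice + 2), sizeof(VTable));   // imm32 of "mov [esi], imm32"
    dwEndscene_hook = VTable[endSceneIndex] + hookOffset;
    dwEndscene_ret  = dwEndscene_hook + patchLen;
}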
Usage (in the main thread):
Code:
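// Main-thread usage (W7/Vista). EndSceneOpCodes holds the two instructions
// that live at the hook site (mov [ebp-0x10],esp ; mov esi,[ebp+8]). The loop
// re-applies the detour whenever those original bytes are back, i.e. after
// the anti-cheat has restored d3d9's code, and never patches anything else.
// Fixes from the original: "Memcpy" and "Endscene_opcodes" did not match the
// declared memcpy/EndSceneOpCodes, and dwEndscene_hook was never checked.
Dx9Hook("d3d9.dll");
memcpy(EndSceneOpCodes, "\x89\x65\xF0\x8B\x75\x08", sizeof(EndSceneOpCodes));
while( 1 )
{
    Sleep( 1000 );
    // dwEndscene_hook is 0 when Dx9Hook could not find the vtable pattern;
    // memcmp against address 0 would fault.
    if (dwEndscene_hook != 0 &&
        memcmp(EndSceneOpCodes, (const void *)dwEndscene_hook, sizeof(EndSceneOpCodes)) == 0)
    {
        // NOTE(review): this rewrites d3d9's code while the render thread may
        // be inside EndScene; Detour() (not shown) presumably handles page
        // protection, but the 6-byte write itself is not atomic.
        Detour(dwEndscene_hook, MyEndscene);
    }
}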
The loop exists to counter HackShield re-patching: once the original bytes are restored, the detour is written again. Since this rewrites d3d9's code while the render thread may be executing EndScene, the write is a race — keep it to the one 6-byte patch and only when the expected bytes are present.
The detour must be exactly 6 bytes long, since you are overwriting these two instructions in EndScene (note the hex offset — MASM reads a bare "10" as decimal):
mov dword ptr ss:[ebp - 0x10], esp;
mov esi, dword ptr ss:[ebp + 0x8];
Enjoy.
This approach should work on most functions in the D3D interface, since the hook is placed just after the device pointer has been moved into esi. The mid-function offsets (+0x36 on XP, +0x2A on W7/Vista) are specific to one d3d9.dll build, which is why the usage loop compares the bytes before patching.
Credits and TFD
( ZeaS ): for the method of capturing the overwritten instructions, rewriting them inside the detour and executing them again there.
Thanks to learn_more, who gave me the XP assembly.