Mapleblitzer (Master Cheater)
Reputation: 0
Joined: 08 Apr 2007 Posts: 254
Posted: Tue Sep 01, 2009 2:54 pm Post subject: D3D hook on GG game
Hi,
I'm playing a game called rakion (protected by GG), and I'm having some problems with my d3d interface hook. The moment I inject it, the game closes. It doesn't even get to the message box I placed to tell me that the hook was installed.
Here's the hook part of my source (thanks to tombana's source):
Code:
#include <windows.h>
#include <d3dx8.h>
#include <d3d8.h>
#pragma comment(lib,"d3d8.lib")
#pragma comment(lib,"d3dx8.lib")

DWORD D3D8Create = (DWORD)GetProcAddress(GetModuleHandle("d3d8.dll"),"Direct3DCreate8");
DWORD OldProtect = NULL;
IDirect3D8 *(_stdcall*RealD3D8Create)(UINT SDKVersion) = Direct3DCreate8;

IDirect3D8* _stdcall MyD3D8Create(UINT SDKVersion)
{
    *(BYTE*)D3D8Create = 0xE9;
    *(DWORD*)(D3D8Create+1) = 0xEC8B55FF;
    pD3D8Interface = RealD3D8Create(SDKVersion);
    VirtualProtect((LPVOID)(*(DWORD*)pD3D8Interface+0x40),4,PAGE_EXECUTE_READWRITE,&OldProtect);
    *(DWORD*)&RealCreateDevice = *(DWORD*)(*(DWORD*)pD3D8Interface+0x40);
    *(DWORD*)(*(DWORD*)pD3D8Interface+0x40) = (DWORD)MyCreateDevice;
    return pD3D8Interface;
}

DWORD WINAPI MainThread(LPVOID lParam)
{
    *(BYTE*)D3D8Create = 0xE9;
    *(DWORD*)(D3D8Create+1) = (DWORD)MyD3D8Create - (DWORD)D3D8Create - 5;
    MessageBox(0,"Hooked!",0,0);
    return true;
}

BOOL APIENTRY DllMain(HANDLE hModule,
                      DWORD ul_reason_for_call,
                      LPVOID lpReserved
                     )
{
    if (ul_reason_for_call == DLL_PROCESS_ATTACH)
    {
        MessageBox(NULL,("Injected!"),("Injected!"),MB_OK);
        CreateThread(NULL,0,MainThread,NULL,0,NULL);
        return true;
    }
    if (ul_reason_for_call == DLL_PROCESS_DETACH)
        return false;
    return true;
}
tombana (Master Cheater)
Reputation: 2
Joined: 14 Jun 2007 Posts: 456 Location: The Netherlands
Posted: Wed Sep 02, 2009 3:47 am
For rakion, you have to apply the hook at the right time. Rakion calls Direct3DCreate9 right after "Load Modeldata" on the load screen. So at that point, the hook must be there. However, if you have the hook in place from the beginning, gg will detect it and close Rakion. What I usually do for rakion is have a messagebox before the hook, and then click Ok to that as soon as you see "Load modeldata".
Slugsnack (Grandmaster Cheater Supreme)
Reputation: 71
Joined: 24 Jan 2007 Posts: 1857
Posted: Wed Sep 02, 2009 3:50 am
Well, first of all, it is horrible practice to put a message box in the entry point of a DLL. Put it in the created thread if that is what you wanted.
And can you show me your injector code? Because rakion cannot be injected into like a regular program, from what I remember when I created an injector for someone else.
tombana (Master Cheater)
Reputation: 2
Joined: 14 Jun 2007 Posts: 456 Location: The Netherlands
Posted: Wed Sep 02, 2009 8:00 am
Slugsnack wrote:
    Well, first of all, it is horrible practice to put a message box in the entry point of a DLL. Put it in the created thread if that is what you wanted.
    And can you show me your injector code? Because rakion cannot be injected into like a regular program, from what I remember when I created an injector for someone else.

I think there's a working injector source for rakion out there somewhere.
Methods that work are the thread-hijack method (GetThreadContext and SetThreadContext to set the main thread at LoadLibrary) and CreateRemoteThread with a delay (create the thread suspended, then wait a few seconds and then resume the thread).
Mapleblitzer (Master Cheater)
Reputation: 0
Joined: 08 Apr 2007 Posts: 254
Posted: Wed Sep 02, 2009 10:18 am
Thanks tombana and slug (I'm still working on better coding practice T_T). I was wondering why on your l33dprogs google page you had that instruction to inject when they see "load model data"; is there any way to detect it without user input?
Also, would it be possible to make a d3d overlay with some sort of edit box? My thinking was that in the wndproc, I would wait for a mouse click within the edit box, then wait for WM_CHAR msgs and draw the characters that are sent (while saving them in a buffer to convert to values later). Is there any easier way?
tombana (Master Cheater)
Reputation: 2
Joined: 14 Jun 2007 Posts: 456 Location: The Netherlands
Posted: Wed Sep 02, 2009 11:19 am
Quote:
    is there any way to detect it without user input?

I don't know. There might be a pointer you could read that has info on the loading process or something. You could also have a constant value of Sleep, but then again computer speeds differ a lot. User input is the easiest.

Quote:
    Also, would it be possible to make a d3d overlay with some sort of edit box? My thinking was that in the wndproc, I would wait for a mouse click within the edit box, then wait for WM_CHAR msgs and draw the characters that are sent (while saving them in a buffer to convert to values later). Is there any easier way?

I made such a system for another game. Subclass the game window to receive the window messages. Then when the mouse clicks inside the edit box, wait for WM_CHAR messages and put them in the edit box. You can make draggable windows with buttons and textboxes and so on. Might seem really complicated, but when I started it, it wasn't hard at all.