
// Injected-DLL listing (collapsed onto one line in the page; line breaks restored here).
// It places an inline JMP at a fixed code address so that a Direct3D 9 device pointer
// is captured and overlay drawing code runs on the host's render path.
// pFont, pLine and XorStr are used below but declared elsewhere (not shown).
//
// What a defender can observe from this code:
//   - a thread created from DllMain on DLL_PROCESS_ATTACH,
//   - a code page switched to PAGE_EXECUTE_READWRITE via VirtualProtect,
//   - an 0xE9 (JMP rel32) opcode at the patched address that no longer matches the
//     module's on-disk bytes,
//   - module names passed to GetModuleHandleA that are not stored as plain text.

// Fixed absolute address of the patch site ("Endereço" = address).
// A hard-coded address only fits one specific build of the host binary.
#define EndereçoDip 0x61F43D
DWORD retDipEngine = EndereçoDip + 0x7; // address the detour jumps back to: patch site + 7 bytes
// Ativa: set once the font and line objects exist. Menu is not referenced in the visible code.
bool Ativa, Menu = TRUE;

// Draws the menu. The body is omitted in this listing.
void CriaMenu(LPDIRECT3DDEVICE9 pDevice)
{
    // Menu drawing; it is already implemented in the base and was left out here to keep the code short
}

// Releases any existing font/line objects, recreates them for pDevice, then draws the menu.
// Because Ativa is cleared whenever pFont is non-NULL, both objects are rebuilt on every
// call after the first.
void CriarFont(LPDIRECT3DDEVICE9 pDevice)
{
    if (pFont)
    {
        pFont->Release();
        pLine->Release(); // pLine is released without its own NULL check
        pLine = NULL;
        pFont = NULL;
        Ativa = false;
    }
    if (!Ativa)
    {
        // Font parameters are given as numeric literals rather than named constants.
        // The face name is passed through XorStr (defined elsewhere); per the adjacent
        // comment the decoded value is "Arial".
        D3DXCreateFont(pDevice, 14, 0, 500, 1, 0, 1, 0, 4, 0 | (1 << 4), /*Arial*/XorStr<0xfd, 6, 0x94fa6162>("\xbc\x8c\x96\x61\x6d" + 0x94fa6162).s, &pFont);
        D3DXCreateLine(pDevice, &pLine);
        Ativa = true;
    }
    CriaMenu(pDevice);
}

// Naked detour stub reached through the JMP written by MakeJMP.
// "naked" means the compiler emits no prologue or epilogue, so the stub runs directly on
// the interrupted function's registers and stack.
_declspec (naked) HRESULT WINAPI DipMidFunction()
{
    // static: a naked function has no stack frame of its own for locals
    static LPDIRECT3DDEVICE9 pDevice;
    // Saves EAX into pDevice, then pushes EAX and loads [ECX + 0x148] into EAX;
    // PUSHAD preserves the general-purpose registers across the C++ call below.
    // NOTE(review): the PUSH/MOV pair presumably replays the instructions displaced by
    // the 7-byte patch; confirm against the target binary.
    _asm
    {
        PUSH EAX
        MOV DWORD PTR DS : [pDevice], EAX
        MOV EAX, DWORD PTR DS : [ECX + 0x148]
        PUSHAD
    }
    CriarFont(pDevice);
    // Restore the registers and resume at the patch site + 7.
    _asm
    {
        POPAD
        JMP retDipEngine
    }
}

// Overwrites the first five bytes at pAddress with a relative JMP to dwJumpTo.
//   pAddress  - code address to patch
//   dwJumpTo  - absolute destination address
//   dwLen     - length of the region whose page protection is changed
// The VirtualProtect return values are not checked. Bytes 5..dwLen-1 are left as they were.
void MakeJMP(BYTE *pAddress, DWORD dwJumpTo, DWORD dwLen)
{
    DWORD dwOldProtect, dwBkup, dwRelAddr;
    // Make the code page writable; the RWX transition on a code page is an observable event.
    VirtualProtect(pAddress, dwLen, PAGE_EXECUTE_READWRITE, &dwOldProtect);
    // rel32 is relative to the end of the 5-byte JMP instruction
    dwRelAddr = (DWORD)(dwJumpTo - (DWORD)pAddress) - 5;
    *pAddress = 0xE9; // JMP rel32 opcode
    *((DWORD *)(pAddress + 0x1)) = dwRelAddr;
    // Put the previous protection back.
    VirtualProtect(pAddress, dwLen, dwOldProtect, &dwBkup);
    return;
}

// Thread entry point: loops forever, and whenever the byte at the patch site equals 0x8B
// it waits 250 ms and writes the JMP. Only one byte is compared (length argument 1)
// although the literal holds two. There is no delay on the non-matching path, so the
// loop spins continuously once the patch is in place.
void _cdecl StartRoutine2(void*)
{
    while (true)
    {
        if (memcmp((void*)EndereçoDip, (void*)(PBYTE)"\x8B\x08", 1) == 0)
        {
            Sleep(250);
            MakeJMP((PBYTE)EndereçoDip, (DWORD)DipMidFunction, 7);
        }
    }
}

// Returns TRUE only when all three modules are loaded in the current process.
// The names are stored XOR-encoded and decoded at run time by XorStr (defined elsewhere),
// so they do not appear as plain strings in the binary; the adjacent comments give the
// decoded values. Not called anywhere in the visible code.
BOOL CheckModules(VOID)
{
    if (GetModuleHandleA(/*d3d9.dll*/XorStr<0xd1, 9, 0x4236b>("\xb5\xe1\xb7\xed\xfb\xb2\xbb\xb4" + 0x4236b).s) != NULL
        && GetModuleHandleA(/*CShell.dll*/XorStr<0xc9, 11, 0xfac72dfa>("\x8a\x99\xa3\xa9\xa1\xa2\xe1\xb4\xbd\xbe" + 0xfac72dfa).s) != NULL
        && GetModuleHandleA(/*ClientFX.fxd*/XorStr<0x12, 13, 0xa743db42>("\x51\x7f\x7d\x70\x78\x63\x5e\x41\x34\x7d\x64\x79" + 0xa743db42).s) != NULL)
        return TRUE;
    return FALSE;
}

// DLL entry point: on process attach, turns off per-thread notifications and starts
// StartRoutine2 on a new thread. The thread handle returned by CreateThread is not
// stored or closed.
BOOL WINAPI DllMain(HMODULE hDll, DWORD dwReason, LPVOID lpReserved)
{
    if (dwReason == DLL_PROCESS_ATTACH)
    {
        DisableThreadLibraryCalls(hDll);
        CreateThread(NULL, NULL, (LPTHREAD_START_ROUTINE)StartRoutine2, NULL, NULL, NULL);
    }
    return TRUE;
}
#include <windows.h>
#include <d3d9.h>
#include <d3dx9.h>
#include <stdio.h>
#include <process.h>
#pragma comment(lib, "d3d9.lib")
#pragma comment(lib, "d3dx9.lib")
// Address inside the EndScene routine where the JMP is written (computed in MyHook).
DWORD dwEndscene_hook;
// Address the detour stub jumps back to: dwEndscene_hook + 0x6 (computed in MyHook).
DWORD dwEndscene_ret;
// Filled in by MyHook through WriteMemory; entry 42 is then read as the EndScene pointer.
DWORD *vTable;
// Font object used by WriteText; released and recreated by EndScene on each call.
LPD3DXFONT pFont;
// Not referenced by any code visible in this listing.
int text;
// Draws a NUL-terminated string with the global pFont, anchored at (x, y).
//   pDevice - unused here; kept for the callers' signature
//   x, y    - top-left anchor in pixels
//   color   - text colour
//   text    - string to draw (length passed as -1, i.e. up to the terminator)
// pFont is dereferenced without a NULL check, so the caller must have created it.
VOID WriteText( LPDIRECT3DDEVICE9 pDevice, INT x, INT y, DWORD color, CHAR *text )
{
    // Zero-sized rectangle at the anchor; DT_NOCLIP lets the text extend past it.
    RECT anchor = { x, y, x, y };
    const DWORD drawFlags = DT_LEFT | DT_NOCLIP;

    pFont->DrawText( NULL, text, -1, &anchor, drawFlags, color );
}
// Per-frame callback invoked from the MyEndscene detour stub.
// Drops the current font, creates a new 14-pixel bold Arial font on pDevice, and draws
// the label "EndScene" at (15, 80) in opaque red. The font is rebuilt on every call,
// because the release branch always leaves pFont NULL before the creation branch.
// The result of D3DXCreateFont is not checked before WriteText dereferences pFont.
VOID WINAPI EndScene(LPDIRECT3DDEVICE9 pDevice)
{
    if( pFont != NULL )
    {
        pFont->Release();
        pFont = NULL;
    }

    if( pFont == NULL )
    {
        D3DXCreateFont( pDevice,
                        14, 0, FW_BOLD, 1, 0,
                        DEFAULT_CHARSET, OUT_DEFAULT_PRECIS, DEFAULT_QUALITY,
                        DEFAULT_PITCH | FF_DONTCARE,
                        "Arial", &pFont );
    }

    const DWORD opaqueRed = D3DCOLOR_ARGB(255, 255, 0, 0);
    WriteText( pDevice, 15, 80, opaqueRed, "EndScene" );
}
// Naked detour stub that the JMP written by MakeJMP lands in.
// __declspec(naked) suppresses the compiler's prologue and epilogue, so this code runs
// on the hooked routine's own frame and registers and must jump back explicitly.
__declspec(naked) void MyEndscene( )
{
// static: a naked function has no frame of its own in which to keep a local
static LPDIRECT3DDEVICE9 pDevice;
// Stores ESP at [ebp - 10] (the displacement is the decimal literal 10 as written),
// then copies the dword at [ebp + 0x8] into ESI and into pDevice.
// NOTE(review): presumably this replays the instructions displaced by the 6-byte patch,
// and [ebp + 0x8] is the device pointer argument; confirm against the hooked d3d9.dll build.
__asm
{
mov dword ptr ss:[ebp - 10], esp;
mov esi, dword ptr ss:[ebp + 0x8];
mov pDevice, esi;
}
// Run the overlay drawing with the captured device pointer.
EndScene(pDevice);
// Resume the original routine just past the patched bytes (dwEndscene_hook + 0x6).
__asm
{
jmp dwEndscene_ret;
}
}
// Tests whether the bytes at pData match a signature with wildcards.
//   pData  - memory to test
//   bMask  - signature bytes
//   szMask - NUL-terminated mask; 'x' means "must match", any other character is a wildcard
// Returns true when every 'x' position matches. The caller must guarantee that pData
// is readable for the full length of szMask; no bounds are checked here.
bool Mask(const BYTE* pData, const BYTE* bMask, const char* szMask)
{
    for (size_t pos = 0; szMask[pos] != '\0'; ++pos)
    {
        const bool mustMatch = (szMask[pos] == 'x');
        if (mustMatch && pData[pos] != bMask[pos])
        {
            return false;
        }
    }
    // The whole mask was consumed without a mismatch.
    return true;
}
// Linear signature scan over [dwAddress, dwAddress + dwLen).
//   dwAddress - start address of the region, as a 32-bit integer
//   dwLen     - number of start offsets to try
//   bMask     - signature bytes
//   szMask    - 'x' / wildcard mask, passed on to Mask
// Returns the address of the first match, or 0 when there is none.
// Every offset below dwLen is tried as a start position, so a comparison that begins
// near the end of the region reads up to the mask length past dwAddress + dwLen.
DWORD FindPattern(DWORD dwAddress,DWORD dwLen,BYTE *bMask,char * szMask)
{
    DWORD offset = 0;
    while (offset < dwLen)
    {
        const DWORD candidate = dwAddress + offset;
        if (Mask((BYTE*)candidate, bMask, szMask))
        {
            return candidate;
        }
        ++offset;
    }
    return 0;
}
// Overwrites dwLen bytes at pAddress with a 5-byte relative JMP to dwJumpTo, padding
// the remainder with NOPs.
//   pAddress  - code address to patch
//   dwJumpTo  - absolute destination address
//   dwLen     - total number of bytes replaced (the callers in this listing pass 6)
// The VirtualProtect return values are not checked, and the bytes are written one store
// at a time while other threads may be executing the same code.
// Observable artefacts: the page goes through PAGE_EXECUTE_READWRITE, and afterwards the
// in-memory bytes at pAddress (0xE9 + rel32 + 0x90 padding) differ from the on-disk image.
void MakeJMP(BYTE *pAddress, DWORD dwJumpTo, DWORD dwLen)
{
DWORD dwOldProtect, dwBkup, dwRelAddr;
// Make the code page writable, remembering the previous protection.
VirtualProtect(pAddress, dwLen, PAGE_EXECUTE_READWRITE, &dwOldProtect);
// rel32 is measured from the end of the 5-byte JMP instruction
dwRelAddr = (DWORD) (dwJumpTo - (DWORD) pAddress) - 5;
*pAddress = 0xE9; // JMP rel32 opcode
*((DWORD *)(pAddress + 0x1)) = dwRelAddr;
// Fill bytes 5..dwLen-1 with NOP (0x90) so no partial instruction is left behind.
for(DWORD x = 0x5; x < dwLen; x++) *(pAddress + x) = 0x90;
// Put the previous protection back.
VirtualProtect(pAddress, dwLen, dwOldProtect, &dwBkup);
return;
}
// Thread routine started from DllMain: locates the EndScene pointer through a byte
// signature in d3d9.dll and keeps an inline JMP to MyEndscene installed.
// It never returns. Because the patch is rewritten every 100 ms, restoring the
// original bytes once does not remove it while this thread is alive.
void MyHook( void )
{
DWORD hD3D = NULL;
// Spin (with no delay) until d3d9.dll is loaded in this process.
while (!hD3D) hD3D = (DWORD)GetModuleHandle("d3d9.dll");
// Scan 0x128000 bytes from the module base for the signature; '?' positions are wildcards.
// FindPattern returns 0 on a miss, and that case is not checked before the result is used.
DWORD PPPDevice = FindPattern(hD3D, 0x128000, (PBYTE)"\xC7\x06\x00\x00\x00\x00\x89\x86\x00\x00\x00\x00\x89\x86", "xx????xx????xx");
// WriteMemory is defined elsewhere (not shown); presumably it copies the 4 bytes at
// PPPDevice + 2 (the first wildcard field of the signature) into vTable. Verify against its definition.
WriteMemory( &vTable, (void *)(PPPDevice + 2), 4);
// Entry 42 is treated as the EndScene pointer; the patch goes 0x2A bytes into that
// routine rather than at its first instruction.
dwEndscene_hook = vTable[42] + 0x2A;
// Execution resumes just past the 6 patched bytes.
dwEndscene_ret = dwEndscene_hook + 0x6;
// Rewrite the JMP every 100 ms, indefinitely.
while(1)
{
Sleep(100);
MakeJMP((PBYTE)dwEndscene_hook, (DWORD)MyEndscene, 6);
}
}
// DLL entry point. On process attach it turns off per-thread attach/detach
// notifications and starts MyHook on a new thread; every other reason is ignored.
// Always returns TRUE. The handle returned by CreateThread is neither stored nor
// closed. A thread created from DllMain at load time is one of the observable
// signs that this module has been loaded into a process.
BOOL WINAPI DllMain(HINSTANCE hModule, DWORD dwReason, LPVOID lpvReserved)
{
    if (dwReason != DLL_PROCESS_ATTACH)
    {
        return TRUE;
    }

    DisableThreadLibraryCalls(hModule);
    CreateThread(NULL, NULL, (LPTHREAD_START_ROUTINE)MyHook, NULL, NULL, NULL);
    return TRUE;
}