Speedhacking...

[lanman92]

Is anyone willing to share any addresses to detour or functions to bypass to enable speedhacking? I'm sorry if no one is willing to do so, please do not flame me.

[Xarg0]

GetTickCount() QueryPerformanceCounter()

[lanman92]

So, I just have to rewrite their routine to return my own custom value? I guess I'll check Olly and see where it is and check how hard it will be to do this. Okay, I just searched WoW's process in Olly, and I could not find any commands referencing GetTickCount() or QueryPerformanceCounter(). Is it used in a ...sneaky?... manner?

[Xarg0]

GetTickCount Function (Windows)
QueryPerformanceCounter Function ()

They are imported by wow -.- take a look at the IAT and you'll see them, I don't know how you could've missed them with olly...

And if you still don't know how these functions are related to speedhacking, try this omg it's a link!/

[Cypher]

hai guise! I kan haz windoze api hooz?

[Shynd]

u wan2 haf api hukz? haha2bad dey r hrardr den ucan handel!!haha

[Xarg0]

weeeeeeeeeeeehhhh me got teh api huuk, me no giv tu u cuz me is teh uber l33t!

[lanman92]

Ok, I just made my first attempt to do an API hook on GetTickCount() after reading some articles around the web. I'm just trying to see if I can even get the hook going right now, I know this won't really do much. Here's my source, WoW keeps closing just after injection though. Please explain why?

Code:

 
#include "stdafx.h"
#pragma comment(lib, "detours.lib")
#pragma comment(lib, "kernel32.lib")
 
typedef DWORD(__stdcall *GTCPtr) (void);
 
GTCPtr pTargetGTC = NULL;
GTCPtr pTrampolineGTC = NULL;
HMODULE hKernel32 = NULL;
 
void main();
DWORD WINAPI mGetTickCount();
 
BOOL APIENTRY DllMain( HMODULE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
DisableThreadLibraryCalls(hModule);
CreateThread(0, 0, (LPTHREAD_START_ROUTINE)main, hModule, 0, 0);
case DLL_PROCESS_DETACH:
FreeLibrary(hModule);
break;
}
return TRUE;
}
 
void main(void)
{
hKernel32 = GetModuleHandle((LPCWSTR) "kernel32.dll");
pTargetGTC = (GTCPtr) GetProcAddress(hKernel32, "GetTickCount");
pTrampolineGTC = (GTCPtr) DetourFunction((PBYTE) pTargetGTC, (PBYTE) mGetTickCount);
return;
}
 
DWORD WINAPI mGetTickCount()
{
DWORD dwRet = GetTickCount();
dwRet = dwRet*2;
return dwRet;
}

[Cypher]

Its probably not the cause of your problem but your thread creation is retarded. Follow the prototype and pass the address of the function, the prototype is there for a damn reason. (eg Non-conformant code like what you have posted above will crash and burn on some or all x64 computers) I cbf checking what you're doing wrong atm, but I can tell you pretty surely that your hooked function is acting incorrectly.

[Namoknan]

By theory this will cause a very fast time elapse and afterwards it will be as fast as usual

DWORD WINAPI mGetTickCount()
{
DWORD dwRet = GetTickCount();
dwRet = dwRet*2;
return dwRet;
}

[Xarg0]

You're doing it wrong, if you wan't to call the unmodified version of GettickCount after a detour you can't call GetTickCount() since this will jump to your mGetTickCount function, you'll need the trampoline function, first you'll have to typecast it to a GetTickCount function and then you can call it, it'll execute the bytes overwritten by your detour jmp and then jmp to the code right after your detour jmp (detours handles everthing for you so you don't need to worry about half instructions beeing executed and causing a crash).
Also you're mGetTickCount is wrong as Namokan already stated.

[lanman92]

Ok, thanks for the replies, I didn't realise that I didn't make a trampoline for it. I was just kind of copying and pasting some code off of a site, seeing if I could see what it actually does. I'll try rewriting the whole thing pretty much when I get home. What is the correct way to detour it so that it does it right? I looked at the WoWX one, but it's looking like a jumble of code to me. Anyone feel like explaining?

[Xarg0]

rtfm rtfm rtfm rtfm!!!!!!
realy just rtfm of microsoft detours >.<

[lanman92]

I never saw the '****ing manual', I DL'd it from some website, i think it was Shynd's site or something... I'll look it up though...

[Cypher]