EndScene Hook not changing anything

[lanman92]

I understand the structure, but my pointers are just returning zero. I don't see why. This is causing way too much grief.

[Nesox]

Code:

typedef HRESULT ( __stdcall * tEndScene )( LPDIRECT3DDEVICE9 pThis );
tEndScene oEndScene;

HRESULT __stdcall myEndScene(LPDIRECT3DDEVICE9 pThis)
{    
    return oEndScene(pThis);
}

void InstallDetours()
{
    //[[[[0x1135270] + 0x38A8]] + 0xA8] 3.1.1
    //[[[[0x113C290] + 0x38A8]] + 0xA8] 3.1.2

    unsigned long pFoo = *(unsigned long*)(0x0113C290);
    unsigned long pBar = *(unsigned long*)(pFoo + 0x38A8);
    unsigned long pFoobar = *(unsigned long*)(*(DWORD*)pBar + 0xA8);
    
    oEndScene = (tEndScene)DetourFunction((PBYTE)pFoobar, (PBYTE)myEndScene);
}

This works. I dunno why you would do it with ASM

[lanman92]

I'm not sure why the asm wasnt working. Oh well. this does. I'll go with it.

[Ugge]

Its because your asm is wrong

Code:

 
__asm {
pushad;
mov eax, [0x113C290]; <-- this is the same as "mov eax, 0x113C290". The brackets does nothing when you have a constant or a variable. add this:
mov eax, [eax]
mov eax, [eax + 0x38A8];
mov eax, [eax];
mov edx, 0x42 * 0x4;
mov eax, [eax + edx];
mov eax, [eax];
mov endScene, eax;
popad;
}
oEndScene = (tEndScene)DetourFunction((PBYTE)endScene, (PBYTE)mEndScene);

yes, the visual studio assembler is weird :/

[lanman92]

Sigh. Thanks for the info, I'll remember it

[jockel]

[code]
//[[[[0x1135270] + 0x38A8]] + 0xA8] 3.1.1
//[[[[0x113C290] + 0x38A8]] + 0xA8] 3.1.2

Thanks for the offsets Nesox,

can you give me a hint on how to find out the last two parts "0x38A8" and "0xA8" through reverse engineering Wow?

[lanman92]

Read Sillyboy's thread.

EDIT: Hell, I'm bored. You can reverse the first value through the double-pointer passed to CreateDevice. Wow uses GetProcAddress() to get the addy of the Direct3DCreate9 func. Search for d3d9_dll and you'll see it. Using a debugger you can find the value from here. It should give you the info you need. 0xA8 is simply the offset to the virtual function(hence the reading of the first four bytes of the object). I think this is how I replicated his results =/ might be wrong tho.

[ziinus]

Hi, sorry for hijacking this thread but it's not that off topic.

My injected dll successfully hook endscene and can communicate with my c# process through named pipes.
But now i'm a little lost on how to call interact function and lua_dostring from my hook.

Any help would be greatly appreciated

[suicidity]

My hook works 100% fine

[lanman92]

Use a function pointer to DoString in your DLL.

EDIT: Screw hooking this in a DLL, ill just do it in C# and communicate through memory writes :P

[suicidity]

You can easily get and draw to a device; But it won't be in sync, and as soon as you draw when a scene is open the game will crash.

Although you can 100% detour Out of process; and you can use C# to do it.

[lanman92]

I didn't mean drawing a UI out of process, just doing functions and casting etc.

[suicidity]

Aha. Well you can still do a simple DLL to inject, and returning true in your DllMain will cause WoW's mainthread to call your DLL.

Whatever you'd be doing would be updated when WoW is updated and be in-process.

[lanman92]

Not really sure what you mean there.

[jjaa]

I've been slowly converting all of my stuff to C#. But my C# is executed inside WoW, In WoW's main thread.

It's easy to do and very useful. How To Inject a Managed .NET Assembly (DLL) Into Another Process - Coding the Wheel