EndScene getting started.

[Unkn0wn0x]

Good evening everyone,

well after some out of process projects i started to learn basic of hooking/injecting.

I looked into Microsoft Research, but in my opinion it's not the best libary to hook games.

However, I need a bit help because I know I'm doing it wrong and I could need some help.

I've started to write my entrypoint for my DLL

Code:

BOOL APIENTRY DllMain(
   HMODULE hModule, 
   DWORD  ul_reason_for_call, 
   LPVOID lpReserved) 
{ 
      switch(ul_reason_for_call) 
      { 
         case DLL_PROCESS_ATTACH:
         {
            CreateThread(0, 0, (LPTHREAD_START_ROUTINE) InitHook, 0, 0, 0);
         }
         case DLL_PROCESS_DETACH: 
         {  
            MessageBox(0, L"detach", L"", 0);
         }
   }

   return true; 
}

As you can see I start my own thread and I call my InitHook() function which does work after I have my DLL injected.

Code:

void InitHook()
{
   HMODULE hModule = NULL;
   
   // Test
   while (!hModule)
   {
      hModule = GetModuleHandleA("d3d9.dll");
      Sleep(100);
   }

   // Initializes hook
   pEndScene = (EndScene_t)DetourFunc((PBYTE) (void*)((0x00BB672C + 0x397C) + 0xA8), (PBYTE)hkEndScene, 5);
}

In this function I get the module handle of d3d9.dll and I initialize my pEndScene object with [[0x00BB672C + 0x397C] + 0xA8] which should be the EndScene adress. I've found a sample function to replace WoW's EndScene with my EndScene but I don't know if that is the right way cause I don't know much about hooking.

Code:

//-----------------------------------------------------------------------------
void *DetourFunc(BYTE *aSrc, const BYTE *aDst, const int aLen)
{
   
   MessageBox(0, L"Own Endscene!", L"detour func", 0);

   BYTE *jmp = (BYTE*)malloc(aLen + 5);
   DWORD dwBack;

   VirtualProtect(aSrc, aLen, PAGE_READWRITE, &dwBack);
   memcpy(jmp, aSrc, aLen);
   jmp += aLen;
   jmp[0] = 0xE9;
   *(DWORD*)(jmp + 1) = (DWORD)(aSrc + aLen - jmp) - 5;
   aSrc[0] = 0xE9;
   *(DWORD*)(aSrc + 1) = (DWORD)(aDst - aSrc) - 5;
   VirtualProtect(aSrc, aLen, dwBack, &dwBack);
   
   return (jmp - aLen);

}

On the top of my dllmain, I also added a typedef to EndScene and my own EndScene function, 


	
Code:
	
typedef HRESULT(__stdcall *EndScene_t)(LPDIRECT3DDEVICE9);

EndScene_t pEndScene;

HRESULT __stdcall hkEndScene(LPDIRECT3DDEVICE9 pDevice)
{
   // todo: testing if this ever get called <.<..
   MessageBox(0, L"Own Endscene!", L"WTF!! it works!", 0);

   return pEndScene(pDevice);
};
If i run it, it first crashed WoW cause I used another address. Now everything seems to work, but hkEndScene() never get's called. 

As I already mentioned, I do not know much about hooking, so I want to ask you to lookup my code and tell me what's wrong or where I can readup more basics (maybe with samples)

Thanks in advance
Unkn0wn0x

[Cypher]

You're using that shitty function over Microsoft Detours? Whyyyyyyyy??

Microsoft's detour library is far from perfect, but it's a LOT better than the "DetourFunc" you've posted. At least Microsoft's library has decent error handling and much better hooking logic. The function you're using should be called DetourFunctionAndCrashRandomly.

EDIT:

I'm feeling nice today, so I'll give you a hint as to what you ****ed up:

pEndScene = (EndScene_t)DetourFunc((PBYTE) (void*)((0x00BB672C + 0x397C) + 0xA, (PBYTE)hkEndScene, 5); // DANGER WILL ROBINSON! YOU NEED TO LEARN HOW POINTERS WORK!

This is why you need to learn the fundamentals of the language you intend to program in before attempting low level stuff like game hacking. >_>

Seriously. How can you be programming in C or C++ and not know how pointers work.

[mnbvc]

((0x00BB672C + 0x397C) + 0xA

:confused::confused::confused:


hmm, cypher was faster :P

[Ryns]

First things first, tidy up your sh!t ... you are starting a thread but not stopping it on the DETACH. Second thing first, use MS Detours!! It's really easy, see the snippets below from my baby "Capek".

dllmain.cpp:

Code:

#include "CapekHook.h"

BOOL APIENTRY DllMain( HMODULE hModule, DWORD  ul_reason_for_call, LPVOID lpReserved )
{
	CapekHook* hook = CapekHook::GetInstance();
	switch (ul_reason_for_call)
	{
		case DLL_PROCESS_ATTACH:
			{
				hook->Initialise();
				break;
			}
		case DLL_PROCESS_DETACH:
			{
				hook->Release();
				break;
			}
	}
	return TRUE;
}

CapekHook.cpp:

Code:

...
void CapekHook::Initialise()
{
	DWORD  dwThreadId = 0;
	InstallEndSceneHook();
	m_ipcThread = CreateThread( NULL, 0, &StartIpcListener, NULL, 0, &dwThreadId );
	if (m_ipcThread == NULL)
		return;
}

void CapekHook::Release()
{
	RemoveEndSceneHook();
	m_ipcStop = true;
	if (WaitForSingleObject(m_ipcThread, 1000) == WAIT_TIMEOUT){
		SuspendThread(m_ipcThread);
		TerminateThread(m_ipcThread, 0);
	}
	CloseHandle(m_ipcThread);
}

void CapekHook::InstallEndSceneHook()
{
	if ( m_isAttached )
		return;
	PDWORD GxDeviceOffset = (PDWORD)GXDEVICE_OFFSET;
	DWORD GxDevice = (DWORD)*GxDeviceOffset;
	DWORD D3D9device = GxDevice + D3D9DEVICE_OFFSET;
	m_D3D9device = *reinterpret_cast<IDirect3DDevice9**>(D3D9device);
	DWORD* pVTable = (DWORD*)m_D3D9device;
	pVTable = (DWORD*)pVTable[0];
	// Detour the EndScene function #42 in the VTable
	m_originalEndScene = (EndSceneFunc)DetourFunction( (PBYTE)pVTable[42], (PBYTE)EndSceneHook );
	m_isAttached = true;
}

void CapekHook::RemoveEndSceneHook()
{
	if ( !m_isAttached )
		return;
	if ( m_wowMainThread != NULL ) { SuspendThread(m_wowMainThread); }
	DWORD* pVTable = (DWORD*)m_D3D9device;
	pVTable = (DWORD*)pVTable[0];
	// Remove the Detour
	DetourRemove( (PBYTE)m_originalEndScene, (PBYTE)EndSceneHook );
	if ( m_wowMainThread != NULL ) { ResumeThread(m_wowMainThread); }
	m_isAttached = false;
}
...

When I got the basics of my EndScene hook working i was so happy with myself i spent the whole day loading and unloading it without a single crash in-game.

twocents

Why "Capek"? Karel Čapek of course!

[flo8464]

@both: Please use _beginthreadex instead of CreateThread :confused:

[Ryns]

thanks for the advice, just read why on stackoverflow.com lulz

[Unkn0wn0x]

Hi,

I want to thank you for your help.

After two days of learning, reading documentations and a lot of try builds I've done my EndScene Hook now.

After my EndScene Hook was done, I wanted to run LUA and well.. I got it.

Special thanks to flo8684 and Ryns!

I've attached a little screenshot of my result :P

(BTW: I still cant figure out why PROTECTED Lua Functions like ToggleAutoWalk() [or somethink like that i cant remember now] only works if i jump or move my character.)

P.S: My LUA Engine is not finished right now, I need to check out why UnitHealth() or somethink like that returns everytime zero and so on. IDK but never mind. I go to sleep now :P

The screeeniee :

http://blog.unkn0wn0x.de/screenshots/wow/gotit.png

(Hope you like that screenie) :P

[tesserajk]

Are you calling them via FrameScript_Execute? In order to get return values from LUA functions you may need to register a wrapper function that can handle the LUA state. There are many available threads with the information on how to do this.