Win 8 - EndsceneHook

  1. #1
    Endecs's Avatar Master Sergeant

    Win 8 - EndsceneHook

    Hello,

    I have been trying all day to hook EndScene on Win 8, but my problem is that it either crashes or I only get "0" as the return value from all the ASM stuff.

    Crash Code:
    Code:
      threadHooked = false;
      // allocate memory to store injected code:
      injected_code = Memory.AllocateMemory(2048);
      // allocate memory for the new injection code pointer:
      addresseInjection = Memory.AllocateMemory(0x4);
      Memory.WriteInt(addresseInjection, 0);
      // allocate memory for the return value pointer:
      retnInjectionAsm = Memory.AllocateMemory(0x4);
      Memory.WriteInt(retnInjectionAsm, 0);

      // Generate the STUB to be injected
      Memory.Asm.Clear(); // $Asm

      // save regs
      Memory.Asm.Clear();

      Memory.Asm.AddLine("push 14");
      Memory.Asm.AddLine("mov eax, " + ConvertToHexString(D3D9Module));

      Memory.Asm.AddLine("pushad");
      Memory.Asm.AddLine("pushfd");

      // Test whether injected code needs to be launched:
      Memory.Asm.AddLine("mov eax, [" + addresseInjection + "]");
      Memory.Asm.AddLine("test eax, eax");
      Memory.Asm.AddLine("je @out");

      // Launch function:
      Memory.Asm.AddLine("mov eax, [" + addresseInjection + "]");
      Memory.Asm.AddLine("call eax");

      // Copy the return value to the return value pointer:
      Memory.Asm.AddLine("mov [" + retnInjectionAsm + "], eax");

      // Write 0 to the address of the injected function
      Memory.Asm.AddLine("mov edx, " + addresseInjection);
      Memory.Asm.AddLine("mov ecx, 0");
      Memory.Asm.AddLine("mov [edx], ecx");

      // Close func
      Memory.Asm.AddLine("@out:");

      // restore regs
      Memory.Asm.AddLine("popfd");
      Memory.Asm.AddLine("popad");


      // injected code
      uint sizeAsm = (uint)(Memory.Asm.Assemble().Length);
      Memory.Asm.Inject(injected_code);

      // Size of asm jump back
      int sizeJumpBack = 7;

      // copy and save original instructions
      Memory.Asm.Clear();
      Memory.Asm.AddLine("mov edi, edi");
      Memory.Asm.AddLine("push ebp");
      Memory.Asm.AddLine("mov ebp, esp");
      Memory.Asm.Inject(injected_code + sizeAsm);

      // create jump back stub
      Memory.Asm.Clear();
      Memory.Asm.AddLine("jmp " + (pEndScene + sizeJumpBack));
      Memory.Asm.Inject(injected_code + sizeAsm + (uint)sizeJumpBack);

      // create hook jump
      Memory.Asm.Clear(); // $jmpto
      Memory.Asm.AddLine("jmp " + (injected_code));
      Memory.Asm.AddLine("nop");
      Memory.Asm.AddLine("nop");
      Memory.Asm.Inject(pEndScene);
    All 0 Code:

    Code:
      threadHooked = false;
      // allocate memory to store injected code:
      injected_code = Memory.AllocateMemory(2048);
      // allocate memory for the new injection code pointer:
      addresseInjection = Memory.AllocateMemory(0x4);
      Memory.WriteInt(addresseInjection, 0);
      // allocate memory for the return value pointer:
      retnInjectionAsm = Memory.AllocateMemory(0x4);
      Memory.WriteInt(retnInjectionAsm, 0);

      // Generate the STUB to be injected
      Memory.Asm.Clear(); // $Asm

      // save regs
      Memory.Asm.Clear();

      Memory.Asm.AddLine("push 14");
      Memory.Asm.AddLine("mov eax, " + (ConvertToHexString(D3D9Module) + 0x149A0C));

      Memory.Asm.AddLine("pushad");
      Memory.Asm.AddLine("pushfd");

      // Test whether injected code needs to be launched:
      Memory.Asm.AddLine("mov eax, [" + addresseInjection + "]");
      Memory.Asm.AddLine("test eax, eax");
      Memory.Asm.AddLine("je @out");

      // Launch function:
      Memory.Asm.AddLine("mov eax, [" + addresseInjection + "]");
      Memory.Asm.AddLine("call eax");

      // Copy the return value to the return value pointer:
      Memory.Asm.AddLine("mov [" + retnInjectionAsm + "], eax");

      // Write 0 to the address of the injected function
      Memory.Asm.AddLine("mov edx, " + addresseInjection);
      Memory.Asm.AddLine("mov ecx, 0");
      Memory.Asm.AddLine("mov [edx], ecx");

      // Close func
      Memory.Asm.AddLine("@out:");

      // restore regs
      Memory.Asm.AddLine("popfd");
      Memory.Asm.AddLine("popad");


      // injected code
      uint sizeAsm = (uint)(Memory.Asm.Assemble().Length);
      Memory.Asm.Inject(injected_code);

      // Size of asm jump back
      int sizeJumpBack = 7;

      // copy and save original instructions
      Memory.Asm.Clear();
      Memory.Asm.AddLine("mov edi, edi");
      Memory.Asm.AddLine("push ebp");
      Memory.Asm.AddLine("mov ebp, esp");
      Memory.Asm.Inject(injected_code + sizeAsm);

      // create jump back stub
      Memory.Asm.Clear();
      Memory.Asm.AddLine("jmp " + (pEndScene + sizeJumpBack));
      Memory.Asm.Inject(injected_code + sizeAsm + (uint)sizeJumpBack);

      // create hook jump
      Memory.Asm.Clear(); // $jmpto
      Memory.Asm.AddLine("jmp " + (injected_code));
      Memory.Asm.AddLine("nop");
      Memory.Asm.AddLine("nop");
      Memory.Asm.Inject(pEndScene);
    The code with "0" gives an exception:

    Code:
    "Assembly failed!  Error code: -121;  Error Line: 3
       bei Fasm.ManagedFasm.Assemble(String szSource, Int32 nMemorySize, Int32 nPassLimit)
       bei Fasm.ManagedFasm.Assemble()"
    D3D9Module = 0x6387F8DF

    /e: The Offsets are right (works with Win7 and XP-Win7 Injection Code)

    greets,
    Endecs
    Last edited by Endecs; 12-03-2012 at 02:25 PM.

  2. #2
    Master674's Avatar Elite User
    How do you get pEndScene?
    You might also want to take a look at my project here

  3. #3
    Endecs's Avatar Master Sergeant
    Code:
      uint pDevice = Memory.ReadUInt((UInt32)Memory.MainModule.BaseAddress + DX_DEVICE);
      uint pEnd = Memory.ReadUInt(pDevice + DX_DEVICE_IDX);
      uint pScene = Memory.ReadUInt(pEnd);
      uint pEndScene = Memory.ReadUInt(pScene + ENDSCENE_IDX);
    All working with Win 7, just not with Win 8.

    Code:
      Direct3D9__Device = 0xB18ADC,                   // 5.1
      Direct3D9__Device__OffsetA = 0x2808,            // 5.1
      Direct3D9__Device__OffsetB = 0xA8               // 5.1
    One moment, I will take a look at your project.

    /e: Your project does not really help me :s

    greets,
    Endecs
    Last edited by Endecs; 12-03-2012 at 03:27 PM.

  4. #4
    Master674's Avatar Elite User
    I'm using Windows 8 myself. I got no problems with it at all.

  5. #5
    Endecs's Avatar Master Sergeant
    Originally Posted by Master674 View Post
    I'm using Windows 8 myself. I got no problems with it at all.
    You mean, how I do it, or how you do it in your project?

    greets,
    Endecs

  6. #6
    Jadd's Avatar 🐸 Premium Seller
    Originally Posted by Endecs View Post
    You mean, how I do it, or how you do it in your project?

    greets,
    Endecs
    d3dshark works in Windows 8. You should use the same method of hooking it.

  7. #7
    eracer's Avatar Contributor
    If this is for Windows 8, the "original instructions" that you have are not right
    Code:
      // copy and save original instructions
      Memory.Asm.Clear();
      Memory.Asm.AddLine("mov edi, edi");
      Memory.Asm.AddLine("push ebp");
      Memory.Asm.AddLine("mov ebp, esp");
      Memory.Asm.Inject(injected_code + sizeAsm);
    This is what it looks like for Windows 8
    Code:
    push 14
    mov eax, d3d9.dll+149A0C
    but the address "d3d9.dll+149A0C" would have to be read from the original endscene, so something like

    Code:
      // copy and save original instructions
      Memory.Asm.Clear();
      Memory.Asm.AddLine("push 0x14");
      Memory.Asm.AddLine("mov eax, " + Memory.ReadUInt(pEndScene + 3));
      Memory.Asm.Inject(injected_code + sizeAsm);

  8. #8
    hamburger12's Avatar Contributor CoreCoins Purchaser
    Do a short jmp to the location pEndscene - 0x5 where you write your jmp to your code cave. Execute your code and add the 2 bytes at the end of the function. Jump back (pEndscene + 0x2) and you are fine ;-)

    (+rep xDD wispher)

  9. #9
    eracer's Avatar Contributor
    Originally Posted by hamburger12 View Post
    Do a short jmp to the location pEndscene - 0x5 where you write your jmp to your code cave. Execute your code and add the 2 bytes at the end of the function. Jump back (pEndscene + 0x2) and you are fine ;-)

    (+rep xDD wispher)

    That should work as long as you know for sure that pEndscene + 0x5 is already allocated and not something important that you're going to overwrite.
    You could always patch the VMT address too.

    BTW, what is "(+rep xDD wispher)"? Are you asking for rep?

  10. #10
    Cypher's Avatar Kynox's Sister's Pimp
    Originally Posted by hamburger12 View Post
    Do a short jmp to the location pEndscene - 0x5 where you write your jmp to your code cave. Execute your code and add the 2 bytes at the end of the function. Jump back (pEndscene + 0x2) and you are fine ;-)

    (+rep xDD wispher)
    What if something has already hooked EndScene (i.e. steam)? You need to check whether there is already a jump there, then write that jump into your trampoline if there is.

    You should also check whether or not someone has performed a detour on the first 5 bytes of the function rather than utilizing hotpatching. If they have, your method will destroy the instruction and you will try to execute invalid code when you jump into EndScene+0x2.

  11. #11
    Jadd's Avatar 🐸 Premium Seller
    Originally Posted by Cypher View Post
    What if something has already hooked EndScene (i.e. steam)? You need to check whether there is already a jump there, then write that jump into your trampoline if there is.
    Honorbuddy does not check and it drives me insane when my EndScene hooks are overwritten... For the sake of everyone, listen to this guy.

  12. #12
    Cypher's Avatar Kynox's Sister's Pimp
    Originally Posted by Jadd View Post
    Honorbuddy does not check and it drives me insane when my EndScene hooks are overwritten... For the sake of everyone, listen to this guy.

    Yeah, I don't understand why people just assume they're the only person who wants to hook EndScene (or anything else for that matter). I can understand if you're hooking engine functions or something like that, but if you're going to hook public exported APIs, at least be polite about it and support hook chaining.
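
The checks described in posts #7 and #10, as an added example that is not part of the original thread or any poster's code: a C classifier for the first bytes of a 32-bit function that reports whether the prologue is the hot-patchable `mov edi, edi` form, the `push 14` / `mov eax, imm32` form, or already redirected by another hook, and where that hook points. All names, byte samples and addresses are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed samples: 5 bytes located before the entry point, then 8 bytes
 * of the function itself. ENTRY_VA and every address below are made up. */
#define ENTRY_VA 0x10040000u
static const uint8_t WIN7_STYLE[] = {0xCC,0xCC,0xCC,0xCC,0xCC, 0x8B,0xFF,0x55,0x8B,0xEC,0x83,0xEC,0x10};
static const uint8_t WIN8_STYLE[] = {0xCC,0xCC,0xCC,0xCC,0xCC, 0x6A,0x14,0xB8,0x0C,0x9A,0x14,0x10,0xE8};
static const uint8_t DETOURED[]   = {0xCC,0xCC,0xCC,0xCC,0xCC, 0xE9,0xFB,0xFF,0xFB,0x0F,0x83,0xEC,0x10};
static const uint8_t HOTPATCHED[] = {0xE9,0x00,0x00,0xFC,0x0F, 0xEB,0xF9,0x55,0x8B,0xEC,0x83,0xEC,0x10};

typedef enum {
    P_HOTPATCH_CLEAN,   /* 8B FF 55 8B EC  mov edi,edi; push ebp; mov ebp,esp  */
    P_PUSH_MOV,         /* 6A ib B8 id     push imm8; mov eax,imm32 (post #7)   */
    P_DETOUR_JMP,       /* E9 rel32        first 5 bytes already detoured       */
    P_HOTPATCH_HOOKED,  /* EB F9 at entry, E9 rel32 at entry-5 (hot-patch hook) */
    P_UNKNOWN
} pkind;

typedef struct {
    pkind    kind;
    size_t   whole_len;  /* bytes at entry that end on an instruction boundary */
    uint32_t target;     /* absolute destination of an existing hook, else 0   */
    uint32_t imm32;      /* operand of mov eax,imm32 for P_PUSH_MOV, else 0    */
} pinfo;

/* Read a little-endian 32-bit value. */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* buf holds `pad` bytes that precede the entry point followed by `n` bytes
 * of the function; entry_va is the address the function is mapped at. */
pinfo classify_prologue(const uint8_t *buf, size_t pad, size_t n, uint32_t entry_va) {
    pinfo r = { P_UNKNOWN, 0, 0, 0 };
    const uint8_t *e = buf + pad;

    if (n >= 5 && e[0] == 0xE9) {
        /* jmp rel32 is relative to the next instruction (entry + 5). */
        r.kind = P_DETOUR_JMP; r.whole_len = 5;
        r.target = entry_va + 5 + rd32(e + 1);
    } else if (n >= 2 && pad >= 5 && e[0] == 0xEB && e[1] == 0xF9 && e[-5] == 0xE9) {
        /* jmp short -7 lands on entry-5; the long jmp there ends at entry. */
        r.kind = P_HOTPATCH_HOOKED; r.whole_len = 2;
        r.target = entry_va + rd32(e - 4);
    } else if (n >= 5 && e[0] == 0x8B && e[1] == 0xFF && e[2] == 0x55 &&
               e[3] == 0x8B && e[4] == 0xEC) {
        r.kind = P_HOTPATCH_CLEAN; r.whole_len = 5;
    } else if (n >= 7 && e[0] == 0x6A && e[2] == 0xB8) {
        /* 2 + 5 = 7 bytes; the imm32 sits at entry + 3, as read in post #7. */
        r.kind = P_PUSH_MOV; r.whole_len = 7;
        r.imm32 = rd32(e + 3);
    }
    return r;
}

int main(void) {
    static const char *names[] = {"hot-patch prologue, unhooked", "push/mov prologue, unhooked",
                                  "detour on first 5 bytes", "hot-patch hook", "unknown"};
    const uint8_t *samples[] = {WIN7_STYLE, WIN8_STYLE, DETOURED, HOTPATCHED};
    for (size_t i = 0; i < 4; i++) {
        pinfo r = classify_prologue(samples[i], 5, 8, ENTRY_VA);
        printf("%-30s whole_len=%u target=%08X imm32=%08X\n", names[r.kind],
               (unsigned)r.whole_len, (unsigned)r.target, (unsigned)r.imm32);
    }
    return 0;
}
```

A `P_UNKNOWN` result means the bytes at the entry point were not decoded, so nothing is known about where an instruction boundary falls.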
