Hello,
I try the whole of this day, to Hook the Endscene from Win 8, but my Problem is, it's Crash or I only get on all ASM stuff "0" as return.
Crash Code:
All 0 Code:Code:threadHooked = false; // allocate memory to store injected code: injected_code = Memory.AllocateMemory(2048); // allocate memory the new injection code pointer: addresseInjection = Memory.AllocateMemory(0x4); Memory.WriteInt(addresseInjection, 0); // allocate memory the pointer return value: retnInjectionAsm = Memory.AllocateMemory(0x4); Memory.WriteInt(retnInjectionAsm, 0); // Generate the STUB to be injected Memory.Asm.Clear(); // $Asm // save regs Memory.Asm.Clear(); Memory.Asm.AddLine("push 14"); Memory.Asm.AddLine("mov eax, " + ConvertToHexString(D3D9Module)); Memory.Asm.AddLine("pushad"); Memory.Asm.AddLine("pushfd"); // Test if you need launch injected code: Memory.Asm.AddLine("mov eax, [" + addresseInjection + "]"); Memory.Asm.AddLine("test eax, eax"); Memory.Asm.AddLine("je @out"); // Launch Fonction: Memory.Asm.AddLine("mov eax, [" + addresseInjection + "]"); Memory.Asm.AddLine("call eax"); // Copie pointer return value: Memory.Asm.AddLine("mov [" + retnInjectionAsm + "], eax"); // Enter value 0 of addresse func inject Memory.Asm.AddLine("mov edx, " + addresseInjection); Memory.Asm.AddLine("mov ecx, 0"); Memory.Asm.AddLine("mov [edx], ecx"); // Close func Memory.Asm.AddLine("@out:"); // load reg Memory.Asm.AddLine("popfd"); Memory.Asm.AddLine("popad"); // injected code uint sizeAsm = (uint)(Memory.Asm.Assemble().Length); Memory.Asm.Inject(injected_code); // Size asm jumpback int sizeJumpBack = 7; // copy and save original instructions Memory.Asm.Clear(); Memory.Asm.AddLine("mov edi, edi"); Memory.Asm.AddLine("push ebp"); Memory.Asm.AddLine("mov ebp, esp"); Memory.Asm.Inject(injected_code + sizeAsm); // create jump back stub Memory.Asm.Clear(); Memory.Asm.AddLine("jmp " + (pEndScene + sizeJumpBack)); Memory.Asm.Inject(injected_code + sizeAsm + (uint)sizeJumpBack); // create hook jump Memory.Asm.Clear(); // $jmpto Memory.Asm.AddLine("jmp " + (injected_code)); Memory.Asm.AddLine("nop"); Memory.Asm.AddLine("nop"); Memory.Asm.Inject(pEndScene);
The Code with "0" give an Exception:Code:threadHooked = false; // allocate memory to store injected code: injected_code = Memory.AllocateMemory(2048); // allocate memory the new injection code pointer: addresseInjection = Memory.AllocateMemory(0x4); Memory.WriteInt(addresseInjection, 0); // allocate memory the pointer return value: retnInjectionAsm = Memory.AllocateMemory(0x4); Memory.WriteInt(retnInjectionAsm, 0); // Generate the STUB to be injected Memory.Asm.Clear(); // $Asm // save regs Memory.Asm.Clear(); Memory.Asm.AddLine("push 14"); Memory.Asm.AddLine("mov eax, " + (ConvertToHexString(D3D9Module) + 0x149A0C)); Memory.Asm.AddLine("pushad"); Memory.Asm.AddLine("pushfd"); // Test if you need launch injected code: Memory.Asm.AddLine("mov eax, [" + addresseInjection + "]"); Memory.Asm.AddLine("test eax, eax"); Memory.Asm.AddLine("je @out"); // Launch Fonction: Memory.Asm.AddLine("mov eax, [" + addresseInjection + "]"); Memory.Asm.AddLine("call eax"); // Copie pointer return value: Memory.Asm.AddLine("mov [" + retnInjectionAsm + "], eax"); // Enter value 0 of addresse func inject Memory.Asm.AddLine("mov edx, " + addresseInjection); Memory.Asm.AddLine("mov ecx, 0"); Memory.Asm.AddLine("mov [edx], ecx"); // Close func Memory.Asm.AddLine("@out:"); // load reg Memory.Asm.AddLine("popfd"); Memory.Asm.AddLine("popad"); // injected code uint sizeAsm = (uint)(Memory.Asm.Assemble().Length); Memory.Asm.Inject(injected_code); // Size asm jumpback int sizeJumpBack = 7; // copy and save original instructions Memory.Asm.Clear(); Memory.Asm.AddLine("mov edi, edi"); Memory.Asm.AddLine("push ebp"); Memory.Asm.AddLine("mov ebp, esp"); Memory.Asm.Inject(injected_code + sizeAsm); // create jump back stub Memory.Asm.Clear(); Memory.Asm.AddLine("jmp " + (pEndScene + sizeJumpBack)); Memory.Asm.Inject(injected_code + sizeAsm + (uint)sizeJumpBack); // create hook jump Memory.Asm.Clear(); // $jmpto Memory.Asm.AddLine("jmp " + (injected_code)); Memory.Asm.AddLine("nop"); Memory.Asm.AddLine("nop"); Memory.Asm.Inject(pEndScene);
D3D9Module = 0x6387F8DFCode:"Assembly failed! Error code: -121; Error Line: 3 bei Fasm.ManagedFasm.Assemble(String szSource, Int32 nMemorySize, Int32 nPassLimit) bei Fasm.ManagedFasm.Assemble()"
/e: The Offsets are right (works with Win7 and XP-Win7 Injection Code)
greets,
Endecs
Shout-Out
User Tag List
Thread: Win 8 - EndsceneHook
Results 1 to 12 of 12
-
12-03-2012 #1
Master Sergeant
- Reputation
- 53
- Join Date
- Jan 2011
- Posts
- 116
- Thanks G/R
- 0/0
- Trade Feedback
- 0 (0%)
- Mentioned
- 0 Post(s)
- Tagged
- 0 Thread(s)
Win 8 - EndsceneHook
Last edited by Endecs; 12-03-2012 at 02:25 PM.
-
12-03-2012 #2
Elite User
- Reputation
- 487
- Join Date
- May 2008
- Posts
- 578
- Thanks G/R
- 2/23
- Trade Feedback
- 1 (100%)
- Mentioned
- 0 Post(s)
- Tagged
- 0 Thread(s)
How do you get pEndScene?Originally Posted by Endecs
You might also want to take a look at my project here
-
12-03-2012 #3
Master Sergeant
- Reputation
- 53
- Join Date
- Jan 2011
- Posts
- 116
- Thanks G/R
- 0/0
- Trade Feedback
- 0 (0%)
- Mentioned
- 0 Post(s)
- Tagged
- 0 Thread(s)
All working with Win 7, just not with Win 8.Code:uint pDevice = Memory.ReadUInt((UInt32)Memory.MainModule.BaseAddress + DX_DEVICE); uint pEnd = Memory.ReadUInt(pDevice + DX_DEVICE_IDX); uint pScene = Memory.ReadUInt(pEnd); uint pEndScene = Memory.ReadUInt(pScene + ENDSCENE_IDX);
And moment I will take a look in your Project.Code:Direct3D9__Device = 0xB18ADC, // 5.1 Direct3D9__Device__OffsetA = 0x2808, // 5.1 Direct3D9__Device__OffsetB = 0xA8 // 5.1
/e: Your Projekt does not help me really :s
greets,
EndecsLast edited by Endecs; 12-03-2012 at 03:27 PM.
-
12-03-2012 #4
Elite User
- Reputation
- 487
- Join Date
- May 2008
- Posts
- 578
- Thanks G/R
- 2/23
- Trade Feedback
- 1 (100%)
- Mentioned
- 0 Post(s)
- Tagged
- 0 Thread(s)
I'm using Windows 8 myself. I got no problems with it at all.
-
12-03-2012 #5
Master Sergeant
- Reputation
- 53
- Join Date
- Jan 2011
- Posts
- 116
- Thanks G/R
- 0/0
- Trade Feedback
- 0 (0%)
- Mentioned
- 0 Post(s)
- Tagged
- 0 Thread(s)
You mean, how I do it, or how you do it in your Projekt?Originally Posted by Master674
greets,
Endecs
-
12-04-2012 #6
🐸
- Reputation
- 1515
- Join Date
- May 2008
- Posts
- 2,433
- Thanks G/R
- 81/336
- Trade Feedback
- 1 (100%)
- Mentioned
- 2 Post(s)
- Tagged
- 0 Thread(s)
d3dshark works in Windows 8. You should use the same method of hooking it.Originally Posted by Endecs
-
12-15-2012 #7
Contributor
- Reputation
- 201
- Join Date
- Feb 2011
- Posts
- 75
- Thanks G/R
- 0/0
- Trade Feedback
- 0 (0%)
- Mentioned
- 0 Post(s)
- Tagged
- 0 Thread(s)
If this is for Windows 8, the "original instructions" that you have are not right
This is what it looks like for Windows 8Code:// copy and save original instructions Memory.Asm.Clear(); Memory.Asm.AddLine("mov edi, edi"); Memory.Asm.AddLine("push ebp"); Memory.Asm.AddLine("mov ebp, esp"); Memory.Asm.Inject(injected_code + sizeAsm);
but the address "d3d9.dll+149A0C" would have to be read from the original endscene, so something likeCode:push 14 mov eax, d3d9.dll+149A0C
Code:// copy and save original instructions Memory.Asm.Clear(); Memory.Asm.AddLine("push 0x14"); Memory.Asm.AddLine("mov eax, " + Memory.ReadUInt(pEndScene + 3)); Memory.Asm.Inject(injected_code + sizeAsm);
-
12-17-2012 #8
Contributor
- Reputation
- 87
- Join Date
- Jan 2010
- Posts
- 297
- Thanks G/R
- 0/1
- Trade Feedback
- 0 (0%)
- Mentioned
- 0 Post(s)
- Tagged
- 0 Thread(s)
Do a short jmp to the location pEndscene - 0x5 where you write your jmp to your code cave. Execute your code and add the 2 bytes at the end of the function. Jump back (pEndscene + 0x2) and you are fine ;-)
(+rep xDD wispher)
-
12-17-2012 #9
Contributor
- Reputation
- 201
- Join Date
- Feb 2011
- Posts
- 75
- Thanks G/R
- 0/0
- Trade Feedback
- 0 (0%)
- Mentioned
- 0 Post(s)
- Tagged
- 0 Thread(s)
Originally Posted by hamburger12
That should work as long as you know for sure that pEndscene + 0x5 is already allocated and not something important that you're going to overwrite.
You could always patch the VMT address too.
BTW, what is "(+rep xDD wispher)"? Are you asking for rep?
-
12-18-2012 #10
Kynox's Sister's Pimp
- Reputation
- 1358
- Join Date
- Apr 2006
- Posts
- 5,368
- Thanks G/R
- 0/6
- Trade Feedback
- 0 (0%)
- Mentioned
- 0 Post(s)
- Tagged
- 0 Thread(s)
What if something has already hooked EndScene (i.e. steam)? You need to check whether there is already a jump there, then write that jump into your trampoline if there is.Originally Posted by hamburger12
You should also check whether or not someone has performed a detour on the first 5 bytes of the function rather than utilizing hotpatching. If they have, your method will destroy the instruction and you will try to execute invalid code when you jump into EndScene+0x2.
-
12-18-2012 #11
🐸
- Reputation
- 1515
- Join Date
- May 2008
- Posts
- 2,433
- Thanks G/R
- 81/336
- Trade Feedback
- 1 (100%)
- Mentioned
- 2 Post(s)
- Tagged
- 0 Thread(s)
Honorbuddy does not check and it drives me insane when my EndScene hooks are overwritten... For the sake of everyone, listen to this guy.Originally Posted by Cypher
-
12-18-2012 #12
Kynox's Sister's Pimp
- Reputation
- 1358
- Join Date
- Apr 2006
- Posts
- 5,368
- Thanks G/R
- 0/6
- Trade Feedback
- 0 (0%)
- Mentioned
- 0 Post(s)
- Tagged
- 0 Thread(s)
Originally Posted by Jadd
Yeah, I don't understand why people just assume they're the only person who wants to hook EndScene (or anything else for that matter). I can understand if you're hooking engine functions or something like that, but if you're going to hook public exported APIs, at least be polite about it and support hook chaining.
Reply With QuoteSimilar Threads
-
How to win AV as alliance
By Matt in forum World of Warcraft GuidesReplies: 11Last Post: 12-16-2006, 08:25 PM -
AB win in under 30 mins if you play as team
By Elites360 in forum World of Warcraft GuidesReplies: 8Last Post: 10-26-2006, 06:30 PM -
First Contest! Win WoW Gold or Power Leveling!
By Matt in forum OC NewsReplies: 41Last Post: 09-21-2006, 10:17 PM -
Guaranteed Warsong Gulch Win
By Matt in forum World of Warcraft GuidesReplies: 6Last Post: 06-29-2006, 06:42 PM -
Winning AV in under 25 minutes
By Matt in forum World of Warcraft GuidesReplies: 1Last Post: 05-15-2006, 05:40 PM
-
OwnedCore Forums
casino news World of Warcraft Pokemon GO MMO Overwatch RTS Casino reviews www.planet-casino.com lucky 8 lucky8 no deposit codes bc game bc game lucky8 -
casino
Casino Gambling Online casinos Casino en ligne bc game bc game bc game no deposit bonus codes roobet Top 10 Casinos Casino reviews Bitcoin casino Paypal Casino Lucky8 1xbit heycasino Need some help :) WoTLK EU Account Giveaway EU 80 Rogue FROZEN finding out wow Question about Calculate this and get a Gotta call blizz, need [REAL] issue Just scammed my first! -
CoreCoins
CoreCoins CoreCoins FAQ Shout-Out Banner Ads -
My OwnedCore
My Profile Notifications Settings Buy CoreCoins About Us
Privacy Policy | Cookie Policy | Terms | Contact Us
Available Payment Methods:-
