d3dapp

jeromerz · 08/27/2016, 18:53

Hi everyone,

i've been trying to add this function on my Neuz.exe

Code:

void CD3DApplication::CheckCheatTools()
{
	static DWORD dwCurrentPID = GetCurrentProcessId();
	// Check transmission gear, etc.
	//////////////////////////////////////////////////////////////////////////
	BYTE* byte_pos = (BYTE*)::timeGetTime;
	BYTE* byte_pos2 = (BYTE*)::GetTickCount;
	// EndScene method offset A8
	int* ppp = (int*)(*(int*)m_pd3dDevice + 0xA8);// EndScene method offset A8) 
	BYTE* byte_pos3 = (BYTE*)(*ppp);
	if (*byte_pos == 0xE9 || *byte_pos2 == 0xE9 || *byte_pos3 == 0xE9 || *byte_pos == 0xFF || *byte_pos2 == 0xFF ) // E9 / FF52 jmp instruction
	{
		//½áÊø½ø³Ì
		ExitProcess(-1);
		return;
	}
	if(m_timerCheckCheatTools.IsTimeOut()) //10s¼ì²éÒ»´Î
	{
		/*
		  Detection process
******** Now we will use the function CreateToolhelp32Snapshot () to get a snapshot of the current running process
*********This function returns a handle to the snapshot of running processes.
******** His prototype is:
******	 HANDLE WINAPI CreateToolhelp32Snapshot (DWORD dwFlags, DWORD th32ProcessID);
		 We will dwFlags set TH32CS_SNAPPROCESS, th32ProcessID set to zero.
		*/
		HANDLE hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
		if(hSnapShot == INVALID_HANDLE_VALUE)
		{
			m_timerCheckCheatTools.Reset(); //ÖØÖÃ¶¨Ê±Æ÷
			return;
		}
		/*
  // Now we get information of all processes.
* // Extract the data from the hSnapShot to a PROCESSENTRY32 structure
* // This structure represents a process that is part of ToolHelp32 API.
  // Extract data by Process32First () and Process32Next () these two functions.
		*/
		PROCESSENTRY32* processInfo = new PROCESSENTRY32;

		// The value must be set PROCESSENTRY32 dwSize members
		processInfo->dwSize=sizeof(PROCESSENTRY32);

		//Start traversing
		BOOL bNext = Process32First(hSnapShot,processInfo);
		BOOL bFound = FALSE;
		HANDLE hProcess = NULL;
		BYTE byCheck1,byCheck2,byCheck3,byCheck4;
		/*
		00402f20 0x79
		00402f3c 0x6b
		00402f53 0x19
		00402f5c 0x61                                                            
		*/
		SIZE_T sizeRet = 0;
		while(bNext)
		{
			if(processInfo->th32ProcessID != dwCurrentPID)
			{
				hProcess = OpenProcess(PROCESS_VM_READ, FALSE, processInfo->th32ProcessID);
				if (hProcess)
				{
					ReadProcessMemory(hProcess,(LPCVOID)0x00402f20,&byCheck1,1,&sizeRet);
					ReadProcessMemory(hProcess,(LPCVOID)0x00402f3c,&byCheck2,1,&sizeRet);
					ReadProcessMemory(hProcess,(LPCVOID)0x00402f53,&byCheck3,1,&sizeRet);
					ReadProcessMemory(hProcess,(LPCVOID)0x00402f5c,&byCheck4,1,&sizeRet);
					/*
					Extracted from ASpeeder function in part of the code to generate a random dll name.
					The reason why these four extraction constant, because the code should be updated infrequently,
					so the address should not be changed. This can increase the success rate of judge
********************And these four values is cured specific values, such as the first 0x79
					is set to generate a random dll name the first character is "y". So you can maximize avoid misjudgment!
					*/
					if(byCheck1 == 0x79 && byCheck2 == 0x6b && byCheck3 == 0x19 && byCheck4 == 0x61) 
					{
						bFound = TRUE;
						break;
					}
					CloseHandle(hProcess);
				}
			}
			bNext = Process32Next(hSnapShot,processInfo);
		}
		CloseHandle(hSnapShot); 
		delete processInfo;
		if(bFound)
		{
			ExitProcess(-1);
			return;
		}
		m_timerCheckCheatTools.Reset(); 
	}
}

successfully compiled it without any error but when i launch it on windows 8 or windows 10 OS the neuz.exe pop out and then when the hour glass icon shows up the indication that the loading time is finished the Neuz.exe will automatically close without generating errors. So i assumed that the problem is on the DirectX version.

But on windows 7 below it runs well.

thanks in advance

alfredico · 08/27/2016, 19:28

It's because of this.
if (*byte_pos == 0xE9 || *byte_pos2 == 0xE9 || *byte_pos3 == 0xE9 || *byte_pos == 0xFF || *byte_pos2 == 0xFF ) // E9 / FF52 jmp instruction

jeromerz · 08/28/2016, 10:17

how can i make it work on win 8 and above? if i disable it or exclude it it generates error

Kaev <3 · 08/28/2016, 10:40

Code:

if (*byte_pos == 0xE9 || *byte_pos2 == 0xE9 || *byte_pos3 == 0xE9 || *byte_pos == 0xFF || *byte_pos2 == 0xFF ) // E9 / FF52 jmp instruction
{
//½áÊø½ø³Ì
ExitProcess(-1); // this will close the neuz without any errors
return;
}

If the condition is true, it will close the program as intended. Seems like one part of your condition is always true on >Windows 8.

alfredico · 08/28/2016, 10:49

No idea, I will try later since I'm curious.

Mognakor · 08/28/2016, 15:35

1. Use the [code]-tag

2. What are you trying to achieve? / How does your code work?

jeromerz · 08/29/2016, 03:30

It seems to be a speed checker. xD i dont really know but based on the packet some tools maybe blocked too

Mognakor · 08/29/2016, 16:34

So you are putting code into your source and you have no idea what it is supposed to do?

jeromerz · 08/29/2016, 16:37

i saw this project here:

Check Cheat tools xD

Capt. Jack · 08/29/2016, 17:19

I think it looks like the developer of the code wants to check the first instruction of the functions..
Hacks can overwrite windows functions (windows hook). They place a 'jmp' at the beginning of the function, so the functions(i.e. timeGetTime) will call their own funciton(i.e. timeGetTime_hack).
This is exactly what the code want to check:

Spoiler

Capt. Jack