DIRECT3D8 HOOKING:
Required Skills:
BASIC ASM programming - Necessary for making the hook code.
CODE Injection - Necessary for setting the hook code.
Debugging skill - Necessary for finding the method calls, or
Hooking of Exports - Necessary unless you plan to use a debugger.
Desired Skills:
C++ programming - if you want to exploit the hook, you'll have to be able to code for D3D.
DLL Injection - makes Code Injection a walk in the park.
If you can program (if not you will have a hard time) then you can do this pretty much without anything except your target program, your skill and your compiler. If you are unsure of your programming skills then you can use a debugger to do all the preliminary work. Here is a basic overview of the process.
1.) Hook the call to Direct3DCreate8 - BPX it or make a program to hook it.
    a) Keep a record of where this is called from, you will need that info later.
    b) Find out what happens to the return value from this call.
2.) IF the return value is stored in a hard-coded location then there is no need to hook this call to keep track of this important value; if however it is stored in a moving location (e.g. the stack or a heap object), you will have to.
3.) Once you have access to the return value you will need to calculate from it where CreateDevice is.
4.) Hook CreateDevice, again either BPX it or hook it with your program.
5.) Grab the pointer to your Device Interface and from that calculate the address of EndScene (or any other function you want to hook).
6.) Hook EndScene .. you know.
The purpose of hooking Direct3DCreate8 is ONLY so that you are able to hook CreateDevice. You want to hook CreateDevice so that you get the Device Interface, necessary if you plan to DO anything with your hook, and you want to hook EndScene because this is most likely the place that you will be DOING things at.
After you do the steps listed above you have enough information to take over the screen. You simply keep a pointer to the Device Interface and hook EndScene; in most cases you don't need to worry about Direct3DCreate8 once you have the addresses that call CreateDevice and EndScene.
Since I am only covering the hooking of Direct3D here and not the use of the hooks once installed, that is as far as I will go here. Now for a more thorough explanation of each step.
Hook the call to Direct3DCreate8.
If you are using a debugger to do this part by hand then I expect you to know how to use it; I am not going to tell you how to set breakpoints. If you are hooking this with a program then a required skill is knowledge of how to set hooks.
Your main objective here is retrieving the return value from this call, since you have to have it to calculate where CreateDevice is. Direct3DCreate8 is a plain exported function (not a COM method), so when it returns the IDirect3D8 interface pointer is in EAX.
Once you have the return value from that call, then you need to go from pointer to COM object, to pointer to structure of pointers (the vtable), to pointer to CreateDevice. This would take many words to explain something simple, so I'll show you what I mean in ASM (BASIC ASM = REQUIRED SKILL). Assuming you have the return value (the IDirect3D8 interface pointer) in EAX then
MOV EBX, DWORD PTR [EAX]      ; EBX = vtable of IDirect3D8
MOV ECX, DWORD PTR [EBX+3Ch]  ; ECX = entry 15 of the vtable = CreateDevice
Now EAX holds the PTR to the COM object, EBX holds the PTR to the STRUCT (vtable), and ECX points to the first BYTE of CreateDevice.
This is because the first member of the COM OBJECT is a pointer to the structure, and the structure is an array of 4-byte pointers to the interface's methods in declaration order. The first three entries are the IUnknown methods (QueryInterface, AddRef, Release) and the IDirect3D8 methods follow; CreateDevice is the last of them, entry 15 (counting from 0), so it sits at offset 15*4 = 3Ch, NOT at offset 0 (offset 0 is QueryInterface).
At this point you should hook CreateDevice, so that you can find out where it gets called from AND grab the pointer to your Device Interface. CreateDevice is a stdcall method with six parameters plus the hidden this pointer, so when your hook catches a call to it the stack looks like this:
DWORD PTR [esp]      = where it was called from (the return address)
DWORD PTR [esp+4]    = this (the IDirect3D8 pointer)
DWORD PTR [esp+8]    = Adapter
DWORD PTR [esp+0Ch]  = DeviceType
DWORD PTR [esp+10h]  = hFocusWindow
DWORD PTR [esp+14h]  = BehaviorFlags
DWORD PTR [esp+18h]  = pPresentationParameters
DWORD PTR [esp+1Ch]  = ppReturnedDeviceInterface = where the pointer to the Device Interface will be stored
so grab [esp] and [esp+1Ch]. Note that [esp+1Ch] is only the ADDRESS the device pointer will be written to; the pointer itself does not exist until CreateDevice returns, and it is only valid if CreateDevice succeeded (EAX = D3D_OK, i.e. 0, on return), so check that before you dereference it.
(man I get headaches from all these pointers to pointers to pointers.....)
After CreateDevice returns, you will want to hook EndScene. Soooo...
Have in EAX the value you grabbed from [ESP+1Ch] above
MOV EAX, DWORD PTR [EAX]      ; EAX = IDirect3DDevice8 interface pointer
MOV EBX, DWORD PTR [EAX]      ; EBX = vtable of IDirect3DDevice8
MOV ECX, DWORD PTR [EBX+8Ch]  ; ECX = entry 35 of the vtable = EndScene
Now ECX points to the first byte of EndScene. Hook this to find where it gets called from.
Congratulations, now you have all the information you need to fiddle around with the screen while the game is running.
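Here is the whole chain from above in C, as an added worked example that is not part of the original tutorial. The IDirect3D8 / IDirect3DDevice8 objects, their vtables, the fake_* functions, the vtable sizes and the value 220 passed as the SDK version are constructed stand-ins so it builds and runs anywhere without d3d8.dll; only the slot numbers (CreateDevice = 15, EndScene = 35) are the real ones from d3d8.h. It resolves a method exactly like the MOVs do (interface -> vtable -> slot), hooks EndScene by overwriting its vtable entry, and reports the 32-bit byte offsets (3Ch, 8Ch and [esp+1Ch]) so you can check them against the ASM. Real D3D8 methods are __stdcall on x86; the mocks are plain C calls.

```c
/* Added example: vtable walking and hooking against constructed stand-ins for d3d8.dll. */
#include <stddef.h>
#include <stdio.h>

typedef long HRESULT_t;                 /* stand-in for HRESULT */
#define S_OK_T 0L                       /* D3D_OK */
typedef void (*slot_t)(void);           /* opaque vtable entry */

enum { SLOT_CREATEDEVICE = 15,          /* IDirect3D8::CreateDevice, 15*4 = 3Ch on x86 */
       SLOT_ENDSCENE     = 35 };        /* IDirect3DDevice8::EndScene, 35*4 = 8Ch on x86 */
enum { MOCK_D3D_SLOTS = 16, MOCK_DEV_SLOTS = 36 };   /* constructed: just big enough for the demo */

/* Any COM interface pointer: the first field is the vtable pointer. */
typedef struct { slot_t *vtbl; } IDirect3D8_t;
typedef struct { slot_t *vtbl; } IDirect3DDevice8_t;

typedef HRESULT_t (*EndScene_fn)(IDirect3DDevice8_t *self);
typedef HRESULT_t (*CreateDevice_fn)(IDirect3D8_t *self, unsigned adapter, int devtype,
                                     void *hwnd, unsigned flags, void *pparams,
                                     IDirect3DDevice8_t **ppdev);

/* ---- constructed stand-ins for d3d8.dll (not the real library) ----------- */
static slot_t g_dev_vtbl[MOCK_DEV_SLOTS];
static IDirect3DDevice8_t g_device = { g_dev_vtbl };
static slot_t g_d3d_vtbl[MOCK_D3D_SLOTS];
static IDirect3D8_t g_d3d = { g_d3d_vtbl };
static unsigned g_real_endscene_calls;

static HRESULT_t fake_EndScene(IDirect3DDevice8_t *self)
{ (void)self; g_real_endscene_calls++; return S_OK_T; }

static HRESULT_t fake_CreateDevice(IDirect3D8_t *self, unsigned adapter, int devtype,
                                   void *hwnd, unsigned flags, void *pparams,
                                   IDirect3DDevice8_t **ppdev)
{
    (void)self; (void)adapter; (void)devtype; (void)hwnd; (void)flags; (void)pparams;
    *ppdev = &g_device;                 /* like the real call: *ppdev is valid only after return */
    return S_OK_T;
}

static IDirect3D8_t *fake_Direct3DCreate8(unsigned sdk_version)
{
    (void)sdk_version;
    g_d3d_vtbl[SLOT_CREATEDEVICE] = (slot_t)fake_CreateDevice;
    g_dev_vtbl[SLOT_ENDSCENE]     = (slot_t)fake_EndScene;   /* also undoes any earlier hook */
    g_real_endscene_calls = 0;
    return &g_d3d;
}

/* ---- the technique ------------------------------------------------------- */
/* The MOVs from the text: EAX = iface, EBX = [EAX] = vtable, ECX = [EBX + slot*4]. */
slot_t resolve_slot(const void *iface, size_t slot)
{
    slot_t *const *pvtbl = (slot_t *const *)iface;   /* EAX: interface pointer */
    slot_t *vtbl = *pvtbl;                           /* EBX: vtable pointer    */
    return vtbl[slot];                               /* ECX: method address    */
}

/* Byte offsets for 32-bit ASM: vtable slot, and stdcall stack argument where
 * arg 0 is 'this' at [esp+4] and ppReturnedDeviceInterface is arg 6 -> [esp+1Ch]. */
size_t slot_offset_x86(size_t slot) { return slot * 4; }
size_t arg_offset_x86(size_t arg)   { return 4 + arg * 4; }

static EndScene_fn g_orig_EndScene;
static unsigned g_hook_endscene_calls;

static HRESULT_t hooked_EndScene(IDirect3DDevice8_t *self)
{
    g_hook_endscene_calls++;            /* drawing with 'self' would go here */
    return g_orig_EndScene(self);       /* always forward to the original */
}

/* Overwrite one vtable slot and return what was there.  On the real d3d8.dll the
 * vtable page is read-only, so VirtualProtect(&vtbl[slot], sizeof(void*),
 * PAGE_READWRITE, &old) must come first; the mock arrays are writable. */
slot_t hook_vtable_slot(void *iface, size_t slot, slot_t hook)
{
    slot_t *vtbl = *(slot_t **)iface;
    slot_t orig = vtbl[slot];
    vtbl[slot] = hook;
    return orig;
}

/* Whole procedure against the mock: Direct3DCreate8 -> CreateDevice -> hook EndScene
 * -> 'frames' calls through the vtable.  Returns how many calls the hook saw. */
unsigned run_hook_demo(unsigned frames)
{
    IDirect3D8_t *d3d = fake_Direct3DCreate8(220);
    CreateDevice_fn create = (CreateDevice_fn)resolve_slot(d3d, SLOT_CREATEDEVICE);
    IDirect3DDevice8_t *dev = NULL;
    /* Check the HRESULT before dereferencing: on failure *ppdev is not a device. */
    if (create(d3d, 0, 1, NULL, 0, NULL, &dev) != S_OK_T || dev == NULL) return 0;

    g_hook_endscene_calls = 0;
    slot_t orig = hook_vtable_slot(dev, SLOT_ENDSCENE, (slot_t)hooked_EndScene);
    if (orig != (slot_t)hooked_EndScene) g_orig_EndScene = (EndScene_fn)orig;  /* never chain to ourselves */
    for (unsigned i = 0; i < frames; i++) {
        EndScene_fn es = (EndScene_fn)resolve_slot(dev, SLOT_ENDSCENE);  /* what the game does each frame */
        es(dev);
    }
    return g_hook_endscene_calls;
}

unsigned real_endscene_calls(void) { return g_real_endscene_calls; }

int main(void)
{
    unsigned seen = run_hook_demo(3);
    printf("hook saw %u EndScene calls, original ran %u times\n", seen, real_endscene_calls());
    printf("CreateDevice at [vtbl+%zXh], EndScene at [vtbl+%zXh], ppDevice at [esp+%zXh]\n",
           slot_offset_x86(SLOT_CREATEDEVICE), slot_offset_x86(SLOT_ENDSCENE), arg_offset_x86(6));
    return 0;
}
```

The point to take from it: the hook never touches Direct3DCreate8 again once it has the device pointer, every EndScene call still reaches the original (the counters match), and the only thing that changes between the mock and a real target is where the vtable lives and the VirtualProtect you need before writing to it.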