Warrock - Code Snippets

[Raz9r]

Quote:

Originally Posted by babyiloveyou12

Help DIP hook Please...

Quote:

Originally Posted by babyiloveyou12

@Phantom.

request working DIP Midfunction...

thanks...

Man it's really not that hard to do...
Just analyse the disassembly of the DrawIndexedPrimitive method, find some code cave (I used to use the "mov edi, edi" 2 byte nop at the beginning, but that's not in the middle of the function), place your jump inside, do your code, then jump back. not that hard to do...

However hooks placed in DrawIndexedPrimitive are most likely going to be detected by Hackshield. Why don't you hook in another function which is either caller or callee of DrawIndexedPrimitive?

[Kazbah__]

Quote:

Meiner geht doch
Nur der den ich Pub gestellt hab crasht nach paar min

und wo ist der sinn das du ihn dann public machst?

[~ExoduS~*]

Ich habe Parr Sachen geaddet Check 2 etc Trz wird nicht gehen lol oO

[babyiloveyou12]

Code:

VOID WINAPI DrawIndexedPrimitive_Main(LPDIRECT3DDEVICE9 pDevice,D3DPRIMITIVETYPE Type,INT BaseVertexIndex,UINT MinIndex,UINT NumVertices,UINT StartIndex,UINT PrimitiveCount)
{
	LPDIRECT3DVERTEXBUFFER9 Stream;
	UINT Stride;
	UINT Offset;
	if ( pDevice->GetStreamSource(0,&Stream,&Offset,&Stride) == D3D_OK )
	{
		Stream->Release();
	}
	if ( Stride == 32 || Stride == 36 )
	{
		pDevice->SetRenderState(D3DRS_ZENABLE,FALSE);
		pDevice->SetRenderState(D3DRS_AMBIENT,0xFFFF0000);
		pDevice->SetRenderState(D3DRS_ZENABLE,TRUE);
		pDevice->SetRenderState(D3DRS_AMBIENT,0xFF00FF00);
	}
}
__declspec(naked) void DrawIndexedPrimitive_GallGate() //hook at 7CB648
{
    __asm
    {
        call DrawIndexedPrimitive_Main
        call dword ptr ds:[esi+0x148]
        pop esi
        retn 0x18
    }
}

i try this... and my ASM_addies is Correct..

Code:

seg000:00****7                 push    ecx
seg000:00****8                 call    dword ptr [esi+148h]
seg000:00****E                 pop     esi
seg000:00****F                 retn    18h

so i use this 00****8 .

but still detected

hook

Code:

int InstallHooking(void)
{
	DetourFeatures((PBYTE)0x00****8, (PBYTE)DrawIndexedPrimitive_GallGate, 5);
	return 0;
}

why? explaine please!

[Raz9r]

Quote:

Originally Posted by babyiloveyou12

why? explaine please!

Because every single byte of DrawIndexedPrimitive is double checked by Hackshield every five minutes.

Just don't hook DrawIndexedPrimitive, hook one if its callees and get the parameters DrawIndexedPrimitive was called with from the stack using direct access (esp + offset instead of pop directive).

[babyiloveyou12]

ahh?

how can dont hook and how can i hook if its call and get parameter...

sorry

im beginner about hooking..


can you explain it to me..in begginer/newbie method..

Sorry @__underScore

realy need!

[Nullpointer1337]

Just some fresh patterns found with OllyDbg / Sigmaker (took addys from different posts @Pointer & Offsets to find it).

Code:

bool Match(const BYTE* pData, const BYTE* bMask, const char* szMask)
{
    for(;*szMask;++szMask,++pData,++bMask)
        if(*szMask=='x' && *pData!=*bMask ) 
            return false;
    return (*szMask) == NULL;
}


DWORD FindPattern(DWORD dwAddress,DWORD dwLen,BYTE *bMask,char * szMask, bool doExtract, int offset)
{
    for(DWORD i=0; i < dwLen; i++)
        if( Match( (BYTE*)( dwAddress+i ),bMask,szMask) )
			if(doExtract)
				return *(DWORD*)(dwAddress+i+offset);
			else
				return (DWORD)(dwAddress+i+offset);

    return 0;
}

void makeAddressLog(char* mName, unsigned char* Pattern, char* Mask, bool doExtract = false, int offset = 0)
{
	char iBuf[255];
	sprintf(iBuf, "#define %s 0x%08X\n", mName, FindPattern(0x00400000, 0x00986000, Pattern, Mask, doExtract, offset));
	add_log(iBuf);
}


// somewhere in your logging thread

	makeAddressLog("ptrPlayer", (unsigned char*)"\x8B\x0D\x00\x00\x00\x00\x33\xC0\x66\x89\x81\xA0\x01\x01\x00\x5E", "xx????xxxxxxxxxx", true, 2);
	makeAddressLog("ptrServer", (unsigned char*)"\xA1\x00\x00\x00\x00\x3B\xC3\x74\x1A\x38\x98\x38\x09\x0E\x00", "x????xxxxxxxxxx", true, 1);
	makeAddressLog("ptrBase", (unsigned char*)"\x81\xC6\x00\x00\x00\x00\x2B\xC2\x66\x89\x8E\xC8\x1B\x00\x00\x33\xC9", "xx????xxxxxxxxxxx", true, 2);
	makeAddressLog("adrSpeed", (unsigned char*)"\xDC\x0D\x00\x00\x00\x00\x59\x59\xD9\x5D\x08\x5E", "xx????xxxxxx", true, 2);
	makeAddressLog("adrCqcProne", (unsigned char*)"\x83\x3D\x00\x00\x00\x00\x00\x74\x0A\x6A\x03\x8B\x46\x0C\xE8\x00\x00\x00\x00", "xx?????xxxxxxxx????", true, 2);
	makeAddressLog("ofsInvisible", (unsigned char*)"\x8B\x87\x00\x00\x00\x00\x89\x06\x8B\x87\x00\x00\x00\x00\x89\x46\x08", "xx????xxxx????xxx", true, 2);
	makeAddressLog("szGlobalPlayer", (unsigned char*)"\x69\xDB\x00\x00\x00\x00\x8B\x00\x8B\x40\x58\x3B\x83\x00\x00\x00\x00", "xx????xxxxxxx????", true, 2);
	makeAddressLog("adrWeapon1", (unsigned char*)"\x0F\xBF\x86\x00\x00\x00\x00\x83\xC4\x10\xE8\x00\x00\x00\x00\x50\x8B\xCA", "xxx????xxxx????xxx", true, 3);
	makeAddressLog("adrWeapon2", (unsigned char*)"\x0F\xB7\x8E\x00\x00\x00\x00\x51\xE8\x00\x00\x00\x00\x8B\x0D\x00\x00\x00\x00", "xxx????xx????xx????", true, 3);
	makeAddressLog("adrWeapon3", (unsigned char*)"\x0F\xBF\x87\x00\x00\x00\x00\x8B\x0D\x00\x00\x00\x00\x6B\xC0\x34\x0F\xB7\x84\x08\x80\xFF\x0C\x00", "xxx????xx????xxxxxxxxxxx", true, 3);
	makeAddressLog("adrD3DUsername", (unsigned char*)"\x05\x00\x00\x00\x00\x50\x68\x00\x00\x00\x00\xBF\x00\x00\x00\x00\x57\xFF\x15\x00\x00\x00\x00", "x????xx????x????xxx????", true, 1);
	makeAddressLog("adrD3DHealth", (unsigned char*)"\xDB\x83\x00\x00\x00\x00\xDA\xB3\x00\x00\x00\x00\xD9\x5D\x08\xD9\x45\x08", "xx????xx????xxxxxx", true, 2);
	makeAddressLog("adrSpawnTime", (unsigned char*)"\x8B\x0D\x00\x00\x00\x00\x69\xC9\x00\x00\x00\x00\x85\xC0", "xx????xx????xx", true, 2);
	makeAddressLog("adrFallDamage", (unsigned char*)"\x8D\x8F\x00\x00\x00\x00\xE8\x00\x00\x00\x00\x6A\x00\x6A\x09", "xx????x????xxxx", true, 2);
	makeAddressLog("adrFireDelay", (unsigned char*)"\x8D\x86\x00\x00\x00\x00\x50\x51\xD9\x1C\x24\xE8\x00\x00\x00\x00", "xx????xxxxxx????", true, 2);
	makeAddressLog("adrUnlimitedAmmo", (unsigned char*)"\xA1\x00\x00\x00\x00\xFF\x70\x30\x8B\xC6\xE8\x00\x00\x00\x00", "x????xxxxxx????", true, 1);
	makeAddressLog("ofsPremium1", (unsigned char*)"\x8B\x94\x24\x00\x00\x00\x00\x8B\x8C\x24\x00\x00\x00\x00\x03\xD3\x41\x3B\xCD\x0F\x8C\x00\x00\x00\x00", "xxx????xxx????xxxxxxx????", true, 3);
	makeAddressLog("ofsPremium2", (unsigned char*)"\x50\x8D\x84\x24\x00\x00\x00\x00\x50\xFF\x15\x00\x00\x00\x00\x8B\xD8\xE9\x00\x00\x00\x00", "xxxx????xxx????xxx????", true, 4);

	makeAddressLog("fWRNoDetection", (unsigned char*)"\x55\x81\xEC\x00\x00\x00\x00\x8D\x6C\x24\xFC\xA1\x00\x00\x00\x00\x33\xC5", "xxx????xxxxx????xx");
	makeAddressLog("fWRHSCallback", (unsigned char*)"\x57\xE8\x00\x00\x00\x00\x68\x00\x00\x00\x00\x68\x00\x00\x00\x00\x68\x00\x00\x00\x00\x68\x00\x00\x00\x00\x68\x00\x00\x00\x00\x68\x00\x00\x00\x00\xE8\x00\x00\x00\x00\x8B\xF8\x85\xFF\x0F\x84\x00\x00\x00\x00\xB8\x00\x00\x00\x00\x3B\xF8", "xx????x????x????x????x????x????x????x????xxxxxx????x????xx");
	makeAddressLog("fWRHSHandler", (unsigned char*)"\x68\x00\x00\x00\x00\xBA\x20\x7A\x00\x00\x8B\xC6\xE8\x00\x00\x00\x00", "x????xxx??xxx????", true, 1);
	makeAddressLog("fEngineText", (unsigned char*)"\x6A\x04\xB8\x00\x00\x00\x00\xE8\x00\x00\x00\x00\x8B\xF1\x89\x75\xF0", "xxx????x????xxxxx");

[diehuman1330]

#request ESP Source thank you.

[Kazbah__]

Quote:

#request ESP Source thank you.

Code:

if (cEsp.CH_EspName )
	{
          char chName[100];
          sprintf(chName,"%s [%.0fm]",GetGlobalInfo(MaxPlayer)->Name,GetDistance(p_Player2->pLocal, pPlayer)/10);
          Kazbah->DrawTextC((float)vHead.x,(float)vHead.y,EspColor,chName,pFont);
	}

[Aleister C]

nevermind, fixed it.

[diehuman1330]

#request aimbot source full ty

[Kazbah__]

Quote:

#request ESP Source thank you.

Quote:

#request aimbot source full ty

macht doch mal eine neue regel das man erst ab 100 post oder so requesten darf ist ja voll dreist....

[Xave :)]

Code:

#define ADR_ARTILLERY1              0x004E8C67
#define ADR_ARTILLERY2              0x004E8EC9
#define ADR_ARTILLERY3              0x005822CC	
#define ADR_ARTILLERY4              0x0056616B

	   WriteMem((void *)ADR_ARTILLERY1, (byte *)"\x90\x90", 2);
		   WriteMem((void *)ADR_ARTILLERY2, (byte *)"\x90\x90", 2);

		   if(GetAsyncKeyState(VK_SPACE)&1)
		   {
			WriteMem((void *)ADR_ARTILLERY3, (byte *)"\xEB", 1);
			WriteMem((void *)ADR_ARTILLERY4, (byte *)"\x90\x90\x90\x90\x90\x90", 6);
		   }else{
			WriteMem((void *)ADR_ARTILLERY3,(byte *)"\x75",1);
			WriteMem((void *)ADR_ARTILLERY4,(byte *)"\x0F\x85\x87\x02\x00\x00",6);
		   }

Have Fun leeching

[diehuman1330]

Quote:

Originally Posted by Zyzz__

macht doch mal eine neue regel das man erst ab 100 post oder so requesten darf ist ja voll dreist....

what is the use of this section if we don't request? don't be ignorant, you saying because we are noob we can't request here. i know all of people here are all Copy and Paste and i admit it. so please... stop being such an hero.

[~ExoduS~*]

Quote:

Originally Posted by .χανє

Code:

#define ADR_ARTILLERY1              0x004E8C67
#define ADR_ARTILLERY2              0x004E8EC9
#define ADR_ARTILLERY3              0x005822CC	
#define ADR_ARTILLERY4              0x0056616B

	   WriteMem((void *)ADR_ARTILLERY1, (byte *)"\x90\x90", 2);
		   WriteMem((void *)ADR_ARTILLERY2, (byte *)"\x90\x90", 2);

		   if(GetAsyncKeyState(VK_SPACE)&1)
		   {
			WriteMem((void *)ADR_ARTILLERY3, (byte *)"\xEB", 1);
			WriteMem((void *)ADR_ARTILLERY4, (byte *)"\x90\x90\x90\x90\x90\x90", 6);
		   }else{
			WriteMem((void *)ADR_ARTILLERY3,(byte *)"\x75",1);
			WriteMem((void *)ADR_ARTILLERY4,(byte *)"\x0F\x85\x87\x02\x00\x00",6);
		   }

Have Fun leeching

Wieso leeched oO ist doch Public von R3dl!n3 und mit dein Bypass wird crashen.Du sagtest Check 2 fehlt aber hab's geaddet und am Ende crashed Oder Partyprogramm detected.

MFG

EXO