How To Make A D3D Hook [-Complete Tutorial-] ..

First of all i m not like those who afraid on giving a hook..i don't care about this i care bout helping people,,
______________________________________________________________
Quote: #include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <d3d9.h>
#include <d3dx9.h>


okay first lets start naked function

Quote: DWORD* DIP_hook = NULL;
DWORD DIP_return = NULL;

bool wallhack = true;

void myDIP(LPDIRECT3DDEVICE9 pDevice, D3DPRIMITIVETYPE Type,INT BaseVertexIndex,UINT MinVertexIndex,UINT NumVertices,UINT startIndex,UINT primCount)
{
IDirect3DVertexBuffer9* pStreamData = NULL;
UINT iOffsetInBytes,iStride;
pDevice->GetStreamSource(0,&pStreamData,&iOffsetInBytes,&iStride);

if(wallhack)
if ((iStride==40)||(iStride==44))
{
pDevice->SetRenderState(D3DRS_ZENABLE, D3DZB_FALSE );
pDevice->SetRenderState(D3DRS_ZFUNC, D3DCMP_NEVER);
}
}

_declspec(naked) void dwmyDIP()
{
__asm
{
//Call myDIP
MOV EAX, DWORD PTR [ESP+40];
PUSH EAX;
MOV EAX, DWORD PTR [ESP+40];
PUSH EAX;
MOV EAX, DWORD PTR [ESP+40];
PUSH EAX;
MOV EAX, DWORD PTR [ESP+40];
PUSH EAX;
MOV EAX, DWORD PTR [ESP+40];
PUSH EAX;
MOV EAX, DWORD PTR [ESP+40];
PUSH EAX;
MOV EAX, DWORD PTR [ESP+40];
PUSH EAX;
CALL myDIP;
ADD ESP, 28;


Then Restore EAX original value:

Quote: MOV EAX,DWORD PTR FS:[0];


Then put back the Original code:

Quote: PUSH EAX;
SUB ESP,0x20;


Then Return ur JMP Back:

Quote: JMP DIP_return;


Then Close ur naked Function:

Quote: }
}

Quote: Then We Use The bCompare() Method

bool bCompare(const BYTE* pData, const BYTE* bMask, const char* szMask)
{
for(;*szMask;++szMask,++pData,++bMask)
if(*szMask=='x' && *pData!=*bMask) return 0;
return (*szMask) == NULL;
}


Then We Find The Pattern For Our Wall Hack:

Quote: DWORD FindPattern(DWORD dwAddress,DWORD dwLen,BYTE *bMask,char * szMask)
{
for(DWORD i=0; i<dwLen; i++)
if (bCompare((BYTE*)(dwAddress+i),bMask,szMask)) return (DWORD)(dwAddress+i);
return 0;
}


Then We start our 5 Bytes Hunting

Quote: void MakeJMP(BYTE *pAddress, DWORD dwJumpTo, DWORD dwLen)
{
DWORD dwOldProtect, dwBkup, dwRelAddr;


Then we give the paged memory read/write permissions:

Quote: VirtualProtect(pAddress, dwLen, PAGE_EXECUTE_READWRITE, &dwOldProtect);


Then We calculate the distance between our address and our target location and subtract the 5bytes, which is the size of the JMP:

Quote: dwRelAddr = (DWORD) (dwJumpTo - (DWORD) pAddress) - 5;


Then We overwrite the byte at pAddress with the jmp opcode (0xE9):

Quote: *pAddress = 0xE9;


Then We overwrite the next 4 bytes (which is the size of a DWORD) with the dwRelAddr:

Quote: *((DWORD *)(pAddress + 0x1)) = dwRelAddr;


Then we overwrite the remaining bytes with the NOP opcode (0x90):

Quote: for(DWORD x = 0x5; x < dwLen; x++) *(pAddress + x) = 0x90;


Then we restore the paged memory permissions saved in dwOldProtect:

Quote: VirtualProtect(pAddress, dwLen, dwOldProtect, &dwBkup);


Then We close the JMNo Advertisingok:

Quote: return;

}


Then Create Our Hack Thread

Quote: void WallHack()
{
LoadLibraryA("d3d9.dll");
DWORD D3D9, adr, *VTable;
do
{
D3D9 = (DWORD)LoadLibraryA("d3d9.dll");
Sleep(100);
} while (D3D9 == NULL);

adr = FindPattern(D3D9, 0x128000, (PBYTE)"\xC7\x06\x00\x00\x00\x00\x89\x86\x00\x00\x00\x00\x89\x8", "xx????xx????xx");
if (adr) {
memcpy(&VTable,(void *)(adr+2),4);

MakeJMP((BYTE *)0x4FF51658, (DWORD)dwmyDIP, 0x6);
DWORD dwJMPback = 0x4FF51658;
}
}

C.R.E.D.I.T.S
--> ALAS003
( MODERATOR )

COPY PASTE hahaha