Old 09-17-2008, 10:56 AM   #1
stickleback
Wallhacking (making hacks undetected)

Hi all, for those who don't know who I am, I'm an old member of GzP, but I just recently left GameDeception because the admin refused to pay me -.-
Anyway, on to this wallhack code. First let's analyse Fatboy's source code, as you're all familiar with it (wallhacks are very basic, but there's a lot of extra stuff you have to add, like hooking D3D, generating textures, etc.).
Firstly, we see that he defined his D3D API hooks:
Code:
// Addresses of the D3D8 functions to hook, as given in Fatboy's source
// (they are specific to the d3d8.dll build he targeted)
static DWORD dwBeginScene           = 0x6D9D9250;
static DWORD dwEndScene             = 0x6d9d93a0;
static DWORD dwDrawIndexedPrimitive = 0x6d9d73a0;
static DWORD dwSetStreamSource      = 0x6d9d6760;
static DWORD dwSetViewport          = 0x6d9d5b90;

Now GameGuard scans BeginScene, EndScene and the DIP, although writing code into the DIP doesn't seem to cause any problems.
You can throw away BeginScene altogether - I don't see it as being of any importance.
Now EndScene is very useful, but there is an alternative: use Present :) Normally this is for stride logging, but I find it's a good alternative display pod. It's a little laggy, but in SF you can use that to glitch :)
Code:
int m_Stride;         // vertex stride of the current draw call (used to tell players from other geometry)
int texnum;           // texture number of the current draw call
int nNumVertices;     // vertex count passed to DrawIndexedPrimitive
int nPrimitiveCount;  // primitive count passed to DrawIndexedPrimitive

We're just going to focus on strides - you will still get a nice wallhack :)
m_Stride has been defined in his code somewhere as a stride, where 30 == players.
Code:
LPDIRECT3DTEXTURE8  Red,Yellow,Green,Blue,Purple,Pink,Orange;

This generates the colours we want for our cham shading.
Then he just defines all his variables as follows:
Code:
bool Color = true;
bool Logger = false;
ofstream ofile;
char dlldir[320];
float ScreenCenterX = 0.0f;
float ScreenCenterY = 0.0f;
bool xhair = false;
bool WallHack = false;
bool WallHack2 = false;
HANDLE hand1 = NULL;
HANDLE hand2 = NULL;

Just throw away the logger function. You don't really need to log unless your wallhack is commercial.
Add the texture generation code. I'm going to skip past his crosshair function and all that, and we can look at some more useful stuff.
We are now in the hack's DIP. All the fun hacks are here :P
Let's use some info Fatboy provided - he says that the stride for players is 40: "if(m_Stride==40". Now we don't want to add all the other info; let's keep it simple and close the if: ")".
Now he has the start of the cham wallhack:
Code:
pDevice->SetRenderState(D3DRS_ZENABLE, D3DZB_FALSE);   // disable depth buffering for this draw call
pDevice->SetRenderState(D3DRS_ZFUNC, D3DCMP_NEVER);    // depth test never passes, so the pass below draws only the hidden parts
pDevice->SetTexture(0, Orange);                        // players drawn in this pass (behind geometry) get the orange texture

Now here it says (D3DRS_ZENABLE, D3DZB_FALSE); so this is for when the player is behind a wall.
He then sets the texture of stride 40 (players) to orange.
Code:
//pDevice->SetRenderState(D3DRS_FILLMODE, D3DFILL_WIREFRAME);   // commented out: would draw the model as wireframe

// call the original DrawIndexedPrimitive with the render states set above
pDrawIndexedPrimitive(pDevice, pType, nMinIndex, nNumVertices, nStartIndex, nPrimitiveCount);

//pDevice->SetRenderState(D3DRS_FILLMODE, D3DFILL_SOLID);       // commented out: would restore solid fill

Here he has commented out another nice hack (wireframe); he probably wanted to keep it private, or just let people who can read his source use it.
Code:
pDevice->SetRenderState(D3DRS_ZENABLE, D3DZB_TRUE);        // depth buffering back on
pDevice->SetRenderState(D3DRS_ZFUNC, D3DCMP_LESSEQUAL);    // normal depth test: only the visible parts draw
pDevice->SetTexture(0, Pink);                              // visible players get the pink texture
This is for when they're visible to you; the stride is then textured with a pink colour.
Now we see more objects amongst the 40 stride, such as grenades, in his next cham code.

Anyway, now that I've explained a bit about the wallhack, you will want to make it undetected.
This guy provides you with all the info! I'm just going to explain it to you in a bit more depth.
Quote:
CreateDevice -> pointers to the functions, kinda like a class or a struct.
And GG scans CreateDevice right off the bat.
OK, all your D3D hooks go through to be formed into the device. Once this is done and D3D is hooked, you can release CreateDevice so that it won't be detected.
I do so in my base with this code in my CreateDevice reclass:
Code:
// your CreateDevice code
// then we move on to
// device unhooking
unsigned long ulProtect;
// slot 15 of the IDirect3D8 vtable is CreateDevice: make it writable, put the
// original pointer back, then restore the page protection
VirtualProtect(&D3D8_object[15], 4, PAGE_EXECUTE_READWRITE, &ulProtect);
*(unsigned long*)&D3D8_object[15] = (unsigned long)pCreateDevice;
VirtualProtect(&D3D8_object[15], 4, ulProtect, &ulProtect);
Then you will need to initialise your device:
Code:
YourDevice = *ppReturnedDeviceInterface; // rename to your device
It's also a good idea to log this to see if it worked. To do that, just say:
Code:
else { add_log("D3D create device error...\n"); }
Then return to your device.

Now let's look at another method:
2) Another way: **** it, hack GG.
4) Code cave the hook: int3 -> jmp, then in the code cave -> jmp (detour) D3D functions -> jmp back to original flow; hook hopping.

Now I thought number 2 looked handsome, but then I thought that I could adapt that viewpoint to number 4, which basically bypasses GG.
Now, I am not going to go through ASM debugging to detour your D3D hook, but we're not really going to be caving like 4) says. Due to the fact that we're dropping the cave early, we can just jmp to a nice clean bit of space (0900001C looks like a pretty nice place to settle).
Then in our C++ for this we use __asm for the jmp. Now fatboy88 says to detour our D3D functions; that's all good fun, but more universally we could jmp the GG check, therefore placing more memory-crazy hacks, and also you would be bypassing a clean reg for debugger logging and looting.

Don't PM me constantly for help with this - I would rather you make quick posts here.
I don't give my new MSN out, or Xfire for that matter.
I'm still pondering the thought of releases.
I hope these comments will discourage your annoying spam.
Enjoy your wallhacks - credit where due.
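Added example, not code from the post above or from Fatboy's source: a stand-alone C simulation of the kind of scan the post says GameGuard runs on CreateDevice (is the vtable slot still pointing into d3d8.dll?), together with the hook-then-restore sequence the post describes for D3D8_object[15]. The IDirect3D8 vtable, the d3d8.dll address range and the cheat-module address are all constructed values for the simulation, the entries are plain addresses rather than callable code, and VirtualProtect is modeled as an ordinary store because the table here is writable data. The scanner generalises the check to every slot of the table, not only slot 15.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simulated IDirect3D8 vtable. Slot 15 is CreateDevice, the entry the post
 * patches through D3D8_object[15]. Entries are plain addresses, not code. */
#define VT_SLOTS 16
#define SLOT_CREATEDEVICE 15

/* Constructed stand-ins for where d3d8.dll's code lives and where a cheat
 * DLL would be mapped (simulation assumptions, not real addresses). */
#define D3D8_BASE  0x6D9C0000u
#define D3D8_SIZE  0x00060000u
#define CHEAT_HOOK 0x10001000u

/* Populate the table so that every slot points somewhere inside d3d8.dll. */
static void build_clean_vtable(uintptr_t vt[VT_SLOTS])
{
    for (size_t i = 0; i < VT_SLOTS; i++)
        vt[i] = D3D8_BASE + 0x1000u * (uintptr_t)(i + 1);
}

/* Install a vtable hook: point the slot at our function and keep the original
 * so it can be called through and later restored. Real code wraps the store
 * in VirtualProtect; here the table is writable data. */
static uintptr_t hook_slot(uintptr_t *vt, size_t slot, uintptr_t target)
{
    uintptr_t orig = vt[slot];
    vt[slot] = target;
    return orig;
}

/* The post's unhook: put the original pointer back once the device exists. */
static void restore_slot(uintptr_t *vt, size_t slot, uintptr_t orig)
{
    vt[slot] = orig;
}

/* Pointer-range scan, the check the post attributes to GameGuard: a slot
 * pointing outside the module that owns the vtable is hooked. Returns the
 * number of foreign slots; flagged[] (optional) receives 1/0 per slot. */
static size_t scan_vtable(const uintptr_t *vt, size_t n,
                          uintptr_t mod_base, size_t mod_size, int *flagged)
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++) {
        int foreign = vt[i] < mod_base || vt[i] >= mod_base + mod_size;
        if (flagged)
            flagged[i] = foreign;
        hits += (size_t)foreign;
    }
    return hits;
}

/* Walk the post's sequence: hook CreateDevice, scan (caught), restore, scan
 * (clean). Returns 1 when the scanner behaves as described, 0 otherwise. */
static int demo_hook_then_unhook(void)
{
    uintptr_t vt[VT_SLOTS];
    int flagged[VT_SLOTS];
    build_clean_vtable(vt);

    if (scan_vtable(vt, VT_SLOTS, D3D8_BASE, D3D8_SIZE, NULL) != 0)
        return 0;                       /* a clean table must not be flagged */

    uintptr_t orig = hook_slot(vt, SLOT_CREATEDEVICE, CHEAT_HOOK);
    size_t hits = scan_vtable(vt, VT_SLOTS, D3D8_BASE, D3D8_SIZE, flagged);
    if (hits != 1 || !flagged[SLOT_CREATEDEVICE])
        return 0;                       /* the hook must be caught, on slot 15 only */

    restore_slot(vt, SLOT_CREATEDEVICE, orig);
    if (scan_vtable(vt, VT_SLOTS, D3D8_BASE, D3D8_SIZE, NULL) != 0)
        return 0;                       /* the restored table must pass again */
    return 1;
}

int main(void)
{
    printf("hook/unhook sequence vs pointer-range scan: %s\n",
           demo_hook_then_unhook() ? "behaves as the post describes" : "mismatch");
    return 0;
}
```

The caveat this makes visible: a range scan only sees the table as it is at scan time. Once the slot is restored, the pointer comparison passes even though the device handed back by the hooked CreateDevice is still the one the cheat set up, which is why the quoted text says GG also scans BeginScene, EndScene and the DIP on the device itself. A scanner that wants to catch this pattern has to check the device's vtable as well, and compare function bytes rather than only vtable pointers.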