Getting Addresses in Tier0 [Archive] - GameDeception - A Development Site for Reverse Engineering

P47R!CK

02-18-2005, 01:15 PM

// this is an example of PlatTime
00893C20 83EC 18 SUB ESP,18
00893C23 E8 98000000 CALL tier0.00893CC0
00893C28 8D4424 08 LEA EAX,DWORD PTR SS:[ESP+8]
00893C2C 50 PUSH EAX
00893C2D FF15 08448C00 CALL DWORD PTR DS:[<&KERNEL32.QueryPerfo>; kernel32.QueryPerformanceCounter
00893C33 8B15 D8F98B00 MOV EDX,DWORD PTR DS:[8BF9D8]
00893C39 8B4C24 08 MOV ECX,DWORD PTR SS:[ESP+8]
00893C3D A1 DCF98B00 MOV EAX,DWORD PTR DS:[8BF9DC]
00893C42 2BCA SUB ECX,EDX
00893C44 8B5424 0C MOV EDX,DWORD PTR SS:[ESP+C]
00893C48 1BD0 SBB EDX,EAX
00893C4A 894C24 00 MOV DWORD PTR SS:[ESP],ECX
00893C4E 895424 04 MOV DWORD PTR SS:[ESP+4],EDX
00893C52 DF6C24 00 FILD QWORD PTR SS:[ESP]
00893C56 A1 60FA8B00 MOV EAX,DWORD PTR DS:[8BFA60]
00893C5B 85C0 TEST EAX,EAX
00893C5D DD5C24 00 FSTP QWORD PTR SS:[ESP]
00893C61 DF2D D0F98B00 FILD QWORD PTR DS:[8BF9D0]
00893C67 DD5C24 10 FSTP QWORD PTR SS:[ESP+10]
00893C6B DD4424 00 FLD QWORD PTR SS:[ESP]
00893C6F DC7424 10 FDIV QWORD PTR SS:[ESP+10]
00893C73 DD5C24 00 FSTP QWORD PTR SS:[ESP]
00893C77 75 08 JNZ SHORT tier0.00893C81
00893C79 DD4424 00 FLD QWORD PTR SS:[ESP]
00893C7D 83C4 18 ADD ESP,18
00893C80 C3 RETN
00893C81 8B4424 04 MOV EAX,DWORD PTR SS:[ESP+4]
00893C85 8B4C24 00 MOV ECX,DWORD PTR SS:[ESP]
00893C89 8B15 C4A48B00 MOV EDX,DWORD PTR DS:[g_pVCR] ; tier0.008BA438
00893C8F 50 PUSH EAX
00893C90 51 PUSH ECX
00893C91 FF52 18 CALL DWORD PTR DS:[EDX+18]
00893C94 83C4 08 ADD ESP,8
00893C97 83C4 18 ADD ESP,18
00893C9A C3 RETN
00893C9B 90 NOP
00893C9C 90 NOP
00893C9D 90 NOP
00893C9E 90 NOP
00893C9F 90 NOP

DWORD dwGetAddressFromJump(PDWORD pdwAddress)
{
PBYTE pbAddress = (PBYTE)pdwAddress; // reinterprete to PBYTE
pbAddress = &pbAddress[1]; // skip the opcode

DWORD dwAddress; // create the return buffer
memcpy((void*)&dwAddress,pbAddress,sizeof(DWORD));// copy the relative address
return (dwAddress + (DWORD) pdwAddress + 5);// calculate the final address
}

void HookPlatTime()
{
HMODULE hModule = GetModuleHandle("tier0.dll");

while (!hModule)
{
Sleep(10);
hModule = GetModuleHandle("tier0.dll");
}

if (hModule == NULL)
{
add_log("hModule == NULL");
return;
}

DWORD dwAddr = (DWORD)::GetProcAddress( hModule, "Plat_FloatTime");

if (!dwAddr)
{
return;
}
add_log("0x%x",dwGetAddressFromJump((PDWORD)dwAddr));
pPlat_FloatTime = (Plat_FloatTime_org)RedirectFunction((PBYTE)dwGetAddressFromJump((PDWO RD)dwAddr),(PBYTE)xPlat_FloatTime);
}

Credits: Paleface / PizzaPan and me!

c0re

02-18-2005, 01:52 PM

Nice! This should be stickied.

P47R!CK

02-18-2005, 02:21 PM

Nice! This should be stickied.
thank you but stickying things tetsuos task :o

dabuzz

02-18-2005, 02:23 PM

beat him to it :eek:

RunningBon

02-18-2005, 02:41 PM

Nice..... A QPC Speedhack :banana:

sp0rky

02-18-2005, 08:23 PM

beat him to it :eek:

Only because I was not here! >_<

P47R!CK

02-19-2005, 05:03 AM

Only because I was not here! >_<
that and because of your scary sig! :P