A Development Site for Reverse Engineering

A Development Site for Reverse Engineering - GameDeception http://www.gamedeception.net/ Development site for reverse engineering games and other software en Sat, 19 May 2012 01:27:51 GMT vBulletin 60 http://www.gamedeception.net/images/misc/rss.png A Development Site for Reverse Engineering - GameDeception http://www.gamedeception.net/ MapHack Question http://www.gamedeception.net/threads/24671-MapHack-Question?goto=newpost Fri, 18 May 2012 13:55:01 GMT On a game like diablo, how are maphacks usually implemented. For example, is there usually a simple variable switch that can be turned on and off to enable/disable the view of the full map? On a game like diablo, how are maphacks usually implemented. For example, is there usually a simple variable switch that can be turned on and off to enable/disable the view of the full map? ]]> Beginner maybnxtseasn http://www.gamedeception.net/threads/24671-MapHack-Question Solution Keeping track of runtime http://www.gamedeception.net/threads/24670-Keeping-track-of-runtime?goto=newpost Thu, 17 May 2012 21:58:19 GMT I use this to measure the efficiency of my hack, but you can use it to measure pretty much whatever you want, as long as you have a call at the start and a call at the end. timeGetTime is the most reliable method I have found. QueryPerformanceCounter I have had problems with when getting in... I use this to measure the efficiency of my hack, but you can use it to measure pretty much whatever you want, as long as you have a call at the start and a call at the end.

timeGetTime is the most reliable method I have found. QueryPerformanceCounter I have had problems with when getting in between threads, so I tend to use timeGetTime since it's based on the system clock not processor cycles.

Anywho, as a demonstration, I will use DllMain as an example.

PHP Code:


BOOL WINAPI DllMain( HINSTANCE hInstance, DWORD dwReasonOfCall, LPVOID lpReserved )

{

    static int injectiontime;



    if ( dwReasonOfCall == DLL_PROCESS_ATTACH )

    {

        injectiontime = timeGetTime();

        /*Do your shit here*/

    }



    if ( dwReasonOfCall == DLL_PROCESS_DETACH )

    {

        int dejectiontime = timeGetTime() - injectiontime;



        int iHour = dejectiontime / 1000 / 60 / 60;



        dejectiontime -= (iHour * 60 * 60 * 1000);



        int iMinutes = dejectiontime / 1000 / 60;



        dejectiontime -= (iMinutes * 60 * 1000);

        

        int iSeconds = dejectiontime / 1000;



        std::cout >> "Runtime: %.2i:%.2i\ni", iHour, iMinutes, iSeconds );

    }



    return true;

}

]]> Intermediate !Slrig http://www.gamedeception.net/threads/24670-Keeping-track-of-runtime Question Anyone have a working Hack for sXe 12.3? http://www.gamedeception.net/threads/24668-Anyone-have-a-working-Hack-for-sXe-12-3?goto=newpost Thu, 17 May 2012 18:55:20 GMT Anyone have a working Hack for sXe Wall 12.3? without error notepad Step Down sXe-I I am looking for a mini multihack for this version 12.3 If it can be Aimbot (1 = Head / 2 = Body / 3 = Stomach) AimSpot (1 = Head / 2 = Body / 3 = Stomach) DistanceEsp (Let me show the distance from the... Anyone have a working Hack for sXe Wall 12.3? without error notepad Step Down sXe-I

I am looking for a mini multihack for this version 12.3

If it can be

Aimbot (1 = Head / 2 = Body / 3 = Stomach)
AimSpot (1 = Head / 2 = Body / 3 = Stomach)
DistanceEsp (Let me show the distance from the enemy and friend)
NameEsp (Let me show you the names of enemy and friend)

And antiscreen? I am willing to pay for this in order to support the community ( Platform no steam )

Turns out I was a buyer of xzone gh0s7 h4x-reactor but have patched and no longer works and you function the only ones who used that hack was only, those that I am representing here I would love some antiflash antismoke and also to complete .. ( 4 usd per week paid ) ]]> Counter-Strike 1.6 DragonBallzxDDD http://www.gamedeception.net/threads/24668-Anyone-have-a-working-Hack-for-sXe-12-3 ASM snippet help http://www.gamedeception.net/threads/24667-ASM-snippet-help?goto=newpost Thu, 17 May 2012 18:30:48 GMT Can anyone explain how/why var_18 is being used within the following IDA snippet without having been initialized!? Also...wtf is with the pushing of the DWORD 1 onto the stack? thanks Code: --------- .text:008B49E0 sub_8B49E0 proc near ; CODE XREF: sub_84D760+47p... Can anyone explain how/why var_18 is being used within the following IDA snippet without having been initialized!? Also...wtf is with the pushing of the DWORD 1 onto the stack? thanks

Code:

.text:008B49E0 sub_8B49E0      proc near               ; CODE XREF: sub_84D760+47p

.text:008B49E0                                         ; sub_84D810+47p ...

.text:008B49E0

.text:008B49E0 var_18          = byte ptr -18h

.text:008B49E0 var_10          = dword ptr -10h

.text:008B49E0 var_C           = dword ptr -0Ch

.text:008B49E0 var_8           = dword ptr -8

.text:008B49E0 var_4           = dword ptr -4

.text:008B49E0 arg_0           = byte ptr  8

.text:008B49E0 arg_4           = dword ptr  0Ch

.text:008B49E0 arg_8           = dword ptr  10h

.text:008B49E0

.text:008B49E0                 push    ebp

.text:008B49E1                 mov     ebp, esp

.text:008B49E3                 sub     esp, 18h

.text:008B49E6                 mov     eax, [ecx+120h]

.text:008B49EC                 push    esi

.text:008B49ED                 push    1

.text:008B49EF                 mov     [ebp+var_8], ecx

.text:008B49F2                 or      esi, 0FFFFFFFFh

.text:008B49F5                 push    eax

.text:008B49F6                 lea     ecx, [ebp+var_18]

.text:008B49F9                 mov     [ebp+var_4], esi

.text:008B49FC                 call    sub_85E7A0

.text:008B4A01                 lea     ecx, [ebp+var_18]

.text:008B4A04                 push    ecx

.text:008B4A05                 call    sub_85B870

.text:008B4A0A                 add     esp, 4

.text:008B4A0D                 test    eax, eax

.text:008B4A0F                 jz      loc_8B4B86

.text:008B4A15                 push    ebx

.text:008B4A16                 mov     bl, [ebp+arg_0]

.text:008B4A19                 push    edi

.text:008B4A1A                 mov     edi, [ebp+arg_4]

]]> Beginner maybnxtseasn http://www.gamedeception.net/threads/24667-ASM-snippet-help Discussion Common VAC questions http://www.gamedeception.net/threads/24666-Common-VAC-questions?goto=newpost Thu, 17 May 2012 15:35:02 GMT Where can I find VAC2 and VAC3?

VAC2 is mapped into the steam process as a .tmp file on game startup from SourceInit.gcf.
VAC3 is manual mapped by SteamService.dll inside steam.exe and is streamed from Valve servers.

How does VAC2 and VAC3 function?

VAC2 starts it's own infinite thread and exports DwStatus and some other procedures for SteamClient.dll to invoke to determine if VAC2 is ready to begin scanning or not. VAC2's thread waits indefinitely for the unnamed pipe to have data written on it by SteamClient.dll.

VAC3 is invoked through it's _runfunc export by SteamService.dll

What are VAC2's scans?

VAC2 sports 4 main scans which you can find the details of here:

http://www.gamedeception.net/threads...-Documentation

What are VAC3's scans?

Currently the only scan I know of at this point is the function / string dumper scan. VAC3 scans private memory regions larger than a certain size looking for code markers and when found begins disassembling the procedure and CRCing it until the IsBadOpcode returns 0. Sometimes VAC3 will discard immediate or displacement values when CRCing preferring only to crc the prefix/opcode. The string scan is really nothing special as it appears ripped from a known process utility. You can find any strings VAC3 has found by using ollydbg to find all referenced strings. These strings are only dumped into the scan packet if the function scan doesn't find any code or failed for some reason.

VAC3 does have code for other scans but it doesn't appear to be fully implemented or working. I did notice IsDebuggerPresent string embedded into VAC3 code section so.. Do the math.

Will I get detected for X?

If you honestly can't answer that by this point then you are truly beyond help. VAC2's scans only care about modules and hardware breakpoints and byte patches to VALVE modules. Read that please. VAC3 is for manual mapped modules ( currently only this may change ). VAC2's scan gate 0xF does contain code to deal with manual mapped modules, but it certainly isn't worth mentioning as VAC3 fills that role better.

Additional VAC2/3 threads:

http://www.gamedeception.net/threads/20648-VAC-Emulator
http://www.gamedeception.net/threads...acket-analysis
http://www.gamedeception.net/threads/21400-VAC3-crap
http://www.gamedeception.net/threads...toring-utility
http://www.gamedeception.net/threads...on-Information
http://www.gamedeception.net/threads...Sniffing-Class
http://www.gamedeception.net/threads...28s%29-for-vac
http://www.gamedeception.net/threads...-String-Dumper
http://www.gamedeception.net/threads/20531-VAC2-dump ]]> Valve Anti-Cheat wav http://www.gamedeception.net/threads/24666-Common-VAC-questions Code FarESP Basis http://www.gamedeception.net/threads/24665-FarESP-Basis?goto=newpost Thu, 17 May 2012 15:22:16 GMT Hello, if you want to create your own FarESP, you will see that hooking a function of the exported sound table will not suit for that issue. But you can hook S_StartSound directly from the snd_x_x86.dll (where x is either qf or openal) module. It also gets called by other funcs also by... Hello,

if you want to create your own FarESP, you will see that hooking a function of the exported sound table will not suit for that issue. But you can hook S_StartSound directly from the snd_x_x86.dll (where x is either qf or openal) module. It also gets called by other funcs also by StartRelativeSound. So I made a dynamical way to get the function trough this address. Here is the code:

Code:

//======================================================================

/*

    //How to get address of S_StartSound for FarESP cheat code

    //Found by sk0r / Czybik



    //Note: S_StartSound is like a fast call function, so arguments are

    //passed trough registers and stack and it is called by relative jump cmd



    //Implementation of S_StartRelativeSound by C++ Sourcecode

    void S_StartRelativeSound( sfx_t *sfx, int entnum, int channel, float fvol, float attenuation )

    {

        S_StartSound( sfx, 0, entnum, channel, fvol, attenuation );

    }



    //Implementation of S_StartRelativeSound by Byte Code

    70CC1C80   53               PUSH EBX //Save EBX for using

    70CC1C81   83EC 08          SUB ESP,8 //Allocate 8 bytes on stack

    70CC1C84   8B5C24 20        MOV EBX,DWORD PTR SS:[ESP+20] //Copy to EBX: float attenuation

    70CC1C88   8B5424 18        MOV EDX,DWORD PTR SS:[ESP+18] //Copy to EDX: int channel

    70CC1C8C   8B4424 10        MOV EAX,DWORD PTR SS:[ESP+10] //Copy to EAX: sfx_t* sfx

    70CC1C90   8B4C24 14        MOV ECX,DWORD PTR SS:[ESP+14] //Copy to ECX: int entnum

    70CC1C94   895C24 18        MOV DWORD PTR SS:[ESP+18],EBX //Backup EBX to [ESP+18]

    70CC1C98   8B5C24 1C        MOV EBX,DWORD PTR SS:[ESP+1C] //Copy to EBX: float fvol

    70CC1C9C   895424 10        MOV DWORD PTR SS:[ESP+10],EDX //Backup EDX to [ESP+10]

    70CC1CA0   31D2             XOR EDX,EDX //Clear bits of EDX. It's the pointer to vec3_t origin (in this case NULL)

    70CC1CA2   895C24 14        MOV DWORD PTR SS:[ESP+14],EBX //Copy EBX to [ESP+14]

    70CC1CA6   83C4 08          ADD ESP,8 //Free allocated stack space

    70CC1CA9   5B               POP EBX //Restore EBX

    70CC1CAA  ^E9 F1FAFFFF      JMP snd_qf_x.70CC17A0 //Jump to S_StartSound

    //Function arguments at 0x70CC1CAA:

    EAX: sfx_t* sfx

    ECX: int entnum

    EDX: vec3_t origin

    [ESP+10]: int channel

    [ESP+14]: float fvol

    [ESP+18]: float attenuation

*/

void* Addr_S_StartSound(void* pBy_S_StartRelativeSound)

{

    //Get address of S_StartSound from sound module by StartRelativeSound function address



    #define S_ADD_OFFSET 0x2B //Offset to add to get to the relative address to S_StartSound



    //Check parameter

    if (!pBy_S_StartRelativeSound)

        return NULL;



    //Copy relative jump address

    DWORD dwRelOffset = *(DWORD*)((DWORD)pBy_S_StartRelativeSound + S_ADD_OFFSET);



    //Return absolute address to function

    return (void*)(((DWORD)pBy_S_StartRelativeSound + S_ADD_OFFSET - 1) - (dwRelOffset * -1) + 0x05);

}

//======================================================================

This is my hooked S_StartSound implementation:

Code:

//======================================================================

soundinfo_s* pSoundInfo = &SndInfo[0]; //Points to array start address

soundinfo_s* pCurrentInfo = NULL; //Points to array element for this player

__declspec(naked) void n_S_StartSound(void)

{

        //S_StartSound hook code

        __asm {

                //Most important:

                //entnum=ECX

                //origin=EDX



                //Check for valid player ID

                cmp ECX, MAX_CLIENTS

                jg fSOver

                cmp ECX, g_PlayerNumber

                je fSOver



                //Get pointer to soundinfo_s for current player

                push EAX //Save EAX

                mov EAX, sizeof(soundinfo_s) //Copy structure size to EAX

                mul ECX //Multiplicate with entnum to get structure offset for current player

                add EAX, pSoundInfo //Add soundinfo array start address to EAX so we have absolute address for this player now

                mov pCurrentInfo, EAX //Copy abs. address to current info pointer

                pop EAX //Restore EAX



                // ** Insert your FarESP code part here **



        fSOver:

                jmp o_S_StartSound //Jump to gateway

        }

}

//======================================================================

The rest is up to you now, but obviously it isn’t that hard now to implement the rest of it. I prefer inline assembler for the hooked function, else the compiler corrupts to much of course. You now have only to access entnum and the origin and save them to your structure for this player. In another function (like RenderView or RenderScene) you can check if a player sound has been played and of course if the time passed since this event is not too big and then draw it if default ESP will not be drawn (because of missing infos when player is too far away). Have fun.

Greetings:
sk0r ]]> Warsow sk0r http://www.gamedeception.net/threads/24665-FarESP-Basis <![CDATA[Discussion [BEGINNER] [COD1] [C++] I don't know where to start.. :/]]> http://www.gamedeception.net/threads/24660-BEGINNER-COD1-C-I-don-t-know-where-to-start?goto=newpost Wed, 16 May 2012 20:20:16 GMT Hi :redface:

I'm new on this forum, I ever wanted to code hacks for Call of Duty 1 (My fav' CoD) so I learnt good C++ tutorials, I know bases but I have not been coding for months...
I'm using Microsoft Visual C++ 2010 Express, I'm looking for a CoD1 source code hack which is compatible with it, I think it could help me to start coding.. :redface:
But I'd like your advices please because I'm lost.. :frown:

Thanks I'm very bad with Object-Oriented Programming in C++ :frown:

Thanks you in advance :smile: ]]> Beginner RaiZo http://www.gamedeception.net/threads/24660-BEGINNER-COD1-C-I-don-t-know-where-to-start Info Grabbing Macintosh binaries using DepotDownloader http://www.gamedeception.net/threads/24658-Grabbing-Macintosh-binaries-using-DepotDownloader?goto=newpost Wed, 16 May 2012 02:13:31 GMT This is just gonna be a "figure it out yourself with the info I give you" kinda post.

Don't feel like writing an essay, this post was really just for Casual_Hacker.

Depot IDs of interest:

Multiplayer OB Mac Binary: Depot ID: 316
left 4 dead 2 mac content: Depot ID: 553
portal 2 mac content: Depot ID: 623

DepotDownloader -cellid 66 -depot 316 -username XXXXXXXXXXXXX -password XXXXXXXXXX -version latest -dir "C:\Program Files\Steam\steamapps\common"

There you go. Took me a whole 4 minutes to figure out how to work DepotDownloader properly, and a full 2 days to declare Mac VMs/Hackintosh a piece of shit.

I always use Steam's Sweden server because it always caps out my modem. All the USA servers are slow and don't even come close. They are also unreachable after updates.

Attached Files

DepotDownloader-r705.7z (269.4 KB)

]]> Source/HL2 Engine !Slrig http://www.gamedeception.net/threads/24658-Grabbing-Macintosh-binaries-using-DepotDownloader Recv Hook buffer http://www.gamedeception.net/threads/24656-Recv-Hook-buffer?goto=newpost Mon, 14 May 2012 19:30:36 GMT Hiya ppl, so my question is how can i get the buf here converted to Hexadecimal?? int recv( __in SOCKET s, __out char *buf, __in int len, __in int flags ); Thank You. Hiya ppl, so my question is how can i get the buf here converted to Hexadecimal??

int recv(
__in SOCKET s,
__out char *buf,
__in int len,
__in int flags
);

Thank You. ]]> Beginner konsowa http://www.gamedeception.net/threads/24656-Recv-Hook-buffer Question Direct3DFont DrawText Troubles http://www.gamedeception.net/threads/24652-Direct3DFont-DrawText-Troubles?goto=newpost Sun, 13 May 2012 21:47:45 GMT Hello, sorry for my English skills.

I'm trying to make an overlay for a simple dx9 program. I wrote an IAT Patcher and a COM vTable patcher.
Before i tried to add some DrawText's to EndScene hook function following code worked perfectly.

Code:

HRESULT WINAPI h_d3d9device_EndScene(IUnknown* This)

{

  D3DRECT rec = { 0, 0, 20, 20 };

  // d3ddevice is an interface i stored earlier

  d3d9device->Clear(1, &rec, D3DCLEAR_TARGET, D3DCOLOR_XRGB(255, 255, 255), 0,  0);

  return o_d3d9device_EndScene(This);

}

Then i tried to create font after i hook d3d9devices' methods, used OnLostDevice() and OnResetDevice() but nothing worked.
Finally, after endless amount of attempts i moved the font creation code, drawing and release into EndScene:

Code:



// Global vars



LPD3DXFONT font;

static RECT font_rect={5,5,256,256};

static D3DXFONT_DESC FontDesc = {24,

                          0,

                          400,

                          0,

                          false,

                          DEFAULT_CHARSET,

                          OUT_TT_PRECIS,

                          CLIP_DEFAULT_PRECIS,

                          DEFAULT_PITCH,

                          "Arial"};



// Code itself



HRESULT WINAPI h_d3d9device_EndScene(IUnknown* This)

{

        //D3DRECT rec = { 0, 0, 20, 20 };

        //d3d9device->Clear(1, &rec, D3DCLEAR_TARGET, D3DCOLOR_XRGB(255, 255, 255), 0,  0);



        if ( FAILED( D3DXCreateFontIndirect(d3d9device, &FontDesc,&font) ) )

                        font = NULL;

        if (font != NULL)

        {

                hlog("DrawText (1)");

                if (font->DrawTextA(NULL, "Testing", -1, &font_rect, DT_NOCLIP, D3DCOLOR_XRGB(255, 255, 255)) == 0)

                        hlog("Draw Text Failed");

                font->Release();

                      font = NULL;

        }

        hlog("DrawText (2)");

        return o_d3d9device_EndScene(This);

}

But text appears only for the first call of EndScene, and the problem should not be in lost device, because all the code is in one function.
I already tried to debug it, for no result. Thanks in advance. ]]> Beginner ZaRDaK http://www.gamedeception.net/threads/24652-Direct3DFont-DrawText-Troubles Question Best way to hook undetected? http://www.gamedeception.net/threads/24649-Best-way-to-hook-undetected?goto=newpost Sun, 13 May 2012 14:23:23 GMT At the moment, what is the best and easiest way to hook undetected? Is it VMTHooking or something else? At the moment, what is the best and easiest way to hook undetected? Is it VMTHooking or something else? ]]> Valve Anti-Cheat DerIre http://www.gamedeception.net/threads/24649-Best-way-to-hook-undetected <![CDATA[Tool RA3 [1.12] - Zoomhack]]> http://www.gamedeception.net/threads/24644-RA3-1-12-Zoomhack?goto=newpost Sat, 12 May 2012 20:53:37 GMT Okay, here's a little zoomhack for RA3 1.12!

You don't have to do much, just be sure you already have RA3 started!
The project seems to be written in .Net Framework 2.
So be sure you upodated your windows xp to SP1. :D

Have fun.

Attached Files

RA3_Zoomhack.rar (73.0 KB)
RA3_Zoomhack_v1.001.rar (9.4 KB)

]]> Real Time Strategy / MMORPG bellaPatricia http://www.gamedeception.net/threads/24644-RA3-1-12-Zoomhack Question Other Hooks? D3D9 Help http://www.gamedeception.net/threads/24643-Other-Hooks-D3D9-Help?goto=newpost Sat, 12 May 2012 19:57:32 GMT I made a wallhack for a game using Azorbix's base and it seems their game can detect if I am "hooking" in DIP. I run the hack once it works, go to inject again it crashes.

Is there anything I can read to learn more ways to hook? How all the functions of DirectX go together?

Only things I know how to do right now are to draw on the screen with the device in "end scene" and use DIP function below for a simple wallhack that disables zbuffer. I've also messed with creating textures and using them to color the models for "Chams". But it's really nothing special, I want to learn how to do ESP. I've looked through d3d section and beginner-expert section not anything specific that I saw to help.

Code:

HRESULT APIENTRY hkIDirect3DDevice9::DrawIndexedPrimitive(D3DPRIMITIVETYPE Type,INT BaseVertexIndex,UINT MinVertexIndex,UINT NumVertices,UINT startIndex,UINT primCount)

{

        if(m_Stride == 32)

                {                

                        DWORD dwOldZEnable = D3DZB_TRUE; 

                        m_pD3Ddev->GetRenderState(D3DRS_ZENABLE, &dwOldZEnable); 

                        m_pD3Ddev->SetRenderState(D3DRS_ZENABLE, D3DZB_FALSE);

                        m_pD3Ddev->DrawIndexedPrimitive(Type,BaseVertexIndex, MinVertexIndex, NumVertices, startIndex, primCount);

                        m_pD3Ddev->SetRenderState(D3DRS_ZENABLE, dwOldZEnable);

                }

        

        return m_pD3Ddev->DrawIndexedPrimitive(Type,BaseVertexIndex, MinVertexIndex, NumVertices, startIndex, primCount);

}

]]> Beginner dbxdx http://www.gamedeception.net/threads/24643-Other-Hooks-D3D9-Help Question Detour, hook and vmthook http://www.gamedeception.net/threads/24641-Detour-hook-and-vmthook?goto=newpost Sat, 12 May 2012 11:23:27 GMT I dont really understand the difference between detour, hook and vmthook.
Detour is removing the first 5 bytes of a function to a jump to your function.
So what does a hook? In many threads, i read something like "Hooking Functions using Detours", so its the same?
It really confuses me. ]]> Binary Modification DerIre http://www.gamedeception.net/threads/24641-Detour-hook-and-vmthook <![CDATA[Release IDA Plugin [ Sig Maker Update ]]]> http://www.gamedeception.net/threads/24640-IDA-Plugin-Sig-Maker-Update?goto=newpost Sat, 12 May 2012 08:32:06 GMT Patrick did an awesome job on his IDA plugin release for his signature maker, so 100% credits to him. The only thing I don't like about it is that I have to manually search many different times to get the shortest signature and half the time the final bytes are masked, which is pointless. I simply updated it to fix these inconveniences for you. The plugin will now automatically search for the shortest signature (or inform you if there is no possible unique signature). Then the final string is trimmed if there are any masked bytes at the end to save you the trouble of doing it yourself. Just click on whatever address you want to make a signature for (no need to highlight anymore) and then open the menu with CTRL+ALT+S and create it just like with the previous version. I plan on adding IDA-Code style a little bit later as well if you want to check back on this thread.

PS: Thank Patrick for his original plugin if you haven't already.

http://www.gamedeception.net/threads...lugins-I-Wrote

Attached Files

SigMaker.rar (3.1 KB)

]]> Tools Forza http://www.gamedeception.net/threads/24640-IDA-Plugin-Sig-Maker-Update