内容纲要
  1. DLL 写内挂
  2. DLL 初始化两个线程：一个等待 d3d9.dll 加载后，通过 MinHook 对 IDirect3DDevice9 虚表中的一组函数做 inline hook；另一个线程轮询热键，读写全局开关与外挂交互
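// Thread entry: waits for d3d9.dll, locates the IDirect3DDevice9 vtable, and detours a fixed
// set of device methods through MinHook so the *_hook functions run in the host's render path.
//
// lpParameter: unused (CreateThread argument).
// Returns 0 when the temporary window/interface/device could not be created, otherwise 1
// (both on success and when MinHook fails — the exit code does not distinguish the two,
// check the log). Hooks already enabled when a later one fails stay active.
//
// Vtable discovery happens one of two ways:
//   1. (x86 only) a byte-pattern scan over d3d9.dll for the constructor's store of the vtable
//      pointer; the imm32 operand at pattern+2 is read as the vtable address.
//   2. otherwise a throw-away window + device is created and the vtable pointer is read from
//      the first pointer-sized field of the device object; the temporaries are then released.
// Both paths rely on every IDirect3DDevice9 in this process sharing the one vtable inside
// d3d9.dll — that is why the temporary device can be released while the hooks stay valid.
// The vtable slot numbers below are the IDirect3DDevice9 layout and are not validated:
// a wrong slot (or a non-D3D9 vtable) detours an unrelated function.
DWORD WINAPI DirectXInit(__in  LPVOID lpParameter)
{
    (void)lpParameter;

    // Block until the host has loaded d3d9.dll; the hooks below patch code inside it.
    HMODULE d3d9 = NULL;
    while ((d3d9 = GetModuleHandle("d3d9.dll")) == NULL)
    {
        Sleep(100);
    }

    IDirect3D9* d3d = NULL;
    IDirect3DDevice9* d3ddev = NULL;
    HWND tmpWnd = NULL;
    DWORD_PTR* dVtable = NULL;   // pointer-sized on both x86 and x64, replaces the DWORD/DWORD64 #if pair

    // Releases whatever part of the throw-away device/window exists. Called on every exit
    // path so a MinHook failure no longer leaks the temp D3D objects and window.
    auto releaseTemp = [&]() {
        if (d3ddev) { d3ddev->Release(); d3ddev = NULL; }
        if (d3d)    { d3d->Release();    d3d = NULL; }
        if (tmpWnd) { DestroyWindow(tmpWnd); tmpWnd = NULL; }
    };

    DWORD_PTR TableAddress = 0;
#if defined _M_IX86
    // The pattern is 32-bit x86 code: C7 06 imm32 = mov dword ptr [esi], imm32 (the vtable
    // pointer being stored into a fresh device object), followed by two field stores.
    // 0x128000 is a fixed scan length, not the image size: it can read past the module or
    // miss the sequence on a differently-built d3d9.dll, in which case the fallback runs.
    TableAddress = FindPattern((DWORD)d3d9, 0x128000,
        (PBYTE)"\xC7\x06\x00\x00\x00\x00\x89\x86\x00\x00\x00\x00\x89\x86", "xx????xx????xx");
#else
    // On x64 the (DWORD) base cast truncates the module address and an imm32 cannot carry a
    // 64-bit vtable pointer, so the original scan could never yield a usable table there.
    // Skip it and always use the temp-device path.
#endif

    if (TableAddress == 0)
    {
        Log("[PATTERN NOT FOUND]");

        tmpWnd = CreateWindowA("BUTTON", "Temp Window", WS_SYSMENU | WS_MINIMIZEBOX, CW_USEDEFAULT, CW_USEDEFAULT, 300, 300, NULL, NULL, dllHandle, NULL);
        if (tmpWnd == NULL)
        {
            Log("[DirectX] Failed to create temp window");
            return 0;
        }

        d3d = Direct3DCreate9(D3D_SDK_VERSION);
        if (d3d == NULL)
        {
            Log("[DirectX] Failed to create temp Direct3D interface");
            releaseTemp();
            return 0;
        }

        D3DPRESENT_PARAMETERS d3dpp;
        ZeroMemory(&d3dpp, sizeof(d3dpp));
        d3dpp.Windowed = TRUE;
        d3dpp.SwapEffect = D3DSWAPEFFECT_DISCARD;
        d3dpp.hDeviceWindow = tmpWnd;
        d3dpp.BackBufferFormat = D3DFMT_UNKNOWN;

        HRESULT result = d3d->CreateDevice(D3DADAPTER_DEFAULT, D3DDEVTYPE_HAL, tmpWnd, D3DCREATE_SOFTWARE_VERTEXPROCESSING, &d3dpp, &d3ddev);
        if (result != D3D_OK)
        {
            Log("[DirectX] Failed to create temp Direct3D device");
            releaseTemp();
            return 0;
        }

        // A COM object's first pointer-sized field is its vtable pointer (== *d3ddev).
        dVtable = *reinterpret_cast<DWORD_PTR**>(d3ddev);
    }
    else
    {
        Log("[PATTERN FOUND - 0x%x]", TableAddress);
        // +2 skips the C7 06 opcode/ModRM bytes; the imm32 there is the vtable address.
        dVtable = *reinterpret_cast<DWORD_PTR**>(TableAddress + 2);
    }

    // One row per detour: vtable slot, detour function, and the global MinHook fills with the
    // trampoline to the original. Replaces 13 copy-pasted CreateHook/EnableHook pairs.
    struct HookEntry { int slot; LPVOID detour; LPVOID* original; };
    const HookEntry hooks[] = {
        { 17,  reinterpret_cast<LPVOID>(&Present_Hook),                   reinterpret_cast<LPVOID*>(&Present_orig) },
        { 42,  reinterpret_cast<LPVOID>(&EndScene_hook),                  reinterpret_cast<LPVOID*>(&EndScene_orig) },
        { 94,  reinterpret_cast<LPVOID>(&SetVertexShaderConstantF_hook),  reinterpret_cast<LPVOID*>(&SetVertexShaderConstantF_orig) },
        { 82,  reinterpret_cast<LPVOID>(&DrawIndexedPrimitive_hook),      reinterpret_cast<LPVOID*>(&DrawIndexedPrimitive_orig) },
        { 81,  reinterpret_cast<LPVOID>(&DrawPrimitive_hook),             reinterpret_cast<LPVOID*>(&DrawPrimitive_orig) },
        { 16,  reinterpret_cast<LPVOID>(&Reset_hook),                     reinterpret_cast<LPVOID*>(&Reset_orig) },
        { 100, reinterpret_cast<LPVOID>(&SetStreamSource_hook),           reinterpret_cast<LPVOID*>(&SetStreamSource_orig) },
        //{ 104, reinterpret_cast<LPVOID>(&SetIndices_hook),              reinterpret_cast<LPVOID*>(&SetIndices_orig) },
        { 87,  reinterpret_cast<LPVOID>(&SetVertexDeclaration_hook),      reinterpret_cast<LPVOID*>(&SetVertexDeclaration_orig) },
        { 92,  reinterpret_cast<LPVOID>(&SetVertexShader_hook),           reinterpret_cast<LPVOID*>(&SetVertexShader_orig) },
        { 107, reinterpret_cast<LPVOID>(&SetPixelShader_hook),            reinterpret_cast<LPVOID*>(&SetPixelShader_orig) },
        { 65,  reinterpret_cast<LPVOID>(&SetTexture_hook),                reinterpret_cast<LPVOID*>(&SetTexture_orig) },
        { 47,  reinterpret_cast<LPVOID>(&SetViewport_hook),               reinterpret_cast<LPVOID*>(&SetViewport_orig) },
    };

    if (MH_Initialize() != MH_OK)
    {
        Log("[DirectX] MH_Initialize failed");
        releaseTemp();
        return 1;
    }

    for (const HookEntry& e : hooks)
    {
        LPVOID target = reinterpret_cast<LPVOID>(dVtable[e.slot]);
        // Pre-seed the *_orig global with the raw address, as the original code did; MinHook
        // replaces it with the trampoline once the hook is created.
        *e.original = target;
        if (MH_CreateHook(target, e.detour, e.original) != MH_OK ||
            MH_EnableHook(target) != MH_OK)
        {
            // Hooks enabled on earlier iterations remain active at this point.
            Log("[DirectX] Failed to hook vtable slot %d", e.slot);
            releaseTemp();
            return 1;
        }
    }

    // Hooks patch code in d3d9.dll, not the temporary device, so the temporaries can go now.
    releaseTemp();
    return 1;
}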

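// Absolute addresses/offsets inside the (32-bit) host process that the hotkey handlers read
// and write. They are build-specific: a host update moves them and every dereference below
// becomes a wild pointer. Nothing here validates them beyond a NULL check.
static const DWORD kLocalPlayerPtrAddr = 0x006CC294;   // -> pointer to the local player object
static const DWORD kSpecmodePtrAddr    = 0x006CC400;   // -> pointer to the object holding the spec-mode field
static const DWORD kLocalPlayerTidOff  = 0x134;        // int field the toggles gate on
static const DWORD kSpecmodeOff        = 0x19;         // int field written by Free Look (odd offset kept as-is; presumably unaligned)

// Reads the local player's "tid" field. The toggles treat 0 as the state in which
// overlay / Free Look / No FOW / No Flash may be enabled. Returns -1 when the player pointer
// is NULL so callers fail closed (feature off) instead of dereferencing address 0x134,
// which the original code did.
static int ReadLocalPlayerTid()
{
    DWORD localPlayer = *(DWORD*)kLocalPlayerPtrAddr;
    if (localPlayer == 0) return -1;
    return *(int*)(localPlayer + kLocalPlayerTidOff);
}

// True once per key press: the low bit of GetAsyncKeyState is "pressed since the last call".
// Microsoft documents that bit as not reliable (any other caller in the process resets it),
// so a toggle can occasionally be missed or double-fired.
static bool KeyToggled(int vk)
{
    return (GetAsyncKeyState(vk) & 1) != 0;
}

// Thread entry: polls hotkeys every 10 ms for the life of the process and flips the shared
// flags the render hooks read. The flags are plain globals written here and read on the
// render thread with no synchronization (unchanged from the original).
// Never returns except via exit(0) on VK_END, which terminates the whole host process.
DWORD WINAPI GetUserInput(LPVOID)
{
    while (1)
    {
        if (KeyToggled(VK_MENU))
        {
            ShowOverlay = !ShowOverlay;
            // Only allowed while tid == 0 unless the bRoot override is set.
            if (ReadLocalPlayerTid() != 0 && !bRoot) ShowOverlay = FALSE;
            Log(ShowOverlay ? "[Show Overlay - true]" : "[Show Overlay - false]");
        }

        if (KeyToggled(VK_F9))
        {
            ShowMenu = !ShowMenu;
            if (ReadLocalPlayerTid() != 0 && !bRoot) ShowMenu = FALSE;
            Log(ShowMenu ? "[Show Menu - true]" : "[Show Menu - false]");
        }

        if (KeyToggled(VK_INSERT))
        {
            bSpecmode = !bSpecmode;
            Log(bSpecmode ? "[Free Look - true]" : "[Free Look - false]");

            DWORD specmodeAddr = *(DWORD*)kSpecmodePtrAddr;
            // Write only with a valid object and tid == 0 (no bRoot override here, as before).
            if (specmodeAddr != 0 && ReadLocalPlayerTid() == 0)
            {
                int* spec = (int*)(specmodeAddr + kSpecmodeOff);
                if (bSpecmode)
                {
                    OldSpecmode = *spec;   // remember the host's value so it can be restored
                    *spec = 1;
                }
                else
                {
                    *spec = OldSpecmode;
                }
            }
        }

        // Manual round-score counters shown by the overlay.
        if (KeyToggled(VK_F6)) scoreTT += 1;
        if (KeyToggled(VK_F7)) scoreCT += 1;
        if (KeyToggled(VK_F8))
        {
            scoreCT = 0;
            scoreTT = 0;
        }

        if (KeyToggled(0x58))   // 'X'
        {
            XrayHook();
            bXray = !bXray;
        }

        if (KeyToggled(VK_CAPITAL))
        {
            // Cycle 1 -> 2 -> 3 -> 1.
            iShowDMGDealt++;
            if (iShowDMGDealt == 4) iShowDMGDealt = 1;
        }

        if (KeyToggled(VK_END))
        {
            // exit() from an injected DLL kills the host process, not just this thread, and
            // runs atexit handlers while the render thread is still inside the hooks.
            exit(0);
        }

        if (KeyToggled(VK_PRIOR))
        {
            bNoFow = !bNoFow;
            if (ReadLocalPlayerTid() != 0) bNoFow = FALSE;
            Log(bNoFow ? "[No FOW - true]" : "[No FOW - false]");
            NoFow(bNoFow);
        }

        if (KeyToggled(VK_NEXT))
        {
            bNoFlash = !bNoFlash;
            if (ReadLocalPlayerTid() != 0) bNoFlash = FALSE;
            Log(bNoFlash ? "[No Flash - true]" : "[No Flash - false]");
            NoFlash(bNoFlash);
        }

        Sleep(10);
    }
    return 0;
}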
