Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
 
[Solved] CreateDevice hook crash

 
Cheat Engine Forum Index -> General programming
661089799107
Expert Cheater
Reputation: 3

Joined: 25 Jan 2009
Posts: 186

PostPosted: Fri Mar 25, 2011 11:39 am    Post subject: [Solved] CreateDevice hook crash

Below is the function that is jumped to from IDirect3D9::CreateDevice.

If I attempt to access any of the args or get the return value of "oCreateDevice", then the program crashes. However if I don't access them, then it works fine.

I had the same problem when I forgot to add __stdcall for the Direct3D9Create hook. But that works fine now.

Code:

typedef HRESULT(WINAPI *r_createDevice)(UINT Adapter, D3DDEVTYPE DeviceType, HWND hFocusWindow, DWORD BehaviorFlags, D3DPRESENT_PARAMETERS *pPresentationParameters, IDirect3DDevice9 **ppReturnedDeviceInterface);

r_createDevice ocreateDevice;

HRESULT WINAPI CreateDevice(UINT Adapter, D3DDEVTYPE DeviceType, HWND hFocusWindow, DWORD BehaviorFlags, D3DPRESENT_PARAMETERS *pPresentationParameters, IDirect3DDevice9 **ppReturnedDeviceInterface) {
   output("d3d->CreateDevice");
   
   return ocreateDevice(Adapter, DeviceType, hFocusWindow, BehaviorFlags, pPresentationParameters, ppReturnedDeviceInterface);
}


Last edited by 661089799107 on Sat Mar 26, 2011 10:10 am; edited 1 time in total
sloppy
Expert Cheater
Reputation: 0

Joined: 17 Aug 2008
Posts: 123

PostPosted: Fri Mar 25, 2011 4:48 pm    Post subject:

Your declaration looks fine to me, but without implementation details of the hook it is difficult to offer any helpful advice.
Innovation
Grandmaster Cheater
Reputation: 12

Joined: 14 Aug 2008
Posts: 617

PostPosted: Fri Mar 25, 2011 4:50 pm    Post subject:

What makes you assume that IDirect3D9::CreateDevice uses the stdcall calling convention?
661089799107
Expert Cheater
Reputation: 3

Joined: 25 Jan 2009
Posts: 186

PostPosted: Fri Mar 25, 2011 5:32 pm    Post subject:

Innovation wrote:
What makes you assume that IDirect3D9::CreateDevice uses the stdcall calling convention?


I'm not sure which one it is. I've tried using cdecl/stdcall/thiscall, but it still crashes (if I try to access an arg/return value).

CreateDevice uses "RETN 1C" to return - so it would have to be thiscall/stdcall(?)

sloppy wrote:
Your declaration looks fine to me, but without implementation details of the hook it is difficult to offer any helpful advice.


CreateDevice hook:

Code:

IDirect3D9* __stdcall Direct3DCreate9(UINT SDKVersion) {
   IDirect3D9*      retVal;
   unsigned int   createDeviceAddress;

   output("Direct3DCreate9");
   
   __asm {
      push SDKVersion
      call ocreate

      mov retVal, eax

      push edi

      mov edi, eax

      // EAX = the value EDI is pointing to (4FDD1A98)
      mov eax, dword ptr ds:[edi]

      // EDI = [4FDD1A98 + 40] = 4FE51670
      mov edi, dword ptr ds:[eax+40h]

      // EDI = 4FE51670 (d3d9.CreateDevice)
      mov createDeviceAddress, edi
      pop edi
   }

   if(!ocreateDevice)
      ocreateDevice = static_cast<r_createDevice>(setHook(reinterpret_cast<BYTE*>(createDeviceAddress), reinterpret_cast<BYTE*>(&CreateDevice)));

   return retVal;
}


Direct3DCreate9 hook: (inside DllMain)

Code:

// declared at file scope: the Direct3DCreate9 signature the hook above mirrors
typedef IDirect3D9* (__stdcall *r_D3DCreate)(UINT SDKVersion);
r_D3DCreate ocreate = NULL;

// inside DllMain:
ocreate = static_cast<r_D3DCreate>(setHook(reinterpret_cast<BYTE*>(GetProcAddress(GetModuleHandle("d3d9.dll"), "Direct3DCreate9")), reinterpret_cast<BYTE*>(&Direct3DCreate9)));


Function that replaces opcodes with a jump:

Code:

// Writes a 5-byte relative JMP at src that goes to dst, and returns a trampoline
// that runs the displaced bytes and then jumps back to src+len. len must cover
// whole instructions, otherwise the trampoline executes a torn instruction.
void* setHook(BYTE *src, const BYTE *dst, int len=5) {
   // The trampoline is executed, so it needs executable memory; a malloc'd
   // buffer is not executable under DEP and faults on the first call.
   BYTE *jmp = (BYTE*)VirtualAlloc(NULL, len+5, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
   DWORD dwback;
   if(!jmp)
      return NULL;

   // Keep the page executable while patching: other threads may be running this code.
   VirtualProtect(src, len, PAGE_EXECUTE_READWRITE, &dwback);
   memcpy(jmp, src, len); jmp += len;

   // Trampoline tail: JMP rel32 back to the first instruction after the patch.
   jmp[0] = 0xE9;
   *(DWORD*)(jmp+1) = (DWORD)(src+len - jmp) - 5;

   // Detour: JMP rel32 from the start of the original function to the hook.
   src[0] = 0xE9;
   *(DWORD*)(src+1) = (DWORD)(dst - src) - 5;

   VirtualProtect(src, len, dwback, &dwback);
   FlushInstructionCache(GetCurrentProcess(), src, len);

   return (jmp-len);
}


Last edited by 661089799107 on Sat Mar 26, 2011 1:26 pm; edited 1 time in total
sponge
I'm a spammer
Reputation: 1

Joined: 07 Nov 2006
Posts: 6009

PostPosted: Fri Mar 25, 2011 9:04 pm    Post subject:

Code:
STDMETHOD(CreateDevice)(THIS_ UINT Adapter, D3DDEVTYPE DeviceType, HWND hFocusWindow, DWORD BehaviorFlags, D3DPRESENT_PARAMETERS* pPresentationParameters, struct IDirect3DDevice9** ppReturnedDeviceInterface) PURE;


Code:
#define STDMETHOD(method)        virtual HRESULT STDMETHODCALLTYPE method
#define STDMETHODCALLTYPE       __stdcall

Code:
#define THIS_ INTERFACE *This,
#define INTERFACE IDirect3D9

Sneaky macros in my SDK?!?!

Macro deobfuscation:
Code:
virtual HRESULT __stdcall CreateDevice(IDirect3D9 *This, UINT Adapter, D3DDEVTYPE DeviceType, HWND hFocusWindow, DWORD BehaviorFlags, D3DPRESENT_PARAMETERS* pPresentationParameters, struct IDirect3DDevice9** ppReturnedDeviceInterface) = 0;


COM Interface methods all have a hidden first parameter, the interface pointer.

atom0s
Moderator
Reputation: 205

Joined: 25 Jan 2006
Posts: 8585
Location: 127.0.0.1

PostPosted: Sat Mar 26, 2011 5:27 am    Post subject:

@Bill87: Why are you using inline asm? There isn't any reason to use it. Along with that, you are probably crashing because you aren't respecting the registers' previous values and just overwriting them.

Cast your pointer to the definition of Direct3DCreate9:
Code:
typedef IDirect3D9* (__stdcall *oD3DCreate9)( UINT );   // pointer-to-function type
oD3DCreate9 ocreate = (oD3DCreate9)0x12345678; // Your addr here etc.


And just call it normally:
Code:
IDirect3D9* pD3D9 = ocreate( SDKVersion );

_________________
- Retired.
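As an added, constructed example (not code from this thread or from the SDK): a portable mock of the COM vtable layout that shows the CreateDevice signature with the hidden This parameter sponge describes, and calls the original through a typed pointer as atom0s suggests. It swaps the vtable slot instead of patching a jmp, and IFakeD3D9, FakeVtbl and every function name are stand-ins; __stdcall only applies when built on Windows.

```c
/* Constructed mock of the COM layout: an interface is a pointer to a vtable, and
 * every method gets the interface pointer ("This") as a hidden first argument. */
#ifdef _WIN32
#define COMCALL __stdcall          /* STDMETHODCALLTYPE in the real SDK */
#else
#define COMCALL                    /* same layout, no stdcall off Windows */
#endif
typedef struct IFakeD3D9 IFakeD3D9;
typedef void (*GenericFn)(void);
/* CreateDevice after macro expansion: This first, then the six explicit args. */
typedef long (COMCALL *CreateDevice_t)(IFakeD3D9 *This, unsigned Adapter, int DeviceType,
    void *hFocusWindow, unsigned long BehaviorFlags, void *pPresentParams, void **ppDevice);
#define CREATEDEVICE_SLOT 16       /* [vtbl + 40h] in the post = 0x40 / 4 on 32-bit */
typedef struct { GenericFn slot[CREATEDEVICE_SLOT + 1]; } FakeVtbl;
struct IFakeD3D9 { FakeVtbl *lpVtbl; int devices_created; };
/* Stand-in for d3d9's own implementation: succeeds only for adapter 0. */
static long COMCALL real_CreateDevice(IFakeD3D9 *This, unsigned Adapter, int DeviceType,
    void *hFocusWindow, unsigned long BehaviorFlags, void *pPresentParams, void **ppDevice) {
    (void)DeviceType; (void)hFocusWindow; (void)BehaviorFlags; (void)pPresentParams;
    This->devices_created++;
    *ppDevice = This;              /* pretend the interface is also the device */
    return Adapter == 0 ? 0 : -1;  /* 0 plays the role of D3D_OK */
}
static CreateDevice_t oCreateDevice;              /* original, kept as a typed pointer */
static unsigned g_last_adapter = 0xFFFFFFFFu;
/* Hook with the corrected signature: because This is declared, Adapter and the rest
 * line up with what the caller pushed, and the callee pops all seven dwords. */
static long COMCALL hook_CreateDevice(IFakeD3D9 *This, unsigned Adapter, int DeviceType,
    void *hFocusWindow, unsigned long BehaviorFlags, void *pPresentParams, void **ppDevice) {
    g_last_adapter = Adapter;
    return oCreateDevice(This, Adapter, DeviceType, hFocusWindow, BehaviorFlags, pPresentParams, ppDevice);
}
/* Vtable-slot hook (instead of the inline jmp patch in the thread): save slot 16, install
 * ours. In a live process the vtable page needs VirtualProtect before the write. */
void hook_create_device(IFakeD3D9 *d3d) {
    oCreateDevice = (CreateDevice_t)d3d->lpVtbl->slot[CREATEDEVICE_SLOT];
    d3d->lpVtbl->slot[CREATEDEVICE_SLOT] = (GenericFn)hook_CreateDevice;
}
/* Dwords a 32-bit stdcall callee pops: RETN 1C -> 0x1C / 4 = 7 = six args + This. */
unsigned stdcall_arg_count(unsigned retn_imm) { return retn_imm / 4; }
/* Build a fake IDirect3D9, hook it, then call through the vtable like any caller would. */
int run_demo(unsigned adapter) {
    FakeVtbl vt = {{0}}; IFakeD3D9 d3d = { &vt, 0 }; void *dev = 0;
    vt.slot[CREATEDEVICE_SLOT] = (GenericFn)real_CreateDevice;
    hook_create_device(&d3d);
    ((CreateDevice_t)d3d.lpVtbl->slot[CREATEDEVICE_SLOT])(&d3d, adapter, 1, 0, 0x40, 0, &dev);
    return dev == (void *)&d3d ? d3d.devices_created : -1;   /* 1 when the call went through */
}
unsigned last_adapter_seen(void) { return g_last_adapter; }
```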
661089799107
Expert Cheater
Reputation: 3

Joined: 25 Jan 2009
Posts: 186

PostPosted: Sat Mar 26, 2011 10:08 am    Post subject:

sponge wrote:

Macro deobfuscation:
Code:
virtual HRESULT __stdcall CreateDevice(IDirect3D9 *This, UINT Adapter, D3DDEVTYPE DeviceType, HWND hFocusWindow, DWORD BehaviorFlags, D3DPRESENT_PARAMETERS* pPresentationParameters, struct IDirect3DDevice9** ppReturnedDeviceInterface) = 0;


COM Interface methods all have a hidden first parameter, the interface pointer.


I added the "hidden parameter", and now it works.

Thanks everyone
All times are GMT - 6 Hours