Thread: Clienthooking Quake 2 games

Clienthooking it is similar to Warsow; if you have figured that game out this would be a piece of cake.

The engine has a ref function importer/exporter called GetRefAPI (just like Quake 3).
Hook it and you can fill refExport and refImport structures.

GetRefAPI is exported from ref_pbgl.dll (FOR DIGITAL PAINTBALL) so I just hooked LoadLibrary and got its full module handle from that...

The refExport and refImport structs have a lot of goodie functions so its easier to use them then c&p all the code out of the src.

PHP Code:

refExport_t g_GetRefAPI(refImport_t g_RefImport)
{
    MessageBox(NULL, "Lol GetRefAPI hooked", "Lol!", MB_OK);
    refExport_t g_RetVal = pOrigGetRefAPI(g_RefImport);
    g_Imports = g_RefImport;
    g_Exports = g_RetVal;
    g_RetVal.api_version = API_VERSION;
    g_RetVal.BeginRegistration = R_BeginRegistration;
    g_RetVal.RegisterModel = R_RegisterModel;
    g_RetVal.RegisterSkin = R_RegisterSkin;
    g_RetVal.RegisterPic = Draw_FindPic;
    g_RetVal.SetSky = R_SetSky;
    g_RetVal.EndRegistration = R_EndRegistration;
    g_RetVal.RenderFrame = R_RenderFrame;
    g_RetVal.DrawGetPicSize = Draw_GetPicSize;
    g_RetVal.DrawPic = Draw_Pic;
    g_RetVal.DrawStretchPic = Draw_StretchPic;
    g_RetVal.DrawChar = Draw_Char;
    g_RetVal.DrawTileClear = Draw_TileClear;
    g_RetVal.DrawFill = Draw_Fill;
    g_RetVal.DrawFadeScreen= Draw_FadeScreen;
    g_RetVal.DrawStretchRaw = Draw_StretchRaw;
    g_RetVal.DrawFindPic = Draw_FindPic;
    g_RetVal.DrawPic2 = Draw_Pic2;
    g_RetVal.DrawStretchPic2 = Draw_StretchPic2;
    g_RetVal.DrawTileClear2 = Draw_TileClear2;
    g_RetVal.DrawString = Draw_String;
    g_RetVal.DrawStringAlpha = Draw_StringAlpha;
    g_RetVal.DrawGetStates = Draw_GetStates;
    g_RetVal.Init = R_Init;
    g_RetVal.Shutdown = R_Shutdown;
    g_RetVal.CinematicSetPalette = R_SetPalette;
    g_RetVal.BeginFrame = R_BeginFrame;
    g_RetVal.EndFrame = GLimp_EndFrame;
    g_RetVal.AppActivate = GLimp_AppActivate;
    return g_RetVal;
}

// I'll leave you to wrap all the exports you want; example below

void R_RenderFrame(refdef_t *rd) // we all know what this does now
{
    g_Exports.RenderFrame(rd);
    g_Imports.Con_Printf(0, "Couch pwnd Digital Paintball!");
    g_Imports.Cvar_Set("unbindall", "1", CVAR_ARCHIVE); 
} 


I'm getting all sorts of errors w the GetRefAPI hook, mostly due to redefinitions of refExport_t and undeclared identifiers all over the place :.

Originally Posted by TheSorc3r3r

I'm getting all sorts of errors w the GetRefAPI hook, mostly due to redefinitions of refExport_t and undeclared identifiers all over the place :.

Wasn't meant to be c&p, etc...

btw if you want to draw something draw your text/quads after the original RenderScene was called.

I didn't copy and paste; I meant with declarations and such:

refExport_t GetRefAPI_Hook( ... );

take the quake2 cgame sdk and include it

: I'll be specific.

I included the SDK, and my first problem arose when I tried to declare the variable to hold the original GetRefAPI..

refExport_t (WINAPI* orig_GetRefAPI)( args );

There were about nine errors, and most had to do with refExport_t being redefined and refImport_t being undeclared.

should be self explanatory, find where refImport_t is, and find where refExport_t is defined a second time and add / remove them to project

Thanks for the help so far, guys.

I've stumbled across a (seemingly common) problem, but I can't find/figure out any fix. Google/MSDN were useless here >.

Immediately after refExport.Init() is called (whether or not I fed the export my function or the original), I get the debugging exception:

... Privileged instruction (0xC0000096) occurred at ...

Here's some of my code (I truncated parts (// continue exports) to make it easier to read).

DLL:

Code:

#include <windows.h>
#include <detours.h>
#include "Engine/ref.h"

#pragma comment(lib, "detours.lib")
#pragma warning(disable: 4996)

refexport_t refExports;
refimport_t refImports;

static bool dtrSet = false;

typedef HMODULE (WINAPI *LoadLibrary_t)(LPCSTR);
// this is already defined in ref.h
//typedef refexport_t (*GetRefAPI_t)(refimport_t);

qboolean h_Init(void *hInstance, void *wndProc)
{
	return refExports.Init(hInstance, wndProc);
}

void h_Shutdown()
{
	refExports.Shutdown();
}

void h_BeginRegistration(char *map)
{
	refExports.BeginRegistration(map);
}

... // continue exports

#define DEF_EXPORT(name) ret.##name = h_##name

GetRefAPI_t o_GetRefAPI;
refexport_t h_GetRefAPI(refimport_t refImport)
{
	refexport_t ret = o_GetRefAPI(refImport);

	refExports = ret;
	refImports = refImport;

	ret.api_version = API_VERSION;

	DEF_EXPORT(Init);
	DEF_EXPORT(Shutdown);
	DEF_EXPORT(BeginRegistration);
    ... // continue exports

	return ret;
}
	
LoadLibrary_t o_LoadLibrary;
HMODULE h_LoadLibrary(LPCSTR lpLibrary)
{
	HMODULE hM = o_LoadLibrary(lpLibrary);
	if (hM)
	{
		if (strstr(lpLibrary, "ref_pbgl.dll") && !dtrSet)
		{
			DetourFunction(
				(PBYTE)GetProcAddress(hM, "GetRefAPI"),
				(PBYTE)h_GetRefAPI);

			__asm mov [o_GetRefAPI], eax;
			
			dtrSet = true;
		}
	}

	return o_LoadLibrary(lpLibrary);
}

bool WINAPI DllMain(HMODULE hModule, DWORD dwReason, LPVOID lpReserved)
{
	switch (dwReason)
	{
	case DLL_PROCESS_ATTACH:
		DetourFunction(
			(LPBYTE)LoadLibraryA,
			(LPBYTE)h_LoadLibrary);
		__asm mov [o_LoadLibrary], eax;
		break;
	case DLL_PROCESS_DETACH:
		if (dtrSet)
			DetourRemove((LPBYTE)h_GetRefAPI, (LPBYTE)o_GetRefAPI);
		DetourRemove((LPBYTE)h_LoadLibrary, (LPBYTE)LoadLibraryA);
		break;
	}

	return true;
}

Injector:

Code:

#include <windows.h>
#include <iostream>
#include <detours.h>
using namespace std;

#pragma comment(lib, "detours.lib")

int main()
{
	const char *appName = "C:\\games\\PAINTB~1\\paintball2.exe";
	const char *dllName = "C:\\Documents and Settings\\Admin\\My Documents\\Visual Studio 2005\\Projects\\pb2_BaseHook2\\debug\\pb2_BaseHook2.dll";
	STARTUPINFO si;
	PROCESS_INFORMATION pi;
	memset(&si, 0, sizeof(si));
	memset(&pi, 0, sizeof(pi));
	si.cb = sizeof(si);

	cout << "Paintball2 Hackz - By TheSorc3r3r\nCredits: Panzer, inspire-, Couch, null"
		<< "\nGameDeception.com & CheatersUtopia.com"
		<< "\n\nStarting Digital Paintball 2 with hacks...";

	if (DetourCreateProcessWithDll(appName, "", 0, 0, 0, 0, 0, 0, &si, &pi, dllName,
		0))
		cout << "\nHacks successful =)!";
	else
		cout << "\nHacks unsuccessful =(.\nError was:" << GetLastError();

	cout << "\n\n";
	return 1;
}

Thanks for any help !

Sorc: Have you downloaded the DPB basehook here and compared those?
I dont have access to mess around atm and really check out your code in depth, but I would suggest just a bit of general logging to see where the errors happening.

Originally Posted by null

Sorc: Have you downloaded the DPB basehook here and compared those?
I dont have access to mess around atm and really check out your code in depth, but I would suggest just a bit of general logging to see where the errors happening.

I thought this was the only Q2/DPB (close-to)basehook around here :P. I'll check it out.

I did some logging (I just took it out to make the code easier to read). That's how I found out that the error happens right after refExport.Init() returns.

Edit: Found Couch's basehook, but the download isn't there (or in the database). I'm probably going blind :P