Results 1 to 4 of 4
  1. #1
    Senior Member .Encore's Avatar
    Join Date
    Dec 2007
    Posts
    148

    CoD4 chams via strings

    Based on Decor911's post at UC: MW2 Cham's via strings


    This is my version of it for CoD4 which doesn't detour R_DrawXModelSkinnedCached, but does some stack walking from inside the DrawIndexedPrimitive. So, if you have undetected DrawIndexedPrimitive hook - you can have undetected chams via strings too Here's the code:
    Code:
         // Globally defined
    DWORD * _ESP;
    char * ModelName;
    
    // Inside DrawIndexedPrimitive
        if( (DWORD)_ReturnAddress( ) == ChamsReturnAddress )
        {
            __asm mov _ESP, esp
    
            if( !IsBadReadPtr( (void *)( _ESP + 0x18 ), 8 ) && *( _ESP + 0x18 ) )
            {
                if( !IsBadReadPtr( (void *)( *( _ESP + 0x18 ) + 0xB8 ), 8 ) &&
                    !IsBadReadPtr( (void *)*(DWORD *)( *( _ESP + 0x18 ) + 0xB8 ), 8 ) &&
                    !IsBadReadPtr( (void *)**(DWORD **)( *( _ESP + 0x18 ) + 0xB8 ), 8 ) )
                {
                    ModelName = (char *)**(DWORD **)( *( _ESP + 0x18 ) + 0xB8 );
    
                    if( ModelName )
                    {
                        if( !strstr( ModelName, "mi24p" ) && !strstr( ModelName, "cobra" ) )
                        {
                            if( strstr( ModelName, "opforce" ) || strstr(  ModelName, "op_force" ) || strstr( ModelName, "head_suren" ) || strstr(  ModelName, "arab" ) )
                                ChamsTeam = 2;
                            else if( strstr( ModelName, "sas" ) || strstr( ModelName, "usmc" ) || strstr( ModelName, "marine" ) )
                                ChamsTeam = 1;
    
                            // Do the chams drawing here
    
                            ChamsTeam = 0; // Don't forget this!
                        }
                    }
                }
            }
        }
    As you can see, you also don't have to hook R_DrawXModelSkinnedCached's parent function to prevent crashes - I used a few IsBadReadPtr calls instead of that.
    And here's the pattern for ChamsReturnAddress:
    Code:
         "\x5F\x5E\x5D\x5B\x83\xC4\x0C\xC3\xCC\xCC\xCC\xCC\xCC\xCC\xCC\xCC\xCC\xCC\xCC\xCC\x83\xEC\x0C\x53",  "xxxxxxxxxxxxxxxxxxxxxxxx"
    This method can't be used in CoD5 or CoD6.
    Enjoy

  2. #2

    Re: CoD4 chams via strings

    Dunno why no one's said this to you or on this post before:

    Great job, and why aren't you a semi-coder yet??

  3. #3
    Senior Member .Encore's Avatar
    Join Date
    Dec 2007
    Posts
    148

    Re: CoD4 chams via strings

    I'd say it's due to my low activity but it's just an assumption - I don't know real reason.
    Last edited by .Encore; December 26th, 2011 at 18:34.

  4. #4
    Coders (+)_'s Avatar
    Join Date
    Jan 2010
    Location
    Earth
    Posts
    457

    Re: CoD4 chams via strings

    It's called connection. You need to be connected.

    =================================

    EDIT: Okay I got it to work Thanks!!!

    Code:
    //=====================================================================================
    
    char * pChar;
    DWORD DrawSkin_Return_Address = 0x0064695c;
    int ChamsTeam = 0;
    
    __declspec( naked )
    void WINAPI Anti_Crash_Function( void )
    {
    	__asm 
    	{
    		PUSH EBP
    		MOV EBP,ESP
    		PUSH EBX
    		PUSH ESI
    		PUSH EDI
    		PUSH ESP
    		PUSH [EBP+0x04]
    		PUSH [EBP+0x20]
    		PUSH [EBP+0x1C]
    		PUSH [EBP+0x18]
    		PUSH [EBP+0x14]
    		PUSH [EBP+0x10]
    		PUSH [EBP+0xC]
    		PUSH [EBP+0x8]   
    		CALL DrawIndexedPrimitive_Detour              
    		PUSH [EBP+0x20]
    		PUSH [EBP+0x1C]
    		PUSH [EBP+0x18]
    		PUSH [EBP+0x14]
    		PUSH [EBP+0x10]
    		PUSH [EBP+0xC]
    		PUSH [EBP+0x8]
    		CALL DrawIndexedPrimitive_Pointer
    		POP EDI
    		POP ESI
    		POP EBX
    		POP EBP
    		RETN 0x1C
    	}
    }
    
    
    VOID WINAPI DrawIndexedPrimitive_Detour( LPDIRECT3DDEVICE9 Device_Interface, D3DPRIMITIVETYPE Type, INT BaseIndex, 
                UINT MinIndex, UINT NumVertices, UINT StartIndex, UINT PrimitiveCount, DWORD Return_Address, DWORD dwESP )
    {
    	LPDIRECT3DVERTEXBUFFER9 Stream_Data;
    	UINT Offset = 0;
    	UINT Stride = 0;
    
    	if(Device_Interface->GetStreamSource(0, &Stream_Data, &Offset, &Stride) == D3D_OK)
    	Stream_Data->Release();
    
    	if(Stride == 32)
    	{  
    		if( Return_Address == DrawSkin_Return_Address )
    		{
    			__asm
    			{
    				MOV EDX,[dwESP]
    				ADD EDX,0x18
    				MOV EDX,DWORD PTR SS:[EDX+0x18]
    				MOV EDX,DWORD PTR DS:[EDX+0xB8]
    				MOV EDX,DWORD PTR DS:[EDX]
    				MOV [pChar],EDX
    			}
    			if( pChar != NULL )
    			{
    				if( !strstr( pChar, "mi24p" ) && !strstr( pChar, "cobra" ) )
    				{
    					if( strstr( pChar, "opforce" ) || strstr(  pChar, "op_force" ) 
    						|| strstr( pChar, "head_suren" ) || strstr(  pChar, "arab" ) )
    					{
    						Device_Interface->SetTexture( 0, texMaroon );
    						Device_Interface->SetRenderState( D3DRS_ZENABLE, FALSE );
    						DrawIndexedPrimitive_Pointer(Device_Interface, Type, BaseIndex, 
    							MinIndex, NumVertices, StartIndex, PrimitiveCount);
    						Device_Interface->SetRenderState( D3DRS_ZENABLE, TRUE );
    						Device_Interface->SetTexture( 0, texMecO );
    					}	
    					else if( strstr( pChar, "sas" ) || strstr( pChar, "usmc" ) 
    						|| strstr( pChar, "marine" ) )
         
    					{
    						Device_Interface->SetTexture( 0, texXBlue );
    						Device_Interface->SetRenderState( D3DRS_ZENABLE, FALSE );
    						DrawIndexedPrimitive_Pointer(Device_Interface, Type, BaseIndex, 
    							MinIndex, NumVertices, StartIndex, PrimitiveCount);
    						Device_Interface->SetRenderState( D3DRS_ZENABLE, TRUE );
    						Device_Interface->SetTexture( 0, texXLBlue );
    					}	
    				}
    			}
    		}
    	}
    }
    
    //=====================================================================================
    
    DWORD WINAPI VirtualMethodTableRepatchingLoopToCounterExtensionRepatching(LPVOID Param)
    {
      UNREFERENCED_PARAMETER(Param); 
    
      while(1)
      {
        Sleep(100);
    
        *(PDWORD)&Direct3D_VMTable[16] = (DWORD)Reset_Detour;
        *(PDWORD)&Direct3D_VMTable[42] = (DWORD)EndScene_Detour;
        *(PDWORD)&Direct3D_VMTable[82] = (DWORD)Anti_Crash_Function;
      }
    
      return 1;
    }
    
    //=====================================================================================
    ===========================================

    EDIT:

    Here is my version for midfunction.

    Code:
    DIP_MID_FUNCTION = vTable[82] + 116;
    DIP_RETURN = DIP_MID_FUNCTION + 18;
    
    DIP:
    
    		PUSH EBX
    		PUSH ESI
    		PUSH EDI
    
    		MOV ECX,ESP
    		ADD ECX,0x20
    		ADD ECX,0x1C
    		PUSH ECX
    		PUSH DWORD PTR SS:[EBP+0x04]
    		PUSH DWORD PTR SS:[EBP+0x20]               // /Arg7
    		PUSH DWORD PTR SS:[EBP+0x1C]               // |Arg6
    		PUSH DWORD PTR SS:[EBP+0x18]               // |Arg5
    		PUSH DWORD PTR SS:[EBP+0x14]               // |Arg4
    		PUSH DWORD PTR SS:[EBP+0x10]               // |Arg3
    		PUSH DWORD PTR SS:[EBP+0xC]                // |Arg2
    		PUSH DWORD PTR SS:[EBP+0x8]                // |Arg1
    		CALL DIP_MAIN							   // \__asm
    
    		POP EDI
    		POP ESI
    		POP EBX
    
    		MOV ECX,DWORD PTR DS:[EDI+0x2CF0]
    		MOV EDX,DWORD PTR SS:[EBP+0x10]
    		LEA ESI,DWORD PTR DS:[EDI+0x2B3C]
    		MOV DWORD PTR DS:[ECX+0x14],EDX
    
    		JMP [DIP_RETURN]
    Last edited by (+)_; January 2nd, 2012 at 20:59.

Similar Threads

  1. cod4 chams
    By =1SK=Tony-Ray in forum D3D
    Replies: 5
    Last Post: October 17th, 2009, 16:24
  2. Need cod4 1.7 chams
    By Aqwa in forum Call of Duty 4 Cheats
    Replies: 8
    Last Post: August 25th, 2009, 16:34
  3. Cod4 chams, are c++ help.
    By reversflux in forum D3D
    Replies: 1
    Last Post: July 7th, 2009, 07:10
  4. Cod4 chams
    By foozle in forum Call of Duty 4 Cheats
    Replies: 1
    Last Post: November 28th, 2008, 23:50
  5. COD4: D3D Model rec with strings
    By Sinner in forum Tutorials
    Replies: 1
    Last Post: February 27th, 2008, 09:49

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •