Results 1 to 1 of 1

Thread: QuickMap

  1. #1
    Coders (+)_'s Avatar
    Join Date
    Jan 2010
    Location
    Earth
    Posts
    455

    Talking QuickMap

    Quick Manual Map.

    Quick and simple way to Manual Map your D3D Dll. xD
    Tested on RaKS BF2 and some COD4 Cheats. Miaaauuu!! :3
    Subsequent Dll injections or Unloading may require fixing the IAT again. xD

    DllMain.h

    Code:
    #include <windows.h>
    #include <time.h>
    #include <d3d9.h>
    #include <d3dx9.h>
    #pragma comment( lib, "d3d9.lib" )
    #pragma comment( lib, "d3dx9.lib" )
    
    #pragma warning(disable : 4996)
    
    //#define RETDLLM
    
    #define D3D_RELEASE(D3D_PTR) if( D3D_PTR )\
    	{ D3D_PTR->Release( ); D3D_PTR	= NULL; }
    
    #define TRANSFER( ADDR ) (((DWORD)moduleBase+\
    		((DWORD)(ADDR)-((DWORD)hModule))))
    
    typedef HRESULT(WINAPI* tEndScene)(LPDIRECT3DDEVICE9 pDevice);
    typedef HRESULT(WINAPI* tDrawIndexedPrimitive)(LPDIRECT3DDEVICE9 pDevice, D3DPRIMITIVETYPE PrimType, INT BaseVertexIndex, UINT MinIndex, UINT NumVertices, UINT StartIndex, UINT PrimitiveCount);
    typedef HRESULT(WINAPI* tReset)(LPDIRECT3DDEVICE9 pDevice, D3DPRESENT_PARAMETERS* pPresentationParameters);
    extern CHAR DllFilePath[MAX_PATH];
    
    BOOL WINAPI _DllMain( HMODULE hMod, DWORD dwReason, LPVOID lpvReserved );HRESULT WINAPI hkEndScene( LPDIRECT3DDEVICE9 Dev );
    DWORD WINAPI Hook( LPVOID lpThreadParameter );
    DllMain.cpp

    Code:
    #include "DllMain.h"
    
    /*
    Made by zooom @ UCForum on April 6, 2017
    Credits:
    UCForum
    GD
    aB
    
    Steps to QM:
    1. Inject the DLL.
    2. COpy the DLL to other location.
    3. Fix relocs.
    4. Unload the DLL using FreeLibrary!
    5. Align IAT.
    */
    
    CHAR DllFilePath[MAX_PATH]	= {0};
    
    BOOL WINAPI _DllMain( HMODULE hMod, DWORD dwReason, LPVOID lpvReserved )
    {
    	if( dwReason == DLL_PROCESS_ATTACH )
    	{
    		/*
    			Add your DllMain here. This will be your DllMain. :)
    
    			You may need to modify or avoid your log functions and others that
    			require an actual DLL entry. :3 Miaauu!
    
    		*/
    		//MessageBoxA( HWND_DESKTOP, DllFilePath, "Success!", 0 );		// Testing! :D
    		CreateThread( 0, 0, (LPTHREAD_START_ROUTINE)Hook, 0, 0, 0 );	// ...
    		return TRUE;
    	}
    	
    	return FALSE;
    }
    QuickMap.cpp

    Code:
    #include "DllMain.h"
    
    // Pietrek's macro
    //
    // MakePtr is a macro that allows you to easily add to values (including
    // pointers) together without dealing with C's pointer arithmetic. It
    // essentially treats the last two parameters as DWORDs. The first
    // parameter is used to typecast the result to the appropriate pointer type.
    #define MakePtr( cast, ptr, addValue ) (cast)( (DWORD_PTR)(ptr) + (DWORD_PTR)(addValue))
    
    // This one is mine, but obviously..."adapted" from matt's original idea =p
    #define MakeDelta(cast, x, y) (cast) ( (DWORD_PTR)(x) - (DWORD_PTR)(y))
    
    #define IMAGE_EXPORT 0 
    #define IMAGE_IMPORT 1 
    
    HMODULE hModule		= 0;
    DWORD Reason		= 0;
    LPVOID Reserved		= 0;
    void *moduleBase	= 0;
    
    // Matt Pietrek's function
    PIMAGE_SECTION_HEADER GetEnclosingSectionHeader(DWORD rva, PIMAGE_NT_HEADERS pNTHeader){
    	PIMAGE_SECTION_HEADER section = IMAGE_FIRST_SECTION(pNTHeader);
    	unsigned int i;
    
    	for ( i = 0; i < pNTHeader->FileHeader.NumberOfSections; i++, section++ ){
    		// This 3 line idiocy is because Watcom's linker actually sets the
    		// Misc.VirtualSize field to 0. (!!! - Retards....!!!)
    		DWORD size = section->Misc.VirtualSize;
    		if ( 0 == size )
    			size = section->SizeOfRawData;
    
    		// Is the RVA within this section?
    		if ( (rva >= section->VirtualAddress) &&
    			(rva < (section->VirtualAddress + size)))
    			return section;
    	}
    
    	return 0;
    }
    
    // This function is also Pietrek's
    LPVOID GetPtrFromRVA( DWORD rva, IMAGE_NT_HEADERS *pNTHeader, PBYTE imageBase ){
    	PIMAGE_SECTION_HEADER pSectionHdr;
    	INT delta;
    
    	pSectionHdr = GetEnclosingSectionHeader( rva, pNTHeader );
    	if ( !pSectionHdr )
    	return 0;
    
    
    	delta = (INT)(pSectionHdr->VirtualAddress-pSectionHdr->PointerToRawData);
    	return (PVOID) ( imageBase + rva - delta );
    } 
    
    DWORD GetSection( void *moduleBase, void *dllBin, IMAGE_NT_HEADERS *ntHd, DWORD Addr ){
    	IMAGE_SECTION_HEADER *header = IMAGE_FIRST_SECTION(ntHd);
    	unsigned int nBytes = 0;
    	unsigned int virtualSize = 0;
    	unsigned int n = 0;
    
    	// Loop through the list of sections
    	for(unsigned int i = 0; ntHd->FileHeader.NumberOfSections; i++){
    		// Once we've reached the SizeOfImage, the rest of the sections
    		// don't need to be mapped, if there are any.
    		if(nBytes >= ntHd->OptionalHeader.SizeOfImage)
    			break;
    
    		DWORD rData		= MakePtr(DWORD, dllBin, header->PointerToRawData);
    
    		if( Addr >= rData && 
    			Addr <= (rData+header->SizeOfRawData) ){
    			DWORD VirtualAddress	= (DWORD)moduleBase + header->VirtualAddress + (Addr - rData);
    			return VirtualAddress;
    		}	
    
    		virtualSize = header->VirtualAddress;
    		header++;
    		virtualSize = header->VirtualAddress - virtualSize;
    		nBytes += virtualSize;
    	}
    
    	return 0;
    }
    
    IMAGE_IMPORT_DESCRIPTOR * GetImpTable( PVOID hMod ){
    	IMAGE_DOS_HEADER *dosHd			= (IMAGE_DOS_HEADER*)hMod;
    
    	if(dosHd->e_magic!=0x5A4D)
    		return 0;
    
    	IMAGE_OPTIONAL_HEADER * oph		= (IMAGE_OPTIONAL_HEADER*)((PBYTE)hMod+dosHd->e_lfanew+24);
    
    	if(oph->Magic!=0x10B)
    		return 0;
    
    	if( oph->DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].Size==0|| 
    		oph->DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress==0 )
    		return 0;
    
    	return (IMAGE_IMPORT_DESCRIPTOR *)((PBYTE)hMod+oph->DataDirectory
    		[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress);
    }
    
    bool FixRelocs(void *base, void *rBase, IMAGE_NT_HEADERS *ntHd, IMAGE_BASE_RELOCATION *reloc, unsigned int size){
    	unsigned long ImageBase = ntHd->OptionalHeader.ImageBase;
    	unsigned int nBytes = 0;
    	unsigned long delta = MakeDelta(unsigned long, rBase, ImageBase);
    
    	while(1){
    		unsigned long *locBase =
    		(unsigned long *)GetPtrFromRVA((DWORD)(reloc->VirtualAddress), ntHd, (PBYTE)base);
    		unsigned int numRelocs = (reloc->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION)) / sizeof(WORD);
    
    		if(nBytes >= size) break;
    
    		unsigned short *locData = MakePtr(unsigned short *, reloc, sizeof(IMAGE_BASE_RELOCATION));
    		for(unsigned int i = 0; i < numRelocs; i++){ 
    			if(((*locData >> 12) & IMAGE_REL_BASED_HIGHLOW)){
    				DWORD Value	= *MakePtr(unsigned long *, locBase, (*locData & 0x0FFF));
    				DWORD VirtualAddress	= GetSection( rBase, base, ntHd,
    					MakePtr(unsigned long, locBase, (*locData & 0x0FFF)) );
    				*(PDWORD)VirtualAddress = Value+delta;
    			}
    			locData++;
    		}
    
    		nBytes += reloc->SizeOfBlock;
    		reloc = (IMAGE_BASE_RELOCATION *)locData;
    	}
    
    	return true;
    }
    
    void FixIAT( ){   
    	IMAGE_IMPORT_DESCRIPTOR *impDesc = 
    		(IMAGE_IMPORT_DESCRIPTOR *)GetImpTable( moduleBase );
    
    	while(impDesc->FirstThunk){
    		int n = 0;
    		IMAGE_THUNK_DATA* itd	= (IMAGE_THUNK_DATA*)
    			((PBYTE)moduleBase+impDesc->OriginalFirstThunk);
    
    		while(itd->u1.Function){
    			PCHAR FuncName		= (PCHAR)((PBYTE)moduleBase+(DWORD)itd->u1.AddressOfData+2);
    			HMODULE Module		= LoadLibraryA( (PCHAR)((PBYTE)moduleBase+impDesc->Name) );
    			PDWORD pAddr		= (PDWORD)((PBYTE)moduleBase+impDesc->FirstThunk)+n;
    			DWORD dwFunc		= (DWORD)GetProcAddress( Module, FuncName );
    			DWORD OLD			= NULL;
    
    			VirtualProtect( pAddr, 4, 0x40, &OLD );
    			*pAddr	= dwFunc;
    			VirtualProtect( pAddr, 4, OLD, &OLD );
    			
    			n++;
    			itd++;
    		}
    		impDesc++;
    	}
    }   
    
    DWORD WINAPI FreeOld( LPVOID lpThreadParameter ){
    	if( FreeLibrary( hModule ) ){
    		FixIAT( );}
    	_DllMain( (HMODULE)moduleBase, Reason, Reserved );
    	return 0;
    }
    
    DWORD WINAPI QuickMap( LPVOID lpThreadParameter ){
    	IMAGE_DOS_HEADER *dosHd		= 0;
    	IMAGE_NT_HEADERS *ntHd		= 0;
    
    	HANDLE hFile = CreateFileA(DllFilePath,
    		GENERIC_READ,
    		FILE_SHARE_READ | FILE_SHARE_WRITE,
    		NULL,
    		OPEN_EXISTING,
    		FILE_ATTRIBUTE_NORMAL,
    		NULL);
    
    	if(hFile == INVALID_HANDLE_VALUE)
    		return false;
    
    	unsigned int fSize;
    
    	if(GetFileAttributesA(DllFilePath) & FILE_ATTRIBUTE_COMPRESSED)
    		fSize = GetCompressedFileSizeA(DllFilePath, NULL);
    	else
    		fSize = GetFileSize(hFile, NULL);
    
    	unsigned char *dllBin = new unsigned char[fSize];
    	unsigned int nBytes;
    
    	ReadFile(hFile, dllBin, fSize, (LPDWORD)&nBytes, FALSE);
    	CloseHandle(hFile);
    
    	// Every PE file contains a little DOS stub for backwards compatibility
    	// it's only real relevance is that it contains a pointer to the actual
    	// PE header.
    	dosHd	 = MakePtr(IMAGE_DOS_HEADER *, dllBin, 0);
    
    	// Make sure we got a valid DOS header
    	if(dosHd->e_magic != IMAGE_DOS_SIGNATURE)
    		return 0;
    
    	// Get the real PE header from the DOS stub header
    	ntHd	= MakePtr(IMAGE_NT_HEADERS *, dllBin, dosHd->e_lfanew);
    
    	// Verify the PE header
    	if(ntHd->Signature != IMAGE_NT_SIGNATURE)
    		return 0;
    
    	// Option to return the DllMain to Original.
    #ifdef RETDLLM
    
    	ntHd->OptionalHeader.AddressOfEntryPoint	
    		= TRANSFER( YourDllMain ) - (DWORD)moduleBase;
    
    #endif RETDLLM
    
    	// Allocate space for the module in the remote process
    	moduleBase = VirtualAlloc(
    		NULL,
    		ntHd->OptionalHeader.SizeOfImage,
    		MEM_COMMIT | MEM_RESERVE,
    		PAGE_EXECUTE_READWRITE);
    
    	// Copy the Dll
    	memcpy( moduleBase, (PVOID)hModule, ntHd->OptionalHeader.SizeOfImage );
    	
    	// Fix "base relocations" of the new module. Base relocations are places
    	// in the module that use absolute addresses to reference data. Since
    	// the base address of the module can be different at different times,
    	// the base relocation data is necessary to make the module loadable
    	// at any address.
    	IMAGE_BASE_RELOCATION *reloc = (IMAGE_BASE_RELOCATION *)GetPtrFromRVA(
    		(DWORD)(ntHd->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress),
    		ntHd,
    		(PBYTE)dllBin);
    
    	if(ntHd->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size)
    		FixRelocs(dllBin,
    			moduleBase,
    			ntHd,
    			reloc,
    			ntHd->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size);
    
    	CreateThread( 0, 0, (LPTHREAD_START_ROUTINE)TRANSFER( FreeOld ), 0, 0, 0 );
    
    	delete dllBin;
    	return 0;
    }
    
    BOOL WINAPI DllMain( HMODULE hMod, DWORD dwReason, LPVOID lpvReserved ){
    	if( dwReason == DLL_PROCESS_ATTACH ){
    		DisableThreadLibraryCalls( hMod );
    		GetModuleFileNameA( hMod, DllFilePath, MAX_PATH );
    
    		hModule			= hMod;
    		Reason			= dwReason;
    		Reserved		= lpvReserved; 
    		CreateThread( 0, 0, QuickMap, 0, 0, 0 );
    		return TRUE;
    	}
    
    	return FALSE;
    }
    Sample.cpp

    Code:
    #include "DllMain.h"
    
    D3DVIEWPORT9 VP				= {0};
    DWORD dwEndScene			= NULL;
    DWORD dwINDPR				= NULL;
    DWORD dwReset				= NULL;
    tEndScene oEndScene			= NULL;
    tReset oReset				= NULL;
    D3DRECT CrssRct				= {0};
    CHAR TimeAndDate[MAX_PATH]	= {0};
    time_t TimeValue			= {0};
    LPD3DXFONT pFont			= NULL;
    tDrawIndexedPrimitive oDrawIndexedPrimitive = NULL;
    D3DPRESENT_PARAMETERS d3dpp		=	{0};
    
    VOID WINAPI DrawTime( LPDIRECT3DDEVICE9 Device_Interface, LONG L, LONG T, LONG R, LONG B ){
    	if( pFont == NULL ) 
    		return;
    	RECT Rect		= { L, T, R, B };
    	TimeValue		= time( NULL );
    	strftime( TimeAndDate, MAX_PATH, "[ %a - %b %d - %I:%m %p ]", localtime( &TimeValue ));
    
    	pFont->DrawTextA( 0, TimeAndDate, -1, &Rect, DT_NOCLIP|DT_CENTER, D3DCOLOR_ARGB( 255, 10, 255, 10 ) );
    }
    
    HRESULT WINAPI hkEndScene( LPDIRECT3DDEVICE9 Dev ){
    	Dev->GetViewport( &VP );
    	LONG SWH					= VP.Width/2;
    	LONG SHH					= VP.Height/2;
    	CrssRct.x1					= SWH;
    	CrssRct.y1					= SHH -  5;
    	CrssRct.x2					= SWH + 1;
    	CrssRct.y2					= SHH + 6;
    
    	Dev->Clear( 1, &CrssRct, D3DCLEAR_TARGET, 
    		D3DCOLOR_ARGB( 255, 255, 20, 20 ), 0,  0 );
    
    	CrssRct.x1					= SWH -  5;
    	CrssRct.y1					= SHH;
    	CrssRct.x2					= SWH + 6;
    	CrssRct.y2					= SHH + 1;
    
    	Dev->Clear( 1, &CrssRct, D3DCLEAR_TARGET, 
    		D3DCOLOR_ARGB( 255, 255, 20, 20 ), 0,  0 ); 
    
    	if( pFont == NULL ) 
    		D3DXCreateFontA( Dev, 15, 0, FW_BOLD, 1, 0, DEFAULT_CHARSET, 
    			OUT_DEFAULT_PRECIS, ANTIALIASED_QUALITY, DEFAULT_PITCH | FF_DONTCARE, "Cambria", &pFont );
    
    	DrawTime( Dev, SWH-20, VP.Height-20, SWH+20, VP.Height );
    
    	return oEndScene( Dev );
    }
    
    HRESULT WINAPI hkDrawIndexedPrimitive( LPDIRECT3DDEVICE9 pDev, D3DPRIMITIVETYPE Type, 
    	INT BaseIndex, UINT MinIndex, UINT NumVertices, UINT StartIndex, 
    		UINT PrimitiveCount ){
    			LPDIRECT3DVERTEXBUFFER9 Stream_Data			= NULL;
    			UINT Offset				= 0;
    			UINT Stride				= 0;
    			if( pDev->GetStreamSource( 0, &Stream_Data, &Offset, &Stride ) == D3D_OK ){
    				Stream_Data->Release( );
    				if( Stride == 44 ){
    					pDev->SetRenderState( D3DRS_FILLMODE, D3DFILL_WIREFRAME );
    					oDrawIndexedPrimitive( pDev, Type, BaseIndex, MinIndex, 
    						NumVertices, StartIndex, PrimitiveCount );
    					pDev->SetRenderState( D3DRS_FILLMODE, D3DFILL_SOLID );
    					return D3D_OK;
    				}
    			}
    
    	return oDrawIndexedPrimitive( pDev, Type, BaseIndex, MinIndex, 
    		NumVertices, StartIndex, PrimitiveCount );
    }
    
    HRESULT WINAPI hkReset( LPDIRECT3DDEVICE9 pDev, 
    	D3DPRESENT_PARAMETERS* pPresentationParameters ){
    		D3D_RELEASE( pFont )
    		return oReset( pDev, pPresentationParameters );
    }
    
    //RaKS
    //===============================================================================================================
    //DXINIT FUNCTION ===============================================================================================
    //===============================================================================================================
    LRESULT CALLBACK MsgProc(HWND hwnd, UINT uMsg, WPARAM wParam, LPARAM lParam){ return DefWindowProc(hwnd, uMsg, wParam, lParam); }
    void DX_Init( )
    {
    	WNDCLASSEX wc = { sizeof(WNDCLASSEX), CS_CLASSDC, MsgProc, 0L, 0L, GetModuleHandle(NULL), NULL, NULL, NULL, NULL, "DX", NULL };
    	RegisterClassEx(&wc);
    	HWND hWnd = CreateWindow("DX", NULL, WS_OVERLAPPEDWINDOW, 100, 100, 300, 300, GetDesktopWindow(), NULL, wc.hInstance, NULL);
    	LPDIRECT3D9 pD3D = Direct3DCreate9(D3D_SDK_VERSION);
    	d3dpp.Windowed = TRUE;
    	d3dpp.SwapEffect = D3DSWAPEFFECT_DISCARD;
    	d3dpp.BackBufferFormat = D3DFMT_UNKNOWN;
    	LPDIRECT3DDEVICE9 pd3dDevice;
    	pD3D->CreateDevice(D3DADAPTER_DEFAULT, D3DDEVTYPE_HAL, hWnd, D3DCREATE_SOFTWARE_VERTEXPROCESSING, &d3dpp, &pd3dDevice);
    	DWORD* pVTable = (DWORD*)pd3dDevice;
    	pVTable = (DWORD*)pVTable[0];
    
    	dwEndScene = pVTable[42];
    	dwINDPR = pVTable[82];
    	dwReset = pVTable[16];
    
    	DestroyWindow(hWnd);
    }
    
    void * __stdcall DetourFunc( BYTE *src, const BYTE *dst, const int len ){
    	BYTE *jmp		= (BYTE*)VirtualAlloc(0,len+5,MEM_RESERVE|MEM_COMMIT,0x40);
    	DWORD dwback	= NULL;
    	VirtualProtect(src, len, PAGE_READWRITE, &dwback);
    	memcpy( jmp, src, len );	
    	jmp += len;
    	jmp[0] = 0xE9;
    	*(DWORD*)(jmp+1) = (DWORD)(src+len - jmp) - 5;
    	src[0] = 0xE9;
    	*(DWORD*)(src+1) = (DWORD)(dst - src) - 5;
    	VirtualProtect(src, len, dwback, &dwback);
    
    	return (jmp-len);
    }
    
    DWORD WINAPI Hook( LPVOID lpThreadParameter ){
    	DX_Init( );
    	oEndScene = (tEndScene)DetourFunc( (PBYTE)dwEndScene, 
    		(PBYTE)hkEndScene, 5 );
    	oDrawIndexedPrimitive = (tDrawIndexedPrimitive)
    		DetourFunc( (PBYTE)dwINDPR, 
    		(PBYTE)hkDrawIndexedPrimitive, 5 );
    	oReset = (tReset)DetourFunc( (PBYTE)dwReset, 
    		(PBYTE)hkReset, 5 );
    	return 0;
    }
    Last edited by (+)_; April 7th, 2017 at 09:59.

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •