Hook CL_CreateMove using stack manipulation from a GetCursorPos hook

社区服务
高级搜索
猴岛论坛CSGO反恐精英CS作弊器交流讨论Hook CL_CreateMove using stack manipulation from a GetCursorPos hook
发帖 回复
倒序阅读 最近浏览的帖子最近浏览的版块
« 返回列表
3个回复

Hook CL_CreateMove using stack manipulation from a GetCursorPos hook

 楼层直达
莎仕芘亞

ZxID:1171401

等级: 元老
猴岛国防部部长

举报 只看楼主 使用道具 楼主   发表于: 2007-06-24 0
This works on the principle that the game only calls GetCursorPos from a few different points, and one of them is in CL_CreateMove (actually, a couple of function calls deeper than CL_CreateMove, but it doesn't matter) which is really the only client function you need to hook for most things. So in the GetCursorPos hook the code checks to see if this call has in fact been made by CL_CreateMove and if so it changes the return address of the CL_CreateMove call so that it returns to our post hook gateway, and then back to hw.dll.

Substitute my detours for whatever hook method you prefer. But be aware that VAC2 can "see" simple jmp call and int3 detours on imports. hook_CL_CreateMove has the same prototype as the actual CL_CreateMove from the client and is __cdecl.
code:
DWORD g_dwHW_Base 0x01D00000;
DWORD g_dwHW_Len 0x01100000;

DWORD g_dwClient_Base 0x01900000;
DWORD g_dwClient_Len 0x000AA000;


BOOL (WINAPI *tramp_GetCursorPos)(LPPOINT lpPoint);

void install_hooks(void)
{
    detour *pdtgcp = new detour(GetCursorPosdetour_GetCursorPos5);
    pdtgcp->install();
    tramp_GetCursorPos = (BOOL(WINAPI*)(LPPOINT lpPoint))pdtgcp->gettrampoline();
}

size_t g_saved_cl_createmove_ra;

BOOL WINAPI detour_GetCursorPos(LPPOINT lpPoint)
{
    BOOL ret FALSE;

    ret tramp_GetCursorPos(lpPoint);

    DWORD *pstack 0;
    DWORD gcp_ra 0;

    _asm
    {
        mov pstackesp;
        mov edx, [ebp+0x4];
        mov gcp_raedx;
    }

    // we are only interested if this has been called from the client dll since that contains CL_CreateMove
    if(gcp_ra g_dwClient_Base || gcp_ra >= g_dwClient_Base g_dwClient_Len)
        return ret;


    // find the first return address on the stack that points to code inside hw.dll (since that is what calls CL_CreateMove)
    size_t ras_found 0;
    DWORD *pra 0;
    while(ras_found 1)
    {
        if(*pstack >= g_dwHW_Base && *pstack g_dwHW_Base g_dwHW_Len)
        {
            pra pstack;
            ras_found++;
        }
        pstack++;
    }

    // the first byte of code at the return address of a CL_CreateMove call is e8, so check that
    if(*(char*)*pra == '\xe8')
    {
        // replace this return address with our gateway so it gets called before control returns to hw.dll
        g_saved_cl_createmove_ra = *pra;
        *pra = (DWORD)gateway_CL_CreateMove;
    }

    return ret;
}

_declspec(nakedvoid gateway_CL_CreateMove(void)
{
    _asm
    {
        call hook_CL_CreateMove;
        mov edxg_saved_cl_createmove_ra;
        jmp edx;
    }
打赏 收藏 新鲜事

相关主题

回复 引用
  鲜花[0]  鸡蛋[0]
莎仕芘亞

ZxID:1171401

等级: 元老
猴岛国防部部长

举报 只看该作者 沙发   发表于: 2007-06-24 0
发帖申明:此文章出自国外的 Game Deception
回复 引用 新鲜事
  鲜花[0]  鸡蛋[0]
guoliwen111

ZxID:8522124

等级: *
举报 只看该作者 板凳   发表于: 2009-08-21 0
GetCursorPos hook the code checks to see if this call has in fact been made by CL_CreateMove and if so it changes the return address of the CL_CreateMove call so that it returns to our post hook gateway, and then back to hw.dll.

Substitute my detours for whatever hook method you prefer. But be aware that VAC2 can "see" simple jmp call and int3 detours on imports. hook_CL_CreateMove has the same prototype as the actual CL_CreateMove from the client and is __cdecl.

code:

DWORD g_dwHW_Base = 0x01D00000;
DWORD g_dwHW_Len = 0x01100000;

DWORD g_dwClient_Base = 0x01900000;
DWORD g_dwClient_Len = 0x000AA000;


BOOL (WINAPI *tramp_GetCursorPos)(LPPOINT lpPoint);

void install_hooks(void)
{
    detour *pdtgcp = new detour(GetCursorPos, detour_GetCursorPos, 5);
    pdtgcp->install();
    tramp_GetCursorPos = (BOOL(WINAPI*)(LPPOINT lpPoint))pdtgcp->gettrampoline();
}

size_t g_saved_cl_createmove_ra;

BOOL WINAPI detour_GetCursorPos(LPPOINT lpPoint)
{
    BOOL ret = FALSE;
回复 引用 新鲜事
  鲜花[]  鸡蛋[]
guoliwen111

ZxID:8522124

等级: *
举报 只看该作者 地板   发表于: 2009-08-21 0
GetCursorPos hook the code checks to see if this call has in fact been made by CL_CreateMove and if so it changes the return address of the CL_CreateMove call so that it returns to our post hook gateway, and then back to hw.dll.

Substitute my detours for whatever hook method you prefer. But be aware that VAC2 can "see" simple jmp call and int3 detours on imports. hook_CL_CreateMove has the same prototype as the actual CL_CreateMove from the client and is __cdecl.

code:

DWORD g_dwHW_Base = 0x01D00000;
DWORD g_dwHW_Len = 0x01100000;

DWORD g_dwClient_Base = 0x01900000;
DWORD g_dwClient_Len = 0x000AA000;


BOOL (WINAPI *tramp_GetCursorPos)(LPPOINT lpPoint);

void install_hooks(void)
{
    detour *pdtgcp = new detour(GetCursorPos, detour_GetCursorPos, 5);
    pdtgcp->install();
    tramp_GetCursorPos = (BOOL(WINAPI*)(LPPOINT lpPoint))pdtgcp->gettrampoline();
}

size_t g_saved_cl_createmove_ra;

BOOL WINAPI detour_GetCursorPos(LPPOINT lpPoint)
{
    BOOL ret = FALSE;
回复 引用 新鲜事
  鲜花[]  鸡蛋[]
« 返回列表
发帖 回复