; Overlay for the stack as it looks right after a `pushad` at the top of a hook
; (New_CreateDevice does `mov edi,esp` / `assume edi:ptr d3d9esp_s` and then
; reads [edi].arg7). pushad stores eax,ecx,edx,ebx,esp,ebp,esi,edi from high to
; low address, so edi sits at [esp+0]; above the eight registers is the return
; address the hook pushed, then the hooked function's stdcall arguments in call
; order (arg1 is the COM `this` pointer for a method).
d3d9esp_s struct
regEdi dd ?          ; [esp+00h] edi saved by pushad
regEsi dd ?          ; [esp+04h] esi
regEbp dd ?          ; [esp+08h] ebp
regEsp dd ?          ; [esp+0Ch] esp value before the pushad
regEbx dd ?          ; [esp+10h] ebx
regEdx dd ?          ; [esp+14h] edx
regEcx dd ?          ; [esp+18h] ecx
regEax dd ?          ; [esp+1Ch] eax
call_ret dd ?        ; [esp+20h] return address (the *_sub label pushed by the hook)
arg1 dd ?            ; [esp+24h] first stdcall argument (`this` for a COM method)
arg2 dd ?
arg3 dd ?
arg4 dd ?
arg5 dd ?
arg6 dd ?
arg7 dd ?            ; for IDirect3D9::CreateDevice: ppReturnedDeviceInterface (see New_CreateDevice)
arg8 dd ?
d3d9esp_s ends
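; D3DXFONT_DESCA with the layout D3DXCreateFontIndirectA expects (d3dx9core.h):
; four UINTs, a BOOL, four BYTE fields, then CHAR FaceName[LF_FACESIZE] (32).
; Fix: the original declared CharSet/OutputPrecision/Quality/PitchAndFamily as
; DWORDs and FaceName as 256 bytes. D3DX therefore read FaceName at offset 24,
; which was the (zero) OutputPrecision dword, so the "Times New Roman" string
; written by gamed3d_hook was never seen and a default face was used instead.
; The non-standard member names `height`/`d3width` are kept because existing
; code (gamed3d_hook) refers to them.
D3DXFONT_DESCA struct
height dd ?            ; UINT Height
d3width dd ?           ; UINT Width
Weight dd ?            ; UINT Weight
MipLevels dd ?         ; UINT MipLevels
Italic dd ?            ; BOOL Italic
CharSet db ?           ; BYTE CharSet   (offset 20)
OutputPrecision db ?   ; BYTE OutputPrecision
Quality db ?           ; BYTE Quality
PitchAndFamily db ?    ; BYTE PitchAndFamily
FaceName db 32 dup(?)  ; CHAR FaceName[LF_FACESIZE] (offset 24)
D3DXFONT_DESCA ends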
.data
pDirect3DCreate9 dd ?           ; d3d9!Direct3DCreate9, resolved in gamed3d_hook and hot-patched
Direct3DCreate9_ret dd ?        ; caller's return address saved by New_Direct3DCreate9
pCreateDevice dd ?              ; IDirect3D9 vtable slot 40h, read in New_Direct3DCreate9_sub and hot-patched
CreateDevice_ret dd ?           ; caller's return address saved by New_CreateDevice
pCreateDevice_jmp dd ?          ; pCreateDevice+5, trampoline scratch for New_CreateDevice
pIDirect3DDevice9 dd ?          ; IDirect3DDevice9** (CreateDevice's 7th argument, ppReturnedDeviceInterface)
pDxdevice dd ?                  ; IDirect3DDevice9* (*pIDirect3DDevice9, cached after CreateDevice returns)
pD3DXCreateFontIndirectA dd ?   ; D3DX9_37!D3DXCreateFontIndirectA; may stay 0, callers test it first
pPresent dd ?                   ; device vtable slot 44h, hot-patched to New_Present
lrect RECT<?>                   ; text rectangle passed to ID3DXFont::DrawText (set in gamed3d_hook)
ID3DXFont dd ?                  ; ID3DXFont* (a variable, not a type); 0 until the font is created
lf D3DXFONT_DESCA<?>            ; font description filled in by gamed3d_hook
d3dbuf db 256 dup(?)            ; formatted overlay text produced by formatstr, drawn by New_Present
; NOTE(review): every global above is written by whichever thread runs the
; hooked function; nothing here is synchronized.
.code
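;-----------------------------------------------------------------------
; d3dajmpb(a_addr, b_addr) - overwrite the first 5 bytes at a_addr with
; `JMP rel32` to b_addr (a hot-patch style detour).
; In:    a_addr = code address to patch, b_addr = hook to jump to
; Out:   eax = TRUE if the patch was written, FALSE if the page could not be
;        made writable (nothing is touched then). Other registers preserved.
; Fixes vs. the original:
;  - VirtualProtect's result was ignored and the deprecated IsBadWritePtr
;    (which probes by writing) decided whether to call it; a failure led to a
;    write fault at a_addr.
;  - The page was left PAGE_EXECUTE_READWRITE afterwards (W^X violation);
;    the previous protection is now restored and the I-cache flushed.
; NOTE(review): every caller in this file later re-executes the 5-byte
; hot-patch prologue (mov edi,edi / push ebp / mov ebp,esp = 8B FF 55 8B EC)
; and jumps to a_addr+5, so a target that does not begin with exactly those
; bytes will be resumed mid-instruction; check the bytes before hooking a new
; target. The write is not atomic with respect to other threads executing
; a_addr - install hooks before rendering starts.
;-----------------------------------------------------------------------
d3dajmpb proc a_addr:dword,b_addr:dword
    local OldProtect:dword
    local Junk:dword
    local ok:dword
    pushad
    mov ok,FALSE
    invoke VirtualProtect,a_addr,5,PAGE_EXECUTE_READWRITE,addr OldProtect
    .if eax!=0
        mov eax,a_addr
        mov edx,b_addr
        sub edx,eax
        sub edx,5                     ; rel32 = b_addr - (a_addr + 5)
        mov byte ptr [eax],0e9h       ; JMP rel32 opcode
        xchg [eax+1],edx              ; xchg with memory is implicitly LOCKed: the
                                      ; 4-byte displacement lands in one write
        invoke VirtualProtect,a_addr,5,OldProtect,addr Junk
        invoke GetCurrentProcess
        invoke FlushInstructionCache,eax,a_addr,5
        mov ok,TRUE
    .else
        invoke OutputDebugString,SADD("d3dajmpb: VirtualProtect failed, hook not installed")
    .endif
    popad
    mov eax,ok
    ret
d3dajmpb endp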
;-----------------------------------------------------------------------
; lpfnBeginScene - call IDirect3DDevice9 vtable slot 0A4h (BeginScene, going
; by this proc's name - confirm against d3d9.h) on the hooked device.
; pIDirect3DDevice9 holds CreateDevice's ppReturnedDeviceInterface, so it is
; dereferenced once for the device and once more for its vtable; the cached
; pDxdevice is what is pushed as `this`.
; Out:   eax = HRESULT from the device (ignored by New_Present).
; No null check: only valid after New_CreateDevice_sub has run.
;-----------------------------------------------------------------------
lpfnBeginScene proc
    mov ecx,pIDirect3DDevice9        ; IDirect3DDevice9**
    mov ecx,dword ptr [ecx]          ; IDirect3DDevice9*
    mov edx,dword ptr [ecx]          ; vtable
    push pDxdevice                   ; this
    call dword ptr [edx+0a4h]        ; stdcall: callee pops the argument
    ret
lpfnBeginScene endp
;-----------------------------------------------------------------------
; lpfnEndScene - call IDirect3DDevice9 vtable slot 0A8h (EndScene, going by
; this proc's name - confirm against d3d9.h) on the hooked device; the
; counterpart of lpfnBeginScene, used by New_Present around DrawText.
; Out:   eax = HRESULT from the device (ignored by New_Present).
; No null check: only valid after New_CreateDevice_sub has run.
;-----------------------------------------------------------------------
lpfnEndScene proc
    mov ecx,pIDirect3DDevice9        ; IDirect3DDevice9**
    mov ecx,dword ptr [ecx]          ; IDirect3DDevice9*
    mov edx,dword ptr [ecx]          ; vtable
    push pDxdevice                   ; this
    call dword ptr [edx+0a8h]        ; stdcall: callee pops the argument
    ret
lpfnEndScene endp
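;-----------------------------------------------------------------------
; formatstr - render "[x y z]" from pos_x/pos_y/pos_z into the global d3dbuf
; that New_Present draws every frame.
; Fix: the original formatted with crt_sprintf into a 64-byte stack buffer
; and then copied it to d3dbuf with wsprintf. %0.4f has no upper bound on the
; integer part, so a large coordinate overran the stack buffer. Format
; straight into d3dbuf with a length-limited _snprintf (crt__snprintf comes
; from the same msvcrt.inc as crt_sprintf) and force a terminator, since
; _snprintf leaves the buffer unterminated when it truncates.
; NOTE(review): each %f consumes a double; pos_x/pos_y/pos_z are declared
; outside this file and must be REAL8 for invoke to push 8 bytes each - confirm.
;-----------------------------------------------------------------------
formatstr proc
    invoke crt__snprintf,addr d3dbuf,(sizeof d3dbuf)-1,SADD("[%0.4f %0.4f %0.4f]",0),pos_x,pos_y,pos_z
    mov byte ptr d3dbuf[(sizeof d3dbuf)-1],0   ; always NUL-terminated, even on truncation
    ret
formatstr endp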
;ID3DXFont vtable slot 38h == DrawText (COM method: the `this` pointer is pushed as the first argument)
;INT DrawText(
; [in] LPD3DXSPRITE pSprite,
; [in] LPCTSTR pString,
; [in] INT Count,
; [in] LPRECT pRect,
; [in] DWORD Format,
; [in] D3DCOLOR Color
;);
;-----------------------------------------------------------------------
; New_Present - detour installed over the device's Present (vtable slot 44h).
; Draws the text prepared by formatstr inside a BeginScene/EndScene pair,
; then replays the 5 prologue bytes the detour overwrote (mov edi,edi /
; push ebp / mov ebp,esp) and continues at pPresent+5, so the original
; Present sees its caller's stack untouched and returns straight to the game.
; Register state is saved/restored with pushad/popad around the drawing.
; DrawText arguments (stdcall, pushed right to left):
;   this=ID3DXFont, pSprite=NULL, pString=d3dbuf, Count=szLen(d3dbuf),
;   pRect=lrect, Format=0, Color=0FF00FF00h (D3DCOLOR ARGB: opaque green).
; Nothing is drawn until New_CreateDevice_sub has created the font.
; NOTE(review): this assumes the real Present starts with the 5-byte hot-patch
; prologue; the HRESULTs of BeginScene/EndScene are not checked, and the font
; is never notified of device loss/reset (OnLostDevice/OnResetDevice), so
; drawing after a Reset is not handled here.
;-----------------------------------------------------------------------
New_Present proc
    pushad
    invoke lpfnBeginScene
    invoke formatstr                 ; refresh d3dbuf
    mov ecx,ID3DXFont
    test ecx,ecx
    jz @F                            ; no font yet: skip the text
    invoke szLen,addr d3dbuf         ; eax = Count (string length)
    push 0ff00ff00h                  ; Color
    push 0                           ; Format
    push offset lrect                ; pRect
    push eax                         ; Count
    push offset d3dbuf               ; pString
    push NULL                        ; pSprite
    push ID3DXFont                   ; this
    mov ecx,ID3DXFont
    mov ecx,dword ptr [ecx]          ; ID3DXFont vtable
    call dword ptr [ecx+38h]         ; ID3DXFont::DrawText
@@:
    invoke lpfnEndScene
    popad
    ; replay the overwritten prologue and resume the original Present
    mov edi,edi
    push ebp
    mov ebp,esp
    mov eax,pPresent
    add eax,5
    jmp eax                          ; tail jump; the original Present returns to the game
New_Present endp
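;-----------------------------------------------------------------------
; New_CreateDevice - detour installed over IDirect3D9::CreateDevice (stdcall,
; 7 arguments).
;  1. Replace the caller's return address with New_CreateDevice_sub so control
;     comes back here once the real CreateDevice has returned.
;  2. Read ppReturnedDeviceInterface (arg7) from the caller's frame via the
;     d3d9esp_s overlay and remember it in pIDirect3DDevice9.
;  3. Replay the 5 overwritten prologue bytes and jump to pCreateDevice+5
;     (assumes the hot-patch prologue, see d3dajmpb).
; New_CreateDevice_sub then hooks Present on the new device and creates the
; overlay font.
; Fix: the original decided success with `.if eax` *after* calling wsprintf
; and OutputDebugString, so it tested whatever those left in eax, not the
; HRESULT - and a non-zero HRESULT is a failure anyway (D3D_OK == 0). The
; HRESULT is now kept in ebx (saved by pushad) and the hook proceeds only on
; SUCCEEDED(hr) with a non-null returned device.
; NOTE(review): CreateDevice_ret is one global, so two threads calling
; CreateDevice concurrently would overwrite each other's return address.
; NOTE(review): every successful CreateDevice creates another ID3DXFont
; without releasing the previous one.
;-----------------------------------------------------------------------
New_CreateDevice proc
    pop eax
    mov CreateDevice_ret,eax         ; real return address, used by the _sub tail
    push offset New_CreateDevice_sub
    ;--------------------------------------------------------------------------------
    pushad
    mov edi,esp
    assume edi:ptr d3d9esp_s         ; esp after pushad matches the overlay
    mov eax,[edi].arg7               ; IDirect3DDevice9** ppReturnedDeviceInterface
    mov pIDirect3DDevice9,eax
    assume edi:nothing
    invoke wsprintf,addr szbuf,SADD("pIDirect3DDevice9:%08x"),pIDirect3DDevice9
    invoke OutputDebugString,addr szbuf
    invoke wsprintf,addr szbuf,SADD("CreateDevice_ret:%08x"),CreateDevice_ret
    invoke OutputDebugString,addr szbuf
    invoke OutputDebugString,SADD("New_CreateDevice_START")
    popad
    ;--------------------------------------------------------------------------------
    ; replay the overwritten prologue and continue in the original CreateDevice
    mov edi,edi
    push ebp
    mov ebp,esp
    mov eax,pCreateDevice
    add eax,5
    jmp eax
    ;--------------------------------------------------------------------------------
New_CreateDevice_sub:
    ; Reached through the substituted return address: eax = HRESULT from
    ; CreateDevice; its 7 arguments have already been popped (stdcall).
    pushad
    mov ebx,eax                      ; keep hr; the debug prints clobber eax
    invoke wsprintf,addr szbuf,SADD("111pIDirect3DDevice9:%08x"),pIDirect3DDevice9
    invoke OutputDebugString,addr szbuf
    test ebx,ebx
    js cd_failed                     ; FAILED(hr): sign bit set
    mov eax,pIDirect3DDevice9
    test eax,eax
    jz cd_failed
    mov eax,dword ptr [eax]          ; IDirect3DDevice9*
    test eax,eax
    jz cd_failed                     ; succeeded but no device written
    mov pDxdevice,eax
    mov eax,dword ptr [eax]          ; device vtable
    mov eax,dword ptr [eax+44h]      ; slot 44h = Present (per the variable name)
    mov pPresent,eax
    invoke d3dajmpb,pPresent,offset New_Present
    invoke wsprintf,addr szbuf,SADD("pPresent:%08x pDxdevice:%08x"),pPresent,pDxdevice
    invoke OutputDebugString,addr szbuf
    invoke OutputDebugString,SADD("New_Present hooked New_CreateDevice_end")
    .if pD3DXCreateFontIndirectA
        ; D3DXCreateFontIndirectA(pDevice, &lf, &ID3DXFont) - stdcall, right to left
        push offset ID3DXFont
        push offset lf
        push pDxdevice
        call pD3DXCreateFontIndirectA
        invoke wsprintf,addr szbuf,SADD("ID3DXFont:%08x"),ID3DXFont
        invoke OutputDebugString,addr szbuf
    .endif
    jmp cd_done
cd_failed:
    invoke OutputDebugString,SADD("ERROR::New_CreateDevice_end")
cd_done:
    popad                            ; eax = hr again for the original caller
    jmp CreateDevice_ret
New_CreateDevice endp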
;-----------------------------------------------------------------------
; New_Direct3DCreate9 - detour installed over d3d9!Direct3DCreate9.
; Swaps the caller's return address for New_Direct3DCreate9_sub, logs, then
; replays the 5 overwritten prologue bytes and jumps to pDirect3DCreate9+5
; (assumes the hot-patch prologue, see d3dajmpb).
; New_Direct3DCreate9_sub runs when the real function returns with the
; IDirect3D9* in eax (NULL on failure): it reads vtable slot 40h into
; pCreateDevice and detours it to New_CreateDevice, then returns to the
; original caller with eax untouched.
; NOTE(review): Direct3DCreate9_ret is one global, so concurrent callers
; would clobber each other's return address. Re-hooking on a second call
; rewrites the same 5 bytes with the same jump.
;-----------------------------------------------------------------------
New_Direct3DCreate9 proc
    pop eax
    mov Direct3DCreate9_ret,eax
    push offset New_Direct3DCreate9_sub
    ;--------------------------------------------------------------------------------
    pushad
    invoke OutputDebugString,SADD("New_Direct3DCreate9_START")
    popad
    ;--------------------------------------------------------------------------------
    ; replay the overwritten prologue and continue in the original function
    mov edi,edi
    push ebp
    mov ebp,esp
    mov eax,pDirect3DCreate9
    add eax,5
    jmp eax
    ;--------------------------------------------------------------------------------
New_Direct3DCreate9_sub:
    pushad
    test eax,eax                     ; IDirect3D9* or NULL
    jz d3c_failed
    mov ecx,dword ptr [eax]          ; IDirect3D9 vtable
    mov ecx,dword ptr [ecx+40h]      ; slot 40h = CreateDevice (per the variable name)
    mov pCreateDevice,ecx
    invoke d3dajmpb,pCreateDevice,offset New_CreateDevice
    invoke wsprintf,addr szbuf,SADD("pCreateDevice:%08x"),pCreateDevice
    invoke OutputDebugString,addr szbuf
    invoke OutputDebugString,SADD("New_CreateDevice hooked New_Direct3DCreate9_end")
    jmp d3c_done
d3c_failed:
    invoke OutputDebugString,SADD("ERROR::New_Direct3DCreate9_end")
d3c_done:
    popad                            ; eax = IDirect3D9* again for the caller
    jmp Direct3DCreate9_ret
New_Direct3DCreate9 endp
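;-----------------------------------------------------------------------
; gamed3d_hook - entry point of the overlay: wait for d3d9.dll, detour
; Direct3DCreate9, wait for the D3DX runtime, resolve D3DXCreateFontIndirectA,
; and initialise the text rectangle and font description.
; Fix: the original detoured whatever GetProcAddress returned, so a failed
; lookup would have been patched at address 0 (access violation inside
; d3dajmpb). A missing Direct3DCreate9 now aborts; a missing
; D3DXCreateFontIndirectA is logged and left 0 (New_CreateDevice_sub tests it).
; NOTE(review): both waits spin forever (Sleep 500 ms) if the module never
; loads, so run this on its own thread.
; NOTE(review): "D3DX9_37.dll" is the D3DX build this game loads; other
; targets ship a different D3DX9_nn.dll.
;-----------------------------------------------------------------------
gamed3d_hook proc
    ; locate Direct3DCreate9
    .while TRUE
        invoke GetModuleHandle,SADD("d3d9.dll")
        .break .if eax
        invoke Sleep,500
    .endw
    invoke GetProcAddress,eax,SADD("Direct3DCreate9")
    .if eax==0
        invoke OutputDebugString,SADD("gamed3d_hook: Direct3DCreate9 not found")
        ret
    .endif
    mov pDirect3DCreate9,eax
    ; detour Direct3DCreate9
    invoke d3dajmpb,pDirect3DCreate9,offset New_Direct3DCreate9
    invoke OutputDebugString,SADD("gamed3d_hook hooked")
    ; locate D3DXCreateFontIndirectA, needed to create the overlay font
    .while TRUE
        invoke GetModuleHandle,SADD("D3DX9_37.dll")
        .break .if eax
        invoke Sleep,500
    .endw
    invoke GetProcAddress,eax,SADD("D3DXCreateFontIndirectA")
    mov pD3DXCreateFontIndirectA,eax
    .if eax==0
        invoke OutputDebugString,SADD("gamed3d_hook: D3DXCreateFontIndirectA not found")
    .endif
    ; text rectangle: top strip 1024x100
    mov lrect.left,0
    mov lrect.top,0
    mov lrect.right,1024
    mov lrect.bottom,100
    ; font description; MipLevels/OutputPrecision/Quality/PitchAndFamily are
    ; left at their zero .data initialisation
    mov lf.height,12
    mov lf.d3width,8
    mov lf.Weight,100
    mov lf.Italic,0
    mov lf.CharSet,1
    invoke wsprintf,addr lf.FaceName,SADD("%s"),SADD("Times New Roman")
    ret
gamed3d_hook endp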