

FREE WARBAND HACK

EXAMPLE FOOTAGE: https://youtu.be/jVBZ8t2amgI?t=43s

Since I am pretty much done with hacking this game I decided it was time to release my hack to the community. It is pretty powerful, including an unblockable that makes your attacks unstoppable; it works on any mod I have tried so far.

unpack the rar file and run XGameInjector.exe

INSTRUCTIONS

1. F7 to enable the menu and to traverse the menu use the arrow keys.

2. press the F key to aim at people.

3. double click the exe to start the hack if that doesn't work use cheat engine to inject the dll into the warband process or wait for warband to be started.

SHARING = CARING

http://tkc-community.net/forum/index.php?action=downloads;sa=view;down=473

This question is mostly aimed at mrmedic since I doubt anybody else has any knowledge of Windows internals.

I am trying to get the directory table base so I can translate a physical address to a linear one. How can one achieve getting the dirbase of the current process in userland? It is possible to read the CR3 for the table offset but I need a vulnerable driver that allows reading of the register. Does anybody know of any driver that allows you to do that? KPROCESS struct has an offset to the dirBase and EPROCESS has an offset to KPROCESS. How can one get the EPROCESS struct of the current process who is executing the code?

Solving any of the questions would help me a great deal and solve the problem.

cuz Douggem said so

[youtube]https://www.youtube.com/watch?v=k8CDak_WmtA[/youtube]

Mount and Blade / Bannerlord will have an anti-cheat
« on: August 29, 2017, 07:43:45 pm »
I can confirm from a trusted source that Bannerlord will have an anti-cheat. I am unsure which anti-cheat it could be, but I am putting my money on EAC, since their previous publisher Paradox Interactive are using it now on all of their new online games.

That means there won't be any public releases for autoblocks or whatever but I am in working on something that will prevent detection by EAC since they stripe handle of access rights and they have a callback on loadlibrary.

What are your thoughts about this?

Mount and Blade / The key to unblockable
« on: July 24, 2017, 08:48:44 pm »
I can't be arsed anymore. View angles have got jack shit to do with this; it's something related to the parry mechanics of this game. I got my aimbot, which is what I wanted, so I can't be bothered to reverse 2000 lines of code just to find one gimmick that will most likely get you banned from the server.

Here is my dumped function for check parry that holds key information on how to achieve the unblockable exploit mrmedic got.

// Hex-Rays (IDA) pseudo-C of Mission::check_parry as pasted on the forum.
// LODWORD/SLODWORD/HIDWORD/LOBYTE, COERCE_FLOAT, the "*&var" type punning, the
// backtick-quoted `vftable' names and __fastcall/__thiscall are decompiler and
// MSVC notation: this listing is for reading and does not compile as C++.
// Visible contract: *a9 and *a10 are set to 1.0 on entry (*a10 is rescaled
// later in the non-a5 path); the return value is one of 0, 5, 6, 7 or v73,
// and v73 starts at 0 and is only ever set to 6.  What those result codes mean
// is not recoverable from this listing.
// Decompiler artefacts to keep in mind before trusting any value: v48 and v60
// are read but never assigned, and v72, v83 and v87 are read before (or
// without) any assignment - stale stack slots / register leftovers.
int __fastcall Mission::check_parry(mission *a1, int a2, unsigned int *a3, unsigned int *a4, int a5, int a6, int a7, int *a8, float *a9, float *a10)
{
  DWORD *v10; // ecx@1
  agent *v11; // edi@1
  agent *v12; // ebp@1
  agent *v13; // ecx@1
  bool v14; // bl@1
  agent *v15; // eax@5
  double v16; // st7@5
  float v17; // edx@8
  double v18; // st7@8
  int v19; // eax@8
  unsigned int v20; // ecx@8
  double v21; // st6@8
  double v22; // st5@8
  double v23; // st4@8
  unsigned int v24; // ebx@9
  double v25; // st3@9
  int (__thiscall *v26)(void *, char); // edx@12
  float v27; // esi@12
  float v28; // edi@12
  float v29; // ebp@12
  double v30; // st7@20
  DWORD *v31; // eax@25
  DWORD v32; // edi@25
  _DWORD *v33; // ecx@26
  rgl::vector4 *v34; // eax@29
  int v35; // ecx@29
  unsigned int v36; // edx@29
  double v37; // st6@29
  double v38; // st7@30
  int v39; // ecx@34
  double v40; // st7@35
  double v41; // st6@35
  int v42; // eax@42
  double v43; // st7@42
  double v44; // st6@42
  double v45; // st7@47
  bool v46; // zf@51
  int result; // eax@53
  void *v48; // ecx@56
  signed __int32 v49; // eax@57
  double v50; // st5@61
  double v51; // st7@61
  int v52; // ecx@62
  double v53; // st7@64
  int v54; // esi@67
  double v55; // st7@71
  bool v56; // zf@80
  item *v57; // eax@91
  int v58; // ecx@97
  double v59; // st7@99
  int v60; // edx@133
  agent *v61; // [sp+10h] [bp-248h]@5
  float v62; // [sp+14h] [bp-244h]@34
  float v63; // [sp+18h] [bp-240h]@34
  item v64[2]; // [sp+1Ch] [bp-23Ch]@5
  float v65; // [sp+2Ch] [bp-22Ch]@19
  bool v66; // [sp+33h] [bp-225h]@8
  float v67; // [sp+34h] [bp-224h]@3
  float v68; // [sp+38h] [bp-220h]@8
  int v69; // [sp+3Ch] [bp-21Ch]@8
  float v70; // [sp+40h] [bp-218h]@8
  float v71; // [sp+44h] [bp-214h]@8
  float v72; // [sp+48h] [bp-210h]@9
  int v73; // [sp+4Ch] [bp-20Ch]@1
  agent *v74; // [sp+50h] [bp-208h]@1
  rgl::vector4 a4a; // [sp+58h] [bp-200h]@5
  float v77; // [sp+68h] [bp-1F0h]@12
  float v78; // [sp+6Ch] [bp-1ECh]@12
  float v79; // [sp+70h] [bp-1E8h]@12
  float v80; // [sp+78h] [bp-1E0h]@8
  float v81; // [sp+7Ch] [bp-1DCh]@8
  float v82; // [sp+80h] [bp-1D8h]@8
  float v83; // [sp+84h] [bp-1D4h]@12
  float v84; // [sp+88h] [bp-1D0h]@8
  float v85; // [sp+8Ch] [bp-1CCh]@8
  float v86; // [sp+90h] [bp-1C8h]@8
  float v87; // [sp+94h] [bp-1C4h]@29
  rgl::vector4 v88; // [sp+98h] [bp-1C0h]@6
  item v89; // [sp+A8h] [bp-1B0h]@19
  item a2a; // [sp+B0h] [bp-1A8h]@6
  rgl::matrix a1a; // [sp+B8h] [bp-1A0h]@29
  rgl::vector4 a3a; // [sp+F8h] [bp-160h]@19
  rgl::matrix v93; // [sp+108h] [bp-150h]@29
  int (__thiscall **v94)(void *, char); // [sp+148h] [bp-110h]@8
  float v95; // [sp+18Ch] [bp-CCh]@12
  float v96; // [sp+190h] [bp-C8h]@12
  float v97; // [sp+194h] [bp-C4h]@12
  float v98; // [sp+198h] [bp-C0h]@12
  float v99; // [sp+19Ch] [bp-BCh]@12
  float v100; // [sp+1A0h] [bp-B8h]@12
  float v101; // [sp+1A4h] [bp-B4h]@12
  unsigned int v102; // [sp+1A8h] [bp-B0h]@12
  float v103; // [sp+1CCh] [bp-8Ch]@12
  capsule v104; // [sp+1D0h] [bp-88h]@8

  // Both float out-params are initialised before any early return.
  *a10 = 1.0;
  *a9 = 1.0;
  v10 = cur_mission->agents.items.start_ptr;
  v11 = (v10[*a3 >> 4] + 25088 * (*a3 & 0xF));
  v12 = (v10[*a4 >> 4] + 25088 * (*a4 & 0xF));
  v13 = (v10[*a3 >> 4] + 25088 * (*a3 & 0xF));
  v73 = 0;
  v74 = v12;
  v14 = a5 != 0;
  if ( agent::is_riding_with_lance(v13) || v14 )
    v67 = 0.0;
  else
    v67 = *a8;
  *&v15 = COERCE_FLOAT(action_channel::is_defending(v12->action_channels[1].action_no));
  v16 = v11->position.x - v12->position.x;
  v61 = v15;
  *&v64[0].item_no = v16;
  *&v64[0].item_flags = v11->position.y - v12->position.y;
  sub_4328F0(v64);
  sub_502620(v12, &a4a);
  if ( v14 )
  {
    v88.x = *a7 - *a6;
    v88.y = *(a7 + 4) - *(a6 + 4);
    v88.z = *(a7 + 8) - *(a6 + 8);
    Vector4::length_or_normalize(&v88);
    Agent::get_weapon_item(v12, &a2a, 1);
    if ( a2a.item_no < 0 || LOBYTE(item_kinds[0][a2a.item_no].properties) != 7 )
      return 0;
    Body_part::ctor(&v94);
    v94 = &rglCapsule::`vftable';
    Body_part::ctor(&v104);
    v104.VTABLE = &rglCapsule::`vftable';
    Agent::get_body_capsule(v12, &v104);
    v17 = *(a7 + 4);
    v18 = 0.5;
    v19 = *(a7 + 8);
    v64[0].item_no = *a7;
    *&v69 = v88.x * 0.5;
    *&v64[0].item_flags = v17;
    v64[1].item_no = v19;
    v20 = *(a7 + 12);
    v66 = v61 == 319;
    v70 = v88.y * 0.5;
    v64[1].item_flags = v20;
    v68 = 0.0;
    v71 = v88.z * 0.5;
    v80 = *a6 - *&v69;
    v81 = *(a6 + 4) - v70;
    v82 = *(a6 + 8) - v71;
    v21 = v80;
    v84 = *&v64[0].item_no - v80;
    v22 = v81;
    v85 = v17 - v81;
    v23 = v82;
    v86 = *&v19 - v82;
    *&v61 = v85 * v85 + v84 * v84 + v86 * v86;
    if ( *&v61 > 0.0020000001 )
    {
      // v72 has not been assigned at this point (stale stack slot; its only
      // write is far below, after this loop).
      v24 = LODWORD(v72);
      v25 = *&v64[1].item_no;
      while ( SLODWORD(v68) < 20 )
      {
        v95 = v80;
        v77 = v21 + *&v64[0].item_no;
        v96 = v81;
        v97 = v82;
        // v83 is likewise read here before its first write (the else-branch
        // at the bottom of this loop body).
        v98 = v83;
        v78 = v22 + *&v64[0].item_flags;
        v26 = v94[14];
        v102 = v24;
        v79 = v25 + v23;
        *&v69 = v77 * v18;
        v27 = *&v69;
        v99 = *&v69;
        v70 = v78 * v18;
        v28 = v70;
        v100 = v70;
        v71 = v18 * v79;
        v29 = v71;
        v101 = v71;
        v103 = 0.0099999998;
        (v26)(&v94);
        if ( rgl_intersect_bodies(&v104, &v94, 0, 0) )
        {
          *&v64[0].item_no = v27;
          *&v64[0].item_flags = v28;
          *&v64[1].item_no = v29;
          v64[1].item_flags = v24;
        }
        else
        {
          v80 = v27;
          v81 = v28;
          v82 = v29;
          v83 = *&v24;
        }
        ++LODWORD(v68);
        v84 = *&v64[0].item_no - v80;
        v85 = *&v64[0].item_flags - v81;
        v23 = v82;
        v86 = *&v64[1].item_no - v82;
        *&v61 = v85 * v85 + v84 * v84 + v86 * v86;
        if ( *&v61 <= 0.0020000001 )
          break;
        v18 = 0.5;
        v21 = v80;
        v25 = *&v64[1].item_no;
        v22 = v81;
      }
      v12 = v74;
    }
    a3a.y = v81;
    a3a.x = v80;
    a3a.z = v82;
    a3a.w = v83;
    v61 = 26;
    a1 = sub_48A010(cur_game, &v12->troop_no, &v61, 1);
    Agent::get_weapon_item(v12, &v89, 1);
    v65 = 0.1;
    if ( v89.item_no >= 0 )
    {
      *&v61 = item_kinds[0][v89.item_no].weapon_length * 0.009999999776482582;
      v30 = *&v61;
      if ( *&v61 > 0.6000000238418579 )
        v30 = 0.60000002;
      v65 = v30;
    }
    *&v64[0].item_no = -v88.x;
    *&v64[0].item_flags = -v88.y;
    sub_4328F0(v64);
    *&v61 = *&v64[0].item_flags * a4a.y + *&v64[0].item_no * a4a.x;
    v67 = *&v61 * (*&v61 * *&v61);
    if ( v67 < 0.0 )
      v67 = 0.0;
    v31 = v12->entity;
    v32 = v31[181];
    if ( !*(v32 + 96) )
    {
      v33 = v31[181];
      if ( *(v32 + 120) )
        rglSkeleton::setup_frames_ragdoll(v33);
      else
        rglSkeleton::setup_frames_dynamic(v33);
    }
    rglMat3::transform_to_parent(&v12->rot_frame, &v93, &v93, (*(v32 + 4) + 6612));
    v77 = v93.rot.f.x * 0.2000000029802322;
    v78 = v93.rot.f.y * 0.2000000029802322;
    v79 = 0.2000000029802322 * v93.rot.f.z;
    v84 = v77 + v93.o.x;
    v85 = v93.o.y + v78;
    v86 = v93.o.z + v79;
    *&v69 = v93.rot.s.x + v93.rot.f.x;
    LODWORD(a1a.rot.u.x) = v69;
    a1a.rot.u.w = v72;
    v70 = v93.rot.s.y + v93.rot.f.y;
    a1a.rot.u.y = v70;
    v71 = v93.rot.s.z + v93.rot.f.z;
    a1a.rot.u.z = v71;
    *&v69 = v93.rot.f.x - v93.rot.s.x;
    LODWORD(a1a.rot.s.x) = v69;
    a1a.rot.s.w = v72;
    v70 = v93.rot.f.y - v93.rot.s.y;
    a1a.rot.s.y = v70;
    a1a.rot.f.x = v93.rot.u.x;
    v71 = v93.rot.f.z - v93.rot.s.z;
    a1a.rot.s.z = v71;
    a1a.rot.f.z = v93.rot.u.z;
    a1a.rot.f.y = v93.rot.u.y;
    a1a.rot.f.w = v93.rot.u.w;
    Vector4::length_or_normalize(&a1a.rot.s);
    Vector4::length_or_normalize(&a1a.rot.f);
    Vector4::length_or_normalize(&a1a.rot.u);
    sub_410AA0(&a1a);
    a1a.o.y = v85;
    a1a.o.z = v86;
    a1a.o.x = v84;
    // v87 is never assigned anywhere in this listing.
    a1a.o.w = v87;
    v34 = sub_410B30(&a1a, &a4a, &a4a, &a3a);
    v35 = SLODWORD(v34->x);
    v70 = v34->y;
    v72 = v34->w;
    v64[0].item_flags = LODWORD(v34->y);
    v36 = LODWORD(v34->w);
    v69 = v35;
    v71 = v34->z;
    v64[0].item_no = LODWORD(v34->x);
    v64[1].item_no = LODWORD(v34->z);
    v64[1].item_flags = v36;
    v77 = a1a.rot.s.z * v88.z + a1a.rot.s.y * v88.y + a1a.rot.s.x * v88.x;
    v78 = a1a.rot.f.x * v88.x + a1a.rot.f.y * v88.y + a1a.rot.f.z * v88.z;
    v79 = v88.y * a1a.rot.u.y + v88.x * a1a.rot.u.x + v88.z * a1a.rot.u.z;
    v37 = v78;
    *&v61 = *&v64[0].item_flags * v78 + v77 * *&v64[0].item_no + v79 * *&v64[1].item_no;
    if ( *&v61 <= 0.0 )
    {
      v38 = 0.0;
    }
    else
    {
      *&v61 = v70 / v37;
      v77 = v77 * *&v61;
      v78 = v37 * *&v61;
      v38 = 0.0;
      v79 = *&v61 * v79;
      v88.x = *&v69 - v77;
      *&v64[0].item_no = v88;
      v88.y = v70 - v78;
      v88.z = v71 - v79;
    }
    if ( v66 )
      v65 = a1 * 0.03999999910593033 * v67 + v65;
    v39 = v89.item_no;
    v63 = v38;
    v62 = v38;
    if ( v89.item_no >= 0 )
    {
      *&v61 = item_kinds[0][v89.item_no].weapon_length * 0.009999999776482582;
      v74 = v61;
      v40 = *&v61;
      *&v61 = 0.009999999776482582 * item_kinds[0][v89.item_no].missile_speed;
      v41 = *&v61;
      if ( *&v74 >= *&v61 )
        v41 = *&v74;
      v63 = v41;
      if ( v63 < 0.0099999998 )
        v63 = 0.5;
      v62 = v40;
      if ( v62 > 0.30000001 )
        v62 = 0.30000001;
    }
    if ( v12->troop_no >= 0 )
    {
      v61 = 26;
      v42 = sub_48A010(cur_game, &v12->troop_no, &v61, 1);
      v39 = v89.item_no;
      *&v61 = v42;
      v43 = 0.01999999955296516 * *&v61 + 1.0;
      v44 = *&v61 * 0.1000000014901161;
      *&v61 = v62 * v43;
      v62 = *&v61 + v44;
      *&v61 = v43 * v63;
      v63 = v44 + *&v61;
    }
    *&v61 = a1;
    v63 = 0.05000000074505806 * *&v61 * v67 + v63;
    v62 = v67 * (*&v61 * 0.01999999955296516) + v62;
    if ( !v66 )
    {
      *&v61 = item_kinds[0][v39].weapon_length * 0.009999999776482582;
      v63 = *&v61 * 0.8999999761581421;
      v62 = v63;
    }
    if ( *&v64[0].item_flags <= -0.1000000014901161 )
      return 0;
    if ( v62 <= *&v64[1].item_no )
      return 0;
    *&v61 = -v63;
    v45 = *&v61;
    if ( *&v61 >= *&v64[1].item_no )
      return 0;
    if ( -v65 < *&v64[0].item_no )
    {
      if ( v65 > *&v64[0].item_no )
      {
        *&v61 = v82 - v86;
        if ( *&v61 > v45 )
        {
          v46 = v62 > *&v61;
          // Jumps into the else-block near the end of the function: a shared
          // return tail the decompiler could not un-flatten. LABEL_52 reads
          // `if ( v46 ) return 5;` and then falls through to `return 0;`.
          goto LABEL_52;
        }
      }
      return 0;
    }
    return 0;
  }
  v89.item_no = -1;
  v65 = -6.8056469e38/*NaN*/;
  Action_channel::get_melee_defend_data(&v12->action_channels[1], &v74, &a2a);
  if ( v74 < 0 )
  {
    if ( (Action_channel::get_attack_direction(&v12->action_channels[1], &v89, &v65),
          v49 = v12->action_channels[0].action_no,
          v49 >= 20)
      && v49 <= 24
      || v89.item_no )
    {
      v89.item_no = -1;
      v65 = -6.8056469e38/*NaN*/;
    }
  }
  v50 = *&v64[0].item_no;
  *&v64[0].item_no = a4a.y * *&v64[0].item_no - *&v64[0].item_flags * a4a.x;
  *&v64[0].item_flags = a4a.y * *&v64[0].item_flags + a4a.x * v50;
  v51 = -*&v64[0].item_no;
  // v48 is never assigned in this listing (register leftover in ecx).
  sub_6297FA(v48);
  a4a.x = v51;
  a4a.x = a4a.x + 3.141592741012573;
  a4a.x = fmod(a4a.x, 6.283185482025146);
  *&v64[0].item_no = a4a.x - 3.141592741012573;
  LOBYTE(v68) = 0;
  v62 = -0.69999999;
  v63 = 0.69999999;
  if ( Agent::get_weapon_item(v11, &a4a, 0)->item_no >= 0 )
  {
    v52 = HIDWORD(item_kinds[0][Agent::get_weapon_item(v11, &a4a, 0)->item_no].properties) & 0x200000;
    LOBYTE(v68) = 1;
    if ( !v52 )
      LOBYTE(v68) = 0;
  }
  a4a.x = Mission::get_swing_power(a1, a3, a4, v68);
  v53 = 0.5;
  if ( a4a.x >= 0.5 )
  {
    v53 = a4a.x;
    if ( a4a.x >= 1.5 )
      v53 = 1.5;
  }
  a4a.x = v53;
  v54 = a2a.item_no;
  *a10 = 1.0 / a4a.x * *a10;
  if ( LODWORD(v67) == 2 )
  {
    if ( v54 == 1 || v54 == 5 )
    {
      v62 = -1.2;
      v55 = 1.6;
      goto LABEL_85;
    }
    if ( v54 == LODWORD(v67) )
    {
      v62 = 0.60000002;
      v55 = 2.8;
LABEL_85:
      v63 = v55;
      goto LABEL_86;
    }
  }
  else if ( LODWORD(v67) == 1 )
  {
    if ( v54 == 2 || v54 == 5 )
    {
      v62 = -1.6;
      v55 = 1.2;
      goto LABEL_85;
    }
    if ( v54 == LODWORD(v67) )
    {
      v62 = -2.8;
      v55 = -0.60000002;
      goto LABEL_85;
    }
  }
  else
  {
    if ( LODWORD(v67) == 3 )
      v56 = v54 == 3;
    else
      v56 = v54 == 0;
    if ( v56 || v54 == 5 )
    {
      v62 = -1.4;
      v55 = 1.4;
      goto LABEL_85;
    }
  }
LABEL_86:
  if ( *&v64[0].item_no < v62
    || v63 <= *&v64[0].item_no
    || agent::is_riding_with_lance(v11) && Agent::get_weapon_item(v12, v64, 1)->item_no < 0 )
  {
    return 0;
  }
  LODWORD(a4a.x) = 100;
  if ( Agent::get_weapon_item(v12, v64, 1)->item_no >= 0 )
  {
    v57 = Agent::get_weapon_item(v12, v64, 1);
LABEL_94:
    LODWORD(a4a.x) = Item::speed_rating(v57);
    goto LABEL_95;
  }
  if ( Agent::get_weapon_item(v12, v64, 0)->item_no >= 0 )
  {
    v57 = Agent::get_weapon_item(v12, v64, 0);
    goto LABEL_94;
  }
LABEL_95:
  v62 = 100.0 / SLODWORD(a4a.x) * 0.05000000074505806;
  if ( multiplayer_mode == 2 || multiplayer_mode == 3 )
  {
    v58 = 33032 * v12->player_no;
    a4a.x = 0.0;
    v64[0].item_no = word_DE913E[v58];
    *&v64[0].item_no = v64[0].item_no * 0.001000000047497451;
    *&v64[0].item_no = v62 - *&v64[0].item_no * 0.800000011920929;
    v62 = sub_416170(v64, &a4a.x, &v62);
  }
  if ( v74 >= 0 )
  {
    v59 = Timer::get_time_in_seconds(&v12->u9);
    if ( v62 > v59 )
      return 0;
  }
  if ( v61 == 310 && Agent::get_weapon_item(v11, v64, 0)->item_no < 0 )
    return 5;
  if ( v74 < 0 )
  {
    if ( !v89.item_no )
    {
      v62 = v12->action_channels[1].progress;
      if ( LODWORD(v67) == 3 )
      {
        if ( LODWORD(v65) == LODWORD(v67) && v62 >= 0.300000011920929 )
        {
          if ( v62 >= 0.69999999 )
            return v73;
          return 7;
        }
      }
      else if ( v67 == 0.0 )
      {
        if ( LODWORD(v65) == 3 )
        {
          if ( v62 >= 0.300000011920929 && v62 < 0.69999999 )
          {
            if ( LOBYTE(v68) )
              return v73;
            return 7;
          }
        }
        else if ( v65 == 0.0 && v62 >= 0.300000011920929 )
        {
          if ( v62 >= 0.69999999 )
            return v73;
          return 7;
        }
      }
      else if ( LODWORD(v67) == 2 )
      {
        if ( LODWORD(v65) == 1 && v62 >= 0.300000011920929 )
        {
          if ( v62 >= 0.69999999 )
            return v73;
          return 7;
        }
      }
      else if ( LODWORD(v67) == 1 && LODWORD(v65) == 2 && v62 >= 0.300000011920929 && v62 < 0.69999999 )
      {
        return 7;
      }
    }
    return v73;
  }
  if ( v61 != 319 && v61 == 310 )
  {
    if ( !sub_4A2250(v11, 0) )
      return 6;
    return v73;
  }
  if ( sub_4E4BD0(&a2a.item_no, &v67) )
  {
    // v60 is never assigned in this listing (register leftover in edx).
    if ( v60
      || v12->action_channels[1].progress < 0.2000000029802322
      || v12->action_channels[1].progress >= 0.8999999761581421 )
    {
      return 5;
    }
    v73 = 6;
    result = 6;
  }
  else
  {
    if ( LODWORD(v67) != 2 )
    {
      if ( LODWORD(v67) == 1 )
      {
        v46 = v54 == 1;
LABEL_52:
        if ( v46 )
          return 5;
      }
      return 0;
    }
    if ( v54 == 2 )
      return 5;
    result = 0;
  }
  return result;
}

Good luck to whoever wants to figure this out; I am going to check back into it next month or so.

EDIT: Hi FSE no clue why you linked this native code to NW but nice having the sherlock holmes around here!

Mount & Blade: Napoleonic Wars/Warband/PW autoblock version 1.172

http://tkc-community.net/forum/index.php?action=downloads;sa=view;down=466

Warband autoblock

I am releasing my autoblock that I have been working on for the last week. It will work for any modification of the game, with the version of the game being v1.172.

For the menu to work you need to be running under D3D9 mode. You can toggle the menu on or off with the F7 key.

if you have any questions feel free to ask.

DOWNLOAD: http://tkc-community.net/forum/index.php?action=downloads;sa=view;down=466

Mount and Blade / d3d9 drawings glitching out
« on: April 14, 2017, 01:52:06 pm »
I am hacking a game called mount and blade and I want to draw an ESP overlay with directx drawindexedprimitive. However when I try to draw my shape it sometimes glitches out to the top left corner. I was hoping somebody could check my code and see what I am doing wrong. Here is an example

my d3dx9 test bench showing my drawing functions work just fine.



my triangle being drawn fine



one of my vertices randomly going to the top corner



my code

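// Draws one filled triangle (the name is historical - only three vertices are
// emitted) with corners (x-w, y), (x, y-h), (x+w, y) in screen space, using the
// transformed-vertex format D3DFVF_XYZRHW | D3DFVF_DIFFUSE and alpha blending.
//
// Parameters: x, y  - base position in pixels; h - height above y;
//             w     - half width; s - unused (kept for the existing signature);
//             color - D3DCOLOR applied to every vertex.
// Returns nothing. If any device call needed to build the buffers fails,
// nothing is drawn and whatever was created is released.
//
// Fixes versus the previous version: the index buffer was created with room
// for ONE 16-bit index (1 * sizeof(short)) while three indices were memcpy'd
// into the locked range - a write past the end of the buffer - and the draw
// call asked for two TRIANGLESTRIP primitives, which needs four indices, so
// the second triangle fetched an index that was never written. Both are
// classic causes of a vertex "jumping" to the top-left corner. Buffers are
// still created per call (as before), but every path releases them and the
// member pointers are nulled so a later Release() cannot double-free.
void CDraw::DrawTrapeziumFilled(int x, int y, int h, int w, int s, DWORD color)
{
    (void)s;  // not used by this primitive; kept so callers do not change

    // XYZRHW positions are floats; convert explicitly instead of narrowing in
    // the aggregate initialiser.
    CUSTOMVERTEX vertices[] =
    {
        { static_cast<float>(x - w), static_cast<float>(y),     1.0f, 1.0f, color }, // vertex 0
        { static_cast<float>(x),     static_cast<float>(y - h), 1.0f, 1.0f, color }, // vertex 1
        { static_cast<float>(x + w), static_cast<float>(y),     1.0f, 1.0f, color }, // vertex 2
    };
    const unsigned short indexes[] = { 0, 1, 2 };

    // Both buffers are sized from the data they will hold, not a guessed count.
    if (FAILED(pDevice->CreateVertexBuffer(sizeof(vertices), D3DUSAGE_WRITEONLY,
                                           D3DFVF_XYZRHW | D3DFVF_DIFFUSE,
                                           D3DPOOL_DEFAULT, &buffer, NULL)))
    {
        buffer = NULL;
        return;
    }
    if (FAILED(pDevice->CreateIndexBuffer(sizeof(indexes), D3DUSAGE_WRITEONLY,
                                          D3DFMT_INDEX16, D3DPOOL_DEFAULT,
                                          &indexBuffer, NULL)))
    {
        buffer->Release();
        buffer = NULL;
        indexBuffer = NULL;
        return;
    }

    // Upload vertex and index data; the lock size now matches the buffer size.
    VOID* pVoid = NULL;
    VOID* pIndex = NULL;
    const bool uploaded =
        SUCCEEDED(buffer->Lock(0, sizeof(vertices), &pVoid, 0)) &&
        (memcpy(pVoid, vertices, sizeof(vertices)), SUCCEEDED(buffer->Unlock())) &&
        SUCCEEDED(indexBuffer->Lock(0, sizeof(indexes), &pIndex, 0)) &&
        (memcpy(pIndex, indexes, sizeof(indexes)), SUCCEEDED(indexBuffer->Unlock()));

    if (uploaded)
    {
        pDevice->SetIndices(indexBuffer);
        pDevice->SetTexture(0, NULL);
        pDevice->SetPixelShader(NULL);

        pDevice->SetRenderState(D3DRS_ALPHABLENDENABLE, TRUE);
        pDevice->SetRenderState(D3DRS_SRCBLEND, D3DBLEND_SRCALPHA);
        pDevice->SetRenderState(D3DRS_DESTBLEND, D3DBLEND_INVSRCALPHA);

        pDevice->SetStreamSource(0, buffer, 0, sizeof(vertices[0]));
        pDevice->SetFVF(D3DFVF_XYZRHW | D3DFVF_DIFFUSE);

        // Three indices describe exactly one triangle: TRIANGLELIST, one
        // primitive, three vertices referenced.
        pDevice->DrawIndexedPrimitive(D3DPT_TRIANGLELIST, 0, 0, 3, 0, 1);
    }

    buffer->Release();
    buffer = NULL;
    indexBuffer->Release();
    indexBuffer = NULL;
}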

These drawings take place in Present because in EndScene the shapes would cause my entire screen to flicker. weird...

I am but a mere novice in directx and more used to openGL so I would be happy if somebody could point out to me what I am doing wrong :)

Mount and Blade / [Tut]How I did W2S
« on: March 09, 2016, 04:23:19 am »
Tally-ho chaps!

Since mrmedic is away for a bit I think ill step in to fill his void

This tut continues straight off from where worm left off, so if you haven't read it, go do that before you continue reading. All code is C++ with the Detours 1.5 lib.

In order to do WorldToScreen (convert 3D coordinates onto a 2D plane) you need several things: a view matrix, a projection matrix, the screen height and width (viewport) and of course your 3D coordinates. First things first, find the D3DX device pointer with a pattern scan like so

// Scans the first 0x128000 bytes of the loaded d3d9.dll for a fixed byte
// sequence; the '?' positions in the mask are wildcards for address bytes that
// differ between builds. The same pattern is used by HookD3D() further down
// this page, which reads a pointer out of the match at offset +2 and treats it
// as the device vtable. The statement's terminating ';' was lost in the paste.
DWORD dwDXDevice = utility.FindPattern((DWORD)GetModuleHandle("d3d9.dll"), 0x128000, (PBYTE)"\xC7\x06\x00\x00\x00\x00\x89\x86\x00\x00\x00\x00\x89\x86", "xx????xx????xx")
After REing this game for over 2 months because mrmedic told me about that function that converted the coordinates for you I discovered something. The first time D3DXMATRIXMULTIPLY is called it passes both the viewmatrix and projmatrix. Perfect! so lets hook that!

// Resolves the address of the D3DXMatrixMultiply export from the already
// loaded d3dx9_42.dll; GetProcAddress returns NULL if the module or the export
// is missing, and the DWORD cast only holds a pointer on 32-bit builds.
DWORD D3DXMatrixMultiply = (DWORD)GetProcAddress(GetModuleHandleA("d3dx9_42.dll"), "D3DXMatrixMultiply");
and to save the values

// Replacement for D3DXMatrixMultiply. The original (oD3DXMatrixMultiply) is
// always forwarded with the untouched arguments. Side effect: while `trigger`
// is still false and NUMPAD1 has been pressed since the previous poll, every
// entry of cPlayerBase has its 3-D `vec` projected through (pM2, pM1) into
// `vec2Dpoint`, the x/y result is printed, and `trigger` is then set - but
// only if the list had at least one entry.
HRESULT WINAPI hkD3DXMatrixMultiply(_Inout_ D3DXMATRIX *pOut, _In_ D3DXMATRIX *pM1, _In_ D3DXMATRIX *pM2)
{
    // Short-circuit order matters: GetAsyncKeyState is only polled while
    // `trigger` is unset, exactly as before.
    if (!trigger && (GetAsyncKeyState(VK_NUMPAD1) & 1))
    {
        D3DXMATRIX identity;
        D3DXMatrixIdentity(&identity);

        D3DXVECTOR3 projected;
        const size_t count = cPlayerBase.size();
        for (size_t idx = 0; idx < count; ++idx)
        {
            auto& entry = cPlayerBase[idx];
            D3DXVECTOR3 world(entry->vec[0], entry->vec[1], entry->vec[2]);

            D3DXVec3Project(&projected, &world, &Viewport, pM2, pM1, &identity);
            entry->vec2Dpoint[0] = projected.x;
            entry->vec2Dpoint[1] = projected.y;
            entry->vec2Dpoint[2] = projected.z;

            std::cout << " X on screen " << projected.x << " Y on screen" << projected.y << std::endl;
        }

        // The original set the flag inside the last iteration, i.e. only when
        // the list was non-empty.
        if (count != 0)
            trigger = true;
    }

    return oD3DXMatrixMultiply(pOut, pM1, pM2);
}

Now, only when the function is called does the parameter contain a valid pointer to the view matrix, so I do the D3DXVec3Project call inside MatrixMultiply; the first time it is called, the bool gets set to true in Present (you can pick wherever you like).

This is the result



big thanks to mrmedic btw may he return back to us :D

Mount and Blade / W2S function what does it check?
« on: February 10, 2016, 03:33:47 am »
Goodday

This question is more aimed at mrmedic but anybody is free to answer this. It's about the W2S function mrmedic told me about; I am still trying to call it. It doesn't crash anymore, but it checks something and I don't know what. Here is the provided code.

my code

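// Test call of the game's world-to-screen routine at a hard-coded address
// (only valid for the exact binary it was taken from; the DWORD casts are
// 32-bit only).
// Fixes: the reinterpret_cast was missing its closing '>', and the
// D3DXMATRIX(const FLOAT*) constructor copies sixteen floats, so the previous
// three-element array was read past its end. The matrix is now built from a
// full 16-float array whose first three entries keep the original values
// (the remaining entries are zero instead of whatever followed on the stack).
float offsets[16]{ 500, 500, 500 };
HookWorldToScreen hookWorldToScreen = reinterpret_cast<HookWorldToScreen>(0x0434CA0);
goldenKey = new D3DXMATRIX(offsets);  // owning raw pointer, as before; nothing here deletes it

DWORD a = hookWorldToScreen(0x8E3120, 0xA633F0, (DWORD)goldenKey, 0x0);
cout << a;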
 
result = a4;
v8 = *(_DWORD *)(*(_DWORD *)(a4 + 520) + 4 * a6);
v9 = *(_DWORD *)(*(_DWORD *)(v8 + 2344) + 4);
v10 = *(_DWORD *)(v9 + 164);
if ( !(v10 & 0x10000) && !(v10 & 0xC) && !(*(_DWORD *)(*(_DWORD *)(v9 + 332) + 160) & 0x100) )

the if check fails, going straight to the end of the function and returning "result"; a4 is the second parameter, so it is returning 0xA633F0

I suspect the & has something to do with ANDing however I still don't know what is making this test fail or why it is ever there in a worldtoscreen function.

EDIT: also, what is the purpose of the last parameter? Whenever the code is run it is an index starting from 0 and going up by 1 every time it is called

Thanks for your help.

Tally-ho chaps,

I have been very busy with my exams and all, so I haven't been able to finish the W2S function that mrmedic told me about. I managed to scramble together some code so that I could draw in fullscreen, since my last one was just an overlay. Some functions are C+P from the internet and mrmedic helped me out allocating a console (Thanks buddy!  :icon_thumbsup)
#ifdef _MSC_VER
#define _CRT_SECURE_NO_WARNINGS
#endif

#include "stdafx.h"
#include <windows.h>
#include <iostream>
#include <d3d9.h>
#include <d3dx9.h>
#pragma comment(lib, "d3d9.lib")
#pragma comment(lib, "d3dx9.lib")

// Compares `pData` against `bMask` byte by byte, driven by `szMask`: at every
// position whose mask character is 'x' the two bytes must be equal; any other
// mask character is a wildcard. The mask string's terminating NUL ends the
// comparison, so the caller must guarantee that both byte pointers are
// readable for strlen(szMask) bytes.
// Returns true when every 'x' position matched.
bool bCompare(const BYTE* pData, const BYTE* bMask, const char* szMask)
{
    while (*szMask != '\0')
    {
        const bool mustMatch = (*szMask == 'x');
        if (mustMatch && *pData != *bMask)
            return false;
        ++szMask;
        ++pData;
        ++bMask;
    }
    return true;  // the loop only exits here once *szMask is NUL
}

// Linear scan of `dLer` candidate offsets starting at address `dValor` for the
// first one where bCompare() accepts (bMaskara, szMaskara). Returns that
// address, or 0 when nothing matched (the original spelled the miss as
// `false`). The scan itself does no page-validity checking and the final
// candidates compare up to strlen(szMaskara) bytes beyond dValor + dLer - 1,
// so the caller must make sure the whole range is readable.
DWORD FindPattern(DWORD dValor, DWORD dLer, BYTE *bMaskara, char * szMaskara)
{
    for (DWORD offset = 0; offset != dLer; ++offset)
    {
        const DWORD candidate = dValor + offset;
        if (bCompare((PBYTE)candidate, bMaskara, szMaskara))
            return candidate;
    }
    return 0;
}

// File-scope state shared between HookD3D() and the detour. Static storage,
// so the uninitialised DWORDs start at zero.
DWORD value;            // not referenced anywhere in this listing
DWORD* pdwVTable;       // shadowed by HookD3D()'s local of the same name; never written here
DWORD endSceneAddy;     // patch site chosen by HookD3D(): pdwVTable[42] + 0xf
DWORD endSceneretrn;    // where Endscene_Detour jumps back to: endSceneAddy + 0x6
bool hooked = false;    // not referenced anywhere in this listing

// Mid-function detour that HookD3D() patches in at endSceneAddy.
// __declspec(naked): the compiler emits no prologue/epilogue, so register
// state on entry is whatever the patched code left, and the function must
// leave through its own jmp (to endSceneretrn) rather than `ret`.
// The three instructions before PUSHAD appear to replay the original code
// that the jmp overwrote - confirm against a disassembly of the patch site
// before trusting them. Between PUSHAD/POPAD the detour clears a 40x40 pixel
// rectangle at (10,10) on the render target to the given ARGB colour.
// NOTE(review): a naked function has no stack frame, yet `rec` is a local and
// `pDevice` is used as a parameter; both are addressed as if a frame existed,
// so check the generated code for this function.
__declspec (naked) void Endscene_Detour(LPDIRECT3DDEVICE9 pDevice)
{
__asm
{
xor esi, esi
test edi, edi
lea ebx, [edi + 4]
PUSHAD
}

D3DRECT rec;
rec.x1 = 10;
rec.y1 = 10;
rec.x2 = 50;
rec.y2 = 50;

pDevice->Clear(1, &rec, D3DCLEAR_TARGET, D3DCOLOR_ARGB(232, 100, 145, 30), 0, 0);

__asm
{
POPAD
jmp endSceneretrn
}

}
// Overwrites the five bytes at pSrc with a relative `jmp pDest` (opcode E9
// followed by rel32 measured from the end of the jmp) and pads the next nNops
// bytes with 0x90 so no partial instruction is left behind. The page is made
// PAGE_EXECUTE_READWRITE for the write and restored afterwards; the results
// of both VirtualProtect calls are ignored, as before. This is an in-memory
// patch of a loaded module's code: any integrity check that compares mapped
// code with the on-disk image, or that watches for RWX protection changes,
// will observe it. 32-bit only (addresses pass through DWORD).
void JmpPatch(void *pDest, void *pSrc, int nNops = 0) {
    BYTE* site = static_cast<BYTE*>(pSrc);
    const SIZE_T patchLen = 5 + nNops;
    DWORD previous;

    VirtualProtect(pSrc, patchLen, PAGE_EXECUTE_READWRITE, &previous);

    const DWORD rel32 = (DWORD)pDest - ((DWORD)pSrc + 5);
    site[0] = 0xE9;
    *reinterpret_cast<DWORD*>(site + 1) = rel32;
    for (int pad = 0; pad < nNops; ++pad)
        site[5 + pad] = 0x90;

    VirtualProtect(pSrc, patchLen, previous, &previous);
}

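// Thread entry point: locates the D3D9 device vtable by pattern-scanning the
// loaded d3d9.dll, derives the patch site and return address for the detour,
// and installs it with JmpPatch(). Returns 0 whether or not a hook was placed.
// Parameters: lpParameter - unused (CreateThread passes NULL).
// Fixes: a NULL from GetModuleHandle() (d3d9.dll not loaded yet) and a 0 from
// FindPattern() (pattern absent in this build) were previously followed by a
// memcpy from a near-zero address and a write into the module; both now bail
// out instead. The local vtable pointer no longer shadows the file-scope
// pdwVTable.
DWORD WINAPI HookD3D(LPVOID lpParameter)
{
    (void)lpParameter;

    const HMODULE d3d9 = GetModuleHandle("d3d9.dll");
    if (d3d9 == NULL)
        return 0;  // module not loaded: nothing to patch

    const DWORD dwDXDevice = FindPattern((DWORD)d3d9, 0x128000,
        (PBYTE)"\xC7\x06\x00\x00\x00\x00\x89\x86\x00\x00\x00\x00\x89\x86", "xx????xx????xx");
    if (dwDXDevice == 0)
        return 0;  // pattern not found: do not touch memory

    // The match's bytes at +2..+5 are read as the device vtable address
    // (32-bit pointer; this whole routine is 32-bit only).
    DWORD* vtable = NULL;
    memcpy(&vtable, (VOID *)(dwDXDevice + 2), sizeof(vtable));
    if (vtable == NULL)
        return 0;

    endSceneAddy = vtable[42] + 0xf;   // slot 42 (EndScene, per the detour's name), 0xf bytes in
    endSceneretrn = endSceneAddy + 0x6;

    JmpPatch((PVOID)Endscene_Detour, (PVOID)endSceneAddy);
    return 0;
}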

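// DLL entry point. On process attach it opens a console for the C stdio
// streams, disables thread attach/detach notifications for this module and
// starts HookD3D() on its own thread (DllMain runs under the loader lock, so
// the work is deferred rather than done here). On process detach it sleeps
// 500 ms, as before. Always returns TRUE.
// Fixes: DisableThreadLibraryCalls() was handed GetModuleHandle(NULL) - the
// host executable's handle rather than this DLL's hModule - and the thread
// handle from CreateThread() was leaked; it is now closed right away (closing
// the handle does not stop the thread).
BOOL WINAPI DllMain(HMODULE hModule, DWORD dwReason, LPVOID lpvReserved)
{
    (void)lpvReserved;

    if (dwReason == DLL_PROCESS_ATTACH)
    {
        AllocConsole();

        // Redirect the CRT streams to the new console; a failed freopen just
        // leaves that stream where it was.
        freopen("CONIN$", "r", stdin);
        freopen("CONOUT$", "w", stdout);
        freopen("CONOUT$", "w", stderr);

        printf("> Started.\n");

        DisableThreadLibraryCalls(hModule);

        HANDLE hThread = CreateThread(NULL, 0, HookD3D, NULL, 0, NULL);
        if (hThread != NULL)
            CloseHandle(hThread);
        printf("> Threads Active.\n");
    }
    else if (dwReason == DLL_PROCESS_DETACH)
    {
        Sleep(500);
    }

    return TRUE;
}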

Anyway when I figure out the W2S function medic provided me I will be able to finally create that ESP  :icon_cool2
