#include <Windows.h>
#include <stdio.h>
#include <conio.h>
#include <d3d9.h>
#include <d3dx9.h>
#pragma comment(lib, "d3d9.lib")
#pragma comment(lib, "d3dx9.lib")
#define PI 3.141
#define Yellow D3DCOLOR_ARGB( 255, 255, 255, 000 )
typedef HRESULT ( WINAPI * DrawIPrim )( LPDIRECT3DDEVICE9, D3DPRIMITIVETYPE, INT, UINT, UINT, UINT, UINT );
VOID Jump( DWORD Address, DWORD Your_Detour );
DWORD Old = NULL;
LPDIRECT3DDEVICE9 pDev;
LPDIRECT3D9 pD3D;
D3DVIEWPORT9 Viewport;
DrawIPrim pDrawIPrim = NULL;
DWORD dwEndscene_hook = NULL;
DWORD dwEndscene_ret = NULL;
DWORD dwDIP_hook = NULL;
DWORD dwDIP_ret = NULL;
DWORD dwReset_hook = NULL;
DWORD dwReset_ret = NULL;
DWORD bJump = NULL;
LPD3DXFONT pFont=NULL;
LPD3DXLINE pLine=NULL;
HMODULE D3D9 = NULL;
VOID RenderString(LPDIRECT3DDEVICE9 pDev, int x, int y, DWORD color, LPD3DXFONT g_pFont, const char *fmt, ...)
{
if( !pFont )
D3DXCreateFontA( pDev,13,0,FW_BOLD,1,0,DEFAULT_CHARSET,OUT_DEFAULT_PRECIS,DEFAULT_QUALITY,DEFAULT_PITCH | FF_DONTCARE,"Arial", &pFont );
if(!g_pFont)
return;
RECT FontPos = { x, y, x + 50, y + 50};
char buf[1024] = {'\0'};
va_list va_alist;
va_start(va_alist, fmt);
vsprintf_s(buf, fmt, va_alist);
va_end(va_alist);
pDev->SetRenderState( D3DRS_ZENABLE,false );
pDev->SetRenderState( D3DRS_FILLMODE,D3DFILL_SOLID );
g_pFont->DrawTextA(NULL, buf, -1, &FontPos, DT_NOCLIP, color);
pDev->SetRenderState( D3DRS_ZENABLE, true );
pDev->SetRenderState( D3DRS_FILLMODE,D3DFILL_SOLID );
}
VOID FillRGB(LPDIRECT3DDEVICE9 pDev,int x, int y, int w, int h, DWORD color )
{
D3DRECT rec = { x, y, x + w, y + h };
pDev->Clear( 1, &rec, D3DCLEAR_TARGET, color, 0, 0 );
}
VOID RenderBox(LPDIRECT3DDEVICE9 pDev, int x, int y, int w, int h, int px, DWORD color, DWORD color2)
{
//box
FillRGB(pDev, x, y, w, h, color);
//border
FillRGB(pDev, x, (y + h - px), w, px,color2);
FillRGB(pDev, x, y, px, h,color2 );
FillRGB(pDev, x, y, w, px,color2);
FillRGB(pDev, x + w - px), y, px, h,color2);
}
VOID RenderCircle(LPDIRECT3DDEVICE9 pDev,int X, int Y, int radius, int numSides, DWORD Color)
{
if (!pLine)
D3DXCreateLine(pDev, &pLine);
D3DXVECTOR2 Line[128];
float Step = (float)(PI * 2.0 / numSides);
int Count = 0;
for (float a=0; a < PI*2.0; a += Step)
{
float X1 = radius * cos(a) + X;
float Y1 = radius * sin(a) + Y;
float X2 = radius * cos(a+Step) + X;
float Y2 = radius * sin(a+Step) + Y;
Line[Count].x = X1;
Line[Count].y = Y1;
Line[Count+1].x = X2;
Line[Count+1].y = Y2;
Count += 2;
}
pLine->Begin();
pLine->Draw(Line,Count,Color);
pLine->End();
pLine->Release();
}
VOID RenderCross(LPDIRECT3DDEVICE9 pDev, DWORD color, int i)
{
pDev->GetViewport( &Viewport );
DWORD ScreenCenterX = (Viewport.Width / 2);
DWORD ScreenCenterY = (Viewport.Height / 2);
D3DRECT rec1 = {ScreenCenterX-i, ScreenCenterY, ScreenCenterX+ i, ScreenCenterY+1};
D3DRECT rec2 = {ScreenCenterX, ScreenCenterY-i, ScreenCenterX+ 1,ScreenCenterY+i};
pDev->Clear( 1, &rec1, D3DCLEAR_TARGET, color, 0, 0 );
pDev->Clear( 1, &rec2, D3DCLEAR_TARGET, color, 0, 0 );
//RenderCircle(pDev, ScreenCenterX, ScreenCenterY, i+3,i+3, color);
}
bool IsMenuOn =false;
VOID WINAPI hkEndScene(LPDIRECT3DDEVICE9 pDev )
{
__asm nop
if((GetAsyncKeyState(VK_DELETE) & 0x1))
IsMenuOn = !IsMenuOn;
RenderString(pDev, 5, 5, Yellow, pFont, "[BugZ v1.0] Press Delete to turn Chams On/Off ");
if (IsMenuOn){
RenderCross(pDev, Yellow, 15);
}
}
__declspec(naked) void MyEndscene( )
{
__asm
{
MOV DWORD PTR SS:[EBP-0x10],ESP
MOV ESI,DWORD PTR SS:[EBP+0x8]
XOR EBX,EBX //replace patched code
PUSHFD
PUSHAD
PUSH [EBP+0x8]
CALL hkEndScene;
POPAD
POPFD
CMP ESI,EBX //replace patched code
jmp dwEndscene_ret; //jump back to normal endscene
}
}
VOID SetModelColor(LPDIRECT3DDEVICE9 pDev, float r, float g, float b, float a, float glowr, float glowg, float glowb, float glowa)
{
float lightValues[4] = {r, g, b, a};
float glowValues[4] = {glowr, glowg, glowb, glowa};
pDev->SetPixelShaderConstantF(1, lightValues, 1);
pDev->SetPixelShaderConstantF(3, glowValues, 1);
}
VOID WINAPI hkDrawIndexedPrimitive(LPDIRECT3DDEVICE9 pDev, D3DPRIMITIVETYPE Type, INT BIndex, UINT MIndex, UINT NVertices, UINT SIndex, UINT PCount )
{
bJump = TRUE;
LPDIRECT3DVERTEXBUFFER9 Stream_Data;
UINT Offset = 0;
UINT Stride = 0;
if( pDev->GetStreamSource( 0, &Stream_Data, &Offset, &Stride ) == S_OK )Stream_Data->Release();
if (IsMenuOn)
{
// Disable fog
pDev->SetRenderState(D3DRS_FOGENABLE, false);
// Fullbright
pDev->SetRenderState(D3DRS_LIGHTING, FALSE);
pDev->SetRenderState(D3DRS_AMBIENT,D3DCOLOR_ARGB(255,255,255,255));
switch (Stride)
{
case 20: // Buildings
//pDev->SetRenderState(D3DRS_ALPHABLENDENABLE,TRUE);
pDev->SetRenderState(D3DRS_DESTBLEND,D3DBLEND_INVSRCALPHA); // Transparency
break;
case 32: // Players and Zombies
//PlayerChams
pDev->SetRenderState(D3DRS_LIGHTING, FALSE); // Wallhack
pDev->SetRenderState(D3DRS_ZENABLE, FALSE);
SetModelColor(pDev, 1.0f, 0.0f, 0.0f, 0.50f, 1.5f, 1.5f, 1.5f, 1.5f);
pDrawIPrim( pDev, Type, BIndex, MIndex, NVertices, SIndex, PCount );
pDev->SetRenderState(D3DRS_ZENABLE, TRUE);
break;
default:
break;
}
}
bJump = FALSE;
}
__declspec(naked) void MyDIP( )
{
__asm
{
MOV EDI,DWORD PTR SS:[EBP+0x8]
XOR EBX,EBX
CMP EDI,EBX // replace patched code
PUSHFD
PUSHAD
MOV EDX,[bJump]
CMP EDX,0x0
JG DONE
PUSH [EBP+0x20] // Push arguments of DIP
PUSH [EBP+0x1C]
PUSH [EBP+0x18]
PUSH [EBP+0x14]
PUSH [EBP+0x10]
PUSH [EBP+0x0C]
PUSH [EBP+0x08]
CALL hkDrawIndexedPrimitive
DONE: POPAD
POPFD
jmp dwDIP_ret; // jump back to normal DIP
}
}
VOID WINAPI hkReset( )
{
if( pFont != NULL )
if( pFont->Release( ) == S_OK )
pFont = NULL;
}
__declspec(naked) void MyReset( )
{
__asm
{
PUSHAD
PUSHFD
CALL hkReset
POPFD
POPAD
MOV ESI,DWORD PTR SS:[EBP-0x08]
MOV EDI,DWORD PTR SS:[EBP-0x04]
POP EBX
JMP dwReset_ret
}
}
VOID WINAPI GETD3D( VOID )
{
HWND ConsoleWindow = GetConsoleWindow( );
ShowWindow( ConsoleWindow, SW_HIDE ); // hide ConsoleWindow...
while( D3D9 == NULL )
{
D3D9 = GetModuleHandleA( "d3d9.dll" );
Sleep( 100 );
}
D3DPRESENT_PARAMETERS D3D_PP = {0};
IDirect3D9 * (WINAPI *oDirect3DCreate9)(UINT SDKVersion);
*(PDWORD)&oDirect3DCreate9 = (DWORD)GetProcAddress( D3D9, "Direct3DCreate9" );
_cprintf( "Direct3DCreate9\n" );
pD3D = oDirect3DCreate9( D3D_SDK_VERSION );
D3D_PP.Windowed = TRUE;
D3D_PP.SwapEffect = D3DSWAPEFFECT_DISCARD;
D3D_PP.BackBufferFormat = D3DFMT_UNKNOWN;
_cprintf( "CreateDevice\n" );
pD3D->CreateDevice( D3DADAPTER_DEFAULT, D3DDEVTYPE_HAL,ConsoleWindow, D3DCREATE_SOFTWARE_VERTEXPROCESSING, &D3D_PP, &pDev );
PDWORD VTABLE = *(DWORD**)pDev;
dwEndscene_hook = VTABLE[42] + 0x2A;
dwEndscene_ret = dwEndscene_hook + 0x0A;
dwDIP_hook = VTABLE[82] + 0x2D;
dwDIP_ret = dwDIP_hook + 0x7;
dwReset_hook = VTABLE[16] + 165;
dwReset_ret = dwReset_hook + 0x7;
*(PDWORD)&pDrawIPrim = (DWORD)VTABLE[82];
_cprintf( "Jump\n" );
Jump( (DWORD)dwEndscene_hook, (DWORD)MyEndscene );
Jump( (DWORD)dwDIP_hook, (DWORD)MyDIP );
Jump( (DWORD)dwReset_hook, (DWORD)MyReset );
_cprintf( "Done\n" );
Sleep( 400 );
pDev->Release( );
pD3D->Release( );
FreeConsole( );
}
VOID Jump( DWORD Address, DWORD Your_Detour )
{
VirtualProtect( (LPVOID)Address, 5, PAGE_EXECUTE_READWRITE, &Old );
*(PBYTE)Address = (BYTE)0xE9;
*(PDWORD)(Address + 1) = ( Your_Detour - Address - 5) ;
VirtualProtect( (LPVOID)Address, 5, Old, &Old );
}
BOOL WINAPI DllMain( HINSTANCE hModule, DWORD dwReason, LPVOID lpvReserved )
{
if( dwReason == DLL_PROCESS_ATTACH )
{
DisableThreadLibraryCalls( hModule );
AllocConsole( );
_cprintf( "Ready\n" );
CreateThread( NULL, NULL, (LPTHREAD_START_ROUTINE)
GETD3D, NULL, NULL, NULL);
}
return TRUE;
}
English
