OpenGL hook + textures recognition

[okidoki]

Hi,

Here is a method to hook OpenGL functions without patching memory ( using pointers ), and filter by texture file path/name:

PHP Code:

// Medal of Honor Allied Assault
#define MOHAA_GLBINDTEXTURE    0x13E3EE4
#define MOHAA_GLDRAWELEMENTS    0x13E3D04

// Medal of Honor Spear Head
#define MOHSH_GLBINDTEXTURE    0x16DCED8
#define MOHSH_GLDRAWELEMENTS    0x16DCCF8

// Medal of Honor Break Trough
#define MOHBT_GLBINDTEXTURE    0x170D00C
#define MOHBT_GLDRAWELEMENTS    0x170CE38 


PHP Code:

char *g_pszTextureName;

typedef void ( WINAPI *GLBINDTEXTURE_TYPE )( GLenum iTarget, GLuint iTexture );
DWORD g_dwGlBindTexture = NULL;

void WINAPI glBindTextureHook( GLenum iTarget, GLuint iTexture )
{
    _asm mov g_pszTextureName, esi;

    CAST( GLBINDTEXTURE_TYPE, g_dwGlBindTexture )( iTarget, iTexture );
}

typedef void ( WINAPI *GLDRAWELEMENTS_TYPE )( GLenum iMode, GLsizei iCount, GLenum iType, const GLvoid *pvIndices );
DWORD g_dwGlDrawElements = NULL;

void WINAPI glDrawElementsHook( GLenum iMode, GLsizei iCount, GLenum iType, const GLvoid *pvIndices )
{
    // Here you can filter any textures using g_pszTextureName

    CAST( GLDRAWELEMENTS_TYPE, g_dwGlDrawElements )( iMode, iCount, iType, pvIndices );
} 


PHP Code:

g_dwGlBindTexture = *( DWORD * )MOHAA_GLBINDTEXTURE;
g_dwGlDrawElements = *( DWORD * )MOHAA_GLDRAWELEMENTS;

// Redirect
*( DWORD * )MOHAA_GLBINDTEXTURE = PtrToUlong( glBindTextureHook );
*( DWORD * )MOHAA_GLDRAWELEMENTS = PtrToUlong( glDrawElementsHook );

// Restore
*( DWORD * )MOHAA_GLBINDTEXTURE = g_dwGlBindTexture;
*( DWORD * )MOHAA_GLDRAWELEMENTS = g_dwGlDrawElements; 


Regards.

[K@N@VEL]

Very nice post OkiDoki well done

[pingu]

neat, although its been done before ( I believe shard posted a method ).

[Shard]

Yeah it was done a few years ago, I think it was tetuzo who originally discovered it. I don't remember the method ever being posted though.

I did post a similar method for ET (or CoD?), which is what pingu must be thinking about.

[2ci-]

Basically does the same as a GetProcAddress hook except you are overwriting afterwards. Nice work though.

[Tamimego]

Umm just a note, this looks like your modifying the import or export table of a module through static addresses.

A quick example of what I mean:

This is from CoD4, a simple reference to a user32.dll function.

Code:

0055A19C  |. 8BF0             MOV ESI,EAX
0055A19E  |. 56               PUSH ESI                                 ; /hWnd
0055A19F  |. FF15 1C136900    CALL DWORD PTR DS:[<&USER32.GetDC>]      ; \GetDC
0055A1A5  |. 8BF8             MOV EDI,EAX

1C136900 from the GetDC call translates to 0x69131C.

A simple GetDC hook would be like:

Code:

void __stdcall PreGetDC ( void )
{
	/*Blah*/
}

unsigned long	GetDCOriginal	= 0;
__declspec ( naked ) void GetDCHook ( void )
{
	_asm pushad
	_asm call	PreGetDC
	_asm popad
	_asm jmp	GetDCOriginal
}

void InitHook ( void )
{
	GetDCOriginal			= *(unsigned long*) 0x69131C;
	*(unsigned long*) 0x69131C	= (unsigned long) GetDCHook;
}

[Shard]

MOHAA gets the GL functions through GetProcAddress and stores them in one block of memory (i.e. MOHAA_GLFUNCTIONS), so it's even simpler than modifying the imports table since you don't have to touch the memory protection. It doesn't matter that he's using static addresses either since there aren't going to be anymore updates to MOHAA.

[2ci-]

Hi,

Yes it is 2ci-

My goal was redirecting functions using pointers only (as I started to do for cge/cgi). Finally I got a full OpenGL and ClientGameXXport access without patching memory.

Regards.

Well you are patching memory, just not hooking GetProcAddress. Same result different method

TLB hook is the best way though since it is static between games and doesn't require direct API hooking ;-)

Another way is to getprocaddr all the funcs you need then scan the data section memory for the pointers

[BiGmAc]

^^ This is the exact same as in Warsow, which uses qfusion engine. I believe MoHAA uses something very similar.

[Tamimego]

Fakk2 Engine iirc

[2ci-]

Same as Q3. That is why you get the "table"

The "table" is just all the global gl pointers in memory

[nahnah]

Hello okidoki i tryed ur first method of hooking opengl/ game is sof2 so i searched the gldrawelements offset in sof2mp.exe and finded it definded and compiled the code but its not hooking anything here is the code if anyone could help then please answer

PHP Code:

#define Client_GLDRAWELEMENTS    0x4E5DA2

typedef void ( WINAPI *GLDRAWELEMENTS_TYPE )( GLenum iMode, GLsizei iCount, GLenum iType, const GLvoid *pvIndices );

GLDRAWELEMENTS_TYPE g_dwGlDrawElements = NULL;

void WINAPI glDrawElementsHook( GLenum iMode, GLsizei iCount, GLenum iType, const GLvoid *pvIndices )
{
  
    
    if(iCount==2538||iCount==3108||iCount==2802||iCount==2850||iCount==2634||iCount==2964||iCount==2940||iCount==2838||iCount==2700||iCount==2736||iCount==2724||iCount==2616||iCount==2928)
    {
        glDepthRange(-5.5, 0);
    }    
    else
    {
        glDepthRange(0, 1);
    }

    
    

    ( g_dwGlDrawElements )( iMode, iCount, iType, pvIndices );
}  




   


bool WINAPI DllMain(HINSTANCE hDll, DWORD dwReason, PVOID pvReserved)
{
    if(dwReason == DLL_PROCESS_ATTACH)
    {

     g_dwGlDrawElements = *( GLDRAWELEMENTS_TYPE * )Client_GLDRAWELEMENTS;
        *( DWORD*)Client_GLDRAWELEMENTS = PtrToUlong(glDrawElementsHook );    
        
        return true;
    }
    else if(dwReason == DLL_PROCESS_DETACH)
    {
    }
    return false;
} 


[nahnah]

First off thnx for the replay. Well i founded the offset from sof2mp.exe in other words on game executable. Thnx for the tip to check the module (is it loaded or not) OK for checking module im not home(so i couldnt test it) only weekends in home school right now but i think for cheking the module would do that:
BTW the main idea why i tryed this method is to TRIX the punkbuster because standard hooking with detours and IAT are dedected and hooking pb strings main scan is now also dedected so i tought it can be hided from pb

PHP Code:

if( strstr( hinstDLL, "opengl32.dll" ) )
    {
     g_dwGlDrawElements = *( GLDRAWELEMENTS_TYPE * )Client_GLDRAWELEMENTS;
        *( DWORD*)Client_GLDRAWELEMENTS = PtrToUlong(glDrawElementsHook ); 
} 


[nahnah]

sorry for late replay but im not geting this working i think i dont need to check opengl32.dll because i get the pointer from sof2.exe so mybe needing to wait cgame module like u said but still is this method safe from punkbuster ?

[nahnah]

Hello im not getting this working the hook loads into game fine but the wallhack jsut isnt there so i dont know what could cause it very weird. Mybe q3-engine based sof2 just cant be so hooked, or dunno i dont have any ideas ......

PHP Code:

#define Client_GLDRAWELEMENTS    0x4E5DA2

typedef void ( WINAPI *GLDRAWELEMENTS_TYPE )( GLenum iMode, GLsizei iCount, GLenum iType, const GLvoid *pvIndices );

GLDRAWELEMENTS_TYPE g_dwGlDrawElements = NULL;


void WINAPI glDrawElementsHook( GLenum iMode, GLsizei iCount, GLenum iType, const GLvoid *pvIndices )
{
  
    
    if(iCount==2538||iCount==3108||iCount==2802||iCount==2850||iCount==2634||iCount==2964||iCount==2940||iCount==2838||iCount==2700||iCount==2736||iCount==2724||iCount==2616||iCount==2928)    {
        glDepthRange(-5.5, 0);
    }    
    else
    {
        glDepthRange(0, 1);
    }


    ( g_dwGlDrawElements )( iMode, iCount, iType, pvIndices );
}  


bool WINAPI DllMain(HINSTANCE hDll, DWORD dwReason, PVOID pvReserved)
{
    if(dwReason == DLL_PROCESS_ATTACH)
    {

    if(GetModuleHandle("opengl32.dll") == NULL)     
    {        
        g_dwGlDrawElements = *( GLDRAWELEMENTS_TYPE * )Client_GLDRAWELEMENTS;
        *( DWORD*)Client_GLDRAWELEMENTS = PtrToUlong(glDrawElementsHook );    
    }
    



        if(GetModuleHandle("cgamex86.dll") == NULL)     
    {        
        g_dwGlDrawElements = *( GLDRAWELEMENTS_TYPE * )Client_GLDRAWELEMENTS;
        *( DWORD*)Client_GLDRAWELEMENTS = PtrToUlong(glDrawElementsHook );    
    }

    return true;
    }
    else if(dwReason == DLL_PROCESS_DETACH)
    {
    }
    return false;
}