• Use [hide] Content [/hide] to prevent leeching of your content.

EAT Hooking

Jimster480

Administrator
Staff member
C++:
DWORD EATHook(HMODULE mod,CHAR * FN,VOID* HA,VOID** OA) // Credits: Jimster480
{
    DWORD EATA,OP;
    IMAGE_DOS_HEADER *DOSH = (IMAGE_DOS_HEADER*)mod;
    IMAGE_NT_HEADERS *NTH = NULL;

    if(DOSH->e_magic != IMAGE_DOS_SIGNATURE) return NULL;
   
    NTH = ((PIMAGE_NT_HEADERS)((DWORD)(DOSH) + (DWORD)(DOSH->e_lfanew)));
   
    if(NTH->Signature != IMAGE_NT_SIGNATURE) return NULL;

    EATA = NTH->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;
    IMAGE_EXPORT_DIRECTORY *EATP = (IMAGE_EXPORT_DIRECTORY*) ((DWORD)EATA + (DWORD)mod);


    for (DWORD i = 0;i < EATP->NumberOfFunctions;i++)
    {

        DWORD * ENTP = (DWORD*)((DWORD)mod + ((DWORD)EATP->AddressOfNames + (sizeof(DWORD)*i)));

        if(strcmp((char*)((DWORD)mod + *ENTP),FN)== 0)
        {
            WORD * AONP = (WORD*)((DWORD)mod + ((DWORD)EATP->AddressOfNameOrdinals + (i*sizeof(WORD))));
            DWORD * AOF  = (DWORD*)((DWORD)mod + ((DWORD)EATP->AddressOfFunctions + (sizeof(DWORD)**AONP)));

            if(!VirtualProtect(AOF,sizeof(DWORD),PAGE_READWRITE,&OP)) return NULL;
            *OA = (void*)(*AOF+DWORD(mod));
            *AOF = (((DWORD)HA)-DWORD(mod));
            if(!VirtualProtect(AOF,sizeof(DWORD),OP,&OP)) return NULL;
            return 1;
        }
    }
    return NULL;
}

How To Use.
Ex: EATHook(GetModuleHandle("Opengl32.dll"),"glBegin",((VOID*)(&h_glBegin)),((VOID**)(&d_glBegin)));
that would be how you would hook GL Begin.
Basically what it does is modify the address of the DLL's export so that any calls to GetProcAddress return your function address instead of the real one.
 
Last edited by a moderator:
C++:
DWORD EATHook(HMODULE mod,CHAR * FN,VOID* HA,VOID** OA) // Credits: Jimster480
{
DWORD EATA,OP;
IMAGE_DOS_HEADER *DOSH = (IMAGE_DOS_HEADER*)mod;
IMAGE_NT_HEADERS *NTH = NULL;

if(DOSH->e_magic != IMAGE_DOS_SIGNATURE) return NULL;

NTH = ((PIMAGE_NT_HEADERS)((DWORD)(DOSH) + (DWORD)(DOSH->e_lfanew)));

if(NTH->Signature != IMAGE_NT_SIGNATURE) return NULL;

EATA = NTH->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;
IMAGE_EXPORT_DIRECTORY *EATP = (IMAGE_EXPORT_DIRECTORY*) ((DWORD)EATA + (DWORD)mod);


for (DWORD i = 0;i < EATP->NumberOfFunctions;i++)
{

DWORD * ENTP = (DWORD*)((DWORD)mod + ((DWORD)EATP->AddressOfNames + (sizeof(DWORD)*i)));

if(strcmp((char*)((DWORD)mod + *ENTP),FN)== 0)
{
WORD * AONP = (WORD*)((DWORD)mod + ((DWORD)EATP->AddressOfNameOrdinals + (i*sizeof(WORD))));
DWORD * AOF = (DWORD*)((DWORD)mod + ((DWORD)EATP->AddressOfFunctions + (sizeof(DWORD)**AONP)));

if(!VirtualProtect(AOF,sizeof(DWORD),PAGE_READWRITE,&OP)) return NULL;
*OA = (void*)(*AOF+DWORD(mod));
*AOF = (((DWORD)HA)-DWORD(mod));
if(!VirtualProtect(AOF,sizeof(DWORD),OP,&OP)) return NULL;
return 1;
}
}
return NULL;
}
lol ass script
 
Last edited by a moderator:

(+)

Member
Is there an update for your EAT hook Mr. Prod . :D ( If theres is somethin to update anyways ) Window 7 Ultimate ...

Great work ! As usual ... :p

Been tryin to use it like this ( Am I wrong ? ). Compiles but the dll keeps on detaching ... Or rather doesnt attach .

Thanks . :mrgreen: ( Im not saying it doesnt work or anything else like that ... )

~~~~Edit~~~~~~~
Hmm, seems to be the injection method your using is a lot better than mine ...
Whats the right way to inject this mr . prod ?

J480.cpp
C++:
---------------------------------------------------------
#include "J480.h"
typedef void (APIENTRY*f_glbegin)(GLenum mode);
typedef void (APIENTRY*f_glviewport) (GLint x, GLint y, GLsizei width, GLsizei height);
typedef void (APIENTRY*f_glvertex3fv) (const GLfloat *v);
typedef void (APIENTRY*f_glvertex2f) (GLfloat x, GLfloat y);
typedef void (APIENTRY*f_glpolygonOffset) (GLfloat factor, GLfloat units);
typedef void (APIENTRY*f_glclear)(GLbitfield mask);
typedef void (APIENTRY*f_glTranslatef)(GLfloat x,GLfloat y,GLfloat z);
typedef void (APIENTRY*f_wglSwapBuffers)(HDC hDC);
typedef void (APIENTRY*f_glPushMatrix)(void);
typedef void (APIENTRY*f_glVertex3f)(GLfloat x,GLfloat y,GLfloat z);
typedef void (APIENTRY*f_glPopMatrix)(void);
typedef void (APIENTRY*f_glEnable)(GLenum cap);
//------------------------------------------------------------------------
f_glbegin d_glBegin= NULL;
f_glviewport d_glViewport= NULL;
f_glvertex3fv d_glVertex3fv= NULL;
f_glvertex2f d_glVertex2f= NULL;
f_glpolygonOffset d_glPolygonOffset= NULL;
f_glclear d_glClear= NULL;
f_glTranslatef d_glTranslatef= NULL;
f_wglSwapBuffers d_wglSwapBuffers= NULL;
f_glPushMatrix d_glPushMatrix= NULL;
f_glVertex3f d_glVertex3f= NULL;
f_glPopMatrix d_glPopMatrix= NULL;
f_glEnable d_glEnable= NULL;
//------------------------------------------------------------------------
void APIENTRY h_glBegin(GLenum mode)
{
d_glBegin(mode);
}
void APIENTRY h_glViewport (GLint x, GLint y, GLsizei width, GLsizei height)
{
d_glViewport(x, y, width, height);
}
void APIENTRY h_glVertex3fv (const GLfloat *v)
{
d_glVertex3fv(v);
}
void APIENTRY h_glVertex2f(GLfloat x, GLfloat y)
{
d_glVertex2f (x, y);
}
void APIENTRY h_glPolygonOffset (GLfloat factor, GLfloat units)
{
d_glPolygonOffset (factor, units);
}
void APIENTRY h_glClear (GLbitfield mask)
{
d_glClear(mask);
}
void APIENTRY h_glTranslatef(GLfloat x,GLfloat y,GLfloat z)
{
d_glTranslatef(x,y,z);
}
void APIENTRY h_wglSwapBuffers(HDC hDC)
{
d_wglSwapBuffers(hDC);
}
void APIENTRY h_glPushMatrix(void)
{
d_glPushMatrix();
}
void APIENTRY h_glVertex3f(GLfloat x,GLfloat y,GLfloat z)
{
d_glVertex3f(x,y,z);
}
void APIENTRY h_glPopMatrix(void)
{
d_glPopMatrix();
}
void APIENTRY h_glEnable(GLenum cap)
{
d_glEnable(cap);
}

BOOL APIENTRY DllMain(HANDLE hModule,DWORD reason,LPVOID lpReserved)
{switch(reason){case DLL_PROCESS_ATTACH:{
DisableThreadLibraryCalls((HMODULE)hModule);
EATHook(GetModuleHandle((LPCWSTR)"Opengl32.dll"),"glBegin",((VOID*)(&h_glBegin)),((VOID**)(&d_glBegin)));
EATHook(GetModuleHandle((LPCWSTR)"Opengl32.dll"),"glClear",((VOID*)(&h_glClear)),((VOID**)(&d_glClear)));
EATHook(GetModuleHandle((LPCWSTR)"Opengl32.dll"),"glTranslatef",((VOID*)(&h_glTranslatef)),((VOID**)(&d_glTranslatef)));
EATHook(GetModuleHandle((LPCWSTR)"Opengl32.dll"),"wglSwapBuffers",((VOID*)(&h_wglSwapBuffers)),((VOID**)(&d_wglSwapBuffers)));
EATHook(GetModuleHandle((LPCWSTR)"Opengl32.dll"),"glViewport",((VOID*)(&h_glViewport)),((VOID**)(&d_glViewport)));
EATHook(GetModuleHandle((LPCWSTR)"Opengl32.dll"),"glPushMatrix",((VOID*)(&h_glPushMatrix)),((VOID**)(&d_glPushMatrix)));
EATHook(GetModuleHandle((LPCWSTR)"Opengl32.dll"),"glVertex3f",((VOID*)(&h_glVertex3f)),((VOID**)(&d_glVertex3f)));
EATHook(GetModuleHandle((LPCWSTR)"Opengl32.dll"),"glPopMatrix",((VOID*)(&h_glPopMatrix)),((VOID**)(&d_glPopMatrix)));
EATHook(GetModuleHandle((LPCWSTR)"Opengl32.dll"),"glEnable",((VOID*)(&h_glEnable)),((VOID**)(&d_glEnable)));
EATHook(GetModuleHandle((LPCWSTR)"Opengl32.dll"),"glVertex2f",((VOID*)(&h_glVertex2f)),((VOID**)(&d_glVertex2f)));
EATHook(GetModuleHandle((LPCWSTR)"Opengl32.dll"),"glVertex3fv",((VOID*)(&h_glVertex3fv)),((VOID**)(&d_glVertex3fv)));
EATHook(GetModuleHandle((LPCWSTR)"Opengl32.dll"),"glPolygonOffset",((VOID*)(&h_glPolygonOffset)),((VOID**)(&d_glPolygonOffset)));
}break;case DLL_PROCESS_DETACH:{
}break;}return TRUE;}

---------------------------------------------------------
J480.h
---------------------------------------------------------

#pragma once
#define WIN32_LEAN_AND_MEAN
#include <windows.h>
#include "GL/gl.h"
#include "GL/glu.h"
#include "GL/glaux.h"
#include "GL/glut.h"
#pragma comment(lib, "GL/opengl32.lib")
#pragma comment(lib, "GL/glaux.lib")
#pragma comment(lib, "GL/glu32.lib")
#pragma comment(lib, "GL/glut32.lib")
#pragma comment(lib, "user32.lib")

DWORD EATHook(HMODULE mod,CHAR * FN,VOID* HA,VOID** OA) // Credits: Jimster480
{
DWORD EATA,OP;
IMAGE_DOS_HEADER *DOSH = (IMAGE_DOS_HEADER*)mod;
IMAGE_NT_HEADERS *NTH = NULL;

if(DOSH->e_magic != IMAGE_DOS_SIGNATURE) return NULL;

NTH = ((PIMAGE_NT_HEADERS)((DWORD)(DOSH) + (DWORD)(DOSH->e_lfanew)));

if(NTH->Signature != IMAGE_NT_SIGNATURE) return NULL;

EATA = NTH->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;
IMAGE_EXPORT_DIRECTORY *EATP = (IMAGE_EXPORT_DIRECTORY*) ((DWORD)EATA + (DWORD)mod);


for (DWORD i = 0;i < EATP->NumberOfFunctions;i++)
{

DWORD * ENTP = (DWORD*)((DWORD)mod + ((DWORD)EATP->AddressOfNames + (sizeof(DWORD)*i)));

if(strcmp((char*)((DWORD)mod + *ENTP),FN)== 0)
{
WORD * AONP = (WORD*)((DWORD)mod + ((DWORD)EATP->AddressOfNameOrdinals + (i*sizeof(WORD))));
DWORD * AOF = (DWORD*)((DWORD)mod + ((DWORD)EATP->AddressOfFunctions + (sizeof(DWORD)**AONP)));

if(!VirtualProtect(AOF,sizeof(DWORD),PAGE_READWRITE,&OP)) return NULL;
*OA = (void*)(*AOF+DWORD(mod));
*AOF = (((DWORD)HA)-DWORD(mod));
if(!VirtualProtect(AOF,sizeof(DWORD),OP,&OP)) return NULL;
return 1;
}
}
return NULL;
}
//-----------------------------------------------------------------
 
Last edited by a moderator:

Jimster480

Administrator
Staff member
you must have the right sleep time in order for it to work.
you can also try hooks like this
C++:
OGL = GetModuleHandle("Opengl32.dll");
        if(!EATHook(OGL,"glBegin",((VOID*)(&h_glBegin)),((VOID**)(&d_glBegin)))) return false;
that way if the hook fails it ejects the DLL. Then you can put debug info in between the hooks and see when it fails.
 
Last edited by a moderator:

(+)

Member
ok , i understand it all now ... :)

Eathook + module hide is best .

One more question .

Is it safe to use SetCursorPos(); on vac2 ?
 

Jimster480

Administrator
Staff member
yes, they dont check for you using any API's, only hooking API's. So you can call w/e u want.
 

(+)

Member
Your EAT Hook Mr. Prod , is the perfect EAT HooK ... 8)

EXTRA SIMPLE WALLHACK :
C++:
/*----------------------------------------------------------------------------------------------------------------------------*/
#include <windows.h>
#include <gl/gl.h>
#include <gl/glu.h>
#include <gl/glaux.h>
#include <GL/glut.h>
#pragma comment(lib, "GL/opengl32.lib")
#pragma comment(lib, "GL/glaux.lib")
#pragma comment(lib, "GL/glu32.lib")
#pragma comment(lib, "GL/glut32.lib")
///////////////////////////////////
typedef void (APIENTRY*f_glbegin)(GLenum mode);
void APIENTRY h_glBegin(GLenum mode);
DWORD EATHook(HMODULE mod,CHAR * FN,VOID* HA,VOID** OA);
///////////////////////////////////
f_glbegin d_glBegin = NULL;
////////////////////////////////////////////////////////////////////////////////////////
BOOL APIENTRY DllMain( HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
   if (ul_reason_for_call == DLL_PROCESS_ATTACH)
   {
      DisableThreadLibraryCalls(hModule);
      EATHook(LoadLibraryA((LPCSTR)"Opengl32.dll"),"glBegin",((VOID*)(&h_glBegin)),((VOID**)(&d_glBegin)));
   }                                        
    return TRUE;
}
////////////////////////////////////////////////////////////////////////////////////////
void APIENTRY h_glBegin(GLenum mode)
{
    if(mode==GL_TRIANGLES||mode==GL_TRIANGLE_FAN||mode==GL_TRIANGLE_STRIP)
    {
        glDisable(GL_DEPTH_TEST);
    }
    return d_glBegin(mode);
}
/////////////////////////////////////////
DWORD EATHook(HMODULE mod,CHAR * FN,VOID* HA,VOID** OA) // Credits: Jimster480
{
DWORD EATA,OP;
IMAGE_DOS_HEADER *DOSH = (IMAGE_DOS_HEADER*)mod;
IMAGE_NT_HEADERS *NTH = NULL;
if(DOSH->e_magic != IMAGE_DOS_SIGNATURE) return NULL;
NTH = ((PIMAGE_NT_HEADERS)((DWORD)(DOSH) + (DWORD)(DOSH->e_lfanew)));
if(NTH->Signature != IMAGE_NT_SIGNATURE) return NULL;
EATA = NTH->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;
IMAGE_EXPORT_DIRECTORY *EATP = (IMAGE_EXPORT_DIRECTORY*) ((DWORD)EATA + (DWORD)mod);
for (DWORD i = 0;i < EATP->NumberOfFunctions;i++)
{
DWORD * ENTP = (DWORD*)((DWORD)mod + ((DWORD)EATP->AddressOfNames + (sizeof(DWORD)*i)));
if(strcmp((char*)((DWORD)mod + *ENTP),FN)== 0)
{
WORD * AONP = (WORD*)((DWORD)mod + ((DWORD)EATP->AddressOfNameOrdinals + (i*sizeof(WORD))));
DWORD * AOF = (DWORD*)((DWORD)mod + ((DWORD)EATP->AddressOfFunctions + (sizeof(DWORD)**AONP)));
if(!VirtualProtect(AOF,sizeof(DWORD),PAGE_READWRITE,&OP)) return NULL;
*OA = (void*)(*AOF+DWORD(mod));
*AOF = (((DWORD)HA)-DWORD(mod));
if(!VirtualProtect(AOF,sizeof(DWORD),OP,&OP)) return NULL;
return 1;
}
}
return NULL;
}
//////////////////////////////////////////////////////////////////////////////////
/*----------------------------------------------------------------------------------------------------------------------------*/
 
Last edited by a moderator:

Linux

New Member
(+) said:
Your EAT Hook Mr. Prod , is the perfect EAT HooK ... 8)

EXTRA SIMPLE WALLHACK :
/*----------------------------------------------------------------------------------------------------------------------------*/
#include <windows.h>
#include <gl/gl.h>
#include <gl/glu.h>
#.....

Not SSW !! But

ESW !!!!!!!
:mrgreen: :mrgreen:
 

(+)

Member
I finally understand the best way for eathook to work without sleep time dependency.

You need to do LoadLibraryA("opengl32.dll"); at the first instance you dll is injected .

This will force Opengl.dll to load at your specified time and not have to
wait for the game to load it which is much too long . Around 100+ ms .

So don't use GetModuleHandleA and sleep combination it makes it harder .
And doing while ( hMod == NULL) hMod = GetModuleHandleA("...");
Will cause crash with premature injection . (Injecting before opengl.dll is loaded by the game.)

So if you dont add any sleep time and just force OGL.dll to load earlier is best .

But just my opinion ...
 

Jimster480

Administrator
Staff member
ive never tried this before ill have to try it now and release it in my next update. Ill try doing the same thign on the D3D cheats by loading the D3D dll file.
 

(+)

Member
Now you see , even doing LoadLib early you still need to give the dll a bit of time to load .

Now thats small and precise than waiting for the game .

So when the time comes the game calls LoadLib on the OGL dll and the OS sees that its already loaded ,
it will just pass the Handle to the one thats already loaded and offcourse with your payload ...

Remember , when the game engine/linker/whatever calls loadlib , at that very instant , the linker/whatever also pases the offset of the glBegin func to the game exe . And thats way to fast !
And it becomes like a game of cat and mouse . And only by chance will you get it right depending on OS used and specific system speed .

But loading early , you come first before the game engine .

=======================================
Edit:

Best might be to do " HMODULE hMod = NULL; while ( hMod == NULL) hMod = LoadLibraryA("opengl32.dll") "
 
Top Bottom