OpenConquer: My first conquer server emulation project
duki replied to Berniemack's topic in Projects
Cool -
Yeah, that would be a cool thing to do without fully getting into reverse-engineering the game, and it could even be almost "universal" across all DX9 versions of the game. I tested a few things with this hook, like rotating them or making them bigger by multiplying their matrix. goofy ah pheasant rotating with wrong axis xD:
-
duki started following DIP Hook (chams/wireframe/shaders), ShowString rainbow, Always jump and 2 others
-
Following my previous D3D9-Base setup, here's an example using it for a simple DIP (DrawIndexedPrimitive) hook.

Wireframe example code targeting pheasants:

```cpp
#include <d3d9.h>

typedef HRESULT(WINAPI* tDrawIndexedPrimitive)(LPDIRECT3DDEVICE9, D3DPRIMITIVETYPE, INT, UINT, UINT, UINT, UINT);
tDrawIndexedPrimitive oDrawIndexedPrimitive = nullptr;

HRESULT APIENTRY hkDrawIndexedPrimitive(LPDIRECT3DDEVICE9 device, D3DPRIMITIVETYPE dType, INT baseVertexIndex,
                                        UINT minVertexIndex, UINT numVertices, UINT startIndex, UINT primCount)
{
    // targeting pheasant models (mainly 6609 clients)
    if (numVertices == 420 && primCount == 544)
    {
        // save the current fill mode so it can be restored after the wireframe pass
        DWORD dwOldFillMode;
        device->GetRenderState(D3DRS_FILLMODE, &dwOldFillMode);
        device->SetRenderState(D3DRS_FILLMODE, D3DFILL_WIREFRAME);
        // here you could return directly, to make it more noticeable
        oDrawIndexedPrimitive(device, dType, baseVertexIndex, minVertexIndex, numVertices, startIndex, primCount);
        device->SetRenderState(D3DRS_FILLMODE, dwOldFillMode);
    }
    return oDrawIndexedPrimitive(device, dType, baseVertexIndex, minVertexIndex, numVertices, startIndex, primCount);
}
```

This example code has only a wireframe "effect" for the texture targeted (pheasants), but you can change the colors of the texture too (known as Chams), gather realtime w2s positions, add effects/shaders, etc.

Some preview of how it could work (chams & w2s from texture):
-
Silly hook to "always" jump without the game being focused.

Grab og function:

```cpp
#include <windows.h>

typedef BOOL(WINAPI* tGetKeyboardState)(PBYTE);
tGetKeyboardState oGetKeyboardState = GetKeyboardState;
```

Our function:

```cpp
bool alwaysJump = true; // could be toggleable in menu or using a keybind

BOOL WINAPI hkGetKeyboardState(PBYTE lpKeyState)
{
    BOOL result = oGetKeyboardState(lpKeyState);
    // set the high bit (key down) for Ctrl in the returned key-state array
    if (alwaysJump)
        lpKeyState[VK_CONTROL] |= 0x80;
    return result;
}
```

Then you can use your desired hook method.
-
Simple find pattern:

```cpp
#include <windows.h>
#include <cstdint>
#include <vector>

uintptr_t findPattern(uintptr_t start, size_t length, const std::vector<int>& pattern)
{
    auto patternLength = pattern.size();
    // a pattern longer than the region would underflow the unsigned loop bound below
    if (patternLength > length)
        return 0;
    auto data = reinterpret_cast<const uint8_t*>(start);
    for (size_t i = 0; i <= length - patternLength; ++i)
    {
        bool found = true;
        for (size_t j = 0; j < patternLength; ++j)
        {
            // -1 is a wildcard byte
            if (pattern[j] != -1 && pattern[j] != data[i + j])
            {
                found = false;
                break;
            }
        }
        if (found)
        {
            return start + i;
        }
    }
    return 0;
}
```

Then get the base:

```cpp
auto d3d9Module = reinterpret_cast<uintptr_t>(GetModuleHandleA("d3d9.dll"));
std::vector<int> pattern = { 0xC7, 0x06, -1, -1, -1, -1, 0x89, 0x86, -1, -1, -1, -1, 0x89, 0x86 };
auto d3dBase = findPattern(d3d9Module, 0x128000, pattern);
// findPattern returns 0 when nothing matched; check d3dBase before dereferencing
auto d3dVMT = *reinterpret_cast<uintptr_t**>(d3dBase + 2);
```

And you can use it normally:

```cpp
oDrawIndexedPrimitive = reinterpret_cast<tDrawIndexedPrimitive>(d3dVMT[82]);
oEndScene = reinterpret_cast<tEndScene>(d3dVMT[42]);
oReset = reinterpret_cast<tReset>(d3dVMT[16]);
```

Check out d3d9 indexes here: https://pastebin.com/raw/QbPhkCKh

Note: you'll need to grab d3d9 Device from EndScene. You can use this to properly render imgui.

- Check out how DrawIndexedPrimitive could be implemented: DIP-Hook
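Seen from the detection side, the table the post above reads is also what an integrity check inspects. The following is an added example, not code from the post: it flags table slots that point outside the owning module and slots whose first instruction is a rel32 JMP leaving the module. `ModuleImage`, the function names, the 96-slot table and all addresses are constructed for illustration; only the slot numbers 16, 42 and 82 come from the post.

```cpp
#include <cstdint>
#include <cstring>
#include <vector>

// Constructed model of a loaded module: its base address and image bytes.
struct ModuleImage {
    uintptr_t base;
    std::vector<uint8_t> bytes;
    bool contains(uintptr_t a) const { return a >= base && a - base < bytes.size(); }
};

// Slots whose target lies outside the owning module (swapped table entry).
std::vector<size_t> findRedirectedSlots(const ModuleImage& m, const std::vector<uintptr_t>& vmt) {
    std::vector<size_t> hits;
    for (size_t i = 0; i < vmt.size(); ++i)
        if (!m.contains(vmt[i])) hits.push_back(i);
    return hits;
}

// Slots whose in-module target starts with a rel32 JMP (0xE9) that leaves the module.
std::vector<size_t> findInlineDetours(const ModuleImage& m, const std::vector<uintptr_t>& vmt) {
    std::vector<size_t> hits;
    for (size_t i = 0; i < vmt.size(); ++i) {
        if (!m.contains(vmt[i])) continue;              // reported by the other check
        size_t off = vmt[i] - m.base;
        if (off + 5 > m.bytes.size() || m.bytes[off] != 0xE9) continue;
        int32_t rel;
        std::memcpy(&rel, &m.bytes[off + 1], sizeof rel);
        uintptr_t dest = vmt[i] + 5 + static_cast<intptr_t>(rel);
        if (!m.contains(dest)) hits.push_back(i);       // in-module thunks are ignored
    }
    return hits;
}

// Constructed sample: a 96-slot table inside a 4 KiB fake module.
struct Sample { ModuleImage mod; std::vector<uintptr_t> vmt; };
static void writeJmp(ModuleImage& m, uintptr_t at, uintptr_t dest) {
    int32_t rel = static_cast<int32_t>(dest - (at + 5));
    m.bytes[at - m.base] = 0xE9;
    std::memcpy(&m.bytes[at - m.base + 1], &rel, sizeof rel);
}
Sample buildSample() {
    Sample s{{0x10000000, std::vector<uint8_t>(0x1000, 0x90)}, std::vector<uintptr_t>(96)};
    for (size_t i = 0; i < 96; ++i) s.vmt[i] = s.mod.base + 0x100 + i * 0x10;
    s.vmt[82] = 0x20000000;                         // slot swapped to a foreign address
    writeJmp(s.mod, s.vmt[42], 0x20000100);         // inline detour out of the module
    writeJmp(s.mod, s.vmt[16], s.mod.base + 0x800); // benign in-module thunk
    return s;
}
```

On the constructed sample, slot 82 is reported as redirected and slot 42 as detoured, while the in-module jump at slot 16 is not flagged.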
-
Yeah that's possible, if you have a prefix of the item such as "[S]" -> Super or any other prefix you can do that.

Example targeting "(3rd)"

You can prevent it from being drawn, add it to a list of drawable items & re-render it in endscene.

I'll upload in a few days my old imgui project for d3d9 client.
-
Forgot to mention: newer versions of the game use ShowStringW

Function: ?ShowStringW@CMyBitmap@@SA?AUC3_SIZE@@HHKPBGPBDH_NW4RENDER_TEXT_STYLE@@KUC3_POS@@@Z

Example:

```cpp
#include <windows.h>

typedef struct {
    int width;
    int height;
} C3_SIZE;

typedef struct {
    int x;
    int y;
} C3_POS;

enum RENDER_TEXT_STYLE {
    STYLE_DEFAULT = 0,
    STYLE_BOLD = 1,
};

typedef C3_SIZE(__cdecl* tShowStringW)(int, int, DWORD, const wchar_t*, const char*, int, bool, RENDER_TEXT_STYLE, DWORD, C3_POS);
tShowStringW oShowStringW = nullptr;

C3_SIZE __cdecl hkShowStringW(int iPosX, int iPosY, DWORD color, const wchar_t* pszString, const char* pszFont,
                              int nFontSize, bool bAntialias, RENDER_TEXT_STYLE style, DWORD secondColor, C3_POS ptOffset)
{
    // call og function
    return oShowStringW(iPosX, iPosY, color, pszString, pszFont, nFontSize, bAntialias, style, secondColor, ptOffset);
}
```
-
Newer versions of the game changed to ShowStringW. ?ShowStringW@CMyBitmap@@SA?AUC3_SIZE@@HHKPBGPBDH_NW4RENDER_TEXT_STYLE@@KUC3_POS@@@Z You can make changes in real time to the content with this too.
-
Then this will help you: post
-
Old code found on my disk, this could be used as a gate to make a bot targeting specific strings in game... but this is just a cute rainbow example!!1! You can also change font/text content in real-time too.

ShowStringEx:

```cpp
HMODULE hGraphic = GetModuleHandleA("graphic.dll");
oShowStringEx = (tShowStringEx)GetProcAddress(
    hGraphic, "?ShowStringEx@CMyBitmap@@SA?AUC3_SIZE@@HHKPBD0H_NW4RENDER_TEXT_STYLE@@KUC3_POS@@@Z");
```

Example code:

```cpp
#include <windows.h>
#include <d3d9.h>
#include <cmath>
#include <cstring>

typedef struct {
    int width;
    int height;
} C3_SIZE;

typedef struct {
    int x;
    int y;
} C3_POS;

enum RENDER_TEXT_STYLE {
    STYLE_DEFAULT = 0,
    STYLE_BOLD = 1,
};

typedef C3_SIZE(__cdecl* tShowStringEx)(int, int, unsigned long, const char*, const char*, int, bool, RENDER_TEXT_STYLE, unsigned long, C3_POS);
tShowStringEx oShowStringEx = nullptr; // same type name as the typedef above

float fRed = 0.0f, fGreen = 0.0f, fBlue = 0.0f;
float fTime = 0.0f;
DWORD lastTick = 0;

// advance the phase by the elapsed time and derive three offset sine waves in [0, 1]
void updateRainbowColors()
{
    DWORD currentTick = GetTickCount();
    float deltaTime = (currentTick - lastTick) / 1000.0f;
    lastTick = currentTick;
    fTime += deltaTime;
    fRed = (sin(fTime) + 1.0f) / 2.0f;
    fGreen = (sin(fTime + 2.0f) + 1.0f) / 2.0f;
    fBlue = (sin(fTime + 4.0f) + 1.0f) / 2.0f;
}

D3DCOLOR gRainbow()
{
    return D3DCOLOR_RGBA(static_cast<int>(fRed * 255), static_cast<int>(fGreen * 255), static_cast<int>(fBlue * 255), 255);
}

C3_SIZE __cdecl hkShowStringEx(int a1, int a2, unsigned long a3, const char* str1, const char* str2, int a6, bool a7,
                               RENDER_TEXT_STYLE style, unsigned long a9, C3_POS pos)
{
    // example targeting fps/ping counter
    if (strstr(str1, ("FpsAver")) != nullptr) // or C3Ver:DX
    {
        updateRainbowColors();
        return oShowStringEx(a1, a2, gRainbow(), str1, str2, a6, a7, style, a9, pos);
    }
    return oShowStringEx(a1, a2, a3, str1, str2, a6, a7, style, a9, pos);
}
```

Preview:
-
Used this for a few years as a loader.

Rename og Chat.dll to OChat.dll

```cpp
#include <windows.h>
#include <map>
#include <string>

std::map<std::string, FARPROC> ogFuncs;
HMODULE hOGDLL = NULL;

// this was just one of the modules that I proxied
// resolve an export from the original DLL once and cache it
FARPROC gOGFunc(const char* funcName)
{
    if (!ogFuncs[funcName])
    {
        ogFuncs[funcName] = GetProcAddress(hOGDLL, funcName);
    }
    return ogFuncs[funcName];
}

extern "C"
{
    typedef void* (*ChaterInfoMgrQueryFunc)();
    typedef int(__cdecl* ChatInfoManagerDestroyFunc)(int, int);

    __declspec(dllexport) void* ChaterInfoMgrQuery()
    {
        ChaterInfoMgrQueryFunc original = (ChaterInfoMgrQueryFunc)gOGFunc("ChaterInfoMgrQuery");
        return original ? original() : nullptr;
    }

    __declspec(dllexport) int __cdecl ChatInfoManagerDestroy(int a1, int a2)
    {
        ChatInfoManagerDestroyFunc original = (ChatInfoManagerDestroyFunc)gOGFunc("ChatInfoManagerDestroy");
        return original ? original(a1, a2) : 0;
    }
}

// thread entry point with the signature CreateThread expects
DWORD WINAPI Hook(LPVOID)
{
    // your stuff here :)
    return 0;
}

BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        // explicit ANSI variant so the narrow string also compiles in UNICODE builds
        hOGDLL = LoadLibraryA("OChat.dll");
        CreateThread(NULL, 0, Hook, NULL, 0, NULL);
        break;
    case DLL_PROCESS_DETACH:
        if (hOGDLL)
            FreeLibrary(hOGDLL);
        break;
    }
    return TRUE;
}
```

This is just for chat.dll, you can replace almost any module of the game by doing a proxy.
-
Just hook d3d9, use imgui, disable/prevent og game functions from being rendered.
-
clients of non-classic private servers get stuck on login
duki replied to mmkk123's topic in Conquer Online
If you're using some sort of graphics API, the game fails to reset dx9 properly (index 16), so whenever the game uses that function, it crashes/freezes since you ain't restarting/cleaning/releasing functions properly, or the API isn't doing it properly. PS: I could be wrong and it could be another issue which isn't related to what I said, I'm just responding based on my experience. You can experience this issue when you start another program as administrator while the game is open, or when changing the resolution of the game, which all lead to a crash/freeze of the game.
-
duki started following How to custom edit client with d3d8 hook
-
duki changed their profile photo
-
I used to do this a few years ago, but for other purposes of the game. You can also disable some functions of the game and start rendering with your own module.