DXT PH
WELCOME TO DXT PH HACKING -

PLEASE REGISTER EXPLORE TO OUR SITE FREE CF VIP HACK FOR FREE ALREADY RELEASE -

LOW RATE OF PSF VIP WARROCK VIP OP7 VIP

Just Register to our site - Thanks


DXT PH Hacking
 
HomePortalCalendarFAQSearchMemberlistUsergroupsRegisterLog in

Share | 
 

 SpeedHack Source in C++ And How To Do it

View previous topic View next topic Go down 
AuthorMessage
koolkid
VIP
VIP


Posts : 6
Coins : 12
Reputation : 0
Join date : 2010-10-24

PostSubject: SpeedHack Source in C++ And How To Do it   Mon Oct 25, 2010 12:16 am

First Step

In order to realize our concept, we have to find a way to hook QueryPerformanceCounter every time Half-Life calls it.
C++ users also could use ForceLibrary (I was thinking about porting Forcelibary into a DLL, untill System game me told me about madshi).
There might be more(elegant) ways to hook the function but i actually chose this.
If you want to take a deeper look at hooks you should click here.
Now Back to MadShi:
The headers we need from Madshi is MadhookCode.pas There are two functions we need: 1.CreateProcessEx and 2.HookCode. In order to make a global hook, we have to write our little cheat in two seperated parts: a DLL with the hooking function and a Executable witch injects you DLL onto a target.


Coding Part

In this part I will post the entire Source and than I will describe it step for step:

In the Loader:

uses....MadHookCode......

procedure TForm1.FormShow(Sender: TObject);
var curpath: String;
begin
Curpath:=ExtractFilePath(Application.ExeName);
CreateProcessEx(PChar('E:\CounterStrike'), PChar('-console -game cstrike'), nil, nil, false, 0, nil, nil, si, pi, PChar(Curpath+'MySpeedhack.dll'));
end;

This is basically all you need in your Loader, the rest is up to you to design....
Now the the DLL:

uses ....Windows,MadHookCode......

var NextQuerryPerform: function(var lpPerformancecount: Int64): longbool; stdcall;
Speedon:bool=FALSE;
ls:bool=FALSE;

function myQuerryPerform(var lpPerformancecount: Int64): longbool; stdcall;
begin
result:=NextQuerryPerform(lpPerformancecount);
if (GetAsyncKeyState(VK_CAPITAL)<0) and (ls=FALSE) Then
begin
ls:=TRUE;
if speedon=TRUE then speedon:=FALSE
else speedon:=TRUE;
end
else if not GetAsyncKeyState(VK_CAPITAL)<0 Then
ls:=FALSE;
if speedon=TRUE Then
lpPerformancecount:=lpPerformancecount*2;
end;

begin
HookCode(@QueryPerformanceCounter,@myQuerryPerform,@NextQuerryPerform) ;
end.

Okay and now to the details:

In our Loader we have......

uses....MadHookCode......

Uses is a expression similar to C++'s #include <> in the upper line we simply tell the compiler that we want to use MadhookCode.pas a "header" file with constants and functions...etc.

procedure TForm1.FormShow(Sender: TObject);

This is one of the "prefabricated" procedures of delphi, similar to C++'s mfc class events. FormShow is the standart name for the procedue for the pre-Dialoge showing.

var curpath: pChar;

Here we declare a private variable of the current procedure, its similar to c's char curpath;


begin......end

Now this is similar to C's brackets "{" and "}" which defines the beginning and the end of the current Proc/loop/if,casestatement..


Curpath:=ExtractFilePath(Application.ExeName)

This Statement assigns curpath to the current DirectoryFullPath of the loader. (where the dll file is also stored) we will need this in the next statement.

CreateProcessEx(PChar('E:\CounterStrike'), PChar('-console -game cstrike'), nil, nil, false, 0, nil, nil, si, pi, PChar(Curpath+'MySpeedhack.dll'));

Now this is our main loader-function, so lets take a closer look at it:

function CreateProcessEx (applicationName, commandLine : pchar;
processAttr, threadAttr : PSecurityAttributes;
inheritHandles : bool;
creationFlags : dword;
environment : pointer;
currentDirectory : pchar;
const startupInfo : TStartupInfo;
var processInfo : TProcessInformation;
loadLibrary : pchar ) : bool; stdcall;
as we see this function is very likely the WindowsFunction CreateProcess the only difference is that CreateProcessEx contains the additional " loadLibrary: pchar ", which specifies the dll, we want to inject.
After CreateProcessEx has been executed, it starts the specified application, but patching it in a way that the app behaves like would have a Loadlibrary call right in its first line.

Okay, that was the Loader, now to the Dll:
var NextQuerryPerform: function(var lpPerformancecount: Int64): longbool; stdcall;


Here we declare a buf-function with the same variables as the Original function. This Function is called in the callback function.

function myQuerryPerform(var lpPerformancecount: Int64): longbool; stdcall;
begin
result:=NextQuerryPerform(lpPerformancecount);
if (GetAsyncKeyState(VK_CAPITAL)<0) and (ls=FALSE) Then
begin
ls:=TRUE;
if speedon=TRUE then speedon:=FALSE
else speedon:=TRUE;
end
else if not GetAsyncKeyState(VK_CAPITAL)<0 Then
ls:=FALSE;
if speedon=TRUE Then
lpPerformancecount:=lpPerformancecount*2;
end;

And now this is the function we let it "replace" instead of the Original function
First we call the original Function in
result:=NextQuerryPerform(lpPerformancecount);

Than there is our simple Key Trigger to turn the speedhack on and off.
And at last, if the speedhack is on(speedon=TRUE)
we change pPerformancecount by double its speed in:
lpPerformancecount:=lpPerformancecount*2;


Now here we go, the last thing we have to do is using MadCodehook's function HookCode to hook the Process QueryProformanceCount :

HookCode(@QueryPerformanceCounter,@myQuerryPerform,@NextQuerryPerform) ;

a "@" indicates a Pointer.

last thing I wanted to mention:

With this method you are also able to hook GetProcAddress or LoadLibrary for example to inject your OpenGl functions...
as it is discribed here

Credit
Coder-original author
Back to top Go down
View user profile
DXT-Ripper
Admin
avatar

Posts : 71
Coins : 114
Reputation : 8
Join date : 2010-10-24

PostSubject: Re: SpeedHack Source in C++ And How To Do it   Mon Oct 25, 2010 8:18 am

Nice TuT . tnx for this !
Back to top Go down
View user profile http://dxtph.forumotion.net
 
SpeedHack Source in C++ And How To Do it
View previous topic View next topic Back to top 
Page 1 of 1
 Similar topics
-
» The Cold War Source Code Released
» xPlicit V1.0 for Counter Strike: Source (SCREENSHOTS ONLY)
» Where can i get the Borland Turbo C++ 3.1 compiler to compile the wolfenstein 3d source code?
» open source tunes
» Version 10 Plugy Source Code - Released

Permissions in this forum:You cannot reply to topics in this forum
DXT PH :: Web Designing & Coding :: Tutorials-
Jump to: