Hey guys,
I want to show you how you can easily get the address of a function such as EndScene in d3d9.dll.
What do I need?
- OllyDBG 1.10 (I only tested it there)
- My program (temp.exe)
- A bit of reversing knowledge (not really needed, because it's so easy and I describe everything I do in detail)
So now I'll describe how to find EndScene (other functions work the same way).
Tutorial:
First, load "temp.exe" (I named it that because I didn't find any other name for it, lol) in OllyDBG. I think you know how this works.
After you have done this, press F9 twice so temp.exe starts. It should look like this:
Now press the RMB (right mouse button), select "Search for" and then "All referenced text strings", like this:
After you did this it should look like this:
Now double-click on "EndScene"; you'll land here:
Now we see a CALL after the PUSH. You can ignore that CALL and scroll down until you see the next CALL.
Now set a hardware breakpoint there and wait until OllyDBG pauses the application at the breakpoint.
When the state has changed to "Paused", you should see a black number where the CALL normally happens.
If you didn't have any problems, you can just hit Enter and you will land somewhere in the module d3d9 (d3d9.dll).
Write down the address and close OllyDBG.
Now you have your EndScene address!
But... wait... the address changes after a restart or similar? No problem! I'll now explain how to find the offset.
First we need to find the EntryPoint. I'll show you an example of how to do this in PureBasic. (I'll add a C++ version later/tomorrow too.)
In my case the EntryPoint is 70BF01A9; now we'll calculate the offset.
It's very easy (all values are hex):
EntryPoint - EndSceneAddress = EndSceneOffset
(70BF01A9 - 70BCF8DF = 208CA)
Now you have the offset, but how do you use it in your DLL? Like this:
EntryPoint - EndSceneOffset = EndSceneAddress
(70BF01A9 - 208CA = 70BCF8DF)
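Since the PureBasic example is behind a login, here is an added example in C (not the author's code) of the two steps the offset trick needs: reading a module's EntryPoint from its PE32 header (ImageBase + AddressOfEntryPoint) and applying the post's two formulas. The PE header bytes are constructed, not taken from d3d9.dll: entry RVA 0x501A9 with a base of 0x70BA0000 reproduces the post's EntryPoint 70BF01A9, and the second base 0x6F000000 is likewise made up to show the same offset re-resolving EndScene after a rebase.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Offsets of the few PE32 header fields we read (constants from the PE format). */
#define DOS_E_LFANEW     0x3C  /* IMAGE_DOS_HEADER.e_lfanew: where "PE\0\0" starts */
#define NT_OPTIONAL_HDR  0x18  /* 4-byte signature + 20-byte IMAGE_FILE_HEADER */
#define OPT_ENTRY_RVA    0x10  /* OptionalHeader.AddressOfEntryPoint */
#define OPT_IMAGE_BASE   0x1C  /* OptionalHeader.ImageBase (PE32 layout) */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v) {
    for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i));
}
/* EntryPoint VA = ImageBase + AddressOfEntryPoint; returns 0 if this is not a PE32 image. */
uint32_t pe32_entry_point(const uint8_t *img, size_t len) {
    if (len < DOS_E_LFANEW + 4 || img[0] != 'M' || img[1] != 'Z') return 0;
    uint32_t nt = rd32(img + DOS_E_LFANEW);
    if (nt > len || len - nt < NT_OPTIONAL_HDR + OPT_IMAGE_BASE + 4) return 0;
    if (memcmp(img + nt, "PE\0\0", 4) != 0) return 0;
    const uint8_t *opt = img + nt + NT_OPTIONAL_HDR;
    if (opt[0] != 0x0B || opt[1] != 0x01) return 0;   /* Magic must be 0x10B (PE32) */
    return rd32(opt + OPT_IMAGE_BASE) + rd32(opt + OPT_ENTRY_RVA);
}
/* The post's two formulas: the offset is measured downwards from the entry point. */
uint32_t endscene_offset(uint32_t entry, uint32_t endscene_va) { return entry - endscene_va; }
uint32_t endscene_address(uint32_t entry, uint32_t offset)     { return entry - offset; }
/* Constructed PE32 header, not real d3d9.dll bytes: entry RVA 0x501A9 is chosen so that a
   base of 0x70BA0000 reproduces the post's EntryPoint 70BF01A9. */
void build_fake_pe32(uint8_t img[0x100], uint32_t image_base) {
    memset(img, 0, 0x100);
    img[0] = 'M'; img[1] = 'Z';
    wr32(img + DOS_E_LFANEW, 0x40);                    /* NT headers at offset 0x40 */
    memcpy(img + 0x40, "PE\0\0", 4);
    uint8_t *opt = img + 0x40 + NT_OPTIONAL_HDR;
    opt[0] = 0x0B; opt[1] = 0x01;                      /* PE32 magic */
    wr32(opt + OPT_ENTRY_RVA, 0x501A9);
    wr32(opt + OPT_IMAGE_BASE, image_base);
}
int main(void) {
    uint8_t img[0x100];
    build_fake_pe32(img, 0x70BA0000u);                 /* the load seen in the post */
    uint32_t off = endscene_offset(pe32_entry_point(img, sizeof img), 0x70BCF8DFu);
    build_fake_pe32(img, 0x6F000000u);                 /* same DLL, different base */
    uint32_t now = endscene_address(pe32_entry_point(img, sizeof img), off);
    printf("offset %X, EndScene now at %X\n", off, now);
    return 0;
}
```

The offset only stays valid for the same build of d3d9.dll; a different version of the DLL places EndScene elsewhere relative to the entry point, so re-derive it in OllyDBG after a DirectX update.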
That's all for now. It is very, very noob friendly and really, really everyone can understand this. (I hope so.)