Cheat Engine

[Chris12]

Hi,

i want to get image data from a game (dx9) with cheatengine.
my idea was to hook some directx function (endscene, present, ... ?) and then get a pointer to the pixel data there.

I intended to allocate a large enough block of memory to hold a frame in the game process and then write the data to this buffer.

Getting the image into a separate buffer inside the game memory would be enough for me to continue. Pixelformat doesn't matter.

But what directx function do I use?
How would I get the directx interface?
How do I get the pixel data when I'm in the function.

I have no problems with the hooking itself or writing the assembler.
But I never really worked with directx before.

Is what I described possible? If so how?

[atom0s]

There are few different ways you could go about doing it.

Keep in mind access to the back buffer is dependent on if its lockable. In most cases it wont be by default so you may need to do some extra work to make it lockable if you go that route. The method I use the most in my projects is just locking the back buffer and using its data.

Firstly, you will have to ensure the back buffer is lockable. This is done with the creation flag 'D3DPRESENTFLAG_LOCKABLE_BACKBUFFER' set as one of the present parameters 'Flags' field. Keep in mind as well there are limits to using this flag and it does have a performance hit on certain cards. So use with care.

In order to set this you will need to hook:
- IDirect3D9::CreateDevice
- IDirect3DDevice9::Reset (The present parameters can be rewritten here so you want to hook it and reset the flag as needed.)

Afterward you can hook Present or EndScene to obtain the back buffer as needed and do what you will with the pixel data.
Something like this:

[Chris12]

Thanks,
so CreateDevice and Reset to modify the flag; BeginScene, EndScene or Present to get the image.

If possible I'd like to write all this in assembler, no dll injection.
But getting all offsets dynamically will be quite a bit of work I think.

What do you think would be the easiest way to get all the functions and struct offsets? like the offset of m_RenderTarget?

I'm not the first person who does this so maybe someone even has a list of offsets for every function and struct member^^
If not I guess I'll get them by injecting a dll, read the function addresses, subtract the d3d9 base and dumping them to a file or something...

endscene should be d3d9.dll+0x1ce09 right?

[atom0s]

Pointers like that wont be reliable since systems can have different versions of Direct3D installed which can get used while the game loads. So hard coding any offset like that will result in major issues.

Since you are working with Direct3D9 there is a signature trick to locate the device pointer that works universally.
Pattern: "\xC7\x06\x00\x00\x00\x00\x89\x86\x00\x00\x00\x00\x89\x86"
Mask: "xx????xx????xx"

Or you could write a proxy that hooks and wraps the entire d3d9 dll.

As for the offsets, you can just take the interface from d3d9.h and determine them manually. Once you have the device pointer, you are just working with a vtable. So you would take the index of the function, multiply it by 4 and add that to the device pointer to get the function address.


From the sound of it you are trying to do this externally, which is not going to really work in your favor and is going to land up being a shit-ton more work then is needed if you just instead, injected a dll.

[Chris12]

many thanks for the pattern.
yea with the vtable it should be np.
member offsets (struct fields) are unlikely to change between versions i guess.

yes, what im trying is to write all the code with fasm, inject it myself and then just read the image data from the outside, with mutex lock to prevent frame tearing.

i agree it will be more work, but im not really comfortable with writing c++, but asm is no problem. Maybe i'll use a c# dll, there's a way to get "normal" dll exports to work in them too.

[atom0s]

[Chris12]

I already tried a lot of code from the internet using easyhook, but its not as stable and fast as I hoped it would be.
so i decided to do it myself and mis-use readprocessmemory+mutex as a sort of ipc.

If all fails I think I'll just combine that copy to buffer thing with easyhook.
btw you're a great help. thanks

[atom0s]

[Chris12]

i hope this is still somewhat on topic,
but is it theoretically possible (if i can grab the dx device from the target process) to sort of "hijack" its device in my own process and directly grab image frames with it?

like sharing a hdc with gdi (drawing onto another process' window).

it works with the desktop, so wouldn't it work with other processes too?

similar to the code inside this:
http://www.codeproject.com/Articles/274461/Very-fast-screen-capture-using-DirectX-in-Csharp

[atom0s]

A device context is handled within the given processes memory space. Taking the pointer to it and using it inside of your own memory will not work.

The example you linked to is doing nothing more then creating a new device within its own memory space and obtaining the front buffer of the screen. This works because they are using the desktop HWND as the target in the device creation.

[Chris12]

But wouldn't it be possible to use the target process' window as target instead of the desktop?
or is the desktop special?

[atom0s]