cs1.6透视(逆向 - 通过inlinehook opengl实现cs1.6透视[亲测有效])

发布时间:2025-12-10 19:35:50 浏览次数:8



逆向 | 通过inlinehook opengl实现cs1.6透视

之前一直想弄没弄的,今天给弄了。
inlinehook的原理与上一篇文章基本相同。https://www.cnblogs.com/Mz1-rc/p/16586411.html

CS 1.6 的渲染后端可以是 D3D 也可以是 OpenGL，先把游戏切换到 OpenGL 模式，然后再进行下面的操作。
主要就是 hook opengl32.dll 导出的 glBegin：判断 mode 是否为 GL_TRIANGLE_STRIP(5) / GL_TRIANGLE_FAN(6)，若是则调用 glDisable(GL_DEPTH_TEST) 关闭深度测试，让这些实体强行绘制在最前面。注意：下面的 hook 会覆盖 glBegin 开头的 5 个字节，并在跳回前手工重放 `mov edi,edi; push ebp; mov ebp,esp`，因此它要求目标 opengl32.dll 的 glBegin 恰好以这段热补丁序言开头；换了系统或 DLL 版本时，请先用调试器确认序言再决定是否能直接套用。

被注入的dll代码如下:

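// inject_dll.cpp : Defines the entry point for the DLL application.
//
// Injected into the CS 1.6 process. Inline-hooks opengl32!glBegin so that
// GL_TRIANGLE_STRIP / GL_TRIANGLE_FAN batches are drawn with depth testing
// off, i.e. on top of everything else.
#include "stdafx.h"
#include <stdio.h>
#include <string.h>
#include <gl/glut.h>

DWORD g_dwOldAddr;      // address of the patched function (glBegin)
DWORD g_dwNewAddr;      // address of the hook function (MyglBegin)
DWORD g_dwHookFlag;     // non-zero once ThreadProc has installed the hook

#define PATCH_LENGTH 5  // size of a rel32 JMP: E9 xx xx xx xx

// Where MyglBegin jumps back to after replaying the overwritten prologue:
// dwOldAddr + PATCH_LENGTH. Written by setInlineHook before the JMP goes
// live, read by MyglBegin's final jmp.
DWORD dwRetAddress;

// The exact bytes MyglBegin replays by hand before jumping back:
//   8B FF  mov edi, edi
//   55     push ebp
//   8B EC  mov ebp, esp
// Overwriting anything else would split an instruction and the replayed
// prologue would be wrong, so setInlineHook refuses to patch a function
// that does not start with this sequence.
static const BYTE g_byExpectedPrologue[PATCH_LENGTH] = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC };

// Copy PATCH_LENGTH bytes from pbSrc over the code at dwAddr.
// Returns FALSE if the page could not be made writable.
//
// The 5-byte write is not atomic: a thread that is executing glBegin's
// first instructions at that moment may read a half-written JMP. Install
// the hook before rendering starts and never toggle it per frame.
static BOOL patchBytes(DWORD dwAddr, const BYTE *pbSrc)
{
    DWORD dwOldProtect = 0;
    DWORD dwIgnored = 0;

    // opengl32's code pages are read/execute only; open them temporarily.
    if (!VirtualProtect((LPVOID)dwAddr, PATCH_LENGTH, PAGE_EXECUTE_READWRITE, &dwOldProtect))
        return FALSE;

    memcpy((LPVOID)dwAddr, pbSrc, PATCH_LENGTH);

    // lpflOldProtect must be a valid pointer; the old code passed 0 here,
    // which makes the call fail and leaves the page RWX.
    VirtualProtect((LPVOID)dwAddr, PATCH_LENGTH, dwOldProtect, &dwIgnored);

    // Make sure no core keeps executing the stale bytes.
    FlushInstructionCache(GetCurrentProcess(), (LPCVOID)dwAddr, PATCH_LENGTH);
    return TRUE;
}

// Toggle the inline hook.
//   dwOldAddr  address of the function to patch (glBegin)
//   dwNewAddr  address of the detour (MyglBegin)
// First call: verifies the prologue, saves the original bytes, sets
// dwRetAddress and writes a rel32 JMP to dwNewAddr. Second call: restores
// the saved bytes. Returns TRUE on success, FALSE if an address is 0, the
// prologue is not the expected hot-patch sequence, or the page could not
// be patched.
BOOL setInlineHook(DWORD dwOldAddr, DWORD dwNewAddr)
{
    static BYTE byOriginalCode[PATCH_LENGTH] = {0};  // bytes replaced by the JMP
    static BOOL bHookFlag = FALSE;                   // TRUE while the JMP is in place
    BYTE byJmpCode[PATCH_LENGTH] = {0xE9};

    if (dwOldAddr == 0 || dwNewAddr == 0)
        return FALSE;

    if (bHookFlag) {
        // Restore what was saved at install time. The old code re-read the
        // target bytes on every call, so on removal it "restored" the JMP.
        if (!patchBytes(dwOldAddr, byOriginalCode))
            return FALSE;
        bHookFlag = FALSE;
        return TRUE;
    }

    // Refuse anything but the prologue MyglBegin knows how to replay.
    if (memcmp((const void *)dwOldAddr, g_byExpectedPrologue, PATCH_LENGTH) != 0)
        return FALSE;

    // rel32 is relative to the end of the JMP instruction itself.
    *(DWORD *)&byJmpCode[1] = dwNewAddr - dwOldAddr - PATCH_LENGTH;

    memcpy(byOriginalCode, (LPCVOID)dwOldAddr, PATCH_LENGTH);

    // Everything the detour reads must be in place before the JMP is live.
    dwRetAddress = dwOldAddr + PATCH_LENGTH;
    g_dwOldAddr = dwOldAddr;
    g_dwNewAddr = dwNewAddr;

    if (!patchBytes(dwOldAddr, byJmpCode))
        return FALSE;
    bHookFlag = TRUE;
    return TRUE;
}

char szNewText[] = "Hook!";

// Detour for glBegin(GLenum mode).
//
// Naked: the compiler emits no prologue/epilogue, so on entry the stack is
// exactly what glBegin's caller left:
//   [esp]    return address into the caller
//   [esp+4]  mode
// After pushad (32 bytes) and pushfd (4 bytes) mode sits at [esp+40].
//
// For GL_TRIANGLE_STRIP (5) and GL_TRIANGLE_FAN (6) depth testing is
// disabled so the batch is drawn regardless of what is in front of it.
// Registers and flags are then restored, the five bytes the JMP replaced
// are replayed, and control jumps to dwRetAddress (glBegin + 5), so the
// original glBegin runs as if it had never been patched.
void __declspec(naked) MyglBegin(GLenum mode)
{
    __asm {
        pushad
        pushfd
        mov eax, dword ptr [esp + 32 + 4 + 4]   // eax = mode
        cmp eax, 5                              // GL_TRIANGLE_STRIP
        jz disable
        cmp eax, 6                              // GL_TRIANGLE_FAN
        jz disable
        jmp back_to_func
    }
disable:
    // glDisable is stdcall and pops its own argument; pushad above protects
    // every register it may clobber.
    glDisable(GL_DEPTH_TEST);
    __asm {
back_to_func:
        popfd
        popad
        // Replay of the overwritten prologue; must equal g_byExpectedPrologue.
        mov edi, edi
        push ebp
        mov ebp, esp
        // Indirect jump through the DWORD set by setInlineHook.
        jmp dword ptr [dwRetAddress]
    }
}

// Worker started from DllMain. Resolves glBegin and installs the hook
// once. Runs on its own thread so DllMain does not call LoadLibrary /
// MessageBox while holding the loader lock.
DWORD WINAPI ThreadProc(LPVOID lpParameter)
{
    char buf[1024] = {0};
    (void)lpParameter;

    // The game has already mapped opengl32.dll; LoadLibrary only bumps its
    // reference count and returns the same base address.
    HMODULE hGl = LoadLibrary("opengl32.dll");
    DWORD pOldFuncAddr = hGl ? (DWORD)GetProcAddress(hGl, "glBegin") : 0;

    _snprintf(buf, sizeof buf - 1, "获取到函数地址:%p ", (void *)pOldFuncAddr);
    MessageBox(0, buf, 0, 0);

    // Without a target there is nothing to patch; the old code would have
    // handed address 0 to setInlineHook and crashed in memcpy.
    if (pOldFuncAddr == 0) {
        MessageBox(0, "安装hook失败!", 0, 0);
        return 1;
    }

    if (!g_dwHookFlag) {
        if (setInlineHook(pOldFuncAddr, (DWORD)MyglBegin)) {
            g_dwHookFlag = TRUE;   // the old code never set this, so a re-run would unhook
            MessageBox(0, "安装hook成功!", 0, 0);
        } else {
            MessageBox(0, "安装hook失败!", 0, 0);
        }
    }
    return 0;
}

BOOL APIENTRY DllMain(HANDLE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    (void)hModule;

    switch (ul_reason_for_call) {
    case DLL_PROCESS_ATTACH: {
        // Do the real work on a new thread; DllMain runs under the loader lock.
        HANDLE hThread = CreateThread(NULL, 0, ThreadProc, NULL, 0, NULL);
        if (hThread == NULL)
            return FALSE;       // report the failure instead of loading a no-op DLL
        CloseHandle(hThread);   // the thread keeps running; we only drop our handle
        break;
    }
    case DLL_PROCESS_DETACH:
        // On FreeLibrary (lpReserved == NULL) put glBegin's bytes back, or the
        // live JMP would point into unmapped memory once this DLL is gone.
        // On process exit there is nothing to restore. A render thread that
        // is inside MyglBegin at this moment is still unsafe.
        if (lpReserved == NULL && g_dwHookFlag) {
            setInlineHook(g_dwOldAddr, g_dwNewAddr);
            g_dwHookFlag = FALSE;
        }
        break;
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
        break;
    default:
        break;
    }
    return TRUE;
}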

