I am revisiting Assembly/Dissassembly and haven't worked with it since 286 or 386's so for the purposes of this board i am a newbie.

I have a very specific thing i want to do and (being new to this) I need help from guys in the trenches.

I want to track down an executable's call to DirectX9 or DirectX8's D3DXMatrixPerspectiveFovLH. I want to do this solely for the purpose of tracking down and modifying the FOV and aspect parameters passed to it. My nefarious purpose is to get the aspect ratio to run correctly on a widescreen display.

I am guessing there is a byte signature for a procedure offset in near proximity to register loading of the parameter values or variable locations. Does anyone know if this is possible? If my assumptions above are correct, does anyone know what the procedure offset for D3DXMatrixPerspectiveFovLH() is? And would the parameters be loaded before them? I downloaded MASM but it doesn't appear to have a dissassember, where is a good dissassembler to use or are the modifications so minor I could do them in a hex editor?

If someone can help or knows a simpler way, let me know please-- Thanks!
Posted on 2004-06-20 13:05:07 by polypusher
simplest way would be to make a fake stub of the direct x dll it uses with exports calling the real dll (real dll being loaded by your fake stub with the same named exports), and put the fake stub dll into the same dir the exe is in, that way windows loads your dll (which then loads the real dll and 'forwards' the exports), thus enabling you to debug and mess with it pretty easily
Posted on 2004-06-20 16:15:52 by evlncrn8
I want to track down an executable's call to DirectX9 or DirectX8's D3DXMatrixPerspectiveFovLH.

Those come from d3dx8/9.lib and are thus linked statically.
The only way to find the function would be to scan for the actual binary code in the exe image, I suppose.
Posted on 2004-06-20 16:44:04 by Scali
Thanks for some ideas and to see some other reality checks on what im up against.

Man would i love source code to a directx stub wrapper in something like c++... i will look into open source wrappers to see if i can steal some code to do that.

scali : do you know how i would find out the binary signature of that function? that signature (procedure offset?) is contained in some kind of lookup table in the lib file? If i knew that signature i might be able to wing the rest in a hex editor.
Posted on 2004-06-20 17:37:30 by polypusher
Afternoon, polypusher.

You'll have to use the "myDXx.Dll->DXx.dll" idea, as any chatter regarding RE is frowned upon here.

Please check out the Rules for this board.

Posted on 2004-06-20 17:50:01 by Scronty
And I thought i was enhancing or extending the engineering shortfall :rolleyes:

Well i suppose you have to draw some lines even though this is probably the least offensive use of reverse engineering.

Well if anyone else wants to provide insight and its re related, send it in an email.

My motives are pure and my concience is clear :alright:

I do like the idea of a wrapper with all sorts of configuration settings you could intercept... that would be very 'All Purpose', although more complicated to rig up.

Posted on 2004-06-20 18:41:03 by polypusher
what is RE?

as for hooking api calls

i have often used a library what is decribed here CodeHook

you can get C++ or delphi version of it at www.madshi.net (click C++ and delphi links)

it allows you to hook an API call (well actually any cool , (like an internal function/method call) in any app
if its for an external progam, you can make a loader application, and have all your code in a dll, and the loader application will load your DLL into the other programs program space, where you can then hook functions etc..

how i have used these techniques before..

1) CHINESE/JAPANESSE app.. before win2k and XP when english windows was not unicode.. i would do such a technique and hook an applications call to the winapi (TextOut) which is used to display all text.. and in my hooked code, i would then check the string that was to be displayed, and also the font name, if it was a font name that i was to display in chinese or japanese, then i would render the 'text' "ascii" in chinese or japanese, otherwise i would just then call the original TextOut with the parameters.. This way i could turn any english windows app into chiense/ or japanese or both..

2)adding features to abadonware... often i have apps that i use so much, b ut have been abandoned and i want to add features.. so sometimes its just inserting my DLL into the process.. then using findwindow etc (which i know which windows to find by using visual studios SPY++ app), and then i can add menu items to the program.. maybe hook buttons or winAPIU function calls (or internal function calls (harder to find what to hook in this case)) to do whatever my functionality requires.. i've added spellchecks, dictionaries and all sorts with this technique.. i've added publishing straight to webserver, XHTML checking etc, to blog engines etc with this technique.. done alot

3)another case i hooked all ODBC calls, because a program i was using was using Access for its data storage and i wanted to use a different database backend..

nice and powerful, and fully legal means.. i've actually modified my own programs that i havce since lost the source for as well..
plus i've written Plugins for various apps, where the plugin api was quie limited and this allowed me greater flexibility.

Posted on 2004-06-20 19:01:53 by klumsy
ok soo RE = reverse engineering..
API hooking is not reverse engineering.. windows has various api (keybouard, mouse) hooking etc..

directX is a public api, and he would not be hooking any methods which already aren't published in header files.. so i don't see wher the problem is.
Posted on 2004-06-20 19:03:41 by klumsy
Thanks for the info on the madshi code hook, i will look into seeing if it can let me hook into that statically linked function. I can see that being very useful in many situations... excellent!

Wow seems you guys have very concisely answered my question :

(1) Wrappers for elaborate interception of API calls
(2) My function is statically linked
(3) Reverse engineering is BAAD... discuss discreetly
(4) Hooking for interception of small number of functions

Man you assembly guys are efficient even when working independently!
Posted on 2004-06-20 19:37:05 by polypusher
As I already said, that function is NOT an API function. At least, it is NOT a function exported by a DLL. It is linked STATICALLY.
Hence it is embedded in the exe, and you cannot find a fixed offset or anything.
Posted on 2004-06-21 01:59:03 by Scali
though it is statically linked, it is still calling lower level directx calls i am sure.. other than the 'helper' functions of directx, static linnking libraries are little more the helpers..

even so though, with mad lib you can still hook anything

if i make a function

void myratdogfunction(int whatever);

in my code.. i can hook that function.. its just a matter of knowing its prameters,calling convention, and in case of static linked thing.. its address which might be a bit to get, would still be easy to find, though might take some time. however i'd hook lower level directX calls.. at least as part of the discovery process.. i did this with ODBC stuff. the program used some high level wrapper, and i think it was around ADO as well, however i didn't have docs on the ado drivers dlls.. but i know that the ADO provider was going through a ODBC provider, so i just hooked the ODBC calls. i didn't know which one to really hook at first, but hooking them all and seeing what was coming through at different times helped me narrow down my needs.

however i wouldn't start with madcodehook trying to hook whatever app you are working
compile one of the directXsample applications that you have the source from and try it on that.. save yourself alot of grief..
Posted on 2004-06-21 02:56:25 by klumsy
Afternoon, klumsy.

... and in case of static linked thing.. its address which might be a bit to get, would still be easy to find, though might take some time.

... , and the only way to find the address is by REing the exe.

though it is statically linked, it is still calling lower level directx calls i am sure...

All it does is calculate a new perspective matrix.

This is the declaration inside d3dx8math.h:
// Build a perspective projection matrix. (left-handed)

( D3DXMATRIX *pOut, FLOAT fovy, FLOAT Aspect, FLOAT zn, FLOAT zf );

The actual code for the perspective functions would be similar to:

ProjectionMatrix(const float near_plane, // Distance to near clipping
// plane
const float far_plane, // Distance to far clipping
// plane
const float fov_horiz, // Horizontal field of view
// angle, in radians
const float fov_vert) // Vertical field of view
// angle, in radians
float h, w, Q;

w = (float)1/tan(fov_horiz*0.5); // 1/tan(x) == cot(x)
h = (float)1/tan(fov_vert*0.5); // 1/tan(x) == cot(x)
Q = far_plane/(far_plane - near_plane);

ZeroMemory(&ret, sizeof(ret));

ret(0, 0) = w;
ret(1, 1) = h;
ret(2, 2) = Q;
ret(3, 2) = -Q*near_plane;
ret(2, 3) = 1;
return ret;
} // End of ProjectionMatrix

As you can see; it's just a bit of floatingpoint calculation.

Posted on 2004-06-21 04:06:30 by Scronty
Afternoon, polypusher.

If you still wish to discuss possible ways to complete your mission, then you'll have to go with the Dll approach.

As D3DXMatrixPerspectiveFovLH is staticly linked and we cannot discuss RE techniques, the only other possible approach I can think up would be to hook (via own dll?) IDirect3DDevice8::SetTransform.

Remember: D3DXMatrixPerspectiveFovLH only returns a matrix calculated with the parameters supplied.
For perspective to actually be changed;- a call to IDirect3DDevice8::SetTransform with D3DTS_PROJECTION and the address of that matrix given as parameters has to be made.

Now all you'd need to do is to figure out how to create your own dll (myd3d8/9.dll) inwhich you hook the IDirect3DDevice8::SetTransform calls.

Posted on 2004-06-21 04:19:11 by Scronty
Thanks guys, you have been way more helpful than i ever expected.

scali : yes i realize that being statically linked meant i probably couldn't discuss methods any more (hence bullet point 3)

That is an excellent suggestion Scronty, thanks for the info on that function, perhaps i can intercept the settransform calls as you suggested. With the info you provided, that should be feasable. I would like to keep the solution as legitimate as possible so i can share the solution with others and will not pursue discussion of re related methods.

klumsy : that mch looks very cool, i will have to do some testing with it on a dx sample app. I will try to get it to play nice with visual c++ 7.

Thanks guys i will look at intercepting that settransform call.
Posted on 2004-06-21 06:00:02 by polypusher
You can't even be sure the game is using these functions, the developers might have coded their own... so you'll have to approach each game individually, RE'ing. datarescue/IDA is the way to go, but can't be discussed here - even if your intentions are fine.

You could perhaps do a signature scanner for the D3DXMatrixPerspectiveFovLH and replace code - but this would also require RE to complete...
Posted on 2004-06-21 07:24:27 by f0dder
I appreciate your help.. if i had not seen the error of my ways i might pursue such unorthodox practices. I am, however, now perched atop lofty ethical codes of conduct that prevent me from such actions.

<Copy/Paste><Google><Add Bookmark just in case>
Posted on 2004-06-21 18:47:24 by polypusher