How to circumvent D3DPERF_SetOptions

最新推荐文章于 2024-04-21 08:21:55 发布
最新推荐文章于 2024-04-21 08:21:55 发布
阅读量804 收藏
点赞数

I think we are all on this website because we are in a constant urge for knowledge.
And then it is possible that in our journey we encounter this:

Posted Image


This happens if you use PIX on an application that uses the D3DPERF_SetOptions(1) function to disable profiling/analysis tools.

An easy way to circumvent this problem is to edit the binary of the application.
Then the only thing we need to change in the binary is the argument of D3DPERF_SetOptions from 1 to 0.

As an example I will demonstrate it with the game Portal 2.

The tools I used:
WinAPIOverride32: http://jacquelin.pot...napioverride32/
MHS6.1.rar: http://memoryhacking.com/download.php 

Step 1: Locate where D3DPERF_SetOptions is called

First we need to figure out where D3DPERF_SetOptions is called in the application. For that we can use the API monitoring software WinAPIOverride32. The official website of WinAPIOverride32 contains very good tutorials.

First you need to create a monitoring file in order to let WinAPIOverride know what we want to monitor. Because D3DPERF_SetOptions is located in the Direct3D 9 DLL we want to create a description of the d3d9.dll. Thus, you can use DllExportFinder.exe on d3d9.dll in your Windows system directory or save the following in d3d9.txt at “winapioverride32_bin\monitoring files” in your WinApiOverride32 directory.

  
  
  1.    
  2. ;      Monitoring file generated for exports table of d3d9.dll v6.1.7601.17514 by MonitoringFileBuilder
  3. !C:\Windows\SysWOW64\d3d9.dll|Direct3DShaderValidatorCreate9()
  4. !C:\Windows\SysWOW64\d3d9.dll|PSGPError()
  5. !C:\Windows\SysWOW64\d3d9.dll|PSGPSampleTexture()
  6. !C:\Windows\SysWOW64\d3d9.dll|int D3DPERF_BeginEvent(D3DCOLOR col, LPCWSTR wszName)
  7. !C:\Windows\SysWOW64\d3d9.dll|int D3DPERF_EndEvent()
  8. !C:\Windows\SysWOW64\d3d9.dll|DWORD D3DPERF_GetStatus()
  9. !C:\Windows\SysWOW64\d3d9.dll|BOOL D3DPERF_QueryRepeatFrame()
  10. !C:\Windows\SysWOW64\d3d9.dll|D3DPERF_SetMarker(D3DCOLOR col, LPCWSTR wszName)
  11. C:\Windows\SysWOW64\d3d9.dll|D3DPERF_SetOptions(DWORD)
  12. !C:\Windows\SysWOW64\d3d9.dll|D3DPERF_SetRegion(D3DCOLOR col, LPCWSTR wszName)
  13. !C:\Windows\SysWOW64\d3d9.dll|DebugSetLevel()
  14. !C:\Windows\SysWOW64\d3d9.dll|DebugSetMute()
  15. !C:\Windows\SysWOW64\d3d9.dll|IDirect3D9 * Direct3DCreate9(UINT SDKVersion)
  16. !C:\Windows\SysWOW64\d3d9.dll|HRESULT Direct3DCreate9Ex(UINT SDKVersion, IDirect3D9Ex **ppD3D)



Next, attach WinAPIOverride at application startup of the game you want to modify. 


Posted Image



Select the API D3DPERF_SetOptions in the monitoring wizard and resume the execution of the attached application. 

Posted Image



And WinAPIOverride shows us in which DLL and where D3DPERF_SetOptions is called (0x5D496D6F) (shaderapidx9.dll + 0x00026D6F). (I'm keeping Portal 2 running in windowed mode for the next step.)

Posted Image




Step 2: Modify the binary 

Now you have located where D3DPERF_SetOptions is called in the application memory (0x5D496D6F). Lets browse the memory of the running application Portal2.exe and see with our own eyes where exactly the function is called in the memory. For this I like to use L. Spiro's Memory Hacking Software.

Open the running Process “Portal2.exe”. Goto File => Properties and select the right chunk that contains the caller address. If you right click you can view it in a Disassembler or in a Hex Editor.

Posted Image


  This is what the disassembler shows: 

  

Posted Image


You can see where the first argument “1” is PUSHed onto the stack and where D3DPERF_SetOptions is CALLed. You can now choose to replace the “CALL” command by a “NOP”command (no operation) or change the argument that we pass to D3DPERF_SetOptions. I chose the latter option. So we just want to change the code “6A 01” to “6A 00” at 5D496D6B.   This is how the application memory looks of the running portal2.exe in the hexeditor:

Posted Image


But off course we want to change the binary on the hard disk. So open the fileshaderapidx9.dll with the hex editor and go to the same location. (I just searched on the same sequence of hex bytes (55 8B EC 81 4C 01 00 56 etc.) of the line 0x5D496D60 with the find function).

Posted Image


Then modify 6A 01 to 6A 00.


Save the file and you are done! 



Posted Image

marscarlosdylan
关注
DXUT11框架浅析(3)--运行时(Run-Time)动态链接D3D的DLL
TechTiger的博客
09-11 2101
DXUT11框架浅析(3)—运行时(Run-Time)动态链接D3D的DLL                用depends打开C:\Windows\System32\d3d9.dll文件,可以看到:            我们知道动态库(dll)的使用方式有两种:一种是加载时动态连接(Load-TimeDynamic Linking),需要为项目配置这个dll的导
DXUT11框架浅析(4)--调试相关
TechTiger的博客
09-11 3187
DXUT11框架浅析(4)—辅助调试       D3D8/9和D3D10/11的调试区别           只要安装了DXSDK,有个调试工具DirectX ControlPanel,如下图所示。这里可以将Direct3D 9设置为调试运行时(Debug D3D9 Runtime)或零售运行时(RetailD3D9 Runtime)。注意这里的设置是全局的,如果改成调试运行时,则所
Direct3D9初始化-------VB6编程学习DX9游戏编程DirectX9编程2D小游戏源码冷风引擎CoolWind2D游戏引擎(6)
gosub60的博客
10-05 1082
DX9初始化
direct3d9做的水纹效果
02-14
自己做的一个验证程序,用shader实现水波效果,使用vs2005编程,内含生成的debug生成.exe程序,可以直接看效果,但需要有安装direct3d9 及framework 2.0以上
013-【直播】劫持注入(郁金香).c
05-14
d3d9劫持dll 示例代码 //保持原来d3d9.dll的功能 UINT_PTR g_Call14[15]={0}; void InitCall14() { LoadLibraryA("MyGame"); HMODULE hdll=LoadLibraryA("c:\\windows\\syswow64\\d3d9.dll"); //DWORD 地址=GetProcAddress(LoadLibraryA("d3d9.dll"),2); //PSGPError for(int i=1;i<=14;i++) { g_Call14[i]=(UINT_PTR)GetProcAddress(hdll,(char*)i); } return; } //1 __declspec(naked) void Direct3DShaderValidatorCreate9() { //跳转到 原来d3d9.dll Direct3DShaderValidatorCreate9 _asm jmp dword ptr [g_Call14+1*4] ; } //2 __declspec(naked) void PSGPError() { _asm jmp dword ptr [g_Call14+2*4] }
a_simple_proxy_to_circumvent_the_sop
05-19
规避SOP的简单代理 一个简单的Node.js代理,可通过不带CORS标头的远程API协助前端开发。 它就地提供文件,并且可以定义将被代理到远程主机的URL模式。 这样,即使远程API没有设置CORS标头(因此,同源起点策略也会...
python pcl库_python-pcl: Python bindings to the pointcloud library (pcl)
weixin_39641450的博客
12-16 259
IntroductionThis is a small python binding to the pointcloud library.Currently, the following parts of the API are wrapped (all methods operate on PointXYZ)point typesI/O and integration; saving and l...
SPM How-tos SPM预处理及统计分析指南
weixin_34041003的博客
01-10 2374
Source: SPM How-tos NOTE: The manual is detailed but too long to edit. Just pasted here for further consulting. This web-page contains excerpts from the SPM user-group's burster. SPM users around th...
The right to contest automated decisions under the General Data Protection Regulation: Beyond the so
weixin_42786150的博客
02-28 2461
The right to contest automated decisions under the General Data Protection Regulation: Beyond the so-called “right to explanation”
End-to-End Data Engineering System on Real Data with Kafka, Spark, Airflow, Postgres, and Docker
Nobigo
04-21 1064
【代码】End-to-End Data Engineering System on Real Data with Kafka, Spark, Airflow, Postgres, and Docker。
使用纯C语言通过Direct3D 11的Compute Shader做通用目的计算
zenny_chen的专栏
10-30 4174
从2010年起,基于GPGPU的通用目的计算随着OpenCL以及CUDA的大热而变得异常火热。而基于GPU的通用目的计算,其实从其本质上上来说就是通过GPU内部的Compute Shader来完成的。而OpenCL以及CUDA则是将主机端与GPU端的通信接口做了更为标准化的统一。而在最近这几年中,除了OpenCL与CUDA之外,还有像微软发布的C++ AMP,还有最近被融合到OpenMP的OpenACC等工具,这些都是利用GPU的大规模数据级并行计算来做数据级密集通用目的计算的。 而现在在高性能计算领域,用
DirectX Sample-PIXGameDebugging:采用PIX调试程序
buck84的专栏
06-16 2484
这个例子用来学习采用PIX调试与检测程序问题,放在dxsample难度比较简单的位置感觉不大恰当 例子中各种选项可以制造各种可能的问题,来说明碰到这种问题如何进行调试 英文文档的Sample Features里面描述了各种可能导致功能问题和性能问题的情况 各种具体调试情况如下: 诊断黑屏 制造黑屏: Fog:None Caustic Texture:Black Black Clea
Idea Debug调试界面详解及技巧总结
Llane Song的博客
07-17 6726
Idea Debug界面整体如下图所示: Rerun(Ctrl+F11):程序项目重启,重新运行。 Update(Ctrl+F10):更新应用程序,点击之后会有如下弹窗。有3个选项:Hot Swap classes,根据描述猜测为可以对修改的java文件热更新;Redeploy,重新发布;Restart server,和ReRun效果一样。 Resume Program(F8):恢复运行,使...
Living without D3DX
海阔凭鱼跃
12-15 6768
General Helpers The DirectX Tool Kit provides a number of helpers that are designed to simplify Direct3D 11 programming in the tradition of the original D3DX library. You can find the library on 
D3D学习框架
假装狠牛逼
09-16 2176
//-------------------------------------------------------------------------------------- // File: EmptyProject.cpp // // Starting point for new Direct3D applications // // Copyright (c) Microsoft Corp
Ada计算机图形DirectX之d3d9
adacore的博客
10-12 352
---------------------------------------- -- File : d3d9.ads -- -- Translator:Dongfeng.Gu,2018/10/12 -- -- Mail: 515639@qq.com -- -- Progress:100% ...
VB程序实例-运用Mschat图表显示数据(方法二).zip
最新发布
11-03
VB程序实例-运用Mschat图表显示数据(方法二).zip
VB程序实例-改变Windows图标大小.zip
11-03
VB程序实例,可供参考学习使用,希望对你有所帮助
Guideline 3.1.1 - Business - Payments - In-App Purchase
05-24
Guideline 3.1.1 of the App Store Review Guidelines for Business and Payments states that apps that offer in-app purchases must use Apple's in-app purchase system. This means that any digital goods or services that users can purchase within the app must be processed through Apple's payment system, which takes a 30% commission on all sales. There are some exceptions to this rule, such as apps that offer physical goods or services that are delivered outside of the app, such as ride-sharing apps or food delivery apps. However, if an app offers any kind of digital content or subscription, it must use Apple's in-app purchase system. It is important to note that Apple strictly enforces this guideline and will reject or remove apps that do not comply. Developers who attempt to circumvent this rule by directing users to make purchases outside of the app or using alternative payment systems risk having their app removed from the App Store.
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值