First find an interface string like "VClient018" (hint use the source sdk) Next either grab the export address manually from IDA, or resolve the ordinal (Export 4) Cast it into the function "CreateInterfaceFn" Code: typedef void* (*CreateInterfaceFn)(const char *pName, int *pReturnCode); Next use this vftable hooking class to hook the interface Code: #pragma once //Credits: Casual_Hacker #include <winbase.h> class CVMTHookManager { public: CVMTHookManager( ) { memset( this, 0, sizeof( CVMTHookManager ) ); } CVMTHookManager( PDWORD* ppdwClassBase ) { bInitialize( ppdwClassBase ); } ~CVMTHookManager( ) { UnHook(); } bool bInitialize( PDWORD* ppdwClassBase ) { m_ppdwClassBase = ppdwClassBase; m_pdwOldVMT = *ppdwClassBase; m_dwVMTSize = dwGetVMTCount( *ppdwClassBase ); m_pdwNewVMT = new DWORD[ m_dwVMTSize ]; memcpy( m_pdwNewVMT, m_pdwOldVMT, sizeof( DWORD ) * m_dwVMTSize ); *ppdwClassBase = m_pdwNewVMT; return true; } bool bInitialize( PDWORD** pppdwClassBase ) // fix for pp { return bInitialize( *pppdwClassBase ); } void UnHook( ) { if ( m_ppdwClassBase ) { *m_ppdwClassBase = m_pdwOldVMT; } } void ReHook( ) { if ( m_ppdwClassBase ) { *m_ppdwClassBase = m_pdwNewVMT; } } int iGetFuncCount( ) { return ( int ) m_dwVMTSize; } DWORD dwGetMethodAddress( int Index ) { if ( Index >= 0 && Index <= ( int )m_dwVMTSize && m_pdwOldVMT != NULL ) { return m_pdwOldVMT[ Index ]; } return NULL; } PDWORD pdwGetOldVMT( ) { return m_pdwOldVMT; } DWORD dwHookMethod( DWORD dwNewFunc, unsigned int iIndex ) { if ( m_pdwNewVMT && m_pdwOldVMT && iIndex <= m_dwVMTSize && iIndex >= 0 ) { m_pdwNewVMT[ iIndex ] = dwNewFunc; return m_pdwOldVMT[ iIndex ]; } return NULL; } private: DWORD dwGetVMTCount( PDWORD pdwVMT ) { DWORD dwIndex = 0; for ( dwIndex = 0; pdwVMT[ dwIndex ]; dwIndex++ ) { if ( IsBadCodePtr( ( FARPROC ) pdwVMT[ dwIndex ] ) ) { break; } } return dwIndex; } PDWORD* m_ppdwClassBase; PDWORD m_pdwNewVMT, m_pdwOldVMT; DWORD m_dwVMTSize; }; result Code: typdef void* (*tCreateMove)(int,float,bool) CVMTHookManager* g_pHLClient = NULL; tCreateMove oldCreateMove = NULL; VOID HookedCreateMove(int sequence_number, float input_sample_frametime, bool active) { //do CUserCMD haxing here oldCreateMove(sequence_number, input_sample_frametime, active); } //in dll main g_pHLClient = new CVMTHookManager(); g_pHLClient->bInitialize((PDWORD*)createInterface("VClient018", 0)); //24 is the index of Createmove oldCreateMove = (tCreateMove)g_pHLClient->dwHookMethod((DWORD)hookedCreateMove, 24); thanks and have fun
