Monthly Archives: June 2013

Ripping Models From Directx9 Games Part 1 – The Basics

Ripping Models

If you’re like me you’ve seen games with really cool looking models and wondered how they were put together.  You might have searched online and seen a couple of tools that allowed you to get the models you were interested in.  And once you did that you couldn’t help but wonder how the process of ripping models from a game goes down.

In this tutorial I’ll show you what it takes to code a program for ripping models, something like this, and send you on your way to experiment with the world of directx9.

I’ll be splitting this tutorial into parts since otherwise it would get pretty long.  This first part covers the concepts involved, so that you have the understanding required to implement a 3D model ripper for DirectX 9.


D3DModelRipper – Ripping Models From Directx9 Games

[Intro]

While there are tools out there that do this sort of thing, I couldn’t find the source code for any of them.  So I put together this library as a way of knowing how it goes down.  I gotta say 3d graphics is not my thing in the least, so putting this together was both challenging and fun.

[Usage]

To use the library, run your desired game, open up the command line, go to your executable directory and type in: Injector.exe "EXE Name" d3d9.dll PrimCount NumVerts.

Example:

Injector.exe "Slender – The Eight Pages.exe" d3d9.dll 2136 1469

The above command will pull the geometry for one of the trees in the Slender forest and dump it into a file called model.obj in your Slender executable folder.

If you do not know how to get the primcounts and vertnums for the geometry you want check this other tool out.

The resulting file is in obj format.  This is probably the simplest format out there for representing 3d geometry, and most 3d modeling software is able to recognize it.
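To show what ends up in model.obj, here is an added example (not the D3DModelRipper source) that serialises an indexed triangle list as OBJ text. It assumes position-only vertices, 16-bit indices and a triangle-list draw call, so that the index count is PrimCount * 3; the Vertex struct and function names are hypothetical.

```cpp
#include <cstddef>
#include <cstdint>
#include <sstream>
#include <stdexcept>
#include <string>
#include <vector>

// Constructed vertex layout: position only. A real vertex buffer has a
// game-specific stride and may also carry normals, UVs and colours.
struct Vertex { float x, y, z; };

// Serialise an indexed triangle list as Wavefront OBJ text.
// prim_count / num_verts play the role of the PrimCount / NumVerts
// arguments; both are checked against the buffers so a mismatched draw
// call is rejected instead of producing a corrupt file.
std::string to_obj(const std::vector<Vertex>& verts,
                   const std::vector<std::uint16_t>& indices,
                   std::size_t prim_count, std::size_t num_verts) {
    if (verts.size() != num_verts)
        throw std::invalid_argument("vertex count does not match NumVerts");
    if (indices.size() != prim_count * 3)
        throw std::invalid_argument("index count is not PrimCount * 3");

    std::ostringstream out;
    out << "# " << num_verts << " vertices, " << prim_count << " triangles\n";
    for (const Vertex& v : verts)
        out << "v " << v.x << ' ' << v.y << ' ' << v.z << '\n';

    for (std::size_t i = 0; i < indices.size(); i += 3) {
        out << 'f';
        for (std::size_t k = 0; k < 3; ++k) {
            std::uint16_t idx = indices[i + k];
            if (idx >= num_verts)  // would reference a vertex never written
                throw std::out_of_range("index outside vertex buffer");
            out << ' ' << idx + 1; // OBJ face indices are 1-based
        }
        out << '\n';
    }
    return out.str();
}

// Constructed sample: a unit quad made of two triangles.
std::string sample_quad_obj() {
    std::vector<Vertex> v = {{0.f, 0.f, 0.f}, {1.f, 0.f, 0.f},
                             {1.f, 1.f, 0.f}, {0.f, 1.f, 0.f}};
    std::vector<std::uint16_t> i = {0, 1, 2, 0, 2, 3};
    return to_obj(v, i, 2, 4);
}
```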

The Storytelling Animal: How Stories Make Us Human

Why do we tell stories? Is it genetics? Is it evolution? Is it simply our preferred way to waste time born in an era when technology was non-existent? The Storytelling Animal: How Stories Make Us Human tries to answer these questions with very compelling arguments.

In The Storytelling Animal: How Stories Make Us Human Jonathan Gottschall shows you how the world of stories is fundamental to the human condition. Through the chapters Gottschall takes you through many current theories of why we as humans have developed, and kept, the art of storytelling. The book also explores the science behind storytelling, and some of the reasons why stories have a magical pull on our attention and decision-making process.

The book is written in a very active and readable tone.  Gottschall himself, taking his own example, makes use of varied stories frequently throughout the book.  Through his use of powerful storytelling the reader gets a first-hand look at how a good narrative can immerse us and capture us.

All in all The Storytelling Animal: How Stories Make Us Human is a delightful reading experience, filled with insight into the many different types of storytelling, and why storytelling is, hands-down, the way to go when attempting to ingrain memorable experiences in the minds of other human beings.

For anyone looking to explore the importance of storytelling, or anyone looking to understand why the world of make-believe has such a great allure, The Storytelling Animal: How Stories Make Us Human is certainly the book to read. I give this book an 8/10.

D3DTextureRipper – Ripping Textures From D3D9 Games

[Intro]

This tool allows you to rip textures from D3D9 games.  It grabs the textures by hooking the device->SetTexture method and dumps them to files inside your game’s path in a folder called “Textures.”  The textures are generated in BMP format and are given non-descriptive names (the texture’s address in memory at the time SetTexture is called).

D3DWindower – Run Full Screen Games In A Window

D3DWindower allows you to force DirectX applications into windowed mode.  The most common use for this application is to run DirectX games in windowed mode when they do not normally allow it.  D3DWindower is implemented by hooking D3DDevice->Reset and changing the present parameters structure. Because of this, the implementation of D3DWindower is pretty simple.  The code can be found in the link below.

NO PERFORMANCE HIT

The hooking of the D3DDevice should not affect the game’s performance by much, but like anything that includes a middleman it will slow you down a bit.  Similarly, this program will not work for games that are not written in DirectX and it is likely that it will also not work for versions of DirectX other than 9.  I have not verified whether DirectX versions after 9 use the D3DDevice->Reset structure and what parameters it takes (if any).

Please keep in mind that if you are running multiplayer games with anti-cheat programs this hook might trigger the program because in essence this DirectX hooking method can be used to hook other functions and give you an unfair advantage in the game.  It is possible that the anti-cheat program is not sophisticated enough to tell the difference between malicious and benevolent hooks.  On the other hand many common programs (such as Fraps) use DirectX hooking so hopefully this helps you avoid any issues.
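The anti-cheat concern above, shown as an added example that is not part of the original post or the D3DWindower code: a pointer-range audit of a device vtable, assuming the hook is installed by overwriting vtable slots. The module names other than d3d9.dll, the addresses and the slot numbers are constructed.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

// A loaded module occupies the address range [base, base + size).
struct Module { std::string name; std::uintptr_t base; std::size_t size; };

// One vtable slot that no longer points into the expected module.
struct Finding { std::size_t slot; std::string owner; };

static bool contains(const Module& m, std::uintptr_t p) {
    // Subtraction form avoids overflow in base + size.
    return p >= m.base && (p - m.base) < m.size;
}

// Report every slot whose target lies outside `expected`, together with
// the loaded module that owns the target, or "<no module>" when the
// target is memory that no loaded module backs.
std::vector<Finding> audit_vtable(const std::vector<std::uintptr_t>& vtable,
                                  const Module& expected,
                                  const std::vector<Module>& loaded) {
    std::vector<Finding> out;
    for (std::size_t i = 0; i < vtable.size(); ++i) {
        if (contains(expected, vtable[i])) continue;  // untouched slot
        std::string owner = "<no module>";
        for (const Module& m : loaded)
            if (contains(m, vtable[i])) { owner = m.name; break; }
        out.push_back({i, owner});
    }
    return out;
}

// Constructed sample: slot 2 was redirected into an injected DLL
// (hypothetical name), slot 3 into memory outside every module.
std::vector<Finding> sample_audit() {
    Module d3d9{"d3d9.dll", 0x10000000, 0x200000};
    std::vector<Module> loaded = {d3d9, {"windower.dll", 0x20000000, 0x10000}};
    std::vector<std::uintptr_t> vt = {0x10001000, 0x10002000,
                                      0x20000400, 0x00450000};
    return audit_vtable(vt, d3d9, loaded);
}
```

The audit reports where a slot now points, not what the replacement function does, which is why a windowing hook and a cheat look the same to a check of this kind.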

DISCLAIMER

If you get banned for using this from some obscure multiplayer game do not complain to me.  I have no way of preventing some crazy anti-cheat program from flagging you as a cheater for this DirectX injection.  What I can tell you is that nothing in this program does anything malicious.  Feel free to check the source code on my github project page.

USAGE

Inside the D3DWindowerClient bin\ folder run: D3DWindowerClient.exe "YOUREXENAME.exe" d3d9.dll Width Height

The width and height parameters should match the application’s current resolution so that the application can display properly in windowed mode.

Slenderman – The Eight Pages – Chams

Here are some chams for Slenderman – The Eight Pages that I pulled in about 5 minutes while testing my d3dlogger.  A side effect of the logger for Slenderman is that you can see the Slenderman while he is hiding in the forest because his model is highlighted red.  I found it surprising just how few models are used by the developer.  If you scroll through all the models present in a scene using the tool you’ll see that there are maybe 15 models in the scene at any given time.

The captions under the picture as well as the file names denote primcount and vertcount. 300×200.bmp means 300 primcount, 200 vertcount.

Enjoy.

Quickly Patching Binaries With OllyDbg and OllyDump

Quick post here gents. If you’ve been looking to patch a binary you can load it up in IDA, make your changes, commit your changes, make a diff and use a patcher to apply the patch to the original binary. If you’re tinkering with a project in olly and are making modifications to the binary continuously this can get old fast. So go grab yourself OllyDump and you can automatically patch your memory changes by generating a fresh new exe with it.

See: http://guidedhacking.com/showthread.php?5857-OllyDbg-Saving-Your-Changes-To-An-exe

MemoryUtility – A Binary Modification Library

[Intro]

I’ve found myself reverse engineering a few applications lately.  Usually I like to go about it with a debugger like ollydbg attached and modify the code during runtime and observe the results as I do it.  This is fine, except when you find yourself twenty instructions deep and having to re-type the instructions every time that you hit “Restart” in olly or every time that the process crashes on you.

So I’ve put together a simple library that injects bytes into the target process and that way I don’t have to retype work previously done every time that happens.

D3DTextureLoggerClient – A simple Primitive Finding Utility for Game Hacks and Chams

[Intro]

D3DTextureLoggerClient is a program that eases getting primitives for Direct3D games.  The current source can be found here. Binary build as of 07_06_2013 can be found here.

Values of the selected primitive are displayed in the form. Hitting “Save Primitive” saves a screenshot of the selected geometry to an Output folder in the executable directory. The “Forward” and “Backward” buttons traverse the geometry list currently in memory. “Reset Prims” clears the geometry list. This is useful when you have just left a scene where a lot of stuff was rendered and are now looking for a geometry in a scene where far fewer geometries are being rendered. It is also a good idea to clear the list if you have been looking for geometry for a while, as it might hold stale geometry that is just wasting your time.  “Add to Chams” clears the z-buffer on that geometry and applies a pixel shader to it so it stands out.  “Toggle Display” stops the geometry from being rendered by skipping the draw call for it.  “Rip Model” dumps the geometry’s vertex and index data to a file in bin\Output\ExeName\modelX.obj.

If you get errors about assemblies not being strong named, you need to add “..\StrongName.snk” in the linker options for the VtableLookup project.  If the problem persists, follow this link.