Category Archives: Programming

Ripping Models From Directx9 Games Part 3 – Making Use Of Exported Data

[Intro]

If you read part 2 of this series, you have yourself a bunch of indices and vertices for 3d geometry in a game.  The question now is, how are you going to do anything with them?  That’s where this final part of the tutorial comes in.  Here we turn the geometry vertex data into a usable format- Wavefront OBJ, which is a format that is readily understood by most 3D modeling software.

ripping models

Slenderman Re-Textured Model

Ripping Models From Directx9 Games Part 2 – Implementing

wowmodel

[Introduction]

In this part we’ll talk about what needs to be done under the hood to implement a directx9 model ripper.  To implement 3d geometry I used hooking.  I won’t get into the details of how to hook directx calls here since that subject has been more than covered online.  You should be familiar with that subject before continuing this tutorial.

Ripping Models From Directx9 Games Part 1 – The Basics

Ripping Models

If you’re like me you’ve seen games with really cool looking models and wondered how they were put together.  You might have searched online and seen a couple of tools that allowed you to get the models you were interested in.  And once you did that you couldn’t help but wonder how the process of ripping models from a game goes down.

In this tutorial I’ll show you what it takes to code a program for ripping models, something like this, and send you on your way to experiment with the world of directx9.

I’ll be splitting this tutorial into parts since otherwise it would get pretty long.  This first part will cover the concepts involved so that you can have the understanding required to implement a 3d ripper for directx9 for ripping models in directx.

ripping models

D3DModelRipper – Ripping Models From Directx9 Games

[Intro]

While there are tools out there that do this sort of thing, I couldn’t find the source code for any of them.  So I put together this library as a way of knowing how it goes down.  I gotta say 3d graphics is not my thing in the least, so putting this together was both challenging and fun.

[Usage]

To use the library, run your desired game, open up the cmd line, go to your exectuable directory and type in: Injector.exe “EXE Name” d3d9.dll PrimCount NumVerts.

Example:

Injector.exe “Slender – The Eight Pages.exe” d3d9.dll 2136 1469

The above command will pull the geometry for one of the trees in the Slender forest and dump into a file called model.obj in your Slender executable folder.

If you do not know how to get the primcounts and vertnums for the geometry you want check this other tool out.

The resulting file is in obj format.  This is probably the simplest format out there for representing 3d geometry, and most 3d modeling software is able to recognize it.

D3DTextureRipper – Ripping Textures From D3D9 Games

[Intro]

This tool allows you to rip textures from D3D9 games.  It grabs the textures by hooking device->SetTexture method and dumps it to a file inside your game’s path in a folder called “Textures.”  The textures are generated in BMP format and are named in non-descript names (by address in memory at the time SetTexture is called).

D3DWindower – Run Full Screen Games In A Window

D3DWindower allows you to force DirectX applications into windowed mode.  The most common use for this application is to run DirectX games that do not normally allow for windowed mode in windowed mode.  The D3DWindower is implemented by hooking D3DDevice->Reset and changing the present parameters structure. Because of this, the implementation of D3Dwindower is pretty simple.  The code can be found in the link below.

NO PERFORMANCE HIT

The hooking of the D3Device should not affect the game’s performance by much, but like anything that includes a middleman it will slow you down a bit.  Similarly, this program will not work for games that are not written in DirectX and it is likely that it will also not work for versions of DirectX other than 9.  I have not verified whether DirectX versions after 9 use the D3DDevice->Reset structure and what parameters it takes (if any).

Please keep in mind that if you are running multiplayer games with anti-cheat programs this hook might trigger the program because in essence this DirectX hooking method can be used to hook other functions and give you an unfair advantage in the game.  It is possible that the anti-cheat program is not sophisticated enough to tell the difference between malicious and benevolent hooks.  On the other hand many common programs (such as Fraps) use DirectX hooking so hopefully this helps you avoid any issues.

DISCLAIMER

If you get banned for using this from some obscure multiplayer game do not complain to me.  I have no way of preventing some crazy anti-cheat program from flagging you as a cheater for this DirectX injection.  What I can tell you is that nothing in this program does anything malicious.  Feel free to check the source code on my github project page.

USAGE

Inside the D3DWindowerClient bin\ folder run D3DWindowerClient.exe “YOUREXENAME.exe” d3d9.dll Width Height

The width and height parameters should match the application’s current resolution so that the application can display properly in windowed mode.

MemoryUtility – A Binary Modification Library

[Intro]

I’ve found myself reverse engineering a few applications lately.  Usually I like to go about it with a debugger like ollydbg attached and modify the code during runtime and observe the results as I do it.  This is fine, except when you find yourself twenty instructions deep and having to re-type the instructions every time that you hit “Restart” in olly or every time that the process crashes on you.

So I’ve put together a simple library that injects bytes into the target process and that way I don’t have to retype work previously done every time that happens.

D3DTextureLoggerClient – A simple Primitive Finding Utility for Game Hacks and Chams

[Intro]

D3DTextureLoggerClient is a program that eases getting primitives for Direct3D games.  The current source can be found here. Binary build as of 07_06_2013 can be found here.

Values of the selected primitive are displayed in the form. Hitting “Save Primitive” saves a screenshot of the selected geometry to an Output folder in the executable directory. The “Forward” and “Backward” buttons traverse the geometry list currently in memory. “Reset Prims” clears the geometry list. This is good for when you just got out of a scene where a lot of stuff was rendered and now you are looking for a geometry in a scene with much less geometries being rendered. Or just if you have been looking for geometry for a while it is a good idea to clear it as it might have stale geometry that are just wasting your time.  “Add to Chams” clears the z-buffer on that geometry and applies a pixelshader to it so it stands out.  “Toggle Display” makes the geometry not be rendered by skipping the draw call to that geometry.  “Rip Model” dumps the geometry’s vertex and index data to a file in bin\Output\ExeName\modelX.obj.

If you get errors about assemblies not being strong named, you need to add “..\StrongName.snk” in the linker options for the VtableLookup project.  If problem persists follow this link.