Category Archives: Projects

D3DModelRipper – Ripping Models From Directx9 Games

[Intro]

While there are tools out there that do this sort of thing, I couldn’t find the source code for any of them.  So I put together this library as a way of knowing how it goes down.  I gotta say 3d graphics is not my thing in the least, so putting this together was both challenging and fun.

[Usage]

To use the library, run your desired game, open up the cmd line, go to your exectuable directory and type in: Injector.exe “EXE Name” d3d9.dll PrimCount NumVerts.

Example:

Injector.exe “Slender – The Eight Pages.exe” d3d9.dll 2136 1469

The above command will pull the geometry for one of the trees in the Slender forest and dump into a file called model.obj in your Slender executable folder.

If you do not know how to get the primcounts and vertnums for the geometry you want check this other tool out.

The resulting file is in obj format.  This is probably the simplest format out there for representing 3d geometry, and most 3d modeling software is able to recognize it.

D3DTextureRipper – Ripping Textures From D3D9 Games

[Intro]

This tool allows you to rip textures from D3D9 games.  It grabs the textures by hooking device->SetTexture method and dumps it to a file inside your game’s path in a folder called “Textures.”  The textures are generated in BMP format and are named in non-descript names (by address in memory at the time SetTexture is called).

D3DWindower – Run Full Screen Games In A Window

D3DWindower allows you to force DirectX applications into windowed mode.  The most common use for this application is to run DirectX games that do not normally allow for windowed mode in windowed mode.  The D3DWindower is implemented by hooking D3DDevice->Reset and changing the present parameters structure. Because of this, the implementation of D3Dwindower is pretty simple.  The code can be found in the link below.

NO PERFORMANCE HIT

The hooking of the D3Device should not affect the game’s performance by much, but like anything that includes a middleman it will slow you down a bit.  Similarly, this program will not work for games that are not written in DirectX and it is likely that it will also not work for versions of DirectX other than 9.  I have not verified whether DirectX versions after 9 use the D3DDevice->Reset structure and what parameters it takes (if any).

Please keep in mind that if you are running multiplayer games with anti-cheat programs this hook might trigger the program because in essence this DirectX hooking method can be used to hook other functions and give you an unfair advantage in the game.  It is possible that the anti-cheat program is not sophisticated enough to tell the difference between malicious and benevolent hooks.  On the other hand many common programs (such as Fraps) use DirectX hooking so hopefully this helps you avoid any issues.

DISCLAIMER

If you get banned for using this from some obscure multiplayer game do not complain to me.  I have no way of preventing some crazy anti-cheat program from flagging you as a cheater for this DirectX injection.  What I can tell you is that nothing in this program does anything malicious.  Feel free to check the source code on my github project page.

USAGE

Inside the D3DWindowerClient bin\ folder run D3DWindowerClient.exe “YOUREXENAME.exe” d3d9.dll Width Height

The width and height parameters should match the application’s current resolution so that the application can display properly in windowed mode.

MemoryUtility – A Binary Modification Library

[Intro]

I’ve found myself reverse engineering a few applications lately.  Usually I like to go about it with a debugger like ollydbg attached and modify the code during runtime and observe the results as I do it.  This is fine, except when you find yourself twenty instructions deep and having to re-type the instructions every time that you hit “Restart” in olly or every time that the process crashes on you.

So I’ve put together a simple library that injects bytes into the target process and that way I don’t have to retype work previously done every time that happens.

D3DTextureLoggerClient – A simple Primitive Finding Utility for Game Hacks and Chams

[Intro]

D3DTextureLoggerClient is a program that eases getting primitives for Direct3D games.  The current source can be found here. Binary build as of 07_06_2013 can be found here.

Values of the selected primitive are displayed in the form. Hitting “Save Primitive” saves a screenshot of the selected geometry to an Output folder in the executable directory. The “Forward” and “Backward” buttons traverse the geometry list currently in memory. “Reset Prims” clears the geometry list. This is good for when you just got out of a scene where a lot of stuff was rendered and now you are looking for a geometry in a scene with much less geometries being rendered. Or just if you have been looking for geometry for a while it is a good idea to clear it as it might have stale geometry that are just wasting your time.  “Add to Chams” clears the z-buffer on that geometry and applies a pixelshader to it so it stands out.  “Toggle Display” makes the geometry not be rendered by skipping the draw call to that geometry.  “Rip Model” dumps the geometry’s vertex and index data to a file in bin\Output\ExeName\modelX.obj.

If you get errors about assemblies not being strong named, you need to add “..\StrongName.snk” in the linker options for the VtableLookup project.  If problem persists follow this link.