/*remote function hook*/ LPVOID addr_endframe = (LPVOID)0x00586E00; //to 0x00

1.     /*remote function hook*/
2.     LPVOID addr_endframe = (LPVOID)0x00586E00; //to 0x00586EC4
3.     DWORD endframe_size = 0xC4;
4.     BYTE real_endframe_code[0xC4] = {0};
5.     BYTE noparray[0xC4] = {0};
6.     for (int tidx = 0; tidx < 0xC4; tidx++) { noparray[tidx] = 0x90; }
7.     LPVOID moved_endframe = NULL;
8.     LPVOID hook_endframe = NULL;
9.     DWORD dwBytesWritten = NULL;
10.  
11.     /*no idea why these addresses arent in iw4mp.exe, ReadProcessMemory on both return the right values*/
12.     ReadProcessMemory(mw2_proc, addr_endframe, real_endframe_code, endframe_size, &dwBytesWritten);
13.     wprintf(L"Read real endframe function [size: %d], relocating...\n", endframe_size);
14.     moved_endframe = VirtualAllocEx(mw2_proc, 0, endframe_size, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
15.     VirtualProtectEx(mw2_proc, moved_endframe, endframe_size, PAGE_EXECUTE_READWRITE, NULL);
16.     WriteProcessMemory(mw2_proc, moved_endframe, real_endframe_code, endframe_size, &dwBytesWritten);
17.     wprintf(L"Moved real endframe to %X. Bytes written: %d / %d\n", (DWORD)moved_endframe, dwBytesWritten, endframe_size);
18.  
19.     int codeSize = ((LPBYTE)nendframe_after - (LPBYTE)nendframe);
20.     hook_endframe = VirtualAllocEx(mw2_proc, 0, codeSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
21.     VirtualProtectEx(mw2_proc, hook_endframe, codeSize, PAGE_EXECUTE_READWRITE, NULL);
22.     WriteProcessMemory(mw2_proc, hook_endframe, &nendframe, codeSize, &dwBytesWritten);
23.     wprintf(L"Wrote hook_endframe @ %X. Bytes written: %d / %d\n", (DWORD)hook_endframe, dwBytesWritten, codeSize);
24.     /*no idea why these addresses aren't in iw4mp.exe, ReadProcessMemory on both return the right values*/
25.  
26.     WriteProcessMemory(mw2_proc, addr_endframe, &noparray, endframe_size, &dwBytesWritten); //Fill with NOP
27.     wprintf(L"Filled %X to %X with NOP. Bytes written: %d / %d\n", (DWORD)addr_endframe,
28.         (DWORD)addr_endframe + endframe_size, dwBytesWritten, endframe_size);
29.  
30.     *BYTE new_endframe[] = {
31.         //MOV EAX, <hook_endframe>
32.         //CALL EAX
33.         0xB8, LOBYTE(LOWORD(hook_endframe)), HIBYTE(LOWORD(hook_endframe)),
34.         LOBYTE(HIWORD(hook_endframe)), HIBYTE(HIWORD(hook_endframe)), 0x90,
35.         0xFF, 0xD0,
36.         //MOV EAX, <moved_endframe>
37.         //CALL EAX
38.         0xB8, LOBYTE(LOWORD(moved_endframe)), HIBYTE(LOWORD(moved_endframe)),
39.         LOBYTE(HIWORD(moved_endframe)), HIBYTE(HIWORD(moved_endframe)), 0x90,
40.         0xFF, 0xD0,
41.         //RETN
42.         0xC3
43.     };
44.  
45.     WriteProcessMemory(mw2_proc, addr_endframe, new_endframe, sizeof(new_endframe), &dwBytesWritten);
46.     wprintf(L"Wrote new enframe @ %X. Bytes written: %d / %d\n", (DWORD)addr_endframe, dwBytesWritten, sizeof(new_endframe));
47.     /*remote function hook*/