Blizzhackers

Home of the Dupe since 2001

Post new topic Reply to topic  [ 17 posts ]  Go to page 1, 2  Next
Post subject: [Undetected] zO_Rival v1.0.0
PostPosted: Fri Oct 22, 2010 2:23 am
User

Joined: Tue Oct 19, 2010 12:44 pm
Quote:
zo_Rival v1.0.0
StarCraft II v1.1.2
by Zoro


Instructions:
1. Run StarCraft II
2. Run zLoader.exe before logging in
3. If you get an error, just reinject

Features:
- Warden Scan Detection
- Check for update
- Tie hack
- Map hack


Hotkeys:
F5 - Toggle this to desync from the game without getting a win or loss.
F6 - Toggle 2-state maphack off and lite.
Home - Check for updates

Notes:

- Warden Scan Detection
Warden is an anti-cheat program that silently reports hackers to Blizzard. With this information,
Blizzard can do what they want. To prevent this plot of Blizzard, there is an automatic
Warden Detector in this hack. This feature detects if Warden is scanning and if so it gives
you the option to continue playing at your own risk or exit. This feature still needs improving
and MIGHT only alert when in-game or exiting. However, if it still alerts, take caution.

- Check for update
This gives you an option to check for updates when you press (Home).

- Tie hack
This amazing feature, different from NAME HERE, allows users to drop out of the game, get a tie, and
it's so easy to use with a push of a button (F5).

- Map hack
View all around and/or across any place of the map with an easy push of a button (F6).


Let the C&D begin.
http://www.mediafire.com/?1fy676txan87ga4

Added a toggle for the desync hack.


Last edited by ZoroX on Fri Oct 22, 2010 12:52 pm, edited 3 times in total.
Post subject: Re: [Undetected] zO_Rival v1.0.0
PostPosted: Fri Oct 22, 2010 2:33 am
Banned
Joined: Wed Oct 13, 2010 12:53 pm
Good luck and have fun with that.

Post subject: Re: [Undetected] zO_Rival v1.0.0
PostPosted: Fri Oct 22, 2010 5:45 am
User
Joined: Fri Oct 22, 2010 5:43 am
Thanks for the hack. Is tie hack detectable?

Post subject: Re: [Undetected] zO_Rival v1.0.0
PostPosted: Fri Oct 22, 2010 6:00 am
User
Joined: Fri Oct 22, 2010 4:15 am
The point of this pseudo review is to explain the anti-warden techniques going on behind the scenes. Hearing those familiar words 'anti-detection' is generally not enough in today's hack scene where bans are swift and result in loss of game access.

With tools that scan for changes and reviews like this, we can only hope to encourage more secure and sturdy hacks. A swift wave of a magic wand with the mention of the words 'safe, undetectable, etc' will not save the day; we must approach these problems analytically with solutions that do the job they intend.

This review might not be 100% accurate.
Static analysis of zO_Rival v1.0.0

Let's look at the entry point to start off:
BOOL DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved)
{
  switch ( fdwReason )
  {
    case DLL_PROCESS_ATTACH:
      g_hIstance = hinstDLL;
      UnlinkDllFromPeb( );
      CreateThread( NULL, 0, HackPulse, NULL, 0, &ThreadId );
      PatchJmpCall( 0x774F32E5, WardenChecker, PATCH_JMP );
  }
  return TRUE;
}


As we can see, this hack assumes it has been loaded as a native DLL into the target game process. It saves its own instance handle to a global variable, then calls 3 functions in order: UnlinkDllFromPeb, CreateThread, PatchJmpCall.

UnlinkDllFromPeb( );

This function goes through various linked lists inside the PEB (Process Environment Block) http://en.wikipedia.org/wiki/Process_Environment_Block and removes itself so it cannot be found by handle or name. This protects it from only 1 scan technique: Warden's method of using GetModuleHandle to look up individual modules.

CreateThread( NULL, 0, HackPulse, NULL, 0, &ThreadId );

This creates a thread, no doubt; for pseudo-reference it has been labeled HackPulse. More on HackPulse later.

PatchJmpCall( 0x774F32E5, WardenChecker, PATCH_JMP );

param1: 0x774F32E5 - the offset to patch
param2: WardenChecker - the function address to patch with
param3: the patch type (jmp or call) in this case it's PATCH_JMP

It expects to write a jmp patch for code WardenChecker at address 0x774F32E5, which is outside the scope of the game code (sc2.exe) or the hack itself (zO_Rival.dll), very unusual... Anything can be loaded at 0x774F32E5; there is no guarantee the expected code is at that location, nor is there any check to see if this task is unsuccessful.

Let us continue.

Now we shall look at HackPulse, the very meat of this hack.

void HackPulse( int )
{
  while ( true )
  {
    if ( GetAsyncKeyState( VK_F5 ) ) // Execute if F5 key is held down.
    {
      WriteMemory((LPVOID)0xF10D04, (int)&g_dwPatchDesyncOn, 7); // Write desync code to game.
    }
    else if ( GetAsyncKeyState( VK_F6 ) ) // Execute if F6 key is held down.
    {
      if ( g_dwToggleState )
      {
        WriteMemory((LPVOID)0x18276B8, (int)&g_dwPatchHack???, 0); // does nothing
      }
      else
      {
        g_dwToggleState = 1;
        WriteMemory((LPVOID)0x18276B8, (int)&g_dwPatchHackON, 1); // Write maphack code to game.
      }
    }
    else if ( GetAsyncKeyState( VK_HOME ) ) // Execute if HOME key is held down.
    {
      // Launch the following website in your computer's default web browser.
      ShellExecute(0, "open", "http://www.blizzhackers.cc/viewtopic.php?f=220&t=470322", 0, 0, SW_SHOWNORMAL);
    }

    Sleep( 50 ); // wait 50 milliseconds
  }
}


It checks every 50 milliseconds if you have a key pressed down: VK_F5, VK_F6, VK_HOME.
Both offsets 0xF10D04 and 0x18276B8 reside inside sc2.exe; there is a slight chance this hack will completely fail if sc2.exe is rebased to another location.

0xF10D04 is executable game code, 0x18276B8 is a global game variable.

Pressing a button to desync will modify
0x00F10D04 add dword ptr [esi+424h], 1
to
0x00F10D04 add dword ptr [esi+424h], 2

The issue with this is that it does not revert the change, so you will remain stuck in 'desync' hack mode until you reload the game. And the state-switching code seems to be broken.

Conclusion: this hack has a very roundabout way of really wanting to do something, but it doesn't really know what to do. Like a dog chasing its own tail. It has potential but has a long way to go. If the warden scan hook fails you will be none the wiser; also, all warden scan techniques are capable of detecting this. Only two anti-detection methods are attempted in this hack, and neither protects the hack from the true danger it exposes itself to, the VirtualQuery scan.

some monkey.

Post subject: Re: [Undetected] zO_Rival v1.0.0
PostPosted: Fri Oct 22, 2010 6:12 am
User
Joined: Sun Mar 01, 2009 10:46 am
Awesome disassembly there SomeMonkey
nice work ; )

_________________
You take and you learn, give and teach back.
For we will give and teach what we have taken and learned.
- CTS_AE -

Post subject: Re: [Undetected] zO_Rival v1.0.0
PostPosted: Fri Oct 22, 2010 12:47 pm
Banned
Joined: Wed Oct 13, 2010 12:53 pm
Anybody could have disassembled this. Right Rolle3k? The offsets you posted are not detected by Warden. However, now it's gonna be detected by Warden since you broke the hack down, public. I also don't see anywhere in the readme where this hack says it is "anti-detected", "safe", and/or "anti-warden".

Post subject: Re: [Undetected] zO_Rival v1.0.0
PostPosted: Fri Oct 22, 2010 4:27 pm
Moderator Gold
Joined: Thu Aug 16, 2007 8:36 pm
Dewe wrote:
Anybody could have disassembled this. Right Rolle3k? The offsets you posted are not detected by Warden. However, now it's gonna be detected by Warden since you broke the hack down, public. I also don't see anywhere in the readme where this hack says it is "anti-detected", "safe", and/or "anti-warden".


I'm not 'someMonkey', if you are trying to imply this. But thanks to ZoroX's Warden-Scan technique this hack will let you choose if you want to continue playing when Warden attempts to scan!

_________________

Post subject: Re: [Undetected] zO_Rival v1.0.0
PostPosted: Fri Oct 22, 2010 10:17 pm
Banned
Joined: Wed Oct 13, 2010 12:53 pm
rolle3k wrote:
I'm not 'someMonkey', if you are trying to imply this. But thanks to ZoroX's Warden-Scan technique this hack will let you choose if you want to continue playing when Warden attempts to scan!


Ehh. I'm sorry because I thought it said "Curious Monkey".

Post subject: Re: [Undetected] zO_Rival v1.0.0
PostPosted: Fri Oct 22, 2010 11:43 pm
Moderator Gold
Joined: Thu Aug 16, 2007 8:36 pm
Dewe wrote:
rolle3k wrote:
I'm not 'someMonkey', if you are trying to imply this. But thanks to ZoroX's Warden-Scan technique this hack will let you choose if you want to continue playing when Warden attempts to scan!


Ehh. I'm sorry because I thought it said "Curious Monkey".

Neither am I CuriousMonkey.

_________________

Post subject: Re: [Undetected] zO_Rival v1.0.0
PostPosted: Sat Oct 23, 2010 3:40 am
User
Joined: Fri Oct 22, 2010 4:15 am
CTS_AE wrote:
Awesome disassembly there SomeMonkey
nice work ; )


np, thanks.

Dewe wrote:
Anybody could have disassembled this. (...) now it's gonna be detected by Warden


Correct.

Dewe wrote:
I also don't see anywhere in the readme where this hack says it is "anti-detected", "safe", and/or "anti-warden".


Sure, let me help you there, from the readme: Warden Scan Detection (...) To prevent this plot of Blizzard, there is an automatic Warden Detector in this hack.


The Monkey.

Post subject: Re: [Undetected] zO_Rival v1.0.0
PostPosted: Sat Oct 23, 2010 3:42 am
Banned
Joined: Wed Oct 13, 2010 12:53 pm
@SomeMonkey:
Dang dude. You are a real gangsta. 40z up! On a serious note, good reversing.

Post subject: Re: [Undetected] zO_Rival v1.0.0
PostPosted: Mon Oct 25, 2010 2:57 am
Moderator Gold
Joined: Sun Nov 24, 2002 9:42 pm
Location: Eastern Michigan University
As always use hacks at your own risk.

_________________
R.I.P. Magichound March 2005

Post subject: Re: [Undetected] zO_Rival v1.0.0
PostPosted: Sat Nov 13, 2010 12:48 am
Section Leader
Joined: Fri Jul 05, 2002 8:51 pm
Location: /sbin/
SomeMonkey wrote:
This function goes through various link lists inside of the PEB(Process environment block) http://en.wikipedia.org/wiki/Process_Environment_Block and removes itself so it cannot be found by handle or name. This protects itself from only 1 scan technique : wardens method of using GetModuleHandle to look up individual modules.


Unlinking yourself from the PEB is not the only method usable for detection. Just because you've unlinked from the PEB doesn't mean you're suddenly invisible; there are two other ways to detect you: the last loaded module info and hooking just below LoadLibrary. If you really want to be "undetected" in the module list, you must manually map your DLL onto the process. Good luck reverse engineering the Windows module loading code.

_________________
D2BS
Programming motherfuckers... DO YOU SPEAK IT?!
I, for one, welcome our new black overlo... I mean, president!
  1. Create signature generator.
  2. ???
  3. Profit!
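
Since the thread turns on what PEB unlinking does and does not hide (SomeMonkey's "VirtualQuery scan" in the review above, lord2800's reply here), the following is an added example, not code from the page, the hack or any poster, modelling the scanner's side: it walks a list of memory regions and flags executable ones that no module in the PEB list accounts for. It runs on constructed sample data; on Windows the regions would come from VirtualQueryEx and the module list from the PEB (or EnumProcessModules), and the module name, base addresses and sizes below are made up.

```python
# Added example (not from the page or the hack): models the "VirtualQuery scan"
# SomeMonkey refers to. On Windows the regions would come from VirtualQueryEx and
# the module list from the PEB; here both are constructed sample data.
from collections import namedtuple

# Win32 constants from winnt.h; only the ones the scan needs.
PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE, PAGE_READWRITE = 0x20, 0x40, 0x04
EXECUTABLE = {0x10, 0x20, 0x40, 0x80}          # the PAGE_EXECUTE* protections
MEM_PRIVATE, MEM_IMAGE = 0x20000, 0x1000000

Region = namedtuple("Region", "base size protect type head")  # MEMORY_BASIC_INFORMATION + first bytes
Module = namedtuple("Module", "name base size")               # one PEB module-list entry

def module_for(addr, modules):
    """The listed module containing addr, or None (GetModuleHandle's view of the world)."""
    return next((m for m in modules if m.base <= addr < m.base + m.size), None)

def looks_like_pe(head):
    """True if head is a DOS header whose e_lfanew points at a PE signature."""
    if len(head) < 0x40 or head[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(head[0x3C:0x40], "little")
    return head[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def scan_regions(regions, modules):
    """Flag executable regions that no module in the PEB list accounts for."""
    findings = []
    for r in regions:
        if r.protect & 0xFF not in EXECUTABLE:        # mask off PAGE_GUARD/NOCACHE bits
            continue
        if module_for(r.base, modules) is not None:   # backed by a listed module: fine
            continue
        kind = "unlisted image" if r.type == MEM_IMAGE or looks_like_pe(r.head) \
            else "private executable memory"
        findings.append((hex(r.base), kind))           # a PEB-unlinked DLL lands here
    return findings

def demo():
    # Constructed sample: one listed module, one unlisted image with a PE header
    # in private memory, one RWX blob, one plain data page.
    pe = bytearray(0x44); pe[:2] = b"MZ"; pe[0x3C:0x40] = (0x40).to_bytes(4, "little"); pe[0x40:] = b"PE\0\0"
    modules = [Module("game.exe", 0x400000, 0x1800000)]
    regions = [Region(0x401000, 0x1000000, PAGE_EXECUTE_READ, MEM_IMAGE, b"\x55\x8b\xec" * 21),
               Region(0x10000000, 0x30000, PAGE_EXECUTE_READ, MEM_PRIVATE, bytes(pe)),
               Region(0x2A00000, 0x1000, PAGE_EXECUTE_READWRITE, MEM_PRIVATE, b"\x90" * 64),
               Region(0x1800000, 0x1000, PAGE_READWRITE, MEM_PRIVATE, bytes(64))]
    return scan_regions(regions, modules)
```

The region walk never consults module names or handles, which is why removing a DLL's PEB entry changes nothing for it; only memory that is not executable, or that belongs to a listed module, passes.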

Post subject: Re: [Undetected] zO_Rival v1.0.0
PostPosted: Sat Nov 13, 2010 11:45 am
User
Joined: Sun Aug 01, 2010 10:38 pm
lord2800 wrote:
Unlinking yourself from the PEB is not the only method usable for detection. Just because you've unlinked from the PEB doesn't mean you're suddenly invisible; there are two other ways to detect you: the last loaded module info and hooking just below LoadLibrary. If you really want to be "undetected" in the module list, you must manually map your DLL onto the process. Good luck reverse engineering the Windows module loading code.


That's been done long ago, starting from Darawk's Manual Mapper, to Hades, a pretty stable one, and others...

_________________
sc2.exe cannot read inside a virtual environment, especially encrypted code ;)

Post subject: Re: [Undetected] zO_Rival v1.0.0
PostPosted: Sun Nov 14, 2010 9:59 am
Section Leader
Joined: Fri Jul 05, 2002 8:51 pm
Location: /sbin/
DefNotACop wrote:
That's been done long ago, starting from Darawk's Manual Mapper, to Hades, a pretty stable one, and others...


And yet this "undetectable" hack does not use it, as testified by the reverse engineering analysis by "SomeMonkey".

_________________
D2BS
Programming motherfuckers... DO YOU SPEAK IT?!
I, for one, welcome our new black overlo... I mean, president!
  1. Create signature generator.
  2. ???
  3. Profit!
