Blizzhackers

All times are UTC [ DST ]

Post subject: [1.4.3] Warden Scan Info
Posted: Sun Dec 12, 2010 6:37 pm
BHDev

Joined: Fri Dec 10, 2010 5:36 am
Location: Blizzard
Offset Scans (Absolute address and the offset are the same, SC2 base is however 0x00800000)
; Absolute_Address, Length
Signature Scans (Type 1 checks for IMAGE_DOS_SIGNATURE and IMAGE_NT_SIGNATURE before scanning)
; Offset, Length, Type, Hash, Seed
WinAPI Detour Scans (Traces hook to destination and does a signature scan; Only checks the first 6 bytes for a hook)
; Offset, Length, Hash, Seed, Function_Name
0x00001F58    0x12    C771FFF44E01D36C5BB05EFC0961C3AAF94BBF02    67B96693    kernel32.VirtualQuery


Attached below is a program I made to test all the Signature Scans. Load whatever hack/program then run VCScan to see if it finds anything; if so, then that program might be detected by Warden with that specific scan type.

DOWNLOAD - VCScan


Last edited by ValiantChaos on Wed Jul 20, 2011 6:06 am, edited 25 times in total.

Post subject: Re: Warden scan info (SC2 v1.1.3.16939)
Posted: Sun Dec 12, 2010 8:19 pm
BHDev

Joined: Fri Dec 10, 2010 5:36 am
Location: Blizzard
Dewe wrote:
Good job Troy. For signatures isn't it like SC2 Base + Offset = Signature?


Signature scans search the entire process memory, so it's Base + Offset and then it makes a hash of those bytes with the given length and compares it to another hash; if the hashes are matching then you're flagged.

Warden uses VirtualQuery() to gather information on the range of pages starting at like 0x00010000, and then adds MEMORY_BASIC_INFORMATION->RegionSize to get the next base address that has different page attributes.
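
The region walk and signature check described in the post above, as an added example that is not part of the thread and is not Warden's code. Regions are simulated with constructed byte strings instead of VirtualQuery() results, keying HMAC-SHA1 with the seed is an assumption (the thread lists a seed and a 20-byte hash but not how they are combined), and the names `Region`, `Signature`, `scan` and `fake_image` are hypothetical.

```python
import hashlib, hmac, struct
from collections import namedtuple

Region = namedtuple("Region", "base data")            # len(data) stands in for RegionSize
Signature = namedtuple("Signature", "offset length sig_type digest seed")

def seeded_hash(seed, data):
    # Assumption: the 32-bit seed keys an HMAC-SHA1; the thread only shows a seed
    # and a 20-byte hash per entry, not how they are combined.
    return hmac.new(struct.pack("<I", seed), data, hashlib.sha1).digest()

def is_pe_image(data):
    """Type 1 precondition: IMAGE_DOS_SIGNATURE at 0, IMAGE_NT_SIGNATURE at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def scan(regions, signatures):
    """Return (region base, offset, type) for every signature that matches."""
    hits = []
    for region in regions:      # a live scanner advances base by RegionSize per VirtualQuery
        for sig in signatures:
            if sig.sig_type == 1 and not is_pe_image(region.data):
                continue
            window = region.data[sig.offset:sig.offset + sig.length]
            if len(window) != sig.length:
                continue        # signature would run past the end of this region
            if hmac.compare_digest(seeded_hash(sig.seed, window), sig.digest):
                hits.append((region.base, sig.offset, sig.sig_type))
    return hits

def fake_image(payload, at, size=0x200):
    """Constructed region with minimal MZ/PE headers and payload placed at `at`."""
    img = bytearray(size)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)
    img[0x80:0x84] = b"PE\0\0"
    img[at:at + len(payload)] = payload
    return bytes(img)

# Constructed sample data: the same 12 marker bytes in a PE image and in a plain region.
MARKER = b"constructed!"
REGIONS = [Region(0x00010000, bytes(0x100)),                         # too small to match
           Region(0x00400000, fake_image(MARKER, 0x120)),            # looks like a module
           Region(0x00A00000, bytes(0x120) + MARKER + bytes(0x20))]  # no PE headers
SIGNATURES = [Signature(0x120, len(MARKER), 1, seeded_hash(0x1234ABCD, MARKER), 0x1234ABCD),
              Signature(0x120, len(MARKER), 0, seeded_hash(0x0BADF00D, MARKER), 0x0BADF00D)]

if __name__ == "__main__":
    for base, offset, sig_type in scan(REGIONS, SIGNATURES):
        print(f"match: region 0x{base:08X} + 0x{offset:X} (type {sig_type})")
```

The type 1 entry matches only the region that carries MZ/PE headers, while the type 0 entry matches the same bytes in any region large enough to hold them.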

Post subject: Re: Warden scan info (SC2 v1.1.3.16939)
Posted: Mon Dec 13, 2010 2:21 pm
User

Joined: Wed Sep 15, 2010 2:54 pm
Good job man :)
How about just finding it by pattern (hook on Flush) and change the
2EFE26A4   74 12            JE SHORT 2EFE26B8   ; jump if hashes are not matched ( SAFE! )

to jump always there, instead of hooking VQ?
Should be also fine.

Post subject: Re: Warden scan info (SC2 v1.1.3.16939)
Posted: Mon Dec 13, 2010 4:16 pm
BHDev

Joined: Fri Dec 10, 2010 5:36 am
Location: Blizzard
I think it's better not to force any jumps in Warden and try to avoid patching in the image section, not to mention that function changes quite a bit so it may require a little more work to find it by pattern.

Post subject: Re: Warden scan info (SC2 v1.1.3.16939)
Posted: Tue Dec 21, 2010 11:25 am
BHDev

Joined: Fri Dec 10, 2010 5:36 am
Location: Blizzard
I updated my first post with the signature scan program I created, you can now download it. I have tried the program on a few other hacks before but the only signatures I found were for my old VCMH and that ghetto maphack method when I NULL the bytes at 0x015C99CC.

Post subject: Re: Warden scan info (SC2 v1.1.3.16939)
Posted: Tue Dec 21, 2010 3:01 pm
User

Joined: Mon Jun 02, 2008 7:20 pm
Nice tool, thx for sharing

Post subject: Re: Warden scan info (SC2 v1.1.3.16939)
Posted: Wed Jan 12, 2011 3:15 pm
BHDev

Joined: Fri Dec 10, 2010 5:36 am
Location: Blizzard
Updated this info, nothing really new except 1 more offset it seems.

Post subject: Re: Warden scan info (SC2 v1.2.0)
Posted: Wed Jan 12, 2011 7:09 pm
User

Joined: Sun Mar 01, 2009 10:46 am
Sweet, thanks

_________________
You take and you learn, give and teach back.
For we will give and teach what we have taken and learned.
- CTS_AE -

Post subject: Re: Warden scan info (SC2 v1.2.0)
Posted: Thu Jan 27, 2011 10:37 am
BHDev

Joined: Fri Dec 10, 2010 5:36 am
Location: Blizzard
Updated first post with new Warden scans

Offsets
0x00A718D6   0x06 ; DMH hack (Dew's)
0x01067C9A   0x08 ; DMH hack (Dew's)


Signatures
0x000032D0   0x36   0   2E55851C3679D8F40E9DD27B83BF9EBE3F3DF934   D177CF64 ; DMH module hack (Dew's)
0x0084CCC5   0x0C   1   06EE4AF9A6D7247F6156B478E263505153949A37   DFD2BC3D ; VCMH SC2.exe patch
0x0087450B   0x0C   1   677F369B31D278976B833B0B1372746CA9EEDA8F   2F54C814 ; VCMH SC2.exe patch
0x008356B8   0x0E   1   CFDEF6E7B890C80D54E52D8C871414602FFE5316   77CFD113 ; VCMH SC2.exe patch


Logged these on SEA server, these new scans don't seem to happen in all games. Perhaps Blizzard trying to hide them?

Post subject: Re: Warden scan info (SC2 v1.2.0)
Posted: Fri Jan 28, 2011 3:09 pm
User

Joined: Sun Jul 04, 2010 2:15 am
hi nub here, but what can these offsets tell us?

Post subject: Re: Warden scan info (SC2 v1.2.0)
Posted: Fri Jan 28, 2011 4:58 pm
User

Joined: Sun Mar 01, 2009 10:46 am
Defqon wrote:
hi nub here, but what can these offsets tell us?


"These offsets" tell us what warden is scanning for, and then how much @ that location they are scanning for.
So if you modify the information there, and warden doesn't like it, it's gg for your bnet account next ban wave.

Post subject: Re: Warden scan info (SC2 v1.2.0)
Posted: Tue Feb 15, 2011 4:43 pm
User

Joined: Mon Feb 14, 2011 3:49 pm
New patch is out, version 1.2.1.

Post subject: Re: Warden Scan Info (SC2 v1.2.1)
Posted: Sat Feb 19, 2011 3:48 am
User

Joined: Mon Feb 14, 2011 3:49 pm
Just want to clarify, this is for version 1.2.1? Because the MH is for version 1.2.2, and the current version of SC2 is 1.2.1. I'm just a bit confused about the version. Thanks VC!

Post subject: Re: Warden Scan Info (SC2 v1.2.1)
Posted: Sat Feb 19, 2011 4:00 am
User

Joined: Mon Jun 02, 2008 7:20 pm
danieltan wrote:
Just want to clarify, this is for version 1.2.1? Because the MH is for version 1.2.2, and the current version of SC2 is 1.2.1. I'm just a bit confused about the version. Thanks VC!


if you want to know about 1.2.2, VC posted it here:
http://www.d3scene.com/forum/starcraft- ... 2-2-a.html

Post subject: Re: Warden Scan Info (SC2 v1.2.1)
Posted: Sat Feb 19, 2011 4:06 am
User

Joined: Mon Feb 14, 2011 3:49 pm
longxxx wrote:
danieltan wrote:
Just want to clarify, this is for version 1.2.1? Because the MH is for version 1.2.2, and the current version of SC2 is 1.2.1. I'm just a bit confused about the version. Thanks VC!


if you want to know about 1.2.2, VC posted it here:
http://www.d3scene.com/forum/starcraft- ... 2-2-a.html


Thank you! :D
