Blizzhackers

 Post subject: [2.0.8] Warden Scan Info
PostPosted: Sun Dec 12, 2010 6:37 pm 
 
BHDev

Joined: Fri Dec 10, 2010 5:36 am
Location: Blizzard
Offset Scans (Absolute address and the offset are the same, SC2 base is however 0x00800000)
; Offset - Length
Signature Scans (Type 1 checks for IMAGE_DOS_SIGNATURE and IMAGE_NT_SIGNATURE before scanning)
; Offset - Length - Type - Hash - Seed
WinAPI Detour Scans (Traces hook to destination and does a signature scan; Only checks the first 6 bytes for a hook)
; Offset, Length, Hash, Seed, Function_Name
; Offset - Length - Hash - Seed - API
0x0000000A    8     8FFD9CC20B8EEA01B8BA14F634A189229A39D21A    4E9A219E    kernel32.FlushInstructionCache
0x00001F58    18    EA03ECA7821869220A9D377EF6008EB4A5EDA9E5    A87FEAB2    kernel32.VirtualQuery


Attached below is a program I made to test all the Signature Scans. Load whatever hack/program, then run VCScan to see if it finds anything; if so, then that program might be detected by Warden with that specific scan type.

DOWNLOAD - VCScan


Last edited by ValiantChaos on Wed Jul 20, 2011 6:06 am, edited 25 times in total.
 Post subject: Re: Warden scan info (SC2 v1.1.3.16939)
PostPosted: Sun Dec 12, 2010 8:19 pm 
 
BHDev

Joined: Fri Dec 10, 2010 5:36 am
Location: Blizzard
Dewe wrote:
Good job Troy. For signatures isn't it like SC2 Base + Offset = Signature?


Signature scans search the entire process memory, so it's Base + Offset and then it makes a hash of those bytes with the given length and compares it to another hash; if the hashes are matching then you're flagged.

Warden uses VirtualQuery() to gather information on the range of pages starting at like 0x00010000, and then adds MEMORY_BASIC_INFORMATION->RegionSize to get the next base address that has different page attributes.
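
The scan described in the post above, as an added example that is not from the thread or from Warden itself: it walks a constructed region list the way a VirtualQuery loop does (next address = base + RegionSize) and applies a seeded hash at base + offset, with the Type 1 PE-header precondition. The `Region` class, the constructed memory map and the HMAC-SHA1 keying are assumptions; the thread only says that a hash and a seed are used.

```python
import hashlib, hmac, struct
from dataclasses import dataclass

MEM_COMMIT, MEM_RESERVE = 0x1000, 0x2000  # Windows page-state constants

@dataclass
class Region:  # hypothetical stand-in for MEMORY_BASIC_INFORMATION plus its bytes
    base: int
    size: int  # RegionSize
    state: int
    data: bytes = b""

def seeded_hash(seed, chunk):
    # Assumption: HMAC-SHA1 keyed with the 32-bit seed; the thread names no construction.
    return hmac.new(struct.pack("<I", seed), chunk, hashlib.sha1).hexdigest().upper()

def is_pe_image(data):
    # Type 1 precondition: "MZ" (IMAGE_DOS_SIGNATURE), then "PE\0\0" at e_lfanew.
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def walk_regions(regions, start=0x00010000):
    # Same stepping as a VirtualQuery loop: next query address = base + RegionSize.
    by_base, addr = {r.base: r for r in regions}, start
    while addr in by_base:
        yield by_base[addr]
        addr += by_base[addr].size

def signature_scan(regions, offset, length, scan_type, want_hash, seed):
    hits = []
    for r in walk_regions(regions):
        if r.state != MEM_COMMIT or offset + length > len(r.data):
            continue  # unreadable region, or too short to hold the span
        if scan_type == 1 and not is_pe_image(r.data):
            continue
        if hmac.compare_digest(seeded_hash(seed, r.data[offset:offset + length]), want_hash):
            hits.append(r.base + offset)
    return hits

def demo():
    # Constructed memory map: blank page, reserved gap, a PE image, a non-PE buffer.
    marker, seed = b"\xDE\xAD\xBE\xEF\x00\x01\x02\x03", 0x1234ABCD
    raw = bytes(0x200) + marker + bytes(0xDF8)
    pe = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x80) + bytes(0x40) + b"PE\0\0" + raw[0x84:]
    regions = [Region(0x10000, 0x1000, MEM_COMMIT, bytes(0x1000)), Region(0x11000, 0x2000, MEM_RESERVE),
               Region(0x13000, 0x1000, MEM_COMMIT, pe), Region(0x14000, 0x1000, MEM_COMMIT, raw)]
    return [signature_scan(regions, 0x200, 8, t, seeded_hash(seed, marker), seed) for t in (0, 1)]
```
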

 Post subject: Re: Warden scan info (SC2 v1.1.3.16939)
PostPosted: Mon Dec 13, 2010 2:21 pm 
 
User

Joined: Wed Sep 15, 2010 2:54 pm
Good job man :)
How about just finding it by pattern (hook on Flush) and change the
2EFE26A4   74 12            JE SHORT 2EFE26B8   ; jump if hashes are not matched ( SAFE! )

to jump always there, instead of hooking VQ?
Should be also fine.

 Post subject: Re: Warden scan info (SC2 v1.1.3.16939)
PostPosted: Mon Dec 13, 2010 4:16 pm 
 
BHDev

Joined: Fri Dec 10, 2010 5:36 am
Location: Blizzard
I think it's better not to force any jumps in Warden and try to avoid patching in the image section, not to mention that function changes quite a bit so it may require a little more work to find it by pattern.

 Post subject: Re: Warden scan info (SC2 v1.1.3.16939)
PostPosted: Tue Dec 21, 2010 11:25 am 
 
BHDev

Joined: Fri Dec 10, 2010 5:36 am
Location: Blizzard
I updated my first post with the signature scan program I created, you can now download it. I have tried the program on a few other hacks before but the only signatures I found were for my old VCMH and that ghetto maphack method when I NULL the bytes at 0x015C99CC.

 Post subject: Re: Warden scan info (SC2 v1.1.3.16939)
PostPosted: Tue Dec 21, 2010 3:01 pm 
 
User

Joined: Mon Jun 02, 2008 7:20 pm
Nice tool, thx for sharing

 Post subject: Re: Warden scan info (SC2 v1.1.3.16939)
PostPosted: Wed Jan 12, 2011 3:15 pm 
 
BHDev

Joined: Fri Dec 10, 2010 5:36 am
Location: Blizzard
Updated this info, nothing really new except 1 more offset it seems.

 Post subject: Re: Warden scan info (SC2 v1.2.0)
PostPosted: Wed Jan 12, 2011 7:09 pm 
 
User

Joined: Sun Mar 01, 2009 10:46 am
Sweet, thanks

_________________
You take and you learn, give and teach back.
For we will give and teach what we have taken and learned.
- CTS_AE -

 Post subject: Re: Warden scan info (SC2 v1.2.0)
PostPosted: Thu Jan 27, 2011 10:37 am 
 
BHDev

Joined: Fri Dec 10, 2010 5:36 am
Location: Blizzard
Updated first post with new Warden scans

Offsets
0x00A718D6   0x06 ; DMH hack (Dew's)
0x01067C9A   0x08 ; DMH hack (Dew's)


Signatures
0x000032D0   0x36   0   2E55851C3679D8F40E9DD27B83BF9EBE3F3DF934   D177CF64 ; DMH module hack (Dew's)
0x0084CCC5   0x0C   1   06EE4AF9A6D7247F6156B478E263505153949A37   DFD2BC3D ; VCMH SC2.exe patch
0x0087450B   0x0C   1   677F369B31D278976B833B0B1372746CA9EEDA8F   2F54C814 ; VCMH SC2.exe patch
0x008356B8   0x0E   1   CFDEF6E7B890C80D54E52D8C871414602FFE5316   77CFD113 ; VCMH SC2.exe patch


Logged these on SEA server; these new scans don't seem to happen in all games. Perhaps Blizzard is trying to hide them?

 Post subject: Re: Warden scan info (SC2 v1.2.0)
PostPosted: Fri Jan 28, 2011 3:09 pm 
 
User

Joined: Sun Jul 04, 2010 2:15 am
hi nub here, but what can these offsets tell us?

 Post subject: Re: Warden scan info (SC2 v1.2.0)
PostPosted: Fri Jan 28, 2011 4:58 pm 
 
User

Joined: Sun Mar 01, 2009 10:46 am
Defqon wrote:
hi nub here, but what can these offsets tell us?


"These offsets" tell us what Warden is scanning for, and then how much @ that location they are scanning for.
So if you modify the information there, and warden doesn't like it, it's gg for your bnet account next ban wave.

 Post subject: Re: Warden scan info (SC2 v1.2.0)
PostPosted: Tue Feb 15, 2011 4:43 pm 
 
User

Joined: Mon Feb 14, 2011 3:49 pm
New patch is out, version 1.2.1.

 Post subject: Re: Warden Scan Info (SC2 v1.2.1)
PostPosted: Sat Feb 19, 2011 3:48 am 
 
User

Joined: Mon Feb 14, 2011 3:49 pm
Just want to clarify, this is for version 1.2.1? Because the MH is for version 1.2.2, and the current version of SC2 is 1.2.1. I'm just a bit confused of the version. Thanks VC!

 Post subject: Re: Warden Scan Info (SC2 v1.2.1)
PostPosted: Sat Feb 19, 2011 4:00 am 
 
User

Joined: Mon Jun 02, 2008 7:20 pm
danieltan wrote:
Just want to clarify, this is for version 1.2.1? Because the MH is for version 1.2.2, and the current version of SC2 is 1.2.1. I'm just a bit confused of the version. Thanks VC!


if you want to know about 1.2.2, VC posted it here:
http://www.d3scene.com/forum/starcraft- ... 2-2-a.html

 Post subject: Re: Warden Scan Info (SC2 v1.2.1)
PostPosted: Sat Feb 19, 2011 4:06 am 
 
User

Joined: Mon Feb 14, 2011 3:49 pm
longxxx wrote:
danieltan wrote:
Just want to clarify, this is for version 1.2.1? Because the MH is for version 1.2.2, and the current version of SC2 is 1.2.1. I'm just a bit confused of the version. Thanks VC!


if you want to know about 1.2.2, VC posted it here:
http://www.d3scene.com/forum/starcraft- ... 2-2-a.html


Thank you! :D
