 Welcome to BiW Reversing

How to reverse Warcraft 3 1.18 Memory access protection

Tutorials / Level: newbie

Warcraft 3 seems to use the SetSecurityInfo() API to prevent us from obtaining a handle to its process.

Okay, I debugged and played around with Warcraft 3 for some time.

Trying to understand this protection scheme myself, I present here
the proof of how to defeat it.

SetSecurityInfo() blocks us from accessing its memory.
Let me explain SetSecurityInfo() to you:

------------------------------------------
The SetSecurityInfo function sets specified security information
in the security descriptor of a specified object.
The caller identifies the object by a handle.

DWORD SetSecurityInfo(

HANDLE handle, // handle to the object
SE_OBJECT_TYPE ObjectType, // type of object
SECURITY_INFORMATION SecurityInfo, // type of security information to set
PSID psidOwner, // pointer to the new owner SID
PSID psidGroup, // pointer to the new primary group SID
PACL pDacl, // pointer to the new DACL
PACL pSacl // pointer to the new SACL
);
------------------------------------------

Warcraft 3 passes parameters to this function that block us from getting a valid process handle, or from altering its memory.
We want such a handle if we want to fiddle with it ;)

But where is Warcraft doing this? Simply debug it and set a breakpoint on SetSecurityInfo.

After debugging, we get this result:

------------ game.dll snippet ------------
.6F009962: 53 push ebx ;0
.6F009963: 8D95E0FDFFFF lea edx,[ebp][-00000220]
.6F009969: 52 push edx ; 0012FB4Ch
.6F00996A: 53 push ebx ; 0
.6F00996B: 53 push ebx ; 0
.6F00996C: 6804000080 push 080000004 ; DACL_SECURITY_INFORMATION | PROTECTED_DACL_SECURITY_INFORMATION
.6F009971: 6A06 push 006 ; 6
.6F009973: 50 push eax ; FFFFFFFFh
.6F009974: FF55EC call d,[ebp][-14] ; SetSecurityInfo()
------------ game.dll snippet ------------

From here, we have the SetSecurityInfo() API call with these params:
SetSecurityInfo(0xFFFFFFFF, 6, DACL_SECURITY_INFORMATION | PROTECTED_DACL_SECURITY_INFORMATION, 0, 0, 0x0012FB4C, 0);

That is: the handle 0xFFFFFFFF is the pseudo-handle for the current process, the object type 6 is SE_KERNEL_OBJECT, and pDacl points to the new DACL that was built on the stack at 0x0012FB4C.

We just have to pass NULL as the third parameter.

Passing NULL as the SecurityInfo param makes sure the API doesn't do anything that can block us. To be exact, with that param NULL the API doesn't set the specified security information in the discretionary access control list (DACL) of the object's security descriptor.

We patch 6804000080 at address 6F00996C to 6800000000 (push 080000004 becomes push 0).

Just edit game.dll with ANY hex editor and patch it.
I accessed Warcraft 3 memory without any problems :-)
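As an added example (not code from this post, from Warcraft 3, or from Blizzard), here is the defender-side integrity check you would run over a shipped image to see whether the SetSecurityInfo() argument pushes from the listing are intact: it scans for the argument sequence with the SecurityInfo immediate left as a wildcard, decodes that immediate into its SECURITY_INFORMATION names, and flags a call site whose DACL bits have been cleared. The sample bytes are constructed from the snippet above, not read from a real game.dll, and the pattern search is offset-independent, so the file offset of 6F00996C does not need to be known.

```python
import struct

# SECURITY_INFORMATION bits from winnt.h
DACL_SECURITY_INFORMATION = 0x00000004
PROTECTED_DACL_SECURITY_INFORMATION = 0x80000000
EXPECTED_SECINFO = DACL_SECURITY_INFORMATION | PROTECTED_DACL_SECURITY_INFORMATION
SE_KERNEL_OBJECT = 6  # SE_OBJECT_TYPE value pushed as the second argument

# Byte pattern of the argument pushes from the listing above:
#   68 ?? ?? ?? ??   push <SecurityInfo>   (immediate left as a wildcard)
#   6A 06            push 6                (SE_KERNEL_OBJECT)
#   50               push eax              (handle, 0xFFFFFFFF at run time)
#   FF 55 EC         call [ebp-14h]        (SetSecurityInfo)
PATTERN = [0x68, None, None, None, None, 0x6A, SE_KERNEL_OBJECT, 0x50, 0xFF, 0x55, 0xEC]


def find_security_info_pushes(image):
    """Return (offset, SecurityInfo immediate) for every matching call site."""
    hits = []
    for off in range(len(image) - len(PATTERN) + 1):
        if all(p is None or image[off + i] == p for i, p in enumerate(PATTERN)):
            (secinfo,) = struct.unpack_from("<I", image, off + 1)  # little-endian imm32
            hits.append((off, secinfo))
    return hits


def describe_security_info(value):
    """Name the SECURITY_INFORMATION bits that are set in the immediate."""
    names = []
    if value & DACL_SECURITY_INFORMATION:
        names.append("DACL_SECURITY_INFORMATION")
    if value & PROTECTED_DACL_SECURITY_INFORMATION:
        names.append("PROTECTED_DACL_SECURITY_INFORMATION")
    return names


def is_tampered(value):
    """True when either bit the shipped binary relies on has been cleared."""
    return (value & EXPECTED_SECINFO) != EXPECTED_SECINFO


def check_image(image):
    """Audit an image: one (offset, flag names, tampered?) tuple per call site."""
    return [(off, describe_security_info(v), is_tampered(v))
            for off, v in find_security_info_pushes(image)]


# Constructed sample inputs (not real game.dll contents): the instruction bytes
# from the listing, and the same bytes with the immediate zeroed as the post does.
ORIGINAL = bytes.fromhex("538D95E0FDFFFF52535368040000806A0650FF55EC")
PATCHED = ORIGINAL.replace(bytes.fromhex("6804000080"), bytes.fromhex("6800000000"))

if __name__ == "__main__":
    for name, img in (("original", ORIGINAL), ("patched", PATCHED)):
        print(name, check_image(img))
```

On a real image the same check is worth running against the in-memory copy of the module as well as the file, since a loader can apply the patch after the file has been verified.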

Good luck working on your map hacks, namespoof hacks, etc.

;---------------------------------
Thanks to BiW Reversing Community!
Our site can be reached at:

http://biw.rult.at/
http://www.reversing.be/
;---------------------------------

Thanks: Detten, zeph, CopyMasta,[Wizzer] ; ...

copyright (c) BoR0
March, 2005




How to reverse Warcraft 3 1.18 Memory access protection | 7 comments
How to reverse Warcraft 3 1.18 Memory access protection
Authored by: l1_gold on Tuesday, May 10 2005 @ 09:14 PM CEST
Hey BoRO, I've been trying to disassemble game.dll without success. The file is 8 MB, my PC is a P IV 2.2 GHz with 1024 MB RAM, I am using W32Dasm demo version 8.7, and I always get a Windows error (program crashes) while trying to disassemble that file.

Is the problem because it is a demo version, or does the release have some bugs, or am I doing something wrong? BTW, I'm a new member just starting (newbie), so I'll appreciate the help. Thanks in advance.
How to reverse Warcraft 3 1.18 Memory access protection
Authored by: l1_gold on Wednesday, May 11 2005 @ 06:17 PM CEST
Hi BoRO, I went to the shortcut sites you have in your signature. I found PVDasm in the tools section; it works great, just a bit too slow, but it works anyway. Now I've got another problem :( The problem is that when I edit anything in game.dll, including what you posted in this example, I get a version check error when I try to access PvPGN servers (I am running with the ACiD PvPGN loader).
How to reverse Warcraft 3 1.18 Memory access protection
Authored by: Arbitel on Saturday, January 21 2006 @ 02:05 AM CET
Hi BoRO, I tried your loader to remove the protection, but it does not work because I need to run the PvPGN loader in order to play on my server. Weirdly, I did not encounter this error just yesterday. Help~
How to reverse Warcraft 3 1.18 Memory access protection
Authored by: peterpan on Tuesday, August 15 2006 @ 08:38 AM CEST
I am also playing Warcraft with the PvPGN Loader ACiD. Can someone show me step by step? I don't quite get it. MSN maybe? Thanks :)
asian_crusader@hotmail.com
I'm just trying to play Warcraft with my maphacks, but they get blocked by the protection. I have tried loaders, but then I can't connect to Battle.net =(
So sad.
Thanks in advance.
 Copyright © 2020 BiW Reversing