a way to bypass bnet/garena detection

This is a discussion in the Warcraft 3 Hacks, bots and tools board of the Warcraft 3 forum category.

#1 thewisp (Advanced Hacker)

    How does bnet warden detect your maphack?

    Since it knows about "common" maphacks, it scans several addresses in the game.dll module (the loaded game.dll in RAM, not the file); these are the addresses where a maphack would change things.

    Now the question is: WHY does warden know it is "game.dll"?

    Is the base address of game.dll saved anywhere?

    I have traced war3.exe: it loads game.dll with LoadLibraryA, then calls gamemain with the base address of game.dll (6F000000) as argument; this gamemain only returns when the game quits. During the whole thing, war3.exe knows nothing about game.dll, and doesn't use any function from game.dll.

    I guess bnet just uses "game.dll" as a name to get the address and scans in it.

    So actually you can modify war3.exe so that it loads "another" game.dll after the normal one, let's say "gamehack.dll". See the pic:

    push game.dll
    call edi ; here edi = LoadLibraryA

    Before the next step (mov esi, eax), which saves the result (6F000000), you have to insert another load:

    push game.dll
    call edi
    push gamehack.dll
    call edi
    mov esi, eax
    ...

    Now it returns the base address of gamehack.dll, not game.dll, which means the game uses gamehack.dll as its main code, but game.dll is also loaded (taking address 6F000000).

    Now you can make any change to gamehack.dll, because warden never knows about it. Warden only knows "game.dll", so it will have game.dll and its code, but there are no changes at all.

#2 starss (Member)
    Bravo!

#3 cr1st1 (Newbie)
    thx for this!

#4 s4k0n (Wannabe Member, Poland)
    Going to check it out : )

#5 TheParanoidOne (Newbie)
    Sounds really great, but I don't get it. Normally I'm not that stupid when working with the computer, but all that
    ...
    "push game.dll
    call edi ; here edi = LoadLibraryA

    before next step (mov esi, eax) where it saves the result (6F000000)
    you gotta insert another load

    push game.dll
    call edi
    push gamehack.dll
    call edi
    mov esi, eax"
    ...
    makes me crazy. Do I have to use any Visual Studio stuff or things like that? Cause all that "edi" "mov esi, eax" stuff confuses me, never heard of it.

    Btw, Rep'd

#6 SebiP (Wannabe Member)
    Same problem as TheParanoidOne.

#7 thewisp (Advanced Hacker)
    Quote Originally Posted by TheParanoidOne:
    "Sounds really great, but I don't get it. [...] all that 'push game.dll / call edi / ... / mov esi, eax' makes me crazy. Do I have to use any Visual Studio stuff or things like that? Cause all that "edi" "mov esi, eax" stuff confuses me, never heard of it."

    This is assembly language.
    Since we don't have the source code of war3, we can only modify it this way.

    edi/esi/eax are registers. In that step, edi = the function LoadLibraryA:
    push x   <- the string "game.dll"
    call edi <- load it

    Then this LoadLibraryA gives back the module address of the loaded game.dll,
    which is usually 0x6F000000.
    Then it uses 0x6F000000 as the parameter to call gamemain; gamemain is the main process of war3, everything is in it.

    What if we do this twice?
    load game.dll
    load gamehack.dll

    And then continue: it will use the address of gamehack.dll as main, which means war3 doesn't use game.dll at all... but game.dll is just there to show "I don't cheat".
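As an added example (not from the thread, and not Warden's actual logic), the following Python models the gap posts #1 and #7 rely on: a scanner that selects the module by the name "game.dll" and hashes code inside it, beside one that recognises the game image by content regardless of file name and checks which base the game is actually running from. Module names other than game.dll/war3.exe, every base except 6F000000, the export names and the code bytes are constructed stand-ins, and it is assumed the scanner can observe the base handed to gamemain (passed in here as active_base).

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Module:                 # constructed stand-in for one loaded module
    name: str
    base: int
    exports: frozenset        # stand-in for the PE export table
    code: bytes               # stand-in for the mapped .text section

GENUINE_CODE = bytes(range(64))                              # constructed .text
GENUINE_HASH = hashlib.sha256(GENUINE_CODE).hexdigest()
GENUINE_EXPORTS = frozenset({"GameMain", "GameGetVersion"})  # constructed names

def name_keyed_scan(modules, target="game.dll"):
    """The weak check the thread relies on: only the module *named* target is hashed."""
    for m in modules:
        if m.name.lower() == target:
            return "clean" if hashlib.sha256(m.code).hexdigest() == GENUINE_HASH else "patched"
    return "missing"

def content_keyed_scan(modules, active_base):
    """Stronger check: every module carrying the game's export table counts as a game
    image whatever its name, and the base handed to gamemain must belong to game.dll."""
    findings = []
    images = [m for m in modules if m.exports == GENUINE_EXPORTS]
    if len(images) > 1:
        findings.append("duplicate game image: " + ", ".join(sorted(m.name for m in images)))
    findings += [f"patched code in {m.name}" for m in images
                 if hashlib.sha256(m.code).hexdigest() != GENUINE_HASH]
    named = [m for m in modules if m.name.lower() == "game.dll"]
    if not named or named[0].base != active_base:
        findings.append(f"game running from {active_base:#x}, not from game.dll")
    return findings

# Constructed scenario from the thread: pristine game.dll at 6F000000 plus a patched
# copy under another name at another (made-up) base, which the game actually runs from.
patched = bytearray(GENUINE_CODE)
patched[10] ^= 0xFF                                          # one patched byte
MODULES = (
    Module("war3.exe", 0x00400000, frozenset(), bytes(64)),
    Module("game.dll", 0x6F000000, GENUINE_EXPORTS, GENUINE_CODE),
    Module("gamehack.dll", 0x10000000, GENUINE_EXPORTS, bytes(patched)),
)
ACTIVE_BASE = 0x10000000                                     # base passed to gamemain

if __name__ == "__main__":
    print("name-keyed   :", name_keyed_scan(MODULES))         # clean: the copy is missed
    print("content-keyed:", content_keyed_scan(MODULES, ACTIVE_BASE))
```

The name-keyed scan reports "clean" for this scenario while the content-keyed scan raises three findings, which is the difference the thread's question about "offsets versus processes" turns on.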

#8 yinghanhan (Newbie)
    You can use OllyDbg to show all the assembly language, and use a hex editor to edit the opcode ... thanks for giving this information ^^

#9 thewisp (Advanced Hacker)
    To complete the hack, you either need to write a loader or modify the war3.exe file (remember bnet logon needs to check the file! So you have to bypass it with war3.org or the like).

    A loader can load war3.exe and hook 0x0040130A to add 2 more instructions (load another file).
    You also need to copy game.dll and rename it to something like gamehack.dll.
    Actually this provides a way to hack by static changes:
    you can patch the gamehack.dll FILE instead of the process for a maphack.

#10 Wolfszorn (Advanced Hacker)
    Has anyone confirmed that this bypasses warden? I thought warden checks for offsets, not for running processes.
