
We are back to square one! Warcraft III is UNSAFE again!!!

Status
Not open for further replies.
Level 9
Joined
Jul 30, 2012
Messages
156

The exploit is CONFIRMED! Patch 1.27 is vulnerable to arbitrary code execution!!!


So, I just found a way to typecast values again in Patch 1.26. With this trick I can perform an I2C and execute raw JASS bytecode, which in turn allows me to read and write memory from the game process, allowing me to execute arbitrary machine code from inside a map!

I thought the release of patch 1.27, only about 3 weeks after I discovered the exploit, was an indication that they were going to fix it. But they didn't; they didn't modify anything in the JASS VM from patch 1.26. I didn't have to change anything in my code, I just ran it in the new patch, and it worked.

This thread discusses not only the exploit, but also the possibility of developing an unofficial community-driven custom patch for Warcraft. This patch would not only fix the security issue, but could also introduce many new features into the game. With time, we could even implement everything in the [thread=257163]1.27 wish list[/thread] by ourselves.

Now, before saying that such a thing would be impossible, impractical, or would not work in Battle.net, please read all posts under this thread, especially my [post=2792981]latest post[/post]. Here follows my original post, before I had finished the exploit:


A brief history of Warcraft


In the pre-historic days of pre-1.20 Warcraft, some unknown guy found the marvelous "Return Bug" thing - the ability to typecast values from one type into another with no restrictions.

Quickly everyone learned about it, and started using it to store things in the gamecache. This gave origin to a whole new generation of map making - modders were able to do things that were never thought to be possible.

By that time, everything was wonderful. Every big map started using this thing, everyone was happy, and so was Blizzard - after all, it's not every day that a major bug in your product becomes its most valuable feature.

Then around the time of the 1.23 patch, the Warcraft community was stunned by some (Russian?) guy who found a very dangerous exploit: through the use of I2C, that guy managed to execute arbitrary machine code from inside a map.

Suddenly the world came down in an instant. This thing violates every known principle of computer security. By that time the Warcraft community was much bigger than it is now. People were used to joining battle.net and playing custom maps they had never seen before. So, hackers started to make maps that infect players' computers with viruses as soon as they join the game. Added to the fact that most users run Warcraft as Administrator, this allowed them to easily take control of their machines.

So, things couldn't stay as they were. Blizzard was forced to do something as quick as possible. But this exploit was based on the famous "Return Bug", the most valuable thing they have. Every popular map was using it, DotA was using it, so how could they solve this security problem without breaking every map?

As we all know, they came out with a very clever solution. They removed the ability to typecast values, and gave us Hashtables in exchange. Map makers quickly adapted, and everything was good again.

Until now...

The present state of Warcraft III


  • Warcraft III is now an ancient game. People don't play it anymore - the size of its community is now exponentially smaller than it once was.
  • Blizzard doesn't seem to support the game anymore. The last patch was released 5 years ago. Blizzard's main source of profit is Starcraft II - they don't make money from Warcraft anymore.
  • There are rumors that they could release a new patch. To be honest, I'm very skeptical about this. Some guy pointed out that their site is announcing job positions for development of "classic games", where WC3 is included. One can assume that no development is being made on WC3 while those job positions are still vacant.

As you can see, things have changed. They are not as they used to be in the times of 1.23. By that time they were able to quickly fix the major security issue. But will they do it now?

What if I told you that I just found a way to do I2C in the 1.26 patch?

The future, and the possibilities


Ok, so what happens if people with intentions not as good as mine become aware of this thing? Either Blizzard will release a quick fix. Or they will simply not care! And what happens if they choose to do that? Will the game definitely die?

I've been thinking, why do we need Blizzard to do everything for us? Just look at the amount of things that people are requesting in the [thread=257163]1.27 wish list[/thread]. I'm pretty sure many people in the community are capable of implementing some of those things by themselves, so what do we need Blizzard for?

We could easily create a community-driven unofficial patch for Warcraft, to add all the features we have always dreamed about. It could be made open-source, so that everyone could contribute. And look, we already have Sharpcraft as a starting point.

But no one uses Sharpcraft natives in map making. Why? I know, it's because it requires the end user to install custom stuff on their computer, as opposed to just joining a map in b.net and having it automatically downloaded.

But what if every Warcraft player in the world had Sharpcraft installed? What if it was so popular, that nobody would install one without the other? Think about Firefox and Greasemonkey. Browser scripts have become so popular, that it's no crime if they require Greasemonkey to be installed.

Of course, Sharpcraft doesn't have that much popularity. The average Warcraft player doesn't even know that it exists. But I see a way that this could change: if the game is now unsafe, and hackers start to put viruses on maps, people will start looking for a solution.

And if Blizzard doesn't provide that solution, we can. I could easily fix that bug myself, and then Sharpcraft (or w/e the community custom patch would be called) will become very popular. Every "newbie tutorial" you find on the internet, teaching noobs how to "download and install Warcraft", will also teach them how to install the custom patch, to "make the game safer".

Obviously this patch will do much more than just a security fix. With time, we could implement everything in the 1.27 wish list, without waiting for Blizzard's good will. We will end up with a very powerful game engine, that will have complete support for all the existing resources, but will also be completely free from the current Warcraft III limitations.

What I will be doing now is research a bit more on the I2C thing. I will examine the old 1.23 exploit, try to figure out how it works, and if it can be reproduced in 1.26. If I fail to do that, I will conclude that I2C is safe to use, and I will make it public.

If I succeed in executing arbitrary code,
I have succeeded, the exploit is REAL!!! I'd like to hear your opinion on what should I do with this knowledge. If this was in another time, I would simply report the vulnerability to Blizzard. But I don't have faith that they will do anything about it.

What do you think? Is a custom community-driven patch for Warcraft viable?
 
I also thought about this, but it would be impractical because Blizzard is still supporting this game and we would not be able to play on Battle.Net servers for multiplayer - which is the most important aspect, second being single player.

Hosting a server is a lot to do and we would not get as many people as official servers have. And have you read the agreement that you agreed upon when installing Warcraft 3?
 
Level 9
Joined
Jul 30, 2012
Messages
156
I also thought about this, but it would be impractical because Blizzard is still supporting this game and we would not be able to play on Battle.Net servers for multiplayer - which is the most important aspect, second being single player.

Correct me if I'm wrong, but wouldn't it be possible to play with Sharpcraft on Battle.Net, if all players that join the game had it installed? That's exactly what I'm proposing, a game mod that will be so popular that everyone will install. There would be no custom servers, everyone would play it on B.net itself.

don't forget you will probably get sued for reverse-engineering the game code, as well as spreading an altered/modified version of the game

I'm no expert in software law, but I'm pretty sure that making an addon to an existing product is NOT illegal. This "custom patch" would not be modifying any of the existing game files, it would only be adding new functionality by loading a DLL in the game process at runtime. After all, that's exactly what Sharpcraft already does.
 
Level 11
Joined
Jun 2, 2004
Messages
849
People who write malicious code generally do so to A) infect as many people as possible, or B) infect specific individuals. Due to the small size of the community, I don't think A is very much of a concern. I find it doubtful anyone would write up an exploit just to wreck a handful of computers when they could write up a virus to wreck hundreds of thousands. B might be more of a problem. If the exploit becomes known, someone might install a keylogger or something in a high profile individual's computer to get access to their passwords or something. I still find this doubtful, but possible enough to warrant caution on the part of people like the admins here.
 
You won't be able to play on Battle.Net with a custom patch or a mod; it has something to do with how Battle.net works. It would have to be a super-amazing mod that everybody will go to on an unofficial server.

Besides, Blizzard ruined RtC (they don't admit it), because it was getting more advanced with features. So they just released a new patch that fixes almost nothing and breaks RtC.
 
For my Heaven's Fall mod, I sometimes face similar questions in terms of public deployment of a custom code upgrade, and I'm doubtful as to whether your suggestion would work. Back in like 1.21ish, a wc3 mod could just be a new war3patch mpq file to load new content into the game in its normal way, but... Around the time they removed the need for a CD, they changed war3.exe to recognize the hash of game files I think. I forget for certain whether this included the MPQ files or was just game.dll, but a swap-out of these game files to create a fan mod causes the game's EXE to crash with the latest patch. (A deliberate, newly added crash)

Heaven's Fall subroutes this by distributing copies of files from older patches under bogus names to confuse players into seeing "HeavensFall.EXE" and "Frozen Throne.EXE" as two options and hiding from them the details of the difference, but in reality HeavensFall.EXE runs hfmod_pkg.EXE which is a hacked war3.EXE from a prior patch.

Now, see, either you can't run war3.exe because you edited the other files, or you play this Heaven's Fall trick and run an older war3.EXE that lets you get away with editing game files, but the older EXE is blocked from battle.net servers because Blizzard wrote them both and knows the difference.

We all want to believe we're cool enough to reinvent I2C in patch 1.26, I spent today playing with the concept of borked JASS instead of doing my homework, but if you find a way, just...

Keep it safe, keep it secret. Let the ring lie dormant for centuries more, Smeagol. It's better that way.

Heaven's Fall relies on a DLL hack made by the author of the Nirvana mod. His latest addition started adding natives, as you propose, and these natives only work on my Windows 7 machine. On my Windows 10 machine his new natives and therefore the newer edition of his mod doesn't play, even though Heaven's Fall running on a years-older version of his MultiRace Template's DLL hack DOES work.

When you start adding natives, you introduce all kinds of dumb Windows dependency issues for installations you have no way to remind the user he/she must download. Maybe my Windows 10 machine is missing a .NET library that his natives depend upon. Maybe they just don't work on Windows 10. How should I know?

The more modded, moving parts you put into stuff the more broken it becomes and the fewer users actually get to use it. I am somewhat embarrassed that I can't make this latest update I was describing to the library my own mod depends on work on my own computer anymore. The hack technologies that add races and add natives are growing old.

It's late, maybe I'm being a bit of a downer because I'm half asleep. At the very least, know this: to do what you're doing you would need a very hot-shot team of the best of the best the shrinking modding community has to offer. And it's going to need lots of testing to make sure you do it right.

PS: and no matter how hard your team works, Blizzard will always have a programmer ready who is paid more than you and will crush any attempt you make to use battle.net with game code other than the exact, legal code they distributed to you (and you agreed not to modify)

PPS: as we're talking about this if you go follow my Sig and download Heaven's Fall and it works the first time please tell me because you will be a light unto my soul


But it will probably just break and tell you to install Java, which a warcraft mod shouldn't require anyway
 
Level 23
Joined
Apr 16, 2012
Messages
4,041
You are worrying about people exploiting Sharpcraft to make malicious code run, so you suggest to modify the game to run native code, which is as much, if not more, vulnerable, since Sharpcraft runs in sandbox mode, so you can't do a lot of stuff.
 
Level 9
Joined
Jul 30, 2012
Messages
156

The exploit is CONFIRMED! Patch 1.26 is vulnerable to arbitrary code execution!!!


Apparently Blizzard has not modified ANYTHING in the JASS VM since patch 1.23. The only thing that prevents you from doing bad things is the JASS parser.

Once you find a way to fool the Jass parser and execute raw JASS bytecode, through the use of I2C, you can do anything you want. I have successfully acquired the ability to read and write memory from within the Jass script, using a method similar to the old 1.23 exploit. And with that power in hand, nothing prevents you from executing native machine code.

You are worrying about people exploiting Sharpcraft to make malicious code run, so you suggest to modify the game to run native code, which is as much, if not more, vulnerable, since Sharpcraft runs in sandbox mode, so you can't do a lot of stuff.

You clearly didn't understand what this is all about. It's not Sharpcraft that is vulnerable, it's the game itself! Right now, if anybody gets this knowledge, they will be able to spread viruses to any Warcraft III player!

What this thread is discussing is the possibility to create and distribute a custom Warcraft patch, to fix this security issue AND implement other things we want, instead of waiting for Blizzard to do it for us.

You won't be able to play on Battle.Net with a custom patch or a mod; it has something to do with how Battle.net works. It would have to be a super-amazing mod that everybody will go to on an unofficial server.

I'm pretty sure that it's possible to implement it in a way that will work with B.net. As I said, it would be a non-invasive modification. None of the original game files will be modified. Nothing in the original code would be modified.

Instead I would simply have a DLL running in the background. Whenever the user joins a game in B.net the DLL will start reading the map. This map will then have some special resources hidden, something like a hidden JASS script imported.

The unpatched game will completely ignore that hidden script. Instead, it will execute the original war3map.j, that will contain almost nothing. B.net will not complain about that either, because our map is completely valid from their point of view.

But on the machines that have our DLL running, it will open the hidden script and start executing JASS code from there. That hidden script will have access to many new functions that the DLL provides. Those functions will only do local stuff, such as adding abilities or modifying a unit's properties.

Obviously, people that don't have the DLL installed won't be able to play the map. They will ignore the hidden script, and their game will desync. But all players that have the patch installed will be able to play, because they will be executing the same script, so they will be in sync.

In a perfect world, we could even make a system that executes raw jass bytecode from an imported file in the map. This could begin a new generation of map making: complete control over the flow of code, ability to call code variables directly, and the possibility to completely protect the source code of a map - the only thing available to the user would be the compiled JASS bytecode.

Heaven's Fall subroutes this by distributing copies of files from older patches under bogus names to confuse players into seeing "HeavensFall.EXE" and "Frozen Throne.EXE" as two options and hiding from them the details of the difference, but in reality HeavensFall.EXE runs hfmod_pkg.EXE which is a hacked war3.EXE from a prior patch.

My approach would not use any modified files, it will just run the original war3.exe and inject a DLL into it. Since all game files are the original, I don't see why Battle.net would refuse the connection.

Oh, and there's also one more thing that just crossed my mind... We could even use the exploit itself to propagate our mod! People wouldn't have to download it at all, we could simply make a map that uses the exploit to run code in the user's machine, code that will automatically download and install our custom stuff! This could be made to work directly from battle.net, the user would simply join a special map, and his computer would start downloading the whole thing.
 
Level 23
Joined
Apr 16, 2012
Messages
4,041
yes I didn't understand the topic at hand completely, but you can't expect me to read that choire of text :D

How can you even read memory other than wc3's when you are not dealing with physical memory but with virtual memory anyway? You should get page faults - seg faults - exec kills, just curious (I do not want the exact approach, but some fundamentals would be good).

I think sharing details of this exploit with anyone but blizzard is very bad and it will probably put you in a very bad light, and put a lot of people into very good position for themselves to maliciously fuck up others
 
Oh, and there's also one more thing that just crossed my mind... We could even use the exploit itself to propagate our mod! People wouldn't have to download it at all, we could simply make a map that uses the exploit to run code in the user's machine, code that will automatically download and install our custom stuff! This could be made to work directly from battle.net, the user would simply join a special map, and his computer would start downloading the whole thing.

This is sick, why would you want to do that? They removed that exploit for a good reason. Just as edo494 said, this could be a way to infect other people with malicious crap.
 
Dear leandrotp,

If it comes to pass that you who have spent your efforts to find this dark secret spearhead creation of a map that actually does inject in code and download your own user-created game updates, then I would make unto you a special request.

Only about a day or two after you release this map, someone is going to download it and tear it apart and learn how it works. Then, they are going to start hosting an identical clone on Battle.net that runs their own, identical copy of your update but downloads a modified version of your update that infects everyone's computer with a virus.

So, my request is this: if you go off the deep end and make a map that actually does this injected-update, make it really, really obvious to people what you are doing to their computer and provide them with a prompt on the computer that informs them, "I have hacked the bounds of the Warcraft III game engine and taken over your computer to execute arbitrary updates to your game files. Do you accept?".

Since that would scare what little community we have into never playing Warcraft online again, my suggestion is to go through something familiar to users that they could trust -- probably just pop open the user's current web browser pointed at some URL on a site that he or she might trust, like the Hive Workshop itself.

Consider this: if you pointed the user to a download for your patch on the Hive Workshop, and they turned it down, then you are doing something rotten if you force on them the download without asking them to accept.

Anyway, doing your download as a web browser popup and not as forced editing of the game files via the hack will put people copying you for malicious purposes significantly behind you. When they change the web URL without really knowing what they're doing and re-post your map, users will see "Well, hey, this map directed me to 'www.trololol.warcraft.real.ru' and not to 'www.hiveworkshop.com', so it must be a fake!"

So, please remember Retera's special request, that if you get even halfway to attempting what you are describing, you do it in a way that everyone affected knows what you are doing, and accepts to run your code on their computer.

Thank you.
 
Level 9
Joined
Jul 30, 2012
Messages
156
This is sick, I completely disapprove of your idea. Thank you however, I will email this to Blizzard to let them know.

Edit: This thread is a waste of space, just useless speculation of creating something that we all want gone. Good riddance that they removed that exploit, people like you probably can't wait to infect other computers.

Ok, if you want to be the politically correct guy, so be it.

But you should realize that I am not the bad guy in this story. If I were, I wouldn't be keeping a secret of this thing. I could simply post the complete code and let the world go on fire. But I didn't, and will not do that.

Or instead, I could develop the complete thing to infect people's computers, and spread it over in a custom map. I haven't done that either, I stopped when I acquired the ability to write memory, and didn't bother to go any further, because I already know it's possible.

Let's come back to the topic: this thread is still discussing the possibility of the custom Warcraft patch. You think that I should not use the exploit to propagate the patch - fine, that's your opinion. I'd like to hear more opinions.

A mod is the most qualified person to say if this thread should be open for discussion, or if it should be deleted. This is an open forum, and I'm just saying what I think, I haven't done anything forbidden.

And if you're reporting this to Blizzard: I strongly encourage you to do that. Maybe I was wrong, maybe they still care about Warcraft and will fix it for the best. I just think that they're not going to give much attention without a concrete proof-of-concept.

Dear leandrotp,

If it comes to pass that you who have spent your efforts to find this dark secret spearhead creation of a map that actually does inject in code and download your own user-created game updates, then I would make unto you a special request.

Only about a day or two after you release this map, someone is going to download it and tear it apart and learn how it works. Then, they are going to start hosting an identical clone on Battle.net that runs their own, identical copy of your update but downloads a modified version of your update that infects everyone's computer with a virus.

So, my request is this: if you go off the deep end and make a map that actually does this injected-update, make it really, really obvious to people what you are doing to their computer and provide them with a prompt on the computer that informs them, "I have hacked the bounds of the Warcraft III game engine and taken over your computer to execute arbitrary updates to your game files. Do you accept?".

Since that would scare what little community we have into never playing Warcraft online again, my suggestion is to go through something familiar to users that they could trust -- probably just pop open the user's current web browser pointed at some URL on a site that he or she might trust, like the Hive Workshop itself.

Consider this: if you pointed the user to a download for your patch on the Hive Workshop, and they turned it down, then you are doing something rotten if you force on them the download without asking them to accept.

Anyway, doing your download as a web browser popup and not as forced editing of the game files via the hack will put people copying you for malicious purposes significantly behind you. When they change the web URL without really knowing what they're doing and re-post your map, users will see "Well, hey, this map directed me to 'www.trololol.warcraft.real.ru' and not to 'www.hiveworkshop.com', so it must be a fake!"

So, please remember Retera's special request, that if you get even halfway to attempting what you are describing, you do it in a way that everyone affected knows what you are doing, and accepts to run your code on their computer.

Thank you.

This is by far the best post in this thread.

Ok, I am convinced. I must not use the exploit to install everything transparently - at the very least, I will use it to open a browser web page. This is certainly the best solution.

Perhaps I should not even use the exploit at all - some clever guy could open my map and figure out how it works. Even so, once the patch is installed, the game will no longer be vulnerable - but we will still have a virtual race between the legit map, that protects the game, and the malicious map, that will plant a virus. Whichever the end user installs first will own the machine.

Thanks for your input, I will not forget it
 
Ok, if you want to be the politically correct guy, so be it.

But you should realize that I am not the bad guy in this story. If I were, I wouldn't be keeping a secret of this thing. I could simply post the complete code and let the world go on fire. But I didn't, and will not do that.

Or instead, I could develop the complete thing to infect people's computers, and spread it over in a custom map. I haven't done that either, I stopped when I acquired the ability to write memory, and didn't bother to go any further, because I already know it's possible.

Let's come back to the topic: this thread is still discussing the possibility of the custom Warcraft patch. You think that I should not use the exploit to propagate the patch - fine, that's your opinion. I'd like to hear more opinions.

A mod is the most qualified person to say if this thread should be open for discussion, or if it should be deleted. This is an open forum, and I'm just saying what I think, I haven't done anything forbidden.

And if you're reporting this to Blizzard: I strongly encourage you to do that. Maybe I was wrong, maybe they still care about Warcraft and will fix it for the best. I just think that they're not going to give much attention without a concrete proof-of-concept.

I sounded a bit too harsh, had to edit it. But my point still stands, you may not be the one who is trying to infect but this thread is like a chance for those who want to do it.

They removed (or disabled) that exploit for a good reason. If you really cared for this you would have contacted Blizzard instead of writing a huge wall of text.
 
Level 12
Joined
Mar 13, 2012
Messages
1,121
I would simply report the vulnerability to Blizzard. But I don't have faith that they will do anything about it.
Do not make anything public, report it with a complete description. Currently Blizzard is allocating resources to sort of revive wc3, so do it now.


As for the community driven wc3 patches, the tl;dr is that it is an immense amount of work to not get buggy code with a quality so low it makes every programmer jump straight out of the window.
 
So when I googled I2C this guy was the first result:

JASS:
function ReturnI takes integer i returns integer
    return i
endfunction
function ReturnC takes code c returns code
    return c
endfunction
function C2I takes code c returns integer // Remember to wrap in ReturnI!
    call ReturnC(c)
    if false then
        return 0
    endif
endfunction
function I2C takes integer i returns code // Remember to wrap in ReturnC!
    call ReturnI(i)
    if false then
        return null
    endif
endfunction

Anybody know what patch this thing is for? It kinda looked like it was working in my JNGP, but... My knowledge of I2C is a little low. I just remember the oblivion of the loss of the return bug (supposedly........ The above seems to suggest you just do it a different way????)

And surely, leandrotp, you're wayyy ahead of the top hit on Google in this regard with how you've been talking?
 
Anybody know what patch this thing is for? It kinda looked like it was working in my JNGP, but... My knowledge of I2C is a little low. I just remember the oblivion of the loss of the return bug (supposedly........ The above seems to suggest you just do it a different way????)

Information here:
http://www.thehelper.net/threads/jass-bytecode-and-i2c.122614/

@leandrotp: Have you tested running bytecode? Or just getting I2C working?
 
Level 9
Joined
Jul 30, 2012
Messages
156
So when I googled I2C this guy was the first result:

JASS:
function ReturnI takes integer i returns integer
    return i
endfunction
function ReturnC takes code c returns code
    return c
endfunction
function C2I takes code c returns integer // Remember to wrap in ReturnI!
    call ReturnC(c)
    if false then
        return 0
    endif
endfunction
function I2C takes integer i returns code // Remember to wrap in ReturnC!
    call ReturnI(i)
    if false then
        return null
    endif
endfunction

Anybody know what patch this thing is for? It kinda looked like it was working in my JNGP, but... My knowledge of I2C is a little low. I just remember the oblivion of the loss of the return bug (supposedly........ The above seems to suggest you just do it a different way????)

And surely, leandrotp, you're wayyy ahead of the top hit on Google in this regard with how you've been talking?

That thing works only up to 1.24b. And do you know how Blizzard fixed that?

I will not explain here how the "return nothing" exploit works. There are plenty of explanations out there. But the cool thing is how blizzard managed to fix that exploit:

All they did was add an invisible return 0 instruction to the end of every function!

They didn't modify a single thing in the JASS VM. Instead they added this lame measure to the Jass compiler, so that a function can never "return nothing" again.

If they had fixed the problem in its roots, by properly patching the JASS VM, there would be no need to do that. And we would all have free typecasting, and the ability to run JASS bytecode, without compromising security.

After all, what is the purpose of a VM running bytecode, if the code that it runs has the same privileges as native code? A virtual machine is supposed to function like a sandbox; if it cannot do that, then it is pointless. It would be better to compile the JASS script directly into x86 assembly.

Have you tested running bytecode? Or just getting I2C working?

I can run bytecode, and from the bytecode I can freely modify memory in the game process. We are back to 1.23 days again!
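To make the point above concrete, here is an added illustration that is not code from this thread, from Blizzard or from the JASS VM: a constructed toy stack VM in Python. It models why a typed function that runs off its end without executing a return hands the caller a stale, differently typed value (the ReturnI/ReturnC pattern posted earlier, reduced to its mechanism), then contrasts the compiler-side fix described above (append return 0 to every function) with a check performed by the VM itself. The names Func, VM, PROGRAM, C2I, I2C, on_cast and append_return_zero are assumptions of this example, not identifiers from the game.

```python
"""Constructed toy stack VM (not the JASS VM, not Warcraft III code).

Values are (tag, payload) pairs. A single return-value register is shared
by every call, so a typed function that reaches its end without executing
`return` leaves whatever the last callee stored there: a type confusion.
"""
from dataclasses import dataclass


@dataclass
class Func:
    name: str
    params: list   # declared parameter types, e.g. ["integer"]
    returns: str   # declared return type: "integer", "code" or "nothing"
    body: list     # ("push", value) | ("load", argidx) | ("call", name) | ("pop",) | ("return",)


class VM:
    def __init__(self, program, check_types):
        self.funcs = {f.name: f for f in program}
        self.check_types = check_types   # False = unsafe VM, True = root fix
        self.retval = None               # shared return-value register

    def call(self, name, args):
        fn = self.funcs[name]
        stack = []
        returned = False
        for op in fn.body:
            if op[0] == "push":
                stack.append(op[1])
            elif op[0] == "load":
                stack.append(args[op[1]])
            elif op[0] == "pop":
                stack.pop()
            elif op[0] == "call":
                callee = self.funcs[op[1]]
                n = len(callee.params)
                callargs = stack[len(stack) - n:]
                del stack[len(stack) - n:]
                result = self.call(op[1], callargs)
                if callee.returns != "nothing":
                    stack.append(result)
            elif op[0] == "return":
                value = stack.pop()
                if self.check_types and value[0] != fn.returns:
                    raise TypeError(f"{fn.name}: returned {value[0]}, declared {fn.returns}")
                self.retval = value
                returned = True
                break
        if fn.returns == "nothing":
            return None
        if not returned and self.check_types:
            # Root fix: a typed function that never executed `return` is an
            # error in the VM, whatever the front-end parser accepted.
            raise TypeError(f"{fn.name}: reached end without returning {fn.returns}")
        return self.retval   # unsafe VM: hands back the stale register


# Toy counterpart of the ReturnI/ReturnC/C2I/I2C pattern (constructed).
PROGRAM = [
    Func("ReturnI", ["integer"], "integer", [("load", 0), ("return",)]),
    Func("ReturnC", ["code"], "code", [("load", 0), ("return",)]),
    # C2I parks a code value in the return register via ReturnC, discards the
    # pushed result, then falls off the end of a function declared integer.
    Func("C2I", ["code"], "integer", [("load", 0), ("call", "ReturnC"), ("pop",)]),
    Func("I2C", ["integer"], "code", [("load", 0), ("call", "ReturnI"), ("pop",)]),
]


def append_return_zero(program):
    """Compiler-side mitigation as described in the post: every typed function
    gets a trailing `return 0`, so the fall-through path no longer exists.
    It only protects code that actually went through this patched front-end."""
    patched = []
    for f in program:
        body = list(f.body)
        if f.returns != "nothing":
            body += [("push", ("integer", 0)), ("return",)]
        patched.append(Func(f.name, f.params, f.returns, body))
    return patched


def c2i_result(program, check_types):
    """Run C2I on a code value and return what the caller receives, or a
    "rejected: ..." string when the type-checking VM refuses the program."""
    vm = VM(program, check_types)
    try:
        return vm.call("C2I", [("code", "on_cast")])   # constructed code value
    except TypeError as e:
        return "rejected: " + str(e)


def demo():
    return {
        # unsafe VM, unmodified program: an integer-typed call yields a code value
        "unchecked_unpatched": c2i_result(PROGRAM, check_types=False),
        # unsafe VM, program that went through the compiler patch: confusion gone
        "unchecked_patched": c2i_result(append_return_zero(PROGRAM), check_types=False),
        # type-checking VM: refuses the unmodified program with no compiler help
        "checked_unpatched": c2i_result(PROGRAM, check_types=True),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:20s} -> {outcome}")
```

The three cases line up with the argument in the post: the compiler-side patch removes the confusion only for programs that pass through the patched front-end, so anything that gets bytecode to the VM by another route is unaffected, whereas a VM that validates the declared return type at the call boundary rejects the unmodified program on its own.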
 
Level 9
Joined
Jul 30, 2012
Messages
156
Have you contacted Blizzard yet? Have they responded?
It makes me sad that I agree with you not to post how you did it, because it sounds very interesting and I'd love to see how it works.
You said you've got I2C working; do you also have a working C2I?
I've got some ideas how you managed it but I don't think I have the expertise to test my more complex ideas.

Have you contacted blizzard yet? Have they responded?
It makes me sad that I agree with you to not post how you did it because it sounds very interesting and I'd love to see how it works.
You said you've got i2c working; do you also have a working c2i?
I've got some ideas how you managed it but I don't think I have the expertise to test my more complex ideas.

Of course. I2C has no utility if you can't make a C2I first. I can freely typecast between any types just like it was in 1.23.

And btw, you're the developer of Pjass right? Well, I can say that you made it harder for me to find this exploit :p

I could only find this thing because I was running some tests with Pjass disabled. The exploit relies on some code that has a completely invalid syntax, yet the game WILL ACCEPT it.

And no, I haven't contacted Blizzard yet. First, because I didn't find the correct way to do it (the link I found seems to be broken). Second, if I provide them with a full proof-of-concept, all they will do is fix the Jass parser, so that I can't typecast anymore.

I don't want them to do that. I want them to fix the JASS VM, which is the right thing to do, without removing the ability to typecast. We can do many interesting things with bytecode, things that can benefit the developer community, such as calling code variables or protecting the source code of a map.

But no, they are ignorant and lazy, they didn't even bother to analyze the old 1.23 exploit and figure out how it works, they simply took the easy way and forbade typecasting. Or so they thought :p

And btw, you're the developer of Pjass right? Well, I can say that you made it harder for me to find this exploit :p

Hehe. Then pjass is working as intended ;)
And yes, I'm the current maintainer (because I'm the only one working on it).


Of course. I2C has no utility if you can't make a C2I first. I can freely typecast between any types just like it was in 1.23.

Well I guess you can always take an offset and add it before doing i2c. But ofc it's easier with c2i.


And no, I haven't contacted Blizzard yet. First, because I didn't find the correct way to do it (the link I found seems to be broken). Second, if I provide them with a full proof-of-concept, all they will do is fix the Jass parser, so that I can't typecast anymore.

I don't want them to do that. I want them to fix the JASS VM, which is the right thing to do, without removing the ability to typecast. We can do many interesting things with bytecode, things that can benefit the developer community, such as calling code variables or protecting the source code of a map.

But no, they are ignorant and lazy, they didn't even bother to analyze the old 1.23 exploit and figure out how it works, they simply took the easy way and forbade typecasting. Or so they thought :p

Yes. I understand this situation. Bytecode can give us some interesting possibilities for compilers. But on the other hand I like that I can simply open any map and see how they did things. It's one of the charms of mapping for me.

But when I think about it, we have good and efficient ways for compiling stuff now. I don't think we need bytecode, but maybe I'm not thinking big enough (as I said, I don't like protecting stuff).
 
Level 12
Joined
Mar 13, 2012
Messages
1,121
if I provide them with a full proof-of-concept, all they will do is fix the Jass parser, so that I can't typecast anymore.
I don't want them to do that.
Hack-proofing the JASS VM just so that some people can run bytecode and have small benefits is a task you can not demand from Blizzard.

Now that you released this information the eye of Sauron is upon you. Just report it.
 
Hack-proofing the JASS VM just so that some people can run bytecode and have small benefits is a task you can not demand from Blizzard.

Believe me, that thing is so damn easy to fix... all they have to do is to forbid a specific VM instruction - an instruction that has absolutely no utility, and is never generated by the parser, so it should never be allowed by the VM in the first place. But it is, ever since 1.23.

It's a very small price to pay, possibly even easier than fixing the parser - and the benefits are greater than you think.

Now that you released this information the eye of Sauron is upon you. Just report it.

I'm not sure that this is the right place to report. ("Reports received via this form will not receive a response.") I'd like to receive some response from them, but I can't find a place specific for bug reporting - I can only see some stupid form about installation problems and other help for noob users.
 
I'm not sure that this is the right place to report. ("Reports received via this form will not receive a response.") I'd like to receive some response from them, but I can't find a place specific for bug reporting - I can only see some stupid form about installation problems and other help for noob users.

Well it's the one that they will likely notice from, who cares if they won't reply. What matters is the attention that it will receive. Just write what could be done and the problem. I'm sure that will not go unnoticed, especially with the attention they were putting out last year about classic games.

Let's be open and honest here, 99% of people that worked on wc3 are most definitely not part of blizzard today, let alone people that coded the VM.

Do you think they will dig through hundreds of thousands of lines of code written back in 2000/2001 and repair this? I sure as fuck don't. This is most definitely what happened with 1.23, rather than ignorance, it is more like incapability, and they aren't going to pour half of their wow dev team into fixing some bug in a game that should've been dead for 10 years but "magically" survived and no one knows how it works in blizzard nowadays.

That's why they have opened a job regarding classic games.

It said that you must be okay with working on "unfamiliar code" (made by people who are possibly no longer in Blizzard). They still have open source files for Warcraft 3, .cpp files. They can edit these files and compile a patch any-day.
 
Level 23
Joined
Apr 16, 2012
Messages
4,041
Let's be open and honest here, 99% of people that worked on wc3 are most definitely not part of blizzard today, let alone people that coded the VM.

Do you think they will dig through hundreds of thousands of lines of code written back in 2000/2001 and repair this? I sure as fuck don't. This is most definitely what happened with 1.23, rather than ignorance, it is more like incapability, and they aren't going to pour half of their wow dev team into fixing some bug in a game that should've been dead for 10 years but "magically" survived and no one knows how it works in blizzard nowadays.
 
Ok, I finally took the initiative and made the first contact:
I decided not to explain everything right away. I prefer to wait and see how they will respond, then I will explain everything about the exploit to them.

I even chose the "phone support" option and put my phone number there so they can call me - though I doubt they will make an international call for that.

EDIT: Wow, they just called me, in less than 10 minutes!

But the call was terrible, and it was an electronic voice. I was supposed to press some number, but I couldn't understand anything it was saying. Guess I'll just have to wait for a text response.

EDIT 2: They have responded:
So, I'll do what they're saying. I'll write to that email and explain everything.
 

Dr Super Good

Spell Reviewer
Level 64
Joined
Jan 18, 2005
Messages
27,198
Can you actually do anything with this? I thought most of the problem was with code arrays, not specific code variables. You cannot just jump a thread to any old memory address as the virtual memory system should have most pages marked as "no execute" so any attempt to run instructions from them will cause a fatal error.
 
Can you actually do anything with this? I thought most of the problem was with code arrays, not specific code variables. You cannot just jump a thread to any old memory address as the virtual memory system should have most pages marked as "no execute" so any attempt to run instructions from them will cause a fatal error.

The possibilities are unlimited... Being able to write memory is an unacceptable risk. There are many techniques to achieve code execution, and circumvent page protection if necessary (have you ever heard of ROP?)

Any news?

Not yet. Actually I've been very busy in the past few days, and I could only send that email last night. I wrote a huge wall of text, explaining everything in detail: why the vulnerability exists, how I can exploit it, and what they can do to fix it. They haven't responded yet.
 
So, I'm sorry to report that the vulnerability has NOT been fixed in patch 1.27. Maybe they didn't have time to do that (lol seriously it's a 2-line fix), or my e-mail got lost in the middle of a thousand others...

But the fact that they did release a new patch after so many years proves that I was wrong: they still support this game, and I hope that they will fix it in the next patch.

Blizzard employee, if you are reading this, please bring this issue to the attention of those who must learn about it!
And feel free to message me if you need any further information.
 
Level 17
Joined
Dec 11, 2014
Messages
2,004
We don't need an I2C or C2I. We have the preload bug and we can do anything we want with it...

For example I can create a .bat file that removes the windows by warcraft in like, 30 minutes.

Hmmmm... Vexorian said 2009 will be a fun year. I say 2016 will be an even funnier year... If this guy isn't trolling us.
 
We don't need an I2C or C2I. We have the preload bug and we can do anything we want with it...

For example I can create a .bat file that removes the windows by warcraft in like, 30 minutes.

Hmmmm... Vexorian said 2009 will be a fun year. I say 2016 will be an even funnier year... If this guy isn't trolling us.

Preload exploit is quite harmless these days. You need to know the user's name to put a .bat file in their Startup folder. And even if you do, it takes effect only after restart.

Executing arbitrary code, on the other hand, is much more dangerous. You can retrieve any information, install any program, do anything. And it takes effect immediately, doesn't need reboot.

And btw, it works on mac too! A skilled hacker could make the 2 exploits, for windows and for mac, then detect the user's platform from the map script and run the appropriate exploit.
 
Level 19
Joined
Dec 12, 2010
Messages
2,069
Preload exploit is quite harmless these days. You need to know the user's name to put a .bat file in their Startup folder. And even if you do, it takes effect only after restart.

Executing arbitrary code, on the other hand, is much more dangerous. You can retrieve any information, install any program, do anything. And it takes effect immediately, doesn't need reboot.

And btw, it works on mac too! A skilled hacker could make the 2 exploits, for windows and for mac, then detect the user's platform from the map script and run the appropriate exploit.

It's not that bad. wc3 players aren't a big community, map spreading isn't a common thing either. Even if you successfully make a virus out of it, there are very limited purposes for that. You can share a default .exe virus on some random filetrash site and call it "warcraft 3 hd installer", it's about the same efficiency.

If blizz patches it without giving any proper replacement, it won't change anything. People will tend to use the best tool allowed, including old patches, to get access to high-level self-made natives.
 
Level 9
Joined
Jun 17, 2010
Messages
217
Preload exploit is quite harmless these days. You need to know the user's name to put a .bat file in their Startup folder.

really? :ogre_frown:
Windows has a permanent startup folder for all users. :ogre_haosis:

WINXP
DISK:\Documents and Settings\All Users\Start Menu\Programs\Startup
WIN7+
DISK:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup

:ogre_rage: The preload exploit is much more dangerous than code execution.
 
No it isn't, because you can always go there and remove it from there, + it only takes effect after rebooting.

Code execution is much worse, it can start doing really interesting things and you will have no idea why, you would never assume it could be warcraft 3 that is currently formatting your disk, + it takes effect immediately, as the map runs
 
Only warcraft folder???? :ogre_hurrhurr:

try to use:

:ogre_rage: PreloadGenEnd(".\\d3d8.dll")
:ogre_rage: PreloadGenEnd(".\\d3d9.dll")

and warcraft can't run)))

Well, that's another thing that should be limited plus you shouldn't be sharing these.

It'd be nice if they could just make it check for certain extensions only and disable anything else, meaning the ability to easily save codes to text files remains fine.
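The extension check the post above asks for, as an added example that is not from this thread or from the game's code: a hypothetical Preload write policy (relative paths only, no "..", .txt only) and a scanner that flags the PreloadGenEnd calls that policy would reject in a constructed JASS snippet, including the d3d8.dll line quoted earlier in the thread.

```python
import re
from pathlib import PureWindowsPath

# Hypothetical write policy for PreloadGenEnd (an assumption for this example,
# not what the game implements): relative paths only, no "..", .txt extension
# only, so save-code files keep working while .bat or .dll drops are refused.
ALLOWED_EXTENSIONS = {".txt"}

# Captures the string literal passed to PreloadGenEnd in one line of JASS.
PRELOAD_GEN_END = re.compile(r'\bPreloadGenEnd\s*\(\s*"((?:[^"\\]|\\.)*)"')

def unescape_jass(literal):
    """Turn the body of a JASS string literal into the path the game sees."""
    return literal.replace('\\\\', '\\').replace('\\"', '"')

def preload_path_is_allowed(literal):
    """Return (allowed, reason) for a raw PreloadGenEnd path literal."""
    path = PureWindowsPath(unescape_jass(literal).replace("/", "\\"))
    if path.drive or path.root:  # C:\..., \..., \\server\share
        return False, "absolute path or drive letter"
    if ".." in path.parts:  # would escape the game directory
        return False, "parent-directory traversal"
    if path.suffix.lower() not in ALLOWED_EXTENSIONS:
        return False, "extension %s not allowed" % (path.suffix or "(none)")
    return True, "ok"

def scan_script(script):
    """List (line, literal, reason) for each PreloadGenEnd the policy rejects."""
    findings = []
    for lineno, line in enumerate(script.splitlines(), 1):
        for match in PRELOAD_GEN_END.finditer(line):
            allowed, reason = preload_path_is_allowed(match.group(1))
            if not allowed:
                findings.append((lineno, match.group(1), reason))
    return findings

# Constructed JASS sample: a benign save-code writer, then the d3d8.dll line
# quoted in this thread plus two other paths the policy should refuse.
SAMPLE_SCRIPT = r'''function SaveCode takes nothing returns nothing
    call PreloadGenClear()
    call Preload("-load ABC123")
    call PreloadGenEnd("Save\\hero.txt")
endfunction
function Hostile takes nothing returns nothing
    call PreloadGenEnd(".\\d3d8.dll")
    call PreloadGenEnd("..\\..\\ProgramData\\Startup\\run.bat")
    call PreloadGenEnd("C:\\notes.txt")
endfunction'''
```

Running scan_script(SAMPLE_SCRIPT) reports lines 7, 8 and 9 with the reason each one fails, while the .txt save on line 4 passes.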
 