
Accessing memory from the script - it's time of the revolution

Discussion in 'The Lab' started by leandrotp, May 17, 2016.

  1. Waffle

    there was like w3mmd or sth.. some ghost format for passing data to the bot via replays. not sure how flexible but you could basically do sth like that. or maybe even use that like replace player names with cd-keys for example :p
     
  2. Dr Super Good

    Spell Reviewer
    When playing online it does. It could send it to the host robot, which could be spoofing the name of a reliable host robot source.

    Is it deleted from memory? Normal memory allocation does not zero out deallocated memory to save time, after all it is correct programming practice to initialize all memory upon allocation anyway. Since the deallocated memory might still be mixed with in use pages it is possible that it still can be read by the application without causing a memory access exception. Once read it could be relayed to a host robot for being stored and stolen.

    With C++ when dealing with passwords or other sensitive information you are meant to zero the buffers out upon deallocation to make sure they leave no footprint in the memory for people to read. Java and languages with similar memory model should not suffer from such a problem as arbitrary memory reading is not permitted by the language and is considered a critical security exploit so patched ASAP.
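The wipe-before-free practice described in this post, as an added example that is not code from the thread. The secret value is a constructed placeholder, and `secure_wipe` is a hand-rolled stand-in for platform primitives such as `explicit_bzero`, `memset_s` or `SecureZeroMemory`:

```c
#include <stdlib.h>
#include <string.h>

/* Wipe through a volatile pointer so the compiler cannot treat the stores as
   dead (a plain memset() right before free() is routinely optimized away).
   Returns the number of bytes wiped. */
static size_t secure_wipe(void *buf, size_t len) {
    volatile unsigned char *p = (volatile unsigned char *)buf;
    for (size_t i = 0; i < len; i++) p[i] = 0;
    return len;
}

/* Constant-shape check that every byte is zero (no early exit on the data). */
static int all_zero(const unsigned char *buf, size_t len) {
    unsigned char acc = 0;
    for (size_t i = 0; i < len; i++) acc |= buf[i];
    return acc == 0;
}

/* Models the lifetime of a secret such as a CD key: copy it into a heap
   buffer that is initialized on allocation, use it (here: a byte sum),
   wipe it, verify the wipe, and only then hand the pages back to the
   allocator. Returns the sum, or -1 if any non-zero byte survived the wipe. */
static long use_secret_then_wipe(const char *secret) {
    size_t len = strlen(secret);
    unsigned char *buf = calloc(len, 1);       /* zeroed on allocation */
    if (!buf) return -1;
    memcpy(buf, secret, len);
    long sum = 0;
    for (size_t i = 0; i < len; i++) sum += buf[i];
    secure_wipe(buf, len);
    int clean = all_zero(buf, len);            /* verify before free, never after */
    free(buf);                                 /* freed memory is not zeroed by the allocator */
    return clean ? sum : -1;
}

int main(void) {
    /* constructed placeholder, not a real key */
    return use_secret_then_wipe("XXXX-CONSTRUCTED-KEY-XXXX") > 0 ? 0 : 1;
}
```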
     
  3. leandrotp

    I see why your name is "Dr. Super Good". You really like to be the politically correct guy.

    Well, I can't say that your arguments are wrong. If something like the Java VM, that is used by millions of applications worldwide, had a vulnerability that allowed memory reading, it would surely be a critical issue that would have to be patched immediately.

    But this is not the Java VM. This is fucking Warcraft III. A 15-year old game, played by "almost nobody", if you compare it with other popular games, and even with itself in the past. A game with a very old and limited engine, and when someone finds a way to remove a small bit of those limitations, we even have to hear people complaining about safety.

    Man, seriously, DO YOU REALLY THINK SOMEONE WILL TAKE THE JOB TO MAKE A MAP JUST TO STEAL CD KEYS? IN 2K17? First, it may probably not be possible at all. I'm not gonna take my time to research about this, and I'm pretty sure no one will. Second, it will certainly not be trivial, it may possibly be in a dynamically allocated memory area instead of a fixed address, and that would require scanning the memory for patterns in order to find it, which will probably crash the game before finding valid data, since Jass VM has no exception handling.

    And third, if we ignore all these obstacles, WHO IS GONNA TAKE THIS JOB JUST TO STEAL USER'S CD KEYS? Warcraft III is so fucking cheap, and we even have random CD Key generator in the web, of course those keys don't work in bnet, but there are plenty of other places to play WC3 online.

    The amount of security in an application is proportional to its size, a game like WC3 doesn't need as much security as something big like Java, especially when these "security measures" will take away useful features from the game, something WE REALLY DON'T NEED considering how limited the engine is already.

    When the original Memory hack was released (the full version with write access), the community has been split in two. Those that wanted to use that power for map development, and those that saw it as a critical issue that should be patched. After it got patched by 1.27b, the community has been split once again: those that are happy with read-only access, and those who still think we should go back to the no-returnbug era.

    So now there are basically 3 groups in the WC3 community around the world:
    1. The group that wants to stay on older patches, because they don't fucking care about new patches that bring more harm than good. Most of this group uses 3rd party addons for WC3, like W3Arena, iccup, and the Chinese DotA that uses a Lua engine, so they don't need Blizzard to do their shit for them. This group also includes the new generation of maps that use the full Memhack, like DracoL1ch's Dota.

    2. The group that wants to stay on the latest patches and play a safe game, but also wants some new cool features that Blizzard has never given us, and probably never will. The read-only memhack is targeted at this group.

    3. The "Dr Super Good" group.
    I don't need to say that splitting the player base brings no good for the life of WC3. Blizzard has just forgotten about WC3 for years, and people didn't want to wait for them so they made 3rd party addons. Now these new patches are fucking with these addons, and they are giving nothing in exchange.

    If read-only memhack is removed there will be again a community split, as the mapmakers that are using it and their playerbase will simply stop updating. They might even migrate back to 1.26 since it's quite stable and gives the full power of memhack.

    There's no logical reason to take this decision. Fixing the write exploit was a necessity because it allowed arbitrary code execution. But the read-only mode allows to do what? Stealing CD Keys? Really, removing the ability to read memory, without giving anything in exchange (and what could possibly replace this power?), is nothing but bad for everyone.

    Btw, I just had a glimpse: why not implement a "safe-mode" of memory hack? I mean, an option where the player could explicitly give permission for a map to access the memory? We could have something like a "Trusted" folder inside the maps folder, and only maps manually placed on this folder by the player will have special privileges. This way a player could download their favorite map from a trusted source and play with the full power of memhack without worrying about security. Maps downloaded via bnet will never go into this folder of course. And if you want more safety they could even display a message to the user before running a map from the "trusted" folder.
     
  4. A Void

    And you did this by memory editing? How? I'm shocked.

    Is there a guide on how to do this?
     
  5. fenix140

    Buying a key now does not require a minimum email account?
    What is the point, increase the number of keygen systems for a game? XD. Not really! Stop looking for something bad in this, since as leandrotp said, there is 1.26 as a patch and 1.28.1 on (protected). Nothing more, lol.
     
  6. Dr Super Good

    Spell Reviewer
    Wc3 used to be capable of arbitrary code execution. Someone made a fake DotA map which deleted Warcraft III and possibly even damaged the Windows folder if running as administrator.
     
  7. leandrotp

    And that is not possible anymore, so I'd say the game is fine as it is now.
     
  8. Waffle

    ... that we know of.

    It's quite hard to make a complex C or C++ program truly safe; it's quite plausible there are still some exploits waiting to be uncovered (e.g. JASM could possibly emit some exotic bytecode sequence not otherwise possible that exposes a vulnerability).

    And reading arbitrary memory is a lesser capability than executing arbitrary code.
    We already can read a subset of memory; it's not that far-fetched to suppose that subset could be expanded to include the location the CD-key is stored in.

    If such a way were to be found we can certainly expect a prompt response from blizzard to minimise the damage.
     
  9. A Void

    leandrotp, what's the memory offset to hide black borders behind UI? Just like DracoL1ch did?

    There's also a lack of natives, you should include more. Like mouse click events...
     
  10. @leandrotp I want to know the render viewport extension trick as well. E.g. for Ice Escape the bottom UI is unnecessary, if not for abilities (which are cast exclusively with hotkeys).
     
  11. MindWorX

    If the current state is read-only, then you can't do the UI hack.
     
  12. Quilnez

    That's what I thought.
    But...
    Will you update dota after 1.28? - DotA Allstars
    He's updated it to work on 1.28. It probably means it's still possible to write stuff in recent patches.
    Or... he's doing it by removing the UI feature. Don't know, never checked the map.
     
  13. Marcos_M

    He said that 6.85 is working on 1.28
    That version doesn't use Memory Hack
     
  14. TriggerHappy

    Code Moderator
    There's a function at 0x629490 of game.dll which sets the position of a frame. Using this I could hide the black bars behind the UI as well as re-position / hide most UI elements.

    Here's how I have it working in my code:

    Code (C++):
    // Added for context: pointer to the game's original SetFramePosition (at 0x629490
    // in game.dll), assumed to be filled in by the hooking code when the hook is installed.
    typedef int(__fastcall *SetFramePositionFn)(int a1, int a2, int x, int y);
    SetFramePositionFn RealSetFramePosition = nullptr;

    int __fastcall HookSetFramePosition(int a1, int a2, int x, int y) {
        // y is a float travelling in an integer slot: these two bit patterns are the
        // IEEE-754 encodings of -0.02f and 0.13f, the y values the game passes for
        // the black-bar frames.
        if (y == -1130113270 || y == 1040522936) {
            y = 0;  // all-zero bits are also 0.0f, so the frame is moved to the edge
        }

        return RealSetFramePosition(a1, a2, x, y);
    }
     


    Last edited: May 9, 2017
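As an added example (not TriggerHappy's code), this decodes the two magic integers in the hook above as the floats they encode, which is what the hook is really matching on, and re-expresses the same decision against float values. `fake_set_frame_position` is a constructed stand-in so the hook runs without game.dll:

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Reinterpret the 32-bit pattern the hook receives in its int slot as a float
   (memcpy is the well-defined way to type-pun in C). */
static float float_from_bits(int32_t bits) {
    float f;
    memcpy(&f, &bits, sizeof f);
    return f;
}

static int32_t bits_from_float(float f) {
    int32_t bits;
    memcpy(&bits, &f, sizeof bits);
    return bits;
}

/* Constructed stand-in for the game's SetFramePosition: records the y it was
   handed so the hook's effect can be observed. Returns 1 like a success code. */
static float g_last_y;
static int fake_set_frame_position(int a1, int a2, int x, int y) {
    (void)a1; (void)a2; (void)x;
    g_last_y = float_from_bits(y);
    return 1;
}

/* Same decision as HookSetFramePosition, with the constants written as the
   floats they encode (-1130113270 == -0.02f, 1040522936 == 0.13f). */
static int hook_set_frame_position(int a1, int a2, int x, int y) {
    float fy = float_from_bits(y);
    if (fy == -0.02f || fy == 0.13f) {
        y = bits_from_float(0.0f);   /* identical to y = 0: 0.0f is all-zero bits */
    }
    return fake_set_frame_position(a1, a2, x, y);
}

int main(void) {
    printf("%d -> %g\n", -1130113270, float_from_bits(-1130113270));
    printf("%d -> %g\n", 1040522936, float_from_bits(1040522936));
    hook_set_frame_position(0, 0, 0, 1040522936);
    printf("y forwarded to the game: %g\n", g_last_y);
    return 0;
}
```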
  15. A Void

    wow! can you please elaborate how to use it? where to paste the function?
     
  16. TriggerHappy

    Code Moderator
    I don't have the JASS code to do this in 1.26, but I have a custom launcher which can do it.

    Download War3Loader.zip and extract the contents to your Warcraft III folder (alongside war3.exe and game.dll).

    Features (Works on 1.26 and 1.28.1)
    • Works for any graphic renderer that the game uses (D3D8/D3D9/OGL).
    • Remove black bars from behind the UI. This allows you to completely hide the UI with a transparent texture.
    • Widescreen fix. The game view is no longer stretched and you can see more on the screen.
    • JASS operation limit increased by x1000.
    • Custom JASS natives.
    It comes with some basic natives for benchmarking.

    Code (vJASS):
    native StopWatchCreate takes nothing returns integer
    native StopWatchTicks takes integer swid returns integer
    native StopWatchDestroy takes integer swid returns nothing

    There are no configuration options and everything is as-is.

    How I specifically removed black bars is revealed in the C++ code in my above post.
     


    Last edited: May 8, 2017
  17. mori

    Is there any kind of thread/place for this resource where it belongs?
    The widescreen fix is really tempting, and I would like to keep using it, but as with everything that messes with WC3, it tends to break with each update.
    Also, oh god, this is really funky:
     
  18. TriggerHappy

    Code Moderator
    I mainly posted it for the people interested in hiding the UI. Another user posted a widescreen fix in the form of .mix file, so I would suggest that if all you want is widescreen.

    [RenderEdge] Widescreen Fix

    On a side note, I have successfully re-positioned UI elements (see screenshot).
     


  19. mori

    Wow, this is really neat (the screenshot).

    Do you know of a fix that works with the most recent WC3 version? The RenderEdge one doesn't work with 1.28.1

    I really hope Blizzard just includes proper widescreen rendering in WC3 at some point.
     
  20. TriggerHappy

    Code Moderator
    THW is not letting me edit my old post so I'm going to upload to this one.

    Download

    I attached an updated version of the launcher I previously posted. This one has a config.ini file where you can toggle some settings. I also included a demo map which uses the StopWatch natives, as well as a plugin folder. Beware of the lag spike when benchmarking with an increased JASS operation limit.

    Works on 1.26, 1.28.1, and 1.28.2.

    Code (Text):
    [Main]
    ExtendGameView=1
    WidescreenFix=1
    JASSOperationLimit=100000000
    Executable=D:\Games\Warcraft III\war3.exe
     
