
[General] Protect against code injections

Status
Not open for further replies.
Level 19
Joined
Aug 16, 2007
Messages
881
Is it possible to mitigate code injections into the map script?

Personally I tried using an MPQ editor on my (protected) map and then edited the code, but it fails to save. I'm not sure how it's done and what I can do to prevent the injections.

I can add code that checks gold amount, etc., but if anyone can inject code I assume they can remove code as well?
 
Without external help (not inside the map), like verification from a website for scoring or verification from Warcraft III, I doubt you can ensure the integrity of a map. For example, you build up some "security" in code, but what does it help in the end if someone can modify this code?

Personally I tried using an MPQ editor on my (protected) map and then edited the code, but it fails to save
But so the protection succeeded in this case? If you want you can upload your map for others to try, too.
 
Level 19
Joined
Aug 16, 2007
Messages
881
Without external help (not inside the map), like verification from a website for scoring or verification from Warcraft III, I doubt you can ensure the integrity of a map. For example, you build up some "security" in code, but what does it help in the end if someone can modify this code?
Yeah, I thought so, but if it's only possible to inject and not remove code, such security protections can be useful.

But so the protection succeeded in this case? If you want you can upload your map for others to try, too.
I've attached the map in question. The following code was added into the script: call SetPlayerState( Player( 0 ), PLAYER_STATE_RESOURCE_GOLD, 1000000000 )

The script file is File00000011.xxx.
 

Attachments

  • injectedmap.w3x
    499.6 KB · Views: 57
Level 19
Joined
Aug 16, 2007
Messages
881
With a little research I was able to find a step-by-step on how to do it, and to be quite honest, if the game can read your map, so can the tools out there. I don't think making any sort of anti-inject will be feasible. You can do things like scripts to prevent the commands, or similar, like some ORPGs out there.
I thought that was the case sadly, just hoped for some ugly fix or something.

But how did you edit it at first, then?
You can rename the file to "war3map.j" and the error should not occur anymore.
I tried to edit the file directly through the MPQ and extract it and then import the file again with no luck.
 
If the MPQ has no listfile, the filename will appear as "File00000000.xxx" (that's just how the FindFile method in the MPQ editor works; see MPQ Archives - StormLib), but it will iterate over all files regardless of their names.
I exported the JASS file, modified the file, renamed it to "war3map.j", deleted the old code file from the MPQ, and imported the new "war3map.j" file, and it worked. But of course, the next time you open the map with the MPQ editor it will again be something like "File0000..." if there's still no listfile; for me it was now the last one, not File00000011.xxx.
 
Level 19
Joined
Aug 16, 2007
Messages
881
I mean, don't let that deter you; maybe you can think of something that might be a game changer. Some of the greatest inventions of all time were things people said couldn't be done.
Inspiring! I have a few ideas, but nothing bulletproof, as it's mostly script adjustments.

If the MPQ has no listfile, the filename will appear as "File00000000.xxx" (that's just how the FindFile method in the MPQ editor works; see MPQ Archives - StormLib), but it will iterate over all files regardless of their names.
I exported the JASS file, modified the file, renamed it to "war3map.j", deleted the old code file from the MPQ, and imported the new "war3map.j" file, and it worked. But of course, the next time you open the map with the MPQ editor it will again be something like "File0000..."; for me it was now the last one, not File00000011.xxx.
I see, so it's simply replacing the file, not really an easy way to counter that. If there was a way to check and validate a file that would be great.
 
Level 4
Joined
Feb 11, 2020
Messages
61
For example, getting the namespaces of the files is quite easy, so protecting them is a challenge as well. You can always obfuscate the actual contents of these, thus making it harder to figure out what they contain, but as for actually injecting, stopping the injection process isn't hard to get around, since you can easily find the function names by editing the actual .j; once you find the name, that's just the nature of Wc3. Most of the protectors don't actually protect anymore, which is the reason they are now labeled Optimizers :D

 
Level 6
Joined
Mar 7, 2011
Messages
124
like other people have said, you don't have access to the tools or a context that can securely test this. wc3 maps are stored and run client-side, so they can never be 100% trustworthy. this is problematic because you don't have access to any trustworthy context, so no matter how you test for code injection, those tests can never be relied on, because what if they were faked or otherwise manipulated? but say you did have a trustworthy context, you still don't have the tools to test for injection. there is no jass / lua native to get the hash of a map's mpq during game execution, or anything similar

here's my take on the options that are available
  • target specific injection code. there's one code injection library that's very popular for rpgs, so you could target its specific commands. this still struggles with mpq edits, as the "hacker" could just remove your injection-targeting functionality. more importantly, the commands can simply be changed, also eluding your counter-protection
  • discourage the benefit of injection code. injection code is often made to be portable, and so is generally not specifically targeting your map. you can abuse this by creating content which is not meant to appear naturally within your game. this content can be detected by your game and used to identify a version of the game which has been hacked. you can either scold or punish players detected
i recommend the latter approach. it's still not a sure thing, but it forces the hacker to at least be competent and willing to get very familiar with your map's specific implementation
 

Dr Super Good

Spell Reviewer
Level 63
Joined
Jan 18, 2005
Messages
27,180
With Lua one might be able to introduce self defence to the script. Of course nothing would stop the hacker removing the self defence code but it would potentially be immune to dumb injection attacks.

As a very simple example of self defence one could store a hash value computed from hashing all the names in the global/root table. If dumb injection is used the calculated hash would no longer match the stored one and hence the map knows it has been injected into.

However an injector could be written that detects such a test and dummies it out to always return that the hashes matched. Fortunately Lua has methods to combat this as well.

In 1.31 (not sure if it still works with 1.32) one could dynamically parse Lua script (not bytecode) during runtime. Thus one could encode part of the map script into binary data. This binary data could be encrypted and secured with a cryptographic hash to prevent dumb tampering. A boot loader loads this encoded data into code at map initialization.

If one combines critical map functions, such as save/load triggers and the like, into this binary data and adds random elements to it, then automatic injection of cheats should no longer be possible. A person would need to defeat the protection and remove the encoding before they can even look for the detection function.

Of course to make things even harder, the detection functions could be automatically integrated into multiple points of the code. One could even get constant values to be automatically derived from hashes to further obfuscate and prevent automatic tampering. At this point it is unlikely many people would care about making a tool to inject into maps.
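The two ideas in the post above (a digest over the global table's names, and a boot loader that only parses a critical chunk whose hash still matches) sketched in plain Lua 5.3. This is an added example, not code from the thread or from any map: the FNV-1a digest, the function names, and the placeholder save routine are my own choices, and it assumes `load()` is available at map runtime, which the post flags as a version-dependent question. As the post says, anyone who can edit the script can also edit these checks; they only stop tooling that appends code without reading the map.

```lua
-- Added example (not from the thread). Plain Lua 5.3; Warcraft III's Lua is
-- 5.3-based, but availability of load() at map runtime is assumed here.

-- FNV-1a, 32-bit: a cheap tamper indicator, not a cryptographic hash.
local function fnv1a(s)
    local h = 0x811C9DC5
    for i = 1, #s do
        h = ((h ~ s:byte(i)) * 0x01000193) & 0xFFFFFFFF
    end
    return h
end

-- Digest of the global table's names, sorted so pairs() order does not matter.
local function globalNameDigest()
    local names = {}
    for k in pairs(_G) do
        if type(k) == "string" then names[#names + 1] = k end
    end
    table.sort(names)
    return fnv1a(table.concat(names, "\0"))
end

-- Called once at map init, after every map function has been defined.
local baselineDigest
local function sealGlobals()
    baselineDigest = globalNameDigest()
end

-- Called later (e.g. from a periodic timer or a save trigger).
-- True while the set of global names is unchanged; a "dumb" injection that
-- adds its own global functions flips this to false.
local function globalsIntact()
    return globalNameDigest() == baselineDigest
end

-- Boot loader: a critical routine shipped as source text plus a hash the map
-- author computes once at build time and bakes into the script as a constant.
local function sealChunk(src)
    return fnv1a(src)
end

local function loadSealedChunk(src, expectedHash)
    if fnv1a(src) ~= expectedHash then
        return nil, "chunk hash mismatch"
    end
    local chunk, err = load(src, "=sealed", "t")  -- text only, never bytecode
    if not chunk then return nil, err end
    return chunk()
end

-- Demo with constructed data (placeholder save routine, not real map content).
local saveLoadSource = [[
    local function encodeSave(gold, level)
        return string.format("%d:%d", gold, level)
    end
    return encodeSave
]]
local bakedHash = sealChunk(saveLoadSource)   -- build-time step, simulated here

local encodeSave = assert(loadSealedChunk(saveLoadSource, bakedHash))
print(encodeSave(500, 10))

-- Edit one byte of the shipped chunk: the loader refuses to parse it.
local tampered = saveLoadSource:gsub("%%d:%%d", "%%d:99")
print(loadSealedChunk(tampered, bakedHash))

-- Snapshot the globals, then add one as an appended script would.
sealGlobals()
print(globalsIntact())
InjectedCommand = function() end
print(globalsIntact())
```

The digest is taken over names only, so it catches added globals but not a rewritten body of an existing function; the sealed chunk covers the latter for whatever routines are shipped that way. Both checks live in the same script they protect, which is exactly the limitation the thread keeps returning to.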
 
Level 6
Joined
Mar 7, 2011
Messages
124
dsg with the save. okay, so you do possess the tools, so long as you use lua, but you still don't possess the secure context. 100% immune to dumb injection attacks would be pretty amazing though

i really like that dsg's suggestion would be preventative - you could detect a breached version of the map and immediately shut it down to prevent that breach from affecting other players. this is a third option to my two that i didn't think was available

that's such a good idea though, it'd be amazing to have a portable anti-injection script. lua save/load + lua anti-injection would be the dream for rpgs. i think it's definitely worth it for dumb injection scripts

my 2nd bullet is also a type of security through obscurity, but it's more like soft security in that it takes effect after the breach has already occurred. on the other hand, it also forces the smart injector to go through a much more boring and lengthy challenge. while you can't quantify that, i think there's a lot of value in the challenge being boring/longer just because of the human variable

in general, you should only worry about dumb injection on your map, and you should only worry about it if your audience is at risk from its effects (e.g. rpgs, competitive maps, popular ones). i would definitely do dsg's preventative suggestion before my discourage suggestion, and i would only do both if you had reason to worry about smart injectors
 
Level 19
Joined
Aug 16, 2007
Messages
881
Unfortunately the map I'm working with is locked with JASS, as it was created pre-LUA patch. I could export all files and reimport them into a new LUA map, but I'd still have to rewrite the entire script into LUA with no LUA experience.

What DSG suggested is beyond my knowledge, but it sure sounds like a great solution.

I'll start with only focusing on targeting dumb injections, using several functions scattered around the map script.

One idea I had was if you could read files from the map MPQ and then get the file size or something similar. If the file size didn't match a set value, it would detect that the file was modified.
 
Level 6
Joined
Mar 7, 2011
Messages
124
I'll start with only focusing on targeting dumb injections, using several functions scattered around the map script.
that seems like a good place to draw the line, unless it becomes an issue

One idea I had was if you could read files from the map MPQ and then get the file size or something similar. If the file size didn't match a set value, it would detect that the file was modified.
that's similar to the hash idea dsg proposed, but a little more basic. your idea has problems that sorta go like this

while dsg's is more like a complex lock that can't be auto picked

don't worry about either idea though, because you don't have access to a function in JASS to get the map's current file size or bytecode, so i don't think you can do either in JASS
 