reading wc3 memory using Jass

[edo494]

so we know that Player values will crash the game, but strangly enough, Player(0x100) didnt crash for me. Also this script:

        private static method playerToUnit takes player p returns unit
            call SaveFogStateHandle(h, 0, 0, ConvertFogState(0x6DAB5))
            return LoadUnitHandle(h, 0, 0)
        endmethod
        
        static method onInit takes nothing returns nothing
            call BJDebugMsg(R2S(GetWidgetLife(playerToUnit(Player(0)))))
        endmethod

doesnt seem to crash. It should read memory around 0x0B294118, which for some reason is valid. I didnt manage to typecast the fog state to anything that is readable tho.

Your thoughts?

Also, players for me at least, seem to be valid in range <230; 953>

Just a little note: FogState occupies 12 bytes

 

[Ceday]

My Player native doesn't crashing after 162(minimum valid 163)

 

[Rui]

According to the findings of this thread, fog state is a byte of flags (each bit is a boolean), hence why the only predefined ones are 1, 2 and 4. It occupies 12 bytes? How did you find out? =o

I was more interested in this. This undefined behavior is very awkward.

My theory: SetUnitColor() executes some routine dependent on the value taken as parameter. Possibly, in the zone of memory referenced by it, values defined by the game instance or in-game intermittent values such as the time of day or game time?

 

[edo494]

well, I just made it critical error with ConvertFogState(0x10000000) and then with 0x10000001 and the difference was 12, hence 12 bytes . The values seem consistant for me(multiple runs of the game outputted the same addresses)

 

[Dr Super Good]

That would mean its 3 32 bit words. This probably represents a complex structure.

If all bits are used is another question. A badly packed bit field might take up as many as 4 bytes even if only 1 bit is used.

 

[edo494]

well, it is kind of obvious that 3 * 4 = 12 isnt it?

Its silly tho that for what is really a bitset they use 12 bytes

 

[Ceday]

well, I just made it critical error with ConvertFogState(0x10000000) and then with 0x10000001 and the difference was 12, hence 12 bytes . The values seem consistant for me(multiple runs of the game outputted the same addresses)

What is going on and what difference is 12 here

 

[Dr Super Good]

Its silly tho that for what is really a bitset they use 12 bytes

Not if it is a c++ class and they have virtual methods declared.

The function table pointer would take 4 bytes then. The flag itself might be 4 bytes (word aligned). Finally there may be some other trivial attribute such as a object pointer or something.

You are also making the assumption that this structure only does fog state flags. There is a chance that the fog state flags are only a small part of what the structure does while the rest is used internally by the game engine.

You should hex the memory and see what the structure looks like. Are they just 0ed memory or are they values? Are they pointers (where do they point if they were)?

 

[Rui]

I can't tell, either o.o'

 

[Dr Super Good]

What is going on and what difference is 12 here

He is referring to the number of bytes between locations that the call tried to read from. Computer memory is addressed in bytes (8 bits of sequential storage, some European countries refer to it as an "octet" for historical reasons but byte is now standardized to represent 8 bits in industry). He knows where it was trying to read because when you try and read from process virtual memory pages that you cannot read from it throws a fatal error "the memory could not be read".

His change of 1 to the function call corresponds to a change of 12 bytes. This is exactly the kind of behaviour you get if you interpret a pointer to a struct/class that has a size of 12 bytes as an array or add an index to it that is increased by 1. For convenience sake when indexing arrays of structures you refer to each complete element as an index. This means that index 0 will not overlap with index 1. The actual mathematics needed to find the address is then handled by the compiler automatically, and often can be optimized by special assembly instructions which were created to support this kind of indexing.

The problem with this approach is that it only gives you a very sparse idea of memory contents. 3 bits every 12 bytes is not very useful. You need whole bytes and preferably sequential bytes to get anything really useful.

 

[Rui]

Ah, I wasn't aware that increasing the parameter by 1 was the same as incrementing a struct pointer. Now it makes more sense =P

No further way to investigate what the struct contents are, is there?

 

[Imp Midna]

The critical errors on the ConvertFogState calls are not actually happening in the call itself; the ConvertFogState native simply returns its parameter (yeah, sounds like a dumb function, but that's exactly what it does.) The error itself is likely not linked to the native itself but, thought thats a pure guess on my part, to some handle keeping mechanism. The function that crashes takes values starting at 0x00100000, and uses its offset (value - 0x00100000) as an index in a 12 byte structure, where its ultimately increasing the first 4 byte value of that struct by 1 and returning it. Looks like the reference counter to me, but your guess is as good as mine to what this is really supposed to do. You can also use other convert functions (like ConvertPlayerColor) with similar values and it will crash at the exact same location.

 

[WaterKnight]

Which is strange, a reference counter on static types?

 

[Dr Super Good]

Which is strange, a reference counter on static types?

If it extends handle then not really...

 

[Imp Midna]

Which is strange, a reference counter on static types?

They don't necessarily have to be. i used edo's parameter (0x10000000) to reproduce his crash, thus creating a handle with the id 0x10000000 (as the function just returns its parameter). The function that crashes only operates on handles with a value of 0x00100000 or higher, while ignoring values below it. (I remember some kind of handles starting with relatively high values, so i thought it would make sense that reference counted handles would have a value >= 0x00100000). The Convert functions wouldn't produce such high values and would therefor normally be ignored by this function, however, since i created a handle with an unusually high value, it DOES kick in and subsequently cause a crash.

 

[Zwiebelchen]

I guess the real question is: is there any possible way to use this to read text files from the hard disc?

 

[edo494]

This reads from RAM, not hard.drives

 

[Zwiebelchen]

This reads from RAM, not hard.drives

Which basicly makes it pointless for any real-world application except hacking stuff. And I might rather not find out what evilminded people could do with this...


EDIT: Nevermind... if we can find a serious security hole in WC3, they might give us another emergency patch... which will probably not fix any other bug, but here's hoping it will.

 

[Ezekiel12]

Thats the main goal, force blizzard to do a patch. Evil masterplan
Except as you said that they might not include anything else.. but who knows. Last time the community messed up wc3 we got hashtables.

 

[Deleted member 219079]

so let's hack the s*it outta wc3 so they'll give us a patch including account banks (for credits and stuff), interface manipulation and more player slots!! and better collision checking gogo!

 

[Dr Super Good]

No they will just shut down WC3 until its remade (they are already doing this along with all old legacy games in the background due to the fact that eventually computers will stop running them) in which case all this stuff is fixed, most old maps will no longer work and it still is less powerful than SC2.

People should just move to SC2 already.

 

[Frotty]

People should just move to SC2 already.

Can't you just move out of hive?

 

[Dr Super Good]

Can't you just move out of hive?

No I cannot seem to find where the door is.

In any case reading from WC3 memory is not at all useful or a security risk since I do not think WC3 processes much sensitive information and virtual memory means that other processes that do process sensitive information are secure. Only if you find a way to write to WC3 memory (an integer array does this, no need to be smart), and then jump to that written WC3 array so it is executed as machine code then you have a security risk. This is what typecast code type JASS objects used to allow, they were simply a function pointer that was called so if you put certain addresses in it you could get it to start executing the contents of an integer array.

The result of this was someone made a fake DotA map that caused serious loss of data on the client system when run. It was so small and signed like the real DotA Allstars so that as soon as you realised something was wrong you were already in game and all your WC3 maps and lots of other data was already deleted, permanently (not in recycle bin).

So type casting was fixed, code was given huge restrictions and we got hashtables. It took them many months to do this back then when they still actively supported WC3 (before BattleNet 2.0 took off).

 

[muzzel]

 

[Deleted member 219079]

No they will just shut down WC3 until its remade (they are already doing this along with all old legacy games in the background due to the fact that eventually computers will stop running them) in which case all this stuff is fixed, most old maps will no longer work and it still is less powerful than SC2.

One update is for sure; they'll add wc3 to the battle.net launcher. Blizzard CM confirmed this on the bnet client feedback page. I dunno how much they'll blend wc3 into the client, maybe not at all (to make it only as a shortcut) or then you can choose whether it auto logs you into bnet or main menu. But yea that's the only confirmed update I've heard of.

 

[Zwiebelchen]

One update is for sure; they'll add wc3 to the battle.net launcher. Blizzard CM confirmed this on the bnet client feedback page. I dunno how much they'll blend wc3 into the client, maybe not at all (to make it only as a shortcut) or then you can choose whether it auto logs you into bnet or main menu. But yea that's the only confirmed update I've heard of.

Seriously, just having even a single person at blizzard working with WC3 would be an improvement. So let's stay optimistic!

 

[dd_mn]

Its not likely Blizzs will open WC3 code like other gamedevs do with old games...they are not so generous

 

[Dr Super Good]

Seriously, just having even a single person at blizzard working with WC3 would be an improvement. So let's stay optimistic!

Except why allocate resources to a game that is not really earning money when they could be better spent on a new game that is still in development like StarCraft II LotV?

This is the most common reason for games to stop receiving updates.

Its not likely Blizzs will open WC3 code like other gamedevs do with old games...they are not so generous

It would help if people actually started movements to try and get this done, or at least open discussions with Blizzard. The big problem is often licenced components were used (in WC3's case this is the PKWare compression library among other things) so they cannot be open sourced.

 

[Zwiebelchen]

Except why allocate resources to a game that is not really earning money when they could be better spent on a new game that is still in development like StarCraft II LotV?

I know their reasoning. But come on, Blizzard is a multi-billion dollar company and Warcraft III is a modern classic. They even offered a compilation box with Warcraft I, II and III, so there are still people that buy this game.
Now with Garena dying, they can expect at least enough new sales to justify just one programmer.

 

[chobibo]

Maybe they're planning to re-release wc3 for modern machines? Falcom did that to the Ys series(Ys collection, Oath in Felghana, Memories in Celceta), and it worked miraculously well for them.

 

[Ezekiel12]

I think three more reasons why they did not already update wc3 are:

*An update creates publicity, if directly pushed by blizzard, then a lot of it. Blizzard wants to be judged by the highest standards. They could do just small changes, but then wc3 would in many places still not hold up to those standards and people would complain more. So if they would do it right, its not just creating some natives for our pleasure, its a lot of work.

*A really good update to wc3 might draw players/map makers away from sc2 and last time I checked, sc2 badly needed them.

*The managerial structure changed a lot. Even if there is an executive somewhere left who didnt leave and has love for the game, the new big bosses might just deny in disbelief when someone comes asking for >100k for a more than 10 years old game which isnt supposed to generate big revenue anymore.

Not saying it wont ever happen though.. theres still hope.

 

[Zwiebelchen]

*An update creates publicity, if directly pushed by blizzard, then a lot of it. Blizzard wants to be judged by the highest standards. They could do just small changes, but then wc3 would in many places still not hold up to those standards and people would complain more. So if they would do it right, its not just creating some natives for our pleasure, its a lot of work.

Hmm... I don't really believe that. Did the 1.26 patch create publicity? Not really. I mean ... let's be honest; we would be totally fine with just another 1.26, wouldn't we? A minor patch fixing some of the most annoying bugs (and this security hole as a legitimation for patching). We don't need balancing or new game features, just some bugfixes and maybe a new native or two. They did exactly that when they added hashtables and added 8 mb map support. Why not just do this again?

In fact, I might even be fine if WC3 would be moved over to Bnet 2.0. At least that would allow us to bypass the stupid file size limit and maybe give us a robust import mechanic.

 

[Deleted member 219079]

One update is for sure; they'll add wc3 to the battle.net launcher. Blizzard CM confirmed this on the bnet client feedback page. I dunno how much they'll blend wc3 into the client, maybe not at all (to make it only as a shortcut) or then you can choose whether it auto logs you into bnet or main menu. But yea that's the only confirmed update I've heard of.

This, plus, on their official wc3 community site a guy with nickname "Nebu" has made 2 update posts during last 2 months. Here's some info about him.

He's a Blizzard employee, which means he still has to work on the community site. This means Blizzard has only 99.9999999% forgotten Warcraft 3.

So stay positive, there's a s*itton of updates coming to Warcraft!

 

[Zwiebelchen]

This, plus, on their official wc3 community site a guy with nickname "Nebu" has made 2 update posts during last 2 months. Here's some info about him.

He's a Blizzard employee, which means he still has to work on the community site. This means Blizzard has only 99.9999999% forgotten Warcraft 3.

So stay positive, there's a s*itton of updates coming to Warcraft!

"Nebu" has 4 letters. WARCRAFT 4 CONFIRMED!