如何创建一个基本的魔兽全图外挂 HowTo create a basic Maphack by Chaotic

HowTo create a basic Maphack

 by:Chaotic

 

Requirements:

- Ollydbg
- A memory searcher (e.g. ArtMoney)
- ASM knowledge
- Warcraft III in window mode
-->Create a shortcut, right click and “Properties“
Then add “ -window“


This is my first tutorial, so I hope it has no mistakes and is understandable for everyone.
The main-idea is NOT to follow it step by step and say “I’ll got it, I’m a uber-1337-Hax0r!” Wink
I just want to show you a little part of Warcraft III hacking. I hope this inspires you to learn more by yourself. To be a good hacker, you’ve to know much more and you’ve to get those offsets alone, that’s one reason why I choose a method to get a detectable offset!
[SO DON’T USE IT IN LADDER!]

PART I Instruction

Well, first we’ve to think about a method how to find a offset which reveals the units..
There are many ways...use your brain and try to think like blizzard did when they made this nice game Wink So we need to know how the game manages it if the unit is visible or not.
*IDEA*
“Enemy unit visible” = TRUE = 1
“Enemy unit hidden in fog of war” = FALSE = 0
This makes any sense?
Yeah, let’s try it!


PART II Main Part

Now start Warcraft III and enter a singleplayer game.
(In singleplayer games you won’t disc if you’re pausing the game too long and you’re able to play alone)
Then start ArtMoney and choose “kernel32.dll” as library for process viewer.
Now you should be able to select Warcraft III as process.
Back to Warcraft III
Just move your unit near a random creep so it’s in your sight range.

Switch to ArtMoney
Now press on Search and search for “1” as Integer.
Wait until it’s finished and you’ll see that
there are many addresses holding the
Value 1…
So we’ve to filter until there are only a
couple addresses left. So...



Switch back to Warcraft III
Now move away so that you can’t see your creep anymore.

Now back to Artmoney and Filter [don't’ search again Wink ]
for “0” as Integer.
After it’s finished, move your unit in the creep’s sight rangeagain and filter for “1” as integer….
After repeating this step ~15 times you should have ~7
addresses left.
Now you’ve to filter by hand:
Move your unit away again, so all rest addresses should be “0”.
Now set the first value to “1” and “Freeze” it
And have a look at Warcraft III if anything changes…

Nothing happened?
So unfreeze the first value, set it to 0 and remove the first value from your table.
Do the same steps until you notice this: (no pictures remember?)
This looks right (in my case it’s 0x12CD337.

So now the interesting part, that’s the time for Ollydbg! Smiley
Attach Warcraft III and move to your address in dump.
Now do a “Memory breakpoint on access” onto the first 8 bytes!
You should reach this address:
6F2A3B91 |. 66:8B3C41 MOV DI,WORD PTR DS:[ECX+EAX*2]
Remove that memory breakpoint again and try to change it like this :
MOV DI,1
And have a look at Warcraft III…
I can see every creep on the mainmap and even buildings on the minimap!
Yeah, it looks like we’re finished!

But wait…!
If you join some custom games you’ll notice that sometimes there’s a bug…
You can’t click any unit, even not your own ones! Sad

So we’ve to look at 0x6F2A3B91 again in Ollydbg and fix this problem.
Now we must understand how Warcraft III works…
MOV DI,WORD PTR DS:[ECX+EAX*2] is a simple part of the draw function which checks which player has the control about the unit.
So we need to change the part so, that it will reveal the unit for all players (1-16).
Well, the number “tells” this part for which players it should check.
MOV DI,

0x1=1. Player
0x2=1-2.Player

0xF=1-16. Player

So what we have to do is change our MOV DI,1 to MOV DI,0xF.
So that it will work every time even if we’re not player 1!



Part III The Coding

Now we have our offset + correct changes, but we don’t want to do this change every time we restart Warcraft III by hand with Ollydbg, do we ?!
So now we’ve to code a program which writes into Warcraft III’s memory
Code in C++:



/************************************************** ***************




  *Made by Chaotic *


  *Shoutouts to: Exzap, Alpha_Hacka & xliqz^ *


  *www.SkillHackerZ.com *


  *Remember: Don't use it in Laddergames because it is not allowed!*


  *Only with friends *


************************************************** ****************/




#include <windows.h>


void EnableDebugPriv();


int main()
{


//We have to set debug privileges for our app to be allowed to OpenProcess (war3.exe)
EnableDebugPriv();
//Get a Handle on Warcraft III window
HWND hwar3 = FindWindow("Warcraft III",NULL);
if (!hwar3) //If we can't find the window...
{
MessageBox(0, "Run Warcarft III First!", "", MB_OK);
return false;
}
DWORD pid;
GetWindowThreadProcessId(hwar3, &pid);
HANDLE hopen = OpenProcess(PROCESS_ALL_ACCESS, false, pid);
if (!hopen) //Can't open Warcarft III's process.. Must be a PID error.
{
MessageBox(0, "Your getting a PID error, use LoaderZ.", "", MB_OK);
return false;
}
//Now we're ready to change the memory!
//We remember: 6F2A3B91 66:BF 0F00 MOV DI,0x0F
BYTE data[] = {0xBF,0x0F,0x00};
bool success = WriteProcessMemory(hopen,(LPVOID)0x6F2A3B92, &data,3, NULL);


if(success)//Everything worked
MessageBox(NULL, "Hack Loaded - Remember to Vist www.SkillHackerZ.com", "", MB_OK);
else//There was an error!
MessageBox(NULL, "Couldn't load hack", "", MB_OK);
// Remember to be clean
CloseHandle(hopen);
//Done!
return true;
}


void EnableDebugPriv()
{
HANDLE hToken;
LUID sedebugnameValue;
TOKEN_PRIVILEGES tkp;
OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken);
LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &sedebugnameValue);
tkp.PrivilegeCount = 1;
tkp.Privileges[0].Luid = sedebugnameValue;
tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
AdjustTokenPrivileges(hToken, false, &tkp, sizeof tkp, NULL, NULL);
CloseHandle(hToken);
}

你可能感兴趣的:(如何创建一个基本的魔兽全图外挂 HowTo create a basic Maphack by Chaotic)