How to create a basic Warcraft maphack (HowTo create a basic Maphack by Chaotic)
2013-07-02 15:22
by: Chaotic

Requirements:
- OllyDbg
- A memory searcher (e.g. ArtMoney)
- ASM knowledge
- Warcraft III in windowed mode
  (create a shortcut, right-click it, choose "Properties" and add " -window" to the target)
This is my first tutorial, so I hope it has no mistakes and is understandable for everyone.
The main idea is NOT to follow it step by step and then say "I've got it, I'm an uber-1337-Hax0r!"
I just want to show you a small part of Warcraft III hacking. I hope this inspires you to learn more by yourself. To be a good hacker you have to know much more, and you have to find those offsets on your own; that's one reason why I chose a method that yields a detectable offset!
[SO DON'T USE IT IN LADDER!]
PART I Introduction
Well, first we have to think about a method to find an offset which reveals the units.
There are many ways... use your brain and try to think like Blizzard did when they made this nice game. So we need to know how the game keeps track of whether a unit is visible or not.
*IDEA*
"Enemy unit visible" = TRUE = 1
"Enemy unit hidden in fog of war" = FALSE = 0
Does this make any sense?
Yeah, let's try it!
PART II Main Part
Now start Warcraft III and enter a singleplayer game.
(In singleplayer games you won't disconnect if you pause the game for too long, and you can play alone.)
Then start ArtMoney and choose "kernel32.dll" as the library for the process viewer.
Now you should be able to select Warcraft III as the process.
Back to Warcraft III: move your unit near a random creep so that it is within your sight range.
Switch to ArtMoney, press Search and search for "1" as Integer.
Wait until it's finished and you'll see that there are many addresses holding the value 1...
So we have to filter until only a couple of addresses are left. So...
Switch back to Warcraft III and move away so that you can't see the creep anymore.
Now back to ArtMoney and Filter [don't search again!] for "0" as Integer.
After it's finished, move your unit into the creep's sight range again and filter for "1" as Integer...
After repeating this step ~15 times you should have ~7 addresses left.
Now you have to filter by hand:
Move your unit away again, so all remaining addresses should be "0".
Now set the first value to "1", "Freeze" it, and have a look at Warcraft III to see if anything changes...
Nothing happened?
Then unfreeze the first value, set it back to 0 and remove it from your table.
Repeat these steps for each address until you notice this: (no pictures, remember?)
This looks right (in my case it's 0x12CD337).
So now the interesting part: it's time for OllyDbg!
Attach to Warcraft III and go to your address in the dump window.
Now set a "Memory breakpoint on access" on the first 8 bytes!
You should land at this address:
6F2A3B91 |. 66:8B3C41 MOV DI,WORD PTR DS:[ECX+EAX*2]
Remove that memory breakpoint again and try to change the instruction like this:
MOV DI,1
And have a look at Warcraft III...
I can see every creep on the main map and even buildings on the minimap!
Yeah, it looks like we're finished!
But wait...!
If you join some custom games you'll notice that sometimes there's a bug...
You can't click any unit, not even your own ones!
So we have to look at 0x6F2A3B91 again in OllyDbg and fix this problem.
Now we must understand how Warcraft III works...
MOV DI,WORD PTR DS:[ECX+EAX*2] is a small part of the draw function which checks which player has control of the unit.
So we need to change this part so that it reveals the unit for all players (1-16).
Well, the number "tells" this part which players it should check for:
MOV DI,0x1 = player 1
MOV DI,0x2 = players 1-2
...
MOV DI,0xF = players 1-16
So what we have to do is change our MOV DI,1 to MOV DI,0xF, so that it works every time, even if we're not player 1!
PART III The Coding
Now we have our offset and the correct change, but we don't want to apply it by hand with OllyDbg every time we restart Warcraft III, do we?!
So now we have to code a program which writes into Warcraft III's memory.
Code in C++:
/*****************************************************************
 * Made by Chaotic
 * Shoutouts to: Exzap, Alpha_Hacka & xliqz^
 * www.SkillHackerZ.com
 * Remember: Don't use it in Ladder games because it is not allowed!
 * Only with friends
 *****************************************************************/
#include <windows.h>

void EnableDebugPriv();

int main()
{
    // We have to enable the debug privilege so our app is allowed to OpenProcess(war3.exe)
    EnableDebugPriv();

    // Get a handle to the Warcraft III window (ANSI variant so the literal works with or without UNICODE)
    HWND hwar3 = FindWindowA("Warcraft III", NULL);
    if (!hwar3) // If we can't find the window...
    {
        MessageBoxA(0, "Run Warcraft III first!", "", MB_OK);
        return 1;
    }

    DWORD pid;
    GetWindowThreadProcessId(hwar3, &pid);
    HANDLE hopen = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
    if (!hopen) // Can't open Warcraft III's process... must be a PID error.
    {
        MessageBoxA(0, "You're getting a PID error, use LoaderZ.", "", MB_OK);
        return 1;
    }

    // Now we're ready to change the memory!
    // We remember: 6F2A3B91  66:BF 0F00  MOV DI,0x0F
    // The 66 prefix is already at 6F2A3B91, so only the 3 bytes BF 0F 00 are written at 6F2A3B92.
    BYTE data[] = {0xBF, 0x0F, 0x00};
    BOOL success = WriteProcessMemory(hopen, (LPVOID)0x6F2A3B92, data, sizeof data, NULL);
    if (success) // Everything worked
        MessageBoxA(NULL, "Hack Loaded - Remember to visit www.SkillHackerZ.com", "", MB_OK);
    else // There was an error!
        MessageBoxA(NULL, "Couldn't load hack", "", MB_OK);

    // Remember to be clean
    CloseHandle(hopen);
    // Done!
    return 0;
}

void EnableDebugPriv()
{
    HANDLE hToken;
    LUID sedebugnameValue;
    TOKEN_PRIVILEGES tkp;

    OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken);
    LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &sedebugnameValue);
    tkp.PrivilegeCount = 1;
    tkp.Privileges[0].Luid = sedebugnameValue;
    tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    AdjustTokenPrivileges(hToken, FALSE, &tkp, sizeof tkp, NULL, NULL);
    CloseHandle(hToken);
}
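A defender-side counterpart, added here as an example and not part of Chaotic's tutorial: an anti-cheat style integrity check that catches exactly this kind of 3-byte WriteProcessMemory patch by comparing a process's code region against a known-good copy. The region base (0x6F2A3B80), the filler bytes and the "observed" snapshot are constructed; only the instruction bytes and the addresses 0x6F2A3B91/0x6F2A3B92 come from the tutorial.

```python
"""Constructed example: detect an in-memory code patch of the kind the
tutorial applies by diffing a code region against a trusted copy."""
import hashlib

CODE_BASE = 0x6F2A3B80  # assumed base of the sampled region (constructed)

# Known-good bytes of the region (constructed filler around the original
# instruction 66 8B 3C 41 = MOV DI,WORD PTR [ECX+EAX*2] at 0x6F2A3B91).
ORIGINAL = bytes(0x11) + bytes.fromhex("668B3C41") + bytes(0x0B)


def reference_hash(code: bytes) -> str:
    """SHA-256 of the known-good region, taken once at trusted load time."""
    return hashlib.sha256(code).hexdigest()


def find_patches(expected: bytes, observed: bytes, base: int):
    """Return [(address, original_bytes, observed_bytes)] for every run of
    differing bytes. The hash check first skips the byte walk when the
    region is untouched, which is the common case."""
    if len(expected) != len(observed):
        raise ValueError("region length mismatch")
    if hashlib.sha256(observed).hexdigest() == reference_hash(expected):
        return []
    patches = []
    i = 0
    while i < len(expected):
        if expected[i] == observed[i]:
            i += 1
            continue
        start = i
        while i < len(expected) and expected[i] != observed[i]:
            i += 1
        patches.append((base + start, expected[start:i], observed[start:i]))
    return patches


def apply_tutorial_patch(code: bytes) -> bytes:
    """Constructed 'observed' snapshot: the tutorial's loader writes
    BF 0F 00 at 0x6F2A3B92, turning the load into MOV DI,0x0F (66 BF 0F 00)."""
    off = 0x6F2A3B92 - CODE_BASE
    return code[:off] + bytes.fromhex("BF0F00") + code[off + 3:]
```

On a live target the "observed" buffer would come from reading the process's code section (or the game checking its own .text), and a non-empty result is the detection event to log.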