Author: Chaotic
Website: www.skillhackers.com

Requirements:
- Ollydbg
- A memory searcher (e.g. ArtMoney)
- ASM knowledge
- Warcraft III in window mode --> Create a shortcut, right-click it, open “Properties”, then add “ -window”
PART I Instruction

Well, first we have to think of a method to find an offset which reveals the units. There are many ways... use your brain and try to think like Blizzard did when they made this nice game ;)

*IDEA*
“Enemy unit visible” = 1
“Enemy unit hidden in fog of war” = 0

Does this make any sense? Yeah, let’s try it!
PART II Main Part

Now start Warcraft III and enter a singleplayer game. (In singleplayer games you won’t disconnect if you pause the game for too long, and you’re able to play alone.) Then start ArtMoney and choose “kernel32.dll” as library for process viewer.

Now you should be able to select Warcraft III as process.
Back to Warcraft III: just move your unit near a random creep so it’s in your sight range.
Switch to ArtMoney: now press Search and search for “1” as Integer.
Wait until it’s finished and you’ll see that there are many addresses holding the value 1… So we have to filter until there are only a couple of addresses left. So...
Switch back to Warcraft III: now move away so that you can’t see your creep anymore.
Now back to ArtMoney and Filter [don’t search again ;) ] for “0” as Integer. After it’s finished, move your unit in the creep’s sight range again and filter for “1” as Integer…
After repeating this step ~15 times you should have ~7 addresses left.
Now you have to filter by hand: move your unit away again, so all remaining addresses should be “0”. Now set the first value to “1” and “Freeze” it.


And have a look at Warcraft III to see if anything changes… Nothing happened? Then unfreeze the first value, set it to 0 and remove it from your table. Repeat the same steps until you notice this:
This looks right (in my case it’s 0x12CD3378).
So now the interesting part, it’s time for Ollydbg! :)
Attach to Warcraft III and move to your address in the dump. Now set a “Memory breakpoint on access” on the first 8 bytes! You should reach this address:

6F2A08B1 |. 66:8B3C41 MOV DI,WORD PTR DS:[ECX+EAX*2]

Remove that memory breakpoint again and try to change it like this:

MOV DI,1

And have a look at Warcraft III… I can see every creep on the main map and even buildings on the minimap! Yeah, it looks like we’re finished! But wait... If you join some custom games you’ll notice that sometimes there’s a bug… You can’t click any unit, not even your own ones! :(

So we have to look at 0x6F2A08B1 again in Ollydbg and fix this problem. Now we must understand how Warcraft III works… MOV DI,WORD PTR DS:[ECX+EAX*2] is a simple part of the draw function which checks which player has control of the unit. So we need to change this part so that it will reveal the unit for all players (1-16). Well, the number “tells” this part for which players it should check:

MOV DI,
0x1 = Player 1
0x2 = Players 1-2
…
0xF = Players 1-16

So what we have to do is change our MOV DI,1 to MOV DI,0xF, so that it will work every time, even if we’re not player 1!
Part III The Coding

Now we have our offset + the correct changes, but we don’t want to make this change by hand with Ollydbg every time we restart Warcraft III, do we?! So now we have to code a program which writes into Warcraft III’s memory.

Code in C++:
//Originally made by buyaoa
//Changed by Chaotic
//Remember: Don't use it in Laddergames or your ROC Key+Account get banned!
#include <windows.h>

int main()
{
    //Find wc3 window
    HWND hwar3=::FindWindow(NULL,"Warcraft III");

    //Enable SeDebugPrivilege for the current process
    HANDLE hcurrent=GetCurrentProcess();
    HANDLE hToken;
    BOOL bret=OpenProcessToken(hcurrent,TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY,&hToken); //was the literal 40
    LUID luid;
    bret=LookupPrivilegeValue(NULL,"SeDebugPrivilege",&luid);
    TOKEN_PRIVILEGES NewState,PreviousState;
    DWORD ReturnLength;
    NewState.PrivilegeCount=1;
    NewState.Privileges[0].Luid=luid;
    NewState.Privileges[0].Attributes=SE_PRIVILEGE_ENABLED; //was the literal 2
    //Buffer length must match the real size of PreviousState (the original passed 28)
    bret=AdjustTokenPrivileges(hToken,FALSE,&NewState,sizeof(PreviousState),&PreviousState,&ReturnLength);

    DWORD PID, TID;
    TID=::GetWindowThreadProcessId(hwar3,&PID);

    //Open wc3 process
    HANDLE hopen=OpenProcess(PROCESS_ALL_ACCESS|PROCESS_TERMINATE|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE,FALSE,PID);

    //Write memory
    //6F2A08B1 66:BF 0F00 MOV DI,0F
    //The 66 prefix at 6F2A08B1 stays; only the three bytes after it are replaced
    DWORD data=0xBF;
    bret=WriteProcessMemory(hopen,(LPVOID)0x6F2A08B2,&data,1,0);
    data=0x0F;
    bret=WriteProcessMemory(hopen,(LPVOID)0x6F2A08B3,&data,1,0);
    data=0x00;
    bret=WriteProcessMemory(hopen,(LPVOID)0x6F2A08B4,&data,1,0);

    //Close handle
    bret=CloseHandle(hopen);
    return 0;
}
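Seen from the defending side, the three-byte write above is what a code integrity check looks for. The following is an added example, not part of the original tutorial and not the game's own code: it diffs a snapshot of code bytes against a trusted baseline and reports the modified range. Only the four instruction bytes and the address come from the tutorial; the NOP filler bytes and all names are constructed for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

struct PatchedRange {
    std::uint32_t address;  // virtual address of the first modified byte
    std::size_t length;     // number of consecutive modified bytes
};

// Diff a live snapshot of a code region against a trusted baseline and
// merge adjacent differing bytes into ranges. `base` is the address of byte 0.
std::vector<PatchedRange> findPatches(const std::vector<std::uint8_t>& baseline,
                                      const std::vector<std::uint8_t>& live,
                                      std::uint32_t base) {
    std::vector<PatchedRange> out;
    const std::size_t n = baseline.size() < live.size() ? baseline.size() : live.size();
    for (std::size_t i = 0; i < n; ++i) {
        if (baseline[i] == live[i]) continue;
        const std::uint32_t addr = base + static_cast<std::uint32_t>(i);
        if (!out.empty() && out.back().address + out.back().length == addr)
            ++out.back().length;          // extends the previous range
        else
            out.push_back({addr, 1});     // starts a new range
    }
    return out;
}

// Constructed sample: one NOP of filler, the 4-byte instruction from the
// tutorial (66 8B 3C 41), one more NOP. The patched copy holds 66 BF 0F 00.
const std::uint32_t kBase = 0x6F2A08B0;
const std::vector<std::uint8_t> kBaseline = {0x90, 0x66, 0x8B, 0x3C, 0x41, 0x90};
const std::vector<std::uint8_t> kPatched  = {0x90, 0x66, 0xBF, 0x0F, 0x00, 0x90};

int main() {
    for (const PatchedRange& r : findPatches(kBaseline, kPatched, kBase))
        std::printf("code modified: 0x%08X, %zu byte(s)\n",
                    static_cast<unsigned>(r.address), r.length);
    return 0;
}
```

The reported range starts one byte after the instruction address because the 66 operand-size prefix is identical in both encodings.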
HowTo create a basic Maphack
This is my first tutorial, so I hope it has no mistakes and is understandable for everyone. The main idea is NOT to follow it step by step and say “I’ll got it, I’m a uber-1337-Hax0r!” ;) I just want to show you a little part of Warcraft III hacking. I hope this inspires you to learn more by yourself. To be a good hacker, you’ve to know much more and you’ve to get those offsets alone, that’s one reason why I chose a method to get a detectable offset! [SO DON’T USE IT IN LADDER!]
This is the end of my first tutorial! I hope you enjoyed it and maybe I’ll do new ones in future. Don’t forget to visit our nice Skillhackers Community

