Analysis of VCMH's Anti-Detection
=================================

Introduction

ValiantChaos has been a member of GameThreat since 2004. He is the author of the maphack 'ValiantChaos Maphack', which is classified as a '3rd party tool' and is not approved by Blizzard, so using it could result in a ban. In his readme he states the following:

'- Warden protection
http://en.wikipedia.org/wiki/Warden_(software)
If you don't know what Warden is, read the link above. I will not go into details with how my protection works or what techniques I have used to help prevent detection, but know that it's there and working to protect you. If your game closes when the hack is being loaded or just after entering a game lobby, then the protection probably failed and ended up closing StarCraft. If this continues to happen for you, then report it to me so I can make the changes to my warden protection and fix the problem.'

As he refuses to explain how his protection works, I will try to describe it as well as I can, because it is full of flaws and puts its users at very high risk.

Preparation

The archive comes with a Loader.exe and a VCMH.dll. Loader.exe is packed with PECompact; VCMH.dll is encrypted with a basic XOR algorithm. If you want to decrypt the DLL yourself to load it into IDA or any other disassembler, this is how you do it (lpyBuffer holds the raw file contents as bytes, dwFileSize is their length):

    // Decrypt the file contents in place: subtract 0x6C from every byte, then XOR it with 0x49
    for( DWORD i = 0; i < dwFileSize; i++ )
    {
        lpyBuffer[ i ] = ( lpyBuffer[ i ] - 0x6C ) ^ 0x49;
    }
    // The second byte gets an additional fix-up afterwards
    lpyBuffer[ 1 ] += 0xF0;

The full version of the decryption code can be found at http://www.skillhackers.com/sc2warden/vcdecrypt.txt.

The loader does nothing else but read the path of the StarCraft installation folder, start SC2 using ShellExecute, decrypt VCMH and map it at a random base.

Analysis

The hack applies, besides its game hooks, three patches to Battle.net.dll, all located in the function that initializes and maps a Warden module.
Patch 1 & 2: Battle.Net Base + 0x613B28 & 0x613B37

The hack places hooks at both GetProcAddress calls that are used to initialize the import address table of a Warden module. This is done to bypass Warden's VirtualQuery scan.

Patch 3: Battle.Net Base + 0x613BB4

The third patch is required to get past the offset scans done by Warden. In this hook the hack walks through the Warden module looking for the byte pattern FC 8B 54 24 14 8B 74 24 10 8B 44 24 0C 8B CA 8B F8 C1 E9 02, which is used to find Warden's memcpy function. The scan pattern disassembles to:

    FC          CLD
    8B5424 14   MOV EDX,DWORD PTR SS:[ESP+14]
    8B7424 10   MOV ESI,DWORD PTR SS:[ESP+10]
    8B4424 0C   MOV EAX,DWORD PTR SS:[ESP+C]
    8BCA        MOV ECX,EDX
    8BF8        MOV EDI,EAX
    C1E9 02     SHR ECX,2

If the pattern is found, a call hook is placed on these two instructions (if it is not found, the hack closes SC2):

    MOV EDX,DWORD PTR SS:[ESP+14]
    MOV ESI,DWORD PTR SS:[ESP+10]

ESI holds the pointer to the memory Warden attempts to copy into a buffer in order to hash it. The hack checks whether that address lies within SC2's module; if it does, it alters the pointer so that it points into a clean copy of the SC2 module.

Conclusion

I don't think you could call this Warden protection. It leaves many holes for Blizzard to attack. It barely defeats the offset scan routine: they could just put the pattern he looks for in the .data section of the module. Zinf! Anti-Detection has been bypassed! Another way would be to look for one of the Battle.net.dll modifications.

- a curious monkey.
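The last point of the conclusion, looking for the Battle.net.dll modifications, is what an integrity check on the anti-cheat side comes down to. As an added example (not part of the original post, and neither Warden's nor the hack's code), the following C code compares a code section as loaded in memory against a clean copy of the same bytes, reports every run of modified bytes, and flags runs that fit inside a 5-byte CALL/JMP rel32 instruction, the footprint of the call hooks described above. The sample buffers are constructed: the clean bytes reuse the memcpy pattern quoted in the post followed by a made-up CALL and RET, and the "live" copy carries a constructed 5-byte hook over the first instructions plus a retargeted rel32 in the later CALL.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* One contiguous run of bytes that differ between the loaded image and the clean copy. */
typedef struct {
    size_t offset;  /* offset of the first differing byte within the section */
    size_t length;  /* number of consecutive differing bytes */
} PatchRange;

/* Compare a code section as loaded in memory (`live`) with a pristine copy of the same
 * bytes (`clean`, e.g. the module file read from disk and relocated). Every contiguous run
 * of differing bytes is written to `out` (at most `max_out` entries); the return value is
 * the total number of runs found, so a result larger than `max_out` means `out` was too small. */
size_t find_patched_ranges(const uint8_t *live, const uint8_t *clean, size_t size,
                           PatchRange *out, size_t max_out)
{
    size_t count = 0;
    size_t i = 0;
    while (i < size) {
        if (live[i] == clean[i]) {
            i++;
            continue;
        }
        size_t start = i;
        while (i < size && live[i] != clean[i])
            i++;
        if (count < max_out) {
            out[count].offset = start;
            out[count].length = i - start;
        }
        count++;
    }
    return count;
}

/* Heuristic: does this run fit inside a 5-byte E8 (CALL rel32) or E9 (JMP rel32)
 * instruction of the live image? That is the footprint of an inline call/jmp hook, and it
 * also covers the case where only the rel32 of an existing CALL was retargeted. It is a
 * shape check only and can flag unrelated differences near an E8/E9 byte, so treat a hit
 * as something to inspect, not as proof. */
int looks_like_call_or_jmp_hook(const uint8_t *live, size_t size, const PatchRange *r)
{
    size_t first = r->offset >= 4 ? r->offset - 4 : 0;
    for (size_t j = first; j <= r->offset && j < size; j++) {
        if ((live[j] == 0xE8 || live[j] == 0xE9) && r->offset + r->length <= j + 5)
            return 1;
    }
    return 0;
}

/* Constructed sample data (not taken from any real binary): the clean bytes are the memcpy
 * pattern quoted in the post followed by a made-up CALL and RET; the live copy carries a
 * 5-byte CALL hook over the first instructions and a retargeted rel32 in the later CALL. */
#define SAMPLE_SIZE 26
static const uint8_t clean_sample[SAMPLE_SIZE] = {
    0xFC, 0x8B, 0x54, 0x24, 0x14, 0x8B, 0x74, 0x24, 0x10, 0x8B, 0x44, 0x24, 0x0C,
    0x8B, 0xCA, 0x8B, 0xF8, 0xC1, 0xE9, 0x02,
    0xE8, 0x10, 0x00, 0x00, 0x00,   /* CALL +0x10 (constructed) */
    0xC3                            /* RET */
};
static const uint8_t live_sample[SAMPLE_SIZE] = {
    0xE8, 0xAA, 0xBB, 0xCC, 0xDD,   /* constructed hook: CALL rel32 over CLD + MOV EDX */
    0x8B, 0x74, 0x24, 0x10, 0x8B, 0x44, 0x24, 0x0C,
    0x8B, 0xCA, 0x8B, 0xF8, 0xC1, 0xE9, 0x02,
    0xE8, 0x20, 0x00, 0x00, 0x00,   /* same CALL, rel32 retargeted */
    0xC3
};

/* Runs the comparison on the constructed sample; returns the number of modified runs. */
size_t demo_scan(PatchRange *out, size_t max_out)
{
    return find_patched_ranges(live_sample, clean_sample, SAMPLE_SIZE, out, max_out);
}

int main(void)
{
    PatchRange ranges[8];
    size_t n = demo_scan(ranges, 8);
    printf("%zu modified range(s) in sample section\n", n);
    for (size_t k = 0; k < n && k < 8; k++) {
        printf("  +0x%02zx, %zu byte(s)%s\n", ranges[k].offset, ranges[k].length,
               looks_like_call_or_jmp_hook(live_sample, SAMPLE_SIZE, &ranges[k])
                   ? "  <- fits a CALL/JMP rel32 hook" : "");
    }
    return 0;
}
```

On the constructed sample this reports two modified runs: five bytes at offset 0 (the whole hook) and one byte at offset 21 (only the displacement of the retargeted CALL changed, which is why a check has to compare bytes rather than opcodes). In a real integrity check the clean copy would come from the module on disk with relocations applied, and the comparison would be limited to read-only code sections so that legitimately writable data does not produce noise.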