• Welcome to Valhalla Legends Archive.
 
Messages - Excel

#1
General Programming / Re: IO Completion Ports
August 12, 2006, 03:49 AM
I didn't... I'm trying to figure out the same problem. :(
#2
Battle.net Bot Development / Re: WAR3 Temp Data
August 11, 2006, 10:52 AM
In the registry ( regedit.exe )

HKEY_CURRENT_USER\Software\Blizzard Entertainment\Warcraft III\String\userbnet
#3
Doesn't hook ReadFileEx, but ReadFile might be the one.

After logging on battle.net, then ALT+F4 to leave... I was given this nice message from ReadFile
Quote
[NOTE TO HACKERS -- Changing this file may be hazardous to your progress]
Magic1=-704524704
#4
In an attempt to receive data coming to the Warcraft 3 client before the game handles it ( which is a feat in itself ), I am wondering how to actually get at the data.  I've been researching how IO Completion Ports work and can't seem to find the data.

Here is a typical GetQueuedCompletionStatus call

// BOOL GetQueuedCompletionStatus( CompletionPortHandle, lpNumberOfBytes, lpCompletionKey, lpOverlapped, dwMilliseconds );
ret = GetQueuedCompletionStatus( 9464, 67501932, 67501944, 67501928, -1 ); // -1 == INFINITE
// ret == 1

Here is some debug output ( value from the lpNumberOfBytes pointer ... as well as the data inside the OVERLAPPED structure )
Quote
Bytes Read = 154
hEvent = 142868656 == 0x088400B0
Internal = 142870244 == 0x088406E4
InternalHigh = 154
Offset = 67501952 == 0x0405FF80
OffsetHigh = 4282464 == 0x00415860
Pointer = 67501952 == 0x0405FF80

I was hoping I could simply ReadProcessMemory the address Pointer is set to... for the InternalHigh worth of bytes (since it is identical to the supposed bytes read), however it doesn't give me the data I expected.  My tests so far have been going to an empty chatroom, chatting, and trying to find the text I had typed "XXXXXXXXXXX".  I've also debugged and stepped through it:

00415800  |. FF15 10CF4E00  |CALL DWORD PTR DS:[4ECF10]

... is the call that soon after calls GetQueuedCompletionStatus.  Even debugging and looking around, I couldn't find how it looked up the data that it was receiving ( or how it was receiving it ).

I am hoping that someone could help me with this.  Does the GetQueuedCompletionStatus OVERLAPPED structure give me the information I need to find the data received?  I've seen that typically a programmer would wrap that structure and add additional data ( perhaps the received buffer )... but this is not the case as far as I can tell.  I still see no calls to WSARecv... is this not even used?  Is there a better way I should be approaching this? Any support would be great  :-*
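The pattern the post above is looking for, as an added example that is not part of the original post and not Blizzard's or the poster's code: an OVERLAPPED block never carries a pointer to the received data. After completion, Internal holds the status and InternalHigh the byte count (which is why it equals lpNumberOfBytes), but the bytes are wherever the WSABUF passed to WSARecv, or the lpBuffer passed to ReadFile on the socket handle, pointed. So a hook on GetQueuedCompletionStatus on its own cannot find the data; it needs a table, filled by a hook on WSARecv/ReadFile, that maps lpOverlapped to (buffer, capacity). The Windows types are re-declared here with the same field layout so the logic compiles and runs anywhere, the two hooked_*/on_* functions stand in for the detour bodies, and the payload is a constructed sample.

```c
/* Added example, not code from the original post: correlating a completion
 * returned by GetQueuedCompletionStatus with the buffer handed to the
 * WSARecv/ReadFile call that started the I/O. Types re-declared with the
 * Windows layout so this runs on any platform. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    uintptr_t Internal;       /* completion status once the I/O finishes */
    uintptr_t InternalHigh;   /* bytes transferred; what lpNumberOfBytes also reports */
    uint32_t  Offset, OffsetHigh;
    void     *hEvent;
} OVERLAPPED_T;
typedef struct { uint32_t len; char *buf; } WSABUF_T;

#define MAX_PENDING 64
static struct { OVERLAPPED_T *ov; char *buf; uint32_t cap; } g_pending[MAX_PENDING];

/* WSARecv detour: record where the data will land; the real WSARecv would be called next.
 * The same bookkeeping applies to a ReadFile detour with (lpBuffer, nNumberOfBytesToRead). */
int hooked_WSARecv(WSABUF_T *bufs, uint32_t nbufs, OVERLAPPED_T *ov)
{
    if (ov == NULL || nbufs == 0) return -1;      /* blocking call: nothing arrives via the port */
    for (int i = 0; i < MAX_PENDING; i++) {
        if (g_pending[i].ov == NULL) {
            g_pending[i].ov  = ov;
            g_pending[i].buf = bufs[0].buf;       /* single-WSABUF case; scatter reads need all entries */
            g_pending[i].cap = bufs[0].len;
            return 0;
        }
    }
    return -1;                                    /* table full */
}

/* GetQueuedCompletionStatus detour, run after the real call returned TRUE:
 * look the OVERLAPPED up, copy min(bytes, capacity) out, free the slot.
 * Returns the captured length, or -1 if this completion is not a recorded
 * receive (a send, a timer, or a read posted before the hook was installed). */
int on_completion(OVERLAPPED_T *ov, uint32_t bytes, char *out, uint32_t outcap)
{
    if (ov == NULL) return -1;
    for (int i = 0; i < MAX_PENDING; i++) {
        if (g_pending[i].ov != ov) continue;
        uint32_t n = bytes < g_pending[i].cap ? bytes : g_pending[i].cap;  /* never trust the count over the capacity */
        if (n > outcap) n = outcap;
        memcpy(out, g_pending[i].buf, n);
        g_pending[i].ov = NULL;                   /* the app re-posts the same OVERLAPPED for its next read */
        return (int)n;
    }
    return -1;
}

/* Stand-alone walk-through with constructed data: the game posts a receive,
 * the kernel later fills the buffer and completes it, the hook captures it. */
int demo_session(void)
{
    static char app_buffer[512];                  /* the game's own receive buffer */
    static OVERLAPPED_T ov;                       /* the game's own OVERLAPPED */
    WSABUF_T wb = { sizeof app_buffer, app_buffer };
    char captured[512];
    const char payload[] = "chat: XXXXXXXXXXX";   /* constructed sample of received data, 17 bytes */
    uint32_t n = (uint32_t)strlen(payload);

    memset(&ov, 0, sizeof ov);
    if (hooked_WSARecv(&wb, 1, &ov) != 0) return -1;
    memcpy(app_buffer, payload, n);               /* what the kernel does on completion ... */
    ov.Internal = 0; ov.InternalHigh = n;         /* ... STATUS_SUCCESS and the byte count */

    int got = on_completion(&ov, (uint32_t)ov.InternalHigh, captured, sizeof captured);
    if (got != (int)n || memcmp(captured, payload, n) != 0) return -1;
    return got;
}

int main(void)
{
    printf("captured %d bytes\n", demo_session());
    return 0;
}
```

The Pointer/Offset values in the debug output above are the union members of the OVERLAPPED, not a data pointer, which is why reading InternalHigh bytes from that address does not turn up the chat text; the receive buffer has to be recorded at WSARecv/ReadFile time, as the table here does.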
#5
Here is some debug output I created to show what is happening with the hooked calls I have setup.


This is what happens when war3.exe is loaded and a user clicks the Battle.NET button and then sits at the login screen for about 5 minutes or so ( the last CreateIoCompletionPort calls are from idling ).
Quote
CreateIoCompletionPort ret=8820
CreateIoCompletionPort ret=8824
CreateIoCompletionPort ret=8820
CreateIoCompletionPort ret=8820
CreateIoCompletionPort ret=8820
CreateIoCompletionPort ret=8820
CreateIoCompletionPort ret=8820
CreateIoCompletionPort ret=8820
CreateIoCompletionPort ret=8820
CreateIoCompletionPort ret=8820
CreateIoCompletionPort ret=8820
CreateIoCompletionPort ret=8820
CreateIoCompletionPort ret=8820
CreateIoCompletionPort ret=8820
CreateIoCompletionPort ret=8820
CreateIoCompletionPort ret=8820
CreateIoCompletionPort ret=8820
CreateIoCompletionPort ret=9424
Accept Connection on socket 957
ntohs ret=0
CreateIoCompletionPort ret=9424
Send Data ( 1 bytes )
Send Data ( 58 bytes )
GetQueuedCompletionStatus ret=1
Send Data ( 8 bytes )
GetQueuedCompletionStatus ret=1
CreateIoCompletionPort ret=8820
CreateIoCompletionPort ret=8820
CreateIoCompletionPort ret=8820
CreateIoCompletionPort ret=8820
CreateIoCompletionPort ret=8820
CreateIoCompletionPort ret=8820
CreateIoCompletionPort ret=8820
CreateIoCompletionPort ret=8820
Send Data ( 147 bytes )
GetQueuedCompletionStatus ret=1
GetQueuedCompletionStatus ret=1
Send Data ( 30 bytes )
Send Data ( 36 bytes )
Send Data ( 32 bytes )
Send Data ( 35 bytes )
Send Data ( 4 bytes )
GetQueuedCompletionStatus ret=1
CreateIoCompletionPort ret=8820
CreateIoCompletionPort ret=8820
CreateIoCompletionPort ret=8820
CreateIoCompletionPort ret=8820
CreateIoCompletionPort ret=8820
CreateIoCompletionPort ret=8820
CreateIoCompletionPort ret=8820
CreateIoCompletionPort ret=8820
GetQueuedCompletionStatus ret=1
Send Data ( 30 bytes )
GetQueuedCompletionStatus ret=1
GetQueuedCompletionStatus ret=1
GetQueuedCompletionStatus ret=1
GetQueuedCompletionStatus ret=1
GetQueuedCompletionStatus ret=1
GetQueuedCompletionStatus ret=1
GetQueuedCompletionStatus ret=1
GetQueuedCompletionStatus ret=1
GetQueuedCompletionStatus ret=1

Here are all the hooks I have in place

// { module, export name, ordinal, <filled in by the hooking code> }
// Ordinals are the decimal export ordinals written as hex literals (0x10 == 16 == recv).
API_HOOK_INFO hookTable[ ] =
  {
  { "ws2_32.dll", "socket", 0x17, 0 },
  { "ws2_32.dll", "recv", 0x10, 0 },
  { "ws2_32.dll", "send", 0x13, 0 },
  { "ws2_32.dll", "closesocket", 0x03, 0 },
  { "ws2_32.dll", "accept", 0x01, 0 },
  { "ws2_32.dll", "WSASocketA", 0x4E, 0 },
  { "ws2_32.dll", "WSASocketW", 0x4F, 0 },
  { "ws2_32.dll", "WSASend", 0x48, 0 },
  { "ws2_32.dll", "WSAAccept", 0x1A, 0 },
  { "ws2_32.dll", "WSARecv", 0x47, 0 },

  { "wsock32.dll", "accept", 0x01, 0 },
  { "wsock32.dll", "closesocket", 0x03, 0 },
  { "wsock32.dll", "recv", 0x10, 0 },
  { "wsock32.dll", "send", 0x13, 0 },
  { "wsock32.dll", "socket", 0x17, 0 },
  { "wsock32.dll", "recvfrom", 0x11, 0 },

  { "ws2_32.dll", "WSARecvFrom", 0x49, 0 },
  { "ws2_32.dll", "getsockopt", 0x07, 0 },
  // ntohs is ws2_32 ordinal 15 (0x0F); the original 0x15 (21) is setsockopt's ordinal,
  // so an import by ordinal 21 was being hooked under the ntohs callback.
  { "ws2_32.dll", "ntohs", 0x0F, 0 },

  { "kernel32.dll", "CreateIoCompletionPort", 0x56, 0 },
  { "kernel32.dll", "GetQueuedCompletionStatus", 0x1AA, 0 },
  { "kernel32.dll", "OutputDebugStringA", 0x27C, 0 }
  };


I handle the connect, close, send, recv functions with callback functions.  The other oddball functions I've hooked ( as an afterthought ) simply output the function name and the return value ( EAX ).
#6
Woops... just found this thread ( http://forum.valhallalegends.com/index.php?topic=15438.0 ) and also realized that maybe I should have had this topic posted in General Programming.

Edit: I also just found this article by the great company Sysinternals ( http://www.sysinternals.com/Information/IoCompletionPorts.html )
#7
Hrmm... I still can't figure out why my hook to receive Warcraft 3 data isn't working.  I hook on all the receive functions from wsock32.dll as well as ws2_32.dll which seem to be the only ones that would make sense.

"Examining" happens when a LoadLibrary call is made
"importing" happens as I iterate through the import table
"hooking" happens when I match an import with one in my list-to-hook ( by name or ordinal )
Quote
Examining C:\WINDOWS\system32\wsock32.dll
... importing WS2_32.dll : (null) ( ordinal 0x21 )
... hooking WS2_32.dll : ntohs ( ordinal 0x21 )
... importing WS2_32.dll : (null) ( ordinal 0x7 )
... hooking WS2_32.dll : getsockopt ( ordinal 0x7 )
... importing WS2_32.dll : WSARecvFrom ( ordinal 0x0 )
... hooking WS2_32.dll : WSARecvFrom ( ordinal 0x73 )
... importing WS2_32.dll : WSARecv ( ordinal 0x0 )
... hooking WS2_32.dll : WSARecv ( ordinal 0x71 )
Quote
Examining C:\Program Files\Warcraft III\war3.exe
... importing wsock32.dll : (null) ( ordinal 0x13 )
... importing wsock32.dll : (null) ( ordinal 0x57 )
... importing wsock32.dll : (null) ( ordinal 0x14 )
... importing wsock32.dll : (null) ( ordinal 0x11 )
... importing wsock32.dll : (null) ( ordinal 0x15 )
... importing wsock32.dll : (null) ( ordinal 0x10 )
... importing wsock32.dll : (null) ( ordinal 0x16 )
... hooking wsock32.dll : recv ( ordinal 0x16 )
... importing wsock32.dll : (null) ( ordinal 0x19 )
... hooking wsock32.dll : send ( ordinal 0x19 )
... importing wsock32.dll : (null) ( ordinal 0x17 )
... hooking wsock32.dll : recvfrom ( ordinal 0x17 )
... importing wsock32.dll : (null) ( ordinal 0x20 )
... importing wsock32.dll : (null) ( ordinal 0x52 )
... importing wsock32.dll : (null) ( ordinal 0x4 )
... importing wsock32.dll : (null) ( ordinal 0x116 )
... importing wsock32.dll : (null) ( ordinal 0x115 )
... importing wsock32.dll : (null) ( ordinal 0x12 )
... importing wsock32.dll : (null) ( ordinal 0x2 )
... importing wsock32.dll : (null) ( ordinal 0x5 )
... importing wsock32.dll : (null) ( ordinal 0x9 )
... importing wsock32.dll : (null) ( ordinal 0x1 )
... hooking wsock32.dll : accept ( ordinal 0x1 )
... importing wsock32.dll : (null) ( ordinal 0x6 )
... importing wsock32.dll : (null) ( ordinal 0x21 )
... importing wsock32.dll : (null) ( ordinal 0x23 )
... hooking wsock32.dll : socket ( ordinal 0x23 )
... importing wsock32.dll : (null) ( ordinal 0x111 )
... importing wsock32.dll : (null) ( ordinal 0x3 )
... hooking wsock32.dll : closesocket ( ordinal 0x3 )
... importing wsock32.dll : (null) ( ordinal 0x18 )

Any other suggestions for me?  Perhaps you could explain how IO Completion Ports work more ( if you think this is the reason ).  My hooking works with other network applications.. so it's gotta be a quirk with Warcraft 3 that I just haven't found yet.
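The "importing" and "hooking" steps described in the post above, and the hook table from the post with the CreateIoCompletionPort log, as an added example that is not the poster's hooking code: an import-table walker that tells imports by ordinal (thunk high bit set, low 16 bits are the ordinal) from imports by name (thunk is an RVA to a hint/name entry), matches each one against a hook table, and overwrites the IAT slot. The PE structures are declared here with their real PE32 layout so it compiles on any platform; a minimal image with one wsock32.dll descriptor is constructed in memory to exercise it, with placeholder numbers standing in for detour addresses. In an injected DLL the base would be the module handle and the IAT page needs VirtualProtect before the write; the Windows headers and those calls are the only things left out.

```c
/* Added example, not the poster's code: walk a PE32 import table and match
 * each import against a hook table by name or by ordinal. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#pragma pack(push, 1)
typedef struct { uint16_t e_magic; uint8_t pad[58]; uint32_t e_lfanew; } DosHeader;
typedef struct { uint32_t VirtualAddress, Size; } DataDir;
typedef struct {                       /* IMAGE_NT_HEADERS32: 4 + 20 + 224 bytes */
    uint32_t Signature; uint8_t FileHeader[20];
    uint16_t Magic; uint8_t OptRest[94]; DataDir DataDirectory[16];
} NtHeaders32;
typedef struct { uint32_t OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk; } ImportDesc;
typedef struct { uint16_t Hint; char Name[]; } ImportByName;
#pragma pack(pop)

#define DIR_IMPORT     1
#define ORDINAL_FLAG32 0x80000000u

typedef struct { const char *dll; const char *name; uint16_t ordinal; uint32_t hook; } HookEntry;

static int ieq(const char *a, const char *b)   /* module names differ in case between importers */
{
    while (*a && *b && tolower((unsigned char)*a) == tolower((unsigned char)*b)) { a++; b++; }
    return *a == 0 && *b == 0;
}

/* Returns the number of IAT slots patched, or -1 if the image is not PE32. */
int hook_imports(uint8_t *base, const HookEntry *tbl, size_t ntbl)
{
    const DosHeader *dos = (const DosHeader *)base;
    if (dos->e_magic != 0x5A4D) return -1;
    const NtHeaders32 *nt = (const NtHeaders32 *)(base + dos->e_lfanew);
    if (nt->Signature != 0x00004550u || nt->Magic != 0x10B) return -1;
    uint32_t rva = nt->DataDirectory[DIR_IMPORT].VirtualAddress;
    if (rva == 0) return 0;

    int patched = 0;
    for (const ImportDesc *d = (const ImportDesc *)(base + rva); d->Name; d++) {
        const char *dll = (const char *)(base + d->Name);
        /* The INT keeps name/ordinal info after the loader fills the IAT; fall back to the IAT if absent. */
        const uint32_t *lookup = (const uint32_t *)(base + (d->OriginalFirstThunk ? d->OriginalFirstThunk : d->FirstThunk));
        uint32_t *iat = (uint32_t *)(base + d->FirstThunk);
        for (; *lookup; lookup++, iat++) {
            int by_ordinal = (*lookup & ORDINAL_FLAG32) != 0;
            uint16_t ord = (uint16_t)(*lookup & 0xFFFF);
            const char *name = by_ordinal ? "(null)" : ((const ImportByName *)(base + *lookup))->Name;
            for (size_t i = 0; i < ntbl; i++) {
                if (!ieq(dll, tbl[i].dll)) continue;
                if (by_ordinal ? ord != tbl[i].ordinal : strcmp(name, tbl[i].name) != 0) continue;
                printf("hooking %s : %s ( ordinal %u )\n", dll, tbl[i].name, by_ordinal ? ord : 0);
                *iat = tbl[i].hook;    /* in a live process: the detour's address, after VirtualProtect */
                patched++;
                break;
            }
        }
    }
    return patched;
}

/* Constructed image: DOS header, PE32 headers, one descriptor for wsock32.dll
 * importing recv by ordinal 16 and setsockopt by name. RVAs equal offsets
 * into the buffer, as they do in a mapped module. */
static union { uint8_t b[1024]; uint32_t align; } img;
enum { RVA_NT = 0x40, RVA_DESC = 0x200, RVA_INT = 0x240, RVA_IAT = 0x260, RVA_DLL = 0x280, RVA_NAME = 0x2A0 };

uint8_t *build_image(void)
{
    memset(&img, 0, sizeof img);
    DosHeader *dos = (DosHeader *)img.b;
    dos->e_magic = 0x5A4D; dos->e_lfanew = RVA_NT;
    NtHeaders32 *nt = (NtHeaders32 *)(img.b + RVA_NT);
    nt->Signature = 0x00004550u; nt->Magic = 0x10B;
    nt->DataDirectory[DIR_IMPORT].VirtualAddress = RVA_DESC;
    nt->DataDirectory[DIR_IMPORT].Size = 2 * sizeof(ImportDesc);   /* second, all-zero descriptor terminates */
    ImportDesc *d = (ImportDesc *)(img.b + RVA_DESC);
    d->OriginalFirstThunk = RVA_INT; d->FirstThunk = RVA_IAT; d->Name = RVA_DLL;
    strcpy((char *)img.b + RVA_DLL, "wsock32.dll");
    ImportByName *ibn = (ImportByName *)(img.b + RVA_NAME);
    ibn->Hint = 21; strcpy(ibn->Name, "setsockopt");
    uint32_t *lookup = (uint32_t *)(img.b + RVA_INT), *iat = (uint32_t *)(img.b + RVA_IAT);
    lookup[0] = ORDINAL_FLAG32 | 16; iat[0] = 0x71A01000u;   /* recv by ordinal; IAT holds a placeholder address */
    lookup[1] = RVA_NAME;            iat[1] = 0x71A01020u;   /* setsockopt by name; lookup[2] == 0 ends the list */
    return img.b;
}

uint32_t iat_slot(int i) { return ((uint32_t *)(img.b + RVA_IAT))[i]; }

int demo_hook(void)
{
    static const HookEntry table[] = {
        { "wsock32.dll", "recv",       16, 0xDEAD0001u },   /* placeholder detour "addresses" */
        { "WSOCK32.dll", "setsockopt", 21, 0xDEAD0002u },
        { "ws2_32.dll",  "WSARecv",    71, 0xDEAD0003u },   /* not imported by this image: must not fire */
    };
    return hook_imports(build_image(), table, sizeof table / sizeof table[0]);
}

int main(void) { printf("patched %d IAT slots\n", demo_hook()); return 0; }
```

Note which field decides the match: for an import by ordinal only the table's ordinal matters and the name is never compared, so a wrong ordinal in the table silently hooks a different export; for an import by name the ordinal column is ignored. That is the reason to double-check the ordinal column of a hook table against the DLL's export list, and it explains log lines such as "importing ... (null) ( ordinal 0x21 )" being matched purely on the number.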
#8
How come when I do:

C:\Program Files\Warcraft III>dumpbin /imports war3.exe

It only shows imports on wsock32.dll and none on ws2_32.dll?

Also, I was able to place the hook on WSARecv, but it was never called.  Will hooking that function call not work?
#9
I am looking to hook the winsock calls that war3 uses but am having a few problems.  This seems like the most technical forum of the ones I've found, so I'm hoping someone here might have some info for me. :)

Here is what I am hooking so far
Quote
Examining C:\Program Files\Warcraft III\war3.exe
... hooking wsock32.dll : recv ( ordinal 0x16 )
... hooking wsock32.dll : send ( ordinal 0x19 )
... hooking wsock32.dll : recvfrom ( ordinal 0x17 )
... hooking wsock32.dll : accept ( ordinal 0x1 )
... hooking wsock32.dll : socket ( ordinal 0x23 )
... hooking wsock32.dll : closesocket ( ordinal 0x3 )

I successfully hook accept and send, however never get any recv data.  Does anyone have any suggestions why this is?  I am thinking that war3 might use a different function to receive data ( which doesn't really make sense ).  I am also thinking that the real receive function is done through a different dll import ( not in war3.exe ).  I am pretty confident that my hooking system is working properly ( as I am hooking accept and send fine ) and would rather not post code for it.  I'm hoping someone knows a little more about which imports are used.

Here are the winsock imports war3.exe is using.

wsock32.dll
            56E1E4 Import Address Table
            56D94C Import Name Table
                 0 time date stamp
                 0 Index of first forwarder reference

                  Ordinal    13 listen (forwarded to ws2_32.listen)
                  Ordinal    57 gethostname (forwarded to ws2_32.gethostname)
                  Ordinal    14 ntohl (forwarded to ws2_32.ntohl)
                  Ordinal    11 inet_ntoa (forwarded to ws2_32.inet_ntoa)
                  Ordinal    15 ntohs (forwarded to ws2_32.ntohs)
                  Ordinal    10 inet_addr (forwarded to ws2_32.inet_addr)
                  Ordinal    16 recv
                  Ordinal    19 send (forwarded to ws2_32.send)
                  Ordinal    17 recvfrom
                  Ordinal    20 sendto (forwarded to ws2_32.sendto)
                  Ordinal    52 gethostbyname (forwarded to ws2_32.gethostbyname)
                  Ordinal     4 connect (forwarded to ws2_32.connect)
                  Ordinal   116 WSACleanup (forwarded to ws2_32.WSACleanup)
                  Ordinal   115 WSAStartup (forwarded to ws2_32.WSAStartup)
                  Ordinal    12 ioctlsocket (forwarded to ws2_32.ioctlsocket)
                  Ordinal     2 bind (forwarded to ws2_32.bind)
                  Ordinal     5 getpeername (forwarded to ws2_32.getpeername)
                  Ordinal     9 htons (forwarded to ws2_32.htons)
                  Ordinal     1 accept (forwarded to ws2_32.accept)
                  Ordinal     6 getsockname (forwarded to ws2_32.getsockname)
                  Ordinal    21 setsockopt
                  Ordinal    23 socket (forwarded to ws2_32.socket)
                  Ordinal   111 WSAGetLastError (forwarded to ws2_32.WSAGetLastError)
                  Ordinal     3 closesocket (forwarded to ws2_32.closesocket)
                  Ordinal    18 select (forwarded to ws2_32.select)


Does anyone know how many connections are made to the server?  I believe it just has one socket clientside and serverside per connection.

Any discussion would be great, hopefully I don't get flamed too much for being new.  ::)
#10
Although it was mentioned in a post up above, there have been some additional "fixes" that this dll makes ( to fix the latest exploits ).


Call WriteProcessMemory( -1, Game.6F5A5403, ix86Blue.082D2044, 0x0D, NULL );
// Writing     : 85 C0 0F 84 1F 01 00 00 8B 48 50 EB 22
// TEST EAX,EAX
// JE Game.6F5A552A
// MOV ECX,DWORD PTR DS:[EAX+50]
// JMP SHORT Game.6F5A5432

// Previously : 90 90 90 90 90 90 90 90 90 90 90 90 90

----

Call WriteProcessMemory( -1, Game.6F5A542F, ix86Blue.082D2040, 0x02, NULL );
// Writing     : EB D2
// JMP SHORT Game.6F5A5403

// Previously : 8B 48
// MOV ECX,DWORD PTR DS:[EAX+50]

----

Call WriteProcessMemory( -1, Game.6F704C00, ix86Blue.082D2018, 0x26, NULL );
// Writing     : E8 DB FE AE FF 8B D8 85 C0 74 16 8B 08 FF 51 1C 91 BA 75 33 77 2B E8 75 C9 97 FF 85 C0 75 02 33 DB E9 F3 91 DA FF
// CALL Game.6F1F4AE0
// MOV EBX,EAX
// TEST EAX,EAX
// JE SHORT Game.6F704C21
// MOV ECX,DWORD PTR DS:[EAX]
// CALL DWORD PTR DS:[ECX+1C]
// XCHG EAX,ECX
// MOV EDX,2B773375
// CALL Game.6F081590
// TEST EAX,EAX
// JNZ SHORT Game.6F704C21
// XOR EBX,EBX
// JMP Game.6F4ADE19

// Previously : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

----

Call WriteProcessMemory( -1, Game.6F4ADE12, ix86Blue.082D2010, 0x05, NULL );
// Writing     : E9 E9 6D 25 00
// JMP Game.6F704C00

// Previously : E8 C9 6C D4 FF
// Call Game.6F1F4AE0
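The two things the log above exhibits, as an added example that is neither the poster's nor ix86Blue's code: how the 5-byte E8/E9 displacement is computed (target minus the address of the following instruction, which is where the "E9 E9 6D 25 00" and "E8 C9 6C D4 FF" bytes come from), and the check a patcher should do before writing, namely that the bytes currently at the address equal the expected "Previously" bytes, so it refuses to write into a different game build or to patch twice. The addresses and bytes are the ones in the last log entry; the code page is a local array standing in for Game.dll, where a real patcher would write with VirtualProtect + memcpy in-process or WriteProcessMemory at those same addresses.

```c
/* Added example, not the poster's or ix86Blue's code: rel32 encoding and a
 * verify-before-write code patch, using the addresses from the log above. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Displacement for E8/E9: target minus the address of the next instruction.
 * Unsigned wraparound yields the two's-complement value for backward targets. */
uint32_t rel32_of(uint32_t at, uint32_t target) { return target - (at + 5); }

void encode_rel32(uint8_t opcode, uint32_t at, uint32_t target, uint8_t out[5])
{
    uint32_t rel = rel32_of(at, target);
    out[0] = opcode;
    for (int i = 0; i < 4; i++) out[1 + i] = (uint8_t)(rel >> (8 * i));   /* little-endian */
}

typedef struct { uint32_t base; uint8_t *mem; size_t size; } Region;  /* mem[0] lives at virtual address base */

/* 1 = patched, 0 = bytes did not match 'expect' (other build, or already patched), -1 = out of range */
int apply_patch(Region *r, uint32_t addr, const uint8_t *expect, const uint8_t *patch, size_t len)
{
    if (addr < r->base) return -1;
    uint32_t off = addr - r->base;
    if (off > r->size || len > r->size - off) return -1;
    uint8_t *p = r->mem + off;
    if (memcmp(p, expect, len) != 0) return 0;
    memcpy(p, patch, len);
    return 1;
}

/* Reproduce the last log entry: CALL Game.6F1F4AE0 at Game.6F4ADE12 becomes JMP Game.6F704C00. */
int demo_redirect(void)
{
    static uint8_t page[0x40];                              /* stands in for the game's code page */
    Region r = { 0x6F4ADE00u, page, sizeof page };
    uint8_t orig[5], jmp[5];
    encode_rel32(0xE8, 0x6F4ADE12u, 0x6F1F4AE0u, orig);   /* E8 C9 6C D4 FF, the log's "Previously" */
    encode_rel32(0xE9, 0x6F4ADE12u, 0x6F704C00u, jmp);    /* E9 E9 6D 25 00, the log's "Writing" */
    memcpy(page + 0x12, orig, 5);                         /* stage the unpatched game bytes */

    int first = apply_patch(&r, 0x6F4ADE12u, orig, jmp, 5);   /* 1: expected bytes present */
    int again = apply_patch(&r, 0x6F4ADE12u, orig, jmp, 5);   /* 0: already patched, refuse */
    return first * 10 + again;                            /* 10 on the expected path */
}

int main(void) { printf("redirect result %d\n", demo_redirect()); return 0; }
```

The same displacement rule accounts for the CALL at the start of the third block: E8 DB FE AE FF at Game.6F704C00 reaches Game.6F1F4AE0 because 0x6F1F4AE0 - 0x6F704C05 wraps to 0xFFAEFEDB. When a hook trampoline is relocated, every rel32 inside it has to be recomputed for its new address, which is what the helper above does.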