BNLS

Started by Denial, February 26, 2007, 11:21 PM


brew

Quote from: [RealityRipple] on March 05, 2007, 05:07 PM
They've changed the DLLs easily before, they can do it again just as easily. What we need is not temporary fixes, but a reliable way to mimic the client, and update as it updates. I believe Blake and UL were discussing an idea I've also had, which is to make a memory save (store the memory values in some format or other) of the client for each new update, download and run the CheckRevision DLLs so that they perform the functions on the saved memory instead of real memory, and get the result that way. It's a bit complicated, but once you get a system done to save the memory well, and develop a DLL or something of the sort to run CheckRevision this way, we shouldn't have problems with future changes.

What if the added DLL changes a part of StarCraft's memory which is taken into account during hashing? Theoretically all they need to do is change the filetime, and gfg, gone. You have to make a new memory dump.
<3 Zorm
Quote: [01:08:05 AM] <@Zorm> haha, me get pussy? don't kid yourself quik
I know that you are, but what am I? :P

Barabajagal

If they change the file time, you change the file time. Besides, Lockdown supposedly only reads memory values from the locations of the three main hash files and the DirectX buffer.

brew

Quote from: [RealityRipple] on March 05, 2007, 06:30 PM
If they change the file time, you change the file time. Besides, Lockdown supposedly only reads memory values from the locations of the three main hash files and the DirectX buffer.

Where did you get that information from? I heard that it reads memory values from all over (a byte here, a byte there, etc.) from WarZ, who has solved lockdown twice.

UserLoser

Quote from: [RealityRipple] on March 05, 2007, 06:30 PM
If they change the file time, you change the file time. Besides, Lockdown supposedly only reads memory values from the locations of the three main hash files and the DirectX buffer.

Wrong.

Mystical

Quote from: brew on March 05, 2007, 06:51 PM
Quote from: [RealityRipple] on March 05, 2007, 06:30 PM
If they change the file time, you change the file time. Besides, Lockdown supposedly only reads memory values from the locations of the three main hash files and the DirectX buffer.

Where did you get that information from? I heard that it reads memory values from all over (a byte here, a byte there, etc.) from WarZ, who has solved lockdown twice.

Warz hasn't solved lockdown; his work is incomplete.

Dale

He gave up on his work with lockdown due to lack of interest and no sense in continuing.

Barabajagal

I'm just relaying information. I said supposedly. I don't have any clue how it really works; my guess was a broken SHA hash of certain sections of memory.

Side Note: I've re-released my DRTL and W2BN No-CD cracks that now work with lockdown. You can find them at http://realityripple.com/software/other . My attempts at making one for SC are temporarily on hold as I figure out how the hell to set memory permissions so I can actually edit SC's memory.

UL: Is my previous post (before the memory reading locations post) correct-ish?

brew

Quote from: Crafty Craft Mc Pot on March 05, 2007, 08:27 PM
Quote from: brew on March 05, 2007, 06:51 PM
Quote from: [RealityRipple] on March 05, 2007, 06:30 PM
If they change the file time, you change the file time. Besides, Lockdown supposedly only reads memory values from the locations of the three main hash files and the DirectX buffer.

Where did you get that information from? I heard that it reads memory values from all over (a byte here, a byte there, etc.) from WarZ, who has solved lockdown twice.

Warz hasn't solved lockdown; his work is incomplete.

He did solve it once, then his computer broke or something, I forget the story, but he ended up losing the work he did, then attempted to solve it again and lost interest.

Mystical

It's not hard to remember how you did something; he didn't get to that part, he didn't solve it. Otherwise he'd know by mind exactly what needs to be done, then work with code later. =P

warz

Well, you're all wrong, sort of. The person closest to being correct is RealityRipple, in the sense that lockdown does hash data, selectively, ranging from the beginning to the end of the three main game files. Brew is also sort of correct, in the idea that it does skip data sections, sometimes by a single byte, sometimes by an array of bytes, all the way to 1024 bytes (probably even larger gaps). Apparently brew thinks my computer broke? Nah. My computer is fine. I even still have access to all of my code, if I wanted it, but then again, so does everyone else. Crafty Mc Pot, you're right, the work I posted is incomplete, if you're talking about the conversion to C++. I posted a complete example of how to download, extract and call their checkrevision function out of a specific dll, and return a proper result. Although this method is not very practical, it seems people have overlooked it while they look for a practical dll, ready for use. Crafty, you're also right about being able to remember things. I remember exactly how I did it, and could probably get back to where I was quick, hopefully even quicker. This is all by mind, mind you. I don't know what you mean by "getting to that part," or solving any certain part? It's probably better to look at this as a whole. Either you understand the new checkrevision, or you don't. For one, I understand it, which may be one reason why I feel that coding up a replacement isn't worth it, to me, considering I don't use bnet anymore. Like I've said a thousand times, I'd gladly help anyone that has questions, though. Hope this clears some things up.

Joe[x86]

Quote from: Kyro on March 04, 2007, 08:03 PM
Now the only move Blizzard needs to make is to add another timer packet that would be sent every, say, 5 minutes to the game client requesting that it run a hash of game memory, and it would disconnect the client after two minutes of lack of response; if the client failed to send a valid hash of game memory and got disconnected three times in a row, an IP ban would occur.

This would drastically reduce the amount and efficiency of the hacks out there.

Nah. The hack can also hijack the sub that hashes the memory and hash a "known good" piece of memory, perhaps from a file. That way anyone who knows what they're doing can use a hack, and no idiots can. Let the people rejoice, let the earth be glad, let the people of God sing his praise all over the land...
Quote from: brew on April 25, 2007, 07:33 PM
That made me feel like a total idiot. This entire thing was useless.

warz

Quote from: Joe[x86]
Nah. The hack can also hijack the sub that hashes the memory and hash a "known good" piece of memory, perhaps from a file. That way anyone who knows what they're doing can use a hack, and no idiots can. Let the people rejoice, let the earth be glad, let the people of God sing his praise all over the land...

This would have to be done after logging in, of course, seeing as this is the type of thing the new checkrevision is aimed at stopping. :P

Joe[x86]

The hack could be applied before load and cause the call to LoadLibrary for the CheckRevision DLL to return the handle of your local hashing DLL. From there, if you have the same function declaration as the DLL itself, you're good to go and can spoof a non-hacked login.

Kludges, but they work.

brew

Quote from: Joe[x86]
The hack could be applied before load and cause the call to LoadLibrary for the CheckRevision DLL to return the handle of your local hashing DLL. From there, if you have the same function declaration as the DLL itself, you're good to go and can spoof a non-hacked login.

Kludges, but they work.
-.^? I don't really get what you mean... and if it's that easy, why isn't there a solution for lockdown yet? Are you holding out on us?!

warz

Quote from: Joe[x86]
The hack could be applied before load and cause the call to LoadLibrary for the CheckRevision DLL to return the handle of your local hashing DLL. From there, if you have the same function declaration as the DLL itself, you're good to go and can spoof a non-hacked login.

Kludges, but they work.

Well, this obviously assumes you've successfully created your own implementation of what checkrevision does.
