Code Snippets and Tutorials
The place for open source releases, great information, and tutorials written by other members.
#1
The Sexy Penguin
Senior Member
Retired Staff Member, Prophet
OK, I posted this all in GS, but dt asked me why not post it for the public, so here it is. Enjoy hacking!
BTW, please give me credit if you use this.
Code:
004DF090 55              PUSH EBP
004DF091 8BEC            MOV EBP,ESP
004DF093 81EC 1C020000   SUB ESP,21C
004DF099 53              PUSH EBX
004DF09A 33DB            XOR EBX,EBX
004DF09C 56              PUSH ESI
004DF09D 57              PUSH EDI
004DF09E 885D F4         MOV BYTE PTR SS:[EBP-C],BL                 ; identifier authority bytes {0,0,0,0,0,1}
004DF0A1 885D F5         MOV BYTE PTR SS:[EBP-B],BL                 ; = SECURITY_WORLD_SID_AUTHORITY
004DF0A4 885D F6         MOV BYTE PTR SS:[EBP-A],BL
004DF0A7 885D F7         MOV BYTE PTR SS:[EBP-9],BL
004DF0AA 885D F8         MOV BYTE PTR SS:[EBP-8],BL
004DF0AD C645 F9 01      MOV BYTE PTR SS:[EBP-7],1
004DF0B1 FF15 38D24F00   CALL DWORD PTR DS:[<&KERNEL32.GetCurrent>  ; [GetCurrentProcess
004DF0B7 8BF0            MOV ESI,EAX
004DF0B9 8D45 EC         LEA EAX,DWORD PTR SS:[EBP-14]
004DF0BC 50              PUSH EAX                                   ; pSid (out)
004DF0BD 53              PUSH EBX                                   ; sub-authorities 1..7 = 0
004DF0BE 53              PUSH EBX
004DF0BF 53              PUSH EBX
004DF0C0 53              PUSH EBX
004DF0C1 53              PUSH EBX
004DF0C2 53              PUSH EBX
004DF0C3 53              PUSH EBX
004DF0C4 53              PUSH EBX                                   ; sub-authority 0 = SECURITY_WORLD_RID
004DF0C5 6A 01           PUSH 1                                     ; nSubAuthorityCount = 1: the Everyone SID
004DF0C7 8D4D F4         LEA ECX,DWORD PTR SS:[EBP-C]
004DF0CA 51              PUSH ECX                                   ; pIdentifierAuthority
004DF0CB 8975 E4         MOV DWORD PTR SS:[EBP-1C],ESI
004DF0CE 895D EC         MOV DWORD PTR SS:[EBP-14],EBX
004DF0D1 895D FC         MOV DWORD PTR SS:[EBP-4],EBX
004DF0D4 895D E8         MOV DWORD PTR SS:[EBP-18],EBX
004DF0D7 895D F0         MOV DWORD PTR SS:[EBP-10],EBX
004DF0DA FF15 14D04F00   CALL DWORD PTR DS:[<&ADVAPI32.AllocateAn>  ; ADVAPI32.AllocateAndInitializeSid
004DF0E0 85C0            TEST EAX,EAX
004DF0E2 0F84 EF000000   JE starcraf.004DF1D7
004DF0E8 8D55 FC         LEA EDX,DWORD PTR SS:[EBP-4]
004DF0EB 52              PUSH EDX                                   ; /phToken
004DF0EC 6A 08           PUSH 8                                     ; |DesiredAccess = TOKEN_QUERY
004DF0EE 56              PUSH ESI                                   ; |hProcess
004DF0EF FF15 24D04F00   CALL DWORD PTR DS:[<&ADVAPI32.OpenProces>  ; \OpenProcessToken
004DF0F5 85C0            TEST EAX,EAX
004DF0F7 0F84 DA000000   JE starcraf.004DF1D7
004DF0FD 8B4D FC         MOV ECX,DWORD PTR SS:[EBP-4]
004DF100 8D45 E8         LEA EAX,DWORD PTR SS:[EBP-18]
004DF103 50              PUSH EAX                                   ; /pRetLen
004DF104 53              PUSH EBX                                   ; |BufSize
004DF105 53              PUSH EBX                                   ; |Buffer
004DF106 6A 01           PUSH 1                                     ; |InfoClass = TokenUser
004DF108 51              PUSH ECX                                   ; |hToken
004DF109 FF15 20D04F00   CALL DWORD PTR DS:[<&ADVAPI32.GetTokenIn>  ; \GetTokenInformation (size query)
004DF10F 8B75 E8         MOV ESI,DWORD PTR SS:[EBP-18]
004DF112 81FE 00040000   CMP ESI,400                                ; refuse a TOKEN_USER larger than 0x400
004DF118 0F87 B9000000   JA starcraf.004DF1D7
004DF11E 8BC6            MOV EAX,ESI
004DF120 83C0 03         ADD EAX,3
004DF123 83E0 FC         AND EAX,FFFFFFFC                           ; round up to a DWORD
004DF126 E8 556DF2FF     CALL starcraf.00405E80                     ; stack allocation helper, size in EAX
004DF12B 8B45 FC         MOV EAX,DWORD PTR SS:[EBP-4]
004DF12E 8BFC            MOV EDI,ESP                                ; EDI = TOKEN_USER buffer
004DF130 8D55 E8         LEA EDX,DWORD PTR SS:[EBP-18]
004DF133 52              PUSH EDX                                   ; /pRetLen
004DF134 56              PUSH ESI                                   ; |BufSize
004DF135 57              PUSH EDI                                   ; |Buffer
004DF136 6A 01           PUSH 1                                     ; |InfoClass = TokenUser
004DF138 50              PUSH EAX                                   ; |hToken
004DF139 FF15 20D04F00   CALL DWORD PTR DS:[<&ADVAPI32.GetTokenIn>  ; \GetTokenInformation
004DF13F 85C0            TEST EAX,EAX
004DF141 0F84 90000000   JE starcraf.004DF1D7
004DF147 6A 02           PUSH 2                                     ; ACL_REVISION
004DF149 68 00020000     PUSH 200                                   ; AclLength = 0x200
004DF14E 8D8D E4FDFFFF   LEA ECX,DWORD PTR SS:[EBP-21C]
004DF154 51              PUSH ECX                                   ; pAcl
004DF155 FF15 18D04F00   CALL DWORD PTR DS:[<&ADVAPI32.Initialize>  ; ADVAPI32.InitializeAcl
004DF15B 85C0            TEST EAX,EAX
004DF15D 74 78           JE SHORT starcraf.004DF1D7
004DF15F 8B55 EC         MOV EDX,DWORD PTR SS:[EBP-14]
004DF162 52              PUSH EDX                                   ; pSid = Everyone
004DF163 68 FA000000     PUSH 0FA                                   ; AccessMask denied to Everyone
004DF168 6A 02           PUSH 2                                     ; ACL_REVISION
004DF16A 8D85 E4FDFFFF   LEA EAX,DWORD PTR SS:[EBP-21C]
004DF170 50              PUSH EAX                                   ; pAcl
004DF171 FF15 1CD04F00   CALL DWORD PTR DS:[<&ADVAPI32.AddAccessD>  ; ADVAPI32.AddAccessDeniedAce
004DF177 85C0            TEST EAX,EAX
004DF179 74 5C           JE SHORT starcraf.004DF1D7
004DF17B 8B0F            MOV ECX,DWORD PTR DS:[EDI]                 ; TOKEN_USER.User.Sid
004DF17D 51              PUSH ECX                                   ; pSid = the game's own user
004DF17E 68 01071000     PUSH 100701                                ; AccessMask allowed to that user
004DF183 6A 02           PUSH 2                                     ; ACL_REVISION
004DF185 8D95 E4FDFFFF   LEA EDX,DWORD PTR SS:[EBP-21C]
004DF18B 52              PUSH EDX                                   ; pAcl
004DF18C FF15 10D04F00   CALL DWORD PTR DS:[<&ADVAPI32.AddAccessA>  ; ADVAPI32.AddAccessAllowedAce
004DF192 85C0            TEST EAX,EAX
004DF194 74 41           JE SHORT starcraf.004DF1D7
004DF196 68 44E84F00     PUSH starcraf.004FE844                     ; /pModule = "advapi32.dll"
004DF19B FF15 40D24F00   CALL DWORD PTR DS:[<&KERNEL32.GetModuleH>  ; \GetModuleHandleA
004DF1A1 3BC3            CMP EAX,EBX
004DF1A3 74 32           JE SHORT starcraf.004DF1D7
004DF1A5 68 34E84F00     PUSH starcraf.004FE834                     ; /ProcNameOrOrdinal = "SetSecurityInfo"
004DF1AA 50              PUSH EAX                                   ; |hModule
004DF1AB FF15 44D24F00   CALL DWORD PTR DS:[<&KERNEL32.GetProcAdd>  ; \GetProcAddress
004DF1B1 3BC3            CMP EAX,EBX
004DF1B3 74 22           JE SHORT starcraf.004DF1D7
004DF1B5 8B55 E4         MOV EDX,DWORD PTR SS:[EBP-1C]
004DF1B8 53              PUSH EBX                                   ; pSacl = NULL
004DF1B9 8D8D E4FDFFFF   LEA ECX,DWORD PTR SS:[EBP-21C]
004DF1BF 51              PUSH ECX                                   ; pDacl
004DF1C0 53              PUSH EBX                                   ; psidGroup = NULL
004DF1C1 53              PUSH EBX                                   ; psidOwner = NULL
004DF1C2 68 04000080     PUSH 80000004                              ; DACL_SECURITY_INFORMATION|PROTECTED_DACL_SECURITY_INFORMATION
004DF1C7 6A 06           PUSH 6                                     ; SE_KERNEL_OBJECT
004DF1C9 52              PUSH EDX                                   ; hProcess
004DF1CA FFD0            CALL EAX                                   ; SetSecurityInfo
004DF1CC 85C0            TEST EAX,EAX                               ; ERROR_SUCCESS = 0
004DF1CE 75 07           JNZ SHORT starcraf.004DF1D7
004DF1D0 C745 F0 010000> MOV DWORD PTR SS:[EBP-10],1                ; success flag
004DF1D7 8B45 FC         MOV EAX,DWORD PTR SS:[EBP-4]
004DF1DA 3BC3            CMP EAX,EBX
004DF1DC 74 07           JE SHORT starcraf.004DF1E5
004DF1DE 50              PUSH EAX                                   ; /hObject
004DF1DF FF15 18D14F00   CALL DWORD PTR DS:[<&KERNEL32.CloseHandl>  ; \CloseHandle
004DF1E5 8B45 EC         MOV EAX,DWORD PTR SS:[EBP-14]
004DF1E8 3BC3            CMP EAX,EBX
004DF1EA 74 07           JE SHORT starcraf.004DF1F3
004DF1EC 50              PUSH EAX                                   ; /pSID
004DF1ED FF15 0CD04F00   CALL DWORD PTR DS:[<&ADVAPI32.FreeSid>]    ; \FreeSid
004DF1F3 8B45 F0         MOV EAX,DWORD PTR SS:[EBP-10]              ; return the success flag
004DF1F6 8DA5 D8FDFFFF   LEA ESP,DWORD PTR SS:[EBP-228]
004DF1FC 5F              POP EDI
004DF1FD 5E              POP ESI
004DF1FE 5B              POP EBX
004DF1FF 8BE5            MOV ESP,EBP
004DF201 5D              POP EBP
004DF202 C3              RETN
Code:
004DF0EB 52              PUSH EDX                                   ; /phToken
004DF0EC 6A 08           PUSH 8                                     ; |DesiredAccess = TOKEN_QUERY
004DF0EE 56              PUSH ESI                                   ; |hProcess
004DF0EF FF15 24D04F00   CALL DWORD PTR DS:[<&ADVAPI32.OpenProces>  ; \OpenProcessToken
Code:
Const TOKEN_QUERY As Long = &H8
Const SE_PRIVILEGE_ENABLED As Long = &H2   ' as a token access right, &H2 is TOKEN_DUPLICATE; it does not include TOKEN_QUERY
Code:
004DF0EC 6A 08           PUSH 8                                     ; |DesiredAccess = TOKEN_QUERY
Code:
004DF0EC 6A 02           PUSH 2                                     ; patched: the byte at 004DF0ED goes from 08 to 02
__________________
Quote: LCS, 707, BELPHEGOR YEEEEEEEH BITCH
Last edited by LCSBSSRHXXX : 08-07-2006 at 04:48 AM.
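What the routine at 004DF090 does, written out in C as an added example. This is a reconstruction read off the listing above, not Blizzard's source and not the poster's code. The Windows-only part under _WIN32 repeats the call sequence: build the Everyone SID from the identifier authority bytes {0,0,0,0,0,1}, open the process token with TOKEN_QUERY (the PUSH 8 the patch changes), fetch the TokenUser SID, build an ACL with a deny ACE of 0xFA for Everyone and an allow ACE of 0x100701 for the game's own user, and apply it to the process object with SetSecurityInfo. The portable part names the bits in both masks and models the access check that results. The buffer sizes (0x400 for the TOKEN_USER, 0x200 for the ACL) are taken from the listing; the function names decode_process_mask, describe_mask, dacl_would_allow and sc_protect_self are my own.

```c
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#include <aclapi.h>
#else
/* Right values as defined in winnt.h, so the decoder and model build off Windows too. */
#define PROCESS_TERMINATE         0x0001
#define PROCESS_CREATE_THREAD     0x0002
#define PROCESS_VM_OPERATION      0x0008
#define PROCESS_VM_READ           0x0010
#define PROCESS_VM_WRITE          0x0020
#define PROCESS_DUP_HANDLE        0x0040
#define PROCESS_CREATE_PROCESS    0x0080
#define PROCESS_SET_QUOTA         0x0100
#define PROCESS_SET_INFORMATION   0x0200
#define PROCESS_QUERY_INFORMATION 0x0400
#define SYNCHRONIZE               0x00100000
#endif
/* The two masks pushed in the listing: PUSH 0FA (deny ACE, Everyone) and
 * PUSH 100701 (allow ACE, the SID returned by TokenUser). */
#define SC_DENIED_MASK  0x000000FAu
#define SC_ALLOWED_MASK 0x00100701u

static const struct { unsigned bit; const char *name; } kRights[] = {
    {PROCESS_TERMINATE, "PROCESS_TERMINATE"}, {PROCESS_CREATE_THREAD, "PROCESS_CREATE_THREAD"},
    {PROCESS_VM_OPERATION, "PROCESS_VM_OPERATION"}, {PROCESS_VM_READ, "PROCESS_VM_READ"},
    {PROCESS_VM_WRITE, "PROCESS_VM_WRITE"}, {PROCESS_DUP_HANDLE, "PROCESS_DUP_HANDLE"},
    {PROCESS_CREATE_PROCESS, "PROCESS_CREATE_PROCESS"}, {PROCESS_SET_QUOTA, "PROCESS_SET_QUOTA"},
    {PROCESS_SET_INFORMATION, "PROCESS_SET_INFORMATION"},
    {PROCESS_QUERY_INFORMATION, "PROCESS_QUERY_INFORMATION"}, {SYNCHRONIZE, "SYNCHRONIZE"},
};

/* Writes the named bits of a process access mask as "A|B|C" into out; returns how
 * many bits were named, or -1 if the mask carries a bit the table does not know. */
int decode_process_mask(unsigned mask, char *out, size_t outlen)
{
    int n = 0; size_t i;
    out[0] = '\0';
    for (i = 0; i < sizeof kRights / sizeof kRights[0]; i++) {
        if (!(mask & kRights[i].bit)) continue;
        if (n++) strncat(out, "|", outlen - strlen(out) - 1);
        strncat(out, kRights[i].name, outlen - strlen(out) - 1);
        mask &= ~kRights[i].bit;
    }
    return mask ? -1 : n;
}

/* Same, over a static buffer, for printing and testing. */
const char *describe_mask(unsigned mask)
{
    static char buf[256];
    decode_process_mask(mask, buf, sizeof buf);
    return buf;
}

/* Models how the installed DACL answers OpenProcess(desired): the deny ACE comes first
 * and names Everyone, so any requested bit in it fails the call outright; the rest must
 * be covered by the allow ACE, which matches only the game's own user SID. A caller with
 * SeDebugPrivilege enabled is granted access by the kernel regardless of the DACL. */
int dacl_would_allow(unsigned desired, int is_process_user)
{
    if (desired & SC_DENIED_MASK) return 0;
    if (!is_process_user) return 0;
    return (desired & ~SC_ALLOWED_MASK) == 0;
}

#ifdef _WIN32
/* The listing's call sequence, in order. It rejects a TokenUser length above 0x400 and
 * passes 0x200 to InitializeAcl, so fixed buffers of those sizes are used here. */
BOOL sc_protect_self(void)
{
    SID_IDENTIFIER_AUTHORITY world = SECURITY_WORLD_SID_AUTHORITY;  /* {0,0,0,0,0,1} */
    PSID everyone = NULL;
    HANDLE hProc = GetCurrentProcess(), hToken = NULL;
    DWORD tokenBuf[0x100], aclBuf[0x80], needed = 0;
    PTOKEN_USER user = (PTOKEN_USER)tokenBuf;
    PACL acl = (PACL)aclBuf;
    BOOL ok = FALSE;
    if (!AllocateAndInitializeSid(&world, 1, SECURITY_WORLD_RID, 0, 0, 0, 0, 0, 0, 0, &everyone)) return FALSE;
    if (!OpenProcessToken(hProc, TOKEN_QUERY, &hToken)) goto done;          /* the PUSH 8 */
    if (!GetTokenInformation(hToken, TokenUser, tokenBuf, sizeof tokenBuf, &needed)) goto done;
    if (!InitializeAcl(acl, sizeof aclBuf, ACL_REVISION)) goto done;
    if (!AddAccessDeniedAce(acl, ACL_REVISION, SC_DENIED_MASK, everyone)) goto done;
    if (!AddAccessAllowedAce(acl, ACL_REVISION, SC_ALLOWED_MASK, user->User.Sid)) goto done;
    /* 0x80000004 in the listing; 6 is SE_KERNEL_OBJECT. */
    ok = SetSecurityInfo(hProc, SE_KERNEL_OBJECT,
                         DACL_SECURITY_INFORMATION | PROTECTED_DACL_SECURITY_INFORMATION,
                         NULL, NULL, acl, NULL) == ERROR_SUCCESS;
done:
    if (hToken) CloseHandle(hToken);
    if (everyone) FreeSid(everyone);
    return ok;
}
#endif

int main(void)
{
    printf("denied to Everyone : %s\n", describe_mask(SC_DENIED_MASK));
    printf("allowed to own user: %s\n", describe_mask(SC_ALLOWED_MASK));
    return 0;
}
```

Because the deny ACE is evaluated first and applies to Everyone, an OpenProcess request containing any of PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_VM_OPERATION or PROCESS_CREATE_THREAD fails even for the game's own user, which is what keeps ordinary RPM/WPM tools out. With the access right at 004DF0EC changed away from TOKEN_QUERY, either OpenProcessToken or GetTokenInformation fails, the JE to 004DF1D7 skips SetSecurityInfo, and the function returns 0 with no DACL applied. The protection says nothing to a caller holding SeDebugPrivilege, who is granted access regardless of the DACL.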
#2
Weiße Kraft
Senior Member
Messiah
W00t 1337. How can such a nub find this? :P
__________________
I AM HOWARD. I MAKE YOUTUBE VIDEOS.
Here is wisdom. Let him that hath understanding count the number of the beast: for it is the number of a man; and his number is Six hundred threescore and six.
#4
The Sexy Penguin
Senior Member
Retired Staff Member, Prophet
Sexy, I hope everyone enjoys this!
#6
Deviant
Join Date: Feb 2005
Posts: 121
Okay, we all know what a nub I am with game hacking, so basically,
WPM 004DF0ED &H2 and GG? But... how do we WPM if we can't get the handle? And could someone PLEASE post a VB6 DLL example for use with an injector. This example should include hotkeys, WPM/RPM, and timers. I'm sure a lot of it is obvious, but why waste a ton of time figuring it all out when some nice person could release an example in like 5 minutes.
__________________
------------E--1--3--3--7------B--O--R--N------H--A--R--D------------
#7
Deviant
Join Date: Mar 2005
Posts: 41
LCSBSSRHXXX, thanks for the patch info. However, if people are going to patch, it might be better to make a DLL patch or another form, not just edit the main StarCraft exe, because then the software Blizzard added will do a hash check.
#8
Loading javascript...
Senior Member
Moderator, Inquisitor
This is for people who plan to make StarCraft loaders. Someone could patch that code on startup in order to get the handle.
NOPing that after the game starts won't do anything at all, btw, and just in case I would write what you NOPed back after it finishes executing that part of the code. Warden might take a look at that rite thurr.
#9
Weiße Kraft
Senior Member
Messiah
Yeah, this would have to be integrated into a loader for it to work, as changing this after the game's loaded wouldn't do anything, since it's already had protection started.
#13
=)
Senior Member
Retired Staff Member, Messiah
Lollerskates, here's a little loader I whipped up that implements this. After this loads StarCraft you can run all your little WPM programs.
Messy SRC Code:
.Data
    ScProcess DD 0
    ScPath    DB 256 Dup (0)
    hInst     DD 0

.Code
; Overwrite the TOKEN_QUERY immediate of the PUSH at 004DF0EC (the byte at 004DF0ED)
; with 02H while the game is still suspended. CTXT(02H) expands to a "db 02H,0" in
; .data and evaluates to its offset, so exactly one byte of 02H is written.
FixProtection Proc Private
    Invoke WriteProcessMemory, ScProcess, 004DF0EDH, CTXT(02H), 1, 0
    Ret
FixProtection EndP

mainProcedure Proc Private hWnd:HWND, uMsg:ULONG, wParam:WPARAM, lParam:LPARAM
    Local STARTINFO:STARTUPINFO
    Local ProcessInfo:PROCESS_INFORMATION
    Local hUpdate:DWord

    .If uMsg == WM_CREATE
    .ElseIf uMsg == WM_COMMAND
        LoWord wParam
        .If Eax == IDC_MAIN_LAUNCH
            Invoke GetDlgItemText, hWnd, IDC_MAIN_PATH, Addr ScPath, 255
            ; LOCALs are not zeroed: clear STARTUPINFO and set cb before CreateProcess reads them
            Invoke RtlZeroMemory, Addr STARTINFO, SizeOf STARTUPINFO
            Mov STARTINFO.cb, SizeOf STARTUPINFO
            Invoke RtlZeroMemory, Addr ProcessInfo, SizeOf PROCESS_INFORMATION
            ; Start the game suspended so the patch lands before the protection routine runs
            Invoke CreateProcess, Addr ScPath, NULL, NULL, NULL, FALSE, \
                   NORMAL_PRIORITY_CLASS + CREATE_SUSPENDED, NULL, NULL, \
                   Addr STARTINFO, Addr ProcessInfo
            Mov Eax, ProcessInfo.hProcess
            .If Eax != 0
                Mov ScProcess, Eax
                Invoke FixProtection
                Invoke ResumeThread, ProcessInfo.hThread
                ;Invoke VirtualAllocEx, ProcessInfo.hProcess, 0
                Invoke ExitProcess, 0
            .EndIf
        .EndIf
    .ElseIf uMsg == WM_CLOSE
        Invoke IsModal, hWnd
        .If Eax
            Invoke EndModal, hWnd, IDCANCEL
            Return TRUE
        .EndIf
    .EndIf
    Return FALSE
mainProcedure EndP
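The loader above hard-codes 004DF0ED, which silently writes the wrong byte on any other build of the executable. As an added example (my code, not the poster's), here is the same loader in C that locates the PUSH 8 by byte signature, with the 4-byte IAT slot of the OpenProcessToken call wildcarded, refuses to patch when the signature is absent or matches more than once, and writes the single byte into the suspended child's memory before ResumeThread. Nothing on disk changes, so the on-disk hash is unaffected. The scan window (one page from 0x4DF000) is an assumption taken from the listing's addresses; the sample bytes are copied from the listing so the signature logic can be checked off Windows, where only that part builds.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Signature for the sequence at 004DF0E8 in the listing; the IAT slot after FF 15 is
 * wildcarded (mask 0) because it differs between builds:
 *   8D 55 FC            LEA EDX,[EBP-4]
 *   52                  PUSH EDX
 *   6A 08               PUSH 8              ; TOKEN_QUERY, the byte the patch changes
 *   56                  PUSH ESI
 *   FF 15 ?? ?? ?? ??   CALL [OpenProcessToken] */
static const uint8_t kPattern[] = {0x8D,0x55,0xFC,0x52,0x6A,0x08,0x56,0xFF,0x15,0,0,0,0};
static const uint8_t kMask[]    = {1,1,1,1,1,1,1,1,1,0,0,0,0};
#define PATCH_OFFSET_IN_PATTERN 5      /* index of the 0x08 immediate */
#define PATCH_VALUE             0x02   /* value posted in the thread */

/* Constructed sample: bytes 004DF0E0..004DF0FC copied from the listing. */
#define SAMPLE_BASE 0x004DF0E0ul
static const uint8_t kSample[] = {
    0x85,0xC0, 0x0F,0x84,0xEF,0x00,0x00,0x00,   /* TEST EAX,EAX / JE 004DF1D7 */
    0x8D,0x55,0xFC, 0x52, 0x6A,0x08, 0x56,      /* LEA / PUSH EDX / PUSH 8 / PUSH ESI */
    0xFF,0x15,0x24,0xD0,0x4F,0x00,              /* CALL [OpenProcessToken] */
    0x85,0xC0, 0x0F,0x84,0xDA,0x00,0x00,0x00,   /* TEST EAX,EAX / JE 004DF1D7 */
};

/* Offset in buf of the byte to patch, or -1 when the signature is absent or not unique. */
long find_patch_offset(const uint8_t *buf, size_t len)
{
    long found = -1;
    size_t i, j;
    for (i = 0; i + sizeof kPattern <= len; i++) {
        for (j = 0; j < sizeof kPattern; j++)
            if (kMask[j] && buf[i + j] != kPattern[j]) break;
        if (j == sizeof kPattern) {
            if (found >= 0) return -1;               /* second hit: refuse to guess */
            found = (long)(i + PATCH_OFFSET_IN_PATTERN);
        }
    }
    return found;
}

/* Patches a buffer in place; returns 1 on success. */
int patch_buffer(uint8_t *buf, size_t len)
{
    long off = find_patch_offset(buf, len);
    if (off < 0) return 0;
    buf[off] = PATCH_VALUE;
    return 1;
}

/* Virtual address the loader would write for the sample (0 if not found). */
unsigned long sample_patch_address(void)
{
    long off = find_patch_offset(kSample, sizeof kSample);
    return off < 0 ? 0 : SAMPLE_BASE + (unsigned long)off;
}

/* After patching, the byte is 02 and a re-scan finds nothing, so a second run of the
 * loader on an already patched image cannot write anywhere. Returns 1 when both hold. */
int sample_patch_roundtrip(void)
{
    uint8_t copy[sizeof kSample];
    memcpy(copy, kSample, sizeof copy);
    if (!patch_buffer(copy, sizeof copy)) return 0;
    return copy[13] == PATCH_VALUE && find_patch_offset(copy, sizeof copy) == -1;
}

/* Two copies of the signature in one buffer must be reported as ambiguous (-1). */
long ambiguous_sample_offset(void)
{
    uint8_t twice[2 * sizeof kSample];
    memcpy(twice, kSample, sizeof kSample);
    memcpy(twice + sizeof kSample, kSample, sizeof kSample);
    return find_patch_offset(twice, sizeof twice);
}

#ifdef _WIN32
/* Start the game suspended, read one page of its image, locate the byte, write it, resume.
 * The scan base is an assumption from the listing; widen the window for other builds. */
int launch_patched(const char *exePath)
{
    STARTUPINFOA si; PROCESS_INFORMATION pi; uint8_t page[0x1000]; SIZE_T n = 0;
    const uintptr_t scanBase = 0x004DF000u;
    int ok = 0;
    ZeroMemory(&si, sizeof si); si.cb = sizeof si; ZeroMemory(&pi, sizeof pi);
    if (!CreateProcessA(exePath, NULL, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &si, &pi))
        return 0;
    if (ReadProcessMemory(pi.hProcess, (LPCVOID)scanBase, page, sizeof page, &n) && n == sizeof page) {
        long off = find_patch_offset(page, n);
        uint8_t v = PATCH_VALUE;
        if (off >= 0 && WriteProcessMemory(pi.hProcess, (LPVOID)(scanBase + off), &v, 1, &n) && n == 1)
            ok = 1;
    }
    if (ok) ResumeThread(pi.hThread); else TerminateProcess(pi.hProcess, 1);
    CloseHandle(pi.hThread); CloseHandle(pi.hProcess);
    return ok;
}
int main(int argc, char **argv)
{
    if (argc < 2) { fprintf(stderr, "usage: %s <path to StarCraft.exe>\n", argv[0]); return 2; }
    return launch_patched(argv[1]) ? 0 : 1;
}
#else
int main(void)
{
    printf("sample patch address %08lX, roundtrip %s\n", sample_patch_address(),
           sample_patch_roundtrip() ? "ok" : "failed");
    return 0;
}
#endif
```

Build with MSVC or MinGW and pass the path to the game executable; the child is terminated rather than resumed if the signature is not found exactly once, so a mismatched build never runs half-patched. The signature is deliberately short: it only needs to be unique within the scanned window, and the listing's own bytes are the test input.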