BWHacks > Development > Reverse Engineering > Code Snippets and Tutorials

Code Snippets and Tutorials: the place for open source releases, great information, and tutorials written by other members.
07-25-2008, 01:40 AM   #21
Dyndrilliac
Enlightened

So it is, I stand corrected.

09-15-2008, 06:15 PM   #22
kolkoo
Mortal

As I discovered today, this is not real game state checking. The real game state checking in Warcraft is stored in a class or structure that is obtained through TLS. It can tell you things like 0 - nowhere, 1 - in game lobby waiting for players, 3 - loading screen, 4 - in game; these are the values I've encountered so far, there may be more :P

09-19-2008, 01:28 AM   #23
Shimano
Advocate

So can you explain more about it?

09-19-2008, 02:33 PM   #24
kolkoo
Mortal

Yes, yes I can. Basically, Warcraft III's game processing threads use a pointer in their TLS (Thread Local Storage) records at index 0x1F. Of course this pointer is 0 for your thread, because TLS records are unique for each thread, and this is why when you call a W3 function, even with perfect parameters and stack, it may crash: it won't find the needed pointer when it tries to retrieve it from your thread's TLS records at index 0x1F. There are ways (I won't mention them here, but there are a few) to retrieve another thread's TLS value for a given index. After you've done that you can call any function in W3 you like and also check the current game state, which is stored there.

09-20-2008, 04:48 AM   #25
Shimano
Advocate

That's pretty interesting, never heard of TLS before. Good work.

09-20-2008, 12:31 PM   #26
kolkoo
Mortal

Well, I couldn't figure it out either until I saw this thread -> Problems with Commanding Units, which made me look into it and realise why my function calls were crashing, and when I was trying to find the gamestate change function I saw where it changed the current gamestate. So it's basically Sheppard's credit that I found this in the first place :P

EDIT: Oh, and it seems that TLS was introduced into Warcraft III in patch 1.22.

Last edited by kolkoo : 09-20-2008 at 04:33 PM.

09-24-2008, 02:18 PM   #27
Sheppard
Deviant

Quote:
Originally Posted by kolkoo
Well, I couldn't figure it out either until I saw this thread -> Problems with Commanding Units, which made me look into it and realise why my function calls were crashing, and when I was trying to find the gamestate change function I saw where it changed the current gamestate. So it's basically Sheppard's credit that I found this in the first place :P

EDIT: Oh, and it seems that TLS was introduced into Warcraft III in patch 1.22.

Warcraft 3 always used Thread Local Storage; what makes you think it was introduced into Warcraft with patch 1.22?

/EDIT:

You can access other threads' Thread Local Storage with this code:

Code:
#include <windows.h>
#include <winternl.h>
#include <tlhelp32.h>
#include <stdio.h>

// ThreadBasicInformation (class 0) is not in the public headers, so its
// result structure and the NtQueryInformationThread pointer type are declared here.
#define THREAD_BASIC_INFORMATION_CLASS 0

typedef struct _THREAD_BASIC_INFORMATION
{
	NTSTATUS  ExitStatus;
	PVOID     TebBaseAddress;
	struct { HANDLE UniqueProcess; HANDLE UniqueThread; } ClientId;
	KAFFINITY AffinityMask;
	LONG      Priority;
	LONG      BasePriority;
} THREAD_BASIC_INFORMATION;

typedef NTSTATUS (NTAPI *pfnNtQueryInformationThread)(HANDLE, ULONG, PVOID, ULONG, PULONG);

// Set by TestThread once it has printed, so main() knows the thread is running.
volatile BOOL bPrinted = FALSE;

TEB* GetTEBFromThread(HANDLE hThread);

// fs:[0x18] holds the linear address of the current thread's TEB (x86 only).
__declspec(naked) DWORD GetCurrentTEB()
{
	__asm
	{
		mov eax,fs:[0x18]
		retn
	}
}

DWORD WINAPI TestThread(LPVOID pParam)
{
	printf("TEB of this Thread 0x%x\n", GetCurrentTEB());

	bPrinted = TRUE;

	while(TRUE)
		Sleep(1000);

	return TRUE;
}

INT main()
{
	CreateThread(NULL, 0, TestThread, NULL, 0, NULL);
	
	while(!bPrinted)
		Sleep(1);

	// Enumerate all Threads in this Process ..!
	HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, GetCurrentProcessId());
	if(hSnap == INVALID_HANDLE_VALUE)
		return 1;
	
	THREADENTRY32 tEntry;
	tEntry.dwSize = sizeof(tEntry);

	if(Thread32First(hSnap, &tEntry))
		do {
			// The snapshot lists every thread on the system; keep only ours.
			if(tEntry.th32OwnerProcessID != GetCurrentProcessId())
				continue;

			HANDLE hThreadHandle = OpenThread(THREAD_ALL_ACCESS, FALSE, tEntry.th32ThreadID);

			// OpenThread returns NULL (not INVALID_HANDLE_VALUE) on failure.
			if(hThreadHandle == NULL)
				continue;

			printf("Thread-Id 0x%x, TEB 0x%p\n", tEntry.th32ThreadID, GetTEBFromThread(hThreadHandle));
			CloseHandle(hThreadHandle);
		} while(Thread32Next(hSnap, &tEntry));

	CloseHandle(hSnap);

	return 0;
}

TEB* GetTEBFromThread(HANDLE hThread)
{
	// ntdll.dll is mapped into every process, so no LoadLibrary is needed.
	pfnNtQueryInformationThread pNtQueryInformationThread =
		(pfnNtQueryInformationThread) GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtQueryInformationThread");
	THREAD_BASIC_INFORMATION tbi;

	if (pNtQueryInformationThread == NULL)
		return NULL;

	// STATUS_SUCCESS is 0; any other NTSTATUS means the query failed.
	if (pNtQueryInformationThread(hThread, THREAD_BASIC_INFORMATION_CLASS, &tbi, sizeof(tbi), NULL) == 0)
		return (TEB*)tbi.TebBaseAddress;

	return NULL;
}
Hope this helps.

Last edited by Sheppard : 09-24-2008 at 03:40 PM.

09-25-2008, 10:36 AM   #28
kolkoo
Mortal

Well, this is how I get the TLS index and value from W3.
Code:
#include <windows.h>
#include <tlhelp32.h>
#include <stdio.h>

// Reads the TLS index that game.dll keeps in a global (address hard-coded for the
// game.dll build this was found in).
DWORD GetIndex()
{
    return *(DWORD*)(0x6FAA45E4);
}

// Walks the threads of this process, finds each thread's TEB through its FS segment base
// and returns the first non-zero TlsSlots[index] value (TlsSlots is at TEB+0xE10 on x86).
DWORD GetW3TlsForIndex(DWORD index)
{
    DWORD pid = GetCurrentProcessId();
    THREADENTRY32 te32;
    HANDLE hSnap = CreateToolhelp32Snapshot( TH32CS_SNAPTHREAD, pid );
    if ( hSnap == INVALID_HANDLE_VALUE )
        return 0;
    te32.dwSize = sizeof(THREADENTRY32);
    if ( Thread32First( hSnap, &te32 ) )
    {
        do 
        {
            if ( te32.th32OwnerProcessID == pid )
            {
                HANDLE hThread = OpenThread( THREAD_ALL_ACCESS, FALSE, te32.th32ThreadID );
                if ( hThread == NULL )
                    continue;
                CONTEXT ctx = { CONTEXT_SEGMENTS };
                LDT_ENTRY ldt;
                // Both calls must succeed before ldt holds anything meaningful.
                if ( !GetThreadContext( hThread, &ctx ) ||
                     !GetThreadSelectorEntry( hThread, ctx.SegFs, &ldt ) )
                {
                    CloseHandle( hThread );
                    continue;
                }
                // Rebuild the 32-bit segment base from the split descriptor fields.
                DWORD dwThreadBase = ldt.BaseLow|(ldt.HighWord.Bytes.BaseMid<<16)|(ldt.HighWord.Bytes.BaseHi<<24);
                CloseHandle( hThread );
                if ( dwThreadBase == 0 )
                    continue;
                DWORD *dwTLS = *(DWORD**)(dwThreadBase+0xE10+4*index);
                printf("Thread: %X , TLS for index %X : %X\n",te32.th32ThreadID,index,(DWORD)dwTLS);
                if ( dwTLS == NULL )
                    continue;
                CloseHandle( hSnap );
                return (DWORD)dwTLS;
            }
        } while( Thread32Next( hSnap, &te32 ) );
    }
    CloseHandle( hSnap );
    return 0;
}
And this is how I get the current game state value after having already retrieved the TlsValue:
Code:
// Pointer retrieved earlier with GetW3TlsForIndex(GetIndex()).
DWORD TlsValue;

DWORD GetGameStateValue()
{
	DWORD rt;
	__asm
	{
		MOV ESI,0x0D
		MOV EAX,TlsValue
		MOV EAX,DWORD PTR DS:[EAX+ESI*4]      ; entry 0x0D of the TLS block
		MOV EAX,DWORD PTR DS:[EAX+0x10]
		MOV ECX,DWORD PTR DS:[EAX+0x8]
		MOV EAX,DWORD PTR DS:[ECX+0x278]      ; current game state
		MOV rt,EAX
	}
	return rt;
}

And what made me think it wasn't used prior to patch 1.22 is that I didn't find any calls to TlsGetValue/TlsSetValue in the 1.21b game.dll intermodular calls.

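The descriptor arithmetic in kolkoo's GetW3TlsForIndex above (and the TEB base Sheppard's post obtains through ThreadBasicInformation) rebuilds a segment base from the split LDT_ENTRY fields and then indexes TEB.TlsSlots; the portable C below, added here and not part of any post, decodes a raw 8-byte x86 descriptor the same way and resolves a 32-bit TEB TLS slot address, refusing indices that only exist in the expansion array. The descriptor bytes are constructed rather than captured, and the offsets are the x86 TEB ones used in this thread.

```c
#include <stdint.h>
#include <stdio.h>

/* Decoded x86 segment descriptor (what GetThreadSelectorEntry's LDT_ENTRY holds in raw
   form); for the FS selector the base is the thread's TEB. */
typedef struct {
    uint32_t base;      /* linear base, split over bytes 2, 3, 4 and 7 */
    uint32_t limit;     /* byte limit, page-scaled when the G bit is set */
    int      present;   /* P bit */
    int      is_32bit;  /* D/B bit */
} seg_descriptor;

seg_descriptor parse_descriptor(const uint8_t d[8])
{
    seg_descriptor s;
    s.base  = (uint32_t)d[2] | ((uint32_t)d[3] << 8) | ((uint32_t)d[4] << 16) | ((uint32_t)d[7] << 24);
    s.limit = (uint32_t)d[0] | ((uint32_t)d[1] << 8) | (((uint32_t)d[6] & 0x0F) << 16);
    if (d[6] & 0x80)                      /* G = 1: limit is counted in 4 KiB pages */
        s.limit = (s.limit << 12) | 0xFFF;
    s.present  = (d[5] >> 7) & 1;
    s.is_32bit = (d[6] >> 6) & 1;
    return s;
}

/* Address of TLS slot `index` for a 32-bit thread whose TEB is at teb_base.
   Slots 0..63 are inline in TEB.TlsSlots at 0xE10 (the 0xE10 + 4*index used on this page);
   indices 64..1087 live in the array TEB.TlsExpansionSlots (0xF94) points to, so they
   cannot be resolved from the TEB base alone and 0 is returned for them. */
uint32_t teb32_tls_slot_address(uint32_t teb_base, unsigned index)
{
    enum { TLS_SLOTS_OFFSET = 0xE10, TLS_MINIMUM_AVAILABLE = 64 };
    if (index >= TLS_MINIMUM_AVAILABLE)
        return 0;
    return teb_base + TLS_SLOTS_OFFSET + 4u * index;
}

/* Constructed descriptors (not captured from a real process): an FS descriptor with base
   0x7FFDE000 and limit 0xFFF, and a flat 4 GiB data segment with G = 1. */
static const uint8_t sample_fs_descriptor[8]   = { 0xFF, 0x0F, 0x00, 0xE0, 0xFD, 0xF3, 0x40, 0x7F };
static const uint8_t sample_flat_descriptor[8] = { 0xFF, 0xFF, 0x00, 0x00, 0x00, 0xF3, 0xCF, 0x00 };

int main(void)
{
    seg_descriptor fs = parse_descriptor(sample_fs_descriptor);
    printf("FS base (TEB) 0x%08X limit 0x%X present %d 32-bit %d\n", fs.base, fs.limit, fs.present, fs.is_32bit);
    printf("TlsSlots[0x1F] lives at 0x%08X\n", teb32_tls_slot_address(fs.base, 0x1F));
    printf("flat segment limit 0x%08X\n", parse_descriptor(sample_flat_descriptor).limit);
    return 0;
}
```
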
11-29-2008, 06:43 AM   #29
GayPimp
Heretic

If anyone is interested, here is a simple program (C++) I wrote to check if you're in game or not using Rufus' offset:

Code:
// Built as an ANSI (non-UNICODE) console project.
#include <windows.h>
#include <iostream>
#include <cstdlib>
#include <cstring>
#include <Tlhelp32.h>

using namespace std;

void EnableDebugPriv();
DWORD GetPID (const char* proc);
DWORD GetDLL (const char* DllName, DWORD tPid);
void ClearConsole();

int main()
{
    SetConsoleTitle("Gamestate");
    EnableDebugPriv();
    TCHAR War3Name[32] = TEXT("Warcraft III");
    HWND hWar3 = FindWindow(War3Name, NULL);

    if(!hWar3)
    {
        cout << "Please open Warcraft III first." << endl;
        system( "pause" );
        return 1;
    }

    DWORD pid;
    GetWindowThreadProcessId( hWar3, &pid );
    HANDLE hOpen = OpenProcess( PROCESS_ALL_ACCESS, false, pid );
    if( !hOpen )
    {
        cout << "Can't open Warcraft III." << endl;
        system( "pause" );
        return 1;
    }

    DWORD Address = 0xAA1988;   // 11147656 decimal
    DWORD Buffer = 0;
    DWORD GameDLL = GetDLL("Game.dll",GetPID("war3.exe"));
    SIZE_T BytesRead = 0;

    if(!GameDLL)
    {
        cout << "Can't find Game.dll in Warcraft III." << endl;
        CloseHandle( hOpen );
        system( "pause" );
        return 1;
    }

    for (;;)
    {
        /* Notice the GameDLL+Address: we add our address, AA1988h, to the module base,
           because while the base is 6F (6F000000h) 95% of the time, it may change for
           specific reasons. */
        if(!ReadProcessMemory(hOpen, (LPCVOID)(GameDLL+Address), &Buffer, sizeof(Buffer), &BytesRead)
           || BytesRead != sizeof(Buffer))
        {
            cout << "Read failed; Warcraft III was probably closed." << endl;
            break;
        }

        // If our address has value (Buffer) 0, then we are not in-game:
        if(Buffer == 0)
        {
            cout << "Not in game" << endl;
            Sleep(2000);
            ClearConsole();
        }
        else
        {
            cout << "In game" << endl;
            Sleep(1000);
            ClearConsole();
        }
    }

    CloseHandle( hOpen );
    return 0;
}

// Privileges
void EnableDebugPriv( )
{
    HANDLE hToken;
    LUID sedebugnameValue;
    TOKEN_PRIVILEGES tkp;
    if( !OpenProcessToken( GetCurrentProcess( ), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken ) )
        return;
    LookupPrivilegeValue( NULL, SE_DEBUG_NAME, &sedebugnameValue );
    tkp.PrivilegeCount = 1;
    tkp.Privileges[0].Luid = sedebugnameValue;
    tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    AdjustTokenPrivileges( hToken, false, &tkp, sizeof( tkp ), NULL, NULL );
    CloseHandle( hToken );
}

// Get PID for process.
DWORD GetPID (const char* proc)
{
    BOOL working = 0;
    PROCESSENTRY32 lppe = {0};
    DWORD targetPid = 0;
    HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);

    // CreateToolhelp32Snapshot returns INVALID_HANDLE_VALUE, not NULL, on failure.
    if (hSnapshot == INVALID_HANDLE_VALUE)
        return 0;

    lppe.dwSize = sizeof(lppe);
    working = Process32First(hSnapshot, &lppe);
    while (working)
    {
        if (_stricmp(lppe.szExeFile, proc) == 0)
        {
            targetPid = lppe.th32ProcessID;
            break;
        }
        working = Process32Next(hSnapshot, &lppe);
    }

    CloseHandle( hSnapshot );
    return targetPid;
}

// Base (6F).
DWORD GetDLL(const char* DllName, DWORD tPid)
{
    HANDLE snapMod;
    MODULEENTRY32 me32;

    if (tPid == 0) return 0;
    snapMod = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, tPid);
    if (snapMod == INVALID_HANDLE_VALUE) return 0;
    me32.dwSize = sizeof(MODULEENTRY32);

    if (Module32First(snapMod, &me32)) {
        do {
            // Module names are compared case-insensitively, like the process name above.
            if (_stricmp(DllName, me32.szModule) == 0) {
                CloseHandle(snapMod);
                return (DWORD) me32.modBaseAddr;
            }
        } while (Module32Next(snapMod, &me32));
    }

    CloseHandle(snapMod);
    return 0;
}

void ClearConsole()
{
    HANDLE hStdOut = GetStdHandle(STD_OUTPUT_HANDLE);
    COORD coord = {0, 0};
    DWORD count;
    CONSOLE_SCREEN_BUFFER_INFO csbi;
    if(GetConsoleScreenBufferInfo(hStdOut, &csbi))
    {
        FillConsoleOutputCharacter(hStdOut, (TCHAR) 32, csbi.dwSize.X * csbi.dwSize.Y, coord, &count);
        FillConsoleOutputAttribute(hStdOut, csbi.wAttributes, csbi.dwSize.X * csbi.dwSize.Y, coord, &count );
        SetConsoleCursorPosition(hStdOut, coord);
    }
    return;
}

Last edited by GayPimp : 11-29-2008 at 06:54 AM.

11-29-2008, 06:52 AM   #30
Iron_Man
Advocate

Kinda bumped the thread....