General
Results 1 to 1 of 1
-
12-02-2010 #1New Member
- Join Date
- Dec 2010
- Gender
- Posts
- 6
- Reputation
10- Thanks
- 2
- My Mood
-
StarCraft II ASM DLL MapHack Explained
ASM DLL MapHack Example:
Source Code:
ASMMapHackExample_A.inc
ASMMapHackExample_B.incCode:.Data mhToggle dd 0h mhToggle2 dd 0h mh1 db 0??h mh2 db 0??h .Data? HndHook dd ? .Code HotKeys proc nCode:DWORD, wParam:DWORD, lParam:DWORD .if nCode != HC_ACTION jmp HotKeys_End .endif mov ebx, lParam or ebx, 00FFFFFFh .if ebx == 0C0FFFFFFh jmp HotKeys_End .endif .if wParam == VK_F5 .if mhToggle == 0 mov mhToggle, 1 invoke WriteMem, RANDOMEOFFSETh, addr mh1, 1 ;ON .else mov mhToggle, 0 invoke WriteMem, RANDOMEOFFSETh, addr mh2, 1 ;OFF .endif .endif .if wParam == VK_F6 ;Quickly exit StarCraft II invoke ExitProcess, 0 .endif HotKeys_End: invoke CallNextHookEx, HndHook, nCode, wParam, lParam ret HotKeys endp DLLProc proc invoke FindWindow, CTEXT ("StarCraft II"), 0 invoke GetWindowThreadProcessId, eax, 0 invoke SetWindowsHookEx, WH_KEYBOARD, addr HotKeys, NULL, eax mov HndHook, eax Events: invoke Sleep, 2 jmp Events DLLProc endp
ASMMapHackExample.asmCode:.Data PPEB_LDR_DATA dd 0 .Data? lgJmp db 5 dup(?) .Code WriteMem proc MemOffset:DWORD, DataPtr:DWORD, dataLen:DWORD LOCAL OldProt:DWORD pushad invoke VirtualProtect, MemOffset, dataLen, PAGE_EXECUTE_READWRITE, addr OldProt invoke RtlMoveMemory, MemOffset, DataPtr, dataLen invoke VirtualProtect, MemOffset, dataLen, OldProt, addr OldProt popad ret WriteMem endp JmpPatch proc uses ecx ebx from:DWORD, to:DWORD mov ebx, to mov ecx, from add ecx, 05h sub ebx, ecx lea ecx, lgJmp mov byte ptr [ecx], 0E9h mov dword ptr [ecx+1], ebx invoke WriteMem, from, addr lgJmp, 5 ret JmpPatch endp CallPatch proc uses ecx ebx from:DWORD, to:DWORD mov ebx, to mov ecx, from add ecx, 05h sub ebx, ecx lea ecx, lgJmp mov byte ptr [ecx], 0E8h mov dword ptr [ecx+1], ebx invoke WriteMem, from, addr lgJmp, 5 ret CallPatch endp HideModule proc pushad assume fs:nothing mov eax, fs:[30h] mov eax, [eax+0Ch] mov PPEB_LDR_DATA, eax @InLoadOrderModuleList: mov esi, [eax+0Ch] mov edx, [eax+10h] @LoopInLoadOrderModuleList: lodsd mov esi, eax mov ecx, [eax+18h] cmp ecx, hModule jne @f mov ebx, [eax] mov ecx, [eax+4] mov [ecx], ebx mov [ebx+4], ecx jmp @InMemoryOrderModuleList @@: cmp edx, esi jne @LoopInLoadOrderModuleList @InMemoryOrderModuleList: mov eax, PPEB_LDR_DATA mov esi, [eax+14h] mov edx, [eax+18h] @LoopInMemoryOrderModuleList: lodsd mov esi, eax mov ecx, [eax+10h] cmp ecx, hModule jne @f mov ebx, [eax] mov ecx, [eax+4] mov [ecx], ebx mov [ebx+4], ecx jmp @InInitializationOrderModuleList @@: cmp edx, esi jne @LoopInMemoryOrderModuleList @InInitializationOrderModuleList: mov eax, PPEB_LDR_DATA mov esi, [eax+1Ch] mov edx, [eax+20h] @LoopInInitializationOrderModuleList: lodsd mov esi, eax mov ecx, [eax+08h] cmp ecx, hModule jne @f mov ebx, [eax] mov ecx, [eax+4] mov [ecx], ebx mov [ebx+4], ecx jmp @Finished @@: cmp edx, esi jne @LoopInInitializationOrderModuleList @Finished: popad ret HideModule endp
ASM Source Code Explained:Code:.386 .Model Flat, StdCall OPTION CASEMAP :NONE include \masm32\include\windows.inc include \masm32\include\masm32.inc include \masm32\include\kernel32.inc include \masm32\include\debug.inc include \masm32\include\masm32rt.inc includelib \masm32\lib\shell32.lib includelib \masm32\lib\masm32.lib includelib \masm32\lib\kernel32.lib includelib \masm32\lib\debug.lib include ASMMapHackExample_A.inc include ASMMapHackExample_B.inc .Data JmpByte db 0EBh .Data? hThread dd ? ThreadID dd ? hModule dd ? .code DllEntryPoint proc hInstDLL:DWORD, reason:DWORD, unused:DWORD mov eax,reason .if eax == DLL_PROCESS_ATTACH mov eax, hInstDLL mov hModule, eax invoke HideModule invoke CreateThread, NULL, 0, addr DLLProc, 0, 0, addr ThreadID call DLLStartup mov hThread, eax .endif ret DllEntryPoint endp DLLStartup proc ret DLLStartup endp End DllEntryPoint
Just replace RANDOMEOFFSETh with an offset in this format "00000000h". mh1 is the value for turning the hack on, mh2 is off.
Here are the values to write to the appointed offsets. For turning the maphack on set mh1's value by replacing the ?? below, for example "mh1 db 03Dh" for ON & "mh2 db 03Ah" for OFF.Code:invoke WriteMem, RANDOMEOFFSETh, addr mh1, 1 ;ON invoke WriteMem, RANDOMEOFFSETh, addr mh2, 1 ;OFF
This is where you target the process you want to hack, which is "StarCraft II".Code:mh1 db 0??h mh2 db 0??h
To make more hotkeys just copy this selected code and rename "VK_F5" to any F key you want, then change the offsets and values accordingly.Code:invoke FindWindow, CTEXT ("StarCraft II"), 0
When making new hacking functions you have to add the new value names & values to the .Data section of ASMMapHackExample_A.inc, so for example here are two appointed values for a new hacking function. Replace ?? with the value you would like to write to that offset.Code:.if wParam == VK_F? .if mhToggle == 0 mov mhToggle, 1 invoke WriteMem, RANDOMEOFFSETh, addr mh1, 1 .else mov mhToggle, 0 invoke WriteMem, RANDOMEOFFSETh, addr mh2, 1 .endif .endif
The hide module function in this dll is a little out dated for an updated version google "PizzaPan Hide Module"Code:NewhackValues_1 db 0??h NewhackValues_2 db 0??h
For my own personal maphack for StarCraft II & more on hacking this game you can visit us @ SC2HackDev
