Hearthstone Hack Thread

[Nightshadess]

Hello Everyone, I'm Making this Thread, so as you can see, the title say all.

So here some info:

You can change Cards (visual) change the amount of dust, change the amount of gold, change the amount of gold per quest*.
*Take note that the cards changed/gold/dust are only visual, it's needed to exploit the asm of the game, to trick the server with a good request so perhaps it will not be visual forever =D.

The Test that i've done:

If you go in your hearthstone install folder, most of you has notice that you have 2 file:

manifest-achieves.csv (quest rewards-Hero, achievement etc) (you can set 6000 gold a quest, and get them in game (only visual) the server will still grant you only +60 gold for exemple)

manifest-cards.csv (All Cards-ID)

For exemple you have "Ysera" in your deck, but you want to get "Death Wing" in your deck just to joke.
So what i've done is changing the ENUM_ID** of these 2 cards

**1186,EX1_572,1,4 //Ysera
**834,NEW1_030,1,4 //Death Wing

So in-game in your "collection" in your deck you will see ysera changed into death Wing, so the main idea was to remove the deathwing (ysera) to Request a packet to the server that you have removed the cards to get +1 DeathWing in your collection (while not owning the card),

But i think the server also do RequestLastDeckList to ensure that the server(player) is owner of the card.

And some fast research:

---[Craft]---
--[Read Access]--

20BF3978 - 8B 47 08 - mov eax,[edi+08] //Click on card to be crafted
20BF3BB2 - 8B 46 08 - mov eax,[esi+08] //Click on card to be crafted
20BF3998 - 8B 47 08 - mov eax,[edi+08] //After Clicking on CRAFT BUTTON
20BF9195 - 8B 52 08 - mov edx,[edx+08] //Valiate the craft* when you "click" after the craft

---[Dust]---
--[Read Access]--

mono.dll+10B385 - 8B 0E - mov ecx,[esi] //Click on card to be crafted (also executed doing nothing or in craft menu)
20BF15D4 - 89 86 A0000000 - mov [esi+000000A0],eax //Click on card to be crafted
20BF384C - 8B 89 A0000000 - mov ecx,[ecx+000000A0] //Click on card to be crafted
0482ED63 - 8B 89 A0000000 - mov ecx,[ecx+000000A0] //Click on card to be crafted
20BF375A - 8B 92 A0000000 - mov edx,[edx+000000A0] //Click on card to be crafted
20C06CBB - 8B 89 A0000000 - mov ecx,[ecx+000000A0] //After Clicking on Craft Button
20C06CE6 - 89 88 A0000000 - mov [eax+000000A0],ecx //After Clicking on Craft Button
20C1B9A6 - 8B 89 A0000000 - mov ecx,[ecx+000000A0] //After crafting, pressing "cancel button to refund dust"
20C1B9D1 - 89 88 A0000000 - mov [eax+000000A0],ecx //After crafting, pressing "cancel button to refund dust"

---[Dust]---
--[Write Access]--

20BF15D4 - 89 86 A0000000 - mov [esi+000000A0],eax //Click on card to be crafted
20C06CE6 - 89 88 A0000000 - mov [eax+000000A0],ecx //After Clicking on CRAFT BUTTON

/!\ These Adresses are useless, it's from non-static memory /!\

I need help with someone skilled in ASM because i can't get the static module of these addresses, even with backtracing the adresses, it's like Hearthstone.exe+(adresses)+ptr ...

Thanks <!<
~Nightshadess