Some basic offsets to let you play offline

[ZeltMarv]

Are you sure that you don't have crashes with remapping only? I thought so too but it crashes after a random time of several minutes.

That's the thing. My programming experience is quite limited so I haven't been able to do any remapping.

I'm gonna try DLL injection to see if I can get around the CRC check like that.

[ex0d]

Are you sure that you don't have crashes with remapping only? I thought so too but it crashes after a random time of several minutes.

To be fair even several minutes is quite an achievement at this point. How did you do that? My process crashes immediately after remapping.

[MrNoble]

Thanks @ferib.

Your solution enables memory write access (and seems to be bypassing CRCs based on the output) but unfortunately the game process crashes straight away on 'NtResumeProcess(hProcess);'. I can see memory changes to write while the process is still suspended and I see the offsets @king48488 mentioned. Changing them doesn't change the outcome though and the process still crashes immediately on NtResumeProcess.

Edit: I forgot to add that even with CRC check section commented out it still crashes on Resume. It doesn't seem to like NtUnmapViewOfSection/ NtMapViewOfSection.

Hook the thread creation WinAPI (or even syscall) and keep an eye on the thread permissions.
There is a sneaky flag that prevents you from suspending threads.

[MrNoble]

To be fair even several minutes is quite an achievement at this point. How did you do that? My process crashes immediately after remapping.

it's not, you just get an instant crash when you fuck up the assembly, but when your assembly is fine (but not 100% working) it wont crash, instead, the crc32 checks detects you.

[Zagorim]

This is all to patch the game in memory right ? Excuse the noob question but would it be a lot more complicated to make a patched .exe ?

[dclone]

Hook the thread creation WinAPI (or even syscall) and keep an eye on the thread permissions.
There is a sneaky flag that prevents you from suspending threads.

You mean thread suspension returns no error code but in reality threads are not suspended?

[ex0d]

Hook the thread creation WinAPI (or even syscall) and keep an eye on the thread permissions.
There is a sneaky flag that prevents you from suspending threads.

Thanks again @ferib

I tried to find the thread causing the crash and I believe I found it. It's just one. It seems to have the same permissions as the others which resume just fine though. I should add that suspending and resuming the process without remapping (including the thread I am talking about) works fine without crashing the whole process.

After running remapping, I can resume all threads in the process but one:
threadSearch.jpg

Please ignore different TIDs on the right. Screenshots are from different runs but it's the same thread 'Game.exe+0xafde0'.

Since it seems to have the same permissions like the rest, I am not sure what I can do from here. This is the thread that resumed brings the process back to life and I can navigate things in game (unless remapped, then it crashes).

[MrNoble]

Thanks again @ferib

I tried to find the thread causing the crash and I believe I found it. It's just one. It seems to have the same permissions as the others which resume just fine though. I should add that suspending and resuming the process (including the thread I am talking about) works fine without crashing the whole process.

After running remapping, I can resume all threads in the process but one:
threadSearch.jpg

Please ignore different TIDs on the right. Screenshots are from different runs but it's the same thread 'Game.exe+0xafde0'.

Since it seems to have the same permissions like the rest, I am not sure what I can do from here. This is the thread that resumed brings the process back to life and I can navigate things in game (unless remapped, then it crashes).

the "120+" thread should be equal to 'MAXIMUM_SUSPEND_COUNT', it's a trap that's probably used to detect suspending of the game.

[dclone]

the "120+" thread should be equal to 'MAXIMUM_SUSPEND_COUNT', it's a trap that's probably used to detect suspending of the game.

Haha nice just found that blog post explaining how thread suspension works and thought of that trick to set suspend count to max.

[ex0d]

the "120+" thread should be equal to 'MAXIMUM_SUSPEND_COUNT', it's a trap that's probably used to detect suspending of the game.

Thanks @ferib

I had high hopes for this one as sounded quite likely to be the source of the problem. So I suspended all threads but that one (which has a suspend count at 127), ran the remapping (even without crc section) and resumed all threads but that particular one. That way the suspend count never changed and always stayed as 127. Unfortunately the process is still crashing.

[dclone]

Since I built a loader I am pretty sure that I do the remap before all but main thread and 2 other threads even exist. Both get suspended with previous suspend count == 0. I.e. I am pretty sure that while I am doing the remapping nobody is watching me. But even though I remap again back to original protection the game will crash after a few mins. So there must be some way how later on the remapping is detected. I have not applied any patches so it can't be that. And it can't be the hooks or such of the loader because when I do not remap at all then it runs forever.

[MrNoble]

Since I built a loader I am pretty sure that I do the remap before all but main thread and 2 other threads even exist. Both get suspended with previous suspend count == 0. I.e. I am pretty sure that while I am doing the remapping nobody is watching me. But even though I remap again back to original protection the game will crash after a few mins. So there must be some way how later on the remapping is detected. I have not applied any patches so it can't be that. And it can't be the hooks or such of the loader because when I do not remap at all then it runs forever.

On wow there are logfiles to indicate if its a 'security' crash or not, im not seeing any useful log files on D2R ;/

[ZeltMarv]

I managed to get the CRC bypass to work, but the game crashes a few seconds after it's launched :/ I'm guessing I'm hitting the same roadblocks as some people here

[dclone]

Those delayed randomised crashes are pretty smart by Blizzard - hard to reverse the origin and demoralising at the same time.

[MrNoble]

Can confirm, the crc32 checks are the same as the ones I'm used to.
Big thanks, @king48488 for poking my interests, was a fun challenge to get it working!