Finding memory values?

  1. #31
    veronikas's Avatar Private
    so because i want to start writing a mock game server for hs, i decided it would be a good time to start documenting the packets:

    #8640908 - Pastie

    each default packet is handled by the respective class and is handled like so:

    Code:
    // packet is p
    byte[] data = (byte[]) p.Body;
    TBuilder builder = new TBuilder();
    p.Body = (object) builder.MergeFrom(data).Build();
    return p;

    now to write the game server, i need a way to edit the server the client connects to so that it can connect to my server at localhost...

    Code:
    IPEndPoint ipEndPoint = new IPEndPoint(IPAddress.Any, 1226);
    try
    {
        this.m_socket = new Socket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.Tcp);
        this.m_socket.Bind((EndPoint) ipEndPoint);
        this.m_socket.Listen(16);
    }

    is it possible to use cecil to edit the parameter from IPAddress.Any to localhost? or should I go about it a different way?

  2. #32
    phyte's Avatar Member
    Not sure if this will work but it's what I would try first. You should be able to find all the code for the function you want to replace using dotPeek. Then you can use cecil to replace the function entirely with your own code instead of injecting it before or after.

    Btw has anyone thought of a good way to make these hacks more deployable? Like eliminating the need to copy junk into your HS folder every time you want to run something? The most annoying part is you can only launch the game through the bnet launcher right now and it overwrites the hooked dll every time you close the game.

  3. #33
    wubbel's Avatar Member
    well, i am not versed in the field of reverse engineering, but this (chinese) video shows that it actually is possible to get all important memory readings from the game, doesn't it?
    Chinese gamer makes Hearthstone battles 3D by editing in WoW animations

    but i'm just guessing ... plus, i don't really understand how far the progress of this thread is, maybe some1 is keen enough to summarize it quickly. thx in advance

  4. #34
    Maddin1803's Avatar Member
    @veronikas, yes you would be able to use cecil for this kind of work. I would use the hosts file for the start, this way you don't have to worry about pieces of code you have missed while developing, you should have a look at my first post in this thread. You need to take care of the SSL Keys tho..

    @phyte For developing i made a tool which simply checks the Assembly-CSharp for the Original Hash, if it is the Original Hash it overwrites the file with the file in my output directory. Not really a nice solution, but good enough for the moment. If anyone feels like reversing the Launcher it would be better.

    @Wubbel, mh not sure what you mean exactly, had a quick look at the video, i can only guess, but i would say he used pretty much the same approach that we use atm, simply because it's the easiest solution, and quite convenient, especially if you like to rewrite bigger parts of the code. Reading the Memory directly is of course doable, but you can think about the unity engine as some VM, to read values, you will first need to understand how exactly the engine works, which would involve a good amount of reversing.

    After a bit of thinking about it, we should look into a Proxy Framework, like Castle or Linfu, with properly done basework we should be able to get the ability to hook every function with one or two lines of code then. At this point, more people should be able to develop.

  5. #35
    overture2112's Avatar Active Member
    Does Hearthstone not scan for hooks or even verify checksums?
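
What a checksum check of the kind asked about in post #35 could look like, as an added example that is not part of the thread or of the game's code: it pins SHA-256 hashes for the managed assemblies and reports modified, missing or unlisted DLLs. The class name, the manifest layout, `Extra.dll` and the temp directory are assumptions constructed for the demo.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Security.Cryptography;

static class AssemblyIntegrity
{
    // SHA-256 of a file as lowercase hex.
    static string Sha256Hex(string path)
    {
        using (var sha = SHA256.Create())
        using (var fs = File.OpenRead(path))
            return BitConverter.ToString(sha.ComputeHash(fs)).Replace("-", "").ToLowerInvariant();
    }

    // One finding per manifest entry that is missing or modified, plus one
    // per .dll on disk that the manifest does not list.
    public static List<string> Verify(string dir, IDictionary<string, string> manifest)
    {
        var findings = new List<string>();
        foreach (var entry in manifest)
        {
            string path = Path.Combine(dir, entry.Key);
            if (!File.Exists(path)) findings.Add("MISSING " + entry.Key);
            else if (Sha256Hex(path) != entry.Value) findings.Add("MODIFIED " + entry.Key);
        }
        foreach (var path in Directory.GetFiles(dir, "*.dll"))
            if (!manifest.ContainsKey(Path.GetFileName(path)))
                findings.Add("UNEXPECTED " + Path.GetFileName(path));
        return findings;
    }

    static void Main()
    {
        // Constructed sample: a temp directory stands in for the managed-assembly folder.
        string dir = Path.Combine(Path.GetTempPath(), Path.GetRandomFileName());
        Directory.CreateDirectory(dir);
        string dll = Path.Combine(dir, "Assembly-CSharp.dll");
        File.WriteAllBytes(dll, new byte[] { 1, 2, 3, 4 });
        var manifest = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
        manifest["Assembly-CSharp.dll"] = Sha256Hex(dll);   // pinned at "release" time

        Console.WriteLine("clean: {0} finding(s)", Verify(dir, manifest).Count);
        File.WriteAllBytes(dll, new byte[] { 1, 2, 3, 4, 5 });                 // replaced build
        File.WriteAllBytes(Path.Combine(dir, "Extra.dll"), new byte[] { 9 });  // dropped alongside
        foreach (string f in Verify(dir, manifest)) Console.WriteLine(f);
        Directory.Delete(dir, true);
    }
}
```

An in-client check can be patched out together with the DLL it guards, so treat the result as a detection signal rather than an enforcement boundary.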

  6. #36
    wubbel's Avatar Member
    Originally Posted by Maddin1803 View Post
    @Wubbel, mh not sure what you mean exactly, had a quick look at the video, i can only guess, but i would say he used pretty much the same approach that we use atm, simply because it's the easiest solution, and quite convenient, especially if you like to rewrite bigger parts of the code. Reading the Memory directly is of course doable, but you can think about the unity engine as some VM, to read values, you will first need to understand how exactly the engine works, which would involve a good amount of reversing.
    I see, very interesting! thanks man.

  7. #37
    evilme73's Avatar Member
    Originally Posted by wubbel View Post
    well, i am not versed in the field of reverse engineering, but this (chinese) video shows that it actually is possible to get all important memory readings from the game, doesn't it?
    Chinese gamer makes Hearthstone battles 3D by editing in WoW animations

    but i'm just guessing ... plus, i don't really understand how far the progress of this thread is, maybe some1 is keen enough to summarize it quickly. thx in advance
    I'm pretty sure that video is just someone recording animations with a wow modelviewer and overlaying them on pre-recorded hearthstone footage.

  8. #38
    hankerspace's Avatar Sergeant
    Hi,

    I have some issues with DLL injection:

    1. Code in my injected dll (currently creates a .txt file) isn't executed when my game starts.
    2. I can't use buttons on the HS start screen ...

    I have checked my framework version, it's 4.0 for both my projects.

    Do you have some ideas?

    Thx.

  9. #39
    Maddin1803's Avatar Member
    1. Check the Function Bytecode, if this doesn't help post your injected dll code.

    2. Create a new Thread, otherwise the Function never returns, freezing Hearthstone.

  10. #40
    hankerspace's Avatar Sergeant
    Thanks for your reply,

    I have followed the instructions in this post : http://www.ownedcore.com/forums/mmo/...ml#post2945553 (Finding memory values?)

    I have used exactly the same samples of code.

    Where am I supposed to create a thread? In the injected dll?

  11. #41
    overture2112's Avatar Active Member
    Originally Posted by phyte View Post
    Btw has anyone thought of a good way to make these hacks more deployable? Like eliminating the need to copy junk into your HS folder every time you want to run something? The most annoying part is you can only launch the game through the bnet launcher right now and it overwrites the hooked dll every time you close the game.
    Maddin1803's idea of an external tool managing this is probably nicer in the long run, but if you want an easy/fast solution, just add a post-build event to always copy the file.

  12. #42
    Maddin1803's Avatar Member
    @hankerspace exactly, let init create a new thread with a mainloop for your code.

    like

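    Code:
    // requires: using System; using System.Threading;

    // Called from the injected hook; it has to return, otherwise the
    // calling function never returns and the game freezes.
    public static void init()
    {
        Console.WriteLine("starting thread");
        Thread thread = new Thread(new ThreadStart(WorkThreadFunction));
        thread.Start();
    }

    // The main loop runs on its own thread instead of blocking init().
    public static void WorkThreadFunction()
    {
        while (true)
        {
            Thread.Sleep(5000);
            Console.Write("Ping");
        }
    }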

  13. #43
    hankerspace's Avatar Sergeant
    @Maddin1803 ok, i did it but i still have the same problem: buttons are unusable.

    However i can duel a friend via friend list but i can't go for normal game...

    My DLL weighs 4933Ko, it seems fine (such as phyte).

    To summarize: injector is a console program which modifies the original Assembly-CSharp.dll to inject a custom dll.

    Custom dll is a Visual Studio project in which i am starting the thread and doing some custom actions.

    Both projects are compiled with .NET Framework 4. Once my custom dll is created and the injector executed, i copy the new Assembly-CSharp.dll to the Hearthstone folder.

    Am i right ?
    Last edited by hankerspace; 01-23-2014 at 01:39 PM.

  14. #44
    Maddin1803's Avatar Member
    Yes, as far as I am aware this is right,
    take a look at the debug log of unity, maybe this will shed some light on your problem.

  15. #45
    hankerspace's Avatar Sergeant
    Can you explain to me how to take a look at these logs, please?
