HotS unpack - Removing HotS' binary encryption statically

#1 athre0z

    Cheers,

    HotS unpack is a little static unpacker for HotS game binaries. It takes an encrypted binary as input and creates a decrypted one as output. The output binaries are not runnable, but are intended only for analysis purposes. Adjusting the entry point would probably make the binaries runnable, however this is currently not a goal of this tool (it would also be pretty easy for the AC to detect, e.g. because I don't XOR the AES input key with some random constant after decryption).

    Example output of a successful decryption: (screenshot attached to the original post, not reproduced here)

    GitHub:
    https://github.com/athre0z/hots-unpack

    Link to the latest binary distribution:
    https://github.com/athre0z/hots-unpack/releases/latest

    The tool is written in the Rust language, which is still pretty young, and so is the crypto library I'm using. This library seems to only work if compiled without any kind of optimizations, which results in huge and pretty slow binaries. I have already reported the issue and will recompile the tool with -O3 as soon as the issue in the crypto library is resolved.

    Greets,
    athre0z
    Last edited by athre0z; 02-19-2016 at 11:02 AM.

#2 malloc84

    Tested, confirmed Xmas is WAY early ^^

    It was "easy" to get the HotS binary code via various methods but this trumps all of them.

    Top tool, top code! I finally managed to find the last component needed for my desyncer.

    +rep
    Last edited by malloc84; 04-11-2015 at 11:06 AM.

#3 MileP

    Does this work with replays? Can you read or change your replays?

#4 athre0z

    Originally Posted by MileP:
    Does this work with replays? Can you read or change your replays?
    Ehm .. nope ..

#5 Midi12

    Originally Posted by MileP:
    Does this work with replays? Can you read or change your replays?
    It is intended to be used with shipped game executable, not for encrypted data.

#6 Torpedoes

    So I woke up today and thought... today is a good day to reverse Heroes. Went ahead and loaded up the binary only to watch it fail. Having limited experience, I frantically began searching for guides which would help me overcome the protection. An hour later I came across this, and boy does it work beautifully. Thanks for all your amazing hard work, I can't wait to start seeing the hacks roll out. For those interested, make sure you have Rust installed, otherwise this isn't going to work.

#7 athre0z

    Oh, thanks for pointing that out. I didn't realize that Rust-generated binaries have any dependencies, but it seems like they require some gcc library (Rust uses gcc for linkage). I updated the zip with the precompiled binary to also come with the required DLL.

#8 Torpedoes

    One of the things I'm noticing is some parts are still obfuscated. For instance, I'm trying to look at some GalaxyScript functions like UnitGetPosition (10D4E50) but it ends up looking like this (screenshot in the original post, not reproduced here). Functions like AISetDifficulty are fine though. I could just be doing something wrong, but have you got any thoughts on this?

    EDIT: I may just need to define the functions myself via Edit -> Functions -> Create Function. Early tests look promising.
    Last edited by Torpedoes; 05-13-2015 at 06:10 PM.

#9 athre0z

    You can also just press "C" and then "P", by the way. "C" makes the data code, "P" defines a function. If the data under the cursor is already undefined, just pressing "P" does the trick.

#10 h42

    Yeah, some parts of the code are falsely identified by the IDA disassembler.
    I'd recommend making a script that loops over each GalaxyScript function and undefines it, then defines it as code and finally as a function.
    For any other part that seems "obfuscated", just remember that even IDA makes mistakes: track it down, undefine and then re-define it as code and you're set.
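    The "C then P" sequence from post #9 and the scripted loop h42 suggests in post #10, as an added example (this is not code from the thread, from hots-unpack, or from any of the posters): an IDAPython script that reads a "Name HEXADDR" list, undefines each address, converts it to code and then creates a function there, reporting per address whether that worked. The list-file name and format, the IdaApi adapter and the status strings are this example's own assumptions; the one sample address is the UnitGetPosition one quoted in post #8 and is only meaningful for that client build.

```python
"""Bulk-redefine mis-analysed code as functions inside IDA (IDAPython, IDA 7.x API).

Added example, not code from the thread or the hots-unpack project.  It does
what pressing "C" then "P" does for one address, for every line of a text file
shaped like "UnitGetPosition 10D4E50" (file format and name are assumptions
of this example).  Run it from IDA via File -> Script file.
"""
import os
import re

# One "Name HEXADDR" per line, optional 0x prefix, '#' starts a comment line.
ADDRESS_LINE = re.compile(r"^\s*(\w+)\s+(?:0x)?([0-9A-Fa-f]+)\s*$")

# Constructed sample list; the address is the one quoted in post #8 and is
# only valid for that particular client build.
SAMPLE_LIST = """
# galaxy script natives
UnitGetPosition 10D4E50
"""


def parse_address_list(text):
    """Turn the list text into [(name, ea), ...]; a malformed line is an error, not skipped."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        match = ADDRESS_LINE.match(line)
        if match is None:
            raise ValueError("unparseable line: %r" % line)
        entries.append((match.group(1), int(match.group(2), 16)))
    return entries


class IdaApi:
    """Thin adapter over the IDAPython modules; only constructible inside IDA."""

    def __init__(self):
        import ida_auto, ida_bytes, ida_funcs, ida_name, ida_ua
        self._auto, self._bytes, self._funcs = ida_auto, ida_bytes, ida_funcs
        self._name, self._ua = ida_name, ida_ua

    def get_func_start(self, ea):
        func = self._funcs.get_func(ea)
        return None if func is None else func.start_ea

    def del_items(self, ea):
        # Edit -> Undefine; DELIT_EXPAND also removes an item that merely
        # overlaps ea (e.g. a bogus array IDA created across the function start).
        return self._bytes.del_items(ea, self._bytes.DELIT_EXPAND, 1)

    def create_insn(self, ea):          # hotkey "C": returns decoded length, 0 on failure
        length = self._ua.create_insn(ea)
        self._auto.auto_wait()          # let auto-analysis follow the new flow
        return length

    def add_func(self, ea):             # hotkey "P": IDA determines the end itself
        ok = self._funcs.add_func(ea)
        self._auto.auto_wait()
        return ok

    def set_name(self, ea, name):
        return self._name.set_name(ea, name, self._name.SN_NOCHECK | self._name.SN_NOWARN)


def redefine_function(ea, name, api):
    """Undefine -> code -> function at ea; returns a status string instead of raising."""
    if api.get_func_start(ea) == ea:
        return "already-function"       # nothing to do, keep IDA's own analysis
    api.del_items(ea)
    if api.create_insn(ea) == 0:
        return "not-code"               # bytes do not decode: wrong address or still encrypted
    if not api.add_func(ea):
        return "add_func-failed"        # e.g. the flow runs into an existing function
    api.set_name(ea, name)
    return "created"


def redefine_all(text, api):
    """Apply redefine_function to every entry of the list; returns {name: status}."""
    return {name: redefine_function(ea, name, api) for name, ea in parse_address_list(text)}


if __name__ == "__main__":
    list_path = os.path.join(os.getcwd(), "galaxy_functions.txt")   # assumed file name
    text = open(list_path).read() if os.path.exists(list_path) else SAMPLE_LIST
    for name, status in redefine_all(text, IdaApi()).items():
        print("%-24s %s" % (name, status))
```

    The IDA calls are kept behind the small IdaApi adapter so the decision logic can be exercised with a fake outside IDA; inside IDA, a "not-code" result is the one to look at first, since it means the bytes at that address do not decode as instructions at all, which is what you would expect from an address taken from a different build or from a region the unpacker did not decrypt.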

#11 Torpedoes

    Originally Posted by athre0z:
    You can also just press "C" and then "P", by the way. "C" makes the data code, "P" defines a function. If the data under the cursor is already undefined, just pressing "P" does the trick.
    Thanks for your help!!

    Originally Posted by h42:
    I'd recommend making a script that loops over each GalaxyScript function and undefines it, then defines it as code and finally as a function.
    For any other part that seems "obfuscated", just remember that even IDA makes mistakes: track it down, undefine and then re-define it as code and you're set.
    Definitely something I'll be looking at doing. I'm just poking around, trying to practice my reversing skills, learning a lot in the process too!

#12 athre0z

    v1.1.0 released!

    Changelog:
    - Support for new chunk table format (builds >= 37117)
    - Heavily improved performance using a fork of rust-crypto that works with optimizations enabled
    - Binary release now targets x86_64 architecture

    Download link in original post.

#13 athre0z

    v1.2.0 released!

    Changelog:
    - added support for 64-bit game clients

    Download link in original post.

#14 picknicker

    Hiho!

    This looks great, however it does not work anymore with the current client version.
    Do you guys know any other way to disassemble the game at this point?
    I'm currently trying to decrypt the network traffic.
    I figured it may be the same as done for the Blizzard MoPaQ format (see _decrypt function in https://github.com/Blizzard/heroprot...r/mpyq/mpyq.py) but I wasn't able to find a working key so far.

    Any help would be greatly appreciated.
