    Warden Dump + Maphack + More

    Posted by Vuno

    Most of this information is for developers.

    This function is what SC2 (not Warden) uses to VirtualQuery specific parts of the module:
    Code:
    00007FF62853A110   | 4C:8BDC                         | mov r11,rsp                                                     |
    00007FF62853A113   | 53                              | push rbx                                                        |
    00007FF62853A114   | 48:83EC 50                      | sub rsp,0x50                                                    |
    00007FF62853A118   | 33C0                            | xor eax,eax                                                     |
    00007FF62853A11A   | 49:8D53 C8                      | lea rdx,qword ptr ds:[r11-0x38]                                 | [r11-38]:&"PE"
    00007FF62853A11E   | 48:8BD9                         | mov rbx,rcx                                                     |
    00007FF62853A121   | 48:8941 18                      | mov qword ptr ds:[rcx+0x18],rax                                 |
    00007FF62853A125   | 48:8941 20                      | mov qword ptr ds:[rcx+0x20],rax                                 |
    00007FF62853A129   | 48:8941 28                      | mov qword ptr ds:[rcx+0x28],rax                                 |
    00007FF62853A12D   | 48:8941 30                      | mov qword ptr ds:[rcx+0x30],rax                                 |
    00007FF62853A131   | 44:8D40 30                      | lea r8d,qword ptr ds:[rax+0x30]                                 |
    00007FF62853A135   | 48:8941 38                      | mov qword ptr ds:[rcx+0x38],rax                                 |
    00007FF62853A139   | 48:8941 40                      | mov qword ptr ds:[rcx+0x40],rax                                 |
    00007FF62853A13D   | 48:8941 48                      | mov qword ptr ds:[rcx+0x48],rax                                 |
    00007FF62853A141   | 48:8941 50                      | mov qword ptr ds:[rcx+0x50],rax                                 |
    00007FF62853A145   | 33C9                            | xor ecx,ecx                                                     |
    00007FF62853A147   | 49:8943 C8                      | mov qword ptr ds:[r11-0x38],rax                                 | [r11-38]:&"PE"
    00007FF62853A14B   | 49:8943 D0                      | mov qword ptr ds:[r11-0x30],rax                                 |
    00007FF62853A14F   | 49:8943 D8                      | mov qword ptr ds:[r11-0x28],rax                                 |
    00007FF62853A153   | 49:8943 E0                      | mov qword ptr ds:[r11-0x20],rax                                 |
    00007FF62853A157   | 49:8943 E8                      | mov qword ptr ds:[r11-0x18],rax                                 |
    00007FF62853A15B   | 49:8943 F0                      | mov qword ptr ds:[r11-0x10],rax                                 |
    00007FF62853A15F   | FF15 3BF99C02                   | call qword ptr ds:[0x7FF62AF09AA0]                              |
    00007FF62853A165   | 48:85C0                         | test rax,rax                                                    |
    00007FF62853A168   | 0F84 DD000000                   | je sc2_x64.7FF62853A24B                                         |
    00007FF62853A16E   | 66:90                           | nop                                                             |
    00007FF62853A170   | 48:8B4424 40                    | mov rax,qword ptr ss:[rsp+0x40]                                 |
    00007FF62853A175   | 4C:8B4424 20                    | mov r8,qword ptr ss:[rsp+0x20]                                  |
    00007FF62853A17A   | 48:8B5424 38                    | mov rdx,qword ptr ss:[rsp+0x38]                                 |
    00007FF62853A17F   | 3D 00100000                     | cmp eax,0x1000                                                  |
    00007FF62853A184   | 74 64                           | je sc2_x64.7FF62853A1EA                                         |
    00007FF62853A186   | 3D 00200000                     | cmp eax,0x2000                                                  |
    00007FF62853A18B   | 74 2D                           | je sc2_x64.7FF62853A1BA                                         |
    00007FF62853A18D   | 3D 00000100                     | cmp eax,0x10000                                                 |
    00007FF62853A192   | 0F85 80000000                   | jne sc2_x64.7FF62853A218                                        |
    00007FF62853A198   | 6645:85C0                       | test r8w,r8w                                                    |
    00007FF62853A19C   | 74 07                           | je sc2_x64.7FF62853A1A5                                         |
    00007FF62853A19E   | 0FB7C2                          | movzx eax,dx                                                    |
    00007FF62853A1A1   | 48:0143 18                      | add qword ptr ds:[rbx+0x18],rax                                 |
    00007FF62853A1A5   | 48:0113                         | add qword ptr ds:[rbx],rdx                                      |
    00007FF62853A1A8   | 48:8BCA                         | mov rcx,rdx                                                     |
    00007FF62853A1AB   | 48:3953 20                      | cmp qword ptr ds:[rbx+0x20],rdx                                 |
    00007FF62853A1AF   | 48:0F474B 20                    | cmova rcx,qword ptr ds:[rbx+0x20]                               |
    00007FF62853A1B4   | 48:894B 20                      | mov qword ptr ds:[rbx+0x20],rcx                                 |
    00007FF62853A1B8   | EB 5E                           | jmp sc2_x64.7FF62853A218                                        |
    00007FF62853A1BA   | 48:0153 10                      | add qword ptr ds:[rbx+0x10],rdx                                 |
    00007FF62853A1BE   | 48:8B4424 48                    | mov rax,qword ptr ss:[rsp+0x48]                                 |
    00007FF62853A1C3   | 3D 00000200                     | cmp eax,0x20000                                                 |
    00007FF62853A1C8   | 74 1A                           | je sc2_x64.7FF62853A1E4                                         |
    00007FF62853A1CA   | 3D 00000400                     | cmp eax,0x40000                                                 |
    00007FF62853A1CF   | 74 0D                           | je sc2_x64.7FF62853A1DE                                         |
    00007FF62853A1D1   | 3D 00000001                     | cmp eax,0x1000000                                               |
    00007FF62853A1D6   | 75 40                           | jne sc2_x64.7FF62853A218                                        |
    00007FF62853A1D8   | 48:0153 40                      | add qword ptr ds:[rbx+0x40],rdx                                 |
    00007FF62853A1DC   | EB 3A                           | jmp sc2_x64.7FF62853A218                                        |
    00007FF62853A1DE   | 48:0153 48                      | add qword ptr ds:[rbx+0x48],rdx                                 |
    00007FF62853A1E2   | EB 34                           | jmp sc2_x64.7FF62853A218                                        |
    00007FF62853A1E4   | 48:0153 50                      | add qword ptr ds:[rbx+0x50],rdx                                 |
    00007FF62853A1E8   | EB 2E                           | jmp sc2_x64.7FF62853A218                                        |
    00007FF62853A1EA   | 48:0153 08                      | add qword ptr ds:[rbx+0x8],rdx                                  |
    00007FF62853A1EE   | 48:8B4424 48                    | mov rax,qword ptr ss:[rsp+0x48]                                 |
    00007FF62853A1F3   | 3D 00000200                     | cmp eax,0x20000                                                 |
    00007FF62853A1F8   | 74 1A                           | je sc2_x64.7FF62853A214                                         |
    00007FF62853A1FA   | 3D 00000400                     | cmp eax,0x40000                                                 |
    00007FF62853A1FF   | 74 0D                           | je sc2_x64.7FF62853A20E                                         |
    00007FF62853A201   | 3D 00000001                     | cmp eax,0x1000000                                               |
    00007FF62853A206   | 75 10                           | jne sc2_x64.7FF62853A218                                        |
    00007FF62853A208   | 48:0153 28                      | add qword ptr ds:[rbx+0x28],rdx                                 |
    00007FF62853A20C   | EB 0A                           | jmp sc2_x64.7FF62853A218                                        |
    00007FF62853A20E   | 48:0153 30                      | add qword ptr ds:[rbx+0x30],rdx                                 |
    00007FF62853A212   | EB 04                           | jmp sc2_x64.7FF62853A218                                        |
    00007FF62853A214   | 48:0153 38                      | add qword ptr ds:[rbx+0x38],rdx                                 |
    00007FF62853A218   | 48:85D2                         | test rdx,rdx                                                    |
    00007FF62853A21B   | 74 2E                           | je sc2_x64.7FF62853A24B                                         |
    00007FF62853A21D   | 49:8BC0                         | mov rax,r8                                                      |
    00007FF62853A220   | 48:F7D8                         | neg rax                                                         |
    00007FF62853A223   | 48:3BC2                         | cmp rax,rdx                                                     |
    00007FF62853A226   | 73 05                           | jae sc2_x64.7FF62853A22D                                        |
    00007FF62853A228   | 4D:85C0                         | test r8,r8                                                      |
    00007FF62853A22B   | 75 1E                           | jne sc2_x64.7FF62853A24B                                        |
    00007FF62853A22D   | 49:8D0C10                       | lea rcx,qword ptr ds:[r8+rdx]                                   |
    00007FF62853A231   | 41:B8 30000000                  | mov r8d,0x30                                                    | 30:'0'
    00007FF62853A237   | 48:8D5424 20                    | lea rdx,qword ptr ss:[rsp+0x20]                                 |
    00007FF62853A23C   | FF15 5EF89C02                   | call qword ptr ds:[0x7FF62AF09AA0]                              |
    00007FF62853A242   | 48:85C0                         | test rax,rax                                                    |
    00007FF62853A245   | 0F85 25FFFFFF                   | jne sc2_x64.7FF62853A170                                        |
    00007FF62853A24B   | 48:83C4 50                      | add rsp,0x50                                                    |
    00007FF62853A24F   | 5B                              | pop rbx                                                         |
    00007FF62853A250   | C3                              | ret

    The naming conventions may be wrong because at first I thought the address was only for NtCreateSection. However, after further research, I discovered they use this one address to hold addresses for all their important secret API calls in the TLS section. Since this is valuable and I don't want Blizzard to be angry, I removed a few digits from the addresses. Originally I was using this to hack the game, but I found an easier and safer way to write my memory.

    Code:
    // Offsets from the game's image base; the '#' digits are redacted by the author.
    DWORD64 m_i64APIEncKey       = m_i64GameBase + 0xF7#3 + 2;   // key the game XORs its stored API pointers with
    DWORD64 m_i64NtCreateSection = m_i64GameBase + 0x37#143#;    // slot holding the encoded NtCreateSection pointer

    // Read the encoding key out of the game process.
    DWORD64 encKey = 0;
    ReadProcessMemory(m_hGame, (LPCVOID)m_i64APIEncKey, &encKey, sizeof(encKey), NULL);

    // Read back the current (encoded) slot contents; kept for inspection, not used below.
    DWORD64 tempData2 = 0;
    ReadProcessMemory(m_hGame, (LPCVOID)m_i64NtCreateSection, &tempData2, sizeof(tempData2), NULL);

    // Encode our own NtCreateSection shellcode address with the same key, so that the game's
    // decode (slot ^ key) yields our address, then overwrite the slot with it.
    DWORD64 dwEncNtCreateSection = m_CShellcode.m_lpNtCreateSectionBase ^ encKey;
    Core_WriteMemoryEx(m_hGame, (LPVOID)m_i64NtCreateSection, &dwEncNtCreateSection, sizeof(dwEncNtCreateSection));

    And for the thieves who reverse other people's cheats to steal their addresses, I'm providing one here for Maphack. It makes enemy units visible through fog of war, shows invisible units, and prints them on the minimap. You'll discover a few issues with this, though (not my problem). Also, as with the above, I've removed some digits from the addresses so Blizzard won't be too mad. I don't use this in my personal cheats, but this is one of the first offsets I found for Maphack.

    Code:
    SC2_x64.exe+1#6#640 - 41 88 B4 3E ##080000   - mov [r14+REG+000008D8],sil 
    SC2_x64.exe+1#6F6#8 - 40 88 B7 ##080000      - mov [REG+000008E8],sil
    SC2_x64.exe+1#6F6#F - E9 ##000000            - jmp SC2_x64.exe+1#6F#2D

    Below is a recent dump of Warden I did.
    wardendumpbyvuno.zip

    In conclusion, hacking SC2 requires much more effort. There are some vulnerable spots to modify, but of course those won't be released because they can be patched. I respect the developers because of their amazing anti-cheat methods.
    Last edited by Vuno; 05-18-2020 at 11:12 AM.
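The VirtualQuery routine in the listing above, rewritten in C as an added example (my decompilation, not code from the post or from the game). The reading it encodes is taken from the listing: the buffer at rsp+0x20 is a 0x30-byte MEMORY_BASIC_INFORMATION (State at +0x20, Type at +0x28), the first query is at address 0 (xor ecx,ecx before the first call), the loop continues at BaseAddress+RegionSize until the call returns 0, the region size is 0, or base+size would wrap, and the `[rbx+N]` stores are the fields of the output struct below. The values compared against eax (0x1000, 0x2000, 0x10000 for State; 0x20000, 0x40000, 0x1000000 for Type) are the Win32 MEM_COMMIT/MEM_RESERVE/MEM_FREE and MEM_PRIVATE/MEM_MAPPED/MEM_IMAGE constants. All field, function and type names are assumptions of this example, and the address-space map it is run on is constructed sample data so the logic can be exercised off Windows; on Windows the same walk runs against the live process via VirtualQuery.

```c
/* Added example: C reimplementation of the VirtualQuery walk in the listing.
 * Names are this example's own; offsets and constants come from the disassembly. */
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#else
/* Stand-in with the x64 Win32 layout (0x30 bytes) so the logic runs off Windows. */
typedef struct {
    void     *BaseAddress;       /* rsp+0x20 in the listing */
    void     *AllocationBase;    /* rsp+0x28 */
    uint32_t  AllocationProtect; /* rsp+0x30 */
    uint64_t  RegionSize;        /* rsp+0x38 */
    uint32_t  State;             /* rsp+0x40 */
    uint32_t  Protect;           /* rsp+0x44 */
    uint32_t  Type;              /* rsp+0x48 */
} MEMORY_BASIC_INFORMATION;
#define MEM_COMMIT  0x1000u
#define MEM_RESERVE 0x2000u
#define MEM_FREE    0x10000u
#define MEM_PRIVATE 0x20000u
#define MEM_MAPPED  0x40000u
#define MEM_IMAGE   0x1000000u
#endif

/* Output block the routine fills through rbx; field names assumed, offsets from the listing. */
typedef struct {
    uint64_t free_total;          /* +0x00 */
    uint64_t commit_total;        /* +0x08 */
    uint64_t reserve_total;       /* +0x10 */
    uint64_t free_unaligned_tail; /* +0x18: low 16 bits of size, for free regions not on a 64K boundary */
    uint64_t free_largest;        /* +0x20: max over free regions (the cmova) */
    uint64_t commit_image;        /* +0x28 */
    uint64_t commit_mapped;       /* +0x30 */
    uint64_t commit_private;      /* +0x38 */
    uint64_t reserve_image;       /* +0x40 */
    uint64_t reserve_mapped;      /* +0x48 */
    uint64_t reserve_private;     /* +0x50 */
} VmStats;

/* Query callback: returns 0 when there is no region at addr, exactly like VirtualQuery. */
typedef size_t (*QueryFn)(void *ctx, uint64_t addr, MEMORY_BASIC_INFORMATION *out);

/* Fold one region into the totals: the State switch, then the Type switch under it. */
static void vm_stats_account(VmStats *s, const MEMORY_BASIC_INFORMATION *m)
{
    uint64_t base = (uint64_t)(uintptr_t)m->BaseAddress, size = m->RegionSize;
    uint64_t *by_type = NULL;
    switch (m->State) {
    case MEM_COMMIT:
        s->commit_total += size;
        by_type = m->Type == MEM_PRIVATE ? &s->commit_private
                : m->Type == MEM_MAPPED  ? &s->commit_mapped
                : m->Type == MEM_IMAGE   ? &s->commit_image : NULL;
        break;
    case MEM_RESERVE:
        s->reserve_total += size;
        by_type = m->Type == MEM_PRIVATE ? &s->reserve_private
                : m->Type == MEM_MAPPED  ? &s->reserve_mapped
                : m->Type == MEM_IMAGE   ? &s->reserve_image : NULL;
        break;
    case MEM_FREE:
        if ((uint16_t)base != 0)                     /* test r8w,r8w */
            s->free_unaligned_tail += (uint16_t)size; /* movzx eax,dx; add [rbx+0x18],rax */
        s->free_total += size;
        if (size > s->free_largest) s->free_largest = size;
        break;
    default:
        break;                                        /* other states are not counted anywhere */
    }
    if (by_type) *by_type += size;
}

/* The loop: query address 0, then BaseAddress+RegionSize, until the query fails,
 * the size is 0, or base+size would wrap (neg rax; cmp rax,rdx; jae). */
static void vm_stats_walk(VmStats *s, QueryFn query, void *ctx)
{
    MEMORY_BASIC_INFORMATION m;
    memset(s, 0, sizeof *s);
    memset(&m, 0, sizeof m);
    if (query(ctx, 0, &m) == 0) return;
    for (;;) {
        vm_stats_account(s, &m);
        uint64_t base = (uint64_t)(uintptr_t)m.BaseAddress, size = m.RegionSize;
        if (size == 0) return;
        if (base != 0 && size > (uint64_t)0 - base) return;
        if (query(ctx, base + size, &m) == 0) return;
    }
}

/* ---- Constructed address-space map standing in for VirtualQuery (sample data, not real) ---- */
typedef struct { uint64_t base, size; uint32_t state, type; } FakeRegion;
typedef struct { const FakeRegion *r; size_t n; } FakeMap;

static size_t fake_query(void *ctx, uint64_t addr, MEMORY_BASIC_INFORMATION *out)
{
    const FakeMap *map = ctx;
    for (size_t i = 0; i < map->n; i++) {
        const FakeRegion *r = &map->r[i];
        if (addr >= r->base && addr - r->base < r->size) {
            memset(out, 0, sizeof *out);
            out->BaseAddress = out->AllocationBase = (void *)(uintptr_t)r->base;
            out->RegionSize = r->size;
            out->State = r->state;
            out->Type = r->type;
            return sizeof *out;
        }
    }
    return 0;
}

static const FakeRegion SAMPLE[] = {
    {0x00000, 0x10000, MEM_FREE,    0},
    {0x10000, 0x10000, MEM_COMMIT,  MEM_IMAGE},
    {0x20000, 0x10000, MEM_RESERVE, MEM_PRIVATE},
    {0x30000, 0x01000, MEM_COMMIT,  MEM_PRIVATE},
    {0x31000, 0x0F000, MEM_FREE,    0},          /* free but not 64K-aligned: feeds the +0x18 field */
    {0x40000, 0x10000, MEM_COMMIT,  MEM_MAPPED},
    {0x50000, 0x20000, MEM_FREE,    0},          /* largest free block */
};
/* A region whose size runs past the top of the address space: the wrap guard must stop the walk. */
static const FakeRegion WRAP[] = {
    {0x0,                    0xFFFFFFFFFFFF0000ull, MEM_FREE,   0},
    {0xFFFFFFFFFFFF0000ull,  0x20000,               MEM_COMMIT, MEM_PRIVATE},
};

VmStats sample_stats(void) { FakeMap m = { SAMPLE, sizeof SAMPLE / sizeof SAMPLE[0] }; VmStats s; vm_stats_walk(&s, fake_query, &m); return s; }
VmStats wrap_stats(void)   { FakeMap m = { WRAP, 2 }; VmStats s; vm_stats_walk(&s, fake_query, &m); return s; }

#ifdef _WIN32
static size_t win_query(void *ctx, uint64_t addr, MEMORY_BASIC_INFORMATION *out)
{ (void)ctx; return VirtualQuery((LPCVOID)(uintptr_t)addr, out, sizeof *out); }
#endif

int main(void)
{
    VmStats s;
#ifdef _WIN32
    vm_stats_walk(&s, win_query, NULL);   /* live walk of this process, as the game does */
#else
    s = sample_stats();
#endif
    printf("free=%" PRIx64 " (largest %" PRIx64 ", unaligned tail %" PRIx64 ") commit=%" PRIx64 " reserve=%" PRIx64 "\n",
           s.free_total, s.free_largest, s.free_unaligned_tail, s.commit_total, s.reserve_total);
    return 0;
}
```

Two details worth noticing when you compare this with the listing: the routine never zeroes the first three output fields itself (the stores at the top start at rcx+0x18), so the caller is expected to hand in a cleared block, and the free-region accounting at +0x18 only adds the low 16 bits of the size when the base is not 64K-aligned, which is a measure of allocation-granularity fragmentation rather than a byte count of free memory.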
