HowTo create a basic Maphack

 by：Chaotic

 

Requirements:

- Ollydbg
- A memory searcher (e.g. ArtMoney)
- ASM knowledge
- Warcraft III in window mode
-->Create a shortcut, right click anｄ “Properties“
Then add “ -window“

This is my first tutorial, so I hope it has no mistakes anｄ is understandable for everyone.
The main-idea is NOT to follow it step by step anｄ say “I’ll got it, I’m a uber-1337-Hax0r!” Wink
I just want to show you a little part of Warcraft III hacking. I hope this inspires you to learn more by yourself. To be a good hacker, you’ve to know much more anｄ you’ve to get those offsets alone, that’s one reason why I choose a method to get a detectable offset!
[SO DON’T USE IT IN LADDER!]


PART I Instruction

Well, first we’ve to think about a method how to find a offset which reveals the units..
There are many ways...use your brain anｄ try to think like blizzard did when they made this nice game Wink So we need to know how the game manages it if the unit is visible oｒ not.
*IDEA*
“Enemy unit visible” = TRUE = 1
“Enemy unit hidden in fog of war” = FALSE = 0
This makes any sense?
Yeah, let’s try it!


PART II Main Part

Now start Warcraft III anｄ enter a singleplayer game.
(In singleplayer games you won’t disc if you’re pausing the game too long anｄ you’re able to play alone)
Then start ArtMoney anｄ choose “kernel32.dll” as library for process viewer.
Now you should be able to selecｔ Warcraft III as process.
Back to Warcraft III
Just move your unit near a random creep so it’s in your sight range.

Switch to ArtMoney
Now press on Search anｄ search for “1” as Integer.
Wait until it’s finished anｄ you’ll see that
there are many addresses holding the
Value 1…
So we’ve to filter until there are only a
couple addresses left. So...



Switch back to Warcraft III
Now move away so that you can’t see your creep anymore.

Now back to Artmoney anｄ Filter [don't’ search again Wink ]
for “0” as Integer.
After it’s finished, move your unit in the creep’s sight rangeagain anｄ filter for “1” as integer….
After repeating this step ~15 times you should have ~7
addresses left.
Now you’ve to filter by hand:
Move your unit away again, so all rest addresses should be “0”.
Now set the first value to “1” anｄ “Freeze” it
And have a look at Warcraft III if anything changes…

Nothing happened?
So unfreeze the first value, set it to 0 anｄ remove the first value from your table.
Do the same steps until you notice this: (no pictures remember?)
This looks right (in my case it’s 0x12CD337.

So now the interesting part, that’s the time for Ollydbg! Smiley
Attach Warcraft III anｄ move to your address in dump.
Now do a “Memory breakpoint on access” onto the first 8 bytes!
You should reach this address:
6F2A3B91 |. 66:8B3C41 MOV DI,WORD PTR DS:[ECX+EAX*2]
Remove that memory breakpoint again anｄ try to change it like this :
MOV DI,1
And have a look at Warcraft III…
I can see every creep on the mainmap anｄ even buildings on the minimap!
Yeah, it looks like we’re finished!

But wait…!
If you join some custom games you’ll notice that sometimes there’s a bug…
You can’t click any unit, even not your own ones! Sad

So we’ve to look at 0x6F2A3B91 again in Ollydbg anｄ fix this problem.
Now we must understand how Warcraft III works…
MOV DI,WORD PTR DS:[ECX+EAX*2] is a simple part of the draw function which checks which player has the control about the unit.
So we need to change the part so, that it will reveal the unit for all players (1-16).
Well, the number “tells” this part for which players it should check.
MOV DI,

0x1=1. Player
0x2=1-2.Player
…
0xF=1-16. Player

So what we have to do is change our MOV DI,1 to MOV DI,0xF.
So that it will work every time even if we’re not player 1!



Part III The Coding

Now we have our offset + correct changes, but we don’t want to do this change every time we restart Warcraft III by hand with Ollydbg, do we ?!
So now we’ve to code a program which writes into Warcraft III’s memory
Code in C++:
/************************************************** *************** *Made by Chaotic * *Shoutouts to: Exzap, Alpha_Hacka & xliqz^ * *www.SkillHackerZ.com * *Remember: Don't use it in Laddergames because it is not allowed!* *Only with friends * ************************************************** ****************/#include <windows.h>void EnableDebugPriv();int main(){//We have to set debug privileges for our app to be allowed to OpenProcess (war3.exe)EnableDebugPriv();//Get a Handle on Warcraft III windowHWND hwar3 = FindWindow("Warcraft III",NULL);if (!hwar3) //If we can't find the window...{MessageBox(0, "Run Warcarft III First!", "", MB_OK);return false;}DWORD pid;GetWindowThreadProcessId(hwar3, &pid);HANDLE hopen = OpenProcess(PROCESS_ALL_ACCESS, false, pid);if (!hopen) //Can't open Warcarft III's process.. Must be a PID error.{MessageBox(0, "Your getting a PID error, use LoaderZ.", "", MB_OK);return false;}//Now we're ready to change the memory!//We remember: 6F2A3B91 66:BF 0F00 MOV DI,0x0FBYTE data[] = {0xBF,0x0F,0x00};bool success = WriteProcessMemory(hopen,(LPVOID)0x6F2A3B92, &data,3, NULL);if(success)//Everything workedMessageBox(NULL, "Hack Loaded - Remember to Vist www.SkillHackerZ.com", "", MB_OK);else//There was an error!MessageBox(NULL, "Couldn't load hack", "", MB_OK);// Remember to be cleanCloseHandle(hopen);//Done!return true;}void EnableDebugPriv(){HANDLE hToken;LUID sedebugnameValue;TOKEN_PRIVILEGES tkp;OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken);LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &sedebugnameValue);tkp.PrivilegeCount = 1;tkp.Privileges[0].Luid = sedebugnameValue;tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;AdjustTokenPrivileges(hToken, false, &tkp, sizeof tkp, NULL, NULL);CloseHandle(hToken);}

---

当时Chaotic写这篇文章的时代距现在用遥远这样的形容词都不为过了，魔兽也更新换代，所以别再尝试Chaotic给出的那个地址...