Blizzard and hacker war 2: Blizzard's first blow

Source: Internet
Author: User
Tags: blizzard

In the later stages of WoW development, Blizzard was able to free up manpower to upgrade D2X from patch 1.09d, which had been current for two years. Because of the flood of hacks during the 1.09d period, Blizzard felt it had to crack down on such brazenness, so it added the hack detection mechanism that was so often talked about during the 1.10 era.

What is a packet? A packet is a network message. In D2, the server and the client interact by sending packets to each other. D2 packets come in two kinds: out-of-game packets (before entering a game) and in-game packets. Here we are concerned with in-game packets. The first byte of an in-game packet is the packet ID, which determines what the packet means; it is followed by the corresponding (variable-length) parameters. For example, ID 0x01 is the walk command. It is 5 bytes long: the ID is followed by two 16-bit values giving the target coordinates of the walk, so the format is 01 [word x] [word y]. Note that the packet IDs of different D2 patch versions have different meanings and cannot be used interchangeably. A fairly complete list of 1.10 in-game packets can be found here: http://www.edgeofnowhere.cc/viewtopic.php?t=303771

Packets 0x64 and 0x65 are the ones involved in hack detection. Packet 0x64 is 9 bytes long, in the format 64 [DWORD address1] [DWORD address2]; the two DWORDs are the two memory addresses the server wants the client to check. Packet 0x65 is 1 byte long (no parameters) and makes the client check four fixed addresses, the ones most likely to be patched. After a simple obfuscation step (which makes capturing and analysing the traffic with a sniffer harder), the results of the 0x64/0x65 checks are sent back to the server. If the instructions or data at a probed address have been changed, the result naturally no longer matches the original, and Blizzard knows you are using a hack. This technique is the so-called memory probe, i.e. memory detection. So how does Blizzard know which addresses to check? The detour points (patch locations) of a given hack are fixed. Well-known public releases such as maphack and d2jsp are certainly studied, so Blizzard knows where their patches go. Blizzard cannot know about hacks people write for their own use, so those are relatively safe; but if your patch points happen to coincide with those of maphack or d2jsp, you may still be "lucky" enough to get flagged.

The following is a piece of the code behind the packet 0x64 check. eax and ecx hold the two memory addresses to be probed. The results are saved to the local variables var_result1 and var_result2 and then sent back to the server:

Code
.text:xxxxF362 $check_result1:                        ; CODE XREF: checkdetectionresult+87j
.text:xxxxF362     cmp     eax, esi                   ; not zero
.text:xxxxF364     jz      short $clear_result1       ; jump if zero (ZF = 1)
.text:xxxxF366     mov     [ebp+arg1], esi
.text:xxxxF369     mov     eax, [eax]
.text:xxxxF36B     mov     [ebp+var_result1], eax
.text:xxxxF36E     mov     [ebp+arg1], -1
.text:xxxxF375     jmp     short $check_result2       ; jump

.text:xxxxF39B $check_result2:                        ; CODE XREF: checkdetectionresult+A5j
.text:xxxxF39B                                        ; checkdetectionresult+C4j
.text:xxxxF39B     cmp     ecx, esi                   ; compare two operands
.text:xxxxF39D     jz      short $clear_result2       ; jump if zero (ZF = 1)
.text:xxxxF39F     mov     [ebp+arg1], 1
.text:xxxxF3A6     mov     ecx, [ecx]
.text:xxxxF3A8     mov     [ebp+var_result2], ecx
.text:xxxxF3AB     mov     [ebp+arg1], -1
.text:xxxxF3B2     jmp     short $send_detect_result  ; jump

The packet 0x65 check code is similar to that for 0x64, except that it probes several fixed addresses instead of ones supplied by the server.
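As an added worked example (not code from the article and not Blizzard's client code), the following C program models the exchange described above: a length table for the in-game packet IDs mentioned on the page, a client-side handler for packet 0x64 that mirrors the listing (a zero address leaves the result cleared, otherwise the DWORD at the address is read and the flag is set to -1), and the server-side comparison against the values an unmodified client would report. The simulated client image and its base address 0x6FAB0000, the 8-byte unobfuscated reply layout, the expected values, and the 5-byte relative jmp written by install_detour are all constructed for this example; the real client's obfuscation of the reply is not on the page and is omitted here.

```c
/* Added example: miniature of the D2 1.10 in-game packet dispatch and 0x64 memory probe.
 * Everything about the client image, addresses and reply layout is assumed, not from the article. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define IMAGE_BASE 0x6FAB0000u  /* assumed base of the simulated image (not a real D2 address) */
#define IMAGE_SIZE 32u
#define PROBE_OFF  4u           /* offset the server "knows" a public hack detours (assumed) */

/* Constructed stand-in for a few bytes of client code; the byte values are arbitrary. */
static const uint8_t clean_image[IMAGE_SIZE] = {
    0x55,0x8B,0xEC,0x83, 0xEC,0x10,0x53,0x56, 0x57,0x8B,0x7D,0x08, 0x85,0xFF,0x74,0x20,
    0x8B,0x45,0x0C,0x8B, 0x4D,0x10,0x51,0x50, 0xE8,0x00,0x00,0x00, 0x00,0x83,0xC4,0x08 };

/* Wire length of the in-game packet IDs discussed on the page; 0 = not handled here. */
size_t packet_len(uint8_t id) {
    switch (id) {
    case 0x01: return 5;   /* walk: 01 [word x] [word y] */
    case 0x64: return 9;   /* memory probe: 64 [dword addr1] [dword addr2] */
    case 0x65: return 1;   /* memory probe of fixed addresses, no parameters */
    default:   return 0;
    }
}

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Mirrors the listing: a zero address (the cmp against esi) leaves the result cleared and the
 * flag at 0; otherwise the dword at the address is read and the flag becomes -1. The read is
 * served from the simulated image instead of dereferencing a raw pointer. */
int probe_dword(const uint8_t *image, uint32_t addr, uint32_t *result) {
    *result = 0;
    if (addr == 0) return 0;
    if (addr < IMAGE_BASE || addr - IMAGE_BASE > IMAGE_SIZE - 4) return 0;  /* outside toy image */
    *result = rd32(image + (addr - IMAGE_BASE));
    return -1;
}

/* Client side: handle one 0x64 packet and write both probe results into resp.
 * Assumed reply layout: two little-endian dwords, 8 bytes, no obfuscation. Returns 0 if malformed. */
size_t handle_memprobe(const uint8_t *image, const uint8_t *pkt, size_t len, uint8_t resp[8]) {
    if (len < packet_len(0x64) || pkt[0] != 0x64) return 0;
    uint32_t r1, r2;
    probe_dword(image, rd32(pkt + 1), &r1);
    probe_dword(image, rd32(pkt + 5), &r2);
    wr32(resp, r1);
    wr32(resp + 4, r2);
    return 8;
}

/* Server side: the reply must equal the dwords the shipped, unmodified client would report. */
int server_accepts(const uint8_t resp[8], uint32_t expect1, uint32_t expect2) {
    return rd32(resp) == expect1 && rd32(resp + 4) == expect2;
}

/* The kind of detour a maphack installs: a 5-byte relative jmp (E9 rel32) over the probed bytes. */
void install_detour(uint8_t *image, uint32_t off, int32_t rel) {
    image[off] = 0xE9;
    wr32(image + off + 1, (uint32_t)rel);
}

/* Run the exchange against a clean and a detoured image; returns 1 if only the clean one passes. */
int demo(void) {
    uint8_t pkt[9] = { 0x64 };
    wr32(pkt + 1, IMAGE_BASE + PROBE_OFF);        /* addr1: the detour site */
    wr32(pkt + 5, IMAGE_BASE + IMAGE_SIZE - 4);   /* addr2: bytes no hack touches */
    uint32_t exp1 = rd32(clean_image + PROBE_OFF), exp2 = rd32(clean_image + IMAGE_SIZE - 4);

    uint8_t resp[8];
    handle_memprobe(clean_image, pkt, sizeof pkt, resp);
    int clean_ok = server_accepts(resp, exp1, exp2);

    uint8_t hacked[IMAGE_SIZE];
    memcpy(hacked, clean_image, IMAGE_SIZE);
    install_detour(hacked, PROBE_OFF, 0x1000);
    handle_memprobe(hacked, pkt, sizeof pkt, resp);
    int hacked_ok = server_accepts(resp, exp1, exp2);

    printf("clean image accepted: %d, detoured image accepted: %d\n", clean_ok, hacked_ok);
    return clean_ok && !hacked_ok;
}

int main(void) { return demo() ? 0 : 1; }
```

The point the example makes concrete is the one the article states in prose: the server only needs to know where a public hack writes its detour, read four bytes there, and compare them with the bytes of the shipped binary. A private hack whose patch sites the server never asks about produces identical replies to a clean client, which is exactly why the article calls such hacks relatively safe.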

The memory probe mechanism of packets 0x64/0x65, together with the version-checking DLL and ExtraWork.dll described in the previous article, makes up the hack detection mechanism Blizzard uses in the Diablo II 1.10 patch.

The accompanying figure (missing from this copy) shows some of the detour points used by d2jsp 1.2.0 (d2jsp 1.2.0 targets Diablo II 1.11b, but the idea is the same).
