Blizzard and the hackers' war, part 1: the happy days of hacks

Source: Internet
Author: User
Tags blizzard

As mentioned in the previous article, the development of hacks for d2x (Diablo II: Lord of Destruction) can be divided into three stages: the mature period before 1.10, the transition period of 1.10, and the decline period of 1.11.
Up to 1.09d (the last version before 1.10), d2x had almost no anti-cheat mechanism, which made this the happiest period for hackers. It had no dedicated detection code, although it did have a couple of mechanisms that could have been used for cheat detection.
The first is its automatic update mechanism. Anyone who has played online knows that every time you connect to Battle.net, a dialog box appears saying that the game version is being checked; if the client's local version and the server's version differ, the game updates itself automatically. Diablo's automatic update may well have been the first in the game industry, and it greatly lowered the barrier to getting started. I have been in touch with many foreign players and, unlike Chinese players, many of them are children under the age of 15, for whom downloading and applying a patch package from the Internet is practically impossible. The automatic update process is as follows:
1. The player connects to Battle.net.
2. The server sends a DLL dedicated to version checking to the client.
3. The client saves the DLL on the local disk.
4. The client calls LoadLibrary to load the DLL.
5. The client calls a function exported by the DLL. This function examines several important client game files to determine whether the version matches; if it does not, the function performs the automatic update.
6. Once the client version has been checked, the client calls FreeLibrary to unload the DLL and deletes the file.

Because the version-check DLL lives on the server, it can obviously be modified at any time to add other functions, such as cheat detection. The Win32 APIs called by the version-check code (see the disassembly at the end of this article) are LoadLibraryA, GetProcAddress, FreeLibrary and DeleteFileA.

Another, less well-known mechanism is that after a player connects to Battle.net, the server sometimes sends a DLL (ExtraWork.dll) to the client, which runs it and returns the result to the server. It works very much like the version-check mechanism, and obviously it could also be used for cheat detection. However, from the observations of many hackers, ExtraWork.dll is generally used to collect the player's system configuration: CPU clock speed, memory size and operating system version.
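The six-step lifecycle above (and the ExtraWork.dll variant, which follows the same shape) modelled in Python, as an added example that is not code from the original article or from Blizzard. A dynamically loaded Python file stands in for the DLL: importlib plays the role of LoadLibraryA, getattr the role of GetProcAddress, removing the module and unlinking the file the roles of FreeLibrary and DeleteFileA. The file names, the module name ix86ver_sim, the check_revision contract (return the list of files whose hash differs from the server's manifest) and all sample contents are constructed for illustration. The pinned-hash check in run_versioning_module is an addition the article's flow does not have; it makes concrete the point that, without it, the client executes whatever module the server chooses to send.

```python
import hashlib
import importlib.util
import os
import sys
import tempfile

# Constructed stand-in for the client's "important game files" (names chosen for illustration).
SAMPLE_FILES = {
    "Game.exe": b"constructed sample: game executable, current build\n",
    "D2Client.dll": b"constructed sample: client library, current build\n",
}

# Source of the server-supplied check module, the analogue of the versioning DLL.
# It exports check_revision(), as the DLL exported CheckRevision, and carries the
# SHA-256 the server expects for each important client file.
MODULE_TEMPLATE = '''
import hashlib
import os

EXPECTED = __MANIFEST__

def check_revision(game_dir):
    """Return the names of files that are missing or differ from the expected hash.
    An empty list means the client version matches the server."""
    stale = []
    for name, digest in EXPECTED.items():
        path = os.path.join(game_dir, name)
        if not os.path.isfile(path):
            stale.append(name)
            continue
        with open(path, "rb") as f:
            if hashlib.sha256(f.read()).hexdigest() != digest:
                stale.append(name)
    return stale
'''


def build_versioning_module(expected_files):
    """Server side: bake the expected hash of each file into the module source (step 2)."""
    manifest = {n: hashlib.sha256(d).hexdigest() for n, d in expected_files.items()}
    return MODULE_TEMPLATE.replace("__MANIFEST__", repr(manifest)).encode()


def write_sample_game_dir(game_dir, files):
    """Write constructed client files into game_dir."""
    for name, data in files.items():
        with open(os.path.join(game_dir, name), "wb") as f:
            f.write(data)


def run_versioning_module(game_dir, module_bytes, pinned_sha256):
    """Client side, mirroring steps 3-6: save, load, resolve the export, call it,
    unload and delete.  The pinned-hash check is an addition the original flow lacks."""
    if hashlib.sha256(module_bytes).hexdigest() != pinned_sha256:
        raise ValueError("versioning module does not match pinned hash; not loading it")
    with tempfile.TemporaryDirectory() as drop_dir:
        path = os.path.join(drop_dir, "ix86ver_sim.py")
        with open(path, "wb") as f:                          # step 3: save to local disk
            f.write(module_bytes)
        try:
            spec = importlib.util.spec_from_file_location("ix86ver_sim", path)
            module = importlib.util.module_from_spec(spec)
            spec.loader.exec_module(module)                  # step 4: ~LoadLibraryA
            check = getattr(module, "check_revision", None)  # step 5: ~GetProcAddress
            if check is None:
                raise RuntimeError("<Error: failed to execute versioning module>")
            return check(game_dir)                           # step 5: call the export
        finally:
            sys.modules.pop("ix86ver_sim", None)             # step 6: ~FreeLibrary
            os.unlink(path)                                  # step 6: ~DeleteFileA


def demo():
    """End-to-end run on constructed data; returns the three observable outcomes."""
    module = build_versioning_module(SAMPLE_FILES)
    pinned = hashlib.sha256(module).hexdigest()  # the value a client could pin
    with tempfile.TemporaryDirectory() as game_dir:
        write_sample_game_dir(game_dir, SAMPLE_FILES)
        up_to_date = run_versioning_module(game_dir, module, pinned)
        # Roll one file back to an older build: the check must report it.
        write_sample_game_dir(game_dir, {"Game.exe": b"constructed sample: game executable, old build\n"})
        stale = run_versioning_module(game_dir, module, pinned)
        # A module that differs from the pinned one (here with a line appended) is refused.
        try:
            run_versioning_module(game_dir, module + b"\nEXTRA = True\n", pinned)
            tampered_rejected = False
        except ValueError:
            tampered_rejected = True
    return {"up_to_date": up_to_date, "stale": stale, "tampered_rejected": tampered_rejected}


if __name__ == "__main__":
    print(demo())
```

Running the file prints `{'up_to_date': [], 'stale': ['Game.exe'], 'tampered_rejected': True}`. The first two results are what the real flow produces (version matches, or a file needs updating); the third only exists because of the added pin, which is exactly the control that lets a client tell a legitimate version check from a module that has had other functionality appended.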

Although both mechanisms could have been used for cheat detection, there was no sign before 1.10 that Blizzard ever did so, and hacks of this period therefore took no anti-detection measures at all.

Code for the version check (disassembly; the address prefix is redacted as xxxx):
xxxx45A3  lea     ecx, [esp+124h]
xxxx45AA  push    ecx             ; "ix86ver0.dll"
xxxx45AB  call    ds:LoadLibraryA
xxxx45B1  mov     ebp, eax
xxxx45B3  test    ebp, ebp
xxxx45B5  jz      loc_6FF046F1
xxxx45BB  push    offset aCheckrevision ; "CheckRevision"
xxxx45C0  push    ebp             ; hModule
xxxx45C1  call    ds:GetProcAddress
xxxx45C7  mov     esi, eax
xxxx45C9  test    esi, esi
xxxx45CB  jnz     short loc_6FF045DF
xxxx45CD  push    offset aErrorFailedT_0 ; "<Error: failed to execute versioning DL"
xxxx45D2  call    nullsub_1
xxxx45D7  add     esp, 4
xxxx45DA  jmp     loc_6FF046EA
xxxx45DF loc_xxxx45DF:
          ; ...
xxxx46E6  call    esi             ; CheckRevision
xxxx46E8  mov     ebx, eax
xxxx46EA
xxxx46EA loc_xxxx46EA:            ; CODE XREF: DownloadAndRunVersioningDLL+15Aj
xxxx46EA  push    ebp             ; hLibModule
xxxx46EB  call    ds:FreeLibrary
xxxx46F1
xxxx46F1 loc_xxxx46F1:            ; CODE XREF: DownloadAndRunVersioningDLL+F3j
xxxx46F1                          ; DownloadAndRunVersioningDLL+11Ej
xxxx46F1  mov     eax, [esp+430h+hArchive]
xxxx46F5  pop     ebp
xxxx46F6  test    eax, eax
xxxx46F8  jz      short loc_xxxx4700
xxxx46FA  push    eax             ; hArchive
xxxx46FB  call    Storm_252_SFileCloseArchive
xxxx4700
xxxx4700 loc_xxxx4700:            ; CODE XREF: DownloadAndRunVersioningDLL+278j
xxxx4700  push    32h             ; dwMilliseconds
xxxx4702  call    ds:Sleep
xxxx4708  mov     esi, ds:DeleteFileA
xxxx470E  push    offset g_szVersionDllName ; lpFileName
xxxx4713  call    esi             ; DeleteFileA
xxxx4715  mov     al, [esp+42Ch+FileName]
xxxx471C  test    al, al
xxxx471E  jz      short loc_xxxx472A
xxxx4720  lea     eax, [esp+42Ch+FileName]
xxxx4727  push    eax             ; lpFileName
xxxx4728  call    esi             ; DeleteFileA
