Warcraft 3 full graph plug-in analysis Production Process

I used to find some ghost plug-in code on the Internet. It is easy to read the Warcraft process and modify the memory. But I have not mentioned any plug-in articles about how to modify the memory, why, and why.

In fact, the analysis process is the most important and most difficult plug-in.

Today, I also tried to analyze it myself, and I want to analyze it from the ground up. How can I create a plug-in.

Of course, I also refer to the only article on the Internet that mentions the analysis of Warcraft:

Fruit forest: http://blog.csdn.net/breeze356/article/details/4814685)

First, this plug-in is created to display all units on the map. I will record all the analysis processes.

My Warcraft version is 1.24e, and the system is XP (it is best to use XP. Many DLL files in win7 are relocated to other addresses, which is inconvenient for analysis)

I base my work on the basis of Guolin's article. I guess when the unit is 1, it is not 0. (This can only be determined by experience)

Open war3 and watch out for a strange guy. I guess there is such a memory address. When I can see it, it is 1 and it is 0 when I cannot see it.

Open war3 with cheat engine, set value to 1, value type to byte, and click first scan to start searching.

1. After the search is complete, switch to wc3, open the soldier to make the wild monster invisible, return ce, change the value to 0, and click Next scan.

2. After the search is complete, return to the game and move the soldier to make the wild monster visible. Return ce and search for 1.

At the end of step 2, you can find a memory address that represents whether the soldier is visible:

Enable OD and attach it.

Add the memory access breakpoint to memory 0x95206c8 obtained by Ce, and run

The address is read and written in two places:

6f2846f3 8996 64020000
MoV dword ptr ds: [ESI + 0x264], EDX; assigned to this address
And

6f284748 83be 64020000 0> cmp dword ptr ds: [ESI + 0x264], 0x0

After observing this assignment operation, I did not see any useful things, and the most important thing is to determine whether the unit displays the edX value, observe that the original parameter is passed through the first parameter of the function. The value of the noisy memory address is the value of the first parameter.

In this way, you can only look back. Which function calls it. It is easy to know who calls the stack.

0012f914
6f39a61b return to game.6f39a61b from game.6f2846e0

Finally, we found the call code here.

6f39a60f 0b5c24 44 or EBX, dword ptr ss: [esp + 0x44]
6f39a613 8bce mov ECx, ESI
6f39a615 53 push EBX
6f39a616 E8 c5a0eeff call game.6f2846e0

Here, we only need to modify EBX and change it to 1, so we can modify the Code as follows:

The values of these EBX values are changed to 1.

Running results:

The image is successfully opened !!! The wild monsters on the map can be seen, but the small map can be seen, but this is also an open map.

An error was found during the game of Warcraft:

Dizzy and thought the plug-in was ready. Fortunately, it prompts that the 6f4d5f35 location is wrong. Let's see what commands there are. Restart Warcraft and start the game. Open OD:

The error message above indicates that the EBP value is 0 and ECx is assigned to EBP.

When the value of ECx is 0, the conditional breakpoint is used to determine where an error occurs.

After the condition breakpoint is set, use the following method to modify the command to open the graph. After playing with Warcraft, you will find that it has been broken down:

Follow the data call stack to find the Caller:

We can see that ECx is passed in through the first parameter of this function. Then, the caller of the function traces back:

The caller was originally the function that was modified to open the graph code.

The important parameter that causes an error is passed through a local variable of the function. Check the function to read and write the local variable, and find it at the beginning of the function:

The result is stored in a local variable by calling the game.6f26c590 function. When an error occurs after opening the graph, the eax value returns 0 here to see what this function has done:

It is very easy to put a specific address value passed in by ECx and 1, which is different from the eax value based on the result.

I have observed a lot of data. I feel like the data structure of a certain unit is passed in, but I cannot see any rule. Then I will jump to NOP directly here.

 

Try running Warcraft and find no error!

After opening the chart, a new feature is added to show enemy buildings.

Another disadvantage is that the movement of the enemy's unit is a flash... Some strange game bugs ..

The dead of the fallen hero remains there until the hero is resurrected. After the birth of the hero, there is a return to the city, but it cannot be recovered. Indeed, there is a big gap with the Open Graph tools on the market.

Finally, write the code and use writeprocessmemory to change the modification location.

# Include <stdio. h> # include "windows. H "Void main () {hwnd hwar3 = findwarwa (null," Warcraft III "); dwordwar3pid = 0; getwindowthreadprocessid (hwar3, & war3pid); handlehprocess; hprocess = OpenProcess (timeout, false, war3pid); uchar Buf [] = {0x90,0x90}; uchar buf2 [] = {0x33, 0xdb, 0x43,0x90 }; writeprocessmemory (hprocess, (lpvoid) 0x6f26c594, Buf, 2, null); // modify the writeprocessmemory (hprocess, (lpvoid) 0x6f39a60f, buf2, 4, null ); // Open Graph}