Author Topic: Lockdown  (Read 12026 times)

0 Members and 1 Guest are viewing this topic.

Offline Joe

  • B&
  • Moderator
  • Hero Member
  • *****
  • Posts: 10319
  • In Soviet Russia, text read you!
    • View Profile
    • Github
Re: Lockdown
« Reply #15 on: April 11, 2007, 04:38:37 pm »
Hm, if you replaced CreateFile, DeleteFile, etc, with stubs, couldn't you actually make your own lockdown DLL's that didn't check for the hacks?
I'd personally do as Joe suggests

You might be right about that, Joe.


Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: Lockdown
« Reply #16 on: April 11, 2007, 05:14:59 pm »
Hm, if you replaced CreateFile, DeleteFile, etc, with stubs, couldn't you actually make your own lockdown DLL's that didn't check for the hacks?
Assuming that the DLL does a checksum on memory (which I'm pretty sure it does), you'd have to fake the checksum, which would be identical to re-implementing it.


Offline Joe

  • B&
  • Moderator
  • Hero Member
  • *****
  • Posts: 10319
  • In Soviet Russia, text read you!
    • View Profile
    • Github
Re: Lockdown
« Reply #17 on: April 11, 2007, 07:05:33 pm »
Right, but you could force StarCraft to use your DLL instead of the one from BNFTP, which does check for hacks, right?
I'd personally do as Joe suggests

You might be right about that, Joe.


Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: Lockdown
« Reply #18 on: April 11, 2007, 07:22:24 pm »
The one from Battle.net checks for exactly one hack.

The easier thing to do if you want to hack is to load your memory patches after the CheckRevision .dll is unloaded. You can hook LoadLibraryA() and FreeLibrary() safely, because Battle.net's .dll can't check those (kernel32.dll can't be guaranteed to have a consistent checksum).

Better yet, apply patches after the ExtraWork .dll has been unloaded. Then you're even safer.

Offline warz

  • Hero Member
  • *****
  • Posts: 1134
    • View Profile
    • chyea.org
Re: Lockdown
« Reply #19 on: April 12, 2007, 02:30:08 pm »
The one from Battle.net checks for exactly one hack.

Saying that is misleading. Checkrevision only checks for one hack's file name. Since most hacks deal with modifying memory, and the new Checkrevision routines check for that, I'd say it checks for a whole realm of hacks. :P
http://www.chyea.org/ - web based markup debugger

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: Lockdown
« Reply #20 on: April 12, 2007, 02:57:09 pm »
The one from Battle.net checks for exactly one hack.

Saying that is misleading. Checkrevision only checks for one hack's file name. Since most hacks deal with modifying memory, and the new Checkrevision routines check for that, I'd say it checks for a whole realm of hacks. :P
I explained that in the previous post. But Joe is talking about checking for specific .dll's.

Offline Joe

  • B&
  • Moderator
  • Hero Member
  • *****
  • Posts: 10319
  • In Soviet Russia, text read you!
    • View Profile
    • Github
Re: Lockdown
« Reply #21 on: April 12, 2007, 05:25:26 pm »
No, I'm saying that we could write a DLL that has the same functionality as the BnFtp DLL's, but doesn't check for hacks. By patching StarCraft's CreateFile and DeleteFile, we can stick our own DLL in the folder and StarCraft *should* run it instead.
I'd personally do as Joe suggests

You might be right about that, Joe.


Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: Lockdown
« Reply #22 on: April 12, 2007, 07:21:01 pm »
No, I'm saying that we could write a DLL that has the same functionality as the BnFtp DLL's, but doesn't check for hacks. By patching StarCraft's CreateFile and DeleteFile, we can stick our own DLL in the folder and StarCraft *should* run it instead.
Have you read my posts? The new CheckRevision does a checksum on your *memory*! The trick is to re-implement the checksum, which isn't an easy job.

The alternative, as I said, is to load hacks *after* the CheckRevision function runs. It's a whole lot easier than the alternatives.