Valhalla Legends Forums Archive | Battle.net Bot Development | [C++] Dynamic SCBW Verbyte Retrieval

Author | Message | Time
devcode
http://www.bnetdocs.org/verbyte.html

Open source release motivated by Don Cullen, and you know what it is ;)

* Made a mistake, SEC_IMAGE from CreateFileMapping should be removed :o
October 17, 2007, 1:52 AM
Barabajagal
Well, that simplifies matters a bit, doesn't it?

Got bored and ported it to vb:
[code]Option Explicit
Private Declare Sub RtlMoveMemory Lib "kernel32" (lpvDest As Any, lpvSource As Any, ByVal cbCopy As Long)
Private Sub Form_Load()
Dim sData  As String
Dim I      As Long
Dim FindStr As String
Dim RVal    As Long
    Open "C:\Path\To\STAR\Starcraft.exe" For Binary Access Read As #1
    sData = Space(LOF(1))
    Get #1, , sData
    Close #1
    FindStr = Chr$(&HC7) & Chr$(&H46) & Chr$(&H10) & "????" & Chr$(&HC7) & Chr$(&H46) & Chr$(&H18) & "????" & Chr$(&HC7) & Chr$(&H46)
    For I = 1 To Len(sData)
        If Mid$(sData, I, 16) Like FindStr Then
            RtlMoveMemory RVal, ByVal Mid$(sData, I + 3, 4), 4
        End If
    Next I
    Debug.Print "VerByte: " & RVal
End Sub[/code]

(And no, I'm not planning on using it or taking any credit)

Edit: Works for War2 as well.
October 17, 2007, 2:14 AM
LockesRabb
Thanks DevCode for releasing it, it is certainly much appreciated. :)
October 17, 2007, 2:28 AM
devcode
[quote author=devcode link=topic=17116.msg173918#msg173918 date=1192585962]
* Made a mistake, SEC_IMAGE from CreateFileMapping should be removed :o
[/quote]

and yea, guess it works for W2BN as well, not for any other games though, at least with the supplied pattern.
October 17, 2007, 3:01 AM
squiggly
[quote author=Andy link=topic=17116.msg173922#msg173922 date=1192587273]
Well, that simplifies matters a bit, doesn't it?

Got bored and ported it to vb:
[code]Option Explicit
Private Declare Sub RtlMoveMemory Lib "kernel32" (lpvDest As Any, lpvSource As Any, ByVal cbCopy As Long)
Private Sub Form_Load()
Dim sData  As String
Dim I      As Long
Dim FindStr As String
Dim RVal    As Long
    Open "C:\Path\To\STAR\Starcraft.exe" For Binary Access Read As #1
    sData = Space(LOF(1))
    Get #1, , sData
    Close #1
    FindStr = Chr$(&HC7) & Chr$(&H46) & Chr$(&H10) & "????" & Chr$(&HC7) & Chr$(&H46) & Chr$(&H18) & "????" & Chr$(&HC7) & Chr$(&H46)
    For I = 1 To Len(sData)
        If Mid$(sData, I, 16) Like FindStr Then
            RtlMoveMemory RVal, ByVal Mid$(sData, I + 3, 4), 4
        End If
    Next I
    Debug.Print "VerByte: " & RVal
End Sub[/code]

(And no, I'm not planning on using it or taking any credit)

Edit: Works for War2 as well.
[/quote]

What do you mean, got bored? You live on the side of a mountain in the middle of nowhere, what else do you have to do besides go on the internet and shoot squirrels for food?
October 17, 2007, 3:03 AM
LockesRabb
Lay off, squiggly. Don't flame him for his lifestyle preferences.
October 17, 2007, 3:05 AM
HdxBmx27
Anyone feel like finding the patterns for D2/WC3/JSTR and the like?
I would like to see how this stands up to a new patch. *sits down and waits for one*
But what is the use when it comes without a form of patching the files? You're pretty much not gonna find the hashes without finding the verbyte posted along with it.
I can see where this would come in handy. (Working with stealthbot -.-) But I am merely concerned with its reliability. But we'll see.
~Hdx
October 17, 2007, 3:07 AM
LockesRabb
[quote author=Hdx link=topic=17116.msg173929#msg173929 date=1192590470]
Anyone feel like finding the patterns for D2/WC3/JSTR and the like?
I would like to see how this stands up to a new patch. *sits down and waits for one*
But what is the use when it comes without a form of patching the files? You're pretty much not gonna find the hashes without finding the verbyte posted along with it.
I can see where this would come in handy. (Working with stealthbot -.-) But I am merely concerned with its reliability. But we'll see.
~Hdx
[/quote]

RealityRipple is working on it.

As for patches:

http://img148.imageshack.us/img148/6759/vbyteow4.png

DevCode tested it against various versions of Starcraft, and all of them apparently came up with the correct VerBytes. So I assume it would work for future patches.
October 17, 2007, 3:11 AM
Quarantine
[quote author=squiggly link=topic=17116.msg173927#msg173927 date=1192590233]
What do you mean, got bored? You live on the side of a mountain in the middle of nowhere, what else do you have to do besides go on the internet and shoot squirrels for food?
[/quote]

I want to be like you.
October 17, 2007, 3:14 AM
HdxBmx27
Would you mind e-mailing me any past hash files you have? (By any I mean any product, Any version)
Zip em on up.
~Hdx
October 17, 2007, 3:14 AM
LockesRabb
For StarCraft?

I don't have any past hashes, but I could ask DevCode to send them to me so I can host them on bnetdocs.
October 17, 2007, 3:16 AM
HdxBmx27
Well, anyone with any old hashes, I would be interested in obtaining them.
BUT, I would highly advise against hosting the files on Redux. That's just asking for a DMCA.
~Hdx
October 17, 2007, 3:19 AM
devcode
[quote author=Warrior link=topic=17116.msg173931#msg173931 date=1192590851]
[quote author=squiggly link=topic=17116.msg173927#msg173927 date=1192590233]
What do you mean, got bored? You live on the side of a mountain in the middle of nowhere, what else do you have to do besides go on the internet and shoot squirrels for food?
[/quote]

I want to be like you.
[/quote]

You want to be like him and he wants to be like me, so I'm making the deduction here that you want to be like me??!?
October 17, 2007, 3:38 AM
Yegg
[quote author=Hdx link=topic=17116.msg173932#msg173932 date=1192590863]
Would you mind e-mailing me any past hash files you have? (By any I mean any product, Any version)
Zip em on up.
~Hdx
[/quote]

Just a thought, but when you first install the game client, it has the oldest possible hash files for that particular game. When you run the client for the first time it updates to the latest hash files. Is there really a need to see if the pattern matching code works with any hash files other than the oldest hash files and the newest, assuming they [Battle.net] didn't use pattern A for the oldest hash files, pattern B for anything in between, and pattern A again for the newest? Unless I missed something, I'm pretty sure you just need the oldest hash files and the newest.
October 17, 2007, 3:50 AM
Barabajagal
Yegg: that's only if you have the oldest cd.

Topaz: No.

Everyone else: I don't care enough to gather all the other values. It's not that big of a deal to me. Someone else can do it.
October 17, 2007, 3:54 AM
HdxBmx27
Not necessarily.
It's more so how they do their code.
They could be doing something like:
SetConnectionInformation(something, something, verbyte, something, something)
They could just decide to change it to SetVerbyte(verbyte) instead.
Or, they could use different compiler optimizations resulting in a different pattern to search for. (EXA: how there's 2 different 'types' of lockdown dlls)

BUT, that's not the reason I want to have the hashes. I want them merely for shits and giggles.
~Hdx
October 17, 2007, 3:56 AM
devcode
[quote author=Hdx link=topic=17116.msg173938#msg173938 date=1192593394]
Not necessarily.
It's more so how they do their code.
They could be doing something like:
SetConnectionInformation(something, something, verbyte, something, something)
They could just decide to change it to SetVerbyte(verbyte) instead.
Or, they could use different compiler optimizations resulting in a different pattern to search for. (EXA: how there's 2 different 'types' of lockdown dlls)

BUT, that's not the reason I want to have the hashes. I want them merely for shits and giggles.
~Hdx
[/quote]

Well, we know for a fact that there haven't been any code changes in this section from at least *version 1.08 for SC, and although pattern matching is obviously not a 100% foolproof method, it is reliable enough in this case.
October 17, 2007, 4:27 AM
LockesRabb
DevCode was so kind as to upload the old hashes, I've made them available at this location:

http://www.bnetdocs.org/archives/

Just navigate to the oldhashes directory, and then choose the version. All files have been scanned and verified clean.

I still need the old hashes from the oldest to the most current for:

w2bn, d2, d2lod, wc3, wc3 tft

If anyone can donate those, it'd be appreciated.

No WoW hashes please, as WoW is a paid subscription service and I'd rather not annoy Blizzard too much.

As for a DMCA, if I get hit with one, well, I'll deal with it when it happens.
October 17, 2007, 5:33 AM
MysT_DooM
You could find some old bot that used hashes and see if those hashes are old enough for you.
October 17, 2007, 5:45 PM
Yegg
[quote author=MysT_DooM link=topic=17116.msg173950#msg173950 date=1192643100]
You could find some old bot that used hashes and see if those hashes are old enough for you.
[/quote]

I've got a copy of Warcraft II that is from 1999 or possibly 2000 if that is of any interest to anyone.
October 17, 2007, 6:12 PM
LockesRabb
[quote author=Yegg link=topic=17116.msg173952#msg173952 date=1192644731]
[quote author=MysT_DooM link=topic=17116.msg173950#msg173950 date=1192643100]
You could find some old bot that used hashes and see if those hashes are old enough for you.
[/quote]

I've got a copy of Warcraft II that is from 1999 or possibly 2000 if that is of any interest to anyone.
[/quote]

What version?
October 17, 2007, 6:24 PM
l2k-Shadow
Hex$() returns a string.
November 18, 2007, 11:05 PM
Barabajagal
Ya... I was doing Debug.Print for it and forgot to remove the Hex$() bit. [s]Also, I found where D2 stores the verbyte (BNClient.dll), so I'll add that in a few.[/s]
Added D2 and War3 as well.
November 18, 2007, 11:07 PM
DDA-TriCk-E
Andy, you forgot to include the values for FindStr; it will just error... :P
November 19, 2007, 7:16 AM
Barabajagal
No, KP deleted them.
November 19, 2007, 7:22 AM
HdxBmx27
Anyone using the default skin:
https://addons.mozilla.org/en-US/firefox/addon/2108
[code]@namespace url(http://www.w3.org/1999/xhtml);

@-moz-document domain("forum.valhallalegends.com") {
.code{
  overflow: auto;
  height: 200px;
}
}[/code]
~Hdx
November 19, 2007, 7:50 AM
Barabajagal
Why the hell was my entire post deleted?

Edit: Whatever. I'll just post the patterns and you guys can write your own code:
(XX represents a "wildcard" byte)

DRTL/DSHR:
Read from - Diablo.exe / Diablo_s.exe
[code]C7 85 64 FF FF FF XX XX XX XX C7 85 68 FF FF FF XX XX XX XX[/code]
(First DWORD of X's is LTRD or RHSD. Second DWORD of X's is Version Byte.)

STAR/SEXP/W2BN:
Read from - Starcraft.exe / Warcraft II BNE.exe
[code]C7 46 10 XX XX XX XX C7 46 18 XX XX XX XX C7 46[/code]
(First DWORD of X's is Version Byte. Second DWORD of X's is currently 08 00 00 00.)

JSTR:
Read from - StarcraftJ.exe
[code]8B 4D F4 C7 41 0C XX XX XX XX 8B 55 F4 C7 42 10 XX XX XX XX[/code]
(First DWORD of X's is RTSJ. Second DWORD of X's is Version Byte.)

SSHR:
Read from - Starcraft.exe
[code]C7 46 0C XX XX XX XX C7 46 10 XX XX XX XX[/code]
(First DWORD of X's is RHSS. Second DWORD of X's is Version Byte.)

D2DV/D2XP:
Read from - Bnclient.dll
[code]56 44 32 44 89 44 24 58 6A 03 8D 44 24 64 50 C7 44 24 64 XX XX XX XX[/code]
(First 4 bytes are VD2D (in both D2DV and D2XP). DWORD of X's is Version Byte.)

WAR3/W3XP:
Read from - game.dll
[code]C7 85 4C FD FF FF XX XX XX XX 89 8D 50 FD FF FF[/code]
(DWORD of X's is Version Byte.)
November 20, 2007, 5:37 AM
FrOzeN
SC VerByte = Hex(179 + 2 x Version_Number)

Wouldn't the simple algorithm above be just as reliable as this pattern-finding code you guys have come up with?
November 20, 2007, 10:15 AM
Barabajagal
Except that the versioning system in SC just changed from letters to numbers, and revision number increases had no effect on the verbyte. The patterns above are more than patterns, they're searching for the code that compiles 0x50, which isn't likely to change.
November 20, 2007, 3:46 PM
FrOzeN
[quote author=Andy link=topic=17116.msg174939#msg174939 date=1195573574]Except that the versioning system in SC just changed from letters to numbers, and revision number increases had no effect on the verbyte.[/quote]In my post, Version_Number is meant to refer to the major change. Hence it ignores the revision letters/numbers and the change doesn't affect its correct output.
November 20, 2007, 5:27 PM
Barabajagal
If you want to hope that they'll not change the way they increment the verbyte, go ahead. I'll hope they don't change how they build AUTH_INFO. Not much difference, I suppose.
November 20, 2007, 6:18 PM
BreW
[quote author=Andy link=topic=17116.msg174939#msg174939 date=1195573574]
Except that the versioning system in SC just changed from letters to numbers, and revision number increases had no effect on the verbyte. The patterns above are more than patterns, they're searching for the code that compiles 0x50, which isn't likely to change.
[/quote]
¿que?
Do you mean the revision (1.15b, 1.15c, etc)? The verbyte changes with the minor version.

[quote]
I'll just post the patterns
[/quote]

How are they patterns? That's a set way of doing things.
http://pdos.csail.mit.edu/6.828/2006/readings/i386/MOV.htm
[quote]
C7       MOV r/m32,imm32   2/2           Move immediate dword to r/m dword
[/quote]
Although I wouldn't be surprised if they start using polymorphic code to form that mov that moves the verbyte value (as in iago's signature) to make drama..
November 20, 2007, 8:15 PM
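An added example, not code from anyone in this thread: a small C++ decoder for the `C7 /0` encoding BreW points at (MOV r/m32, imm32 with a memory operand). It handles only the ModRM shapes the patterns in this thread use, disp8 (mod=01) and disp32 (mod=10), with or without a SIB byte, and rejects everything else rather than guessing. Fed the bytes a pattern matches, it shows that the "pattern" is a fixed instruction encoding and exactly which four bytes carry the immediate. The sample fragment and its immediates (0xAB, 8, 0) are constructed for this example and are not values from any real build.

```cpp
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// Decoded form of one "C7 /0" instruction: MOV r/m32, imm32 with a memory operand.
struct MovImm32 {
    bool ok = false;      // false: bytes are not a well-formed instruction of that shape
    size_t length = 0;    // opcode + ModRM [+ SIB] + displacement + imm32, in bytes
    uint32_t imm = 0;     // the 32-bit immediate, i.e. the "DWORD of X's" in the patterns
    std::string text;     // e.g. "mov dword ptr [esi+0x10], 0x50"
};

static const char* const kReg32[8] = {"eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"};

// Little-endian 32-bit read with a bounds check.
static bool le32(const std::vector<uint8_t>& b, size_t off, uint32_t& out) {
    if (off + 4 > b.size()) return false;
    out = static_cast<uint32_t>(b[off]) | static_cast<uint32_t>(b[off + 1]) << 8 |
          static_cast<uint32_t>(b[off + 2]) << 16 | static_cast<uint32_t>(b[off + 3]) << 24;
    return true;
}

// Decode MOV r/m32, imm32 at b[off]. Only mod=01 (disp8) and mod=10 (disp32) are
// accepted; mod=00 (no displacement) and mod=11 (register direct) are reported as
// "not this shape" because none of the thread's patterns use them.
MovImm32 decode_mov_rm32_imm32(const std::vector<uint8_t>& b, size_t off) {
    MovImm32 r;
    if (off + 2 > b.size() || b[off] != 0xC7) return r;
    const uint8_t modrm = b[off + 1];
    const unsigned mod = modrm >> 6, reg = (modrm >> 3) & 7, rm = modrm & 7;
    if (reg != 0 || mod == 0 || mod == 3) return r;   // /0 means the reg field must be 0
    size_t p = off + 2;
    std::string addr;
    if (rm == 4) {                                     // rm=100b: a SIB byte follows
        if (p >= b.size()) return r;
        const uint8_t sib = b[p++];
        const unsigned scale = 1u << (sib >> 6), index = (sib >> 3) & 7, base = sib & 7;
        addr = kReg32[base];
        if (index != 4)                                // index=100b means "no index register"
            addr += "+" + std::string(kReg32[index]) + "*" + std::to_string(scale);
    } else {
        addr = kReg32[rm];
    }
    int32_t disp;
    if (mod == 1) {
        if (p >= b.size()) return r;
        disp = static_cast<int8_t>(b[p++]);            // disp8 is sign-extended
    } else {
        uint32_t d;
        if (!le32(b, p, d)) return r;
        disp = static_cast<int32_t>(d);
        p += 4;
    }
    uint32_t imm;
    if (!le32(b, p, imm)) return r;
    p += 4;
    const uint32_t mag = disp < 0 ? 0u - static_cast<uint32_t>(disp) : static_cast<uint32_t>(disp);
    char line[96];
    std::snprintf(line, sizeof line, "mov dword ptr [%s%c0x%X], 0x%X",
                  addr.c_str(), disp < 0 ? '-' : '+', mag, imm);
    r.ok = true;
    r.length = p - off;
    r.imm = imm;
    r.text = line;
    return r;
}

// Decode back-to-back MOVs starting at off, stopping at the first thing that is not one.
std::vector<MovImm32> decode_run(const std::vector<uint8_t>& b, size_t off) {
    std::vector<MovImm32> out;
    MovImm32 m = decode_mov_rm32_imm32(b, off);
    while (m.ok) {
        out.push_back(m);
        off += m.length;
        m = decode_mov_rm32_imm32(b, off);
    }
    return out;
}

// Constructed bytes in the shape the STAR/SEXP/W2BN signature matches: three stores into
// the structure esi points at. The immediates and the third displacement are made up.
std::vector<uint8_t> sample_fragment() {
    return {0xC7, 0x46, 0x10, 0xAB, 0x00, 0x00, 0x00,    // mov dword ptr [esi+0x10], 0xAB
            0xC7, 0x46, 0x18, 0x08, 0x00, 0x00, 0x00,    // mov dword ptr [esi+0x18], 0x8
            0xC7, 0x46, 0x14, 0x00, 0x00, 0x00, 0x00};   // mov dword ptr [esi+0x14], 0x0
}

int main() {
    for (const MovImm32& m : decode_run(sample_fragment(), 0))
        std::printf("%2zu bytes  %s\n", m.length, m.text.c_str());
    return 0;
}
```

Decoding the other signatures from the thread the same way gives `mov dword ptr [ebp-0x9C], imm32` for the `C7 85 64 FF FF FF` prefix (disp32, sign-extended) and `mov dword ptr [esp+0x64], imm32` for `C7 44 24 64` (SIB with no index register), which is why the wildcard DWORD always sits at a fixed distance from the opcode: the distance is the instruction's own encoding, not a coincidence of the build.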
Barabajagal
1.15b doesn't exist. They switched to numbers. And they're byte patterns. It doesn't matter what they actually are, they're still a pattern of bytes.
November 20, 2007, 10:27 PM
BreW
[quote author=Andy link=topic=17116.msg174952#msg174952 date=1195597635]
1.15b doesn't exist.
[/quote]

I was using it as an example.

[quote author=Andy link=topic=17116.msg174952#msg174952 date=1195597635]
They switched to numbers.
[/quote]

???
as opposed to: vegetables?
November 20, 2007, 11:12 PM
Barabajagal
As opposed to letters. It's 1.15.1 now, not 1.15b
November 20, 2007, 11:58 PM
BreW
[quote author=Andy link=topic=17116.msg174956#msg174956 date=1195603080]
As opposed to letters. It's 1.15.1 now, not 1.15b
[/quote]
Oh, i see now. I think that's pretty lame.
November 21, 2007, 12:17 AM
Leaky
Follows proper versioning now, though...

major version . minor version . revision
November 21, 2007, 1:35 AM
Smarter
[code]public partial class Form1 : Form
{
    [DllImport("kernel32.dll")]
    public static extern void RtlMoveMemory(object lpvDest, object lpvSource, long cbCopy);
      //VOID
      //RtlMoveMemory(
      //  IN VOID UNALIGNED  *Destination,
      //  IN CONST VOID UNALIGNED  *Source,
      //  IN SIZE_T  Length
      //  );
    public Form1()
    {
        InitializeComponent();
        string Data;
        long RVal = 0;
        StreamReader sr = new StreamReader("C:\\Program Files\\Starcraft\\Starcraft.exe");
        for (int I = 1; I < Data.Length - 16; I++)
        {
            Regex r = new Regex(Convert.ToChar(0xC7) + Convert.ToChar(0x46) + Convert.ToChar(0x10) + "[a-zA-Z]" + Convert.ToChar(0xC7) +
            Convert.ToChar(0x46) + Convert.ToChar(0x18) + "[a-zA-Z]" + Convert.ToChar(0xC7) + Convert.ToChar(0x46));
            if (r.IsMatch(Data.Substring(Convert.ToInt32(I), 16)))
            {
                RtlMoveMemory(RVal, Data.Substring(Convert.ToInt32(I) + 3, 4), 4);
            }
        }
        MessageBox.Show("Verbyte: " + RVal);

    }
}[/code]

I attempted to port Andy's code to C#, but it doesn't seem to find the string, although I'm reading it as text, so I believe that'd be why. Meh, it's a start if anyone wants to finish it? lol
November 29, 2007, 2:35 PM
Barabajagal
"[a-zA-Z]": don't use that. it can be any bytes, not just letters.
November 30, 2007, 1:03 AM
Hell-Lord
Smarter, have a look at the System.Runtime.InteropServices.Marshal class instead of using the rtlMoveMemory API in C# :)
November 30, 2007, 6:21 AM
Myndfyr
void* does not map to object in C#. Consider System.BitConverter or System.IO.BinaryReader.
November 30, 2007, 8:54 AM
Camel
I'm confused: why do people still think this is a good idea? Searching for the verbyte is only slightly less fallible than hardcoding the values.

If you want to offer forwards compatibility, add an option to support BNLS for verbyte/checkrevision.
December 2, 2007, 12:10 PM
Smarter
[code]
public string getVersionByte()
{
    byte[] data = File.ReadAllBytes(@"C:\Program Files\Starcraft\StarCraft.exe");
    StringBuilder sb = new StringBuilder();
    foreach (byte b in data)
    {
        sb.Append(Convert.ToChar(b));
    }
    Regex r = new Regex(Convert.ToChar(0xC7) + Convert.ToChar(0x46) + Convert.ToChar(0x10) + "...." + Convert.ToChar(0xC7) +
        Convert.ToChar(0x46) + Convert.ToChar(0x18) + "...." + Convert.ToChar(0xC7) + Convert.ToChar(0x46), RegexOptions.IgnoreCase);
    string s = sb.ToString();
    long rval;
    for (int i = 0; i < s.Length; i++)
    {
        if (r.IsMatch(s.Substring(Convert.ToInt32(i) + 3, 16)))
        {
            rval = Convert.ToInt64(s.Substring(Convert.ToInt32(i) + 3, 4));
        }
    }
    return rval.ToString();
}
[/code]

Hmmm, still not working, any ideas?
December 5, 2007, 11:52 AM
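An added example, not code from anyone in this thread, of the scanner that Andy's VB port, the pattern list and the two C# attempts above all implement: a C++ program that parses the `XX`-wildcard notation used for the patterns, scans a byte buffer for it, and reads the requested "DWORD of X's" out of the match. Two things differ from the posted ports. It works on raw bytes rather than a decoded string, so bytes above 0x7F and NULs are compared as-is, and it refuses to return a value unless the signature matches exactly once, which is the reliability concern Hdx and Camel raise: zero hits means the code moved, two or more means the result is ambiguous, and neither should be reported as a version byte. The sample image, its 0xAB immediate and the command-line file handling are constructed for this example.

```cpp
#include <cstdint>
#include <cstdio>
#include <fstream>
#include <iterator>
#include <sstream>
#include <string>
#include <vector>

// One element of a parsed signature: a concrete byte or a wildcard ("XX" or "??").
struct SigByte {
    uint8_t value;
    bool wildcard;
};

// Parse the thread's "C7 46 10 XX XX XX XX ..." notation into a byte signature.
std::vector<SigByte> parse_signature(const std::string& text) {
    std::vector<SigByte> sig;
    std::istringstream in(text);
    std::string tok;
    while (in >> tok) {
        if (tok == "XX" || tok == "xx" || tok == "??")
            sig.push_back({0, true});
        else
            sig.push_back({static_cast<uint8_t>(std::stoul(tok, nullptr, 16)), false});
    }
    return sig;
}

// Every offset at which the signature matches; wildcard positions accept any byte.
std::vector<size_t> find_all(const std::vector<uint8_t>& buf, const std::vector<SigByte>& sig) {
    std::vector<size_t> hits;
    if (sig.empty() || buf.size() < sig.size()) return hits;
    for (size_t i = 0; i + sig.size() <= buf.size(); ++i) {
        size_t j = 0;
        while (j < sig.size() && (sig[j].wildcard || buf[i + j] == sig[j].value)) ++j;
        if (j == sig.size()) hits.push_back(i);
    }
    return hits;
}

// Offset inside the signature of the n-th (0-based) run of four or more wildcards,
// i.e. the n-th "DWORD of X's" in the pattern descriptions. Returns false if absent.
bool wildcard_group_offset(const std::vector<SigByte>& sig, size_t n, size_t& out) {
    size_t seen = 0;
    for (size_t i = 0; i < sig.size();) {
        if (!sig[i].wildcard) { ++i; continue; }
        const size_t start = i;
        while (i < sig.size() && sig[i].wildcard) ++i;
        if (i - start >= 4) {
            if (seen == n) { out = start; return true; }
            ++seen;
        }
    }
    return false;
}

// Little-endian DWORD at buf[off..off+3]; the caller guarantees the range.
uint32_t read_le32(const std::vector<uint8_t>& buf, size_t off) {
    return static_cast<uint32_t>(buf[off]) | static_cast<uint32_t>(buf[off + 1]) << 8 |
           static_cast<uint32_t>(buf[off + 2]) << 16 | static_cast<uint32_t>(buf[off + 3]) << 24;
}

// Scan buf for the signature and return the DWORD in wildcard group `group`, or -1.
// Exactly one hit is required; zero or several hits never yield a guessed value.
long long extract_dword(const std::vector<uint8_t>& buf, const std::string& sig_text, size_t group) {
    const std::vector<SigByte> sig = parse_signature(sig_text);
    const std::vector<size_t> hits = find_all(buf, sig);
    size_t rel = 0;
    if (hits.size() != 1 || !wildcard_group_offset(sig, group, rel)) return -1;
    return read_le32(buf, hits[0] + rel);
}

// The STAR/SEXP/W2BN signature from the thread: group 0 is the version byte.
const char* const kStarSignature = "C7 46 10 XX XX XX XX C7 46 18 XX XX XX XX C7 46";

// Constructed stand-in for an executable image: NOP filler with `copies` copies of the
// matched instruction bytes spliced in at offset 32. The 0xAB immediate is made up.
std::vector<uint8_t> sample_image(size_t copies) {
    std::vector<uint8_t> buf(64, 0x90);
    const uint8_t frag[] = {0xC7, 0x46, 0x10, 0xAB, 0x00, 0x00, 0x00,
                            0xC7, 0x46, 0x18, 0x08, 0x00, 0x00, 0x00, 0xC7, 0x46};
    for (size_t c = 0; c < copies; ++c)
        buf.insert(buf.begin() + 32, std::begin(frag), std::end(frag));
    return buf;
}

// Stand-alone use: scan a file named on the command line, else the constructed image.
int main(int argc, char** argv) {
    std::vector<uint8_t> buf;
    if (argc > 1) {
        std::ifstream f(argv[1], std::ios::binary);
        buf.assign(std::istreambuf_iterator<char>(f), std::istreambuf_iterator<char>());
    } else {
        buf = sample_image(1);
    }
    const long long verbyte = extract_dword(buf, kStarSignature, 0);
    if (verbyte >= 0)
        std::printf("version byte: 0x%02llX\n", static_cast<unsigned long long>(verbyte));
    else
        std::printf("signature not found exactly once; refusing to guess\n");
    return 0;
}
```

Working on a byte array also sidesteps the trap in the C# attempts: in C#, `Convert.ToChar(0xC7) + Convert.ToChar(0x46)` is integer addition (char + char promotes to int), so the regex text begins with the decimal sum of the bytes rather than the two characters, and it can never match the file contents however they were decoded.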
