MHS and Warden perhaps?

Postby g3nuin3 » Wed Aug 27, 2008 1:16 am

I was blindly trying to help a friend who was hacking Warcraft 3 get by some issues and had him dl MHS for the work, being confident it would give him his results, but there seems to be something wrong either with some debugging implementations of MHS or it's just not cut out for anti-hack security. Here's a cut-down version of the IRC conversation:

[13:40] <[genuine]> write is what u want
[13:40] <[genuine]> u wanna know when it gets written into
[13:41] <[genuine]> access will probably break a katrillion times
[13:41] <k> hahaa
[13:41] <k> 3 times actually
[13:41] <k> :)
[13:41] <k> but they are all after a call
[13:41] <[genuine]> and this is a bp on ur pointer right?
[13:41] <[genuine]> right
[13:41] <k> nope
[13:41] <k> lol
[13:41] <k> that's the thing
[13:41] <k> LOL
[13:42] <[genuine]> whats the thing
[13:42] <k> the reg != pointer/offset
[13:43] <[genuine]> sec, fighting ff boss
[13:44] <k> i set a break on the code
[13:44] <k> but it doesn't break :/
[13:45] <[genuine]> What kind of breakpoint
[13:45] <k> tried
[13:45] <k> on exec
[13:45] <k> soft
[13:45] <k> and hard
[13:45] <k> which should it be?
[13:45] <[genuine]> Maybe it doesnt exec, try something else
[13:45] <[genuine]> i dont have mhs open
[13:45] <[genuine]> so i cant fully remember the options
................................
[13:45] <k> one instruction
[13:45] <k> for on write
[13:47] <k> wtf
[13:47] <k> this negro
[13:47] <k> won't break
[13:47] <[genuine]> choose
[13:47] <[genuine]> add breakpoint
[13:48] <[genuine]> a dialog comes up
[13:48] <k> did
[13:48] <k> that
[13:48] <k> k
[13:48] <k> H Read 6F4634C7
[13:48] <k> break on
[13:48] <k> exec / acc / writ?
[13:48] <k> hardware?
[13:48] <[genuine]> yea
[13:48] <k> breakpoint functionality?
[13:48] <[genuine]> what address r u trying to breakpoint?
[13:48] <[genuine]> whats it do
[13:49] <k> mov dwrd tpr:eax+78,edx
[13:50] <[genuine]> u said u tried on write?
[13:50] <[genuine]> hardware?
[13:50] <k> ya
[13:50] <k> i've actually
[13:50] <[genuine]> nothing?
[13:50] <k> tried them all
[13:50] <k> nothing
[13:50] <[genuine]> tried software bp?
[13:50] <k> Address: 6F4634C7
[13:50] <k> EAX (after): 0C290118 ESP (after): 0012E514
[13:50] <k> ECX (after): 0C290118 EBP (after): 0BDE2BFC
[13:50] <k> EDX (after): 0000109A ESI (after): 0BDE2C4C
[13:50] <k> EBX (after): 00000001 EDI (after): FFFFFD12
[13:50] <k> Move EDX (109Ah) to [C290190h]
[13:50] <k> ya tried them all mate
[13:51] <[genuine]> Also in the disassembler, looked at the auto hack windows?
[13:51] <[genuine]> window*
[13:51] <k> ya
[13:51] <[genuine]> skrange
......................
[13:59] <k> [genuine]: i can break the instruction
[13:59] <k> from CE
[13:59] <k> and .NET
[13:59] <k> just not MHS
.............
[14:00] <[genuine]> MHS has antidebug and anti hack features
[14:00] <[genuine]> did u try setting them too
[14:00] <[genuine]> under options
[14:00] <[genuine]> ACC
[14:00] <[genuine]> Kernel
................
[14:05] <k> [genuine]: ya i did that


And that's where I was BAFFLED! I don't have Warden to verify this, but what could be the issue?

Postby mezzo » Wed Aug 27, 2008 4:59 am

Aside from reallocating stuff in memory all the time, they read data out of all your running processes... ALL OF THEM. + they download and update the Warden code while you play. So the only real way to work with the Warden is by dissecting all the traffic and finding the 'magic' packet (it used to be 0xAE, which triggered the Warden to do its dirty work.. that used to be the moment that you had to do major cleanup to avoid detection/general overhaul of all WoW's ram, and after the Warden's reply you could reinstate all hacks.)

Read "Exploiting Online Games" by Gary McGraw; it gives an insight on the Warden's actions... the book was written some time ago, and the Warden has gotten much smarter in the meantime.

But as I said, that was more than a year ago.. Pretty sure Blizzard learns from their mistakes too.

(It's seriously doubtful that the bp's that did trigger from CE and .NET are the location/state you wanted.. the warden is messing with you.. )

UPDATE: Just found this here