Author Topic: Easycompany  (Read 43364 times)

Offline Lambchops
  • Ogre Mage
  • Posts: 1541
Re: Easycompany
« Reply #15 on: March 09, 2017, 05:50:22 PM »
Sounds like great idea! How possible would that be without corruption? Also we would still need to give out new war2 exe.


I write too much lol. I dont blame you all for not reading all of it.


You can add as many sections as you like into a PUD file.

I exploited that to make combination PUD/EXE files.

The attached file is a playable mini-bgh pud. The blizz editor won't like it but you can host and play it as per normal. If you rename it from .PUD to .EXE it's a working copy of my build hack detector (the original version - won't run on 64bit machines).

... and yeah the mod thing could be included in a new CE release and/or distributed as a separate app

its gooder to hax hard and NEVER get caught!

Offline shesycompany
  • Death Knight
  • Posts: 3587
  • retired, be in music section
Re: Easycompany
« Reply #16 on: March 09, 2017, 06:09:06 PM »
ahh war2 file sharing! an exe that is a pud, my mind is blown...
« Last Edit: March 09, 2017, 06:11:52 PM by easycompany »

Offline Delete mine too
  • Death Knight
  • Posts: 2652
Re: Easycompany
« Reply #17 on: March 09, 2017, 06:23:39 PM »
Quote from: Lambchops on March 09, 2017, 05:50:22 PM
Sounds like great idea! How possible would that be without corruption? Also we would still need to give out new war2 exe.

I write too much lol. I dont blame you all for not reading all of it.

You can add as many sections as you like into a PUD file.

I exploited that to make combination PUD/EXE files.

The attached file is a playable mini-bgh pud. The blizz editor won't like it but you can host and play it as per normal. If you rename it from .PUD to .EXE it's a working copy of my build hack detector (the original version - won't run on 64bit machines).

... and yeah the mod thing could be included in a new CE release and/or distributed as a separate app

Wow so .pud files are a security risk! This is a missing part! So we can technically add code to the pud.... now if you are a host you can make people download the map automatically on join with hidden code in the pud... Then use an exploit I know that will save the game as exe for anyone who clicks save when prompted.... boom, exe is now in your war2 directory. I haven't found a way to auto execute it hmmm. We might have to disable the save feature totally! Especially if we can get it to auto execute.

So the bad example part is:
You join a game and the map downloads, you start playing, host clicks save with the exploit I know. Everybody is prompted to save... if you click no or cancel it will just ask you over and over!!! When you click save you just saved an exe in your war2 directory!

So too bad war2 is dead or we could maybe get a bounty from Blizzard LOOOL!!!!! If we can get out of the sav dir we replace a war2 file, next time they load war2 it would automatically execute our code.... my exploit can change .pud to any file extension.
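The two posts above both rest on one property of the container: a PUD is a flat chain of 4-byte tag + DWORD length sections, so a reader skips sections it does not know, and nothing stops the same bytes from also carrying an MZ/PE header. The Python scanner below is an added example, not Lambchops' tool or any code from this thread. It walks the section chain with every length checked against the real file size, lists sections that are not stock PUD sections, and reports whether the file also looks like a PE image. Two things in it are assumptions: the known-tag list comes from the public PUD format description, and the sample file it scans is constructed here as one plausible polyglot layout (the first 8 bytes of the DOS header doubling as a section header that swallows the PE part); the thread does not say how the attached file was actually built.

```python
import struct

# Section tags of a stock WC2 PUD, per the public PUD format description
# (an assumption of this example; the thread does not list them).
KNOWN_PUD_SECTIONS = {
    b"TYPE", b"VER ", b"DESC", b"OWNR", b"ERA ", b"ERAX", b"DIM ", b"UDTA",
    b"ALOW", b"UGRD", b"SIDE", b"SGLD", b"SLBR", b"SOIL", b"AIPL", b"MTXM",
    b"SQM ", b"OILM", b"REGM", b"UNIT",
}

def iter_sections(data: bytes):
    """Walk the 4CC + DWORD-length chain from offset 0, yielding (tag, payload).
    Every length is checked against the real file size, so a crafted section
    cannot make the walker read past the end."""
    pos = 0
    while pos < len(data):
        if len(data) - pos < 8:
            raise ValueError(f"{len(data) - pos} trailing byte(s) at {pos:#x} are not a section")
        tag = data[pos:pos + 4]
        (length,) = struct.unpack_from("<I", data, pos + 4)
        end = pos + 8 + length
        if end > len(data):
            raise ValueError(f"section {tag!r} at {pos:#x} claims {length} bytes, past EOF")
        yield tag, data[pos + 8:end]
        pos = end

def scan_pud(data: bytes) -> dict:
    """What a host-side map checker would want to know before sharing a map:
    does it also carry an MZ/PE header, and which sections are not stock PUD ones."""
    report = {"mz": data[:2] == b"MZ", "pe": False, "sections": [], "unknown": [], "error": None}
    if report["mz"] and len(data) >= 0x40:
        (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)   # DOS header field: offset of "PE\0\0"
        report["pe"] = data[e_lfanew:e_lfanew + 4] == b"PE\0\0"
    try:
        for tag, payload in iter_sections(data):
            report["sections"].append((tag, len(payload)))
            if tag not in KNOWN_PUD_SECTIONS:
                report["unknown"].append(tag)
    except ValueError as exc:
        report["error"] = str(exc)
    return report

def _section(tag: bytes, payload: bytes) -> bytes:
    return tag + struct.pack("<I", len(payload)) + payload

def build_sample_polyglot() -> bytes:
    """Constructed sample: neither a real map nor a loadable executable.
    A zeroed DOS/PE header whose first 8 bytes double as a PUD section header
    (tag b"MZ\\0\\0", length = rest of the header), so a PUD reader skips the PE
    part as an unknown section, followed by a few PUD sections including a
    "MODS" section holding the three mods from Lambchops' worked example."""
    pe_part = bytearray(0x80)
    pe_part[0:2] = b"MZ"                                  # e_magic; bytes 2-3 stay 0, tag = b"MZ\0\0"
    struct.pack_into("<I", pe_part, 4, len(pe_part) - 8)  # PUD length field overlaps e_cblp/e_cp
    struct.pack_into("<I", pe_part, 0x3C, 0x60)           # e_lfanew -> PE signature below
    pe_part[0x60:0x64] = b"PE\0\0"
    mods_payload = bytes.fromhex(
        "03000000"                      # NumberOfMods = 3
        "55454400" "01" "ff"            # offset 0x444555, 1 byte
        "00214300" "05" "010203abba"    # offset 0x432100, 5 bytes
        "91994300" "02" "c0de"          # offset 0x439991, 2 bytes
    )
    return (bytes(pe_part)
            + _section(b"TYPE", b"WAR2 MAP\0" + bytes(7))
            + _section(b"VER ", struct.pack("<H", 0x13))
            + _section(b"DIM ", struct.pack("<HH", 32, 32))
            + _section(b"MODS", mods_payload))

if __name__ == "__main__":
    for key, value in scan_pud(build_sample_polyglot()).items():
        print(f"{key}: {value}")
```

Run stand-alone it prints the report for the constructed file: `mz` and `pe` both true, and `unknown` listing the `MZ\0\0` and `MODS` sections. A lobby-side check that refuses maps with an MZ header or with unexpected sections is cheap, and the length checking in `iter_sections` is what keeps the checker itself from being the next thing a crafted map breaks.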

Offline Delete mine too
  • Death Knight
  • Posts: 2652
Re: Easycompany
« Reply #18 on: March 09, 2017, 06:27:23 PM »
Quote from: Lambchops on March 09, 2017, 05:50:22 PM
Sounds like great idea! How possible would that be without corruption? Also we would still need to give out new war2 exe.

I write too much lol. I dont blame you all for not reading all of it.

You can add as many sections as you like into a PUD file.

I exploited that to make combination PUD/EXE files.

The attached file is a playable mini-bgh pud. The blizz editor won't like it but you can host and play it as per normal. If you rename it from .PUD to .EXE it's a working copy of my build hack detector (the original version - won't run on 64bit machines).

... and yeah the mod thing could be included in a new CE release and/or distributed as a separate app

Make me a sample of hello world hidden in a pud. I will make a video of the rest of your exploit and mine together demonstrating the risk!

Offline Lambchops
  • Ogre Mage
  • Posts: 1541
Re: Easycompany
« Reply #19 on: March 10, 2017, 04:09:32 AM »
hehe ok.
Maybe a full network or device path \\drive\partition would do it.

so I guess convincing the local client to look for an EXE causes the remote client to use the same filename?

Offline Lambchops
  • Ogre Mage
  • Posts: 1541
Re: Easycompany
« Reply #20 on: March 10, 2017, 05:28:00 AM »
here's one hf  ;)


Offline Lambchops
  • Ogre Mage
  • Posts: 1541
Re: Easycompany
« Reply #21 on: March 10, 2017, 08:04:41 AM »
Anyway... such silliness aside, for custom mods, if you write a mod editor that produces a custom section, I can write a mod app that will implement them.
Just have it produce a file like this
Code: [Select]
4 BYTES "MODS"
DWORD  size of mods (file size-8)
DWORD  NumberOfMods

   then a list of mods like this:

DWORD  memory offset
BYTE    number of bytes
N*BYTE  data to write at offset

obviously it will be restricted from writing to executable sections, otherwise this could be used to inject malicious code - so that won't be happening  :)

Offline Delete mine too
  • Death Knight
  • Posts: 2652
Re: Easycompany
« Reply #22 on: March 10, 2017, 08:14:21 PM »
Quote from: Lambchops on March 10, 2017, 05:28:00 AM
here's one hf  ;)

Going to try to find time this weekend to set up my VM on a LAN! I will try to make a good quality video of this nasty risk. I would recommend we remove the save feature from multiplayer! We said too much in public, I know a few people who are not trustworthy who can pull this off. It might not auto execute but still we should remove save because it will drop the exe in their war2 map sav folder.....

Quote from: Lambchops on March 10, 2017, 08:04:41 AM
Anyway... such silliness aside, for custom mods, if you write a mod editor that produces a custom section, I can write a mod app that will implement them.
Just have it produce a file like this
Code: [Select]
4 BYTES "MODS"
DWORD  size of mods (file size-8)
DWORD  NumberOfMods

   then a list of mods like this:

DWORD  memory offset
BYTE    number of bytes
N*BYTE  data to write at offset

obviously it will be restricted from writing to executable sections, otherwise this could be used to inject malicious code - so that won't be happening  :)

I understand about 80 percent of that code. Is that how asm is set up? What does Number of Mods mean, a variable? Or is it like a sub name? How does the data look that I want to write, in hex??? Sorry, me and many people here have 0 knowledge in such low level programming.

Offline shesycompany
  • Death Knight
  • Posts: 3587
  • retired, be in music section
Re: Easycompany
« Reply #23 on: March 11, 2017, 09:14:51 AM »
how i do it incos.... get a sprite sheet, resize, add the war2 pal... give them team colors and edit the pal if there are errors in game (flashing colors).

ur just making a war2 sprite sheet with the sprites so just use the ones u want..
like if u got 100 sprites ur just gonna use like 60 of them :P

https://www.spriters-resource.com/pc_computer/warcraft2/sheet/29477/

something like that order

take asu.. click in order or it will dump in incorrect order.

now take another paint program that u can macro to self center and resize... allow retro grp to build the grp, walla  :D u should be working!

there's other ways to do it I'm sure.. just the centering is difficult without a program
« Last Edit: March 11, 2017, 11:24:30 AM by easycompany »

Offline Lambchops
  • Ogre Mage
  • Posts: 1541
Re: Easycompany
« Reply #24 on: March 12, 2017, 03:58:15 PM »
Quote from: Lambchops on March 10, 2017, 05:28:00 AM
here's one hf  ;)

Quote from: Delete mine too on March 10, 2017, 08:14:21 PM
Going to try to find time this weekend to set up my VM on a LAN! I will try to make a good quality video of this nasty risk. I would recommend we remove the save feature from multiplayer! We said too much in public, I know a few people who are not trustworthy who can pull this off. It might not auto execute but still we should remove save because it will drop the exe in their war2 map sav folder.....

Cool, just remember your old mate Lamby when they start handing out briefcases full of cash  ;D

... and yeah if you can just make an exe appear on someone's puter - can you imagine back when there were 50K players on bnet every day? You would have had hundreds of people randomly clicking ok on it...     Hey! now I think about it, I should make one with a .PUD file icon :P that would be really tricky.... give it some interesting name that stands out so people want to look at it. hehe.. then OMG they will see my HELLO WORLD MESSAGE! AAARRRRGGHHHH!!  ;D

Quote from: Lambchops on March 10, 2017, 08:04:41 AM
Anyway... such silliness aside, for custom mods, if you write a mod editor that produces a custom section, I can write a mod app that will implement them.
Just have it produce a file like this
Code: [Select]
4 BYTES "MODS"
DWORD  size of mods (file size-8)
DWORD  NumberOfMods

   then a list of mods like this:

DWORD  memory offset
BYTE    number of bytes
N*BYTE  data to write at offset

obviously it will be restricted from writing to executable sections, otherwise this could be used to inject malicious code - so that won't be happening  :)

Quote from: Delete mine too on March 10, 2017, 08:14:21 PM
I understand about 80 percent of that code. Is that how asm is set up? What does Number of Mods mean, a variable? Or is it like a sub name? How does the data look that I want to write, in hex??? Sorry, me and many people here have 0 knowledge in such low level programming.

Well it's kinda pseudocode.
It's just a description of how I suggest the file (which would end up as a PUD section) be laid out.

A "DWORD" or double-word is a 4 byte number
A BYTE is a byte

so for example if you make an app that allows you to change spell MP costs and some other stuff... the app would have to know the EXE offsets that correspond to each spell or whatever, and what the appropriate format is to write the values, so the user changes some stuff and saves their work, then the app has decided it needs to do this:

(just makin stuff up for example)

     it needs to write a 0xFF byte at offset 0x444555

and these: 0x01, 0x02, 0x03, 0xAB, 0xBA at offset 0x432100

and 0xC0, 0xDE at offset 0x439991


then if you were using the file format I suggested you would create a file and write this to it:

"MODS" ... the signature, which ends up as 0x4D, 0x4F, 0x44, 0x53
... not that u really need to know that - just write the 'M' 'O' 'D' 'S', it all ends up the same.

next is a DWORD (4 bytes) for the size of the data (this combination of a 4CC and a section size is the PUD format)

so we don't know the data size yet - you could pre-calculate it, but in this situation it's much easier to just write the data, see how big it is, then go back and fill in the size at the end.

so...

"MODS"
(skip 4 bytes)

then DWORD number of mods,
which in this case is 3, so it would end up
03:00:00:00

then we write the 3 mods, each one is like this:
    DWORD  memory offset
    BYTE    number of bytes
    N*BYTE  data to write at offset

so the first one is:

55:45:44:00
01
FF

the second one is
00:21:43:00
05
01:02:03:AB:BA

and the last one is

91:99:43:00
02
C0:DE

so at this stage we have:
Code: [Select]
4D:4F:44:53:00:00:00:00:
03:00:00:00:55:45:44:00:
FF:00:21:43:00:01:02:03:
AB:BA:91:99:43:00:C0:DE:
and we can see that the file is 32 bytes long.

Those 4 zeros at the end of the first line there is where we need to write our DWORD size value.

But we just want the length of the data, not the "MODS" and the size DWORD itself - they are 4 bytes each so we subtract 8 from the total size (32-8=24) so now we just need to write a DWORD 24 (0x00000018) there
so seek to file offset 4 then write 18:00:00:00 and we're done:

4D:4F:44:53:18:00:00:00:
03:00:00:00:55:45:44:00:
FF:00:21:43:00:01:02:03:
AB:BA:91:99:43:00:C0:DE:


In a hex editor it might look something like this
Code: [Select]
4D:4F:44:53:18:00:00:00:03:00|MODS↑.....
00:00:55:45:44:00:FF:00:21:43|..UED. .!C
00:01:02:03:AB:BA:91:99:43:00|....½║æÖC.
C0:DE:                       |└▐

of course the actual values would depend on what offsets you can track down in the exe, and what you wanted to change them to. All the normal PUD stuff is there, but you can just set them in the .PUD anyway.

Swagier had some interesting ideas a while back like:
edit spells (for example change that ogre got heal not lust)
mission objective
edit upgrade (u can change dmg +2 -> +4)
changing side (train knights as orc)

the mission objective I have no clue about, but this sort of stuff should be doable.

Then the app at the other end would be locating the WC2 process, monitoring its status and waiting for you to enter a game, then when a game starts it would check the PUD for a "MODS" section and if it finds one, write the changes to the WC2 process, and back up the previous values to be restored after the game.

I would also want to include some kind of safeguard so that players couldn't shut down the app half way through a game then leave mods in place for other games on normal maps. In most cases this would probably just cause desync/drop but no doubt if there is some sneaky little exploit some gremlin will find it... so I would want to prevent this, probably by diverting part of the WC2 program flow through the app so if it's terminated unexpectedly then WC2 would crash... or if you just shut it down normally it would remove its hook and exit gracefully.

Probably this project would be an excellent candidate for dll injection.  8)

« Last Edit: March 12, 2017, 04:00:07 PM by Lambchops »
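Here is an added Python example, not Lambchops' app or anything posted in this thread, that covers the two halves of the post above: an encoder and decoder for the "MODS" section exactly as specified in reply #21 (4CC, DWORD payload size, DWORD count, then DWORD offset / BYTE count / data per mod), and the apply step with the backup-and-restore and the no-executable-sections rule the post promises. It rebuilds the three mods of the worked example. One check worth having in front of you: the hex dumps above leave out the BYTE count field of each mod, so the section as the spec defines it is 35 bytes and its size DWORD is 27 (0x1B), not 32 and 24. The zero-filled image standing in for the WC2 process and the `.text` range it refuses to touch are assumptions of the example, as is the byte-string round trip in place of real process memory writes.

```python
from __future__ import annotations
import struct
from dataclasses import dataclass

@dataclass(frozen=True)
class Mod:
    offset: int   # address in the WC2 process the mod app would write to
    data: bytes   # 1..255 bytes; the per-mod count field is a single BYTE

def encode_mods(mods: list[Mod]) -> bytes:
    """Produce the whole section: "MODS", DWORD payload size, DWORD count, then
    DWORD offset / BYTE count / data per mod. The body is built first so the
    size is known before the header is written (no seek-back needed)."""
    body = struct.pack("<I", len(mods))
    for m in mods:
        if not 1 <= len(m.data) <= 0xFF:
            raise ValueError(f"mod at {m.offset:#x}: {len(m.data)} bytes do not fit a BYTE count")
        body += struct.pack("<IB", m.offset, len(m.data)) + m.data
    return b"MODS" + struct.pack("<I", len(body)) + body

def decode_mods(section: bytes) -> list[Mod]:
    """Parse a section, checking every length against what is really there so a
    crafted section cannot make the reader run past its end or hide stray bytes."""
    if section[:4] != b"MODS" or len(section) < 12:
        raise ValueError("not a MODS section")
    size, count = struct.unpack_from("<II", section, 4)
    if size != len(section) - 8:
        raise ValueError(f"size field {size} != payload length {len(section) - 8}")
    pos, mods = 12, []
    for _ in range(count):
        if pos + 5 > len(section):
            raise ValueError("truncated mod header")
        offset, n = struct.unpack_from("<IB", section, pos)
        pos += 5
        if pos + n > len(section):
            raise ValueError(f"mod at {offset:#x} runs past the section")
        mods.append(Mod(offset, bytes(section[pos:pos + n])))
        pos += n
    if pos != len(section):
        raise ValueError(f"{len(section) - pos} stray byte(s) after the last mod")
    return mods

def is_well_formed(section: bytes) -> bool:
    try:
        decode_mods(section)
        return True
    except ValueError:
        return False

class ModApplier:
    """Patches a writable image and restores the original bytes afterwards.
    `image` stands in for the game's memory; `exec_ranges` are half-open
    (start, end) ranges that are never patched (the post's restriction)."""
    def __init__(self, image: bytearray, exec_ranges: list[tuple[int, int]]):
        self.image, self.exec_ranges, self.backup = image, exec_ranges, []

    def rejected(self, mods: list[Mod]) -> list[Mod]:
        """Mods that overlap an executable range or fall outside the image."""
        bad = []
        for m in mods:
            end = m.offset + len(m.data)
            if end > len(self.image) or any(m.offset < e and end > s for s, e in self.exec_ranges):
                bad.append(m)
        return bad

    def apply(self, mods: list[Mod]) -> None:
        bad = self.rejected(mods)           # validate all first: never leave a half-applied set
        if bad:
            raise PermissionError("refusing " + ", ".join(f"{m.offset:#x}" for m in bad))
        for m in mods:
            self.backup.append(Mod(m.offset, bytes(self.image[m.offset:m.offset + len(m.data)])))
            self.image[m.offset:m.offset + len(m.data)] = m.data

    def restore(self) -> None:
        for m in reversed(self.backup):     # undo in reverse order in case mods overlap
            self.image[m.offset:m.offset + len(m.data)] = m.data
        self.backup.clear()

# The three mods from the worked example in the post.
POST_EXAMPLE = [Mod(0x444555, b"\xff"), Mod(0x432100, b"\x01\x02\x03\xab\xba"), Mod(0x439991, b"\xc0\xde")]

def demo() -> dict:
    """Round-trip the post's mods through a section, apply them to a zero-filled
    stand-in image with a hypothetical .text range, then restore."""
    image = bytearray(0x450000)                                   # constructed stand-in, not a real process
    app = ModApplier(image, exec_ranges=[(0x401000, 0x430000)])   # assumed code range
    mods = decode_mods(encode_mods(POST_EXAMPLE))
    app.apply(mods)
    during = bytes(image[0x432100:0x432105])
    app.restore()
    return {"section": encode_mods(mods), "during": during,
            "after": bytes(image[0x432100:0x432105]),
            "blocked": app.rejected([Mod(0x401234, b"\x90")])}

if __name__ == "__main__":
    r = demo()
    print(r["section"].hex(":"), len(r["section"]), "bytes")
```

Run stand-alone it prints the 35-byte section, starting `4d:4f:44:53:1b:00:00:00:03:00:00:00:55:45:44:00:01:ff:...`. The decoder refuses a section whose size DWORD disagrees with its real length or whose last mod runs off the end, and `rejected()` is the executable-section check applied to the whole list before a single byte is written, so a mod that fails halfway through cannot leave the image partly patched. A real mod app would back the byte copies with ReadProcessMemory/WriteProcessMemory and take the executable ranges from the PE section headers of the running war2 image.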

Offline shesycompany
  • Death Knight
  • Posts: 3587
  • retired, be in music section
Re: Easycompany
« Reply #25 on: March 16, 2017, 06:50:47 PM »
here's the orc troll incos. just rename, put in patch mpq in orc ogre spot.

Offline Delete mine too
  • Death Knight
  • Posts: 2652
Re: Easycompany
« Reply #26 on: March 16, 2017, 07:25:25 PM »
Quote from: shesycompany on March 16, 2017, 06:50:47 PM
here's the orc troll incos. just rename, put in patch mpq in orc ogre spot.

I forgot who made that! We should get em to make more..

Offline Incos
  • Axe Thrower
  • Posts: 253
Re: Easycompany
« Reply #27 on: May 10, 2017, 05:50:35 AM »
Easy, I have been using 116 for the amount of frames for the grp for portrait.grp and war2 keeps crashing with unknown error, when I do 117 it is fine but the portraits are off. Do you know what this is from?
https://www.twitch.tv/incoswc - my twitch. Streaming 9:30pm - 11pm est most days!!

Offline shesycompany
  • Death Knight
  • Posts: 3587
  • retired, be in music section
Re: Easycompany
« Reply #28 on: May 10, 2017, 04:08:27 PM »
the portrait file in war2bnet is 196 frames.

I've crashed in a game before making too big of a unit sprite, but idk why the portrait would.

maybe by numbers also.. it has to have all them images cause it's still coded in.

i still use retrogrp.

u would dump all of them... edit one and rebuild the grp and place in patchmpq.

I'm still working with asu cause sprite sheets are fast! its problem.. bmp format is not correct from it or my paint program.. it will be distorted

I'll mess with it again and hopefully it's my paintshop pro causing this error.
« Last Edit: May 10, 2017, 04:23:44 PM by easycompany »

Offline Incos
  • Axe Thrower
  • Posts: 253
Re: Easycompany
« Reply #29 on: May 10, 2017, 04:50:30 PM »
Yes, you're right, I meant 196. It might be running ok now. Your asu is fast because of your macro. I Tarik manually do photoshop and psp for editing colors.