
BMTPPK


About This File

It's very detectable, simply because of that fact (Warden can easily scan those locations, follow the relative call/jmp and signature BMPK's code to 100% identify the hack and ban you).

 

yodar

26 Dec 2006, 03:21

Netter Quote:

BMPK has exactly 7 patches:

 

Code:

d2client.6FACFF97
d2client.6F9E0DB3
d2client.6FB01BFD
d2client.6FB01BEB
d2client.6FB00398
d2client.6FB6B136
d2client.6FB16ED8

 

 

The same goes for D2Loader which has ~4-8 patches, depending on what parameter settings you use. Same goes for D2JSP in case you're wondering. Note: This doesn't mean that Blizzard "cares" to ban you, but Warden does not need to be updated to detect patches, signature code and report the results to the battle.net servers (especially *I* can speak from experience on this topic, hehehe) ...

 

Anyway, an interesting side-note: As I was recently reversing (and cracking, heh) the latest BMPK I came across some funny code (pseudo):

 

Code:

CreateRemoteThread(GetCurrentProcessId(), NULL, 0, (LPTHREAD_START_ROUTINE)ThreadProc, GetCurrentProcess(), 0, NULL);

 

 

I was thinking: "Hm, weird, how come this newb is calling CreateRemoteThread and not CreateThread?" (Note: This code is from BMPK.dll in Diablo II's address space, so calling CreateREMOTEThread is totally unnecessary and stupid). Well, turns out "ThreadProc" is this function:

 

Code:

039E0000 55 PUSH EBP
039E0001 8BEC MOV EBP,ESP
039E0003 51 PUSH ECX
039E0004 64:A1 18000000 MOV EAX,DWORD PTR FS:[18]      ; TEB
039E000A 8B40 30 MOV EAX,DWORD PTR DS:[EAX+30]         ; TEB->Peb
039E000D 8B40 0C MOV EAX,DWORD PTR DS:[EAX+C]          ; PEB->Ldr
039E0010 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
039E0013 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
039E0016 8B50 0C MOV EDX,DWORD PTR DS:[EAX+C]          ; Ldr->InLoadOrderModuleList.Flink = first LDR_DATA_TABLE_ENTRY
039E0019 8B42 18 MOV EAX,DWORD PTR DS:[EDX+18]         ; entry->DllBase
039E001C 85C0 TEST EAX,EAX
039E001E 74 10 JE SHORT 039E0030
039E0020 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]          ; lpParameter: the module base to look for
039E0023 3BC1 CMP EAX,ECX
039E0025 74 09 JE SHORT 039E0030                       ; found the entry
039E0027 8B12 MOV EDX,DWORD PTR DS:[EDX]               ; next entry (InLoadOrderLinks.Flink)
039E0029 8B42 18 MOV EAX,DWORD PTR DS:[EDX+18]
039E002C 85C0 TEST EAX,EAX
039E002E ^ 75 F3 JNZ SHORT 039E0023                    ; loop until DllBase == 0 (back at the list head)
039E0030 8B42 18 MOV EAX,DWORD PTR DS:[EDX+18]
039E0033 85C0 TEST EAX,EAX
039E0035 75 06 JNZ SHORT 039E003D
039E0037 32C0 XOR AL,AL                                ; not found: return FALSE
039E0039 8BE5 MOV ESP,EBP
039E003B 5D POP EBP
039E003C C3 RETN
039E003D 8B4A 04 MOV ECX,DWORD PTR DS:[EDX+4]          ; unlink from InLoadOrderLinks (Flink +0, Blink +4):
039E0040 8B02 MOV EAX,DWORD PTR DS:[EDX]
039E0042 56 PUSH ESI
039E0043 57 PUSH EDI
039E0044 8901 MOV DWORD PTR DS:[ECX],EAX               ;   Blink->Flink = Flink
039E0046 8B0A MOV ECX,DWORD PTR DS:[EDX]
039E0048 8B42 04 MOV EAX,DWORD PTR DS:[EDX+4]
039E004B 8941 04 MOV DWORD PTR DS:[ECX+4],EAX          ;   Flink->Blink = Blink
039E004E 8B4A 0C MOV ECX,DWORD PTR DS:[EDX+C]          ; same for InMemoryOrderLinks (+8/+C)
039E0051 8B42 08 MOV EAX,DWORD PTR DS:[EDX+8]
039E0054 8901 MOV DWORD PTR DS:[ECX],EAX
039E0056 8B4A 08 MOV ECX,DWORD PTR DS:[EDX+8]
039E0059 8B42 0C MOV EAX,DWORD PTR DS:[EDX+C]
039E005C 8941 04 MOV DWORD PTR DS:[ECX+4],EAX
039E005F 8B4A 14 MOV ECX,DWORD PTR DS:[EDX+14]         ; same for InInitializationOrderLinks (+10/+14)
039E0062 8B42 10 MOV EAX,DWORD PTR DS:[EDX+10]
039E0065 8901 MOV DWORD PTR DS:[ECX],EAX
039E0067 8B4A 10 MOV ECX,DWORD PTR DS:[EDX+10]
039E006A 8B42 14 MOV EAX,DWORD PTR DS:[EDX+14]
039E006D 8941 04 MOV DWORD PTR DS:[ECX+4],EAX
039E0070 8B4A 40 MOV ECX,DWORD PTR DS:[EDX+40]         ; same for HashLinks (+3C/+40)
039E0073 8B42 3C MOV EAX,DWORD PTR DS:[EDX+3C]
039E0076 8901 MOV DWORD PTR DS:[ECX],EAX
039E0078 8B4A 3C MOV ECX,DWORD PTR DS:[EDX+3C]
039E007B 8B42 40 MOV EAX,DWORD PTR DS:[EDX+40]
039E007E 8941 04 MOV DWORD PTR DS:[ECX+4],EAX
039E0081 8B7A 28 MOV EDI,DWORD PTR DS:[EDX+28]         ; FullDllName.Buffer
039E0084 33C9 XOR ECX,ECX
039E0086 33C0 XOR EAX,EAX
039E0088 66:8B4A 24 MOV CX,WORD PTR DS:[EDX+24]        ; FullDllName.Length
039E008C 8BF1 MOV ESI,ECX
039E008E C1E9 02 SHR ECX,2
039E0091 F3:AB REP STOS DWORD PTR ES:[EDI]             ; zero the name buffer: Length/4 dwords ...
039E0093 8BCE MOV ECX,ESI
039E0095 83E1 03 AND ECX,3
039E0098 F3:AA REP STOS BYTE PTR ES:[EDI]              ; ... then the remaining Length%4 bytes
039E009A B9 12000000 MOV ECX,12
039E009F 33C0 XOR EAX,EAX
039E00A1 8BFA MOV EDI,EDX
039E00A3 F3:AB REP STOS DWORD PTR ES:[EDI]             ; zero 0x48 bytes of the LDR_DATA_TABLE_ENTRY itself
039E00A5 5F POP EDI
039E00A6 B0 01 MOV AL,1                                ; return TRUE
039E00A8 5E POP ESI
039E00A9 8BE5 MOV ESP,EBP
039E00AB 5D POP EBP
039E00AC C3 RETN

 

 

.. and now the funny part: It turns out that the function above is a 1:1 copy of Darawk's "CloakDll" code, which can be found here (and published on other sites I believe): http://www.darawk.com/Code/CloakDll.cpp

 

Anyway, credit to Darawk is nowhere to be found in the distributed binary package of BMPK, so that's really lame. Nevertheless, I hope you enjoyed this "gem" I found, it surely amused the hell out of me. Oh, and don't use BMPK if you care about your accounts!

 

Greetings,

-Jan
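The detection step described at the top of the post (scan a known patch location, follow the relative call/jmp, signature the bytes at the target) as an added example that is not from the post, from BMPK or from Warden. The patch addresses are the seven quoted above; the memory contents, the HOOK_SIGNATURE (which reuses the ThreadProc prologue from the listing purely as a stand-in) and the helper names are constructed for the demo.

```python
import struct

# The seven d2client patch locations quoted in the post.
PATCH_SITES = [0x6FACFF97, 0x6F9E0DB3, 0x6FB01BFD, 0x6FB01BEB,
               0x6FB00398, 0x6FB6B136, 0x6FB16ED8]
# Stand-in signature (None = wildcard): the ThreadProc prologue from the listing
# with the FS:[18] displacement wildcarded; a real one would cover the hook handler.
HOOK_SIGNATURE = [0x55, 0x8B, 0xEC, 0x51, 0x64, 0xA1, None, None, None, None,
                  0x8B, 0x40, 0x30]

def read(regions, addr, n):
    """Read n bytes from a sparse memory image given as [(base, bytes), ...]."""
    for base, data in regions:
        if base <= addr and addr + n <= base + len(data):
            return bytes(data[addr - base:addr - base + n])
    return None  # unmapped

def decode_rel_branch(ins, addr):
    """Target of a rel32 CALL (E8) or JMP (E9) encoded at addr, else None."""
    if len(ins) < 5 or ins[0] not in (0xE8, 0xE9):
        return None
    return (addr + 5 + struct.unpack('<i', ins[1:5])[0]) & 0xFFFFFFFF

def matches(code, signature):
    return len(code) >= len(signature) and all(
        s is None or s == b for s, b in zip(signature, code))

def scan(regions, sites, signature):
    """Map each site whose bytes became a branch to a target matching signature."""
    hits = {}
    for site in sites:
        target = decode_rel_branch(read(regions, site, 5) or b'', site)
        if target is not None:
            code = read(regions, target, len(signature))
            if code is not None and matches(code, signature):
                hits[site] = target
    return hits

def rel32(src, dst):
    return struct.pack('<i', dst - (src + 5))

def build_demo_image():
    """Constructed image: one hooked site, one untouched site, one benign in-module CALL."""
    a = bytearray(0x80)                                     # around d2client.6FB00398
    a[0x08:0x0D] = b'\xE8' + rel32(0x6FB00398, 0x6FB003C0)  # ordinary CALL within d2client
    a[0x30:0x35] = b'\x8B\xFF\x55\x8B\xEC'                  # its target: no signature match
    b = bytearray(0x40)                                     # around d2client.6FB01BEB/6FB01BFD
    b[0x0B:0x0F] = b'\x8B\x45\x08\x50'                      # 6FB01BEB: original code, untouched
    b[0x1D:0x22] = b'\xE9' + rel32(0x6FB01BFD, 0x039E0000)  # 6FB01BFD: overwritten with a JMP out
    c = bytes.fromhex('558BEC5164A1180000008B4030')         # hook DLL code at 039E0000
    return [(0x6FB00390, a), (0x6FB01BE0, b), (0x039E0000, c)]
```

`scan(build_demo_image(), PATCH_SITES, HOOK_SIGNATURE)` returns `{0x6FB01BFD: 0x039E0000}`: only the site whose bytes were replaced by a branch into code matching the signature is reported, while untouched sites, unmapped sites and ordinary in-module calls are not.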
