It's very detectable, simply because of that fact (Warden can easily scan those locations, follow the relative call/jmp and signature BMPK's code to 100% identify the hack and ban you).
yodar
26 Dec 2006, 03:21
Netter Quote:
BMPK has exactly 7 patches:
Code:
d2client.6FACFF97
d2client.6F9E0DB3
d2client.6FB01BFD
d2client.6FB01BEB
d2client.6FB00398
d2client.6FB6B136
d2client.6FB16ED8
The same goes for D2Loader which has ~4-8 patches, depending on what parameter settings you use. Same goes for D2JSP in case you're wondering. Note: This doesn't mean that Blizzard "cares" to ban you, but Warden does not need to be updated to detect patches, signature code and report the results to the battle.net servers (especially *I* can speak from experience on this topic, hehehe) ...
Anyway, an interesting side-note: As I was recently reversing (and cracking, heh) the latest BMPK I came across some funny code (pseudo):
Code:
CreateRemoteThread(GetCurrentProcessId(), NULL, 0, (LPTHREAD_START_ROUTINE)ThreadProc, GetCurrentProcess(), 0, NULL);
I was thinking: "Hm, weird, how come this newb is calling CreateRemoteThread and not CreateThread?" (Note: This code is from BMPK.dll in Diablo II's address space, so calling CreateREMOTEThread is totally unnecessary and stupid). Well, turns out "ThreadProc" is this function:
Code:
039E0000 55 PUSH EBP
039E0001 8BEC MOV EBP,ESP
039E0003 51 PUSH ECX
039E0004 64:A1 18000000 MOV EAX,DWORD PTR FS:[18]
039E000A 8B40 30 MOV EAX,DWORD PTR DS:[EAX+30]
039E000D 8B40 0C MOV EAX,DWORD PTR DS:[EAX+C]
039E0010 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
039E0013 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
039E0016 8B50 0C MOV EDX,DWORD PTR DS:[EAX+C]
039E0019 8B42 18 MOV EAX,DWORD PTR DS:[EDX+18]
039E001C 85C0 TEST EAX,EAX
039E001E 74 10 JE SHORT 039E0030
039E0020 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]
039E0023 3BC1 CMP EAX,ECX
039E0025 74 09 JE SHORT 039E0030
039E0027 8B12 MOV EDX,DWORD PTR DS:[EDX]
039E0029 8B42 18 MOV EAX,DWORD PTR DS:[EDX+18]
039E002C 85C0 TEST EAX,EAX
039E002E ^ 75 F3 JNZ SHORT 039E0023
039E0030 8B42 18 MOV EAX,DWORD PTR DS:[EDX+18]
039E0033 85C0 TEST EAX,EAX
039E0035 75 06 JNZ SHORT 039E003D
039E0037 32C0 XOR AL,AL
039E0039 8BE5 MOV ESP,EBP
039E003B 5D POP EBP
039E003C C3 RETN
039E003D 8B4A 04 MOV ECX,DWORD PTR DS:[EDX+4]
039E0040 8B02 MOV EAX,DWORD PTR DS:[EDX]
039E0042 56 PUSH ESI
039E0043 57 PUSH EDI
039E0044 8901 MOV DWORD PTR DS:[ECX],EAX
039E0046 8B0A MOV ECX,DWORD PTR DS:[EDX]
039E0048 8B42 04 MOV EAX,DWORD PTR DS:[EDX+4]
039E004B 8941 04 MOV DWORD PTR DS:[ECX+4],EAX
039E004E 8B4A 0C MOV ECX,DWORD PTR DS:[EDX+C]
039E0051 8B42 08 MOV EAX,DWORD PTR DS:[EDX+8]
039E0054 8901 MOV DWORD PTR DS:[ECX],EAX
039E0056 8B4A 08 MOV ECX,DWORD PTR DS:[EDX+8]
039E0059 8B42 0C MOV EAX,DWORD PTR DS:[EDX+C]
039E005C 8941 04 MOV DWORD PTR DS:[ECX+4],EAX
039E005F 8B4A 14 MOV ECX,DWORD PTR DS:[EDX+14]
039E0062 8B42 10 MOV EAX,DWORD PTR DS:[EDX+10]
039E0065 8901 MOV DWORD PTR DS:[ECX],EAX
039E0067 8B4A 10 MOV ECX,DWORD PTR DS:[EDX+10]
039E006A 8B42 14 MOV EAX,DWORD PTR DS:[EDX+14]
039E006D 8941 04 MOV DWORD PTR DS:[ECX+4],EAX
039E0070 8B4A 40 MOV ECX,DWORD PTR DS:[EDX+40]
039E0073 8B42 3C MOV EAX,DWORD PTR DS:[EDX+3C]
039E0076 8901 MOV DWORD PTR DS:[ECX],EAX
039E0078 8B4A 3C MOV ECX,DWORD PTR DS:[EDX+3C]
039E007B 8B42 40 MOV EAX,DWORD PTR DS:[EDX+40]
039E007E 8941 04 MOV DWORD PTR DS:[ECX+4],EAX
039E0081 8B7A 28 MOV EDI,DWORD PTR DS:[EDX+28]
039E0084 33C9 XOR ECX,ECX
039E0086 33C0 XOR EAX,EAX
039E0088 66:8B4A 24 MOV CX,WORD PTR DS:[EDX+24]
039E008C 8BF1 MOV ESI,ECX
039E008E C1E9 02 SHR ECX,2
039E0091 F3:AB REP STOS DWORD PTR ES:[EDI]
039E0093 8BCE MOV ECX,ESI
039E0095 83E1 03 AND ECX,3
039E0098 F3:AA REP STOS BYTE PTR ES:[EDI]
039E009A B9 12000000 MOV ECX,12
039E009F 33C0 XOR EAX,EAX
039E00A1 8BFA MOV EDI,EDX
039E00A3 F3:AB REP STOS DWORD PTR ES:[EDI]
039E00A5 5F POP EDI
039E00A6 B0 01 MOV AL,1
039E00A8 5E POP ESI
039E00A9 8BE5 MOV ESP,EBP
039E00AB 5D POP EBP
039E00AC C3 RETN
.. and now the funny part: It turns out that the function above is a 1:1 copy of Darawk's "CloakDll" code, which can be found here (and has been published on other sites, I believe): http://www.darawk.com/Code/CloakDll.cpp
Anyway, credit to Darawk is nowhere to be found in the distributed binary package of BMPK, so that's really lame. Nevertheless, I hope you enjoyed this "gem" I found, it surely amused the hell out of me. Oh, and don't use BMPK if you care about your accounts!
Greetings,
-Jan
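The detection Netter and Jan describe above (scan the known patch sites, follow the relative call/jmp, signature the hack's code) as an added example in C. This is not Warden's code and not code from the post or from BMPK. The flat memory region, its base address, the two patch sites, their clean bytes and the location of the hack body are all constructed for the example; the only thing taken from the page is the signature, which is the first instructions of the ThreadProc listing (55 8B EC 51 64 A1 18 00 00 00 8B 40 30).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical flat view of the scanned process: 64 KiB at an invented base. */
#define MEM_BASE 0x00400000u
#define MEM_SIZE 0x10000u
#define HOOK_VA  0x00408000u   /* where the constructed hack body is placed */

/* Signature: PUSH EBP / MOV EBP,ESP / PUSH ECX / MOV EAX,FS:[18] / MOV EAX,[EAX+30],
 * i.e. the prologue of the ThreadProc shown in the post. */
static const uint8_t HOOK_SIG[] = { 0x55, 0x8B, 0xEC, 0x51, 0x64, 0xA1, 0x18, 0x00,
                                    0x00, 0x00, 0x8B, 0x40, 0x30 };

typedef struct { uint32_t va; uint8_t original[5]; } patch_site_t;

/* Invented patch sites and the clean 5 bytes a scanner expects at each. */
static const patch_site_t SITES[] = {
    { 0x00401000u, { 0x8B, 0x45, 0x08, 0x85, 0xC0 } },
    { 0x00402000u, { 0x6A, 0x00, 0x6A, 0x01, 0x56 } },
};

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Fill the region with clean code at the sites; if 'hacked', apply the two
 * patch styles the post mentions: a JMP rel32 into the hack and a NOP-out. */
void build_memory(uint8_t *mem, bool hacked) {
    memset(mem, 0xCC, MEM_SIZE);
    for (size_t i = 0; i < sizeof SITES / sizeof SITES[0]; i++)
        memcpy(mem + (SITES[i].va - MEM_BASE), SITES[i].original, 5);
    if (!hacked) return;
    uint8_t *p = mem + (SITES[0].va - MEM_BASE);
    p[0] = 0xE9;                                   /* JMP rel32, relative to next instruction */
    wr32(p + 1, HOOK_VA - (SITES[0].va + 5));
    memset(mem + (SITES[1].va - MEM_BASE), 0x90, 5); /* plain NOP-out, nothing to follow */
    memcpy(mem + (HOOK_VA - MEM_BASE), HOOK_SIG, sizeof HOOK_SIG);
}

typedef struct { int patched; int signature_hits; } scan_result_t;

/* Byte-exact check at every site; for E8/E9 patches follow rel32 and compare
 * the code at the destination against the signature. */
scan_result_t scan_memory(const uint8_t *mem) {
    scan_result_t r = { 0, 0 };
    for (size_t i = 0; i < sizeof SITES / sizeof SITES[0]; i++) {
        const uint8_t *p = mem + (SITES[i].va - MEM_BASE);
        if (memcmp(p, SITES[i].original, 5) == 0) continue;     /* clean */
        r.patched++;
        if (p[0] != 0xE8 && p[0] != 0xE9) continue;              /* not a call/jmp rel32 */
        uint32_t target = SITES[i].va + 5 + rd32(p + 1);         /* unsigned wrap handles negative rel32 */
        if (target < MEM_BASE || target + sizeof HOOK_SIG > MEM_BASE + MEM_SIZE) continue; /* unreadable */
        if (memcmp(mem + (target - MEM_BASE), HOOK_SIG, sizeof HOOK_SIG) == 0) r.signature_hits++;
    }
    return r;
}

/* Build the constructed region (clean or hacked) and scan it. */
scan_result_t scan_constructed(bool hacked) {
    static uint8_t mem[MEM_SIZE];
    build_memory(mem, hacked);
    return scan_memory(mem);
}

int main(void) {
    scan_result_t clean = scan_constructed(false), hacked = scan_constructed(true);
    printf("clean:  %d patched sites, %d signature hits\n", clean.patched, clean.signature_hits);
    printf("hacked: %d patched sites, %d signature hits\n", hacked.patched, hacked.signature_hits);
    return 0;
}
```

The byte-exact compare is what makes every patch visible; following E8/E9 is what turns "these bytes changed" into "this is hack X", and the bounds check before the signature read is there because a real scanner reads foreign memory and a bad rel32 would otherwise send it to an unmapped page.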
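What the disassembled ThreadProc does, reconstructed in C as an added example (this is not BMPK's or Darawk's code and not from the post): walk the loader's InLoadOrderModuleList until the entry whose DllBase matches the argument is found, unlink that entry from the four lists the listing touches (InLoadOrder at +0, InMemoryOrder at +8, InInitializationOrder at +0x10, HashLinks at +0x3C), wipe FullDllName, then wipe the entry itself. The structures, module names, base addresses and the sentinel list head are constructed stand-ins that follow the 32-bit field order, so the example runs anywhere instead of reading a real PEB; on a 64-bit host the actual byte offsets differ.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <wchar.h>

typedef struct LIST_ENTRY_T { struct LIST_ENTRY_T *Flink, *Blink; } LIST_ENTRY_T;
typedef struct { uint16_t Length, MaximumLength; wchar_t *Buffer; } UNICODE_STRING_T;

/* Stand-in for LDR_DATA_TABLE_ENTRY in the field order the listing walks.
 * Commented offsets are the 32-bit ones the disassembly reads. */
typedef struct {
    LIST_ENTRY_T InLoadOrderLinks;           /* +0x00, also the entry's address */
    LIST_ENTRY_T InMemoryOrderLinks;         /* +0x08 */
    LIST_ENTRY_T InInitializationOrderLinks; /* +0x10 */
    void        *DllBase;                    /* +0x18, compared against [EBP+8] */
    void        *EntryPoint;
    uint32_t     SizeOfImage;
    UNICODE_STRING_T FullDllName;            /* +0x24 Length, +0x28 Buffer */
    UNICODE_STRING_T BaseDllName;
    uint32_t     Flags;
    uint16_t     LoadCount, TlsIndex;
    LIST_ENTRY_T HashLinks;                  /* +0x3C */
    uint32_t     TimeDateStamp;
} LDR_ENTRY_T;

static void list_init(LIST_ENTRY_T *h) { h->Flink = h->Blink = h; }
static void list_append(LIST_ENTRY_T *h, LIST_ENTRY_T *e) {
    e->Flink = h; e->Blink = h->Blink; h->Blink->Flink = e; h->Blink = e;
}
/* One unlink block from the listing: Blink->Flink = Flink; Flink->Blink = Blink. */
static void list_unlink(LIST_ENTRY_T *e) { e->Blink->Flink = e->Flink; e->Flink->Blink = e->Blink; }

/* The ThreadProc. 'head' is a zeroed entry whose link fields act as the list
 * heads, so a walk that wraps around reads DllBase == NULL and stops, which is
 * how the original stops on PEB_LDR_DATA. true == MOV AL,1; false == XOR AL,AL. */
bool cloak_module(LDR_ENTRY_T *head, const void *dll_base) {
    LDR_ENTRY_T *mod = (LDR_ENTRY_T *)head->InLoadOrderLinks.Flink;
    while (mod->DllBase != NULL && mod->DllBase != dll_base)
        mod = (LDR_ENTRY_T *)mod->InLoadOrderLinks.Flink;
    if (mod->DllBase == NULL) return false;
    list_unlink(&mod->InLoadOrderLinks);
    list_unlink(&mod->InMemoryOrderLinks);
    list_unlink(&mod->InInitializationOrderLinks);
    list_unlink(&mod->HashLinks);
    memset(mod->FullDllName.Buffer, 0, mod->FullDllName.Length); /* the REP STOSD/STOSB pair */
    memset(mod, 0, sizeof *mod);                                 /* the 0x12-dword wipe */
    return true;
}

/* Constructed process: a sentinel head plus three fake modules with invented bases. */
typedef struct { LDR_ENTRY_T head; LDR_ENTRY_T mods[3]; wchar_t names[3][40]; } FAKE_PROCESS;

void build_fake_process(FAKE_PROCESS *p) {
    const wchar_t *const paths[3] = { L"C:\\WINDOWS\\system32\\ntdll.dll",
                                      L"C:\\Game\\Game.exe", L"C:\\Game\\BMPK.dll" };
    memset(p, 0, sizeof *p);
    list_init(&p->head.InLoadOrderLinks);           list_init(&p->head.InMemoryOrderLinks);
    list_init(&p->head.InInitializationOrderLinks); list_init(&p->head.HashLinks);
    for (int i = 0; i < 3; i++) {
        LDR_ENTRY_T *m = &p->mods[i];
        m->DllBase = (void *)(uintptr_t)(0x10000000u * (unsigned)(i + 1)); /* fake base */
        wcscpy(p->names[i], paths[i]);
        m->FullDllName.Buffer = p->names[i];
        m->FullDllName.Length = (uint16_t)(wcslen(paths[i]) * sizeof(wchar_t));
        m->FullDllName.MaximumLength = (uint16_t)sizeof p->names[i];
        list_append(&p->head.InLoadOrderLinks, &m->InLoadOrderLinks);
        list_append(&p->head.InMemoryOrderLinks, &m->InMemoryOrderLinks);
        list_append(&p->head.InInitializationOrderLinks, &m->InInitializationOrderLinks);
        list_append(&p->head.HashLinks, &m->HashLinks);
    }
}

/* Scenario: try to cloak 'base'. Returns -1 when cloak_module() fails, else the
 * number of the four list walks that still land inside the BMPK entry, plus 10
 * if its path buffer or DllBase survived the wipe. 0 means fully hidden. */
int cloak_scenario(const void *base) {
    FAKE_PROCESS p;
    build_fake_process(&p);
    if (!cloak_module(&p.head, base)) return -1;
    const LDR_ENTRY_T *t = &p.mods[2];
    LIST_ENTRY_T *heads[4] = { &p.head.InLoadOrderLinks, &p.head.InMemoryOrderLinks,
                               &p.head.InInitializationOrderLinks, &p.head.HashLinks };
    int r = 0;
    for (int i = 0; i < 4; i++)
        for (LIST_ENTRY_T *e = heads[i]->Flink; e != heads[i]; e = e->Flink)
            if ((const char *)e >= (const char *)t && (const char *)e < (const char *)(t + 1)) { r++; break; }
    if (p.names[2][0] != 0 || p.mods[2].DllBase != NULL) r += 10;
    return r;
}

/* How many modules a walk of InLoadOrderModuleList still sees after the attempt. */
int modules_listed_after(const void *base) {
    FAKE_PROCESS p;
    build_fake_process(&p);
    cloak_module(&p.head, base);
    int n = 0;
    for (LIST_ENTRY_T *e = p.head.InLoadOrderLinks.Flink; e != &p.head.InLoadOrderLinks; e = e->Flink) n++;
    return n;
}

int main(void) {
    const void *bmpk = (const void *)(uintptr_t)0x30000000u, *bogus = (const void *)(uintptr_t)0xDEADBEEFu;
    printf("BMPK:  scenario=%d listed=%d\n", cloak_scenario(bmpk), modules_listed_after(bmpk));
    printf("bogus: scenario=%d listed=%d\n", cloak_scenario(bogus), modules_listed_after(bogus));
    return 0;
}
```

Two things worth noticing. The original never tests for the list head; it relies on reading a NULL DllBase when the walk comes back around to PEB_LDR_DATA, and the sentinel keeps that behaviour so the not-found path runs the same way. And after the cloak, walks of all four lists no longer reach the entry, but the DLL's pages are still mapped and its code is unchanged, which is why this hides a module from enumeration and does nothing against a scanner that follows a patched call/jmp and signatures the code it lands on.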