speige / WC3MapDeprotector

Warcraft 3 Custom Map deprotector
https://www.youtube.com/@ai-gamer
MIT License
21 stars, 3 forks

Add "Live Game Scanner" tool from MPQEditor #7

Closed speige closed 9 months ago

speige commented 9 months ago

MPQEditor's tool only works on old versions of WC3. Re-code it for Reforged. It should attach to the exe before the map is loaded & then monitor for file names extracted from the MPQ file.

http://www.zezula.net/en/mpq/war3maps.html

speige commented 9 months ago

https://github.com/Squalr/Squalr

Use this to search memory for common file extensions like mdx, tga, blp, etc.

Launch WC3 automatically & use the in-memory copy of the w3x war3net variable to test if the file name resolves an unknown (addfilename function).

c:\Program Files (x86)\Warcraft III\_retail_\x86_64\Warcraft III.exe -launch -loadfile "c:\users\devin\appdata\local\temp\WorldEditTestMap.w3x" -mapdiff 1 -testmapprofile WorldEdit -fixedseed 1

speige commented 9 months ago

Initial code attempt in d568d5d. Found some strings, but not all of them. Need to test with different parameters or consider using a different library. Squalr doesn't seem to have any active support, but maybe I can fork it & fix the bugs.

CheatEngine appears to find the data I need, but it doesn't have an API (the closest option is opening the GUI & running a Lua script). Old unmaintained option: https://github.com/fenix01/cheatengine-library

Luashine commented 9 months ago

I had worked out a PoC that should be equivalent to manipulating game memory but not intrusive, by using Process Monitor and logging I/O calls at the OS level: https://web.archive.org/web/20231201201948/https://www.hiveworkshop.com/threads/poc-reforged-mpq-name-scanner.351760/ As I point out there, that should work the same by using Wine's logging functionality under Linux.

The thread was deleted because of "discussion of map deprotection", which conveniently makes that not only my last but my final contribution to Hive. And the warmer I feel about your beginnings.

Also, it's possible to run single player at higher speeds, which would be very welcome to people who need to play through the map just for the purpose of visiting every corner. There's a small scripted tool I made for WGC generation: https://www.hiveworkshop.com/threads/wgc-utility-test-maps-at-high-game-speed.341181/

speige commented 9 months ago

Actually recoded a 2nd time in d996c0e. Found that the Squalr C# library doesn't work very well, so found an API version of CheatEngine (real CheatEngine is GUI only). It is able to read memory better, but it still seems to miss a lot of files. I think the issue is that I'm reading memory async, not actually attaching a debugger & stepping through, so by the time I read, the important variables may have been garbage collected. This is because the string variable with the MPQ-embedded filename to extract will only be available during the hashing algorithm & becomes available for garbage collection after the file is extracted.

I don't think I/O calls will be helpful, because we will only see that the MPQ itself is accessed, not the filename within the MPQ. The old version of WC3 used a DLL called storm.dll to extract the MPQ, & MPQEditor replaced WC3's with a hacked version of storm.dll which added logging to the hash function call. That doesn't work anymore because newer versions of WC3 don't use storm.dll; their hashing code is embedded in "Warcraft III.exe" itself.

I think the best approach would be to use IDA and/or CheatEngine to decompile & analyze "Warcraft III.exe" & find the exact function call in memory which does the MPQ filename hashing. Then, using code similar to CheatEngine, inject new assembly code into that function to add additional logging. This can be done while the process is running, so it'll probably be undetected (Blizzard doesn't have good anti-cheat anyway) & so it doesn't affect the real game, only the "Live Scan" feature.

I agree, the anti-deprotection admins are annoying. I understand their perspective, but I think there is a good middle ground. My tool intentionally adds watermarks to show that the map has been deprotected, so that people on Battle.Net don't get confused or cheated against. If someone deprotects, they also have to go to the effort of removing the watermarks, which hopefully deters those who only want to embed a cheat pack but don't want to maintain a map. (Of course, for playing in single-player, cheat packs are fine & you just leave the watermarks.)

speige commented 9 months ago

Both of your tools in hive are very cool. Thanks for sharing!

If you can test out the PoC on the I/O calls from Process Monitor on Reforged, and it actually works, please let me know; I'd definitely try to code it into this tool. My assumption is that we need to do memory analysis as mentioned in my comment above, but I could be wrong :)

In fact, it looks like you just posted that tool a few weeks ago. So maybe it does work in Reforged?!? Very exciting if true! Please let me know.

Luashine commented 9 months ago

> because we will only see that the MPQ itself is accessed, not the filename within the MPQ.

That's not true for Reforged. With "Allow Local Files" = 1 in the Registry, Reforged will first leak the paths it attempts to load to the file system I/O, and only if they are not found on disk will it try the MPQ paths. I don't know if there are any code paths/resources that DO NOT go to the FS -- but most resources will be visible with ProcMon. So yes, this SHOULD work very well with Reforged. But it's a PoC for now :)

TL;DR: with Local Files, disk storage is higher priority than MPQ (CASC) storage.

At the same time, this doesn't work well with pre-Reforged (see the thread for the version tested) because it really loaded most stuff straight from MPQs, as you assumed (but not all).
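The two name-recovery routes discussed in this thread, the raw memory scan for extension-terminated strings and the ProcMon trace under Allow Local Files, both end at the same step: every candidate name has to be hashed the way the MPQ hash table stores it and checked against the "unknown" entries of the protected map. The following Python is an added example and is not code from the WC3MapDeprotector repository or from the tools linked above. It implements the documented MPQ name hash (the same one storm.dll/StormLib use for hash-table lookup) and then runs both pipelines over constructed inputs: the ProcMon CSV lines, the local-files root `C:\Games\Warcraft III\_retail_`, the memory buffer and the "protected map" name list are all made up for the demonstration, and the real directory Reforged probes on a given machine is whatever the trace shows.

```python
"""Added example (not the project's code): resolve MPQ 'unknown' entries from names
that Reforged leaks via ProcMon (Allow Local Files) or via raw memory scanning."""
import csv
import io
import re


def _build_crypt_table():
    # The 0x500-entry table StormLib/storm.dll derive for MPQ hashing and encryption.
    seed = 0x00100001
    table = [0] * 0x500
    for index1 in range(0x100):
        index2 = index1
        for _ in range(5):
            seed = (seed * 125 + 3) % 0x2AAAAB
            temp1 = (seed & 0xFFFF) << 0x10
            seed = (seed * 125 + 3) % 0x2AAAAB
            temp2 = seed & 0xFFFF
            table[index2] = temp1 | temp2
            index2 += 0x100
    return table


CRYPT_TABLE = _build_crypt_table()
HASH_TABLE_OFFSET, HASH_NAME_A, HASH_NAME_B, HASH_FILE_KEY = 0, 1, 2, 3


def mpq_hash(name, hash_type):
    """MPQ name hash. Lookups are case-insensitive (ASCII) and treat '/' as '\\'."""
    seed1, seed2 = 0x7FED7FED, 0xEEEEEEEE
    for ch in name.encode("latin-1"):
        if 0x61 <= ch <= 0x7A:      # a-z -> A-Z, ASCII only, as StormLib does
            ch -= 0x20
        elif ch == 0x2F:            # '/' -> '\'
            ch = 0x5C
        seed1 = (CRYPT_TABLE[(hash_type << 8) + ch] ^ (seed1 + seed2)) & 0xFFFFFFFF
        seed2 = (ch + seed1 + seed2 + (seed2 << 5) + 3) & 0xFFFFFFFF
    return seed1


def name_key(name):
    # Once (listfile) is stripped, a protected map keeps only these two hashes per file.
    return mpq_hash(name, HASH_NAME_A), mpq_hash(name, HASH_NAME_B)


def resolve_unknowns(candidates, hash_table):
    """Keep the candidate names whose (nameA, nameB) pair exists in the map's hash table."""
    return [c for c in candidates if name_key(c) in hash_table]


def probed_paths(procmon_csv, local_root, process="Warcraft III.exe"):
    """Archive-relative names from a ProcMon CSV export. With Allow Local Files the game
    probes local_root on disk before the MPQ, so every CreateFile under it names a file
    the game is about to look up in the map, whether the probe fails or succeeds."""
    prefix = local_root.rstrip("\\") + "\\"
    names = []
    for row in csv.DictReader(io.StringIO(procmon_csv)):
        if row["Process Name"] != process or row["Operation"] != "CreateFile":
            continue
        if not row["Path"].lower().startswith(prefix.lower()):
            continue
        rel = row["Path"][len(prefix):]
        if rel and rel not in names:
            names.append(rel)
    return names


# Extension-terminated strings: the memory-scan idea from earlier in the thread.
NAME_RE = re.compile(rb"[A-Za-z0-9_\-\\/.]{1,120}?\.(?:mdx|mdl|blp|tga|wav|mp3|slk|txt|j|w3i)\b", re.I)


def scan_buffer_for_names(buf):
    """Candidate names pulled from a raw process-memory buffer (bytes)."""
    return sorted({m.group(0).decode("latin-1") for m in NAME_RE.finditer(buf)})


# --- Constructed sample data, not real captures ---
PROTECTED_NAMES = [  # stand-in for a protected map; only the hashes survive below
    "war3map.j", "war3map.w3i", "war3mapMap.blp",
    "Units\\Hero\\Paladin.mdx",
    "ReplaceableTextures\\CommandButtons\\BTNCustom.blp",
]
PROTECTED_MAP_HASHES = {name_key(n) for n in PROTECTED_NAMES}

LOCAL_ROOT = r"C:\Games\Warcraft III\_retail_"   # assumed local-files root
SAMPLE_PROCMON_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"21:14:03.1000000","Warcraft III.exe","4120","CreateFile","C:\Games\Warcraft III\_retail_\Units\Hero\Paladin.mdx","NAME NOT FOUND","Desired Access: Generic Read"
"21:14:03.1000100","Warcraft III.exe","4120","CreateFile","C:\Games\Warcraft III\_retail_\ReplaceableTextures\CommandButtons\BTNCustom.blp","NAME NOT FOUND","Desired Access: Generic Read"
"21:14:03.1000200","Warcraft III.exe","4120","CreateFile","C:\Games\Warcraft III\_retail_\UI\Glues\Loading\Backgrounds\Arctic.blp","NAME NOT FOUND","Desired Access: Generic Read"
"21:14:03.1000300","explorer.exe","1010","CreateFile","C:\Games\Warcraft III\_retail_\war3map.j","NAME NOT FOUND","Desired Access: Generic Read"
"21:14:03.1000400","Warcraft III.exe","4120","ReadFile","C:\Users\devin\AppData\Local\Temp\WorldEditTestMap.w3x","SUCCESS","Offset: 0, Length: 4,096"
'''
SAMPLE_MEMORY = (b"\x00\x00war3mapMap.blp\x00\x07\x13Units\\Hero\\Paladin.mdx\x00"
                 b"\xff\xfeUnits\\Hero\\Archmage.mdx\x00junk\xffwar3map.w3i\x00")


def demo():
    """Run both pipelines over the sample data; returns (from_procmon, from_memory)."""
    from_procmon = resolve_unknowns(probed_paths(SAMPLE_PROCMON_CSV, LOCAL_ROOT), PROTECTED_MAP_HASHES)
    from_memory = resolve_unknowns(scan_buffer_for_names(SAMPLE_MEMORY), PROTECTED_MAP_HASHES)
    return from_procmon, from_memory


if __name__ == "__main__":
    for source, names in zip(("procmon", "memory"), demo()):
        print(source, names)
```

Two things the sample is built to show: `Arctic.blp` is probed by the game but is a stock asset, so its hash pair is not in the map's table and it is dropped rather than reported as a recovered name, and `explorer.exe` touching the same directory is ignored because the filter is on the game process and the CreateFile operation, not on the NAME NOT FOUND result.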

speige commented 9 months ago

I didn't think about Local Files. You're a genius! I don't care about supporting pre-Reforged. If someone cares about that, they can fork the repo, or use the old deprotection tools that already work on pre-Reforged, like MPQEditor's W3X Live Game FileName Scanner.

speige commented 9 months ago

Tested Luashine's scripts & they are working. However, they require manual steps & I'd prefer this to be fully built into the app. The last resort would be to call ProcMon using ShellExecute. Preference is to hijack WC3 to enforce LocalFiles & also to monitor file access.

Most promising library is https://github.com/microsoft/Detours
Example for monitoring file access: https://github.com/microsoft/Detours/wiki/SampleTracebld
Example for spoofing a registry value: https://github.com/microsoft/Detours/wiki/SampleTracereg

speige commented 9 months ago

Fixed in b8dbbef. Used Event Tracing for Windows. Attempts with Detours (or alternatives like EasyHook) all failed, either because the code was too old or because WC3 anti-cheat was preventing the hook from installing, since they get injected directly into the exe.