Hello there friend. I love this game. I remember Zynastor aka Valiant Chaos who made the BEST cheat for sc1 and sc2.
Also, I have dew's source code for sc2's map hack... This method has since been detected, and it targets Wings of Liberty. The engine has changed a lot since then.
Back in the day, people launched the game in 32-bit mode (an option inside the b.net launcher) and loaded it with OllyDbg. OllyDbg is by far the best debugger on the planet when it comes to changing CPU instructions on the fly while the process is running. They also used the ScyllaHide plugin to hide the debugger.
Then we used to share warden dumps on d3scene (the real website is long gone; the current site is all spam for cheats)... Today, you can use Vuno's software to hack if you wish, and there are a few other external ones, like Aina's... Vuno has a website, but the rest are obscure and hard to find... Vuno is the current best by far, and I have the feeling Vuno is ValiantChaos under another name, but don't quote me on that.
The code below can be used with MASM. I hope it helps you see how the maphack is done, and it might show you what to look for once you are able to debug the game:
.486
.model flat, stdcall
option casemap: none
include \masm32\include\windows.inc
include \masm32\include\masm32.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
include \masm32\include\gdi32.inc
include \masm32\include\debug.inc
includelib \masm32\lib\masm32.lib
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\gdi32.lib
includelib \masm32\lib\debug.lib
include Tools.inc
include Game.inc
thread_Hotkeys proto :DWORD, :DWORD, :DWORD
thread_Callback proto :DWORD, :DWORD, :DWORD
thread_Hook proto
.data
; Title of the game window; passed to FindWindow by thread_Hook and Tools_GetDeviceContext.
szWindow db "StarCraft II", 0
.data?
; Handle returned by CreateThread for thread_Hook (written in DllEntryPoint, not read in the visible code).
thread_HookID dd ?
; HHOOK returned by SetWindowsHookEx; stored by thread_Hook and passed to CallNextHookEx
; by thread_Hotkeys. Despite the name it is a hook handle, not a thread id.
thread_HotkeysID dd ?
.code
DllEntryPoint proc hInstDLL:DWORD, lpReason:DWORD, lpReserved:DWORD
; BOOL WINAPI DllEntryPoint(HINSTANCE hInstDLL, DWORD lpReason, LPVOID lpReserved)
; ABI:  Win32 stdcall (DllMain signature); runs under the loader lock.
; On DLL_PROCESS_ATTACH: compares one byte of live code at hook_Maphack_01 with the
; first byte of h01_Reset (the expected original byte) and, if they match, starts
; thread_Hook. Every other lpReason falls straight through to ret.
; Out:  eax is never assigned explicitly on any path (see notes below).
; Clobbers: eax, ebx (see note), flags.
; This code is executed when our DLL is loaded.
mov eax, lpReason
.if (eax == DLL_PROCESS_ATTACH)
; Check that the game version is correct.
; eax = absolute address of patch site 01; al = the byte currently stored there.
mov eax, hook_Maphack_01
mov al, byte ptr [eax]
; bl = first byte of the original sequence kept in h01_Reset.
; NOTE(review): ebx is callee-saved in the Win32 ABI and is not preserved here.
mov bl, byte ptr [h01_Reset]
.if (al != bl)
; Byte differs: presumably a different game build, so nothing is patched.
; NOTE(review): eax still holds the compared byte, not an explicit FALSE/TRUE;
; the loader treats eax as the BOOL result of DLL_PROCESS_ATTACH.
ret
.endif
; Set up the hooking thread.
; The hook is installed from a separate thread rather than inside DllMain itself;
; the new thread's handle is kept in thread_HookID.
invoke CreateThread, NULL, 0, addr thread_Hook, 0, 0, addr thread_HookID
.endif
; NOTE(review): here eax is CreateThread's return (attach path) or lpReason (other paths).
ret
DllEntryPoint endp
thread_Hotkeys proc nCode:DWORD, wParam:DWORD, lParam:DWORD
; LRESULT CALLBACK thread_Hotkeys(int nCode, WPARAM wParam, LPARAM lParam)
; WH_KEYBOARD hook procedure installed by thread_Hook. Not a thread despite the
; name: it runs on the hooked thread for every keyboard message.
; In:   nCode  = hook code; only HC_ACTION is acted on.
;       wParam = virtual-key code; only VK_F5 does anything.
;       lParam = keystroke flags (repeat count, scan code, state bits).
; Out:  eax = CallNextHookEx result.
; Side effects: advances mState 0 -> 1 -> 2 -> 3 -> 0 and rewrites the two patch
; sites through Tools_PatchMemory on each F5.
; Clobbers: flags; ecx/edx via the API call.
; Hotkey callback thread.
; eax is saved here but CallNextHookEx overwrites it after the pop anyway.
push eax
; Keep only bits 24..31 of lParam. Bits 30/31 of a WH_KEYBOARD lParam are the
; previous-key-state and transition-state flags, so 0C0FFFFFFh is an ordinary
; key-up. An initial press (bits clear) and auto-repeat (only bit 30 set) both
; pass this test, so holding F5 keeps advancing the state.
mov eax, lParam
or eax, 00FFFFFFh
.if (nCode == HC_ACTION && eax != 0C0FFFFFFh)
.if (wParam == VK_F5)
.if (mState == 00h)
; Change to full mode.
; Site 01 gets its original bytes back, site 02 gets the "full" bytes.
invoke Tools_PatchMemory, hook_Maphack_01, addr h01_Reset, 6
invoke Tools_PatchMemory, hook_Maphack_02, addr h02_Full, 2
mov mState, 01h
.elseif (mState == 01h)
; Change to shared vision mode.
invoke Tools_PatchMemory, hook_Maphack_01, addr h01_Shared, 6
invoke Tools_PatchMemory, hook_Maphack_02, addr h02_Reset, 2
mov mState, 02h
.elseif (mState == 02h)
; Change to enemy vision mode.
invoke Tools_PatchMemory, hook_Maphack_01, addr h01_Enemy, 6
invoke Tools_PatchMemory, hook_Maphack_02, addr h02_Reset, 2
mov mState, 03h
.elseif (mState == 03h)
; Turn off the maphack.
; Both sites restored to their original bytes.
invoke Tools_PatchMemory, hook_Maphack_01, addr h01_Reset, 6
invoke Tools_PatchMemory, hook_Maphack_02, addr h02_Reset, 2
mov mState, 00h
.endif
.endif
.endif
pop eax
; Always forward to the next hook in the chain, whatever was done above.
invoke CallNextHookEx, thread_HotkeysID, nCode, wParam, lParam
ret
thread_Hotkeys endp
thread_Hook proc
; DWORD WINAPI thread_Hook(void) -- started by CreateThread from DllEntryPoint.
; Shows a message box, caches the game window's DC, locates the game window,
; installs a WH_KEYBOARD hook on the window's thread and then sleeps forever.
; Out:  never returns on the success path (Sleep INFINITE).
; NOTE(review): CreateThread passes one DWORD parameter but the prototype and
; this stdcall proc declare none; this only goes unnoticed because the thread
; never returns normally.
; Hook setting thread.
; Show the ad.
invoke MessageBox, NULL, CTEXT("CLOSE THIS WINDOW FIRST--Press F5 to activate after closing this window,/"), CTEXT("CLOSE THIS WINDOW TO ACTIVATE"), MB_OK
; Get the device context.
; Result is stored in hdcDevice, not returned in eax (see Tools_GetDeviceContext).
invoke Tools_GetDeviceContext, addr szWindow
; Get the process ID.
; Look the window up by title first; if that fails, retry with szWindow as the class name.
invoke FindWindow, 0, addr szWindow
.if (eax == 0)
invoke FindWindow, addr szWindow, 0 ;korean/taiwan client fix
.endif
; eax = id of the thread that owns the window (0 if the window was not found).
; The second argument is NULL, so no process id is actually retrieved.
invoke GetWindowThreadProcessId, eax, 0
.if (eax != 0)
; Set the hotkey hook.
; Thread-specific WH_KEYBOARD hook targeting the game window's thread.
invoke SetWindowsHookEx, WH_KEYBOARD, addr thread_Hotkeys, NULL, eax
; Save our thread handle and sleep.
; The value saved is the HHOOK from SetWindowsHookEx (needed by CallNextHookEx);
; it is stored even if the call returned NULL.
mov thread_HotkeysID, eax
; -1 as a DWORD is INFINITE: the thread parks here for the life of the process.
invoke Sleep, -1
.endif
; NOTE(review): there is no ret on this path. If the window was not found,
; execution runs off the end of the procedure into whatever follows it.
thread_Hook endp
End DllEntryPoint
Game_TextOut proto :DWORD, :DWORD, :DWORD, :DWORD
.data
; Maphack state.
; 0 = off, 1 = full, 2 = shared vision, 3 = enemy vision (per the branches in thread_Hotkeys).
mState db 00h
; Maphack hooks.
; Absolute addresses of the two patch sites inside the game executable. They are
; tied to one 32-bit build (the post says Wings of Liberty); DllEntryPoint checks
; the byte at hook_Maphack_01 against h01_Reset before anything is patched.
hook_Maphack_01 dd 00A5C6D9h
hook_Maphack_02 dd 00A5C6DFh
; Maphack data.
; h01_* are the 6-byte sequences for site 01, h02_* the 2-byte sequences for site 02.
; The *_Reset entries hold the original bytes and are written back to turn the
; patch off; the others are the replacements selected by mState.
h01_Shared db 0B3h, 02h, 90h, 90h, 90h, 90h
h01_Enemy db 0B3h, 03h, 90h, 90h, 90h, 90h
h01_Reset db 8Ah, 1Dh, 0Ch, 2Dh, 5Ah, 01h
h02_Full db 0EBh, 09h
h02_Reset db 3Ah, 1Dh
.code
Game_TextOut proc lpX:DWORD, lpY:DWORD, lpText:DWORD, lpLen:DWORD
; void Game_TextOut(int lpX, int lpY, const char *lpText, int lpLen)
; Draws lpLen characters of lpText at (lpX, lpY) on the cached device context.
; In:   hdcDevice must already have been filled by Tools_GetDeviceContext.
; Out:  nothing -- pushad/popad restore every general register, so TextOut's
;       BOOL result is discarded and eax is unchanged on return.
; Clobbers: flags only.
; Displays text at specific coordinates in-game.
pushad
mov ebx, hdcDevice
invoke TextOut, ebx, lpX, lpY, lpText, lpLen
popad
ret
Game_TextOut endp
Tools_PatchMemory proto :DWORD, :DWORD, :DWORD
Tools_SetHook proto :DWORD, :DWORD
Tools_MoveString proto :DWORD, :DWORD
Tools_GetDeviceContext proto :DWORD
.data?
; Device context of the game window; written by Tools_GetDeviceContext, read by Game_TextOut.
hdcDevice dd ?
; Declared but not referenced anywhere in the visible code.
hWindow dd ?
.code
Tools_PatchMemory proc lpOffset:DWORD, lpData:DWORD, lpLen:DWORD
; BOOL Tools_PatchMemory(void *lpOffset, const void *lpData, DWORD lpLen)
; Overwrites lpLen bytes at lpOffset with the bytes at lpData, temporarily making
; the page PAGE_EXECUTE_READWRITE and then restoring the previous protection.
; In:   lpOffset = absolute address in this process; lpData = source bytes; lpLen = count.
; Out:  eax = result of the restoring VirtualProtect on success, 0 if the first
;       VirtualProtect failed (nothing is written in that case).
; Clobbers: eax, ecx, edx (volatile across the API calls), flags.
; Note: switching a code page to RWX and writing into it is the kind of in-memory
; modification that integrity scanners look for by comparing against the on-disk image.
; Patches specific memory locations of variable length.
LOCAL lpOld:DWORD
; Give write permissions to the memory location.
invoke VirtualProtect, lpOffset, lpLen, PAGE_EXECUTE_READWRITE, addr lpOld
.if (eax != 0)
; Write our data and return to the old permissions.
invoke RtlMoveMemory, lpOffset, lpData, lpLen
; lpOld is reused as the out-parameter here; the value it receives is not read again.
invoke VirtualProtect, lpOffset, lpLen, lpOld, addr lpOld
.endif
ret
Tools_PatchMemory endp
Tools_SetHook proc lpFrom:DWORD, lpTo:DWORD
; void Tools_SetHook(void *lpFrom, void *lpTo)
; Builds a 5-byte near jump (opcode 0E9h + rel32) to lpTo and writes it at lpFrom
; through Tools_PatchMemory. rel32 = lpTo - (lpFrom + 5), i.e. relative to the
; end of the jump instruction. Not called anywhere in the visible code.
; In:   lpFrom = address to overwrite; lpTo = jump destination.
; Out:  eax = Tools_PatchMemory's result. ebx/ecx are preserved.
; NOTE(review): lpJump is a 4-byte LOCAL but 5 bytes are written into it (the
; opcode at [ecx] and the dword at [ecx+1]); the last byte lands past the local,
; which with lpJump at [ebp-4] is the low byte of the saved ebp.
; Sets up a jump to our internal code.
LOCAL lpJump:DWORD
push ecx
push ebx
; ecx = address of the byte after the 5-byte jump; ebx = displacement to lpTo.
mov ecx, lpFrom
mov ebx, lpTo
add ecx, 05h
sub ebx, ecx
; Assemble E9 <rel32> in the local buffer.
lea ecx, lpJump
mov byte ptr [ecx], 0E9h
mov dword ptr [ecx+1], ebx
invoke Tools_PatchMemory, lpFrom, addr lpJump, 5
pop ebx
pop ecx
ret
Tools_SetHook endp
Tools_MoveString proc lpDest:DWORD, lpSource:DWORD
; void Tools_MoveString(char *lpDest, const char *lpSource)
; Copies the NUL-terminated string at lpSource to lpDest, terminator included.
; This is an unbounded forward byte copy (strcpy semantics): lpDest must be large
; enough, and nothing checks for overlap.
; In:   lpDest = destination buffer; lpSource = NUL-terminated source.
; Out:  memory at lpDest. eax untouched; ebx/ecx/edx preserved; flags clobbered.
; Moves and terminates a string in memory.
    push    ecx
    push    ebx
    push    edx
    mov     ecx, lpSource               ; ecx = read cursor
    mov     ebx, lpDest                 ; ebx = write cursor
    .repeat
        ; Copy one byte; the terminator itself is copied on the final pass,
        ; which is what ends the loop.
        mov     dl, byte ptr [ecx]
        mov     byte ptr [ebx], dl
        inc     ecx
        inc     ebx
    .until (dl == 00h)
    pop     edx
    pop     ebx
    pop     ecx
    ret
Tools_MoveString endp
Tools_GetDeviceContext proc szWindow:DWORD
; void Tools_GetDeviceContext(const char *szWindow)
; Finds the top-level window titled szWindow and stores its DC in hdcDevice.
; In:   szWindow = window title (FindWindow's second argument).
; Out:  hdcDevice only. eax is pushed on entry and popped before ret, so the DC
;       is NOT returned in eax despite the comment below; callers read hdcDevice.
; Notes: if FindWindow fails, GetDC is called with NULL, which yields the screen
;        DC rather than an error. No ReleaseDC appears in the visible code.
; Clobbers: ecx, edx (volatile across the API calls), flags.
; Returns and stores a device context.
push eax
mov eax, szWindow
invoke FindWindow, 0, eax
invoke GetDC, eax
mov hdcDevice, eax
pop eax
ret
Tools_GetDeviceContext endp
If you want to work together, we are working on Battleye Bypass, EAC Bypass, etc...
Discord: Xetal#8135
I am not an extreme expert either... Ever since the ring0 anti-cheats came about, the whole hobby has become not fun and very time-consuming...