Lame Way To Protect Against War3Map.j Hacking

[krille]

This is VERY EASY to reverse once you're aware of it. But it's interesting just the same.

Simply use this code somewhere in your game code (it shouldn't even ever have to be triggered to work):

Code: Select all

call CreateQuestBJ(0,"Something Here... irrelevant", "REPLACE THIS", "ReplaceableTextures\\CommandButtons\\BTNHolyBolt.blp")

"REPLACE THIS" should be replaced by a string literal (not a variable). If the length (the number of characters) of this string literal exceeds 1023 (if it's 1024 characters long or longer) WC3 will crash whenever the map is selected (in the "create game" or "custom game" screens). NOTE: Although I have only tested this for the CreateQuestBJ function, it probably works the same way for most (if not all) functions.
(Why 1023 characters? Most likely because "0x00" or "\0" or NULL is appended automatically to any string thus making it 1024 or 2^10 "under the hood".)

The trick here lies in how line breaks can be represented in many different ways and that WC3 reliably understands at the very least two of these representations: CR (carriage return, 0x0D, used most prominently in Mac environments) and CR+LF (carriage return + line feed, 0x0D0A, used most prominently in Windows environments). As you can see, CR occupies only 1 byte (one character) while CR+LF is 2 bytes long (two characters), yet they do the exact same thing (within WC3). So, what does this give?

Since the vast majority of WC3 users and modders use Windows, their line breaks will be saved as CR+LF (per default). But what if we previously, in our war3map.j source file, used CR for our line breaks, what happens then? It depends, but most often the file editor will load the file correctly, but later when saving it CR+LF will be used to encode any line breaks. (JassCraft, for instance, works this way. And I dare say it's the most popular Jass editor out there.) So, how do we exploit this?

All we have to do to exploit the above weakness is to make sure our string literal is less than 1024 characters in length when saved using CR to represent our line breaks (btw Jass has no problem handling line breaks within string literals in the war3map.j source file, so there’s no need to use "\n" or anything like that), yet exceeds 1023 characters in length when CR+LF is used to encode any line breaks. Thus the string literal should contain at the very least one CR, preferably lots of them, and be at least (1024 - [Number of CRs]) characters long. Just try to make the actual text make sense, as to hide its real intent.

You may have to use a hex editor (or an optimizer with this functionality) to assert those line breaks become only CRs and not CR+LFs in the file. If done correctly, when your average cheater/modder tries to hack your map by extracting, modifying and reimporting the war3map.j, even though his code works like a charm, your code will cause the map to crash because he introduced errors in it without even knowing it just by saving your war3map.j.

Easy as pie!

~ Kris

edit: Essentially rewrote the entire thing to improve comprehension.

[Ozzapoo]

Wtf.. That's confusing

[krille]

Wtf.. That's confusing

It is... "REPLACE THIS" should be something like "lalalalalalal
lalalalalala
lalalal
lalalalalalalala
lalalalal
lalalalalala"

And about 1023 characters long. The goal is to make it exceed 1024 characters when all Cr's (0x0D) turn into CrLf's (0x0D0A). A 1024 characters long or longer array of literals as the argument to this function (most likely to many other functions as well) will crash TFT. Why? I don't know. Poor programming? Bug introduced by optimizations? I really don't know.

Why do this? To confuse newbies (like myself) and prevent them from cheating your map, mainly. Observant users will notice this difference simply by comparing the original with the saved version in a hex editor.

What exactly is it that you don't understand?

[Ozzapoo]

How is that 1023 characters?

[Dekar]

Uhh nice find!
Linux, Mac and Windows have several ways to define a line break,
he does it the Linux way (maybe I'm wrong and it's the mac way... ask Wiki )
A Windows editor will convert it to the Windows linebreak (from 1 to 2 byte) so it'll grow and crash

greets Dekar

ps:
just had a look at wiki... it's the mac way!

* LF: Multics, Unix and Unix-like systems (GNU/Linux, AIX, Xenix, Mac OS X, etc.), BeOS, Amiga, RISC OS, and others
* CR+LF: DEC RT-11 and most other early non-Unix, non-IBM OSes, CP/M, MP/M, DOS, OS/2, Microsoft Windows
* CR: Commodore machines, Apple II family, Mac OS up to version 9 and OS-9

[Ozzapoo]

I see....

[Shamanno1]

Thx for sharing this:D

[Ozzapoo]

Hm... So what editor do we use to make sure it's 1023 chars long ?

[krille]

Hm... So what editor do we use to make sure it's 1023 chars long ?

I use a hex editor to make sure there are only Cr's and not CrLf's in that particular string of the war3map.j. If there are CrLf's, use space or something instead and manually change it using a hex editor to Cr. I think WarCraft's native Map Editor makes it only Cr by default, either that or an Optimizer should do it.

Thx for sharing this:D

np. I'm all against the corruption or "protection" of maps anyway. I want things to be as well-documented as possible, so I share in the hope that others will do the same. (Although I know certain people won't and wouldn't even share this.)

[Gloomfrost]

Hey if after adding the code, the map was optimized in any way, would it screw this protection up, or is it best to add it in AFTER the optimization?


Also as a side note: is widgetizer ment to be used BEFORE vex's opt? and if we're planning to use both, do settings need to change in either programs?
P.S: I'm not a noob, just haven't used the widgetizer before