So recently, I a heard from a few friends that the Starcraft II had some pretty interesting anti-cheating methods in place. I figured I’d try to check them out - though I only have a mac now. So after firing up the game, getting distracted and playing about half way through the single player — I remember why I actually installed it, to check out the anti-cheating protection. Sadly, but not surprisingly, it doesn’t appear that there is any anti-cheating protection on the mac client. It’s not really surprising because to implement something like the Warden they would need root, or some sony style rootlet for the mac ;)

Any who, it reminded me of the good old days of using ReadProcessMemory and WriteProcessMemory making quick and dirty memory hacks for Windows games. Making stuff for Diablo 2 consumed a lot of my free periods back in high school - great times! Back on topic though, it got me thinking of just dumping some sc2 memory and doing some quick memory hacks, though I never really did any of this on a mac before.

Turns out it’s also pretty easy to do some memory hacking in Mac OS X - you just need to know where to look. First of, if you found this site by googling “mac starcraft2 hacks”, then stop read — just go download “The Cheat” and use that, since it’d be easier than compiling your own program. Though basically The Cheat uses these same functions I stumbled upon.

Basically we’re going to use vm_write instead of the old WriteProcessMemory and vm_read_overwrite (or vm_read) instead of ReadProcessMemory. There’s some documentation out there but it’s pretty simple stuff to use. Below I’ve pasted an example of how easy a sc2 trainer would actually be to make;

/*
 * [ s2trainer.c ]
 * strazz@gmail.com
 * 2010
 */

#include <mach/mach.h>
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

#define MINERALS 0x03200D80

int main(int ac, char **av) {
  mach_port_t sc2_task;
  kern_return_t err;
  long value = 0;

  if(ac != 2)
    return 0;

  // Make sure we're root
  if(getuid() && geteuid())
    printf("error: requires root.");

  value = atoi(av[1]);
  err = task_for_pid(mach_task_self(), value, &sc2_task); 

  if ((err != KERN_SUCCESS) || !MACH_PORT_VALID(sc2_task))
    printf("error: getting sc2 task.");

  // Write values to stack.
  if(vm_write(sc2_task, (vm_address_t) MINERALS, (vm_address_t)&value, sizeof(value)))
    printf("error writing new mineral value");

  printf("done!\n");
  return 0;
}

Is this pretty? No - it could be much prettier than this. Is this safe? For the latest patch as of today, yes - it works fine. I wouldn’t recommend running it on any other version since the offset will change and it could lead to bad things. Will it work on a window machine? Heck no - the title says MAC OS X.

Also, yes I could have tossed SC2 into vm fusion, but thats far to much work just to mess around with a game :)

It’s been quiet a while since I’ve posted anything on my blog. It’s hard to always post information, though I felt I’ve done a good job posting relevant information I’ve researched over the past two years. It’s about time I start getting back into it - though in the mean time it’s time for a little life update. So if your here for a technical blurb - read no further since this won’t have any source code embedded in it, or post-mortems of any applications.

For the past year I’ve had an awesome job at Amadeus North America, working on an excellent new cutting edge product for the travel industry. It was a great learning experience, getting to delve into the world of rapid agile development and learn new tools such a Google Web Toolkit (GWT). I developed countless strong relationships with many coworkers, picking up plenty of coding ’style’ and quirks. Things that I directly contribute to my coding style today, and definitely something that I’m proud of. Most importantly, I have a real issue making code without writing unit tests (Thanks @RyanNorris!) and feel sick to my stomach if I ever try to check in code without JavaDocs. Looking back, I can honestly say I loved my time at Amadeus. The long days, even the stressful ones, helped me prepare for being a real software engineer - learning more than I ever had in school.

Then I meet the Lookout team…

“Lookout” is right, because these guys were insane. I grabbed some food with them while at a conference in San Francisco. Never in my life had I had such an awesome nerd-fest day. Conventions where always interesting, and you always meet interesting people - but these guys where real. They didn’t just talk the talk - they actually did very impressive things day in and day out. Much to my surprise, I had things to actually add to the many interesting talks the evolved through the night. Even more shocking to me, I was asked if I’d ever considered relocating to the west coast for a job.

I remember thinking, “Yikes, these guys are just being nice, it’d never happen”. I talked it over with my girlfriend the next morning after arriving on the red-eye. Lots of words where thrown back and forth using with “it’s probably never going to happen, but…” We agreed I’d go along with the process, like the many other times I’d been approached by companies. It never worked out before, so I wasn’t going to make a big deal of it, or even think of it as anything but a remote possibility.

Then came the phone interview… I always hated these things, they’re worse than face to face interviews because you can’t see the other person expressions. Are you talking to in-depth? Not in-depth enough? Does this person just not believe you? It’s just hard sometimes to gauge peoples reactions without being in the same room. I remember walking away from the phone interview thinking, “Damn… That either really sucked, or went really well.” Luckily, it went well and I got an email asking if I could come out to San Francisco for an interview. This is when everything really started to him me, could I really be getting the dream job I’ve always wanted?

To shorten this post, since I’ve already babbled along for too long - I came in for the interview and ended up doing well. Some of the most interesting interview questions I’ve ever heard where asked, like “How would you exploit this code?” from Anthony Lineberry. After the interview, I actually ended up getting an offer that blew my mind away. It was settled, there was no question in my mind that I wanted this job. My family kept reminding me, sometimes your favorite hobby isn’t the best job… Thank god that didn’t hold true :)

So I up and moved to San Francisco, got an awesome apartment with some killer roommates. Now i’ve been a part of the Lookout Mobile Security team for almost a month now. Officially I’m a “Security Response Engineer” (I know, that’s bad ass, never thought I’d have that title..) and getting to learn more and do more thing with Android and other mobile systems than I thought I’d get too. I know get to do for work, what I did in my off hours, it’s quiet possibly the greatest adventure I’ve gotten a chance to take on yet. In the short time I’ve been here I got to even goto Defcon for my first hacker convention. I got to take in tons of great talks with many smart people, and even help with some of my coworkers presentations; “App Attack: Surviving the mobile application explosion”, “These aren’t the permissions you’re looking for”.

Anyway, just figured I’d use this as a kick off post as I get back into the gear with blogging again. For now though, I’m going to get back to doing my part with this awesome team in keeping mobile safe and developers smart.

Much similar to a previous post I had, “Brutal” Google coding humor…, I was perusing over some code in the AOSP and found an interesting comment:

// XXX: PROTECT FROM VIKING KILLER

Below is the full snippet from the file, logwrapper.c.

void child(int argc, char* argv[]) {
    // create null terminated argv_child array
    char* argv_child[argc + 1];
    memcpy(argv_child, argv, argc * sizeof(char *));
    argv_child[argc] = NULL;

    // XXX: PROTECT FROM VIKING KILLER
    if (execvp(argv_child[0], argv_child)) {
        LOG(LOG_ERROR, "logwrapper",
            "executing %s failed: %s", argv_child[0], strerror(errno));
        exit(-1);
    }
}

I’m not sure if “Viking Killer” is an inside joke, an actual good comment or what. Though read allowed - it sounds like a badly named european adult film…