Demo Map Hidden Script

[saw792]

Hidden Script​

I just thought I'd share this snippet I discovered. The demo map below shows how it is possible to hide code within other files in the map. In the example within the map, an admin password has been hidden within the model file imported in the map and retrieved through the use of gamecache.

You can see in the map script that at no stage is the comparison string set, yet when the correct password is typed the matching message appears.

Map Code:

scope AdminPassword initializer Init
  
  globals
    private gamecache g = InitGameCache("preload.w3v")
  endglobals
  
  private function Conditions takes nothing returns boolean
    local string s = GetStoredString(g, "password", GetPlayerName(GetTriggerPlayer()))
    if GetEventPlayerChatString() == s and s != null then
      call DisplayTextToPlayer(GetTriggerPlayer(), 0, 0, "|cff00ff00Welcome, admin|r")
    else
      call DisplayTextToPlayer(GetTriggerPlayer(), 0, 0, "|cffff0000Incorrect admin code|r")
    endif
    return false
  endfunction
  
  private function Init takes nothing returns nothing
    local trigger t = CreateTrigger()
    call TriggerRegisterPlayerChatEvent(t, Player(0), "-", false)
    call TriggerAddCondition(t, Condition(function Conditions))
    call Preloader("war3mapimported\\model.mdx")
  endfunction
  
endscope

As I said above, this is the only code contained within the map script. It should always return the Incorrect Code message then, should it not? But it doesn't... Set your in game name to WorldEdit and type the correct code "-password1" to see the correct message.

Code inside 'model' file:

Spoiler

globals
    gamecache g = InitGameCache("preload.w3v")
endglobals

function main takes nothing returns nothing
  call StoreString(g, "password", "WorldEdit", "-password1")
  call StoreString(g, "password", "saw792", "-24947341")
endfunction

function PreloadFiles takes nothing returns nothing
  call main()
endfunction

Further explanation:

Spoiler

The model file within the map is not actually a model file at all, it is just disguised as such. Inside is a simple JASS script. The Preloader() native called from the map script points to this file and automatically executes the PreloadFiles() function within the file. This then saves the password to the gamecache where it can be reloaded within the map script.

Limitations of this method:

Spoiler

Things that can't be used within the hidden script:
BJs
Timers
Triggers
TriggerExecute/Evaluate
TriggerSleepAction
I2S (and R2S I assume)
StringHash (GetHandleId?)
<probably lots more, this is all I have tested>

Things that can be used:
Function calls
Gamecache
Global variables
ExecuteFunc (calls function from the MAIN MAP SCRIPT ONLY, not the hidden script)
CreateUnit
UnitAddAbility
Issuing orders
<probably lots more, this is all I have tested>

Perhaps somebody can find a use for this beyond hiding variable setting and such. As it stands, getting the admin code from my example doesn't actually require you to open the file since you can just modify the map to display the stored string, but I believe that is beside the point right now.

Some Examples of Use:

Spoiler

Inside Map:

scope Display initializer Init
  
  globals
    private string Code = "-"
  endglobals
  
  //! textmacro Code takes NUMBER, INTEGER
  function $NUMBER$ takes nothing returns nothing
    set Code = Code + I2S($INTEGER$)
  endfunction
  //! endtextmacro
  
  //! runtextmacro Code("Zero", "0")
  //! runtextmacro Code("One", "1")
  //! runtextmacro Code("Two", "2")
  //! runtextmacro Code("Three", "3")
  //! runtextmacro Code("Four", "4")
  //! runtextmacro Code("Five", "5")
  //! runtextmacro Code("Six", "6")
  //! runtextmacro Code("Seven", "7")
  //! runtextmacro Code("Eight", "8")
  //! runtextmacro Code("Nine", "9")
  
  private function Conds takes nothing returns boolean
    return GetEventPlayerChatString() == Code
  endfunction
  
  private function Acts takes nothing returns nothing
    call BJDebugMsg("Input successful")
  endfunction
  
  private function Init takes nothing returns nothing
    local trigger t = CreateTrigger()
    call Preloader("war3mapimported\\model.mdx") //Or whatever the path is
    call TriggerRegisterPlayerChatEvent(t, Player(0), "-", false)
    call TriggerAddCondition(t, Condition(function Conds))
    call TriggerAddAction(t, function Acts)
  endfunction
  
endscope

Inside Script:

function PreloadFiles takes nothing returns nothing
  call ExecuteFunc("Seven")
  call ExecuteFunc("Nine")
  call ExecuteFunc("Two")
endfunction

This will allow you to set your input command code from outside the script without the use of gamecache. In this example the code is "-792"

Enjoy:

 

[WilliamPa]

Thanks :O This is extremely cool thing, thank god i know it now ^^ It cannot be opened with magos, which makes it pretty easy to allocate, and gives me easy method to find these triggers

+rep

E: Text within the model:

globals
    gamecache g = InitGameCache("preload.w3v")
endglobals

function main takes nothing returns nothing
  call StoreString(g, "password", "WorldEdit", "-password1")
  call StoreString(g, "password", "saw792", "-24947341")
endfunction

function PreloadFiles takes nothing returns nothing
  call main()
endfunction

 

[saw792]

It actually works with any file type. I chose a model because it is the most 'innocent' type of file to be within a map that isn't just a text file... usually.

 

[Azlier]

Bravo. However, doesn't this open another way to put a virus in a map, now?

 

[kingkingyyk3]

Virus in Jass?

 

[Azlier]

Do the called contents necessarily have to be Jass :nuts:?

 

[lovexylitol]

This is great!

Now the cheaters have to check all the imports!

I'll have to implement this right away.

Also, It does not look like it runs win32 executables, libraries, lua scripts, but who knows? Just tried several times.

 

[UndeadDragon]

Nice find :thup:

 

[black.sheep]

Secrect items anyone?
And i'm guessing this is hard to find if you deprotect the map?
So, how exactly do you make this 'hidden' script?

 

[kingkingyyk3]

If it can load c/c++ script, Blizzard has a nightmare again.

 

[TriggerHappy]

If it can load c/c++ script, Blizzard has a nightmare again.

Is C++ special or something?

 

[saw792]

Calm down guys, it only searches the text for a specific block of text, the PreloadFiles function. If that doesn't exist within the file, it doesn't do anything. It is executed as JASS code, not as other script types.

To make your own, open up a text file and type in your code, then save it as a .mdx file, import it into your map and call Preloader("filepath") in your script when you want the actions executed.

 

[Jesus4Lyf]

Can I just ask...?

How the hell did you figure this out?

 

[saw792]

By reading about 12 slightly related threads here and on wc3c. The Preloader() native is used in melee scripts to run .pld files, which have a PreloadFiles function that calls Preload() on heaps of icons, units and all sorts of things. I found that other things could be done inside the .pld file, and then tried it on a .j file, then a .mdx file. That was about it.

 

[Jesus4Lyf]

Typecasting works just fine.

globals
    integer hax=1
	trigger trig=CreateTrigger()
endglobals
function DebugMsg takes string s returns nothing
	call DisplayTimedTextToPlayer(GetLocalPlayer(),0,0,60,s)
endfunction

function GetTimer takes nothing returns timer
	return CreateTimer()
endfunction

function ImCool takes nothing returns nothing
	call DebugMsg("I'm Cool")
endfunction

function Problem takes nothing returns boolean
	call ImCool()
	return false
endfunction

function NotBool takes nothing returns boolean
	return 1
	call ImCool()
	return false
endfunction

function main takes nothing returns nothing
call DebugMsg("Executing main")
call TimerStart(GetTimer(),0.0,false,function ImCool)
call ExecuteFunc("HitMe")
call DebugMsg(I2S(StringHash("hiya")))
call TriggerAddCondition(trig,Condition(function Problem))
call TriggerEvaluate(trig)
call GroupEnumUnitsInRange(CreateGroup(),0,0,5000,Filter(function Problem))
call DebugMsg("H2I-0x100000 of trig: "+I2S(GetHandleId(trig)))
call DebugMsg("H2I-0x100000 of filter: "+I2S(GetHandleId(Filter(function Problem))))
if NotBool() then
	call DebugMsg("Typecast")
endif
call DebugMsg("Finished executing main")
endfunction

function PreloadFiles takes nothing returns nothing
  call main()
endfunction

My tests indicate (sadly for all hackers) that it uses the same syntax engine as normal script.

StringHash fails, GetHandleId fails?... Hmm.

Edit: No, I2S fails. Returns (null) for everything.

Edit: Some freebies for people hacking away at this! (Will probably get updated.)

Spoiler

Map side:

library PreloadHacks
    globals
        private gamecache cache=InitGameCache("preload.w3v")
    endglobals
    public function WriteInt takes nothing returns nothing
        call BJDebugMsg(I2S(GetStoredInteger(cache,"globals","int")))
    endfunction
    public function WriteLabelInt takes nothing returns nothing
        call BJDebugMsg(GetStoredString(cache,"globals","string")+": "+I2S(GetStoredInteger(cache,"globals","int")))
    endfunction
endlibrary

Script side:

globals
    gamecache cache=InitGameCache("preload.w3v")
endglobals
function Msg takes string s returns nothing
	call DisplayTimedTextToPlayer(GetLocalPlayer(),0,0,60,s)
endfunction
function Int takes integer i returns nothing
	call StoreInteger(cache,"globals","int",i)
	call ExecuteFunc("PreloadHacks_WriteInt")
endfunction
function LabelInt takes string label, integer i returns nothing
	call StoreString(cache,"globals","string",label)
	call StoreInteger(cache,"globals","int",i)
	call ExecuteFunc("PreloadHacks_WriteLabelInt")
endfunction

 

[Tru_Power22]

Is C++ special or something?

Yes. Seeing as you can write Viruses/Other malicious code with it.

 

[TriggerHappy]

Yes. Seeing as you can write Viruses/Other malicious code with it.

And you can't do that in other languages :nuts:

 

[Tru_Power22]

You can, it's just really easy do do it in C. Seeing as quite a few people know that language.

(You can't make viruses directly with jass. Just FYI).

 

[saw792]

Ah right, it was the I2S that ruined my typecasting before. I only discovered I2S didn't work after trying basic typecasting.

 

[Jesus4Lyf]

Any more posts saying things like "you can write viruses in programming languages" will be -repped and deleted. It is completely irrelevant, you can't and never could execute C++/C in JASS anyway, only machine code (which of course could be used to execute C++/C, but that's a really stupid argument). It is all off topic.

I've been trying to exploit this to come up with a way to execute arbitrary code again. It doesn't seem to work. It seems the code that exists inside the dummy file only exists for during map initialisation, which suggests to me that you could, from the map, create a trigger, save its handle id to gamecache, load it from the hidden script, use unsafe typecasting to typecast back to a trigger, attach a condition function, then evaluate it from the map after a second and it may be pointing to some random place in memory (which you could fill with an array, if what Cohadar says is right about them extending dynamically) - and then a TriggerEvaluate call should execute the contents. However, this doesn't seem to work.

And if it does, it will be fixed next patch with unsafe typecasting being removed... So I don't think this poses risks in terms of viruses and other arbitrary bytecode execution...