Page 28 of 30 (posts #406 to #420 of 437)
  #406 posted by luckruns0ut:
    I don't have much knowledge of Warden so forgive the potentially naive question, but is it possible for them to execute any arbitrary code with Warden?

  #407 posted by Corthezz:
    Quote Originally Posted by luckruns0ut View Post
    I don't have much knowledge of Warden so forgive the potentially naive question, but is it possible for them to execute any arbitrary code with Warden?
    Quoting namreeb on this one:

    Quote Originally Posted by namreeb View Post
    Sorry to necro this, but it's actually possible to disable this RSA signature check by sending a certain packet from the server which does not have proper sanity checking in the client, and exploit a small arbitrary code execution.
    Check my blog: http://zzuks.blogspot.com

  #408 posted by namreeb:
    Before anyone asks, no I will not give out the details of that. But suffice it to say the exploit I found is not usable in a production environment.

  #409 posted by danwins:
    Adding to culino2's post:

    1.12.1.5875 client references:
    Code:
    006CA190  WardenClient_Process
    006CA1E0  ActivateNextModule
    006CA250  Warden::RawModule::Destroy
    006CA290  WardenClient_Destroy2
    006CA2F0  WardenClient_Initialize
    006CA360  Warden::RawModule::DecryptAndCreate
    006CA5C0  WardenClient_HandlePacket
    006CA640  WardenClient_Destroy
    006CA6A0  Warden::Client::OurLibrary::Data
    006CA770  Warden::Client::OurLibrary::ModuleUse
    006CA840  Warden::Client::OurLibrary::ModuleCache
    006CA8C0  Warden::Client::OurLibrary::MemoryAlloc
    006CA8E0  Warden::Client::OurLibrary::MemoryFree
    006CA900  Warden::Client::OurLibrary::StateSave
    006CA960  Warden::Client::OurLibrary::StateLoad
    007A79D0  Warden::RawModule::Create
    007A7D80  UnloadWardenModule
    misc:

    Code:
    00811330  s_publicKeyModulus ( used for verification of the module during loading )
    00811430  s_publicKeyExponent
    00CE8954  s_interface ( pointer to the clients warden interface )
    00CE8958  s_wardenLock
    00CE8974  s_nextModule
    00CE8978  s_currentModule ( pointer to the warden module )
    00CE897C  s_moduleInterface ( pointer to the warden object )
    00CE8980  s_stateData ( used to store RC4 send/recv key states )
    00CE8984  s_stateSize ( size of the RC4 send/recv struct )
    00CE8988  s_lastTick
    warden:
    Code:
    functions:
    
    0000185F  Warden_Init
    00002707  Warden_MemAlloc ( calls Warden::Client::OurLibrary::MemoryAlloc )
    00002916  Warden_MemFree ( calls Warden::Client::OurLibrary::MemoryFree )
    0000563B  Warden_Sleep
    00005B22  Warden_Destroy ( called from WardenClient_Destroy )
    000073A6  Warden_SaveState ( calls Warden::Client::OurLibrary::StateSave saves the warden send/recv rc4 key states? )
    00007E83  Warden_LoadPacketHandlers
    
    packet handlers:
    
    00002B77  WARDEN_SMSG_MODULE_USE_handler
    000060AB  WARDEN_SMSG_MODULE_CACHE_handler
    00006590  WARDEN_SMSG_CHEAT_CHECKS_REQUEST_handler
    00005E1E  WARDEN_SMSG_MODULE_INITIALIZE_handler
    00001410  WARDEN_SMSG_MEM_CHECKS_REQUEST_handler
    00003812  WARDEN_SMSG_HASH_REQUEST_handler
    Last edited by danwins; 3 Weeks Ago at 04:12 AM.

  #410 posted by alexsfx:
    UPDATE2: after 20 minutes of playing I received 10 packets with check requests (on the Elysium PvE server):
    Elysium PvE (MPQ checks during a 20 min playing session):
    Code:
     
    // so it probably checks dungeon doors
    World\Lordaeron\stratholme\Activedoodads\doors\nox_door_plague.m2
    World\Kalimdor\onyxiaslair\doors\OnyxiasGate01.m2
    World\Generic\Human\Activedoodads\doors\deadminedoor02.m2
    World\Kalimdor\silithus\activedoodads\ahnqirajdoor\ahnqirajdoor02.m2
    Kronos 1 (driver checks during a 10 min playing session):
    Code:
    ndis_x86
     IPSect
    drvsys_mon
    Afd32uu
    UPDATE: I was wrong, they check MPQs according to this:
    PHP Code:
    +Warden Server package
    +-----------------------
    +
    Command2            
    +Lenght 484            
    +=======================
    +
    Payload:               

    +===============================
    +
    End of package                 
    +=============================== 


    Some Warden server packets that I explored on Elysium. This is strange, but on both servers, Kronos and Elysium, I haven't seen any Lua string, MPQ, or driver checks. These are Elysium packets:

    PHP Code:
    // decrypted packets
    +==============================+
    +
    Warden Server packets
    ++-----------------------------+
    +
    Command2            
    +Lenght 261            
    +==============================+
    +
    Payload:               

    +==============================+
    +
    End of packet                
    +==============================+

    +==============================+
    +
    Warden Server packet
    ++-----------------------------+
    +
    Command2            
    +Lenght 18            
    +==============================+
    +
    Payload:               

    0x02 0x00 0x28 0x8c 0x00          // memcheck
    0x10 0x2c 0x82 0x00 0x06          // 0x00822c10  reads 0x06 bytes at  wow .rdata section
    0x8c 0x00 0xd4 0xbc 0xc7          // 0x00c7bcd4  reads 0x04 bytes at  wow .data section
    0x00 0x04 0x7f 
    +===============================+
    +
    End of packet                 +
    +===============================+
    +===============================+
    +
    Warden Server packet
    ++------------------------------+
    +
    Command2            
    +Lenght 18            
    +===============================+
    +
    Payload:               

    0x02 0x00 0x28 0x8c 0x00          // another memcheck
    0x10 0x2c 0x82 0x00 0x06          // reads the same bytes as before
    0x8c 0x00 0xd4 0xbc 0xc7 
    0x00 0x04 0x7f 
    +===============================+
    +
    End of packet                 
    +===============================+

    // And so on 
    Last edited by alexsfx; 3 Weeks Ago at 09:10 AM. Reason: added kronos info

  #411 posted by danwins:
    I'm surprised you guys can even get on Elysium, it's perpetually down for me (DDoS I guess?)

  #412 posted by danwins:
    Are there any private servers that actually make use of the Lua string check in the 79c0768d657977d697e10bad956cced1 module?

    Elysium seems to leave FrameScript::GetText unchanged from the Warden implementation on tom_rus' GitHub here (0x00819D40).

    The other functions are as expected:

    Code:
    006477A0  SFile::Open
    006487F0  SFile::GetFileSize
    00648460  SFile::Read
    00648730  SFile::Close
    00819D40  FrameScript::GetText     // offset from different binary
    0042C010  OsGetAsyncTimeMs

  #413 posted by alexsfx:
    Quote Originally Posted by danwins View Post (post #412 above, quoted in full)
    Does the Warden module use SFile::Open to open MPQs?

    Did I understand correctly?
    Via the WARDEN_SMSG_MODULE_INITIALIZE packet the server initializes the Warden module's functions that it uses to check MPQ files, Lua strings, timing and so on.
    And the offsets of those functions depend on the client version, right?
    Last edited by alexsfx; 3 Weeks Ago at 06:46 AM.

  #414 posted by danwins:
    That is what it looks like to me.

    Here's my Warden struct so far (pointed to by s_moduleInterface):
    Code:
    struct Warden
    {
      int 		field_0;
      int		field_4;
      int 		field_8;
      int 		field_C;
      int 		field_10;
      int 		field_14;
      WardenLib*	m_WardenLib;		// pointer to s_interface
      void*		m_ModuleSomething;	// something to do with downloading the warden module from the server
      KeyStates	m_KeyStates;		// struct with the warden rc4 send/recv key states
      unk_vmt*	unkPointer1;		// points to the vmt at 0x8238
      char 		m_packetBuffer[516];
      int 		m_packetBufferSize;
      int 		field_434[226];
      unk1		fnFuncImports;		// array of function pointers inside the wow binary
    };
    
    struct unk1
    {
      int		field_0;
      int		field_4;
      int		field_8;
      int		field_C;
      int		SFile_Open;		// points to SFile::Open in the wow binary
      int		SFile_GetFileSize;	// points to SFile::GetFileSize in the wow binary
      int		SFile_Read;		// points to SFile::Read in the wow binary
      int		SFile_Close;		// points to SFile::Close in the wow binary
      int		field_20;
      int		field_24;
      int		field_28;
      int		FrameScript_GetText;	// should point to FrameScript_GetText but doesnt?
      int		OsGetAsyncTimeMs;	// points to OsGetAsyncTimeMs in the wow binary
    };
    
    struct KeyStates
    {
      rc4_state	m_RC4SendKey;		// RC4 send key state
      rc4_state	m_RC4RecvKey;		// RC4 recv key state
      int		m_index;		// some index counter
    };
    
    struct rc4_state
    {
      char		perm[256];
      char		index1;
      char		index2;
    };
    Example of an MPQ check:

    1. Warden_ScanCase (0x2CFD):

    Code:
    ...
    if ( checkType == MPQ_CHECK )
      {
        Warden_PacketGetInt8(v6, &pck);
        if ( *(v6 + 8) <= *(v6 + 4) )
        {
          if ( !Warden_PacketGetString(warden, index, &string) )
            return 4;
          a3a = &off_815C;
          sha1_init(&context);
          if ( !Warden_CheckMPQFile(&warden->fnFuncImports, &string, &a3a, warden != 0 ? &warden->field_14 : 0) )
            goto LABEL_67;
          sha1_finish(&context, &digest);
          v31 = v44;
          Warden_PacketPutInt8(*(v44 + 12), 0);
          v32 = *(v31 + 12);
          qmemcpy(&v39, &digest, 0x14u);
          Warden_PacketPutBytes(v32, 0x14u, &v39);
          return 0;
        }
        return 3;
      }
    ...
    2. Inside the Warden_CheckMPQFile function:

    Code:
    char __userpurge Warden_CheckMPQFile@<al>(unk1 *fnFuncList@<edi>, int string, void (__stdcall ***a3)(_DWORD, _DWORD), int a4)
    {
      int v4;
      int v5;
      char v6;
      bool v7;
      int v8;
      int v9;
      int v10;
      signed int v12;
      bool v13;
      int v14;
      __int64 v15; // [sp+8h] [bp-18h]@13
      int v16; // [sp+14h] [bp-Ch]@22
      int v17; // [sp+18h] [bp-8h]@5
      int v18; // [sp+1Ch] [bp-4h]@1
    
      v4 = a4;
      v5 = (**a4)(a4, 0x4000);
      v6 = 0;
      v7 = LOBYTE(fnFuncList->field_24) == 0;
      v18 = v5;
      if ( v7 )
        goto LABEL_10;
      v8 = fnFuncList->field_20;
      if ( !v8 )
        goto LABEL_10;
      v9 = v8 - 1;
      if ( v9 )
      {
        if ( v9 != 1 )
        {
    LABEL_10:
          (*(*v4 + 4))(v4, v18);
          return 0;
        }
        v10 = (fnFuncList->SFile_Open)(string, &v17);
      }
      else
      {
        v10 = (fnFuncList->field_0)(string, &v17);
      }
      if ( !v10 )
        goto LABEL_10;
      if ( !sub_5C57(v17) )
      {
        (*(*a4 + 4))(v18);
        sub_7947(v17);
        return 0;
      }
      if ( HIDWORD(v15) > 0 )
        goto LABEL_17;
    LABEL_14:
      if ( v15 <= 0 )
      {
        v6 = 1;
      }
      else
      {
        while ( 1 )
        {
          if ( HIDWORD(v15) <= 0 && (v12 = v15, v15 <= 0x4000) )
          {
            if ( v15 > 0xFFFFFFFF )
              break;
          }
          else
          {
    LABEL_17:
            v12 = 0x4000;
          }
          if ( fnFuncList->field_20 == 1 )
          {
            v13 = (fnFuncList->field_8)(v17, v18, v12, &v16, 0) != 0;
            v14 = v13 != 0 ? v16 : 0;
          }
          else
          {
            if ( fnFuncList->field_20 != 2 )
              break;
            v13 = (fnFuncList->SFile_Read)(v17, v18, v12, &string, 0, 0) != 0;
            v14 = v13 != 0 ? string : 0;
          }
          if ( !v13 || v12 != v14 )
            break;
          (**a3)(v18, v12);
          v15 -= v12;
          if ( !HIDWORD(v15) )
            goto LABEL_14;
        }
      }
      (*(*a4 + 4))(v18);
      sub_7947(v17);
      return v6;
    }
    Last edited by danwins; 3 Weeks Ago at 12:06 PM. Reason: more
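    A readable reimplementation of the MPQ check path shown in the two decompiled snippets above (open through the imported SFile functions, SHA-1 the file in 0x4000-byte reads, reply with a result byte plus the 20-byte digest), added here as an example and not danwins' code or the Warden module's. SFile below is a constructed in-memory stand-in for the SFile imports, and the 0x01 failure byte is an assumption.

```python
import hashlib

CHUNK = 0x4000       # read size used by Warden_CheckMPQFile
SHA1_LEN = 0x14      # digest length copied into the reply

# Constructed stand-in for the MPQ archive contents: path -> file bytes.
FAKE_MPQ = {"World\\Kalimdor\\onyxiaslair\\doors\\OnyxiasGate01.m2": bytes(range(256)) * 100}


class SFile:
    """Stand-in for the SFile::Open/GetFileSize/Read/Close imports in fnFuncImports."""
    def __init__(self, files):
        self.files = files

    def open(self, path):                  # returns a handle, or None when SFile::Open fails
        return {"data": self.files[path], "pos": 0} if path in self.files else None

    def get_file_size(self, h):
        return len(h["data"])

    def read(self, h, want):               # may return fewer bytes than requested
        chunk = h["data"][h["pos"]:h["pos"] + want]
        h["pos"] += len(chunk)
        return chunk

    def close(self, h):
        h["pos"] = -1


def mpq_check(sfile, path):
    """Client side of MPQ_CHECK: open the file through the imported SFile functions,
    SHA-1 it in 0x4000-byte reads and reply with result byte 0x00 + 20-byte digest.
    Open failure or a short read (the decompile's `v12 != v14` break) fails the check;
    the 0x01 failure byte is an assumption, the server only tests for non-zero."""
    h = sfile.open(path)
    if h is None:
        return b"\x01"
    try:
        remaining = sfile.get_file_size(h)
        ctx = hashlib.sha1()
        while remaining > 0:
            want = min(CHUNK, remaining)
            data = sfile.read(h, want)
            if len(data) != want:
                return b"\x01"
            ctx.update(data)               # the (**a3)(buf, n) callback: sha1 update
            remaining -= want
        return b"\x00" + ctx.digest()
    finally:
        sfile.close(h)


def pristine_digest(data):
    """Server side: the reference SHA-1 stored for the unmodified file."""
    return hashlib.sha1(data).digest()


def server_verify_mpq(reply, expected):
    """Server side: result byte must be 0 and the digest must equal the stored one."""
    return len(reply) == 1 + SHA1_LEN and reply[0] == 0 and reply[1:] == expected
```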

  #415 posted by alexsfx:
    Quote Originally Posted by danwins View Post (post #414 above, quoted in full)
    Thanks a lot for your research, man.

  #416 posted by alexsfx:
    I think here:
    Quote Originally Posted by danwins View Post
    Code:
    ...
    
    if ( checkType == MPQ_CHECK )
    {
        Warden_PacketGetInt8(v6, &pck);
        if ( *(v6 + 8) <= *(v6 + 4) )
        {
          if ( !Warden_PacketGetString(warden, pck, &string) )
            return 4;
    ...
          return 0;
        }
        return 3;
      }
    ...
    should be:
    Code:
    ...
    
    if ( checkType == MPQ_CHECK )
      {
        Warden_PacketGetInt8(v6, &index);
        if ( *(v6 + 8) <= *(v6 + 4) )
        {
          if ( !Warden_PacketGetString(warden, index, &string) )
            return 4;
           ...
          return 0;
        }
        return 3;
      }
    ...
    according to this:
    Code:
    ...
    void WardenWin::RequestData()
    {
        ...
        for (uint16 i = 0; i < sWorld.getConfig(CONFIG_UINT32_WARDEN_NUM_OTHER_CHECKS); ++i)
        {
             switch (wd->Type)
             {
                case MPQ_CHECK:
                case LUA_STR_CHECK:
                case DRIVER_CHECK:
                    buff << uint8(wd->Str.size());
                    buff.append(wd->Str.c_str(), wd->Str.size());
                    break;
                default:
                    break;
            }
        }
        ...
        for (std::list<uint16>::iterator itr = _currentChecks.begin(); itr != _currentChecks.end(); ++itr)
        {
            wd = sWardenCheckMgr->GetWardenDataById(build, *itr);
            type = wd->Type;
            buff << uint8(type ^ xorByte);
            if (wd)
            {
                   ....
                switch (wd->Type)
                {
                    ....
                    case MPQ_CHECK:
                    case LUA_STR_CHECK:
                    {
                        buff << uint8(index++);
                        break;
                    }
                    ...
                    default:
                        break;
                }
            }
        }
        ...
    
    }
    ..
    Last edited by alexsfx; 3 Weeks Ago at 11:04 AM.
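    The request layout that the Elysium dumps in #410 and the RequestData loop quoted just above share (opcode, uint8 length-prefixed string table, 0x00 terminator, per-check type byte XORed with xorByte, xorByte again as end marker) can be built and walked in a few lines. This is an added example written for this thread, not code from the page or from any server core; the raw type codes are the ones the open-source server cores define (TrinityCore/cMaNGOS), which agree with the XORed bytes in the dumps, and ELYSIUM_MEMCHECK is the 18-byte packet posted above.

```python
import struct

# Raw check-type codes as defined in the open-source server cores (TrinityCore /
# cMaNGOS); the dumps above carry them XORed with xorByte = 0x7f, e.g.
# 0xF3 ^ 0x7f = 0x8c (MEM_CHECK) and 0x57 ^ 0x7f = 0x28 (TIMING_CHECK).
CHECK_TYPES = {"MEM_CHECK": 0xF3, "PAGE_CHECK_A": 0xB2, "PAGE_CHECK_B": 0xBF,
               "MPQ_CHECK": 0x98, "LUA_STR_CHECK": 0x8B, "DRIVER_CHECK": 0x71,
               "TIMING_CHECK": 0x57}       # PROC_CHECK / MODULE_CHECK left out
TYPE_NAMES = {v: k for k, v in CHECK_TYPES.items()}
WARDEN_SMSG_CHEAT_CHECKS_REQUEST = 0x02


def build_request(strings, checks, xor_byte):
    """Server side, mirroring the RequestData loop quoted above: opcode, uint8
    length-prefixed string table, 0x00 terminator, an implicit TIMING_CHECK,
    each check as (type ^ xorByte) + body, and xorByte again as end marker."""
    out = bytearray([WARDEN_SMSG_CHEAT_CHECKS_REQUEST])
    for s in strings:
        raw = s.encode("ascii")
        out += bytes([len(raw)]) + raw
    out += bytes([0x00, CHECK_TYPES["TIMING_CHECK"] ^ xor_byte])
    for c in checks:
        name = c["type"]
        out.append(CHECK_TYPES[name] ^ xor_byte)
        if name == "MEM_CHECK":                        # module index 0 = main binary
            out += struct.pack("<BIB", 0, c["addr"], c["len"])
        elif name in ("PAGE_CHECK_A", "PAGE_CHECK_B"):  # seed, SHA-1, address, length
            out += struct.pack("<I", c["seed"]) + c["sha1"] + struct.pack("<IB", c["addr"], c["len"])
        elif name in ("MPQ_CHECK", "LUA_STR_CHECK"):    # 1-based string-table index
            out.append(c["index"])
        elif name == "DRIVER_CHECK":                    # seed, SHA-1, string index
            out += struct.pack("<I", c["seed"]) + c["sha1"] + bytes([c["index"]])
        else:
            raise ValueError("unsupported check type " + name)
    out.append(xor_byte)
    return bytes(out)


def parse_request(pkt):
    """Client side: walk a decrypted request. The real client knows xorByte from
    its RC4 input key; here it is recovered from the trailing end marker."""
    if pkt[0] != WARDEN_SMSG_CHEAT_CHECKS_REQUEST:
        raise ValueError("not a WARDEN_SMSG_CHEAT_CHECKS_REQUEST")
    xor_byte = pkt[-1]
    pos, strings = 1, []
    while pkt[pos] != 0x00:                             # string table until 0x00
        n = pkt[pos]
        strings.append(pkt[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    pos += 1
    checks = []
    while pos < len(pkt) - 1:                           # stop before the end marker
        name = TYPE_NAMES.get(pkt[pos] ^ xor_byte)
        pos += 1
        if name == "TIMING_CHECK":
            checks.append(("TIMING_CHECK",))
        elif name == "MEM_CHECK":
            idx, addr, ln = struct.unpack_from("<BIB", pkt, pos)
            checks.append(("MEM_CHECK", idx, addr, ln))
            pos += 6
        elif name in ("PAGE_CHECK_A", "PAGE_CHECK_B"):
            seed, = struct.unpack_from("<I", pkt, pos)
            addr, ln = struct.unpack_from("<IB", pkt, pos + 24)
            checks.append((name, seed, bytes(pkt[pos + 4:pos + 24]), addr, ln))
            pos += 29
        elif name in ("MPQ_CHECK", "LUA_STR_CHECK"):
            checks.append((name, strings[pkt[pos] - 1]))
            pos += 1
        elif name == "DRIVER_CHECK":
            seed, = struct.unpack_from("<I", pkt, pos)
            checks.append((name, seed, bytes(pkt[pos + 4:pos + 24]), strings[pkt[pos + 24] - 1]))
            pos += 25
        else:
            raise ValueError("unknown check type at offset %d" % (pos - 1))
    return strings, checks


# The 18-byte Elysium memcheck packet quoted above (decrypted bytes as posted).
ELYSIUM_MEMCHECK = bytes.fromhex("02 00 28 8c 00 10 2c 82 00 06 8c 00 d4 bc c7 00 04 7f")
```

    Running parse_request(ELYSIUM_MEMCHECK) yields an empty string table, a TIMING_CHECK and the two memchecks annotated in the dump (0x00822c10 for 6 bytes, 0x00c7bcd4 for 4 bytes).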

  #417 posted by danwins:
    This is correct; mine is just broken due to horrible calling conventions and laziness.

  #418 posted by TOM_RUS:
    I see you guys are digging into something I already did back in 2010; maybe you can make some use of this stuff: warden.zip.

  #419 posted by danwins:
    @tom_rus what date/build did you dump the 79c0768d657977d697e10bad956cced1 module from?
    Last edited by danwins; 3 Weeks Ago at 10:58 PM.

  #420 posted by TOM_RUS:
    Quote Originally Posted by danwins View Post
    @tom_rus what date/build did you dump the 79c0768d657977d697e10bad956cced1 module from?
    I don't remember exact date/build, but that was around 3.3.x time frame.

 

 
