Some warden question
  1. #1
    Valtharak

    Some warden question

    hi guys

    i would rather be able to share than ask for this but i have 0 experience with warden hiding.

    i don't want a handout but i would gladly enjoy some pointers on where to start looking to deal with warden.

    atm i'm not hooking anything and will keep my code private for myself and maybe some friends. so i guess i'm mostly safe from warden's known detection methods, am i right?

    i should be contributing a bit more again once the play rush enjoyment goes away.

  2. #2
    BitHacker

    Valtharak,

    Warden isn't running on diablo III right now. Are you trying to do this on diablo 2? An emulator of some sorts?

    -Bit_Hacker

  3. #3
    who knows

    Originally Posted by BitHacker:
        Valtharak,

        Warden isn't running on diablo III right now. Are you trying to do this on diablo 2? An emulator of some sorts?

        -Bit_Hacker

    http://www.ownedcore.com/forums/diab...take-care.html (New (updated) warden for Diablo III is now ACTIVE - Take Care!)

    Apparently it is

  4. #4
    DrGonzo

    If you aren't modifying the .code section (hooks) you'll be mostly ok.

    To find the warden loading code, put a break point on 'LoadLibrary' during login, will break somewhere in battle.net.dll
    Warden modules are cached to "C:\ProgramData\Blizzard Entertainment\Battle.net\Cache\", then inside 2 more subfolders, with a .auth extension.

    Code:
    Call stack of thread 00001444
    Address    Stack      Procedure / arguments                 Called from                   Frame
    0D61FC3C   6A88D43C   kernel32.LoadLibraryW                 battle_n.6A88D436             0D61FC5C
    0D61FC40   0EDAB560     FileName = "C:\ProgramData\Blizzar
    0D61FC60   6A60B7BF   ? battle_n.6A88D340                   battle_n.6A60B7BA
    0D61FE34   6A89E070   Includes battle_n.6A60B7BF            battle_n.6A89E06E             0D61FE30
    0D61FE64   6A98733A   Includes battle_n.6A89E070            battle_n.6A987338             0D61FE60
    0D61FEAC   6A988AD5   battle_n.6A987220                     battle_n.6A988AD0             0D61FEA8
    0D61FEBC   6A5E3C34   Includes battle_n.6A988AD5            battle_n.6A5E3C32             0D61FEB8
    0D61FEF0   6A5E650A   Includes battle_n.6A5E3C34            battle_n.6A5E6508             0D61FEEC
    0D61FF08   6A5D0924   Includes battle_n.6A5E650A            battle_n.6A5D0922             0D61FF04
    0D61FF2C   6A5D12CC   battle_n.6A5D08E0                     battle_n.6A5D12C7             0D61FF28
    0D61FF6C   6A5D18C2   battle_n.6A5D1210                     battle_n.6A5D18BD             0D61FF68
    0D61FFAC   6A5D1CFA   battle_n.6A5D1870                     battle_n.6A5D1CF5             0D61FFA8
    0D61FFB8   75EA1012   Includes battle_n.6A5D1CFA            kernel32.75EA1010             0D61FFB4
    0D61FFF0   75EA0FCA   ? kernel32.75EA0FD0                   kernel32.75EA0FC5             0D61FFEC

  5. #5
    MaiN

    Unless Warden has changed, what FearAndLawyering is saying is not correct.
    I have one hint: FlushInstructionCache.
    [16:15:41] Cypher: caus the CPU is a dick
    [16:16:07] kynox: CPU is mad
    [16:16:15] Cypher: CPU is all like
    [16:16:16] Cypher: whatever, i do what i want

  6. #6
    DrGonzo

    Great hint. Is any of what I posted correct? lol.

  7. #7
    broomop

    Originally Posted by MaiN:
        Unless Warden has changed, what FearAndLawyering is saying is not correct.
        I have one hint: FlushInstructionCache.

    why this? that's to flush out cached memory, how is that going to help... the only references to this were over 2 years ago.. anyway... anyone got any technical information on warden? I want to know if it scans crc and how it scans this. i don't want to bot but i want to mess about with memory editing.

  8. #8
    MaiN

    Originally Posted by FearAndLawyering:
        Great hint. Is any of what I posted correct? lol.

    I don't think so. I think those modules are the so-called thumbprint modules used during authentication, and not related to Warden.

  9. #9
    DrGonzo

    Thank you sir. I saw someone mention bp'ing LoadLibrary and ran with it

    FlushInstructionCache is called after warden is loaded into memory IIRC, it's a great hint. The bad header message isn't in the app so finding it is a bit trickier.

  10. #10
    MaiN

    Originally Posted by FearAndLawyering:
        Thank you sir. I saw someone mention bp'ing LoadLibrary and ran with it

        FlushInstructionCache is called after warden is loaded into memory IIRC, it's a great hint. The bad header message isn't in the app so finding it is a bit trickier.

    Yeah, that message was removed several patches ago in WoW. They changed their Warden loader there (Warden module header also increased by 28 bytes).

  11. #11
    Valtharak

    So the warden checker that warns which addresses are scanned works by hooking VirtualQuery and dumping what it is called with?

    also read that warden checks if VirtualQuery is hooked now. (that was from SC2 warden)

  12. #12
    _Mike

    Originally Posted by Valtharak:
        So the warden checker that warns which addresses are scanned works by hooking VirtualQuery and dumping what it is called with?

    Can't comment on how others are doing it, but personally I hook warden's memcpy to see what addresses they scan.
    It also allows me to redirect it to a copy of the original bytes in case they try to scan any addresses I've patched. Although I have done zero investigation if that's the only copy of the function or if it's inlined somewhere else, so I might just have a false sense of security. Haven't been banned yet though.

        also read that warden checks if VirtualQuery is hooked now. (that was from SC2 warden)

    No idea. Haven't bothered looking.

    This is all from wow btw. I haven't looked at D3's warden yet.
