Warden Scan Info menu

User Tag List

Page 1 of 2 12 LastLast
Results 1 to 15 of 23
  1. #1
    Beaving's Avatar Sergeant
    Reputation
    21
    Join Date
    Apr 2010
    Posts
    67
    Thanks G/R
    0/0
    Trade Feedback
    0 (0%)
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    Warden Scan Info

    Warden scan info for 1.0.2.9991 (Offset scan only):

    I will update them as I receive new ones, because it is very slow. EDIT: This should be the full list as of 14th June

    Alphabetically sorted

    "Warden only" scans are guaranteed now. Although only scans that scan in the game code are listed here, all others have been filtered out as most if not all of them are fake. EDIT: Or are hash/signature scans

    Code:
    0x802118 : 0x14
    0x802128 : 0x14
    0x8026F9 : 0x20
    0x803024 : 0xD
    0x803269 : 0x24
    0x8032B9 : 0x24
    0x8032E9 : 0x24
    0x804302 : 0xB
    0x804322 : 0xB
    0x804352 : 0xB
    0x804392 : 0xB
    0x8043B2 : 0xB
    0x804492 : 0xB
    0x8044E2 : 0xB
    0x8044F2 : 0xB
    0x804502 : 0xB
    0x804512 : 0xB
    0x804522 : 0xB
    0x804532 : 0xB
    0x804562 : 0xB
    0x8045F2 : 0xB
    0x8048F8 : 0x23
    0x80490C : 0x20
    0x805020 : 0x10
    0x805908 : 0x19
    0x80701C : 0x16
    0x807020 : 0x10
    0x8071C0 : 0x1F
    0x8071E4 : 0x17
    0x8071F8 : 0x13
    0x807234 : 0x13
    0x80749C : 0x14
    0x8074BC : 0x14
    0x807724 : 0xE
    0x807CB4 : 0x17
    0x8081E0 : 0x1B
    0x808EC0 : 0x37
    0x809084 : 0x1B
    0x809110 : 0x28
    0x80A140 : 0x10
    0x80A848 : 0x13
    0x80A854 : 0x13
    0x80A858 : 0x13
    0x80A864 : 0x1F
    0x80A864 : 0x27
    0x80A864 : 0x2F
    0x80B0D0 : 0xC
    0x80DF80 : 0x6
    0x80E102 : 0x2A
    0x80E8E4 : 0xD
    0x80F1B2 : 0x2A
    0x812A40 : 0x9
    0x81605A : 0xD
    0x816740 : 0x23
    0x81A9C0 : 0x25
    0x81C03C : 0x1A
    0x81CA68 : 0x22
    0x81DA40 : 0x25
    0x81DA50 : 0x27
    0x81FD4C : 0xE
    0x82B028 : 0xD
    0x82B038 : 0xD
    0x84972D : 0x8
    0x85803C : 0xD
    0x85C14F : 0x8
    0x85E410 : 0x9
    0x862248 : 0xE
    0x869C10 : 0x30
    0x86D4F8 : 0x30
    0x86D7C8 : 0x30
    0x86D7EC : 0x30
    0x86D7F4 : 0x30
    0x86D7F8 : 0x30
    0x87A82C : 0x16
    0x87A8C4 : 0x30
    0x87B944 : 0x16
    0x87EA74 : 0x16
    0x880A2C : 0x16
    0x8B46B0 : 0x8
    0x94F336 : 0x8
    0x94F700 : 0x8
    0x97AFE0 : 0xA
    0x981BB2 : 0xA
    0x9E4E73 : 0xB
    0x9E4E83 : 0xC
    0xA020FC : 0x2E
    0xA020FC : 0x36
    0xA05AED : 0xB
    0xA09D80 : 0xC
    0xA5DD20 : 0x8
    0xAA8768 : 0xA
    0xACC40D : 0x7
    0xACC4B2 : 0x7
    0xACC4D0 : 0x9
    0xACFC14 : 0x8
    0xAD0045 : 0x8
    0xAD0191 : 0x9
    0xB170D3 : 0xA
    0xB1B5B0 : 0xF
    0xB1EE0F : 0xF
    0xB1EE66 : 0xD
    0xB1F9E8 : 0x8
    0xB3A2CB : 0xC
    0xB3A389 : 0x7
    0xB43450 : 0xA
    0xBB18B9 : 0x8
    0xC47590 : 0xA
    0xC88580 : 0x7
    0xF26F87 : 0xE
    Last edited by Beaving; 06-14-2012 at 01:35 PM.

    Warden Scan Info
  2. #2
    _Mike's Avatar Contributor
    Reputation
    310
    Join Date
    Apr 2008
    Posts
    531
    Thanks G/R
    0/2
    Trade Feedback
    0 (0%)
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    What do you mean by fake scans?

  3. #3
    Beaving's Avatar Sergeant
    Reputation
    21
    Join Date
    Apr 2010
    Posts
    67
    Thanks G/R
    0/0
    Trade Feedback
    0 (0%)
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Scans like this:

    Code:
    Offset: 0x1000A858 : 0x13
    Offset: 0x4A80A858 : 0x13
    Offset: 0x4AD0A858 : 0x13
    Offset: 0x6000A858 : 0x13
    Offset: 0x695CA858 : 0x13
    Offset: 0x695EA858 : 0x13
    Offset: 0x69D4A858 : 0x13
    Offset: 0x6A4DA858 : 0x13
    Offset: 0x6BEAA858 : 0x13
    Offset: 0x6BEDA858 : 0x13
    Offset: 0x6D51A858 : 0x13
    Offset: 0x6D65A858 : 0x13
    Offset: 0x6D67A858 : 0x13
    Offset: 0x6D84A858 : 0x13
    Offset: 0x6EA6A858 : 0x13
    Offset: 0x6EABA858 : 0x13
    Offset: 0x712CA858 : 0x13
    Offset: 0x7136A858 : 0x13
    Offset: 0x7146A858 : 0x13
    Offset: 0x714AA858 : 0x13
    Offset: 0x7159A858 : 0x13
    Offset: 0x715BA858 : 0x13
    Offset: 0x715CA858 : 0x13
    Offset: 0x715EA858 : 0x13
    Offset: 0x7160A858 : 0x13
    Offset: 0x7166A858 : 0x13
    Offset: 0x7178A858 : 0x13
    Offset: 0x71B5A858 : 0x13
    Offset: 0x71C8A858 : 0x13
    Offset: 0x71CCA858 : 0x13
    Offset: 0x71CEA858 : 0x13
    Offset: 0x71DDA858 : 0x13
    Offset: 0x72DFA858 : 0x13
    Offset: 0x72E5A858 : 0x13
    Offset: 0x72E8A858 : 0x13
    Offset: 0x7345A858 : 0x13
    Offset: 0x7349A858 : 0x13
    Offset: 0x734CA858 : 0x13
    Offset: 0x734DA858 : 0x13
    Offset: 0x7351A858 : 0x13
    Offset: 0x7357A858 : 0x13
    Offset: 0x7467A858 : 0x13
    Offset: 0x7468A858 : 0x13
    Offset: 0x746EA858 : 0x13
    Offset: 0x7472A858 : 0x13
    Offset: 0x7478A858 : 0x13
    Offset: 0x7483A858 : 0x13
    Offset: 0x749DA858 : 0x13
    Offset: 0x74A7A858 : 0x13
    Offset: 0x74A9A858 : 0x13
    Offset: 0x74BAA858 : 0x13
    Offset: 0x74C3A858 : 0x13
    Offset: 0x74CDA858 : 0x13
    Offset: 0x74D3A858 : 0x13
    Offset: 0x74F0A858 : 0x13
    Offset: 0x7502A858 : 0x13
    Offset: 0x7508A858 : 0x13
    Offset: 0x7517A858 : 0x13
    Offset: 0x7524A858 : 0x13
    Offset: 0x75ECA858 : 0x13
    Offset: 0x75EFA858 : 0x13
    Offset: 0x75F8A858 : 0x13
    Offset: 0x7609A858 : 0x13
    Offset: 0x761BA858 : 0x13
    Offset: 0x763AA858 : 0x13
    Offset: 0x764CA858 : 0x13
    Offset: 0x764EA858 : 0x13
    Offset: 0x7669A858 : 0x13
    Offset: 0x76DCA858 : 0x13
    Offset: 0x76F7A858 : 0x13
    Offset: 0x76FAA858 : 0x13
    Offset: 0x1001C03C : 0x1A
    Offset: 0x4A81C03C : 0x1A
    Offset: 0x4AD1C03C : 0x1A
    Offset: 0x6001C03C : 0x1A
    Offset: 0x695FC03C : 0x1A
    Offset: 0x69D5C03C : 0x1A
    Offset: 0x6A4EC03C : 0x1A
    Offset: 0x6BEBC03C : 0x1A
    Offset: 0x6BEEC03C : 0x1A
    Offset: 0x6D52C03C : 0x1A
    Offset: 0x6D85C03C : 0x1A
    Offset: 0x6EA7C03C : 0x1A
    Offset: 0x6EACC03C : 0x1A
    Offset: 0x712DC03C : 0x1A
    Offset: 0x7137C03C : 0x1A
    Offset: 0x7147C03C : 0x1A
    Offset: 0x714BC03C : 0x1A
    Offset: 0x7161C03C : 0x1A
    Offset: 0x7167C03C : 0x1A
    Offset: 0x7179C03C : 0x1A
    Offset: 0x71B6C03C : 0x1A
    Offset: 0x71C9C03C : 0x1A
    Offset: 0x71DEC03C : 0x1A
    Offset: 0x72E0C03C : 0x1A
    Offset: 0x72E6C03C : 0x1A
    Offset: 0x72E9C03C : 0x1A
    Offset: 0x7346C03C : 0x1A
    Offset: 0x7352C03C : 0x1A
    Offset: 0x7358C03C : 0x1A
    Offset: 0x7469C03C : 0x1A
    Offset: 0x746FC03C : 0x1A
    Offset: 0x7473C03C : 0x1A
    Offset: 0x7479C03C : 0x1A
    Offset: 0x7484C03C : 0x1A
    Offset: 0x749EC03C : 0x1A
    Offset: 0x74AAC03C : 0x1A
    Offset: 0x74BBC03C : 0x1A
    Offset: 0x74C4C03C : 0x1A
    Offset: 0x74CEC03C : 0x1A
    Offset: 0x74D4C03C : 0x1A
    Offset: 0x74F1C03C : 0x1A
    Offset: 0x7503C03C : 0x1A
    Offset: 0x7509C03C : 0x1A
    Offset: 0x7518C03C : 0x1A
    Offset: 0x7525C03C : 0x1A
    Offset: 0x75EDC03C : 0x1A
    Offset: 0x75F0C03C : 0x1A
    Offset: 0x75F9C03C : 0x1A
    Offset: 0x760AC03C : 0x1A
    Offset: 0x761CC03C : 0x1A
    Offset: 0x763BC03C : 0x1A
    Offset: 0x764FC03C : 0x1A
    Offset: 0x766AC03C : 0x1A
    Offset: 0x76DDC03C : 0x1A
    Offset: 0x76FBC03C : 0x1A
    There are ten thousands of them. If you want them or think they're important, just use my Wardenlogger I posted.

  4. #4
    _Mike's Avatar Contributor
    Reputation
    310
    Join Date
    Apr 2008
    Posts
    531
    Thanks G/R
    0/2
    Trade Feedback
    0 (0%)
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Nah, I know how to get them on my own I was just wondering what makes you think they're fake?
    I haven't looked at the scan functions, but given the offset alignments and warden's history in wow I think it's safe to assume that they are searching allocated pages for known patterns/hashes.

  5. #5
    st0724's Avatar Member
    Reputation
    2
    Join Date
    Feb 2007
    Posts
    60
    Thanks G/R
    0/0
    Trade Feedback
    0 (0%)
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Originally Posted by _Mike View Post
    Nah, I know how to get them on my own I was just wondering what makes you think they're fake?
    I haven't looked at the scan functions, but given the offset alignments and warden's history in wow I think it's safe to assume that they are searching allocated pages for known patterns/hashes.
    Hearts go out to all the public bot maintainers.

  6. #6
    Beaving's Avatar Sergeant
    Reputation
    21
    Join Date
    Apr 2010
    Posts
    67
    Thanks G/R
    0/0
    Trade Feedback
    0 (0%)
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Originally Posted by _Mike View Post
    Nah, I know how to get them on my own I was just wondering what makes you think they're fake?
    I haven't looked at the scan functions, but given the offset alignments and warden's history in wow I think it's safe to assume that they are searching allocated pages for known patterns/hashes.
    I had only experience with SC2's Warden and there they're using just VirtualQuery. Now D3 uses VirtualQueryEx and probaly even what you mentioned.

  7. #7
    TheArkanaProject's Avatar Private
    Reputation
    1
    Join Date
    Jun 2012
    Posts
    7
    Thanks G/R
    0/0
    Trade Feedback
    0 (0%)
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    So, assuming that these are all of the addresses, warden won't detect our bots as long as we do not modify the memory at these locations, correct?

    Also, what's the best way to intercept these scans in real-time? In other words, to shut down our bot if a modified location is being scanned? Or would this be information you're not willing to release?

    I'd love to see the source of your warden logger.

  8. #8
    Beaving's Avatar Sergeant
    Reputation
    21
    Join Date
    Apr 2010
    Posts
    67
    Thanks G/R
    0/0
    Trade Feedback
    0 (0%)
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Signature scans are still there, I didn't list these scans.

    In order to make your hack/bot proof, it should be enough to just hook RPM and VQEx.

    To track warden another way, hook FlushInstructionCache, HeapCreate...
    Last edited by Beaving; 06-14-2012 at 01:35 PM.

  9. #9
    TheArkanaProject's Avatar Private
    Reputation
    1
    Join Date
    Jun 2012
    Posts
    7
    Thanks G/R
    0/0
    Trade Feedback
    0 (0%)
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Alright, thanks for the info!

    I've never really dealt with client-side anti-botting before, so I'm a bit of a noob. I'll probably ask quite a few stupid questions. XD

    I should be able to hook VQEx, and watch for my modified memory locations to be scanned. If they are, shut down. Correct?

    Are signature scans only used for identifying other processes on the computer, or are hashes of memory blocks checked as well?
    Last edited by TheArkanaProject; 06-26-2012 at 09:45 PM.

  10. #10
    Beaving's Avatar Sergeant
    Reputation
    21
    Join Date
    Apr 2010
    Posts
    67
    Thanks G/R
    0/0
    Trade Feedback
    0 (0%)
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Hashes are checked as well.

    I recommend using system DLL IAT Hooks to hook the API's, otherwise it's very easy to detect.

    For VQEx, just check if your modified locations AND your module are scanned, if they are, return an empty block

    Code:
    			lpBuffer->AllocationBase = 0;
    			lpBuffer->AllocationProtect = 0;
    			lpBuffer->State = MEM_FREE;
    			lpBuffer->Protect = PAGE_NOACCESS;
    			lpBuffer->Type = 0;
    For RPM, you can also just hook it with an IAT hook.

    Do a memory copy of D3 game code (starting at 0x800k), and just redirect all scans to there, so it always scans clean code. Although you have to check if they scan outside of the game code and take appropriate actions. You would need to reverse Warden and hook there to see what hashes are checked.

    EDIT: Oh lol btw, there are at least 2 exploits/bugs in the Warden code that will **** it up and disable it. Keep searching guys :P
    Last edited by Beaving; 06-14-2012 at 02:07 PM.

  11. #11
    Valtharak's Avatar Master Sergeant
    Reputation
    51
    Join Date
    Feb 2011
    Posts
    105
    Thanks G/R
    0/0
    Trade Feedback
    0 (0%)
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    doesn't warden disconnect you if it doesn't get an answer from you? refering to your disablign warden?

  12. #12
    Jens's Avatar Contributor
    Reputation
    179
    Join Date
    Sep 2006
    Posts
    251
    Thanks G/R
    0/0
    Trade Feedback
    0 (0%)
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Originally Posted by Valtharak View Post
    doesn't warden disconnect you if it doesn't get an answer from you? refering to your disablign warden?

    not if it unloads itself because it exploded, sounds weird though.

  13. #13
    Beaving's Avatar Sergeant
    Reputation
    21
    Join Date
    Apr 2010
    Posts
    67
    Thanks G/R
    0/0
    Trade Feedback
    0 (0%)
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    That's correct.

  14. #14
    Cypher's Avatar Kynox's Sister's Pimp
    Reputation
    1356
    Join Date
    Apr 2006
    Posts
    5,368
    Thanks G/R
    0/4
    Trade Feedback
    0 (0%)
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Originally Posted by Beaving View Post
    Hashes are checked as well.

    I recommend using system DLL IAT Hooks to hook the API's, otherwise it's very easy to detect.

    For VQEx, just check if your modified locations AND your module are scanned, if they are, return an empty block

    Code:
                lpBuffer->AllocationBase = 0;
                lpBuffer->AllocationProtect = 0;
                lpBuffer->State = MEM_FREE;
                lpBuffer->Protect = PAGE_NOACCESS;
                lpBuffer->Type = 0;
    For RPM, you can also just hook it with an IAT hook.

    Do a memory copy of D3 game code (starting at 0x800k), and just redirect all scans to there, so it always scans clean code. Although you have to check if they scan outside of the game code and take appropriate actions. You would need to reverse Warden and hook there to see what hashes are checked.

    EDIT: Oh lol btw, there are at least 2 exploits/bugs in the Warden code that will **** it up and disable it. Keep searching guys :P

    Fyi I hooked VirtualQuery (well, actually NtQueryVirtualMemory) in a public free WoW hack once, and Blizzard just said 'screw you' and embedded code into the actual WoW client (as part of a patch, not as part of Warden) to manually load NTDLL off-disk into memory (using the NT API for memory mapping files), and then call the original bytes of the function (effectively doing a manual syscall) to detect me, so I'd be careful relying on anything that uses Windows API hooks.

    I'd be careful even if you're 'private', as Blizzard may use the technique to combat a public hack, and then there's a chance private hacks may get caught in the crossfire.
    Last edited by Cypher; 06-14-2012 at 11:05 PM.

  15. #15
    Beaving's Avatar Sergeant
    Reputation
    21
    Join Date
    Apr 2010
    Posts
    67
    Thanks G/R
    0/0
    Trade Feedback
    0 (0%)
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Yeah, I know theyve done that. Tho they didnt even care once for Sc2 doing this, and it seems that they wont care for D3 as well. Currently the warden is poorly written (at least related to security). We will see what co.es out.

Page 1 of 2 12 LastLast

Similar Threads

  1. What does warden scan for?
    By Dovah in forum World of Warcraft General
    Replies: 1
    Last Post: 04-08-2014, 07:16 PM
  2. Hook Warden Scan
    By demonguy in forum WoW Memory Editing
    Replies: 15
    Last Post: 02-28-2013, 11:03 AM
  3. Warden Scan Info 1.0.3
    By Beaving in forum Diablo 3 Memory Editing
    Replies: 11
    Last Post: 07-15-2012, 06:31 AM
  4. Warden Scanning for Viruses???
    By GliderPro in forum WoW Memory Editing
    Replies: 6
    Last Post: 09-05-2009, 08:25 AM
All times are GMT -5. The time now is 05:48 AM. Powered by vBulletin® Version 4.2.3
Copyright © 2024 vBulletin Solutions, Inc. All rights reserved. User Alert System provided by Advanced User Tagging (Pro) - vBulletin Mods & Addons Copyright © 2024 DragonByte Technologies Ltd.
Digital Point modules: Sphinx-based search