I had a few accounts banned last night. It is very well possible they have just been too "suspicious".
So I was not surprised. I kind of pushed it.
I'm injected and just pulsing my main logic from an EndScene hook.
But what was strange about it:
- they all got hit within the same second
- they all errored out with an assertion about Jenkins slave and something being wrong with m_ctx.
First I was like: wtf, who is Jenkins and what's he got to do with my rendering stuff, which is turned off? Restarted the VMs to see the accs banned. I never had crashes before. Now all at the same time.
It feels kind of strange. So I took a look at the DirectX-related stuff in the client.
At sub_A09720 they are actually pulling the EndScene address from the vtable every frame, checking if it changed and storing it here, 0x1656B2C, if so. I don't know if this check is new, or they just did not log it in earlier versions.
Code:
    int __thiscall sub_A09720(int this)
    {
      int v1; // esi@1

      v1 = this;
      // Compare the current vtable entry at byte offset 168 with the cached copy.
      if ( *(_DWORD *)(**(_DWORD **)(this + 1196) + 168) != dword_1656B2C )
      {
        // Entry changed: remember the new value and log it.
        dword_1656B2C = *(_DWORD *)(**(_DWORD **)(this + 1196) + 168);
        D3::Log(2, 3, 0, "EndScene hooked to %08X\n", dword_1656B2C);
      }
      // Call through the same vtable entry.
      return (*(int (__stdcall **)(_DWORD))(**(_DWORD **)(v1 + 1196) + 168))(*(_DWORD *)(v1 + 1196));
    }
This actually doesn't even affect most EndScene hooks, and it would in fact be stupid to log this. Could it be possible that they are just globally storing the EndScene address, so they have it at hand if they want to scan the function itself for a hook?
I've got no idea about Warden, but I have a breakpoint on it that seems not to have been hit for hours, except from the check in sub_A09720.
So I would be glad if anybody with knowledge about Warden could comment on whether this is a possible scenario and check if 0x1656B2C is somehow related to Warden's scan list.
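
Added example, not part of the original post and not the client's code: a C sketch of the per-frame vtable-slot comparison shown in the listing, extended with two integrity checks a defender would pair with it (slot target inside the expected module, first bytes of the method matching a baseline). The struct, function names, addresses and byte values are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ENDSCENE_SLOT (168 / 4) /* byte offset 168 in a 32-bit vtable, as in the listing */
#define PROLOGUE_LEN 8
enum { SLOT_CHANGED = 1, SLOT_OUTSIDE_MODULE = 2, PROLOGUE_PATCHED = 4 };

struct monitor {                    /* hypothetical structure */
    uintptr_t cached_slot;          /* plays the role of dword_1656B2C */
    uintptr_t mod_base, mod_end;    /* range of the module that should own the method */
    uint8_t baseline[PROLOGUE_LEN]; /* known-good first bytes of the method */
};

/* One per-frame check; returns a bitmask of findings (0 = clean). */
int check_frame(struct monitor *m, const uintptr_t *vtable, const uint8_t *code)
{
    int findings = 0;
    uintptr_t cur = vtable[ENDSCENE_SLOT];
    if (cur != m->cached_slot) {    /* the comparison from the listing */
        findings |= SLOT_CHANGED;
        m->cached_slot = cur;
    }
    if (cur < m->mod_base || cur >= m->mod_end)
        findings |= SLOT_OUTSIDE_MODULE;
    if (memcmp(code, m->baseline, PROLOGUE_LEN) != 0)
        findings |= PROLOGUE_PATCHED;
    return findings;
}

/* Constructed scenarios: 0 = untouched, 1 = slot repointed, 2 = first byte patched. */
int run_scenario(int scenario)
{
    uintptr_t vtable[64] = {0};
    uint8_t code[PROLOGUE_LEN] = {0x8B, 0xFF, 0x55, 0x8B, 0xEC, 0x6A, 0xFF, 0x68};
    struct monitor m = {0x10001000u, 0x10000000u, 0x10200000u, {0}};
    memcpy(m.baseline, code, PROLOGUE_LEN);
    vtable[ENDSCENE_SLOT] = 0x10001000u;
    if (scenario == 1) vtable[ENDSCENE_SLOT] = 0x20003000u; /* address outside the module */
    if (scenario == 2) code[0] = 0xE9;                      /* x86 near-jump opcode */
    return check_frame(&m, vtable, code);
}

int main(void)
{
    for (int s = 0; s < 3; s++) printf("scenario %d -> findings %d\n", s, run_scenario(s));
    return 0;
}
```

Scenario 2 reports only PROLOGUE_PATCHED: the slot comparison stays silent when the vtable entry is untouched and the function body is modified, which is why a cached address is only useful as the starting point for a byte-level check.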