Possible they started watching for endscene hooks?

  1. #1
    boredevil

    Possible they started watching for endscene hooks?

    I had a few accounts banned last night. It is very well possible they have been just too "suspicious".
    So I was not surprised. I kind of pushed it.

    I'm injected and just pulsing my main logic from an endscene hook.

    But what was strange about it:
    - they all got hit within the same second
    - they all errored out with an assertion about Jenkins slave and something being wrong with m_ctx.
    First I was like: wtf, who is Jenkins and what's he got to do with my rendering stuff that is turned off? Restarted VMs to see the accs banned. I never had crashes before. Now all at the same time.

    It feels kind of strange. So I took a look at the DirectX-related stuff in the client.

    At sub_A09720 they are actually pulling the endscene address from the vtable every frame, checking if it changed and storing it here, 0x1656B2C, if so. I don't know if this check is new, or they just did not log it in earlier versions.

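    Code:
    int __thiscall sub_A09720(int this)
    {
      int v1; // esi@1

      v1 = this;
      // *(this + 1196) is the object whose vtable is read; byte offset 168 is
      // slot 42 (168 / 4), which is EndScene in the IDirect3DDevice9 vtable.
      if ( *(_DWORD *)(**(_DWORD **)(this + 1196) + 168) != dword_1656B2C )
      {
        // Slot differs from the cached value: update the cache and log it.
        dword_1656B2C = *(_DWORD *)(**(_DWORD **)(this + 1196) + 168);
        D3::Log(2, 3, 0, "EndScene hooked to %08X\n", dword_1656B2C);
      }
      // Forward the call through whatever the vtable slot currently holds.
      return (*(int (__stdcall **)(_DWORD))(**(_DWORD **)(v1 + 1196) + 168))(*(_DWORD *)(v1 + 1196));
    }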

    This actually doesn't even affect most endscene hooks, and it would in fact be stupid to log this. Could it be possible they are just globally storing the endscene address, so they have it at hand if they want to scan the function itself for a hook?

    I've got no idea about Warden, but a breakpoint on it seems not to have been hit for hours, except from the check in sub_A09720.

    So I would be glad if anybody with knowledge about Warden could comment on whether this is a possible scenario and check if 0x1656B2C is somehow related to Warden's scan list.

  2. #2
    Valtharak

    Glad I'm not hooking endscene :P

    Can't really help you with Warden, I know even less than you.

  3. #3
    _Mike

    That function is the only thing reading or writing to dword_1656B2C. Besides, that would be a stupid method of detecting endscene hooks because they have no way of knowing if the first vtable read is the original endscene or if it's been hooked already, or even if it's hooked by a legit application like Fraps, XSplit or similar. And like you said, there are other ways of hooking that this function won't see at all.
    Probably just some dev that thought this kind of log entry might be useful for the tech support guys.
    Last edited by _Mike; 07-19-2012 at 05:49 PM.
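
Added example (not part of any post in this thread, and not the game client's code): a C simulation of the per-frame slot comparison shown in post #1 and the baseline problem described in post #3. The device layout, the addresses and the `slot_in_module` range check are constructed assumptions; a legitimate overlay would fail that range check too.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ENDSCENE_SLOT 42   /* byte offset 168 / 4, as in the decompiled check */

typedef struct { uintptr_t *vtbl; } device_t;                  /* constructed stand-in */
typedef struct { uintptr_t base; size_t size; } module_range_t;
typedef struct { uintptr_t cached; int events; } slot_watch_t; /* cached ~ dword_1656B2C */

/* Per-frame check in the style of sub_A09720: reports only when the slot differs. */
int watch_slot(slot_watch_t *w, const device_t *dev)
{
    uintptr_t cur = dev->vtbl[ENDSCENE_SLOT];
    if (cur == w->cached) return 0;
    w->cached = cur;
    w->events++;
    return 1;
}

/* Hypothetical stricter check: slot must point into the module expected to own it. */
int slot_in_module(const device_t *dev, const module_range_t *m)
{
    uintptr_t cur = dev->vtbl[ENDSCENE_SLOT];
    return cur >= m->base && (cur - m->base) < m->size;
}

/* Constructed addresses: a graphics module range and a pointer outside it. */
static const module_range_t GFX = { 0x10000000u, 0x00200000u };
#define ORIGINAL 0x10034A10u
#define FOREIGN  0x6F001000u

/* Runs two frames; the slot is replaced before frame swap_frame (0 = never).
 * Returns events * 10 + in_module so both observations fit in one value. */
int run(int swap_frame)
{
    uintptr_t vtbl[ENDSCENE_SLOT + 1] = { 0 };
    device_t dev = { vtbl };
    slot_watch_t w = { 0, 0 };
    vtbl[ENDSCENE_SLOT] = ORIGINAL;
    for (int frame = 1; frame <= 2; frame++) {
        if (frame == swap_frame)
            vtbl[ENDSCENE_SLOT] = FOREIGN;
        watch_slot(&w, &dev);
    }
    return w.events * 10 + slot_in_module(&dev, &GFX);
}

int main(void) { printf("%d %d %d\n", run(0), run(1), run(2)); return 0; }
```

The untouched run and the run where the slot was replaced before the first frame both produce exactly one event, so the change watch alone cannot tell them apart; only the range check differs.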

  4. #4
    rootguy

    They made a statement recently that recording software and overlays could cause crashes and that using them was at your own risk.

  5. #5
    Beaving

    They still stream the very same module as in the beginning. Warden is not doing that. Although game client checks could've been added.

  6. #6
    boredevil

    Looks like I have just overdone it a little bit. The breakpoint never gets hit except for the check that emits the log message. Still got one char running with the old hookbase doing some reasonable breaks. Seems to be fine till now.

    Thanks for all answers.
