Hello,
If you're trying to hide your .dll module, your best approach would be to inject it using manual mapping. Alternatively, you can hook both Module32First and Module32Next, and if the iteration lands on the DLL you want to spoof, simply skip it by redirecting to the next module.
Pattern -> 55 8B EC 81 EC ? ? ? ? A1 ? ? ? ? 33 C5 89 45 FC 83 A5 ? ? ? ? ? 8B C1 83 78 38 00
Code:
int __thiscall Warden::ModuleCheck(_DWORD *this, const void *a2, int a3)
{
    int result; // eax
    int v4; // ebx
    char v5[4]; // [esp+4h] [ebp-204h] BYREF
    int v6; // [esp+8h] [ebp-200h]
    int v7; // [esp+Ch] [ebp-1FCh] BYREF
    char v8[224]; // [esp+10h] [ebp-1F8h] BYREF
    char v9[20]; // [esp+F0h] [ebp-118h] BYREF
    char v10[256]; // [esp+104h] [ebp-104h] BYREF

    v6 = 0;
    if ( !this[14] )
        return 0;
    result = (**(int (__thiscall ***)(_DWORD))this[14])(this[14]);
    v4 = result;
    if ( result )
    {
        if ( (*(unsigned __int8 (__thiscall **)(int, int *, char *, char *, int))(*(_DWORD *)result + 4))(result, &v7, v5, v10, 255) )
        {
            while ( 1 )
            {
                user32_CharUpperBuffA(v10, strlen(v10));
                ((void (__thiscall *)(char *, int, int))unk_1CEA367B)(v8, a3, 4);
                ((void (__thiscall *)(char *, char *))unk_1CEA1450)(v8, v10);
                ((void (__thiscall *)(char *, char *))unk_1CEA16F2)(v8, v9);
                if ( !memcmp(v9, a2, 0x14u) )
                    break;
                if ( !(*(unsigned __int8 (__thiscall **)(int, int *, char *, char *, int))(*(_DWORD *)v4 + 4))(v4, &v7, v5, v10, 255) )
                    goto LABEL_9;
            }
            v6 = v7;
        }
LABEL_9:
        (**(void (__thiscall ***)(int))v4)(v4);
        result = v6;
    }
    return result;
}
-
Cush (1 member gave Thanks to Makkah for this useful post)
-
Thanks - I managed to get Module32First/Next detoured to skip my dll.
I'll probably want to patch protected lua and maybe some other 'known' hack methods. I can find the memory scan function in memory and have a working pattern which I can probably use to try and hook/detour as well, but after coming across this thread I was just wondering if there is a cleaner/nicer way to do this on injection/load than scanning for it...
My difficulty is that, playing around with the enums in the OP, I can't seem to match up the method I'm finding via watching scanned addresses with anything I'm able to find by poking around the enum. Do these point to some sort of dispatcher? I'm having a hard time trying to work out the structure of the ptr/offsets.
-
Use ReClass, put in the Warden structure pointer; once you have the structure address from dereferencing, you can view all the information you need.