[INFO][11.0.5.57534] Warden::LoadModule menu

Shout-Out

User Tag List

Results 1 to 15 of 15
  1. #1
    numerbo's Avatar Active Member
    Reputation
    49
    Join Date
    Nov 2024
    Posts
    13
    Thanks G/R
    1/3
    Trade Feedback
    0 (0%)
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    [INFO][11.0.5.57534] Warden::LoadModule

    Code:
    void __fastcall sub_143348150(__int64 a1)
    {
      int v1; // ebx
      int v2; // esi
      __int64 v3; // r15
      __int64 (__fastcall *v5)(__int64, __int64, __int128 *, __int64 *); // r14
      __int64 v6; // rsi
      __int64 v7; // rdx
      __int64 v8; // rcx
      unsigned int v9; // ebx
      __int64 v10; // rcx
      __int64 v11; // rax
      __int64 v12; // r9
      char v13; // al
      unsigned __int16 *v14; // rsi
      unsigned int v15; // ebx
      __int64 v16; // r8
      __int64 v17; // r9
      __int64 v18; // rcx
      char v19; // al
      unsigned __int16 *v20; // rdx
      char v21; // dh
      __int64 v22; // rdx
      __int64 v23; // rbx
      __int64 v24; // rcx
      _QWORD *v25; // rcx
      int v26; // ecx
      __m128i *v27; // rcx
      __int64 v28; // rdx
      unsigned __int64 v29; // r8
      char v30; // al
      bool v31; // cf
      bool v32; // cc
      char v33; // al
      bool v34; // tt
      __int64 v35; // [rsp-8h] [rbp-88h]
      __int128 v36; // [rsp+20h] [rbp-60h] BYREF
      __int128 v37; // [rsp+30h] [rbp-50h]
      __int128 v38; // [rsp+40h] [rbp-40h]
      __int64 v39; // [rsp+50h] [rbp-30h]
      __int64 v40; // [rsp+60h] [rbp-20h]
      __int64 vars0; // [rsp+80h] [rbp+0h]
      unsigned int v42; // [rsp+A0h] [rbp+20h]
      __int64 v43; // [rsp+A8h] [rbp+28h] BYREF
      unsigned __int16 *v44; // [rsp+B0h] [rbp+30h]
      __int64 v45; // [rsp+B8h] [rbp+38h]
    
      v40 = v3;
      v43 = 0LL;
      v5 = 0LL;
      v44 = 0LL;
      v39 = 0LL;
      v36 = 0LL;
      v37 = 0LL;
      v38 = 0LL;
      v31 = __CFADD__(v2, 1094393241);
      v6 = (unsigned int)(v2 + 1094393241);
      if ( v31 )
        JUMPOUT(0x14335DE61LL);
      ((void (__fastcall *)(__int64))loc_14335AF02)(a1);
      BYTE1(v7) += 107;
      ((void (__fastcall *)(__int64, __int64))((char *)&loc_14335D1A3 + 2))(v8, v7);
      v9 = v1 + 1792002396;
      if ( (unsigned __int64)*(unsigned int *)(v9 + 4LL) + 268 <= *(_QWORD *)(v10 + 8) )
      {
        v42 = *(_DWORD *)(v9 + 8LL);
        sub_143347FA0();
        if ( !v13 )
        {
          LOBYTE(v11) = 3;
          v45 = 2051LL;
          goto LABEL_26;
        }
        if ( !(unsigned __int8)sub_1433492C0(v9 + 12LL, v44, v42, v12) )
        {
          LOBYTE(v11) = 4;
          v45 = 2052LL;
          goto LABEL_26;
        }
        vars0 = v6;
        (*(void (__fastcall **)(__int64, __int64))(*(_QWORD *)qword_1461802A8 + 16LL))(qword_1461802A8, a1);
        v14 = v44;
        if ( *v44 > v42 || *((_DWORD *)v44 + 1) > 0x100000u )
        {
          v45 = -3565LL;
        }
        else
        {
          if ( *((_BYTE *)v44 + 3) != 2 )
          {
            v45 = 3716LL;
            v11 = 2054LL;
    LABEL_25:
            v45 = v11;
            goto LABEL_26;
          }
          if ( *((_BYTE *)v44 + 2) != 1 )
          {
            v45 = 2055LL;
            v11 = 2055LL;
            goto LABEL_25;
          }
          v15 = *((_DWORD *)v44 + 1) + *v44;
          v5 = (__int64 (__fastcall *)(__int64, __int64, __int128 *, __int64 *))VirtualAlloc(v15);
          if ( !v5 )
          {
            v45 = 1646LL;
            v11 = 2056LL;
            goto LABEL_25;
          }
          sub_143348B30((__int64)&v36, v15, v16, v17, *((__int64 *)&v36 + 1), v37);
          if ( !v19 )
          {
            v45 = 81LL;
            v11 = 2057LL;
            goto LABEL_25;
          }
          qword_1461802B8 = (__int64)v44;
          v44 = 0LL;
          v20 = v14 + 4;
          v23 = (__int64)v14 + *v14 + 8;
          BYTE1(v20) = ((unsigned __int16)((_WORD)v14 + 8) >> 8) - 69;
          ((void (__fastcall *)(__int64, unsigned __int16 *))((char *)&loc_1433643E7 + 3))(v18, v20);
          ((void (*)(void))((char *)&loc_14334A34A + 5))();
          BYTE1(v22) = -v21;
          BYTE1(v23) = 80;
          ((void (__fastcall *)(__int64, __int64))((char *)&loc_14335E33B + 5))(v24, v22);
          ((void (*)(void))((char *)&loc_14335D6ED + 2))();
          sub_143351EB7(v25);
          v27 = (__m128i *)(unsigned int)(v26 + 86045097);
          LOBYTE(v27) = -49;
          sub_143347C00(v27, (const __m128i *)(0x8B4906B7 * *(_DWORD *)(v28 + 0xF4453BC)), v29);
          if ( v30 )
          {
            LODWORD(v11) = v5(v23, v35, &v36, &v43);
            if ( !(_DWORD)v11 )
              goto LABEL_26;
            v45 = 3196LL;
            v11 = 2059LL;
            goto LABEL_25;
          }
          v45 = -3544LL;
        }
        v11 = (v45 ^ 0xE4C) + 2982;
        goto LABEL_25;
      }
      LOBYTE(v11) = 2;
      v45 = 2050LL;
    LABEL_26:
      v31 = 0;
      do
      {
        v34 = v31;
        v31 = __CFADD__(v31, (_BYTE)v11);
        v33 = v34 + v11;
        v31 |= __CFADD__(v33, 4);
        v32 = v31 || v33 == -4;
        LOBYTE(v11) = v33 + 4;
      }
      while ( !v32 );
      if ( (_DWORD)v44 )
        (*(void (__fastcall **)(__int64))(*(_QWORD *)qword_1461802A8 + 16LL))(qword_1461802A8);
      if ( v5 )
        VirtualFree(v5);
      if ( qword_1461802B8 )
      {
        (*(void (__fastcall **)(__int64))(*(_QWORD *)qword_1461802A8 + 16LL))(qword_1461802A8);
        qword_1461802B8 = 0LL;
      }
    }
    Obfuscated VirtualAlloc call `void *__fastcall sub_1433478B0(SIZE_T a1)`
    Obfuscated VirtualFree call `BOOL __fastcall sub_143347970(void *a1)`

    From the module loaded it continues to load future modules from `AllocatedAddr + 0x10BCA`
    Last edited by numerbo; 3 Weeks Ago at 10:25 PM.

    [INFO][11.0.5.57534] Warden::LoadModule
  2. Thanks MrFade (1 members gave Thanks to numerbo for this useful post)
  3. #2
    numerbo's Avatar Active Member
    Reputation
    49
    Join Date
    Nov 2024
    Posts
    13
    Thanks G/R
    1/3
    Trade Feedback
    0 (0%)
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    De-obfuscated IAT

    Code:
    0x37af000 - ADVAPI32.RegCloseKey
    0x37af008 - ADVAPI32.RegCreateKeyExA
    0x37af010 - ADVAPI32.RegCreateKeyExW
    0x37af018 - ADVAPI32.RegDeleteKeyExA
    0x37af020 - ADVAPI32.RegDeleteValueA
    0x37af028 - ADVAPI32.RegEnumKeyExA
    0x37af030 - ADVAPI32.RegEnumValueA
    0x37af038 - ADVAPI32.RegFlushKey
    0x37af040 - ADVAPI32.RegOpenKeyExA
    0x37af048 - ADVAPI32.RegOpenKeyExW
    0x37af050 - ADVAPI32.RegQueryInfoKeyA
    0x37af058 - ADVAPI32.RegQueryValueExA
    0x37af060 - ADVAPI32.RegQueryValueExW
    0x37af068 - ADVAPI32.RegSetValueExA
    0x37af070 - ADVAPI32.RegSetValueExW
    0x37af078 - ADVAPI32.RegQueryMultipleValuesW
    0x37af080 - ADVAPI32.RegGetValueW
    0x37af088 - ADVAPI32.GetUserNameW
    0x37af090 - ADVAPI32.RegEnumKeyA
    0x37af098 - ADVAPI32.RegOpenKeyA
    0x37af0a0 - ADVAPI32.CryptAcquireContextW
    0x37af0a8 - ADVAPI32.CryptReleaseContext
    0x37af0b0 - ADVAPI32.CryptGenRandom
    0x37af0b8 - ADVAPI32.CryptAcquireContextA
    0x37af0c0 - ADVAPI32.ConvertStringSecurityDescriptorToSecurityDescriptorW
    0x37af0c8 - ADVAPI32.AllocateLocallyUniqueId
    0x37af0d0 - ADVAPI32.CryptGetHashParam
    0x37af0d8 - ADVAPI32.CryptCreateHash
    0x37af0e0 - ADVAPI32.CryptHashData
    0x37af0e8 - ADVAPI32.CryptDestroyHash
    0x37af0f0 - ADVAPI32.CryptDestroyKey
    0x37af0f8 - ADVAPI32.CryptImportKey
    0x37af100 - ADVAPI32.CryptEncrypt
    0x37af108 - ntdll.EtwEventRegister
    0x37af110 - ntdll.EtwEventUnregister
    0x37af118 - ntdll.EtwEventWriteTransfer
    0x37af128 - COMCTL32.InitCommonControlsEx
    0x37af138 - CRYPT32.CryptMemFree
    0x37af140 - CRYPT32.CertVerifyTimeValidity
    0x37af148 - CRYPT32.CertAddCertificateContextToStore
    0x37af150 - CRYPT32.CertGetCertificateContextProperty
    0x37af158 - CRYPT32.CertCreateCertificateContext
    0x37af160 - CRYPT32.CertOpenStore
    0x37af168 - CRYPT32.CryptDecodeObjectEx
    0x37af170 - CRYPT32.CertFreeCertificateChain
    0x37af178 - CRYPT32.CertGetNameStringA
    0x37af180 - CRYPT32.CryptUnprotectData
    0x37af188 - CRYPT32.CertNameToStrA
    0x37af190 - CRYPT32.CryptQueryObject
    0x37af198 - CRYPT32.CertGetNameStringW
    0x37af1a0 - CRYPT32.CertFreeCertificateContext
    0x37af1a8 - CRYPT32.CertFindCertificateInStore
    0x37af1b0 - CRYPT32.CertCloseStore
    0x37af1b8 - CRYPT32.CryptMsgGetParam
    0x37af1c0 - CRYPT32.CertGetIssuerCertificateFromStore
    0x37af1c8 - CRYPT32.CertFindExtension
    0x37af1d0 - CRYPT32.CertGetCertificateChain
    0x37af1d8 - CRYPT32.CertVerifyCertificateChainPolicy
    0x37af1e0 - CRYPT32.CryptStringToBinaryA
    0x37af1e8 - CRYPT32.CertEnumCertificatesInStore
    0x37af1f0 - CRYPT32.CryptStringToBinaryW
    0x37af1f8 - CRYPT32.PFXImportCertStore
    0x37af200 - CRYPT32.CertCreateCertificateChainEngine
    0x37af208 - CRYPT32.CertFreeCertificateChainEngine
    0x37af210 - CRYPT32.CryptMsgClose
    0x37af220 - GDI32.DeleteObject
    0x37af228 - GDI32.CreateDIBSection
    0x37af230 - GDI32.GetDeviceCaps
    0x37af238 - GDI32.CreateRectRgn
    0x37af240 - GDI32.CombineRgn
    0x37af248 - GDI32.BitBlt
    0x37af250 - GDI32.CreateBitmap
    0x37af258 - GDI32.CreateDCW
    0x37af260 - GDI32.DeleteDC
    0x37af268 - GDI32.GetICMProfileW
    0x37af270 - GDI32.GetDeviceGammaRamp
    0x37af278 - GDI32.SetDeviceGammaRamp
    0x37af280 - GDI32.CreateCompatibleDC
    0x37af288 - GDI32.CreateFontIndirectW
    0x37af290 - GDI32.GetTextExtentPoint32A
    0x37af298 - GDI32.SelectObject
    0x37af2a0 - GDI32.GetTextMetricsW
    0x37af2a8 - GDI32.CreateSolidBrush
    0x37af2b0 - GDI32.CreateCompatibleBitmap
    0x37af2b8 - GDI32.GetDIBits
    0x37af2c8 - IMM32.ImmNotifyIME
    0x37af2d0 - IMM32.ImmAssociateContextEx
    0x37af2d8 - IMM32.ImmAssociateContext
    0x37af2e0 - IMM32.ImmGetIMEFileNameW
    0x37af2e8 - IMM32.ImmGetCompositionStringW
    0x37af2f0 - IMM32.ImmReleaseContext
    0x37af2f8 - IMM32.ImmSetCandidateWindow
    0x37af300 - IMM32.ImmGetContext
    0x37af308 - IMM32.ImmGetIMEFileNameA
    0x37af310 - IMM32.ImmSetCompositionStringW
    0x37af318 - IMM32.ImmGetCandidateListW
    0x37af320 - IMM32.ImmSetCompositionWindow
    0x37af330 - IPHLPAPI.GetAdaptersInfo
    0x37af340 - KERNEL32.VirtualQueryEx
    0x37af348 - KERNEL32.ReadProcessMemory
    0x37af350 - KERNEL32.SwitchToFiber
    0x37af358 - KERNEL32.DeleteFiber
    0x37af360 - KERNEL32.CreateFiberEx
    0x37af368 - KERNEL32.CreateFiber
    0x37af370 - KERNEL32.ConvertThreadToFiber
    0x37af378 - KERNEL32.K32EnumProcessModules
    0x37af380 - KERNEL32.K32GetModuleFileNameExW
    0x37af388 - KERNEL32.CreateToolhelp32Snapshot
    0x37af390 - KERNEL32.Thread32First
    0x37af398 - KERNEL32.Thread32Next
    0x37af3a0 - KERNEL32.Module32FirstW
    0x37af3a8 - KERNEL32.Module32NextW
    0x37af3b0 - KERNEL32.RtlCaptureContext
    0x37af3b8 - ntdll.RtlAddVectoredExceptionHandler
    0x37af3c0 - KERNEL32.ConvertThreadToFiberEx
    0x37af3c8 - KERNEL32.GetCommandLineW
    0x37af3d0 - KERNEL32.DeleteFileA
    0x37af3d8 - KERNEL32.GetTempPathA
    0x37af3e0 - KERNEL32.GetProcessTimes
    0x37af3e8 - KERNEL32.OpenProcess
    0x37af3f0 - KERNEL32.GetSystemInfo
    0x37af3f8 - KERNEL32.GetTickCount64
    0x37af400 - KERNEL32.QueryFullProcessImageNameW
    0x37af408 - KERNEL32.Process32FirstW
    0x37af410 - KERNEL32.Process32NextW
    0x37af418 - KERNEL32.GetUserDefaultLangID
    0x37af420 - KERNEL32.GetUserDefaultLocaleName
    0x37af428 - KERNEL32.GetFullPathNameW
    0x37af430 - KERNEL32.CreateFileW
    0x37af438 - KERNEL32.GetDiskFreeSpaceExW
    0x37af440 - KERNEL32.QueryPerformanceCounter
    0x37af448 - KERNEL32.QueryPerformanceFrequency
    0x37af450 - KERNEL32.SetPriorityClass
    0x37af458 - KERNEL32.GetPriorityClass
    0x37af460 - KERNEL32.GetProcessAffinityMask
    0x37af468 - KERNEL32.SetThreadAffinityMask
    0x37af470 - KERNEL32.GetSystemTimeAsFileTime
    0x37af478 - KERNEL32.FileTimeToSystemTime
    0x37af480 - KERNEL32.GetTimeZoneInformation
    0x37af488 - KERNEL32.WerRegisterRuntimeExceptionModule
    0x37af490 - KERNEL32.WerUnregisterRuntimeExceptionModule
    0x37af498 - KERNEL32.Sleep
    0x37af4a0 - KERNEL32.LocalFree
    0x37af4a8 - ntdll.RtlInitializeSRWLock
    0x37af4b0 - ntdll.RtlReleaseSRWLockExclusive
    0x37af4b8 - ntdll.RtlAcquireSRWLockExclusive
    0x37af4c0 - ntdll.RtlTryAcquireSRWLockExclusive
    0x37af4c8 - KERNEL32.GetStdHandle
    0x37af4d0 - KERNEL32.SetHandleInformation
    0x37af4d8 - KERNEL32.CreatePipe
    0x37af4e0 - KERNEL32.SetNamedPipeHandleState
    0x37af4e8 - KERNEL32.CreateJobObjectW
    0x37af4f0 - KERNEL32.AssignProcessToJobObject
    0x37af4f8 - KERNEL32.SetInformationJobObject
    0x37af500 - KERNEL32.GetFileAttributesW
    0x37af508 - KERNEL32.CreateActCtxW
    0x37af510 - KERNEL32.ActivateActCtx
    0x37af518 - KERNEL32.DeactivateActCtx
    0x37af520 - KERNEL32.VirtualProtect
    0x37af528 - KERNEL32.CreateFileMappingW
    0x37af530 - KERNEL32.OpenFileMappingW
    0x37af538 - KERNEL32.MapViewOfFile
    0x37af540 - KERNEL32.UnmapViewOfFile
    0x37af548 - ntdll.RtlReleaseSRWLockShared
    0x37af550 - ntdll.RtlAcquireSRWLockShared
    0x37af558 - ntdll.RtlTryAcquireSRWLockShared
    0x37af560 - KERNELBASE.GetLogicalProcessorInformationEx
    0x37af568 - KERNEL32.GetNativeSystemInfo
    0x37af570 - KERNEL32.GetEnvironmentVariableW
    0x37af578 - KERNEL32.SetEnvironmentVariableW
    0x37af580 - KERNEL32.ProcessIdToSessionId
    0x37af588 - KERNEL32.GetVersionExW
    0x37af590 - KERNEL32.SetThreadExecutionState
    0x37af598 - KERNEL32.FormatMessageW
    0x37af5a0 - KERNEL32.GetSystemPowerStatus
    0x37af5a8 - KERNEL32.SetCurrentDirectoryW
    0x37af5b0 - KERNEL32.GetCurrentDirectoryW
    0x37af5b8 - KERNEL32.CreateDirectoryW
    0x37af5c0 - KERNEL32.FindClose
    0x37af5c8 - KERNEL32.FindFirstFileW
    0x37af5d0 - KERNEL32.FindNextFileW
    0x37af5d8 - KERNEL32.RemoveDirectoryW
    0x37af5e0 - KERNEL32.MoveFileW
    0x37af5e8 - KERNEL32.DeleteFileW
    0x37af5f0 - KERNEL32.FlushFileBuffers
    0x37af5f8 - KERNEL32.GetFileAttributesExW
    0x37af600 - KERNEL32.GetFileSizeEx
    0x37af608 - KERNEL32.GetFinalPathNameByHandleW
    0x37af610 - KERNEL32.ReadFile
    0x37af618 - KERNEL32.SetEndOfFile
    0x37af620 - KERNEL32.SetFileAttributesW
    0x37af628 - KERNEL32.SetFilePointer
    0x37af630 - KERNEL32.SetFilePointerEx
    0x37af638 - KERNEL32.DeviceIoControl
    0x37af640 - KERNEL32.CopyFileW
    0x37af648 - KERNEL32.MoveFileExW
    0x37af650 - KERNEL32.OutputDebugStringW
    0x37af658 - KERNEL32.GetOverlappedResult
    0x37af660 - ntdll.RtlWakeConditionVariable
    0x37af668 - KERNELBASE.SleepConditionVariableSRW
    0x37af670 - KERNEL32.LoadLibraryExW
    0x37af678 - KERNEL32.GetThreadContext
    0x37af680 - KERNEL32.GetThreadId
    0x37af688 - KERNEL32.LocalAlloc
    0x37af690 - KERNEL32.CreateFileMappingA
    0x37af698 - KERNEL32.FlushViewOfFile
    0x37af6a0 - KERNEL32.CreateMutexA
    0x37af6a8 - KERNEL32.GetLocaleInfoA
    0x37af6b0 - KERNEL32.SleepEx
    0x37af6b8 - KERNEL32.CancelIoEx
    0x37af6c0 - KERNEL32.PostQueuedCompletionStatus
    0x37af6c8 - KERNEL32.GetQueuedCompletionStatusEx
    0x37af6d0 - KERNEL32.CreateIoCompletionPort
    0x37af6d8 - KERNEL32.QueryFullProcessImageNameA
    0x37af6e0 - KERNEL32.GetVolumePathNameW
    0x37af6e8 - KERNEL32.GetDriveTypeW
    0x37af6f0 - ntdll.RtlGetCurrentProcessorNumberEx
    0x37af6f8 - KERNEL32.CompareStringA
    0x37af700 - KERNEL32.CreateSemaphoreW
    0x37af708 - KERNEL32.MulDiv
    0x37af710 - KERNEL32.GetEnvironmentVariableA
    0x37af718 - KERNEL32.SetErrorMode
    0x37af720 - KERNEL32.GetSystemDefaultLangID
    0x37af728 - KERNEL32.FlushInstructionCache
    0x37af730 - KERNEL32.SetThreadContext
    0x37af738 - KERNEL32.HeapCreate
    0x37af740 - KERNEL32.WaitForMultipleObjectsEx
    0x37af748 - KERNEL32.WaitForSingleObjectEx
    0x37af750 - KERNEL32.CancelIo
    0x37af758 - KERNEL32.WriteFileEx
    0x37af760 - KERNEL32.ReadFileEx
    0x37af768 - KERNEL32.GetUserDefaultUILanguage
    0x37af770 - KERNEL32.GetVersionExA
    0x37af778 - KERNEL32.InitializeCriticalSectionEx
    0x37af780 - KERNEL32.OpenFile
    0x37af788 - KERNEL32.GetSystemDirectoryA
    0x37af790 - KERNEL32.CreateWaitableTimerA
    0x37af798 - KERNEL32.SetWaitableTimer
    0x37af7a0 - KERNEL32.LoadLibraryA
    0x37af7a8 - KERNEL32.GetFileSize
    0x37af7b0 - KERNEL32.GetWindowsDirectoryW
    0x37af7b8 - KERNEL32.GetSystemDirectoryW
    0x37af7c0 - KERNEL32.VerifyVersionInfoW
    0x37af7c8 - ntdll.VerSetConditionMask
    0x37af7d0 - KERNEL32.GetVolumeInformationW
    0x37af7d8 - KERNEL32.WriteConsoleW
    0x37af7e0 - KERNEL32.SetStdHandle
    0x37af7e8 - KERNEL32.FreeEnvironmentStringsW
    0x37af7f0 - KERNEL32.GetEnvironmentStringsW
    0x37af7f8 - KERNEL32.FindFirstFileExW
    0x37af800 - KERNEL32.GetOEMCP
    0x37af808 - KERNEL32.CreateSemaphoreExW
    0x37af810 - KERNEL32.GetACP
    0x37af818 - KERNEL32.IsValidCodePage
    0x37af820 - KERNEL32.GetStringTypeW
    0x37af828 - KERNEL32.GetCPInfo
    0x37af830 - KERNEL32.EnumSystemLocalesW
    0x37af838 - KERNEL32.GetUserDefaultLCID
    0x37af840 - KERNEL32.IsValidLocale
    0x37af848 - KERNEL32.GetLocaleInfoW
    0x37af850 - KERNEL32.LCMapStringW
    0x37af858 - KERNEL32.CompareStringW
    0x37af860 - KERNEL32.GetTimeFormatW
    0x37af868 - KERNEL32.GetDateFormatW
    0x37af870 - KERNEL32.SetConsoleCtrlHandler
    0x37af878 - ntdll.RtlReAllocateHeap
    0x37af880 - KERNEL32.GetFileType
    0x37af888 - KERNEL32.ReadConsoleW
    0x37af890 - KERNEL32.GetConsoleMode
    0x37af898 - KERNEL32.GetConsoleOutputCP
    0x37af8a0 - ntdll.RtlSizeHeap
    0x37af8a8 - KERNEL32.GetCommandLineA
    0x37af8b0 - KERNEL32.FreeLibraryAndExitThread
    0x37af8b8 - KERNEL32.GetModuleHandleExW
    0x37af8c0 - KERNEL32.ExitProcess
    0x37af8c8 - KERNEL32.TlsFree
    0x37af8d0 - KERNEL32.TlsSetValue
    0x37af8d8 - KERNEL32.TlsGetValue
    0x37af8e0 - KERNEL32.TlsAlloc
    0x37af8e8 - KERNEL32.InitializeCriticalSectionAndSpinCount
    0x37af8f0 - ntdll.RtlInterlockedPushEntrySList
    0x37af8f8 - KERNEL32.RtlPcToFileHeader
    0x37af900 - KERNEL32.RtlUnwindEx
    0x37af908 - KERNEL32.GetStartupInfoW
    0x37af910 - ntdll.RtlInitializeSListHead
    0x37af918 - ntdll.RtlWakeAllConditionVariable
    0x37af920 - KERNEL32.GetProcessId
    0x37af928 - KERNEL32.SuspendThread
    0x37af930 - KERNEL32.OpenThread
    0x37af938 - KERNEL32.CreateThread
    0x37af940 - KERNEL32.CreateEventW
    0x37af948 - KERNEL32.GetLastError
    0x37af950 - KERNEL32.RtlVirtualUnwind
    0x37af958 - KERNEL32.RtlLookupFunctionEntry
    0x37af960 - ntdll.RtlCaptureStackBackTrace
    0x37af968 - KERNEL32.CreateSemaphoreA
    0x37af970 - KERNEL32.CreateEventA
    0x37af978 - KERNEL32.OpenMutexW
    0x37af980 - KERNEL32.CreateMutexW
    0x37af988 - KERNEL32.ReleaseMutex
    0x37af990 - KERNEL32.ReleaseSemaphore
    0x37af998 - KERNEL32.ResetEvent
    0x37af9a0 - KERNEL32.SetEvent
    0x37af9a8 - ntdll.RtlTryEnterCriticalSection
    0x37af9b0 - KERNEL32.SetProcessAffinityMask
    0x37af9b8 - KERNEL32.CreateProcessW
    0x37af9c0 - KERNEL32.ResumeThread
    0x37af9c8 - KERNEL32.GetThreadPriority
    0x37af9d0 - KERNEL32.SetThreadPriority
    0x37af9d8 - KERNEL32.GetCurrentThreadId
    0x37af9e0 - KERNEL32.GetCurrentThread
    0x37af9e8 - KERNEL32.GetCurrentProcessId
    0x37af9f0 - KERNEL32.WaitForSingleObject
    0x37af9f8 - KERNEL32.RaiseException
    0x37afa00 - KERNEL32.FormatMessageA
    0x37afa08 - KERNEL32.GetModuleFileNameW
    0x37afa10 - KERNEL32.VirtualQuery
    0x37afa18 - KERNEL32.GlobalMemoryStatusEx
    0x37afa20 - ntdll.RtlExitUserThread
    0x37afa28 - KERNEL32.TerminateProcess
    0x37afa30 - KERNEL32.GetCurrentProcess
    0x37afa38 - KERNEL32.GetProcessHeap
    0x37afa40 - KERNEL32.HeapFree
    0x37afa48 - ntdll.RtlAllocateHeap
    0x37afa50 - KERNEL32.SetLastError
    0x37afa58 - KERNEL32.CloseHandle
    0x37afa60 - KERNEL32.OutputDebugStringA
    0x37afa68 - KERNEL32.WriteFile
    0x37afa70 - KERNEL32.CreateFileA
    0x37afa78 - KERNEL32.GlobalFree
    0x37afa80 - KERNEL32.GlobalLock
    0x37afa88 - KERNEL32.GlobalUnWire
    0x37afa90 - KERNEL32.GlobalAlloc
    0x37afa98 - KERNEL32.WideCharToMultiByte
    0x37afaa0 - KERNEL32.MultiByteToWideChar
    0x37afaa8 - KERNEL32.FreeLibrary
    0x37afab0 - KERNEL32.TerminateThread
    0x37afab8 - KERNEL32.IsValidLanguageGroup
    0x37afac0 - KERNEL32.LoadLibraryW
    0x37afac8 - KERNEL32.GetTickCount
    0x37afad0 - KERNEL32.GetProcAddress
    0x37afad8 - KERNEL32.GetModuleHandleW
    0x37afae0 - KERNEL32.DuplicateHandle
    0x37afae8 - KERNEL32.IsDebuggerPresent
    0x37afaf0 - KERNEL32.GetModuleHandleA
    0x37afaf8 - KERNEL32.GetModuleFileNameA
    0x37afb00 - KERNEL32.VirtualFree
    0x37afb08 - KERNEL32.VirtualAlloc
    0x37afb10 - KERNEL32.GetLocalTime
    0x37afb18 - ntdll.RtlDeleteCriticalSection
    0x37afb20 - ntdll.RtlLeaveCriticalSection
    0x37afb28 - ntdll.RtlEnterCriticalSection
    0x37afb30 - ntdll.RtlInitializeCriticalSection
    0x37afb38 - KERNEL32.CreateDirectoryA
    0x37afb40 - KERNEL32.K32GetProcessMemoryInfo
    0x37afb48 - KERNEL32.RtlUnwind
    0x37afb50 - KERNEL32.GetFileInformationByHandle
    0x37afb58 - KERNEL32.PeekNamedPipe
    0x37afb60 - KERNEL32.SystemTimeToTzSpecificLocalTime
    0x37afb68 - ntdll.RtlInitializeConditionVariable
    0x37afb70 - KERNEL32.GetComputerNameW
    0x37afb78 - ntdll.NtFlushProcessWriteBuffers
    0x37afb88 - MSACM32.acmStreamConvert
    0x37afb90 - MSACM32.acmStreamPrepareHeader
    0x37afb98 - MSACM32.acmStreamUnprepareHeader
    0x37afba0 - MSACM32.acmStreamSize
    0x37afba8 - MSACM32.acmStreamOpen
    0x37afbb0 - MSACM32.acmFormatSuggest
    0x37afbc0 - SETUPAPI.SetupDiEnumDeviceInterfaces
    0x37afbc8 - cfgmgr32.CM_Get_Device_IDA
    0x37afbd0 - cfgmgr32.CM_Get_Parent
    0x37afbd8 - cfgmgr32.CM_Locate_DevNodeA
    0x37afbe0 - SETUPAPI.SetupDiEnumDeviceInfo
    0x37afbe8 - SETUPAPI.SetupDiDestroyDeviceInfoList
    0x37afbf0 - SETUPAPI.SetupDiGetDeviceRegistryPropertyA
    0x37afbf8 - SETUPAPI.SetupDiGetClassDevsA
    0x37afc00 - SETUPAPI.SetupDiGetDeviceInterfaceDetailA
    0x37afc10 - SHELL32.CommandLineToArgvW
    0x37afc18 - SHELL32.DragAcceptFiles
    0x37afc20 - SHELL32.DragFinish
    0x37afc28 - SHELL32.ExtractIconExW
    0x37afc30 - SHELL32.SHGetFolderPathW
    0x37afc38 - SHELL32.SHGetKnownFolderPath
    0x37afc40 - SHELL32.FindExecutableA
    0x37afc48 - SHELL32.ShellExecuteA
    0x37afc50 - SHELL32.DragQueryFileW
    0x37afc58 - SHELL32.ShellExecuteW
    0x37afc68 - USER32.UnregisterClassA
    0x37afc70 - USER32.PostThreadMessageW
    0x37afc78 - USER32.SetTimer
    0x37afc80 - USER32.KillTimer
    0x37afc88 - USER32.AttachThreadInput
    0x37afc90 - USER32.RegisterClassW
    0x37afc98 - USER32.GetFocus
    0x37afca0 - USER32.GetKeyboardState
    0x37afca8 - USER32.GetMenu
    0x37afcb0 - USER32.SetPropW
    0x37afcb8 - USER32.RemovePropW
    0x37afcc0 - USER32.GetWindowTextLengthW
    0x37afcc8 - USER32.GetClipCursor
    0x37afcd0 - USER32.IntersectRect
    0x37afcd8 - USER32.IsRectEmpty
    0x37afce0 - USER32.PtInRect
    0x37afce8 - USER32.GetWindowThreadProcessId
    0x37afcf0 - USER32.CreateIconFromResource
    0x37afcf8 - USER32.RegisterClassExA
    0x37afd00 - USER32.CreateWindowExA
    0x37afd08 - USER32.RegisterClipboardFormatA
    0x37afd10 - USER32.DialogBoxIndirectParamW
    0x37afd18 - USER32.DrawTextW
    0x37afd20 - USER32.SystemParametersInfoA
    0x37afd28 - USER32.GetMessageExtraInfo
    0x37afd30 - USER32.GetClassInfoExW
    0x37afd38 - USER32.GetAsyncKeyState
    0x37afd40 - USER32.GetUpdateRect
    0x37afd48 - USER32.ValidateRect
    0x37afd50 - USER32.GetPropW
    0x37afd58 - USER32.GetWindow
    0x37afd60 - USER32.EnumThreadWindows
    0x37afd68 - USER32.SetActiveWindow
    0x37afd70 - USER32.wsprintfA
    0x37afd78 - USER32.LoadStringA
    0x37afd80 - USER32.LoadCursorA
    0x37afd88 - USER32.SetClassLongPtrW
    0x37afd90 - USER32.InflateRect
    0x37afd98 - USER32.SetCursor
    0x37afda0 - USER32.SetPhysicalCursorPos
    0x37afda8 - USER32.ShowCursor
    0x37afdb0 - USER32.GetActiveWindow
    0x37afdb8 - USER32.MonitorFromWindow
    0x37afdc0 - USER32.MonitorFromRect
    0x37afdc8 - USER32.MonitorFromPoint
    0x37afdd0 - USER32.GetParent
    0x37afdd8 - USER32.SetWindowLongW
    0x37afde0 - USER32.SetRectEmpty
    0x37afde8 - USER32.AdjustWindowRectEx
    0x37afdf0 - USER32.SetForegroundWindow
    0x37afdf8 - USER32.EmptyClipboard
    0x37afe00 - USER32.GetClipboardData
    0x37afe08 - USER32.SetClipboardData
    0x37afe10 - USER32.CloseClipboard
    0x37afe18 - USER32.PostMessageA
    0x37afe20 - USER32.BringWindowToTop
    0x37afe28 - USER32.SetWindowPlacement
    0x37afe30 - USER32.GetWindowPlacement
    0x37afe38 - USER32.FlashWindowEx
    0x37afe40 - USER32.SetLayeredWindowAttributes
    0x37afe48 - USER32.GetLayeredWindowAttributes
    0x37afe50 - USER32.CreateWindowExW
    0x37afe58 - USER32.CharNextW
    0x37afe60 - USER32.InvalidateRect
    0x37afe68 - USER32.ReleaseCapture
    0x37afe70 - USER32.SetCapture
    0x37afe78 - USER32.RegisterRawInputDevices
    0x37afe80 - USER32.GetRawInputData
    0x37afe88 - USER32.EnumDisplayMonitors
    0x37afe90 - USER32.GetMonitorInfoW
    0x37afe98 - USER32.SystemParametersInfoW
    0x37afea0 - USER32.EnumDisplayDevicesW
    0x37afea8 - USER32.EnumDisplaySettingsW
    0x37afeb0 - USER32.CreateIconIndirect
    0x37afeb8 - USER32.LoadIconW
    0x37afec0 - USER32.DestroyCursor
    0x37afec8 - USER32.LoadCursorW
    0x37afed0 - USER32.CallNextHookEx
    0x37afed8 - USER32.UnhookWindowsHookEx
    0x37afee0 - USER32.SetWindowsHookExW
    0x37afee8 - USER32.GetWindowLongPtrW
    0x37afef0 - USER32.GetWindowLongW
    0x37afef8 - USER32.ClipCursor
    0x37aff00 - USER32.WindowFromPoint
    0x37aff08 - USER32.ScreenToClient
    0x37aff10 - USER32.ClientToScreen
    0x37aff18 - USER32.GetPhysicalCursorPos
    0x37aff20 - USER32.ReleaseDC
    0x37aff28 - USER32.GetDC
    0x37aff30 - USER32.GetForegroundWindow
    0x37aff38 - USER32.GetKeyNameTextW
    0x37aff40 - USER32.GetKeyState
    0x37aff48 - USER32.IsZoomed
    0x37aff50 - USER32.RegisterClassExW
    0x37aff58 - USER32.UnregisterClassW
    0x37aff60 - ntdll.NtdllDefWindowProc_W
    0x37aff68 - USER32.GetMessagePos
    0x37aff70 - USER32.TrackMouseEvent
    0x37aff78 - USER32.MapVirtualKeyW
    0x37aff80 - USER32.RegisterClipboardFormatW
    0x37aff88 - USER32.IsDialogMessageW
    0x37aff90 - USER32.LoadImageW
    0x37aff98 - USER32.DestroyCursor
    0x37affa0 - USER32.GetDesktopWindow
    0x37affa8 - USER32.SetWindowLongPtrW
    0x37affb0 - USER32.GetSysColor
    0x37affb8 - USER32.MessageBoxW
    0x37affc0 - USER32.GetWindowRect
    0x37affc8 - USER32.GetClientRect
    0x37affd0 - USER32.GetWindowTextW
    0x37affd8 - USER32.SetWindowTextW
    0x37affe0 - USER32.GetSystemMetrics
    0x37affe8 - USER32.EnableWindow
    0x37afff0 - USER32.SetFocus
    0x37afff8 - USER32.SetDlgItemTextW
    0x37b0000 - USER32.GetDlgItem
    0x37b0008 - USER32.EndDialog
    0x37b0010 - USER32.DialogBoxParamW
    0x37b0018 - USER32.CreateDialogParamW
    0x37b0020 - USER32.IsWindowVisible
    0x37b0028 - USER32.SetWindowPos
    0x37b0030 - USER32.ShowWindow
    0x37b0038 - USER32.DestroyWindow
    0x37b0040 - USER32.IsWindow
    0x37b0048 - USER32.PostQuitMessage
    0x37b0050 - USER32.PostMessageW
    0x37b0058 - USER32.SendMessageW
    0x37b0060 - USER32.SendMessageA
    0x37b0068 - USER32.PeekMessageW
    0x37b0070 - USER32.DispatchMessageW
    0x37b0078 - USER32.TranslateMessage
    0x37b0080 - USER32.GetMessageW
    0x37b0088 - USER32.LoadStringW
    0x37b0090 - USER32.CharLowerBuffA
    0x37b0098 - USER32.CallWindowProcW
    0x37b00a0 - USER32.GetRawInputDeviceInfoA
    0x37b00a8 - USER32.GetRawInputDeviceList
    0x37b00b0 - USER32.RegisterDeviceNotificationW
    0x37b00b8 - USER32.OpenClipboard
    0x37b00c0 - USER32.FillRect
    0x37b00c8 - USER32.ChangeDisplaySettingsExW
    0x37b00d0 - USER32.GetClipboardSequenceNumber
    0x37b00d8 - USER32.IsClipboardFormatAvailable
    0x37b00e0 - USER32.GetKeyboardLayout
    0x37b00e8 - USER32.ToUnicode
    0x37b00f0 - USER32.CopyImage
    0x37b00f8 - USER32.SetWindowRgn
    0x37b0100 - USER32.UnregisterDeviceNotification
    0x37b0108 - USER32.EnumDisplayDevicesA
    0x37b0110 - USER32.IsIconic
    0x37b0120 - VERSION.GetFileVersionInfoA
    0x37b0128 - VERSION.GetFileVersionInfoSizeA
    0x37b0130 - VERSION.VerQueryValueW
    0x37b0138 - VERSION.GetFileVersionInfoW
    0x37b0140 - VERSION.GetFileVersionInfoSizeW
    0x37b0148 - VERSION.VerQueryValueA
    0x37b0158 - WINHTTP.WinHttpCrackUrl
    0x37b0160 - WINHTTP.WinHttpOpen
    0x37b0168 - WINHTTP.WinHttpGetProxyForUrl
    0x37b0170 - WINHTTP.WinHttpGetIEProxyConfigForCurrentUser
    0x37b0178 - WINHTTP.WinHttpCloseHandle
    0x37b0180 - WINHTTP.WinHttpGetDefaultProxyConfiguration
    0x37b0190 - WINMM.waveInGetDevCapsA
    0x37b0198 - WINMM.waveOutGetPosition
    0x37b01a0 - WINMM.waveOutReset
    0x37b01a8 - WINMM.waveInReset
    0x37b01b0 - WINMM.waveOutUnprepareHeader
    0x37b01b8 - WINMM.waveOutPrepareHeader
    0x37b01c0 - WINMM.waveInOpen
    0x37b01c8 - WINMM.waveOutOpen
    0x37b01d0 - WINMM.waveOutGetDevCapsW
    0x37b01d8 - WINMM.waveOutGetDevCapsA
    0x37b01e0 - WINMM.timeGetTime
    0x37b01e8 - WINMM.waveInGetNumDevs
    0x37b01f0 - WINMM.waveOutGetNumDevs
    0x37b01f8 - WINMM.waveInGetDevCapsW
    0x37b0200 - WINMM.waveInClose
    0x37b0208 - WINMM.waveInPrepareHeader
    0x37b0210 - WINMM.waveInUnprepareHeader
    0x37b0218 - WINMM.waveInAddBuffer
    0x37b0220 - WINMM.waveOutClose
    0x37b0228 - WINMM.waveInStart
    0x37b0230 - WINMM.waveOutWrite
    0x37b0238 - WINMM.timeBeginPeriod
    0x37b0240 - WINMM.timeEndPeriod
    0x37b0250 - WINTRUST.WinVerifyTrust
    0x37b0260 - WS2_32.gethostname
    0x37b0268 - WS2_32.socket
    0x37b0270 - WS2_32.setsockopt
    0x37b0278 - WS2_32.send
    0x37b0280 - WS2_32.select
    0x37b0288 - WS2_32.recv
    0x37b0290 - WS2_32.listen
    0x37b0298 - WS2_32.getsockopt
    0x37b02a0 - WS2_32.getsockname
    0x37b02a8 - WS2_32.getpeername
    0x37b02b0 - WS2_32.WSADuplicateSocketW
    0x37b02b8 - WS2_32.connect
    0x37b02c0 - WS2_32.closesocket
    0x37b02c8 - WS2_32.bind
    0x37b02d0 - WS2_32.accept
    0x37b02d8 - WS2_32._WSAFDIsSet
    0x37b02e0 - WS2_32.WSAGetLastError
    0x37b02e8 - WS2_32.htonl
    0x37b02f0 - WS2_32.WSAIoctl
    0x37b02f8 - WS2_32.WSASend
    0x37b0300 - WS2_32.WSASocketW
    0x37b0308 - WS2_32.WSAAddressToStringA
    0x37b0310 - WS2_32.ntohs
    0x37b0318 - WS2_32.htonl
    0x37b0320 - WS2_32.ntohs
    0x37b0328 - WS2_32.WSASetLastError
    0x37b0330 - WS2_32.ioctlsocket
    0x37b0338 - WS2_32.getaddrinfo
    0x37b0340 - WS2_32.freeaddrinfo
    0x37b0348 - WS2_32.WSAStartup
    0x37b0350 - WS2_32.WSACleanup
    0x37b0358 - WS2_32.inet_addr
    0x37b0360 - WS2_32.WSAAsyncGetHostByName
    0x37b0368 - WS2_32.WSACancelAsyncRequest
    0x37b0370 - WS2_32.WSACloseEvent
    0x37b0378 - WS2_32.WSACreateEvent
    0x37b0380 - WS2_32.WSAEnumNetworkEvents
    0x37b0388 - WS2_32.WSAEventSelect
    0x37b0390 - WS2_32.WSAResetEvent
    0x37b0398 - WS2_32.WSAWaitForMultipleEvents
    0x37b03a0 - WS2_32.inet_ntop
    0x37b03a8 - WS2_32.inet_pton
    0x37b03b0 - WS2_32.inet_ntoa
    0x37b03c0 - combase.StringFromGUID2
    0x37b03d0 - bcrypt.BCryptGenRandom
    0x37b03e0 - dwmapi.DwmGetCompositionTimingInfo
    0x37b03e8 - dwmapi.DwmSetWindowAttribute
    0x37b03f0 - dwmapi.DwmGetWindowAttribute
    0x37b0400 - combase.CoCreateInstance
    0x37b0408 - ole32.RegisterDragDrop
    0x37b0410 - ole32.RevokeDragDrop
    0x37b0418 - ole32.OleInitialize
    0x37b0420 - ole32.ReleaseStgMedium
    0x37b0428 - combase.CoUninitialize
    0x37b0430 - combase.CoInitializeEx
    0x37b0438 - combase.CoTaskMemFree
    0x37b0440 - ole32.CoInitialize
    0x37b0448 - ole32.OleUninitialize
    0x37b0450 - combase.CoTaskMemAlloc
    0x37b0458 - combase.CLSIDFromString
    0x37b0460 - combase.PropVariantClear
    0x37b0468 - combase.CoCreateFreeThreadedMarshaler

  4. #3
    numerbo's Avatar Active Member
    Reputation
    49
    Join Date
    Nov 2024
    Posts
    13
    Thanks G/R
    1/3
    Trade Feedback
    0 (0%)
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Some more information about this loader.

    // Inside of WoW (latest release 11.0.5.57534) (this functions just a bit under the initial VirtualAlloc in the OP
    wardenFunctionHolder = 0LL; // This contains information _about_ wow? It also gives warden functions from wows memory that it can call. __int64 __fastcall sub_B80C(char *a1)

    sub_143348B30((__int64)&wardenFunctionHolder, v15, v16, v17, *((__int64 *)&wardenFunctionHolder + 1), v37);// warden calls functions defined inside this

    Code:
    void __fastcall sub_143348B30(__int64 a1, int a2, __int64 a3, __int64 a4, __int64 a5, __int64 a6)
    {
      *(_WORD *)a1 = 0xBEEF;
      *(_WORD *)(a1 + 2) = 1;
      *(_QWORD *)(a1 + 0x18) = sub_14334B960;
      *(_QWORD *)(a1 + 0x10) = sub_14334BE80;
      *(_QWORD *)(a1 + 0x20) = sub_14334BFF0;
      *(_QWORD *)(a1 + 0x28) = byte_14334BFA0;
      *(_DWORD *)(a1 + 48) = a2;
    }
    Warden function calls look like this.

    Code:
    __int64 __fastcall sub_7140(char *a1, __int64 a2, __int64 a3)
    {
      __int64 v3; // rsi
      __int64 v4; // rdx
    
      sub_2200(a1, a2, a3, sub_B7E0);
      v3 = (unsigned int)sub_B7E0(a1);
      sub_4D10(a1, v3, v4, sub_B7E0);
      return (unsigned int)v3;
    }
    It appears to be that sub_2200 Decrypts sub_b7e0, then it is called, and then sub_4d10 encrypts it again.

    Code:
    __int64 __fastcall sub_2200(__int64 a1, __int64 a2, __int64 a3, __int64 a4)
    {
      int v4; // r9d
      __int64 v5; // r11
      __int64 v6; // r8
      __int64 v7; // r10
      _BYTE *v8; // rdi
      unsigned __int64 v9; // r15
      _BYTE *v10; // rsi
      __int64 v11; // rbx
      __int64 result; // rax
      int v13; // r14d
      int v14; // esi
      __int64 v15; // rdx
      __int64 v16; // rdi
      __int64 v17; // r11
      unsigned __int8 *v18; // rbx
      __int64 v19; // rdx
      char v20; // r9
      unsigned __int8 *v21; // rbx
      unsigned __int8 v22; // dl
    
      if ( !a4 )
        __halt();
      v4 = *(_DWORD *)(a4 + 1);
      v5 = *(unsigned int *)(a4 + 15);
      v6 = (unsigned int)(v4 - 15);
      if ( *(_BYTE *)(a4 + 19) )
      {
        v7 = a4 + 5;
        if ( (_DWORD)v5 )
        {
          v8 = (_BYTE *)(a4 + v6 + 20);
          v9 = v5 + a4 + v6 + 20;
          v10 = v8;
          do
          {
            *v10 ^= byte_14390[*(unsigned __int8 *)(v7 + (unsigned __int8)((__int64)(v9 - (_QWORD)v10) % v6) + 15)];
            ++v10;
          }
          while ( (unsigned __int64)v10 < v9 );
          v11 = v5;
          do
          {
            result = *((unsigned __int8 *)sub_145C0
                     + *(unsigned __int8 *)(v7 + (unsigned __int8)((__int64)(v9 - (_QWORD)v8) % v6) + 15));
            *v8++ ^= result;
            --v11;
          }
          while ( v11 );
        }
        v13 = (*(_DWORD *)(a4 + 11) | *(_DWORD *)(a4 + 20)) - (*(_DWORD *)(a4 + 11) & *(_DWORD *)(a4 + 20));
        v14 = 732807390;
        if ( (_DWORD)v5 )
        {
          v15 = v5 & 3;
          v16 = 0LL;
          if ( (unsigned __int64)(v5 - 1) >= 3 )
          {
            v17 = v5 - v15;
            v14 = -2128831035;
            v16 = 0LL;
            do
            {
              v14 = 16777619
                  * ((16777619
                    * ((16777619
                      * ((16777619 * (v14 ^ *(unsigned __int8 *)(a4 + v6 + 23 + v16 - 3))) ^ *(unsigned __int8 *)(a4 + v6 + 23 + v16 - 2))) ^ *(unsigned __int8 *)(a4 + v6 + 23 + v16 - 1))) ^ *(unsigned __int8 *)(a4 + v6 + 23 + v16));
              v16 += 4LL;
            }
            while ( v17 != v16 );
          }
          else
          {
            v14 = -2128831035;
          }
          if ( v15 )
          {
            v18 = (unsigned __int8 *)(a4 + v6 + v16 + 20);
            v19 = -v15;
            do
            {
              v14 = 16777619 * (v14 ^ *v18++);
              ++v19;
            }
            while ( v19 );
          }
        }
        if ( v14 != v13 )
          __halt();
        *(_BYTE *)(a4 + 19) = 0;
        v20 = *(_BYTE *)(a4 + (unsigned int)(v4 - 16) + 20);
        if ( (unsigned int)v6 >= 2 )
        {
          v21 = (unsigned __int8 *)(a4 + 21);
          v22 = *(_BYTE *)(a4 + 20);
          do
          {
            result = *v21;
            *v21++ = v22;
            v22 = result;
          }
          while ( (unsigned __int64)v21 < v7 + v6 + 15 );
        }
        *(_BYTE *)(a4 + 20) = v20;
        *(_DWORD *)(a4 + 11) = *(_DWORD *)(a4 + 20) ^ v13;
      }
      return result;
    }
    Code:
    void __fastcall sub_4D10(__int64 a1, __int64 a2, __int64 a3, __int64 a4)
    {
      __int64 v4; // r11
      __int64 v5; // r8
      int v6; // edx
      __int64 v7; // rax
      __int64 v8; // rdi
      unsigned __int8 *v9; // rbx
      __int64 v10; // rax
      _BYTE *v11; // r9
      unsigned __int64 v12; // r10
      _BYTE *v13; // rsi
      __int64 v14; // rbx
    
      if ( !a4 )
        __halt();
      v4 = *(unsigned int *)(a4 + 15);
      v5 = (unsigned int)(*(_DWORD *)(a4 + 1) - 15);
      if ( *(_BYTE *)(a4 + 19) != 1 )
      {
        v6 = 732807390;
        if ( (_DWORD)v4 )
        {
          v7 = v4 & 3;
          v8 = 0LL;
          if ( (unsigned __int64)(v4 - 1) >= 3 )
          {
            v6 = -2128831035;
            v8 = 0LL;
            do
            {
              v6 = 16777619
                 * ((16777619
                   * ((16777619
                     * ((16777619 * (v6 ^ *(unsigned __int8 *)(a4 + v5 + 23 + v8 - 3))) ^ *(unsigned __int8 *)(a4 + v5 + 23 + v8 - 2))) ^ *(unsigned __int8 *)(a4 + v5 + 23 + v8 - 1))) ^ *(unsigned __int8 *)(a4 + v5 + 23 + v8));
              v8 += 4LL;
            }
            while ( v4 - v7 != v8 );
          }
          else
          {
            v6 = -2128831035;
          }
          if ( (v4 & 3) != 0 )
          {
            v9 = (unsigned __int8 *)(a4 + v5 + v8 + 20);
            v10 = -v7;
            do
            {
              v6 = 16777619 * (v6 ^ *v9++);
              ++v10;
            }
            while ( v10 );
          }
        }
        if ( v6 != (*(_DWORD *)(a4 + 11) ^ *(_DWORD *)(a4 + 20)) )
          __halt();
        if ( (_DWORD)v4 )
        {
          v11 = (_BYTE *)(a4 + v5 + 20);
          v12 = v4 + a4 + v5 + 20;
          v13 = v11;
          if ( (_DWORD)v4 != 1 )
          {
            v14 = (v4 & 1) - v4;
            v13 = (_BYTE *)(a4 + v5 + 20);
            do
            {
              *v13 ^= *((_BYTE *)sub_145C0
                      + *(unsigned __int8 *)(a4 + (unsigned __int8)((__int64)(v12 - (_QWORD)v13) % v5) + 20));
              v13[1] ^= *((_BYTE *)sub_145C0
                        + *(unsigned __int8 *)(a4 + (unsigned __int8)((__int64)(v12 - (_QWORD)(v13 + 1)) % v5) + 20));
              v13 += 2;
              v14 += 2LL;
            }
            while ( v14 );
          }
          if ( (v4 & 1) != 0 )
            *v13 ^= *((_BYTE *)sub_145C0
                    + *(unsigned __int8 *)(a4 + (unsigned __int8)((__int64)(v12 - (_QWORD)v13) % v5) + 20));
          do
          {
            *v11 ^= byte_14390[*(unsigned __int8 *)(a4 + (unsigned __int8)((__int64)(v12 - (_QWORD)v11) % v5) + 20)];
            ++v11;
          }
          while ( (unsigned __int64)v11 < v12 );
        }
        *(_BYTE *)(a4 + 19) = 1;
      }
    }
    This is the function that subsequently calls VirtualAlloc from the WardenLoader buffer _after_ warden is loaded. So this is what I was seeing as 0x10BCA, but this address is not consistent the warden module seems to have some variation.

    Code:
    __int64 __fastcall sub_125EC(__int64 a1, unsigned __int64 a2, __int64 a3, _DWORD *a4)
    {
      unsigned int v5; // ecx
      unsigned int v6; // eax
      __int64 v7; // rdx
      _WORD *v8; // r14
      unsigned int v9; // eax
      unsigned __int64 v10; // r12
      unsigned __int64 v11; // rcx
      unsigned __int64 v12; // r12
      char *v13; // r13
      __int64 result; // rax
      __int64 v15; // rdx
      char *v16; // rax
      __int64 v17; // rdx
      int v18; // edx
      char *v19; // r8
      unsigned int v20; // r9d
      _DWORD *v21; // rcx
      unsigned int v22; // [rsp+2Ch] [rbp-5FCh] BYREF
      unsigned int v23; // [rsp+30h] [rbp-5F8h] BYREF
      int v24; // [rsp+34h] [rbp-5F4h] BYREF
      unsigned __int64 v25; // [rsp+38h] [rbp-5F0h] BYREF
      int v26; // [rsp+44h] [rbp-5E4h] BYREF
      __int64 v27; // [rsp+48h] [rbp-5E0h]
      __int64 v28; // [rsp+50h] [rbp-5D8h]
      __int64 v29; // [rsp+58h] [rbp-5D0h]
      __int64 v30; // [rsp+60h] [rbp-5C8h]
      _DWORD v31[2]; // [rsp+68h] [rbp-5C0h] BYREF
      _BYTE v32[32]; // [rsp+70h] [rbp-5B8h] BYREF
      _BYTE v33[1024]; // [rsp+90h] [rbp-598h] BYREF
      _BYTE v34[160]; // [rsp+490h] [rbp-198h] BYREF
      __int64 v35; // [rsp+530h] [rbp-F8h] BYREF
      _BYTE v36[32]; // [rsp+538h] [rbp-F0h] BYREF
      __int64 v37; // [rsp+558h] [rbp-D0h]
      __int64 v38; // [rsp+560h] [rbp-C8h]
      __int64 v39; // [rsp+568h] [rbp-C0h]
      __int64 v40; // [rsp+570h] [rbp-B8h]
      __int64 v41; // [rsp+578h] [rbp-B0h]
      __int64 v42; // [rsp+580h] [rbp-A8h]
      __int64 v43; // [rsp+588h] [rbp-A0h]
      __int64 v44; // [rsp+590h] [rbp-98h]
      __int64 v45; // [rsp+598h] [rbp-90h]
      __int64 v46; // [rsp+5A0h] [rbp-88h]
      __int64 v47; // [rsp+5A8h] [rbp-80h]
      __int64 v48; // [rsp+5B0h] [rbp-78h]
      __int64 v49; // [rsp+5B8h] [rbp-70h]
      __int64 v50; // [rsp+5C0h] [rbp-68h]
      __int64 v51; // [rsp+5C8h] [rbp-60h]
      __int64 v52; // [rsp+5D0h] [rbp-58h]
      __int64 v53; // [rsp+5D8h] [rbp-50h]
      __int64 v54; // [rsp+5E0h] [rbp-48h]
      __int64 v55; // [rsp+5E8h] [rbp-40h]
    
      v22 = 0;
      v25 = 0LL;
      v26 = 0;
      v5 = a4[4];
      v23 = v5;
      v6 = a4[2];
      v7 = 256LL;
      v8 = 0LL;
      if ( v6 >= 0x11 )
      {
        a1 = (unsigned int)a4[5];
        v8 = 0LL;
        v7 = 257LL;
        if ( v6 >= (unsigned int)a1 )
        {
          a1 = (unsigned int)(a1 + 17);
          if ( v6 == (_DWORD)a1 )
          {
            v9 = sub_71B0(a1, a2, (__int64)&v25, v5, (__int64)&v26);
            v7 = v9;
            v8 = 0LL;
            if ( !v9 )
            {
              v10 = (unsigned int)(a4[7] + a4[5] + 156);
              v8 = (_WORD *)MEMORY[0x27ECA3C6F90](a1, a2, 0LL, v10);
              v7 = 128LL;
              if ( v8 )
              {
                memset(v8, 0, v10);
                *v8 = 3;
                v8[1] = 30;
                v11 = (unsigned int)a4[5];
                *((_DWORD *)v8 + 37) = v11;
                *((_DWORD *)v8 + 26) = a4[6];
                v27 = 1LL;
                v28 = 0LL;
                v29 = 0LL;
                v30 = 1LL;
                *(_QWORD *)(v8 + 54) = 0x7FF7727FBFA0LL;
                *((_DWORD *)v8 + 23) = a4[7];
                *((_QWORD *)v8 + 10) = (char *)v8 + v11 + 156;
                *((_QWORD *)v8 + 12) = 0LL;
                *(_QWORD *)(v8 + 58) = &dword_16250;
                *(_QWORD *)(v8 + 66) = 0x27ECA3C6F90LL;
                *(_QWORD *)(v8 + 70) = 0x27ECA3C7AF0LL;
                *(_QWORD *)(v8 + 62) = 0x27ECA3D6CB0LL;
                qmemcpy(v8 + 76, (char *)a4 + 33, v11);
                a1 = (__int64)v8 + v11 + 152;
                a2 = v25;
                v7 = 517LL;
                if ( v25 )
                {
                  if ( *(_DWORD *)v25 == 0x8B08EB && *(_WORD *)(v25 + 4) == 1 )
                  {
                    v12 = *(unsigned int *)(v25 + 16);
                    v13 = (char *)VirtualAlloc(a1, v25, v12, 0LL, 0x1000LL, 0x40LL);
                    v7 = 128LL;
                    if ( v13 )
                    {
                      a2 = (unsigned int)sub_6C50(a1, a2, (_DWORD)v13, a2, (_DWORD)v8, (unsigned int)&v22);
                      v25 = 0LL;
                      memset(v13, 0, v12);
                      a1 = (__int64)&v13[v12];
                      VirtualFree(&v13[v12], a2, 0LL, v13, 0x8000LL);
                      if ( !(_WORD)a2 )
                      {
                        v16 = (char *)(*((_QWORD *)v8 + 10) - 4LL);
                        qmemcpy(v16, &v23, 4uLL);
                        a2 = (unsigned __int64)&v24;
                        a1 = (__int64)(v16 + 4);
                        v17 = v22;
                        if ( v22 == 4 )
                        {
                          v18 = a4[4];
                          v19 = (char *)v31;
                          qmemcpy(v32, qword_167C8, sizeof(v32));
                          qmemcpy(v33, qword_167E8, sizeof(v33));
                          qmemcpy(v36, qword_16270, sizeof(v36));
                          qmemcpy(v34, qword_16BE8, sizeof(v34));
                          a2 = (unsigned __int64)&qword_16BE8[20];
                          a1 = (__int64)&v35;
                          v31[1] = 0;
                          v35 = 0LL;
                          v37 = 0LL;
                          v31[0] = v18;
                          v38 = 0LL;
                          v39 = 0LL;
                          v40 = 0LL;
                          v41 = 0LL;
                          v42 = 0LL;
                          v43 = 0LL;
                          v44 = 0LL;
                          v45 = 0LL;
                          v46 = 0LL;
                          v47 = 0LL;
                          v48 = 0LL;
                          v49 = 0LL;
                          v50 = 0LL;
                          v51 = 0LL;
                          v52 = 0LL;
                          v53 = 0LL;
                          v54 = 0LL;
                          v55 = 0LL;
                          v17 = 4LL;
                          v20 = 1416;
                          v21 = a4;
                        }
                        else
                        {
                          v20 = *((_DWORD *)v8 + 22) + 4;
                          v21 = a4;
                          v19 = v16;
                        }
                        sub_80F0(a1, a2, v17, (__int64)v21, (__int64)v19, v20);
                        return MEMORY[0x27ECA3C7AF0](a1, a2, v15, v8);
                      }
                      v7 = 515LL;
                    }
                  }
                }
              }
            }
          }
        }
      }
      result = sub_80F0(a1, a2, v7, (__int64)a4, (__int64)&v23, 4u);
      if ( v25 )
        result = MEMORY[0x27ECA3C7AF0]();
      if ( v8 )
        return MEMORY[0x27ECA3C7AF0](a1, a2, v15, v8);
      return result;
    }
    [code]


    I need to update my module dumper to map IAT addresses properly. But I mapped some of them.
    Last edited by numerbo; 3 Weeks Ago at 12:21 PM.

  5. #4
    numerbo's Avatar Active Member
    Reputation
    49
    Join Date
    Nov 2024
    Posts
    13
    Thanks G/R
    1/3
    Trade Feedback
    0 (0%)
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Code:
     
    void Decrypt(uint64_t address)
    {
        int32_t dataSize = *(int32_t *)(address + 1);
        int32_t v4 = *(int32_t *)(address + 15);
        uint8_t isEncrypted = *(uint8_t *)(address + 19);
    
        if (isEncrypted)
        {
            printf("Encrypted, v4: 0x%x, dataSize: 0x%x\n", v4, dataSize);
    
            uintptr_t v6 = address + 5;
            int32_t v7 = *(int32_t *)(address + 11);
            int32_t v8 = *(int32_t *)(address + 20);
    
            int32_t v5 = dataSize - 15;
    
            if (v4 != 0)
            {
                uint8_t *decryptPtr = (uint8_t *)(address + v5 + 20);
                uintptr_t decryptEnd = v4 + address + v5 + 20;
    
                do
                {
                    *decryptPtr ^= *(uint8_t *)(v6 + ((decryptEnd - (uintptr_t)decryptPtr) % v5) + 15);
                    ++decryptPtr;
                } while ((uintptr_t)decryptPtr < decryptEnd);
    
                int32_t checksum = v7 ^ v8;
                uintptr_t remaining = v4 & 3;
                uintptr_t processed = 0;
                int32_t hash;
    
                if (v4 >= 4)
                {
                    uintptr_t bytesToProcess = v4 - remaining;
                    hash = 0x811C9DC5;
    
                    processed = 0;
    
                    do
                    {
                        // Compute FNV-1a hash over 4-byte chunks
                        hash = 0x1000193 * ((0x1000193 * ((0x1000193 * ((0x1000193 * (hash ^ *(uint8_t *)(address + v5 + 23 + processed - 3))) ^ *(uint8_t *)(address + v5 + 23 + processed - 2))) ^ *(uint8_t *)(address + v5 + 23 + processed - 1))) ^ *(uint8_t *)(address + v5 + 23 + processed));
                        processed += 4;
                    } while (bytesToProcess != processed);
                }
                else
                {
                    hash = 0x811C9DC5;
                }
    
                if (remaining)
                {
                    uint8_t *remainingPtr = (uint8_t *)(address + v5 + processed + 20);
                    uintptr_t count = -remaining;
    
                    do
                    {
                        hash = 0x1000193 * (hash ^ *remainingPtr++);
                        ++count;
                    } while (count);
                }
    
                if (hash != (v7 ^ v8))
                {
                    printf("Checksum mismatch, halting\n");
                    exit(1);
                }
            }
            else
            {
                int32_t checksum = v7 ^ v8;
                int32_t hash = 0x2BADC0DE;
    
                if (hash != checksum)
                {
                    printf("Checksum mismatch, halting\n");
                    exit(1);
                }
            }
    
            *(uint8_t *)(address + 19) = 0;
    
            uint8_t lastByte = *(uint8_t *)(address + v5 - 1 + 20);
    
            if (v5 >= 2)
            {
                char *swapPtr = (char *)(address + 21);
                char temp = *(uint8_t *)(address + 20);
    
                do
                {
                    char nextTemp = *swapPtr;
                    *swapPtr++ = temp;
                    temp = nextTemp;
                } while ((uintptr_t)swapPtr < v6 + v5 + 15);
            }
    
            *(uint8_t *)(address + 20) = lastByte;
    
            int32_t v11 = v7 ^ v8;
            *(int32_t *)(address + 11) = (v11 & (*(int32_t *)(address + 20) - 1 - 2 * *(int32_t *)(address + 20))) | (*(int32_t *)(address + 20) & -(v11 + 1));
        }
        else
        {
            printf("Not Encrypted\n");
        }
    }
    Here's a variant of the inline decryption that is runnable. It can be used to decrypt (some) methods in wardens loader module.

    For example here is the function invoked by ` a2 = (unsigned int)sub_6C50(a1, a2, (_DWORD)v13, a2, (_DWORD)v8, (unsigned int)&v22); // decrypts and runs the module.
    `

    Code:
    __int16 __fastcall sub_E214(
            char *a1,
            char *a2,
            __int64 a3,
            __int64 a4,
            __int64 a5,
            _DWORD *a6,
            int a7,
            int a8,
            int a9,
            int a10,
            void (__fastcall *a11)(__int64, __int64, __int64, __int64))
    {
      __int16 result; // ax
      _DWORD *v16; // rdx
      unsigned int v17; // ebx
      unsigned __int64 v18; // rcx
      char *v19; // rdi
      unsigned __int64 v20; // rcx
      char *v21; // rsi
      char *v22; // rdi
      __int64 v23; // rdi
      unsigned int v24; // eax
      unsigned int *v25; // rdx
      unsigned int i; // ebx
      char v27; // cl
      __int64 v28; // rdx
      __int64 v29; // rsi
      int v30; // eax
      __int64 v31[8]; // [rsp+28h] [rbp-40h] BYREF
    
      result = 1;
      if ( a4 )
      {
        if ( a3 )
        {
          if ( *(_DWORD *)a4 == 0x8B08EB || (result = 2, *(_WORD *)(a4 + 4) == 1) )
          {
            result = 3;
            if ( *(_WORD *)(a4 + 6) == 523 )
            {
              if ( *(_DWORD *)(a4 + 44) )
              {
                v16 = (_DWORD *)(a4 + *(unsigned int *)(a4 + 40) + 12);
                v17 = 0;
                do
                {
                  v18 = (unsigned int)*(v16 - 2);
                  v19 = (char *)(a3 + (unsigned int)*(v16 - 3));
                  memset(v19, 0, v18);
                  a1 = &v19[v18];
                  v20 = (unsigned int)*v16;
                  if ( *v16 )
                  {
                    v21 = (char *)(a4 + (unsigned int)*(v16 - 1));
                    v22 = (char *)(a3 + (unsigned int)*(v16 - 3));
                    qmemcpy(v22, v21, v20);
                    a2 = &v21[v20];
                    a1 = &v22[v20];
                  }
                  ++v17;
                  v16 += 4;
                }
                while ( v17 < *(_DWORD *)(a4 + 44) );
              }
              result = sub_77F0(a1, a2, a3, a4, a4);
              if ( !result )
              {
                v23 = a3 - *(_QWORD *)(a4 + 8);
                if ( a3 != *(_QWORD *)(a4 + 8) )
                {
                  v24 = *(_DWORD *)(a4 + 28);
                  if ( v24 )
                  {
                    v25 = (unsigned int *)(a4 + *(unsigned int *)(a4 + 24) + 1);
                    for ( i = 0; i < v24; ++i )
                    {
                      v27 = *((_BYTE *)v25 - 1);
                      if ( v27 == 10 )
                      {
                        *(_QWORD *)(a3 + *v25) += v23;
                      }
                      else
                      {
                        result = 6;
                        if ( v27 != 3 )
                          return result;
                        *(_DWORD *)(a3 + *v25) += v23;
                        v24 = *(_DWORD *)(a4 + 28);
                      }
                      v25 = (unsigned int *)((char *)v25 + 5);
                    }
                  }
                }
                v31[0] = 0LL;
                result = sub_7EC0(v23, (__int64)a2, a3, a4, a4, (__int64)v31);
                if ( !result )
                {
                  v29 = *(unsigned int *)(a4 + 20);
                  if ( a11 )
                    a11(v23, v29, v28, a4);
                  v30 = ((__int64 (__fastcall *)(__int64, __int64, __int64, __int64))(v29 + a3))(v23, v29, v28, a5);
                  if ( a6 )
                    *a6 = v30;
                  if ( v31[0] )
                    sub_7A70();
                  return 0;
                }
              }
            }
          }
        }
      }
      return result;
    }
    Need to finish rewriting other decryption methods in this dump to go further into the load and run logic.

  6. #5
    numerbo's Avatar Active Member
    Reputation
    49
    Join Date
    Nov 2024
    Posts
    13
    Thanks G/R
    1/3
    Trade Feedback
    0 (0%)
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Here's an IDA script to decrypt some warden methods. IDA 9.0

    Run at cursor, follow the JMP, press p. You may need to (make code) (c)

    Code:
    # IDA Python script to decrypt warden functions
    
    # - numerbo
    
    import idc
    import ida_bytes
    
    def Decrypt(address):
        dataSize = idc.get_wide_dword(address + 1)
        v4 = idc.get_wide_dword(address + 15)
        isEncrypted = idc.get_wide_byte(address + 19)
    
        if isEncrypted:
            print("Encrypted, v4: 0x%x, dataSize: 0x%x" % (v4, dataSize))
    
            v6 = address + 5
            v7 = idc.get_wide_dword(address + 11)
            v8 = idc.get_wide_dword(address + 20)
    
            v5 = dataSize - 15
    
            if v4 != 0:
                decryptPtr = address + v5 + 20
                decryptEnd = v4 + address + v5 + 20
    
                while decryptPtr < decryptEnd:
                    key_index = ((decryptEnd - decryptPtr) % v5)
                    key_byte_addr = v6 + key_index + 15
                    key_byte = ida_bytes.get_wide_byte(key_byte_addr)
                    decrypted_byte = ida_bytes.get_wide_byte(decryptPtr) ^ key_byte
                    ida_bytes.patch_byte(decryptPtr, decrypted_byte)
                    decryptPtr += 1
    
                # Compute checksum
                checksum = v7 ^ v8
                remaining = v4 & 3
                processed = 0
                hash = 0x811C9DC5
    
                if v4 >= 4:
                    bytesToProcess = v4 - remaining
    
                    while processed != bytesToProcess:
                        # Compute FNV-1a hash over 4-byte chunks
                        for i in range(4):
                            byte_addr = address + v5 + 23 + processed - (3 - i)
                            byte = ida_bytes.get_wide_byte(byte_addr)
                            hash = (hash ^ byte) & 0xFFFFFFFF
                            hash = (hash * 0x1000193) & 0xFFFFFFFF
                        processed += 4
    
                if remaining:
                    remainingPtr = address + v5 + processed + 20
                    count = remaining
                    while count > 0:
                        byte = ida_bytes.get_wide_byte(remainingPtr)
                        hash = (hash ^ byte) & 0xFFFFFFFF
                        hash = (hash * 0x1000193) & 0xFFFFFFFF
                        remainingPtr += 1
                        count -= 1
    
                if hash != (v7 ^ v8):
                    print("Checksum mismatch, halting")
                    return
            else:
                checksum = v7 ^ v8
                hash = 0x2BADC0DE
    
                if hash != checksum:
                    print("Checksum mismatch, halting")
                    return
    
            ida_bytes.patch_byte(address + 19, 0)
    
            lastByte = ida_bytes.get_wide_byte(address + v5 - 1 + 20)
    
            if v5 >= 2:
                swapPtr = address + 21
                temp = ida_bytes.get_wide_byte(address + 20)
                end_ptr = v6 + v5 + 15
    
                while swapPtr < end_ptr:
                    nextTemp = ida_bytes.get_wide_byte(swapPtr)
                    ida_bytes.patch_byte(swapPtr, temp)
                    temp = nextTemp
                    swapPtr += 1
    
            ida_bytes.patch_byte(address + 20, lastByte)
    
            v11 = v7 ^ v8
            temp_val = idc.get_wide_dword(address + 20)
            new_val = (v11 & (temp_val - 1 - 2 * temp_val)) | (temp_val & (-(v11 + 1) & 0xFFFFFFFF))
            ida_bytes.patch_dword(address + 11, new_val & 0xFFFFFFFF)
    
            decrypt_base = address + 20
            decrypt_end = address + v5 + 20
            
            print("Function head at %X - you may need to define some undefined codes" % (decrypt_end))
        else:
            print("Not Encrypted")
    
    # Run the function at the current cursor address
    current_address = idc.get_screen_ea()
    Decrypt(current_address)

  7. #6
    numerbo's Avatar Active Member
    Reputation
    49
    Join Date
    Nov 2024
    Posts
    13
    Thanks G/R
    1/3
    Trade Feedback
    0 (0%)
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Here's another variant to patch them all (doesnt auto make code/function)

    Code:
    # IDA Python script to decrypt warden functions
    
    # - numerbo
    
    from idaapi import *
    from idc import *
    
    import ida_funcs
    import idautils
    import ida_segment
    import ida_search
    import idaapi
    
    def find_binary(address, end, search, format, flags):
    
        if idaapi.IDA_SDK_VERSION > 760:
            binpat = idaapi.compiled_binpat_vec_t()
            idaapi.parse_binpat_str(binpat, address, search, format)
            address, a = idaapi.bin_search3(address, end, binpat, flags)
        else:
            address = idaapi.find_binary(address, end, search, format, flags)
    
        return address
    
    def find_all_binary(address, end, search, format, flags):
    
        addresses = []
        start = address
    
        while True:
            next = find_binary(start, end, search, format, flags)
            if next == idaapi.BADADDR:
                break
            addresses.append(next)
            print("Found at %X" % next)
            start = next + len(search)
    
        return addresses
    
    def Decrypt(address):
        dataSize = idc.get_wide_dword(address + 1)
        v4 = idc.get_wide_dword(address + 15)
        isEncrypted = idc.get_wide_byte(address + 19) == 1
    
        if isEncrypted:
            print("Encrypted, v4: 0x%x, dataSize: 0x%x" % (v4, dataSize))
    
            v6 = address + 5
            v7 = idc.get_wide_dword(address + 11)
            v8 = idc.get_wide_dword(address + 20)
    
            v5 = dataSize - 15
    
            if v4 != 0:
                decryptPtr = address + v5 + 20
                decryptEnd = v4 + address + v5 + 20
    
                while decryptPtr < decryptEnd:
                    key_index = ((decryptEnd - decryptPtr) % v5)
                    key_byte_addr = v6 + key_index + 15
                    key_byte = ida_bytes.get_wide_byte(key_byte_addr)
                    decrypted_byte = ida_bytes.get_wide_byte(decryptPtr) ^ key_byte
                    ida_bytes.patch_byte(decryptPtr, decrypted_byte)
                    decryptPtr += 1
    
                # Compute checksum
                checksum = v7 ^ v8
                remaining = v4 & 3
                processed = 0
                hash = 0x811C9DC5
    
                if v4 >= 4:
                    bytesToProcess = v4 - remaining
    
                    while processed != bytesToProcess:
                        # Compute FNV-1a hash over 4-byte chunks
                        for i in range(4):
                            byte_addr = address + v5 + 23 + processed - (3 - i)
                            byte = ida_bytes.get_wide_byte(byte_addr)
                            hash = (hash ^ byte) & 0xFFFFFFFF
                            hash = (hash * 0x1000193) & 0xFFFFFFFF
                        processed += 4
    
                if remaining:
                    remainingPtr = address + v5 + processed + 20
                    count = remaining
                    while count > 0:
                        byte = ida_bytes.get_wide_byte(remainingPtr)
                        hash = (hash ^ byte) & 0xFFFFFFFF
                        hash = (hash * 0x1000193) & 0xFFFFFFFF
                        remainingPtr += 1
                        count -= 1
    
                if hash != (v7 ^ v8):
                    print("Checksum mismatch, halting")
                    return
            else:
                checksum = v7 ^ v8
                hash = 0x2BADC0DE
    
                if hash != checksum:
                    print("Checksum mismatch, halting")
                    return
    
            ida_bytes.patch_byte(address + 19, 0)
    
            lastByte = ida_bytes.get_wide_byte(address + v5 - 1 + 20)
    
            if v5 >= 2:
                swapPtr = address + 21
                temp = ida_bytes.get_wide_byte(address + 20)
                end_ptr = v6 + v5 + 15
    
                while swapPtr < end_ptr:
                    nextTemp = ida_bytes.get_wide_byte(swapPtr)
                    ida_bytes.patch_byte(swapPtr, temp)
                    temp = nextTemp
                    swapPtr += 1
    
            ida_bytes.patch_byte(address + 20, lastByte)
    
            v11 = v7 ^ v8
            temp_val = idc.get_wide_dword(address + 20)
            new_val = (v11 & (temp_val - 1 - 2 * temp_val)) | (temp_val & (-(v11 + 1) & 0xFFFFFFFF))
            ida_bytes.patch_dword(address + 11, new_val & 0xFFFFFFFF)
    
            decrypt_base = address + 20
            decrypt_end = address + v5 + 20
            
            print("Function head at %X - you may need to define some undefined codes" % (decrypt_end))
        else:
            print("Not Encrypted")
    
    addresses = find_all_binary(0, 0xFFFFFFFF, "E9 ? 00 00 00 ? ? ? ? ? ? ? ? ? ? ? ? ? ? 01", 16, SEARCH_DOWN) # The end of the pattern can (maybe should?) be "01 0 0 01"
    
    for address in addresses:
        print("Decrypting function at %X" % address)
        Decrypt(address)
        
    print("Done")
    Last edited by numerbo; 2 Weeks Ago at 12:34 PM.

  8. #7
    numerbo's Avatar Active Member
    Reputation
    49
    Join Date
    Nov 2024
    Posts
    13
    Thanks G/R
    1/3
    Trade Feedback
    0 (0%)
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Here's a helper utility to decrypt/encrypt the loader module. It should set the checksum properly meaning the Encrypt/Decrypt methods should be able to encrypt and decrypt functions at runtime. With some tweaking you should be able to patch or hook functions to further dump the actual cheat modules.

    Code:
    #include  <iostream>
    #include  <fstream>
    #include  <cstdint>
    #include  <cstdlib>
    #include  <vector>
    #include  <string>
    #include  <sstream>
    
    void Decrypt(uint64_t address)
    {
        int32_t dataSize = *(int32_t *)(address + 1);
        int32_t v4 = *(int32_t *)(address + 15);
        uint8_t isEncrypted = *(uint8_t *)(address + 19) == 1;
    
        if (isEncrypted)
        {
            printf("Encrypted, v4: 0x%x, dataSize: 0x%x\n", v4, dataSize);
    
            uintptr_t v6 = address + 5;
            int32_t v7 = *(int32_t *)(address + 11);
            int32_t v8 = *(int32_t *)(address + 20);
    
            int32_t v5 = dataSize - 15;
    
            if (v4 != 0)
            {
                uint8_t *decryptPtr = (uint8_t *)(address + v5 + 20);
                uintptr_t decryptEnd = v4 + address + v5 + 20;
    
                do
                {
                    *decryptPtr ^= *(uint8_t *)(v6 + ((decryptEnd - (uintptr_t)decryptPtr) % v5) + 15);
                    ++decryptPtr;
                } while ((uintptr_t)decryptPtr < decryptEnd);
    
                int32_t checksum = v7 ^ v8;
                uintptr_t remaining = v4 & 3;
                uintptr_t processed = 0;
                int32_t hash;
    
                if (v4 >= 4)
                {
                    uintptr_t bytesToProcess = v4 - remaining;
                    hash = 0x811C9DC5;
    
                    processed = 0;
    
                    do
                    {
                        hash = 0x1000193 * ((0x1000193 * ((0x1000193 * ((0x1000193 * (hash ^ *(uint8_t *)(address + v5 + 23 + processed - 3))) ^ *(uint8_t *)(address + v5 + 23 + processed - 2))) ^ *(uint8_t *)(address + v5 + 23 + processed - 1))) ^ *(uint8_t *)(address + v5 + 23 + processed));
                        processed += 4;
                    } while (bytesToProcess != processed);
                }
                else
                {
                    hash = 0x811C9DC5;
                }
    
                if (remaining)
                {
                    uint8_t *remainingPtr = (uint8_t *)(address + v5 + processed + 20);
                    uintptr_t count = -remaining;
    
                    do
                    {
                        hash = 0x1000193 * (hash ^ *remainingPtr++);
                        ++count;
                    } while (count);
                }
    
                if (hash != (v7 ^ v8))
                {
                    printf("Checksum mismatch, halting\n");
                    exit(1);
                }
            }
            else
            {
                int32_t checksum = v7 ^ v8;
                int32_t hash = 0x2BADC0DE;
    
                if (hash != checksum)
                {
                    printf("Checksum mismatch, halting\n");
                    exit(1);
                }
            }
    
            *(uint8_t *)(address + 19) = 0;
    
            uint8_t lastByte = *(uint8_t *)(address + v5 - 1 + 20);
    
            if (v5 >= 2)
            {
                char *swapPtr = (char *)(address + 21);
                char temp = *(uint8_t *)(address + 20);
    
                do
                {
                    char nextTemp = *swapPtr;
                    *swapPtr++ = temp;
                    temp = nextTemp;
                } while ((uintptr_t)swapPtr < v6 + v5 + 15);
            }
    
            *(uint8_t *)(address + 20) = lastByte;
    
            int32_t v11 = v7 ^ v8;
            *(int32_t *)(address + 11) = (v11 & (*(int32_t *)(address + 20) - 1 - 2 * *(int32_t *)(address + 20))) | (*(int32_t *)(address + 20) & -(v11 + 1));
        }
        else
        {
            printf("Not Encrypted\n");
        }
    }
    
    void Encrypt(uint64_t address)
    {
        int32_t dataSize = *(int32_t *)(address + 1);
        int32_t v4 = *(int32_t *)(address + 15);
        uint8_t isEncrypted = *(uint8_t *)(address + 19) == 1;
    
        if (!isEncrypted)
        {
            printf("Encrypting, v4: 0x%x, dataSize: 0x%x\n", v4, dataSize);
    
            uintptr_t v6 = address + 5;
            int32_t v7 = *(int32_t *)(address + 11);
            int32_t v8 = *(int32_t *)(address + 20);
    
            int32_t v5 = dataSize - 15;
    
            int32_t hash;
    
            if (v4 != 0)
            {
                uintptr_t remaining = v4 & 3;
                uintptr_t processed = 0;
    
                if (v4 >= 4)
                {
                    uintptr_t bytesToProcess = v4 - remaining;
                    hash = 0x811C9DC5;
    
                    processed = 0;
    
                    do
                    {
                        hash = 0x1000193 * ((0x1000193 * ((0x1000193 * ((0x1000193 * (hash ^ *(uint8_t *)(address + v5 + 23 + processed - 3))) ^ *(uint8_t *)(address + v5 + 23 + processed - 2))) ^ *(uint8_t *)(address + v5 + 23 + processed - 1))) ^ *(uint8_t *)(address + v5 + 23 + processed));
                        processed += 4;
                    } while (bytesToProcess != processed);
                }
                else
                {
                    hash = 0x811C9DC5;
                }
    
                if (remaining)
                {
                    uint8_t *remainingPtr = (uint8_t *)(address + v5 + processed + 20);
                    uintptr_t count = -remaining;
    
                    do
                    {
                        hash = 0x1000193 * (hash ^ *remainingPtr++);
                        ++count;
                    } while (count);
                }
            }
            else
            {
                hash = 0x2BADC0DE;
            }
    
            *(int32_t *)(address + 11) = hash ^ v8;
    
            if (v4 != 0)
            {
                uint8_t *encryptPtr = (uint8_t *)(address + v5 + 20);
                uintptr_t encryptEnd = v4 + address + v5 + 20;
    
                do
                {
                    *encryptPtr ^= *(uint8_t *)(address + ((encryptEnd - (uintptr_t)encryptPtr) % v5) + 20);
                    ++encryptPtr;
                } while ((uintptr_t)encryptPtr < encryptEnd);
            }
    
            *(uint8_t *)(address + 19) = 1;
            printf("Encryption complete.\n");
        }
        else
        {
            printf("Already encrypted, skipping.\n");
        }
    }
    
    std::vector<uint64_t> FindPattern(const std::string &pattern, void *start, size_t size)
    {
        std::vector<uint8_t> patternBytes;
        std::vector<bool> mask;
    
        std::istringstream patternStream(pattern);
        std::string token;
        while (patternStream >> token)
        {
            if (token == "?")
            {
                patternBytes.push_back(0);
                mask.push_back(false);
            }
            else
            {
                patternBytes.push_back(static_cast<uint8_t>(std::stoi(token, nullptr, 16)));
                mask.push_back(true);
            }
        }
    
        uint8_t *base = static_cast<uint8_t *>(start);
        std::vector<uint64_t> results;
    
        for (size_t i = 0; i <= size - patternBytes.size(); ++i)
        {
            bool matched = true;
    
            for (size_t j = 0; j < patternBytes.size(); ++j)
            {
                if (mask[j] && base[i + j] != patternBytes[j])
                {
                    matched = false;
                    break;
                }
            }
    
            if (matched)
            {
                results.push_back(reinterpret_cast<uint64_t>(base + i));
            }
        }
    
        return results;
    }
    
    int main(int argc, char **argv)
    {
        void *fileBuffer = nullptr;
        int fileSize = 0;
    
        if (argc <= 1)
        {
            std::cerr << "Usage: " << argv[0] << " <file>" << std::endl;
            return 1;
        }
    
        std::string fileName = argv[1];
    
        std::ifstream file(fileName.c_str(), std::ios::binary | std::ios::ate);
    
        if (file.is_open())
        {
            fileSize = file.tellg();
            fileBuffer = new char[fileSize];
            file.seekg(0, std::ios::beg);
            file.read(static_cast<char *>(fileBuffer), fileSize);
            file.close();
        }
        else
        {
            std::cerr << "Failed to open file." << std::endl;
            return 1;
        }
    
        std::vector<uint64_t> addresses = FindPattern("E9 ? 00 00 00 ? ? ? ? ? ? ? ? ? ? ? 01 ? ? 01", fileBuffer, fileSize); // find encrypted pattern
        // std::vector<uint64_t> addresses = FindPattern("E9 ? 00 00 00 ? ? ? ? ? ? ? ? ? ? ? 01 ? ? 00", fileBuffer, fileSize); // find decrypted pattern
    
        for (uint64_t address : addresses)
        {
            printf("Found pattern at 0x%llx - 0x%llx\n", address, address - (uintptr_t)fileBuffer);
            // Decrypt(address); // testing decryption
            // Encrypt(address); // testing re-encryption
            Decrypt(address); // decrypt the file
        }
    
        std::ofstream outFile(fileName + ".decrypted", std::ios::binary);
        outFile.write((char *)fileBuffer, fileSize);
        outFile.close();
    
        printf("Done\n");
    
        delete[] static_cast<char *>(fileBuffer);
        return 0;
    }
    I haven't tested it too much, nor did I look into how it would interact if the methods were patched and then re-encrypted. It may crash when it challenges the checksums. However, note, that there are probably self integrity checks running on the entire loader module / other modules (it would be stupid for there not to be? but maybe the self encryption/decryption makes that not very consistent)

    Code:
    void Decrypt(uint8_t *fileBase, uint64_t functionAddress)
    {
        if (!fileBase || !functionAddress)
        {
            printf("Invalid arguments\n");
            return;
        }
    
        uint32_t v4 = *reinterpret_cast<uint32_t *>(functionAddress + 1);
        uint64_t v5 = *reinterpret_cast<uint32_t *>(functionAddress + 15);
        uint64_t v6 = static_cast<uint32_t>(v4 - 15);
    
        uint8_t *byte_2F1B0 = (uint8_t *)((uint64_t)fileBase + 0x2f1b0);
        uint8_t *byte_2F090 = (uint8_t *)((uint64_t)fileBase + 0x2f090);
    
        if (*reinterpret_cast<uint8_t *>(functionAddress + 19))
        {
            uint64_t v7 = functionAddress + 5;
            if (v5)
            {
                uint64_t v8 = v5 + functionAddress + v6 + 20;
                uint8_t *v9 = reinterpret_cast<uint8_t *>(functionAddress + v6 + 20);
    
                for (uint64_t i = 0; i < v5; ++i)
                {
                    uint64_t index = static_cast<uint8_t>((v8 - reinterpret_cast<uint64_t>(v9)) % v6);
                    *v9 ^= byte_2F1B0[*(reinterpret_cast<uint8_t *>(v7 + index) + 15)];
                    ++v9;
                }
    
                uint8_t *v11 = reinterpret_cast<uint8_t *>(functionAddress + v6 + 20);
                for (uint64_t i = 0; i < v5; ++i)
                {
                    int64_t offset = static_cast<int64_t>((v8 - reinterpret_cast<uint64_t>(v11)) % v6 - 1 - 2 * ((v8 - reinterpret_cast<uint64_t>(v11)) % v6));
                    uint8_t v12 = byte_2F090[*(reinterpret_cast<uint8_t *>(v7 - offset - 1 + 15))];
                    *v11 = (v12 | *v11) & ((-*v11 - 1) | -(static_cast<char>(v12) + 1));
                    ++v11;
                }
            }
    
            uint32_t v13 = *reinterpret_cast<uint32_t *>(functionAddress + 11) ^ *reinterpret_cast<uint32_t *>(functionAddress + 20);
            uint32_t v14 = 0x2BADBABE;
    
            if (v5)
            {
                const uint32_t fnv_prime = 0x1000193;
                v14 = 0x811C9DC5;
                uint8_t *data = reinterpret_cast<uint8_t *>(functionAddress + v6 + 20);
                for (uint64_t i = 0; i < v5; ++i)
                {
                    v14 ^= data[i];
                    v14 *= fnv_prime;
                }
            }
    
            if (v14 != v13)
            {
                throw std::runtime_error("Decryption validation failed.");
            }
    
            *reinterpret_cast<uint8_t *>(functionAddress + 19) = 0;
            uint8_t v19 = *reinterpret_cast<uint8_t *>(functionAddress + v4 - 16 + 20);
    
            if (v6 >= 2)
            {
                uint8_t *v20 = reinterpret_cast<uint8_t *>(functionAddress + 21);
                uint8_t v21 = *reinterpret_cast<uint8_t *>(functionAddress + 20);
    
                for (uint64_t i = 0; i < v6 - 1; ++i)
                {
                    uint8_t v22 = *v20;
                    *v20++ = v21;
                    v21 = v22;
                }
            }
    
            *reinterpret_cast<uint8_t *>(functionAddress + 20) = v19;
            *reinterpret_cast<uint32_t *>(functionAddress + 11) = *reinterpret_cast<uint32_t *>(functionAddress + 20) ^ v13;
    
            printf("Decryption complete and validated.\n");
        }
    }
    Some warden modules have xor tables in their decryption logic. These offsets are HARD CODED, and will need to be changed if you come across them. Here's a working decrypt.

  9. Thanks MrFade (1 members gave Thanks to numerbo for this useful post)
  10. #8
    aeo's Avatar Contributor
    Reputation
    132
    Join Date
    Apr 2007
    Posts
    277
    Thanks G/R
    90/66
    Trade Feedback
    7 (100%)
    Mentioned
    2 Post(s)
    Tagged
    0 Thread(s)
    I glanced over this, interesting work. Good job.

  11. #9
    numerbo's Avatar Active Member
    Reputation
    49
    Join Date
    Nov 2024
    Posts
    13
    Thanks G/R
    1/3
    Trade Feedback
    0 (0%)
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    This (disgusting) code / process can be used to dump warden modules over time as they load in and out. This is AFTER execution, and you will probably be banned by this point. (Not sure)

    Code:
    typedef LPVOID(WINAPI* VirtualAlloc_t)(LPVOID lpAddress, SIZE_T dwSize, DWORD flAllocationType, DWORD flProtect);
    typedef BOOL(WINAPI* VirtualFree_t)(LPVOID lpAddress, SIZE_T dwSize, DWORD dwFreeType);
    
    VirtualAlloc_t oVirtualAlloc = nullptr;
    VirtualFree_t oVirtualFree = nullptr;
    
    uintptr_t wardenLoaderBase = 0;
    size_t wardenLoaderSize = 0;
    LPVOID moduleAddress = 0;
    size_t moduleSize = 0;
    
    uintptr_t patchedBytes = 0;
    uint8_t dumpedLoader = 0;
    int wardenModuleCount = 0;
    
    bool Between(size_t search, size_t min, size_t max) {
    	return search >= min && search <= max;
    }
    
    std::vector<uint64_t> FindPattern(const std::string& pattern, void* start, size_t size)
    {
    	std::vector<uint8_t> patternBytes;
    	std::vector<bool> mask;
    
    	std::istringstream patternStream(pattern);
    	std::string token;
    	while (patternStream >> token)
    	{
    		if (token == "?")
    		{
    			patternBytes.push_back(0);
    			mask.push_back(false);
    		}
    		else
    		{
    			patternBytes.push_back(static_cast<uint8_t>(std::stoi(token, nullptr, 16)));
    			mask.push_back(true);
    		}
    	}
    
    	uint8_t* base = static_cast<uint8_t*>(start);
    	std::vector<uint64_t> results;
    
    	for (size_t i = 0; i <= size - patternBytes.size(); ++i)
    	{
    		bool matched = true;
    
    		for (size_t j = 0; j < patternBytes.size(); ++j)
    		{
    			if (mask[j] && base[i + j] != patternBytes[j])
    			{
    				matched = false;
    				break;
    			}
    		}
    
    		if (matched)
    		{
    			results.push_back(reinterpret_cast<uint64_t>(base + i));
    		}
    	}
    
    	return results;
    }
    
    LPVOID WINAPI hVirtualAlloc(LPVOID lpAddress, SIZE_T dwSize, DWORD flAllocationType, DWORD flProtect) {
    	LPVOID retAddr = oVirtualAlloc(lpAddress, dwSize, flAllocationType, flProtect);
    
    	if (flProtect == 0x40 && wardenLoaderBase == 0 && Between(dwSize, 0x10000, 0x3C400)) {
    		wardenLoaderBase = (uintptr_t)retAddr;
    		wardenLoaderSize = dwSize;
    		printf("Warden loader base: %llx\n", wardenLoaderBase);
    	}
    
    	const int maxFrames = 10;
    	PVOID stack[maxFrames];
    	USHORT frames = RtlCaptureStackBackTrace(0, maxFrames, stack, NULL);
    
    	for (USHORT i = 0; i < frames; ++i) {
    
    		if (flProtect == 0x40 && wardenLoaderBase != 0 && (uintptr_t)stack[i] >= wardenLoaderBase && (uintptr_t)stack[i] <= wardenLoaderBase + wardenLoaderSize) {
    			uintptr_t relativeOffset = (uintptr_t)stack[i] - wardenLoaderBase;
    
    			std::vector<uintptr_t> bytes = FindPattern("F3 AA", (void*)stack[i], 0x200);
    			if (bytes.size()) {
    				printf("Found pattern at %p\n", bytes[0]);
    
    				memset((void*)bytes[0], 0x90, 2);
    				printf("Patched out memset\n");
    
    				patchedBytes = bytes[0];
    			}
    
    			if (dumpedLoader == 0) {
    				std::string fileName = "warden_loader.bin";
    				SDK::Memory::DumpMemoryToFile(fileName.c_str(), (const char*)wardenLoaderBase, wardenLoaderSize);
    
    				dumpedLoader = 1;
    			}
    
    			moduleAddress = retAddr;
    			moduleSize = dwSize;
    		}
    	}
    
    	return retAddr;
    }
    
    BOOL WINAPI hVirtualFree(LPVOID lpAddress, SIZE_T dwSize, DWORD dwFreeType) {
    	if (lpAddress == moduleAddress) {
    		printf("Unloading module\n");
    
    		std::string fileName = "module_" + std::to_string(wardenModuleCount) + ".bin";
    
    		SDK::Memory::DumpMemoryToFile(fileName.c_str(), (const char*)moduleAddress, moduleSize);
    		wardenModuleCount++;
    
    		uint8_t* bytes = (uint8_t*)patchedBytes;
    		bytes[0] = 0xF3;
    		bytes[1] = 0xAA;
    
    		printf("Restored memset\n");
    
    	}
    
    	BOOL ret = oVirtualFree(lpAddress, dwSize, dwFreeType);
    	return ret;
    }
    You will need to repair imports and create fake headers for modules and just in general reverse how warden works more to understand how to actually figure out how detections work..
    Last edited by numerbo; 2 Weeks Ago at 01:41 PM.

  12. #10
    aeo's Avatar Contributor
    Reputation
    132
    Join Date
    Apr 2007
    Posts
    277
    Thanks G/R
    90/66
    Trade Feedback
    7 (100%)
    Mentioned
    2 Post(s)
    Tagged
    0 Thread(s)
    What's the function of the F3 AA patch?

  13. #11
    numerbo's Avatar Active Member
    Reputation
    49
    Join Date
    Nov 2024
    Posts
    13
    Thanks G/R
    1/3
    Trade Feedback
    0 (0%)
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Originally Posted by aeo View Post
    What's the function of the F3 AA patch?
    nop'ing F3 AA removes the memset before VirtualFree, the buffer still contains the warden module in a meaningful state before the memset is done.

    Without restoring the bytes the warden loader crashes or unloads itself (probably just need to patch more than the F3 AA bytes or there is something I overlooked in the re-encrypt function (some type of integrity check done with a checksum mismatch happening from the patched bytes)

    Code:
                    v13 = (char *)VirtualAlloc(a1, v25, v12, 0LL, 0x1000LL, 0x40LL);
                    v7 = 128LL;
                    if ( v13 )
                    {
                      a2 = (unsigned int)sub_6C50(a1, a2, (_DWORD)v13, a2, (_DWORD)v8, (unsigned int)&v22);
                      v25 = 0LL;              
    ->>>>>>>>         memset(v13, 0, v12);
                      a1 = (__int64)&v13[v12];
                      VirtualFree(&v13[v12], a2, 0LL, v13, 0x8000LL);

  14. #12
    numerbo's Avatar Active Member
    Reputation
    49
    Join Date
    Nov 2024
    Posts
    13
    Thanks G/R
    1/3
    Trade Feedback
    0 (0%)
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    11.0.5.57637

    .text:00000000031C6FB0 sub_0031C6FB0 proc near
    ...
    .text:00000000031C74D9 VirtualAlloc

  15. #13
    charles420's Avatar Elite User
    Reputation
    330
    Join Date
    Jun 2009
    Posts
    334
    Thanks G/R
    25/119
    Trade Feedback
    0 (0%)
    Mentioned
    10 Post(s)
    Tagged
    0 Thread(s)
    def have to patch more are you fixing the timing check etc

  16. #14
    numerbo's Avatar Active Member
    Reputation
    49
    Join Date
    Nov 2024
    Posts
    13
    Thanks G/R
    1/3
    Trade Feedback
    0 (0%)
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Originally Posted by charles420 View Post
    def have to patch more are you fixing the timing check etc
    This has nothing to do with the anti debug in the client, this is to dump the actual warden anti-cheat modules / decrypt their function calling mechanisms.

  17. #15
    jmrr's Avatar Member
    Reputation
    2
    Join Date
    Nov 2022
    Posts
    2
    Thanks G/R
    0/1
    Trade Feedback
    0 (0%)
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    One of their game debug builds had this.

    Adjusted function names to reflect the log lines signifying what they do.
    It doesn't look like there is any encryption, just compression?

    (However, I can't find the same code in retail, so perhaps encryption is just retail?)

    Code:
    __int64 __fastcall WARDEN_ExecuteCore(__int64 a1)
    {
      unsigned __int16 *v2; // [rsp+20h] [rbp-C8h]
      unsigned int v3; // [rsp+28h] [rbp-C0h] BYREF
      unsigned int v4; // [rsp+2Ch] [rbp-BCh]
      unsigned int v5; // [rsp+30h] [rbp-B8h] BYREF
      unsigned int v6; // [rsp+34h] [rbp-B4h]
      _DWORD *v7; // [rsp+38h] [rbp-B0h]
      unsigned __int16 *v8; // [rsp+40h] [rbp-A8h] BYREF
      unsigned int v9; // [rsp+48h] [rbp-A0h]
      int v10; // [rsp+4Ch] [rbp-9Ch]
      char *module; // [rsp+50h] [rbp-98h]
      char *v12; // [rsp+58h] [rbp-90h]
      unsigned __int16 *v13; // [rsp+60h] [rbp-88h]
      void (__fastcall *v14)(__int64, __int64); // [rsp+68h] [rbp-80h]
      char *v15; // [rsp+70h] [rbp-78h]
      char *v16; // [rsp+78h] [rbp-70h]
      __int64 v17; // [rsp+80h] [rbp-68h]
      char *v18; // [rsp+88h] [rbp-60h]
      void (__fastcall *v19)(__int64, __int64); // [rsp+90h] [rbp-58h]
      void (__fastcall *v20)(__int64, unsigned __int16 *); // [rsp+98h] [rbp-50h]
      void (__fastcall *v21)(__int64, __int64); // [rsp+A0h] [rbp-48h]
      _BYTE v22[64]; // [rsp+A8h] [rbp-40h] BYREF
      __int64 v23; // [rsp+F0h] [rbp+8h]
    
      v23 = a1;
      v6 = -1;
      v8 = 0LL;
      v3 = 0;
      module = 0LL;
      v4 = 0;
      memset(v22, 0, 0x38uLL);
      v5 = 0;
      v7 = *(_DWORD **)(a1 + 24);
      if ( *v7 == 0x504D57 )
      {
        if ( (unsigned __int64)(unsigned int)v7[1] + 268 <= *(_QWORD *)(a1 + 8) )
        {
          j_WARDEN_Log("Validated core\n");
          v3 = v7[2];
          v9 = j_WARDEN_DecompressCore((__int64)&v8, (__int64)&v3, (__int64)(v7 + 67), (unsigned int)v7[1]);
          if ( v9 )
          {
            j_WARDEN_Log("Decompress core failed\n");
            v6 = v9;
          }
          else
          {
            j_WARDEN_Log("Decompressed core (0x%X bytes)\n", v7[2]);
            if ( (unsigned __int8)j_WARDEN_ValidateSignature((__int64)(v7 + 3), (__int64)v8, v3) )
            {
              j_WARDEN_Log("Core signature validated\n");
              v14 = *(void (__fastcall **)(__int64, __int64))(*(_QWORD *)qword_7FF623161D78 + 16LL);
              v14(qword_7FF623161D78, v23);
              v23 = 0LL;
              v2 = v8;
              j_WARDEN_Log("Self-Load core: LoaderSize: 0x%X VirtualSize: 0x%X\n", *v8, *((_DWORD *)v8 + 1));
              if ( *v2 <= v3 && *((_DWORD *)v2 + 1) <= 0x100000u )
              {
                if ( *((_BYTE *)v2 + 3) == 2 )
                {
                  if ( *((_BYTE *)v2 + 2) == 1 )
                  {
                    v4 = *((_DWORD *)v2 + 1) + *v2;
                    module = (char *)j_WARDEN_AllocateMemory(v4);
                    if ( module )
                    {
                      if ( j_WARDEN_PrepareParameters((__int64)v22, v4) )
                      {
                        qword_7FF623161D88 = (__int64)v8;
                        v8 = 0LL;
                        j_WARDEN_Log("Invoking core\n");
                        v13 = v2 + 4;
                        v17 = (__int64)v2 + *v2 + 8;
                        v12 = module;
                        v16 = &module[*v2];
                        v15 = module;
                        if ( j_WARDEN_WriteExecMemory(module, v2 + 4, *v2) )
                        {
                          v18 = v15;
                          v10 = ((__int64 (__fastcall *)(__int64, char *, _BYTE *, unsigned int *))v15)(v17, v16, v22, &v5);
                          if ( v10 )
                          {
                            j_WARDEN_Log("WMF Self-Loader failed: %u\n", v10);
                          }
                          else
                          {
                            j_WARDEN_Log("Core exited with code %u\n", v5);
                            v6 = v5;
                          }
                        }
                        else
                        {
                          j_WARDEN_Log("Failed to write exec memory!\n");
                        }
                      }
                      else
                      {
                        j_WARDEN_Log("Failed to prepare parameters\n");
                      }
                    }
                    else
                    {
                      j_WARDEN_Log("Failed to allocate executable mem\n");
                    }
                  }
                  else
                  {
                    j_WARDEN_Log("Invalid loader platform for this client: %d\n", *((unsigned __int8 *)v2 + 2));
                  }
                }
                else
                {
                  j_WARDEN_Log("Invalid loader architecture for this client: %d\n", *((unsigned __int8 *)v2 + 3));
                }
              }
              else
              {
                j_WARDEN_Log("Loader specifications invalid\n");
              }
            }
            else
            {
              j_WARDEN_Log("Validate core signature failed\n");
            }
          }
        }
        else
        {
          j_WARDEN_Log("Invalid size for core\n");
        }
      }
      else
      {
        j_WARDEN_Log("Invalid magic for core\n");
      }
      if ( v23 )
      {
        v19 = *(void (__fastcall **)(__int64, __int64))(*(_QWORD *)qword_7FF623161D78 + 16LL);
        v19(qword_7FF623161D78, v23);
      }
      if ( v8 )
      {
        v20 = *(void (__fastcall **)(__int64, unsigned __int16 *))(*(_QWORD *)qword_7FF623161D78 + 16LL);
        v20(qword_7FF623161D78, v8);
      }
      if ( module )
        WARDEN_FreeMemory((__int64)module);
      if ( qword_7FF623161D88 )
      {
        v21 = *(void (__fastcall **)(__int64, __int64))(*(_QWORD *)qword_7FF623161D78 + 16LL);
        v21(qword_7FF623161D78, qword_7FF623161D88);
        qword_7FF623161D88 = 0LL;
      }
      return v6;
    Last edited by jmrr; 2 Weeks Ago at 03:39 PM. Reason: More details

Similar Threads

  1. Some Warden Info
    By MartyT in forum WoW Memory Editing
    Replies: 6
    Last Post: 05-17-2009, 09:21 AM
  2. Warden info?
    By amadmonk in forum WoW Memory Editing
    Replies: 1
    Last Post: 05-01-2009, 12:54 PM
  3. Beat Warden! Info on Warden, and how to beat Waren.
    By Zeltraz500 in forum World of Warcraft Guides
    Replies: 21
    Last Post: 09-22-2008, 05:45 PM
  4. [info] Warden
    By SKeptical in forum World of Warcraft Guides
    Replies: 8
    Last Post: 04-12-2008, 06:04 AM
All times are GMT -5. The time now is 10:30 PM. Powered by vBulletin® Version 4.2.3
Copyright © 2024 vBulletin Solutions, Inc. All rights reserved. User Alert System provided by Advanced User Tagging (Pro) - vBulletin Mods & Addons Copyright © 2024 DragonByte Technologies Ltd.
Digital Point modules: Sphinx-based search