Warden Wiki Page

[kynox]

Protip: Hook warden like you would the login checksum.

Pseudocode

Code:

void WardenScan_Hook()
{
RemoveAllPatches();
oWardenScan();
ApplyAllPatches();
}

o.O

If you're going for that kind of hook, you're going to want to make sure warden is going to perform a scan by checking the last packet size. Otherwise that function is called after each frame.

Or, reverse warden and find the scan functions vtable ^__^.

[Xarg0]

I'd say doing some per byte scanns for the opcodes that load the bytes for the scanns out of memory and patching the Adress wouldn't consume as much cpu as dispatching before a warden scann and patching again afterwards, you'd just need an algorithm to find and patch those offsets dynamical and copy the bytes you want to patch before you do it.
Even if you'd use Wardens Vtable to find out when a function is called it'd still consume a lot of cpu if you did alot of patching.
But I'm shure it's easier to check if warden scanns than redirecting its' scanns to some faked bytes.

[kynox]

I'd say doing some per byte scanns for the opcodes that load the bytes for the scanns out of memory and patching the Adress wouldn't consume as much cpu as dispatching before a warden scann and patching again afterwards, you'd just need an algorithm to find and patch those offsets dynamical and copy the bytes you want to patch before you do it.
Even if you'd use Wardens Vtable to find out when a function is called it'd still consume a lot of cpu if you did alot of patching.
But I'm shure it's easier to check if warden scanns than redirecting its' scanns to some faked bytes.

What the ****? Can you please re-read that?

[Cypher]

I'd say doing some per byte scanns for the opcodes that load the bytes for the scanns out of memory and patching the Adress wouldn't consume as much cpu as dispatching before a warden scann and patching again afterwards, you'd just need an algorithm to find and patch those offsets dynamical and copy the bytes you want to patch before you do it.
Even if you'd use Wardens Vtable to find out when a function is called it'd still consume a lot of cpu if you did alot of patching.
But I'm shure it's easier to check if warden scanns than redirecting its' scanns to some faked bytes.

.....

WoW is compiled with heaps of debug info and no platform specific optimizations. Furthermore the ASM output the compiler generates is far from heavily optimized.

Modern CPUs perform millions of instructions per second (or more). The overhead generated from a few function hooks is for all points and purposes 0. I suggest you acquaint yourself with a book on IA-32 ASM and the x86 architecture in the context of high level languages and the output they generate because you obviously have no idea what you're on about.

Protip: 99.99999% of code in applications does not need to be optimized heavily to run as fast as possible. The only exceptions is things that are used VERY often (in games an example would be a Vector class) and code that executes every frame. Even then, WoW is so light on resources I wouldn't be worried about a page or two of assembly caused by a large function hook, as I said, overhead is zero. Always know when to optimize as most of the time it will just reduce code readability and maintainablilty for two or three clock cycles (about a millionth of a second worth of CPU time).

Quote from the wise:

"We should forget about small efficiencies, say about 97% of the time: premature optimization is the root of all evil." (Knuth, Donald. Structured Programming with go to Statements, ACM Journal Computing Surveys, Vol 6, No. 4, Dec. 1974. p.268.)

[Xarg0]

I guess I shouldn't try to think about programming and post something when I'm high :>
after re-reading my post I think I should stop using certain drugs ^.^

Anyways, there are some good Ideas on how to protect from warden, maybe I'll release a warden protected wallclimb and jumphack in the next few days

[Cypher]

I guess I shouldn't try to think about programming and post something when I'm high :>
after re-reading my post I think I should stop using certain drugs ^.^

Anyways, there are some good Ideas on how to protect from warden, maybe I'll release a warden protected wallclimb and jumphack in the next few days

Why would you reverse warden and work out a bypass just to release it publicly at which point it would probably get nerfed by the next patch. You don't need to hook warden to protect a wallclimb or jump hack, just modify the places in code where the constants are referenced to point to your new variable (which you can dynamically allocate or throw in a code cave somewhere).

[Xarg0]

just for poc

[schlumpf]

Isn't everything proof of concept only?

[Shynd]

Proof of concept != intended for use.

[Cypher]

Isn't everything proof of concept only?

o.O

Errrrr...... what?

Most certainly not.

[Xarg0]

Hi guys, I just found a link to a driver that enables you to do hidden memory modifications (to hide detours from beeing detected by crc) OpenRCE
I'm not shure if it's warden proof but it can do the stuff I suggested without hooking warden, it readirects scanns to faked bytes and it can do much more, yet it's only 32bit and WinXP

[Cypher]

Hi guys, I just found a link to a driver that enables you to do hidden memory modifications (to hide detours from beeing detected by crc) OpenRCE
I'm not shure if it's warden proof but it can do the stuff I suggested without hooking warden, it readirects scanns to faked bytes and it can do much more, yet it's only 32bit and WinXP

That won't work on multi-core processors afaik. (ie 99% of modern processors)

[Cypher]

Okay, just confirmed my suspicions. (Thank you Greyman!)

This will only work on single-core/single-processor systems unless you change WoW's process affinity mask to force it to run on a single processor/core.

[Xarg0]

Why does it only work on single core? I tought it changes the way Virtuall Adresses are calculated to physikal ones in the Kernel, so where's the problem with multicore?

[Namoknan]

Okay, just confirmed my suspicions. (Thank you Greyman!)

This will only work on single-core/single-processor systems unless you change WoW's process affinity mask to force it to run on a single processor/core.

In no means I want to attack your theory Cypher, I did not take a look at this specific driver memory modification thingy
But I guarantee you Ring 0 memory modification is possible on multi core systems. POC can be seen in "Memory Hacking Software by L.Spiro". BSOD is howeva likely, but chances are pretty low