DirectX/CEGUI hooking?

  1. #46
    lanman92
    That's why I need to hide from Warden, and I learned that movement state will be too hard, you have to spoof packets etc... that can wait.

  2. #47
    Cypher
    Originally Posted by lanman92
    lol, what DOESN'T Warden watch? I'm gonna do a basic wallhack and maybe movement state hack... kynox posted some very friendly info about it so this shouldn't be too difficult.

    Err. Warden hardly watches anything. It's a pretty basic anti-cheat tbh. Nothing hardcore like PB or GG. It watches maybe 0.1% of WoW's address space (basically for some obvious hacks/bots), a few other checks for known public hacks/bots, but nothing major.

    It's not like it CRCs the entire .text and .rdata segments, checks for API hooks, does a stack trace, watches for unauthorized 3rd party modules, uses encryption, uses timing to check for debuggers, etc.

  3. #48
    Cypher
    Originally Posted by arigity
    two things.

    1. you're injecting a DLL just for a basic wallhack/movement state hack?

    2. Warden watches read-only memory (mostly), as stated in the wiki, which means it's rather useless for very basic memory editing (*note: wallhack = watched, but there are other ways than the static address) and shouldn't bother you with movement state (now the server, on the other hand, will, depending on what you do).

    Actually for 'basic memory editing' editing the read-only portions of memory can be quite useful. From NOPing/forcing jumps in the .text segment to modifying game constants in the .rdata segment. There's shitloads you can do. Also, a DLL is pretty much required to do a 'movement state hack' on live if you don't want your code to be ugly as **** and a huge pain to maintain.

  4. #49
    lanman92
    I've been just NOPing an address space in the code segment, I don't think it's the commonly used one. I'm not sure where I found it... It doesn't D/C or ban on a trial account, but I don't have the balls to try it on a real account. I believe that I have found the address where Warden is loaded into, is it possible to just...overwrite Warden's code?
    Last edited by lanman92; 09-11-2008 at 07:31 PM.

  5. #50
    kynox
    Originally Posted by lanman92
    I've been just NOPing an address space in the code segment, I don't think it's the commonly used one. I'm not sure where I found it... It doesn't D/C or ban on a trial account, but I don't have the balls to try it on a real account. I believe that I have found the address where Warden is loaded into, is it possible to just...overwrite Warden's code?
    No, the server expects responses from the loaded WardenModule.

  6. #51
    lanman92
    Sooooo, I guess I'm gonna have to study the hell out of Warden to figure this out? It seems like a big secret around here, no one really shares their findings about Warden lol. Only reveal is the Warden wiki, only shows scanned offsets and basic anti-detection methods though.

  7. #52
    kynox
    Originally Posted by lanman92
    Sooooo, I guess I'm gonna have to study the hell out of Warden to figure this out? It seems like a big secret around here, no one really shares their findings about Warden lol. Only reveal is the Warden wiki, only shows scanned offsets and basic anti-detection methods though.
    Because not many even know how it works, and for us that do: why should we share it?

  8. #53
    Cypher
    Originally Posted by lanman92
    Sooooo, I guess I'm gonna have to study the hell out of Warden to figure this out? It seems like a big secret around here, no one really shares their findings about Warden lol. Only reveal is the Warden wiki, only shows scanned offsets and basic anti-detection methods though.

    Err, I'd say it's pretty reasonable that it's kept a secret. Otherwise if bypass methods were released publicly they'd be nerfed in the next patch for sure.

  9. #54
    lanman92
    Just out of curiosity, how long did it take you to reverse Warden? Finding all of the scans and checksums.

  10. #55
    kynox
    Originally Posted by lanman92
    Just out of curiosity, how long did it take you to reverse Warden? Finding all of the scans and checksums.
    Not very long.. maybe a day?

  11. #56
    lanman92
    Is Microsoft Detours hazardous to use? Or will Warden not really notice it?

  12. #57
    Cypher
    Originally Posted by lanman92
    Is Microsoft Detours hazardous to use? Or will Warden not really notice it?

    Not hazardous, it just sucks to use on its own.

  13. #58
    lanman92
    What do you mean sucks to use on its own? lol. Can you set a Detour in a random place in the code using it alone? All I've seen it used in so far is writing a wrapper for DX9.

  14. #59
    Shynd
    Yeah, you can. Something stupid-easy like...
    Code:
    #include <windows.h>
    #include "detours.h"   // Detours v1.5

    // Function-pointer type matching the target's signature.
    typedef void (__stdcall *SOMETHING)(DWORD, DWORD);
    
    void __stdcall Something_Detour(DWORD, DWORD);
    SOMETHING Something_Original = NULL;   // trampoline returned by DetourFunction
    
    void __stdcall Something_Detour(DWORD unk1, DWORD unk2)
    {
        //do some shit here!
        Something_Original(unk1, unk2);   // call through to the original
    }
    
    BOOL APIENTRY DllMain(HMODULE hModule, DWORD dwReason, LPVOID lpReserved)
    {
        if (dwReason == DLL_PROCESS_ATTACH)
            Something_Original = (SOMETHING)DetourFunction((BYTE *)0x12345678, (BYTE *)Something_Detour);
        return TRUE;   // DllMain must return a value
    }
    ...or something. 0x12345678 is the address of the function you want to detour, you have to typedef the function type and reinterpret_cast your ass off, but it should work. This is with Detours v1.5, mind you, not the more recent 2.1. I never learned how to use 2.1 before I started doing my own static detours.

    Anyway, the above shows how to detour a function that gets two DWORDs as arguments. You can replace SOMETHING and Something_ with whatever description you want. For instance, my detour for a game called Dark Ages that intercepts received packets looks like this:
    Code:
    typedef DWORD (__stdcall *DARECV)(BYTE *packet, DWORD len);
    DWORD __stdcall DARecv_Detour(BYTE *packet, DWORD len);   // same signature as the target
    
    DARECV DARecv_Original = NULL;
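
The defender's view of the detour shown in post #59, as an added example that is not part of the original posts: an inline detour overwrites the start of the target function with a jump, so an integrity check can decode the first bytes and flag redirects that leave the module. The function names, sample bytes and address ranges are constructed for illustration, and the check assumes 32-bit x86.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef enum { HOOK_NONE = 0, HOOK_JMP_REL32, HOOK_PUSH_RET } hook_kind;

/* Read a little-endian 32-bit value regardless of host byte order. */
static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Classify the first bytes of a 32-bit x86 function read from address va.
 * A redirect counts as a hook only when it leaves [img_lo, img_hi), so
 * linker thunks that jump within the module are not reported.
 * *target receives the decoded destination of any redirect found. */
hook_kind classify_prologue(const uint8_t *code, size_t len, uint32_t va,
                            uint32_t img_lo, uint32_t img_hi, uint32_t *target)
{
    hook_kind kind = HOOK_NONE;
    uint32_t dest = 0;

    if (len >= 5 && code[0] == 0xE9) {                 /* jmp rel32 */
        dest = va + 5 + rd32le(code + 1);              /* wraps like the CPU */
        kind = HOOK_JMP_REL32;
    } else if (len >= 6 && code[0] == 0x68 && code[5] == 0xC3) {
        dest = rd32le(code + 1);                       /* push imm32; ret */
        kind = HOOK_PUSH_RET;
    }
    if (kind == HOOK_NONE) return HOOK_NONE;
    *target = dest;
    return (dest >= img_lo && dest < img_hi) ? HOOK_NONE : kind;
}

/* Constructed sample prologues for a function at 0x00401000 in an image
 * mapped at 0x00400000-0x00500000 (all values are illustrative). */
static const uint8_t clean[]   = {0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10};
static const uint8_t thunk[]   = {0xE9, 0xFB, 0x0F, 0x00, 0x00, 0x90};
static const uint8_t patched[] = {0xE9, 0xFB, 0xEF, 0xBF, 0x0F, 0x90};

int main(void)
{
    uint32_t t = 0;
    hook_kind k = classify_prologue(patched, sizeof patched, 0x00401000,
                                    0x00400000, 0x00500000, &t);
    printf("kind=%d target=0x%08X\n", (int)k, (unsigned)t);
    return 0;
}
```

In practice the bytes would be read from the loaded image and the result cross-checked against the same function's bytes in the file on disk, since a pattern match alone cannot tell a compiler-emitted jump from a patched one.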

  15. #60
    lanman92
    Thank you so much Shynd. This is just what I needed, some spoon feeding :P

    The reason I needed help was there's not very much documentation on this library.
    Last edited by lanman92; 09-12-2008 at 09:19 PM.
