ZoneText Pointer messed up?

  1. #1 jockel (Member)

    ZoneText Pointer messed up?

    Heya guys,

    Normally I find the pointer to the ZoneText by looking at the "GetZoneText" function.

    I marked the offsets I'm normally using red and bold.

    This is what it looks like in 3.1.2
    Code:
    .text:006E0780                 push    ebp
    .text:006E0781                 mov     ebp, esp
    .text:006E0783                 mov     eax, dword_11D3F3C
    .text:006E0788                 test    eax, eax
    .text:006E078A                 jnz     short loc_6E0791
    .text:006E078C                 mov     eax, offset unk_981B4F

    And this is from 3.1.1:

    Code:
    .text:006DDC50                 push    ebp
    .text:006DDC51                 mov     ebp, esp
    .text:006DDC53                 mov     eax, dword_11CCF14
    .text:006DDC58                 test    eax, eax
    .text:006DDC5A                 jnz     short loc_6DDC61
    .text:006DDC5C                 mov     eax, offset unk_97CB47

    Reading the pointer to the string from that address was working flawlessly in 3.1.1, but using this address with 3.1.2 is totally messed up.

    Sometimes I have to restart WoW 5 times until the pointer points to the zone text, otherwise it points to some random crap.

    Any idea on this guys? Can someone verify that behaviour?

  2. #2 amadmonk (Active Member)
    Well I'm at work so I can't look at the context around this snippet, but from the asm it doesn't look like the static is being accessed any differently. I reckon it's being stored differently, so you'll have to track references to this static in IDA to see where/when/how it's being stored. Frankly, I'd start from the packet recv for zone enter (or whatever it is) and step down from there, but -- I'm NOT an expert in the internals of WoW (yet).

  3. #3 lanman92 (Active Member)
    Slap a BP on that bitch and /run it in-game. See what's going on through Olly. Do it on a trial though, seems as if Blizz has stepped up their game a bit.

  4. #4 amadmonk (Active Member)
    Ah crap, are they detecting debuggers now? I'm usually confident that I can get one hard breakpoint even with good old Windbg (after I've done an int3, I assume that WoW is compromised so I just kill the process after I'm done hacking at it).

    EDIT: actually, that begs a bigger question I've been wondering for a bit. What's the safest way (short of running against an emulator) to sandbox WoW while hacking away? Run as trial, obviously, but do you guys do anything like socksify your net connection to dis***** your IP?

  5. #5 Nesox (★ Elder ★)
    I use a trial account and a VPN and a modified OllyDbg. But I use it on my normal account too sometimes.

  6. #6 lanman92 (Active Member)
    Well. You could patch the TLS so that when they call IsBeingDebugged() it always returns zero. Either that or hook the func... Rather patch the address... They can detect H/W bp's pretty easily. And obviously software BPs as you can see at the login screen, but that's just hashing.
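The "that's just hashing" remark above is the anti-tamper side of the breakpoint question: a software breakpoint is an int3 (0xCC) written over the first byte of an instruction, so a client that periodically re-hashes its own .text sees the change, while a hardware breakpoint (debug registers) leaves the bytes alone and needs a different check. The example below is added here and is not code from the thread or from the client; it runs the per-chunk integrity scan over a constructed 64-byte "code image" built from the push ebp / mov ebp, esp prologue bytes (55 8B EC) shown in the thread's listing, plants an int3 at a chosen offset, and reports which chunk moved. Chunk size, hash choice and the image contents are assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Chunk size is the detection granularity: a 16-byte chunk cannot say which
 * byte changed, only that something inside it did. Smaller chunks mean more
 * hashes to store and compare. */
#define CHUNK      16
#define MAX_CHUNKS 64

/* 64-bit FNV-1a: cheap and sensitive to a single changed byte. It is not a
 * MAC; whoever can patch code can also patch the checker, which is why real
 * anti-tamper layers several such checks instead of trusting one. */
static uint64_t fnv1a(const uint8_t *p, size_t n) {
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 1099511628211ULL; }
    return h;
}

typedef struct {
    const uint8_t *start;
    size_t         len;
    size_t         nchunks;
    uint64_t       baseline[MAX_CHUNKS];
} guarded_region;

static size_t chunk_len(const guarded_region *g, size_t i) {
    size_t off = i * CHUNK;
    return (g->len - off < CHUNK) ? g->len - off : CHUNK;
}

/* Record the expected per-chunk hashes of a code range (at startup, or baked
 * in at build time). Returns the chunk count, or -1 if the table is too small. */
int guard_init(guarded_region *g, const uint8_t *start, size_t len) {
    g->start = start;
    g->len = len;
    g->nchunks = (len + CHUNK - 1) / CHUNK;
    if (g->nchunks > MAX_CHUNKS) return -1;
    for (size_t i = 0; i < g->nchunks; i++)
        g->baseline[i] = fnv1a(start + i * CHUNK, chunk_len(g, i));
    return (int)g->nchunks;
}

/* Re-hash and compare. Returns -1 when every chunk still matches, otherwise
 * the index of the first chunk whose bytes changed (an int3 from a debugger,
 * an inline hook, any patch at all). Hardware breakpoints are invisible here. */
int guard_scan(const guarded_region *g) {
    for (size_t i = 0; i < g->nchunks; i++)
        if (fnv1a(g->start + i * CHUNK, chunk_len(g, i)) != g->baseline[i])
            return (int)i;
    return -1;
}

/* Constructed stand-in for .text: four 16-byte "functions", each beginning
 * with the prologue from the thread's listing (55 8B EC), padded with nop
 * (90) and ending in ret (C3). */
static uint8_t g_image[64];

static void build_image(void) {
    memset(g_image, 0x90, sizeof g_image);
    for (size_t f = 0; f < sizeof g_image; f += CHUNK) {
        g_image[f] = 0x55; g_image[f + 1] = 0x8B; g_image[f + 2] = 0xEC;
        g_image[f + CHUNK - 1] = 0xC3;
    }
}

/* Baseline the clean image, overwrite one byte with int3 (0xCC) the way a
 * software breakpoint does, and return the chunk the scan flags (-1 = clean). */
int demo_int3_at(size_t offset) {
    guarded_region g;
    build_image();
    if (guard_init(&g, g_image, sizeof g_image) < 0) return -2;
    if (offset < sizeof g_image) g_image[offset] = 0xCC;
    return guard_scan(&g);
}

/* Same flow with no patch applied: must report clean. */
int demo_clean(void) { return demo_int3_at(sizeof g_image); }

int main(void) {
    printf("clean image        -> %d\n", demo_clean());
    printf("int3 at offset 0   -> chunk %d\n", demo_int3_at(0));
    printf("int3 at offset 32  -> chunk %d\n", demo_int3_at(32));
    printf("int3 at offset 47  -> chunk %d\n", demo_int3_at(47));
    return 0;
}
```

The scan only tells you that a chunk changed, not what changed, so a second pass that compares against a stored copy (or a finer chunk size) is needed if the detector should distinguish an int3 from a relocated jump; either way the byte-level change is what makes a software breakpoint observable to the process it sits in.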

  7. #7 Barnzy (Member)
    Just fill it with NULLs (IsBeingDebugged and IsDebuggerActive).

  8. #8 amadmonk (Active Member)
    Yeah, I can patch the PEB flags out, but I assumed that they are checking for running processes named [whatever Ollydbg's proc name is] or [whatever IDA's proc name is], etc. Meaning that unless I do the whole stealth package, I'm still a tad paranoid. Of course, I can always break in and leave it frozen (which is what I normally do), but that's really not much better than a memory dump.

    Running through trial and VPN is probably good enough for me; if there's no way for them to link my trial to my "real" toons, I'm happy (and, in fact, bans can be instructive).

    Thanks for the protips.

  9. #9 lanman92 (Active Member)
    I guess that's an option, but a little bit ugly imo.

  10. #10 Bobbysing (Member)
    Works perfectly fine for me, you must be doing something wrong.

    Here are the steps I did:
    Start WoW and log in
    Attach OllyDbg
    Press CTRL+G and enter "[11D3F3C]" ( goes to the address that 11D3F3C points to )
    Right click -> Follow in dump -> selection

    You should be able to see the name of the zone there ( window in the bottom-left )


    Also, the debugger detection you are talking about doesn't exist in WoW and Blizzard only bans the accounts that were detected by warden, they don't ban accounts that run with them on the same IP but did nothing wrong.
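Bobbysing's steps (Ctrl+G on "[11D3F3C]", then follow in dump) are one dereference of the static followed by reading a C string, which is exactly what the GetZoneText prologue in the first post does: load dword_11D3F3C, and if it is zero fall back to the string at unk_981B4F. The example below is added here and is not code from the thread or from the client. It models that prologue over a constructed in-process stand-in for the address space and adds the bounds and printability checks that tell a real zone name apart from the "random crap" the OP saw; a tool reading a live process would fill the regions via ReadProcessMemory instead. The string address, the garbage address and the sample zone name are constructed values, and the assumption (as in the thread) is that a non-zero static points at a NUL-terminated string.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Addresses from the 3.1.2 listing in the thread: the static holding the
 * zone-text pointer, and the fallback string used when the static is zero. */
#define ZONE_TEXT_STATIC  0x011D3F3Cu
#define ZONE_TEXT_DEFAULT 0x00981B4Fu

/* A constructed stand-in for a process address space: a few small readable
 * regions placed at chosen virtual addresses. Everything is in-process, so
 * the code runs offline; a real tool would populate it from ReadProcessMemory. */
typedef struct { uint32_t base; const uint8_t *data; size_t size; } mem_region;
typedef struct { const mem_region *regions; size_t count; } mem_image;

/* Map the virtual range [va, va+len) to host memory, or NULL if any byte of
 * it is unmapped. Skipping this check is how garbage ends up on screen. */
static const uint8_t *resolve(const mem_image *m, uint32_t va, size_t len) {
    for (size_t i = 0; i < m->count; i++) {
        const mem_region *r = &m->regions[i];
        if (va < r->base) continue;
        uint32_t off = va - r->base;
        if (off >= r->size || len > r->size - off) continue;
        return r->data + off;
    }
    return NULL;
}

/* Read a little-endian dword (the 3.1.x client is 32-bit x86). */
static int read_u32_le(const mem_image *m, uint32_t va, uint32_t *out) {
    const uint8_t *p = resolve(m, va, 4);
    if (!p) return 0;
    *out = (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
    return 1;
}

/* Same decision as the prologue in the thread:
 *   mov eax, dword_11D3F3C ; test eax, eax ; jnz use_it ; mov eax, offset unk_981B4F
 * Returns 0 if the static itself is not readable. */
static uint32_t zone_text_ptr(const mem_image *m) {
    uint32_t p;
    if (!read_u32_le(m, ZONE_TEXT_STATIC, &p)) return 0;
    return p ? p : ZONE_TEXT_DEFAULT;
}

/* Copy the zone string into out. Returns its length, or a negative code:
 *  -1 the pointer or the string runs into unmapped memory,
 *  -2 a non-printable byte was hit (binary data, not a zone name),
 *  -3 no terminator within cap. Any negative result means "do not trust it". */
static int read_zone_text(const mem_image *m, char *out, size_t cap) {
    uint32_t p = zone_text_ptr(m);
    if (p == 0 || cap == 0) return -1;
    for (size_t i = 0; i + 1 < cap; i++) {
        const uint8_t *b = resolve(m, p + (uint32_t)i, 1);
        if (!b) { out[0] = 0; return -1; }
        if (*b == 0) { out[i] = 0; return (int)i; }
        if (!isprint(*b)) { out[0] = 0; return -2; }
        out[i] = (char)*b;
    }
    out[0] = 0;
    return -3;
}

/* Constructed scenario data (hypothetical addresses and sample values). */
#define ZONE_STR_VA 0x0C3A0000u
#define GARBAGE_VA  0x0C3B0000u
static const uint8_t g_default[] = "";               /* fallback: empty string */
static const uint8_t g_zone[]    = "Stormwind City";  /* sample zone name */
static const uint8_t g_garbage[] = { 0x01, 0x02, 0xFF, 0x00 };
static uint8_t       g_static[4];

/* Build the image with the static holding static_value, then read through it. */
int zone_text_for(uint32_t static_value, char *out, size_t cap) {
    static mem_region regions[4];
    regions[0] = (mem_region){ ZONE_TEXT_DEFAULT, g_default, sizeof g_default };
    regions[1] = (mem_region){ ZONE_STR_VA, g_zone, sizeof g_zone };
    regions[2] = (mem_region){ GARBAGE_VA, g_garbage, sizeof g_garbage };
    for (int i = 0; i < 4; i++) g_static[i] = (uint8_t)(static_value >> (8 * i));
    regions[3] = (mem_region){ ZONE_TEXT_STATIC, g_static, sizeof g_static };
    mem_image m = { regions, 4 };
    return read_zone_text(&m, out, cap);
}

/* 1 if the read succeeds and yields exactly expected, else 0. */
int zone_text_equals(uint32_t static_value, const char *expected) {
    char buf[64];
    return zone_text_for(static_value, buf, sizeof buf) >= 0 && strcmp(buf, expected) == 0;
}

int main(void) {
    char buf[64];
    printf("valid pointer  -> %d \"%s\"\n", zone_text_for(ZONE_STR_VA, buf, sizeof buf), buf);
    printf("null static    -> %d \"%s\"\n", zone_text_for(0, buf, sizeof buf), buf);
    printf("dangling ptr   -> %d\n", zone_text_for(0xDEADBEEFu, buf, sizeof buf));
    printf("binary garbage -> %d\n", zone_text_for(GARBAGE_VA, buf, sizeof buf));
    return 0;
}
```

The two failure codes are the ones worth surfacing in a tool: -1 is the stale-pointer case (the static still holds an address from before a zone change or a restart), and -2 is the case where the static is live but the bytes behind it are not text yet, which is what an uninitialised or reused allocation looks like when read blindly.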

  11. #11 lanman92 (Active Member)
    Eh, never hurts to be safe. It's not a big deal anyway, just a patch or two.

  12. #12 jockel (Member)
    Originally Posted by Bobbysing:
        Works perfectly fine for me, you must be doing something wrong.
    Thanks for verifying that stuff, I don't know what was going on, but after I restarted my computer my program displayed the zone correctly.

    Even CheatEngine was displaying the ZoneText pointer wrong before I went to restart, so I have no guess what was going on.

    Ty @all

  13. #13 amadmonk (Active Member)
    Originally Posted by Bobbysing:
        Also, the debugger detection you are talking about doesn't exist in WoW and Blizzard only bans the accounts that were detected by warden, they don't ban accounts that run with them on the same IP but did nothing wrong.
    Useful to know. I'd heard somewhere that Blizz did blanket-bans on an IP after Warden flags an account. I guess that with the prevalence of NATs, that wouldn't work so well; I should have thought it out a bit further.

    So, just trial accounts then... nice. Probably still doesn't hurt to patch the PEB, as lanman says -- it's easy.

  14. #14 kynox (Member)
    There are a plethora of anti-debug plugins out there for OllyDbg. I personally use Stealth64 as I'm on an x64 platform. For x86, I would suggest Olly Advanced.

  15. #15 amadmonk (Active Member)
    I'm using x64, so I'll look into Stealth64. Frankly, I've been using Windbg (as it's been fine for me), but I may load Olly tonight to see why all the heavyweights recommend it...
