Warden research thread

  #1 Daemeat

    Seeing as there is a severe lack of information about Warden, I decided to make this thread to share the information I have gathered, and I will continue to do so when I am able.

    I hope that everybody will be able to grab bits and pieces of what I have to share and put them together to form something they can work with; any information you have is welcome as well.

    I will also try not to go into too much detail.

    Please keep trolling to yourself and keep the thread strictly to the subject: 'Warden research'

    First off, Warden is loaded into memory by Wow.exe.
    Wow allocates virtual memory with VirtualAlloc, where the Warden binary will be placed.
    Wow also calls VirtualProtect on the allocated memory.
    Once you have figured out which memory block Warden is placed at, we can start with the packets it sends.

    Every few seconds 'Warden__SendPacket' (refer to Apoc's Wow API dump) sends a packet encrypted by the following function I found:

    (Take note of the base address!)

    Code:
    BASE: 0e9b0000
    0E9B5FB0   55               PUSH EBP
    0E9B5FB1   8BEC             MOV EBP,ESP
    0E9B5FB3   56               PUSH ESI
    0E9B5FB4   8BF1             MOV ESI,ECX
    0E9B5FB6   83BE 2C040000 00 CMP DWORD PTR DS:[ESI+42C],0
    0E9B5FBD   76 5C            JBE SHORT 0E9B601B
    0E9B5FBF   8B45 08          MOV EAX,DWORD PTR SS:[EBP+8]
    0E9B5FC2   57               PUSH EDI
    0E9B5FC3   50               PUSH EAX
    0E9B5FC4   8D4D 0B          LEA ECX,DWORD PTR SS:[EBP+B]
    0E9B5FC7   51               PUSH ECX
    0E9B5FC8   8D96 34060000    LEA EDX,DWORD PTR DS:[ESI+634]
    0E9B5FCE   52               PUSH EDX
    0E9B5FCF   8DBE 4C060000    LEA EDI,DWORD PTR DS:[ESI+64C]
    0E9B5FD5   57               PUSH EDI
    0E9B5FD6   8BCE             MOV ECX,ESI
    0E9B5FD8   E8 66CFFFFF      CALL 0E9B2F43
    0E9B5FDD   807D 0B 00       CMP BYTE PTR SS:[EBP+B],0
    0E9B5FE1   74 37            JE SHORT 0E9B601A
    0E9B5FE3   53               PUSH EBX
    0E9B5FE4   8BCF             MOV ECX,EDI
    0E9B5FE6   C786 2C040000 00>MOV DWORD PTR DS:[ESI+42C],0
    0E9B5FF0   E8 91040000      CALL 0E9B6486
    0E9B5FF5   8B86 58060000    MOV EAX,DWORD PTR DS:[ESI+658]
    0E9B5FFB   8B78 08          MOV EDI,DWORD PTR DS:[EAX+8]
    0E9B5FFE   57               PUSH EDI                                 ; Length
    0E9B5FFF   8D9E 34040000    LEA EBX,DWORD PTR DS:[ESI+434]
    0E9B6005   53               PUSH EBX                                 ; DataPtr(Unencrypted data)
    0E9B6006   8D4E 20          LEA ECX,DWORD PTR DS:[ESI+20]
    (1)0E9B6009   E8 02ECFFFF      CALL 0E9B4C10                            ; Calls this function and encrypts Data
    0E9B600E   8B4E 18          MOV ECX,DWORD PTR DS:[ESI+18]
    0E9B6011   8B11             MOV EDX,DWORD PTR DS:[ECX]
    0E9B6013   8B02             MOV EAX,DWORD PTR DS:[EDX]
    0E9B6015   57               PUSH EDI
    0E9B6016   53               PUSH EBX
    0E9B6017   FFD0             CALL EAX
    0E9B6019   5B               POP EBX
    0E9B601A   5F               POP EDI
    0E9B601B   8BCE             MOV ECX,ESI
    0E9B601D   E8 9E090000      CALL 0E9B69C0
    0E9B6022   5E               POP ESI
    0E9B6023   5D               POP EBP
    0E9B6024   C2 0400          RETN 4

    Code:
    (1):
    0E9B4C10   55               PUSH EBP
    0E9B4C11   8BEC             MOV EBP,ESP
    0E9B4C13   56               PUSH ESI
    0E9B4C14   33F6             XOR ESI,ESI
    0E9B4C16   3975 0C          CMP DWORD PTR SS:[EBP+C],ESI
    0E9B4C19   76 5F            JBE SHORT 0E9B4C7A
    0E9B4C1B   53               PUSH EBX
    0E9B4C1C   57               PUSH EDI
    0E9B4C1D   8D49 00          LEA ECX,DWORD PTR DS:[ECX]
    0E9B4C20   8081 00010000 01 ADD BYTE PTR DS:[ECX+100],1
    0E9B4C27   0FB681 00010000  MOVZX EAX,BYTE PTR DS:[ECX+100]
    0E9B4C2E   0FB61408         MOVZX EDX,BYTE PTR DS:[EAX+ECX]
    0E9B4C32   0091 01010000    ADD BYTE PTR DS:[ECX+101],DL
    0E9B4C38   8A1408           MOV DL,BYTE PTR DS:[EAX+ECX]
    0E9B4C3B   8D3C08           LEA EDI,DWORD PTR DS:[EAX+ECX]
    0E9B4C3E   0FB681 01010000  MOVZX EAX,BYTE PTR DS:[ECX+101]
    0E9B4C45   8A1C08           MOV BL,BYTE PTR DS:[EAX+ECX]
    0E9B4C48   03C1             ADD EAX,ECX
    0E9B4C4A   881F             MOV BYTE PTR DS:[EDI],BL
    0E9B4C4C   8810             MOV BYTE PTR DS:[EAX],DL
    0E9B4C4E   0FB681 01010000  MOVZX EAX,BYTE PTR DS:[ECX+101]
    0E9B4C55   0FB691 00010000  MOVZX EDX,BYTE PTR DS:[ECX+100]
    0E9B4C5C   8A0408           MOV AL,BYTE PTR DS:[EAX+ECX]
    0E9B4C5F   02040A           ADD AL,BYTE PTR DS:[EDX+ECX]
    0E9B4C62   83C6 01          ADD ESI,1
    0E9B4C65   0FB6D0           MOVZX EDX,AL
    0E9B4C68   0FB6140A         MOVZX EDX,BYTE PTR DS:[EDX+ECX]
    0E9B4C6C   8B45 08          MOV EAX,DWORD PTR SS:[EBP+8]
    0E9B4C6F   305406 FF        XOR BYTE PTR DS:[ESI+EAX-1],DL           ; Writes encrypted byte back on [PacketPtr+Count-1]
    0E9B4C73   3B75 0C          CMP ESI,DWORD PTR SS:[EBP+C]
    0E9B4C76  ^72 A8            JB SHORT 0E9B4C20
    0E9B4C78   5F               POP EDI
    0E9B4C79   5B               POP EBX
    0E9B4C7A   5E               POP ESI
    0E9B4C7B   5D               POP EBP
    0E9B4C7C   C2 0800          RETN 8

    There is also a very large function that constructs the packet, although it is constructed in an odd way (perhaps a hash is created?).

    I will post more on this later.

  #2 Cypher
    "Please keep trolling to yourself and keep the thread strictly to the subject: 'Warden research'"

    Way to just encourage the trolls, lol.

  #3 Daemeat
    I managed to get the binary part of the code Warden has; it is a DLL file with its header removed.

    I tried to reconstruct its header, but it is pretty much broken.
    It is only fixed to the extent that you can load it in a disassembler with errors, but it works.

    Here is the link: (Look closely for the DL link, I couldn't get it to upload on the forum :S)

    http://www.2shared.com/file/12630988...n_rebuilt.html
    Last edited by Daemeat; 04-18-2010 at 10:52 AM.

  #4 Daemeat
    Here is a list of functions that MAY be called from the Warden DLL code area.
    Just because they are imports doesn't mean they will get called.
    Some are only called under special conditions.

    Functions with a '*' require some caution or attention.

    Code:
    RemoveVectoredExceptionHandler
    AddVectoredExceptionHandler
    GetModuleInformation
    GetModuleBaseNameA
    EnumProcessModules
    Module32First
    Module32Next
    CreateToolhelp32Snapshot
    *IsDebuggerPresent
    
    lstrcmpA
    Sleep
    TlsFree
    TlsGetValue
    TlsSetValue
    *RaiseException
    TlsAlloc
    GetProcAddress
    GetModuleHandleA
    *GetTickCount
    GetVersionExA
    GetSystemInfo
    *QueryDosDeviceA (checks HideEx, Afdaa32 etc drivers)
    VirtualQuery
    CloseHandle
    GetCurrentProcess
    FreeLibrary
    DuplicateHandle
    LoadLibraryA
    GetProcessHeap
    HeapFree
    *TerminateProcess
    *UnhandledExceptionFilter
    *SetUnhandledExceptionFilter
    *QueryPerformanceCounter
    GetCurrentThreadId
    GetCurrentProcessId
    *GetSystemTimeAsFileTime
    RtlUnwind
    
    CharUpperBuffA
    RegisterClassA
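    The note on QueryDosDeviceA above says only that it is used to check for drivers such as HideEx and Afdaa32; the post does not show the mechanism. As an added example (editor's code, not Warden's), the Python below enumerates every DOS device name with QueryDosDeviceA(NULL, buf, size) and matches the list against a small denylist. The denylist entries are the two names the post mentions and their spelling is assumed; the real list Warden carries is not on the page. The enumeration itself runs only on Windows; the parsing and matching are plain Python.

```python
import ctypes
import sys

# Added example. The suspect set is an ASSUMPTION built from the two names
# the post mentions; Warden's actual list is not on the page.
SUSPECT_DEVICE_NAMES = frozenset({"hideex", "afdaa32"})

ERROR_INSUFFICIENT_BUFFER = 122


def parse_multi_sz(raw: bytes) -> list:
    """Split a block of NUL-terminated names (double NUL at the end) into a list."""
    return [s.decode("latin-1") for s in raw.split(b"\0") if s]


def enumerate_dos_devices() -> list:
    """All DOS device names via QueryDosDeviceA(NULL, ...). Windows only."""
    if sys.platform != "win32":
        raise OSError("QueryDosDeviceA is only available on Windows")
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.QueryDosDeviceA.argtypes = (ctypes.c_char_p, ctypes.c_char_p, ctypes.c_uint32)
    k32.QueryDosDeviceA.restype = ctypes.c_uint32
    size = 0x10000
    while size <= 0x1000000:
        buf = ctypes.create_string_buffer(size)
        n = k32.QueryDosDeviceA(None, buf, size)   # NULL name => list every device
        if n:
            return parse_multi_sz(buf.raw[:n])
        if ctypes.get_last_error() != ERROR_INSUFFICIENT_BUFFER:
            raise ctypes.WinError(ctypes.get_last_error())
        size *= 2                                   # grow and retry on a short buffer
    raise OSError("device list too large")


def find_suspect_devices(device_names, suspects=SUSPECT_DEVICE_NAMES) -> list:
    """Case-insensitive match, as a driver-name check would treat the list."""
    return sorted(name for name in device_names if name.lower() in suspects)


if __name__ == "__main__":
    names = enumerate_dos_devices()
    print(f"{len(names)} devices; suspect: {find_suspect_devices(names)}")
```

    The device-name route is worth knowing because it sees a driver's symbolic link without opening the driver: a kernel module that registers \DosDevices\HideEx shows up in this list whether or not user mode has a handle to it, which is why a tool that wants to stay unseen tends to avoid creating a DOS device name at all.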

  #5 Daemeat
    It seems that the Warden loaded after logging in is actually a cached file called "Maiev.mod", which is named after Maiev the Warden.

    The file seems to just be compressed.

    Apparently it is possible for a "2nd" Warden to load, which is sent from the server side at any time.
    Although this has not happened to me yet (which makes it all the trickier to analyze it right now).

    Some comments from other people are welcome; I might become discouraged posting any further information if nobody else will bother to contribute.

  #6 kynox
    Originally Posted by Daemeat
    It seems that the Warden loaded after logging in is actually a cached file called "Maiev.mod", which is named after Maiev the Warden.

    The file seems to just be compressed.

    Apparently it is possible for a "2nd" Warden to load, which is sent from the server side at any time.
    Although this has not happened to me yet (which makes it all the trickier to analyze it right now).

    Some comments from other people are welcome; I might become discouraged posting any further information if nobody else will bother to contribute.
    Warden is always streamed from the server, unless the Warden server is offline - which is not the case right now.

    Maiev.mod just acts as a bootstrapper for loading the streamed module from Blizzard. You have more than likely just not noticed the second module loading.

  #7 abdula123
    Originally Posted by Daemeat
    Some comments from other people are welcome; I might become discouraged posting any further information if nobody else will bother to contribute.
    Read the Valhalla Legends forum's "Battle.net Bot Development" section.

    It is mainly about Diablo 2 bots, but the Warden used in D2 is exactly the same as in WoW.
    Last edited by abdula123; 04-19-2010 at 06:53 AM.
