[mac][3.3.2] Getting started w/Warden menu

  1. #1
    Tanaris4

    So this post is meant to go through what I've discovered (thanks to the post by kynox: Warden’s existence on the Mac Dribble) as well as ask a few questions. Hopefully I won't get banned.

    Basically warden starts to load shortly after you've logged in (but before the character selection screen). Discovered this by hooking 0x2B4660 (which starts the warden load process - tanaris4 private pastebin - collaborative debugging tool). Here is the process as I understand it:

    1. 0xEFDD20 is locked (and unlocked when the function call completes)
    2. sub_2B4560 - tanaris4 private pastebin - collaborative debugging tool
      In this function we basically are just unlinking a module IF it exists. Two locations in memory are checked: 0xEFDDD4 and 0xEFDDDC
      +0x0 = of type (NSModule *)
      +0x4 = of type (NSObjectFileImage *)
    3. Now that any previous modules are unlinked, we now call the actual warden load function (0x2B3AF0), which will load the module into memory - tanaris4 private pastebin - collaborative debugging tool
      Now I feel like at this point, I've actually gotten somewhere and could *potentially* "extract" the module from memory so I could take a peek in IDA + see what it does. Basically if I hook the "allocate_memory" function (0x935C0) I could determine where the module is stored + dump it.


    Do I seem to be going on the right track? Feel free to flame, but I'm trying to better understand what is going on.

    Edit: The 3.3.2 mac binary: http://dump.ifeedr.com/WoWBinaries/W...ft%203.3.2.zip
    Last edited by Tanaris4; 02-09-2010 at 02:42 PM.
    https://tanaris4.com

  2. #2
    kynox
    You're on the right track, yes. Don't expect to find anything spectacular though; the module is tiny.

  3. #3
    Tanaris4
    Thanks kynox, appreciate it :-)

    I'll dig a little deeper. Was everything I said above "correct"?
    https://tanaris4.com

  4. #4
    dwomac
    If you dig a little more into the format of the modules you can convert them to DLLs, which makes it easier to analyze in IDA. Assuming they look similar on Mac and haven't structurally changed since I looked at them, which was quite some time ago.

  5. #5
    BoogieManTM
    Originally Posted by kynox:
    You're on the right track, yes. Don't expect to find anything spectacular though; the module is tiny.
    but it gets the job done :rofl:

    P.S., the module is cached in wowcache.wdb (if I recall correctly). I'm pretty sure someone made a dumper (look on GD) that will rip it out of that file once you figure out the encryption.
    Last edited by BoogieManTM; 02-11-2010 at 06:20 PM.

  6. #6
    BoogieManTM
    Originally Posted by dwomac:
    If you dig a little more into the format of the modules you can convert them to DLLs, which makes it easier to analyze in IDA. Assuming they look similar on Mac and haven't structurally changed since I looked at them, which was quite some time ago.
    I think it's a standard MachO library on mac, not a "BLL" as on windows.
