New Wow Anti-Debug

[DrGonzo]

Wow servers haven't come back up yet, so I've been unable to test it in game but the client appears to be checking for a debugger by throwing a hardware BP and then checking in the handler. If detected the client will silently crash. By using some ollydbg hider plugin's I've been able to get it to crash out with a WowError message - not much progress but some. Thoughts?

Edit:
ERROR #132 (0x85100084) Fatal Exception
Program: C:\Program Files (x86)\World of Warcraft\Wow.exe
Exception: 0xC0000005 (ACCESS_VIOLATION) at 0023:00DCED40

The instruction at "0x00DCED40" referenced memory at "0x00DCED40".
0x00DCED40 appears to be an invalid location/code, then windows closes wow due to DEP.

Yes, I should've mentioned this is on login - attaching is fine until then.

[hayboy1213]

I don't really understand what your saying.
every server is down until approximatively 1 PDT Which is in about 9 minutes.

[tymezz]

I don't really understand what your saying.
every server is down until approximatively 1 PDT Which is in about 9 minutes.

Why the **** did you post?

[TOM_RUS]

That anti debug probably related to updated battle.net.dll and most likely works similar to SC2 anti debug...

[hayboy1213]

I figured he was asking about the server. So I answered.

[AfterMidnight]

He wasn't; He claims that aside from the 'new' warden - their debugging tool has also been updated.

[JuJuBoSc]

OllyDbg work fine on Seven 32 Bits, able set breakpoint ( Tried on EndScene call ), but crash on Seven 64 Bits.

EDIT : Crash the game while login.

[XTZGZoReX]

It's circular debugging, like in SC2.

[DrGonzo]

Removed URL, didn't realize a local copy of b.net.dll was created.

[-Ryuk-]

Just some more changes:

"push 009cdd8c" at 648066 in 3.3.3
"push assertandcrash+11ba3c" at 687C66 in 3.3.5

[Tanaris4]

I'm unable to start it via GDB on OS X too :/ GDit. Anyone find a solution via windows?

Edit: I was incorrect, apparently it would just fail if you hadn't accepted the license agreement, very strange indeed. Wasn't able to find any calls to sysctl anyways (http://developer.apple.com/mac/libra...04/qa1361.html )

[tymezz]

I'm unable to start it via GDB on OS X too :/ GDit. Anyone find a solution via windows?

info: 0x1337.org

[DrakeFish]

Just some more changes:

"push 009cdd8c" at 648066 in 3.3.3
"push assertandcrash+11ba3c" at 687C66 in 3.3.5

This isn't only for that line, it's for every constant I can see in CE.
Looks like assertandcrash = 8C53C0, and that this address isn't dynamic. This address is also the start of a function.

[DrGonzo]

FYI - Attaching a debugger to wow in game won't crash it but pausing it and resuming will.

[MaiN]

AssertAndCrash is a new export WoW has declared.