-
Master Sergeant
Originally Posted by
Woweur
Just use GetModuleHandle + address ...
Did you even read the thread?
-
Contributor
Originally Posted by
Flowerew
Maybe if you have sensible data on your development system...I don't. And this: "there for a reason" is the same argument Cypher gave you two with your method, think about it.
p.s.: And what he says V
There is a big difference between disabling ASLR for one file (which is not system critical) and disabling it globally. But, yes, if it is on a development box that has no sensitive data, who cares?
-
Member
Originally Posted by
pred.is.god
Age/Sex/Location/Race?
Address/space/layout/randomization
-
Member
When Warden goes to check the addresses it's sent from the WoW server, you're in trouble. Don't disable ASLR.
-
Member
Originally Posted by
Lecht
When Warden goes to check the addresses it's sent from the WoW server, you're in trouble. Don't disable ASLR.
I am an idiot when it comes to Warden but if there is the option to disable ASLR on a system-wide level this can only raise a flag but not give you bans directly.
If I remember correctly Mac doesn't support ASLR except for libs so I dunno, but would WoW really check for this?
-
Contributor
Originally Posted by
Azzie2k8
I am an idiot when it comes to Warden but if there is the option to disable ASLR on a system-wide level this can only raise a flag but not give you bans directly.
If I remember correctly Mac doesn't support ASLR except for libs so I dunno, but would WoW really check for this?
Don't pay attention to Lecht. He doesn't know what he is talking about. Because this, really, makes no sense:
When Warden goes to check the addresses it's sent from the WoW server, you're in trouble. Don't disable ASLR.
Anyway, I am 99% confident that you will never get banned for this. As of right now, they do not check the PE header to see if ASLR is enabled/disabled. It is very unlikely they will start in the future. Why? It would be STUPID for Blizzard to ban for something like this (or even flag your account for review). If they did, you could EASILY get Account Administration to overturn their decision. There are legitimate uses for disabling ASLR (e.g. incompatibility with software on your computer [antivirus], random crashes, etc.).
-
Member
Woah woah woah there buddy. I'm not saying you'll get banned for disabling ASLR, what I'm saying is that when the server requests a checksum or a number of bytes from a certain address, it will read THAT ADDRESS and come up invalid and probably flag you. You obviously have no clue how Warden works, I'm just trying to save everyone else the headache of having to go through account administration etc. after their accounts get suspended. Why in the hell are you disabling it to begin with? Don't come at me like that.
-
Contributor
I can verify what Lecht says, if Warden does a consistency check like it does for many other files and addresses. If it returns false, you're banned =).
-
Member
Originally Posted by
Lecht
Woah woah woah there buddy. I'm not saying you'll get banned for disabling ASLR, what I'm saying is that when the server requests a checksum or a number of bytes from a certain address, it will read THAT ADDRESS and come up invalid and probably flag you. You obviously have no clue how Warden works, I'm just trying to save everyone else the headache of having to go through account administration etc. after their accounts get suspended. Why in the hell are you disabling it to begin with? Don't come at me like that.
I'm pretty sure Warden is not so naïve in its implementation as to allow that to happen.
Do you really believe that Warden would not account for this? What about Win XP users, who don't use ASLR?
I'm not that into what Warden does and does not do, only the basics. But your statement sounds wrong by every law of logic there is.
-
Contributor
Originally Posted by
Lecht
Woah woah woah there buddy. I'm not saying you'll get banned for disabling ASLR, what I'm saying is that when the server requests a checksum or a number of bytes from a certain address, it will read THAT ADDRESS and come up invalid and probably flag you. You obviously have no clue how Warden works, I'm just trying to save everyone else the headache of having to go through account administration etc. after their accounts get suspended. Why in the hell are you disabling it to begin with? Don't come at me like that.
Originally Posted by
luciferc
I can verify what Lecht says, if Warden does a consistency check like it does for many other files and addresses. If it returns false, you're banned =).
No, you BOTH obviously don't understand. Why does this have anything to do with a checksum? Disabling ASLR doesn't ALTER any of the "contents" in memory within the program. So, if Warden does do a "checksum" of an address in memory (base + offset), it will STILL RETURN THE SAME VALID VALUE. You really need to read what ASLR is: Address space layout randomization - Wikipedia, the free encyclopedia and what it isn't.
Lecht, you should understand the concepts here before you talk. This is a problem with a lot of people on the forums, not just you.
I'm not trying to say I'm "smart" (or know everything) regarding this stuff (in fact, I'm a newbie in reverse engineering), but at least I don't "pretend" to know it. Before playing around with ASLR, I made sure that I understood what it did (and why it was implemented). I am well aware of all the features Warden currently has (much thanks to Cypher for his blogs & talks on MSN) in its arsenal. I just dislike it when people, like you Lecht, try to talk about something they don't understand fully. You are assuming stuff that doesn't make sense. Plus you are filling my thread with utter nonsense (other people MAY actually believe what you said, which is incorrect).
btw, I do explain the reason for disabling it on my main post ["Benefits section"].
Last edited by ddebug; 11-02-2010 at 06:43 PM.
-
Member
So let me get this straight. The server sends a Warden check, address 0041F312. That offset is valid for both bases?
-
Contributor
Originally Posted by
Lecht
So let me get this straight. The server sends a Warden check, address 0041F312. That offset is valid for both bases?
It must be base + offset to get the hash of the address. "0041F312", on each instance of World of Warcraft, will not be the same (UNLESS World of Warcraft has a fixed base - ASLR is off).
I think I see where the confusion lies. I am assuming this is what you think (or thought):
- Blizzard servers tell Warden to check a HARD CODED ADDRESS "0041F312" in memory to match a hash "X". Since WoW is ASLR, your base address will be some variable "B" (it changes each time; that's the point of ASLR)
- By your logic (which is incorrect), "0041F312" in memory must always have the same data. So, regardless of each World of Warcraft instance I start, the data in that instance's address "0041F312" must always be the same. Right? Then my hash "X" will match (if nothing is modified).
However, WoW implements ASLR. Since everything is shifted due to ASLR, "0041F312" (directly in memory) won't be the same contents. Therefore each time Warden checked "0041F312" in memory, it wouldn't match the hash "X" and everyone would be banned.
So, WoW must implement some feature of reading from "B" + offset (relatively) to get the hash of the data.
This is why when a packet to check the hash of an arbitrary address "0041F312" is sent, it would have to read from the "base" to get the relative address OR it wouldn't be the same each time. Disabling ASLR makes our World of Warcraft base equal to 0x401000 each time. Since Warden reads from "B" + offset, when it reads from our fixed base address "0x401000" + offset, it will read the same area in memory (and would match the same hash).
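The base + offset reasoning in the post above, as an added example that is not part of the original thread and is not Warden's actual implementation: a simulated loader maps a constructed 64-byte image at several bases, and a hard-coded-address hash check is compared with a base-relative one. `PREFERRED_BASE`, the image bytes and every function name are assumptions made for the illustration.

```python
import hashlib
import struct

PREFERRED_BASE = 0x00400000  # assumed link-time base (constructed value)
RELOC_OFFSETS = (0x20,)      # offsets holding absolute 32-bit pointers

def build_image():
    """Constructed 64-byte image with one absolute pointer at 0x20."""
    img = bytearray(range(64))
    struct.pack_into("<I", img, 0x20, PREFERRED_BASE + 0x10)
    return bytes(img)

def load(image, base):
    """Simulate the loader: map at `base`, apply relocation fixups."""
    mem = bytearray(image)
    for off in RELOC_OFFSETS:
        (ptr,) = struct.unpack_from("<I", mem, off)
        struct.pack_into("<I", mem, off, (ptr + base - PREFERRED_BASE) & 0xFFFFFFFF)
    return {"base": base, "mem": bytes(mem)}

def read(proc, address, length):
    """Read by absolute address; None when outside the mapped image."""
    start = address - proc["base"]
    if start < 0 or start + length > len(proc["mem"]):
        return None
    return proc["mem"][start:start + length]

def digest(data):
    return hashlib.sha1(data).hexdigest()

def check_absolute(proc, address, length, expected):
    """Naive check: hash whatever sits at a hard-coded address."""
    data = read(proc, address, length)
    return data is not None and digest(data) == expected

def check_relative(proc, offset, length, expected):
    """Base-relative check: hash the bytes at base + offset."""
    data = read(proc, proc["base"] + offset, length)
    return data is not None and digest(data) == expected

def run_checks(bases, offset, length):
    """Return {base: (absolute_ok, relative_ok)} for one reference hash."""
    image = build_image()
    expected = digest(image[offset:offset + length])
    results = {}
    for base in bases:
        proc = load(image, base)
        results[base] = (check_absolute(proc, PREFERRED_BASE + offset, length, expected),
                         check_relative(proc, offset, length, expected))
    return results
```

`run_checks([0x00400000, 0x00A50000], 0x00, 0x10)` passes the relative check at both bases and the absolute check only at the preferred base. A range that covers the relocated pointer (`offset=0x20, length=4`) fails even the relative check at a non-preferred base, which is why an integrity checker has to skip or normalize relocated bytes.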
-
Kynox's Sister's Pimp
Originally Posted by
Lecht
Woah woah woah there buddy. I'm not saying you'll get banned for disabling ASLR, what I'm saying is that when the server requests a checksum or a number of bytes from a certain address, it will read THAT ADDRESS and come up invalid and probably flag you. You obviously have no clue how Warden works, I'm just trying to save everyone else the headache of having to go through account administration etc. after their accounts get suspended. Why in the hell are you disabling it to begin with? Don't come at me like that.
You're a ****ing moron. Seriously.
-
Contributor
Originally Posted by
Lecht
Every time I read one of your posts I just can't help but hear it in my head being narrated by the Napoleon Dynamite guy. Get a life.
Come on, don't disrespect Cypher by telling him to get a life. That's totally uncalled for. The guy DOES have a life (much more than me at least [and a handful of other Computer Science guys I know]). He is barely ever on (busy with his rock climbing and everything else). Just because he knows his shit (and uses that to his advantage), doesn't mean he is not "living life to his fullest". People like me (and maybe Cypher, but I can't really speak for him) enjoy this kind of stuff. This is my life, personally.
Might not be everyone's cup of tea, but hell... it is for me. Who are you to tell us differently?
Last edited by ddebug; 11-02-2010 at 08:28 PM.
-
Member
*shrug* if calling someone a "****ing moron" isn't disrespect then neither is my comment lol. If I'm wrong, I'll gladly yield and admit to it. In all honesty I was just trying to be helpful, learn something new every day. There's a difference between knowing your shit and using it to your advantage....and what Cypher does. He knows his shit, and well I might add. It's like someone that has a master's in a certain field calling you an idiot because you don't understand their field 100%.