[WoW][4.1.0.14007] Info Dump Thread

Page 3 of 4, posts 31 to 45 of 51
  1. #31
    tymezz (Member)
    Originally Posted by -Ryuk- View Post
    Where's the fun in that?
    Where's the point in that?

  2. #32
    Cypher (Kynox's Sister's Pimp)
    Originally Posted by Verletzer View Post
    ...or that you can disable it by changing one byte in the WoW binary.
    ...or you can just write code that doesn't suck.

  3. #33
    -Ryuk- (Elite User)
    Originally Posted by Cypher View Post
    ...or you can just write code that doesn't suck.
    My point exactly :P

    Anyway, Cypher, I could do with having a chat with you. I believe you know a lot more about warden than I do, and I could do with passing my idea by you.
    |Leacher:11/2009|Donor:02/2010|Established Member:09/2010|Contributor:09/2010|Elite:08/2013|

  4. #34
    Cypher (Kynox's Sister's Pimp)
    Originally Posted by -Ryuk- View Post
    My point exactly :P

    Anyway, Cypher, I could do with having a chat with you. I believe you know a lot more about warden than I do, and I could do with passing my idea by you.
    I don't work on WoW anymore. Unless it's a relatively generic question I'm unlikely to be of much help.

  5. #35
    Verletzer (Private)
    The reason for the patch is to enable IDA to attach more quickly. If ASLR is enabled, you need to wait for it to rebase the program every time it attaches.

  6. #36
    -Ryuk- (Elite User)
    Originally Posted by Cypher View Post
    I don't work on WoW anymore. Unless it's a relatively generic question I'm unlikely to be of much help.
    Well, I'll go ahead and ask anyway.

    Currently my warden scanner only looks at memory scans; does warden physically access every dll that is injected into wow? If so could it be detoured just like I am doing for the memory scans?

    Thanks

  7. #37
    TOM_RUS (Legendary)
    Originally Posted by -Ryuk- View Post
    Well, I'll go ahead and ask anyway.

    Currently my warden scanner only looks at memory scans; does warden physically access every dll that is injected into wow? If so could it be detoured just like I am doing for the memory scans?

    Thanks
    Yes, it scans every dll loaded into the wow process at specific offsets (offset + size of data sent by the server), hashes the data and checks it against the hash received from the server.
    No idea about detouring, but I assume if you can do that for memory scans, it's also possible for dll scans...

    Some pseudo code:
    Code:
    using System.Linq;                  // for SequenceEqual
    using System.Security.Cryptography;

    uint offset;        // received from server
    byte size;          // received from server
    byte[] seed;        // random 4 bytes, also received from server
    byte[] serverHash;  // received from server

    var hmac = new HMACSHA1(seed);
    var data = ReadBytes(dll_base_address + offset, size); // read size bytes of the module at base + offset
    var hash = hmac.ComputeHash(data);                      // compute client side hash
    if (hash.SequenceEqual(serverHash)) // compare client hash with hash received from server (byte[] == only compares references)
        // module adds 0xE9 to its CMSG_WARDEN_DATA response packet
    else
        // never bothered to check what it sends to server if hash doesn't match
    Last edited by TOM_RUS; 05-22-2011 at 05:29 AM.

  8. #38
    tymezz (Member)
    Originally Posted by -Ryuk- View Post
    Well, I'll go ahead and ask anyway.

    Currently my warden scanner only looks at memory scans; does warden physically access every dll that is injected into wow? If so could it be detoured just like I am doing for the memory scans?

    Thanks
    Do you mean perform a checksum on modules loaded into the process? I'm not sure if they do that currently, but you're safe as long as you don't release anything.

    edit: TOM_RUS wins.

  9. #39
    -Ryuk- (Elite User)
    Originally Posted by TOM_RUS View Post
    Yes, it scans every dll loaded into the wow process at specific offsets (offset + size of data sent by the server), hashes the data and checks it against the hash received from the server.
    No idea about detouring, but I assume if you can do that for memory scans, it's also possible for dll scans...

    Some pseudo code:
    Code:
    using System.Linq;                  // for SequenceEqual
    using System.Security.Cryptography;

    uint offset;        // received from server
    byte size;          // received from server
    byte[] seed;        // random 4 bytes, also received from server
    byte[] serverHash;  // received from server

    var hmac = new HMACSHA1(seed);
    var data = ReadBytes(dll_base_address + offset, size); // read size bytes of the module at base + offset
    var hash = hmac.ComputeHash(data);                      // compute client side hash
    if (hash.SequenceEqual(serverHash)) // compare client hash with hash received from server (byte[] == only compares references)
        // module adds 0xE9 to its CMSG_WARDEN_DATA response packet
    else
        // never bothered to check what it sends to server if hash doesn't match
    Thank you.

    So if I am understanding this correctly, it does the following:

    Find dll base,
    Adds offset,
    Reads the data according to the size,
    Converts this into a hash,
    Checks this hash with the one from the warden server,
    Replies with the result,

    and starts again.

    Looks like I need to find where this scan takes place then, so I can detour it and peek at the results
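TOM_RUS's pseudocode in post #37 and the step list in this post describe the same integrity check, so here is one added worked example that covers both. It is not code from the thread or from any Warden module, and it is in Python rather than the thread's C#-style pseudocode so it runs anywhere. The module image, the server's clean reference copy and the seed are all constructed inline; ReadBytes is replaced by slicing an in-memory buffer; the 0xE9 reply byte comes from the thread, while the reply on mismatch is a placeholder because the thread does not give it. The seed-per-challenge and the comparison are done the way a server-driven integrity check should be: a fresh key for every round and a constant-time comparison on the client.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the bytes of a loaded module (not a real binary).
REFERENCE_IMAGE = bytes(range(256)) * 16   # 4096 bytes, the server's clean copy of the module
MATCH_REPLY = 0xE9                         # reply byte the thread reports on a match
MISMATCH_REPLY = 0x00                      # placeholder: the thread does not give this value


def read_bytes(image: bytes, offset: int, size: int) -> bytes:
    """Stand-in for ReadBytes(dll_base_address + offset, size) over an in-memory buffer.

    The thread's pseudocode types size as a byte, so one request covers at most 255 bytes,
    and a range that runs past the module is rejected rather than silently truncated.
    """
    if not 0 <= offset < len(image) or not 0 < size <= 0xFF or offset + size > len(image):
        raise ValueError("scan range outside module")
    return image[offset:offset + size]


def client_hash(image: bytes, seed: bytes, offset: int, size: int) -> bytes:
    """Client side: HMAC-SHA1 of the requested range, keyed with the 4-byte seed from the server."""
    return hmac.new(seed, read_bytes(image, offset, size), hashlib.sha1).digest()


def server_challenge(reference: bytes, offset: int, size: int, rng=os.urandom):
    """Server side: draw a fresh seed and hash the same range of the clean reference copy.

    Returns (seed, offset, size, expected_hash), i.e. everything the client receives.
    """
    seed = rng(4)
    expected = hmac.new(seed, reference[offset:offset + size], hashlib.sha1).digest()
    return seed, offset, size, expected


def answer_challenge(image: bytes, seed: bytes, offset: int, size: int, expected: bytes) -> int:
    """Client side: recompute the hash, compare in constant time, pick the reply byte."""
    ok = hmac.compare_digest(client_hash(image, seed, offset, size), expected)
    return MATCH_REPLY if ok else MISMATCH_REPLY


def scan_rounds(image: bytes, reference: bytes, ranges, rng=os.urandom):
    """Run one challenge per (offset, size) pair; returns the reply byte of each round."""
    replies = []
    for offset, size in ranges:
        seed, off, sz, expected = server_challenge(reference, offset, size, rng)
        replies.append(answer_challenge(image, seed, off, sz, expected))
    return replies


if __name__ == "__main__":
    patched = bytearray(REFERENCE_IMAGE)
    patched[0x110] ^= 0xFF                      # one byte changed inside the module
    patched = bytes(patched)
    ranges = [(0x100, 0x20), (0x800, 0x40)]     # only the first range covers the patched byte
    print(scan_rounds(REFERENCE_IMAGE, REFERENCE_IMAGE, ranges))   # both rounds reply 0xE9
    print(scan_rounds(patched, REFERENCE_IMAGE, ranges))           # first round fails, second still 0xE9
```

The second call in the usage block is the point of the server choosing offsets: a modification is only detected by a round whose range covers it, which is why the server keeps varying offset and size across rounds and why a single passed check says nothing about the rest of the module.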

  10. #40
    sitnspinlock (Elite User)
    TOM_RUS,

    what about asm injection, for instance an allocated memory region not allocated by wow? Is there any jumping around with memory query functions?

  11. #41
    -Ryuk- (Elite User)
    Originally Posted by everdox View Post
    TOM_RUS,

    what about asm injection, for instance an allocated memory region not allocated by wow? Is there any jumping around with memory query functions?
    Yes, I believe this is how eBot got its banwave.

    It's good practice to randomize (but not too much) the size of your codecave, and to randomize your asm.

    Although I could be wayyy wrong :P

  12. #42
    TOM_RUS (Legendary)
    Originally Posted by everdox View Post
    TOM_RUS,

    what about asm injection, for instance an allocated memory region not allocated by wow? Is there any jumping around with memory query functions?
    I have a feeling that it does VirtualQuery or whatever it is to get the wow memory map and then scans that whole thing using the method I posted above. So it's not just DLLs...

  13. #43
    Verletzer (Private)
    Finding code injected by almost every bot/hack is easy. Almost all cheats use BlackMagic for allocating memory in the target process. The problem is that the memory is always allocated with PAGE_EXECUTE_READWRITE permission and is never changed to PAGE_EXECUTE_READ. WoW has a section of memory with the same permission (tsk tsk) but it can easily be filtered out. When memory is allocated via VirtualAlloc(Ex), "BaseAddress" will be equal to "AllocationBase" (see code below). You can iterate through all the allocated memory regions in a few milliseconds.

    Code:
    #include <windows.h>

    ULONG_PTR addressOffset = 0;
    MEMORY_BASIC_INFORMATION memInfo;

    // Walk the address space one region at a time; VirtualQuery returns 0 once
    // the address is past the last user-mode region.
    while (VirtualQuery((LPCVOID)addressOffset, &memInfo, sizeof(MEMORY_BASIC_INFORMATION)) != 0) {
        if ((memInfo.State != MEM_FREE) &&
            (memInfo.Protect == PAGE_EXECUTE_READWRITE) &&      // still RWX, never changed to PAGE_EXECUTE_READ
            (memInfo.BaseAddress == memInfo.AllocationBase) &&  // first region of a VirtualAlloc(Ex) allocation
            (memInfo.RegionSize != 0)) {
            // Process suspicious memory...
        }
        // Advance from the region's base rather than the query address so the walk
        // stays aligned even if addressOffset fell inside a region.
        addressOffset = (ULONG_PTR)memInfo.BaseAddress + memInfo.RegionSize;
    }

  14. #44
    xalcon (Contributor, ふたなり)
    Hey guys, I want to contribute something too
    Unit_Name1 = 0x91C // found by TOM_RUS, thanks
    Unit_Subname = 0x4 // Jep... this was hard... since Unit_Name2 is @ 0x60 :P
    Unit_Subname = [[ObjBase + Unit_Name1] + Unit_Subname]

  15. #45
    erix920 (Private)
    Has subzone and zone changed? I thought I used to read an offset and it would give the text, but now with the new offsets it doesn't work. Am I not supposed to read it as ASCII?
