-
Banned
I don't have much knowledge of Warden so forgive the potentially naive question, but is it possible for them to execute any arbitrary code with Warden?
-
Originally Posted by
luckruns0ut
I don't have much knowledge of Warden so forgive the potentially naive question, but is it possible for them to execute any arbitrary code with Warden?
Quoting namreeb on this one:
Originally Posted by
namreeb
Sorry to necro this, but it's actually possible to disable this RSA signature check by sending a certain packet from the server which does not have proper sanity checking in the client, and exploit a small arbitrary code execution.
Check my blog: https://zzuks.blogspot.com
-
Before anyone asks, no I will not give out the details of that. But suffice it to say the exploit I found is not usable in a production environment.
-
Contributor
Adding to culino2's post:
1.12.1.5875 client references:
Code:
006CA190 WardenClient_Process
006CA1E0 ActivateNextModule
006CA250 Warden::RawModule::Destroy
006CA290 WardenClient_Destroy2
006CA2F0 WardenClient_Initialize
006CA360 Warden::RawModule::DecryptAndCreate
006CA5C0 WardenClient_HandlePacket
006CA640 WardenClient_Destroy
006CA6A0 Warden::Client::OurLibrary::Data
006CA770 Warden::Client::OurLibrary::ModuleUse
006CA840 Warden::Client::OurLibrary::ModuleCache
006CA8C0 Warden::Client::OurLibrary::MemoryAlloc
006CA8E0 Warden::Client::OurLibrary::MemoryFree
006CA900 Warden::Client::OurLibrary::StateSave
006CA960 Warden::Client::OurLibrary::StateLoad
007A79D0 Warden::RawModule::Create
007A7D80 UnloadWardenModule
misc:
Code:
00811330 s_publicKeyModulus ( used for verification of the module during loading )
00811430 s_publicKeyExponent
00CE8954 s_interface ( pointer to the client's warden interface )
00CE8958 s_wardenLock
00CE8974 s_nextModule
00CE8978 s_currentModule ( pointer to the warden module )
00CE897C s_moduleInterface ( pointer to the warden object )
00CE8980 s_stateData ( used to store RC4 send/recv key states )
00CE8984 s_stateSize ( size of the RC4 send/recv struct )
00CE8988 s_lastTick
warden:
Code:
functions:
0000185F Warden_Init
00002707 Warden_MemAlloc ( calls Warden::Client::OurLibrary::MemoryAlloc )
00002916 Warden_MemFree ( calls Warden::Client::OurLibrary::MemoryFree )
0000563B Warden_Sleep
00005B22 Warden_Destroy ( called from WardenClient_Destroy )
000073A6 Warden_SaveState ( calls Warden::Client::OurLibrary::StateSave saves the warden send/recv rc4 key states? )
00007E83 Warden_LoadPacketHandlers
packet handlers:
00002B77 WARDEN_SMSG_MODULE_USE_handler
000060AB WARDEN_SMSG_MODULE_CACHE_handler
00006590 WARDEN_SMSG_CHEAT_CHECKS_REQUEST_handler
00005E1E WARDEN_SMSG_MODULE_INITIALIZE_handler
00001410 WARDEN_SMSG_MEM_CHECKS_REQUEST_handler
00003812 WARDEN_SMSG_HASH_REQUEST_handler
Last edited by danwins; 12-26-2016 at 04:12 AM.
-
Member
UPDATE2: After 20 minutes of playing I received 10 packets with requests to check (on Elysium PvE server):
Elysium PvE (MPQ checks during 20min playing session):
Code:
// so it probably checks dungeons doors
World\Lordaeron\stratholme\Activedoodads\doors\nox_door_plague.m2
World\Kalimdor\onyxiaslair\doors\OnyxiasGate01.m2
World\Generic\Human\Activedoodads\doors\deadminedoor02.m2
World\Kalimdor\silithus\activedoodads\ahnqirajdoor\ahnqirajdoor02.m2
Kronos 1 (driver checks during 10min playing session):
Code:
ndis_x86
IPSect
drvsys_mon
Afd32uu
UPDATE: I was wrong, they check MPQs according to this:
PHP Code:
+Warden Server package
+-----------------------
+Command: 2
+Lenght : 484
+=======================
+Payload:
0x02 0x41 0x57 0x6f 0x72
0x6c 0x64 0x5c 0x4c 0x6f
0x72 0x64 0x61 0x65 0x72
0x6f 0x6e 0x5c 0x73 0x74
0x72 0x61 0x74 0x68 0x6f
0x6c 0x6d 0x65 0x5c 0x41
0x63 0x74 0x69 0x76 0x65
0x64 0x6f 0x6f 0x64 0x61
0x64 0x73 0x5c 0x64 0x6f
0x6f 0x72 0x73 0x5c 0x6e
0x6f 0x78 0x5f 0x64 0x6f
0x6f 0x72 0x5f 0x70 0x6c
0x61 0x67 0x75 0x65 0x2e
0x6d 0x32 0x31 0x57 0x6f
0x72 0x6c 0x64 0x5c 0x4b
0x61 0x6c 0x69 0x6d 0x64
0x6f 0x72 0x5c 0x6f 0x6e
0x79 0x78 0x69 0x61 0x73
0x6c 0x61 0x69 0x72 0x5c
0x64 0x6f 0x6f 0x72 0x73
0x5c 0x4f 0x6e 0x79 0x78
0x69 0x61 0x73 0x47 0x61
0x74 0x65 0x30 0x31 0x2e
0x6d 0x32 0x39 0x57 0x6f
0x72 0x6c 0x64 0x5c 0x47
0x65 0x6e 0x65 0x72 0x69
0x63 0x5c 0x48 0x75 0x6d
0x61 0x6e 0x5c 0x41 0x63
0x74 0x69 0x76 0x65 0x64
0x6f 0x6f 0x64 0x61 0x64
0x73 0x5c 0x64 0x6f 0x6f
0x72 0x73 0x5c 0x64 0x65
0x61 0x64 0x6d 0x69 0x6e
0x65 0x64 0x6f 0x6f 0x72
0x30 0x32 0x2e 0x6d 0x32
0x44 0x57 0x6f 0x72 0x6c
0x64 0x5c 0x4b 0x61 0x6c
0x69 0x6d 0x64 0x6f 0x72
0x5c 0x73 0x69 0x6c 0x69
0x74 0x68 0x75 0x73 0x5c
0x61 0x63 0x74 0x69 0x76
0x65 0x64 0x6f 0x6f 0x64
0x61 0x64 0x73 0x5c 0x61
0x68 0x6e 0x71 0x69 0x72
0x61 0x6a 0x64 0x6f 0x6f
0x72 0x5c 0x61 0x68 0x6e
0x71 0x69 0x72 0x61 0x6a
0x64 0x6f 0x6f 0x72 0x30
0x32 0x2e 0x6d 0x32 0x00
0x28 0x8c 0x00 0x64 0x6f
0x84 0x00 0x06 0x8c 0x00
0x10 0x86 0x53 0x00 0x04
0x8c 0x00 0x2b 0x36 0x40
0x00 0x03 0x8c 0x00 0xb5
0xa1 0x6c 0x00 0x01 0x8c
0x00 0xe3 0x2b 0x48 0x00
0x01 0x8c 0x00 0x50 0xf6
0x60 0x00 0x06 0x8c 0x00
0x17 0x1c 0x4d 0x00 0x02
0xe7 0x01 0xe7 0x02 0xe7
0x03 0xe7 0x04 0xc0 0x82
0xd7 0xe5 0xcb 0xc8 0xd2
0xf7 0x8a 0x79 0x1e 0x18
0x9b 0xab 0x3f 0xd5 0xd4
0x34 0x2b 0xf7 0xeb 0x0c
0xa3 0xf1 0x29 0x3c 0x21
0x01 0x00 0x07 0xc0 0xa4
0x44 0x51 0x9c 0xc4 0x19
0x52 0x1b 0x6d 0x39 0x99
0x0c 0x1d 0x95 0x32 0x9c
0x8d 0x94 0xb5 0x92 0x26
0xcb 0xaa 0x98 0x7b 0x40
0x00 0x00 0x20 0xc0 0x3a
0x0f 0x89 0x85 0xe7 0x01
0x34 0x3e 0x43 0x9c 0x74
0xb6 0x75 0xc7 0x2b 0xbe
0x2d 0x88 0x10 0xa7 0x45
0x56 0x99 0x13 0x90 0xaf
0x05 0x00 0x0a 0xcd 0x55
0xd1 0x88 0x98 0x3a 0x33
0xc0 0x6f 0xb1 0xf3 0x87
0x2e 0x71 0x4c 0x9d 0xe1
0xcf 0x2f 0x41 0x65 0xea
0x95 0xde 0xe8 0x8e 0x2a
0x00 0x00 0x15 0xc0 0xda
0xf4 0xa6 0xd9 0xb1 0xf6
0x6a 0x35 0x2c 0xd9 0x20
0x35 0x54 0x77 0xd4 0x0b
0xac 0xef 0xf1 0xfc 0x7d
0xd1 0xcf 0x1c 0x80 0x5e
0x04 0x00 0x0b 0xcd 0xdb
0xa0 0xfb 0x45 0x2d 0x78
0x42 0x26 0x11 0x5e 0x8b
0x3e 0xcd 0xde 0x70 0xcd
0xca 0x8d 0x10 0x5f 0x77
0x82 0xf8 0x5f 0x9d 0x12
0x00 0x00 0x20 0x7f
+===============================
+End of package
+===============================
Some Warden server packets that I explored on Elysium. This is strange, but on both servers, Kronos and Elysium, I haven't seen any Lua string, MPQ, or driver checks. These are Elysium packets:
PHP Code:
// decrypted packets
+==============================+
+Warden Server packets
++-----------------------------+
+Command: 2
+Lenght : 261
+==============================+
+Payload:
0x02 0x00 0x28 0x8c 0x00
0x64 0x6f 0x84 0x00 0x06
0x8c 0x00 0x72 0x62 0x7c
0x00 0x04 0x8c 0x00 0x5e
0x62 0x7c 0x00 0x02 0x8c
0x00 0xdb 0x63 0x61 0x00
0x02 0x8c 0x00 0xf5 0x5c
0x61 0x00 0x01 0x8c 0x00
0x5f 0x62 0x7c 0x00 0x01
0x8c 0x00 0xda 0x63 0x7c
0x00 0x04 0x8c 0x00 0xbc
0x41 0x63 0x00 0x02 0x8c
0x00 0x49 0x67 0x61 0x00
0x02 0x8c 0x00 0x4f 0xe5
0x5f 0x00 0x01 0x8c 0x00
0xe3 0x41 0x63 0x00 0x02
0xc0 0x82 0xd7 0xe5 0xcb
0xc8 0xd2 0xf7 0x8a 0x79
0x1e 0x18 0x9b 0xab 0x3f
0xd5 0xd4 0x34 0x2b 0xf7
0xeb 0x0c 0xa3 0xf1 0x29
0x3c 0x21 0x01 0x00 0x07
0xc0 0xa4 0x44 0x51 0x9c
0xc4 0x19 0x52 0x1b 0x6d
0x39 0x99 0x0c 0x1d 0x95
0x32 0x9c 0x8d 0x94 0xb5
0x92 0x26 0xcb 0xaa 0x98
0x7b 0x40 0x00 0x00 0x20
0xc0 0x3a 0x0f 0x89 0x85
0xe7 0x01 0x34 0x3e 0x43
0x9c 0x74 0xb6 0x75 0xc7
0x2b 0xbe 0x2d 0x88 0x10
0xa7 0x45 0x56 0x99 0x13
0x90 0xaf 0x05 0x00 0x0a
0xcd 0x55 0xd1 0x88 0x98
0x3a 0x33 0xc0 0x6f 0xb1
0xf3 0x87 0x2e 0x71 0x4c
0x9d 0xe1 0xcf 0x2f 0x41
0x65 0xea 0x95 0xde 0xe8
0x8e 0x2a 0x00 0x00 0x15
0xc0 0xda 0xf4 0xa6 0xd9
0xb1 0xf6 0x6a 0x35 0x2c
0xd9 0x20 0x35 0x54 0x77
0xd4 0x0b 0xac 0xef 0xf1
0xfc 0x7d 0xd1 0xcf 0x1c
0x80 0x5e 0x04 0x00 0x0b
0xcd 0xdb 0xa0 0xfb 0x45
0x2d 0x78 0x42 0x26 0x11
0x5e 0x8b 0x3e 0xcd 0xde
0x70 0xcd 0xca 0x8d 0x10
0x5f 0x77 0x82 0xf8 0x5f
0x9d 0x12 0x00 0x00 0x20
0x7f
+==============================+
+End of packet
+==============================+
+==============================+
+Warden Server packet
++-----------------------------+
+Command: 2
+Lenght : 18
+==============================+
+Payload:
0x02 0x00 0x28 0x8c 0x00 // memcheck
0x10 0x2c 0x82 0x00 0x06 // 0x00822c10 reads 0x06 bytes at wow .rdata section
0x8c 0x00 0xd4 0xbc 0xc7 // 0x00c7bcd4 reads 0x04 bytes at wow .data section
0x00 0x04 0x7f
+===============================+
+End of packet +
+===============================+
+===============================+
+Warden Server packet
++------------------------------+
+Command: 2
+Lenght : 18
+===============================+
+Payload:
0x02 0x00 0x28 0x8c 0x00 // another memcheck
0x10 0x2c 0x82 0x00 0x06 // reads the same bytes as before
0x8c 0x00 0xd4 0xbc 0xc7
0x00 0x04 0x7f
+===============================+
+End of packet
+===============================+
// And so on
Last edited by alexsfx; 12-27-2016 at 09:10 AM.
Reason: added kronos info
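The annotated 18-byte packet above can be decoded field by field. The parser below is an added example, not code from the thread or from any server project. It assumes that the trailing byte is the XOR key applied to each check-type byte, and it takes the check-type values from open-source server emulators; both assumptions agree with the poster's memcheck annotations.

```python
import struct

# Check-type bytes as defined in open-source server emulators (assumption: the
# thread does not list them; they agree with the annotated packet below).
MEM_CHECK, PAGE_CHECK_A, PAGE_CHECK_B = 0xF3, 0xB2, 0xBF
MPQ_CHECK, LUA_STR_CHECK, TIMING_CHECK = 0x98, 0x8B, 0x57

# The 18-byte command-2 packet quoted in the post above.
PAGE_PACKET = bytes.fromhex("0200288c00102c8200068c00d4bcc700047f")


def parse_check_request(pkt: bytes) -> dict:
    """Decode a decrypted command-2 check request into strings and checks."""
    if len(pkt) < 3 or pkt[0] != 0x02:
        raise ValueError("not a command-2 check request")
    xor_key, body, pos = pkt[-1], pkt[1:-1], 0  # assumed: last byte is the XOR key

    def take(n: int) -> bytes:
        nonlocal pos
        if pos + n > len(body):
            raise ValueError(f"truncated packet at offset {pos + 1}")
        chunk = body[pos:pos + n]
        pos += n
        return chunk

    def ref(index: int):
        # String references are 1-based; 0 means "no string".
        if index == 0:
            return None
        if index > len(strings):
            raise ValueError(f"string index {index} out of range")
        return strings[index - 1]

    strings = []
    while (n := take(1)[0]) != 0:  # <len><bytes>..., ended by a 0x00 length
        strings.append(take(n).decode("latin-1"))

    checks = []
    while pos < len(body):
        ctype = take(1)[0] ^ xor_key
        if ctype == TIMING_CHECK:
            checks.append({"type": "timing"})
        elif ctype == MEM_CHECK:
            idx, addr, size = struct.unpack("<BIB", take(6))
            checks.append({"type": "mem", "module": ref(idx),
                           "address": addr, "length": size})
        elif ctype in (MPQ_CHECK, LUA_STR_CHECK):
            kind = "mpq" if ctype == MPQ_CHECK else "lua_str"
            checks.append({"type": kind, "name": ref(take(1)[0])})
        elif ctype in (PAGE_CHECK_A, PAGE_CHECK_B):
            seed, sha1, addr, size = struct.unpack("<I20sIB", take(29))
            checks.append({"type": "page", "seed": seed, "sha1": sha1.hex(),
                           "address": addr, "length": size})
        else:
            raise ValueError(f"unknown check type 0x{ctype:02x}")
    return {"xor_key": xor_key, "strings": strings, "checks": checks}


if __name__ == "__main__":
    for check in parse_check_request(PAGE_PACKET)["checks"]:
        print(check)
```

Every read goes through `take()`, so a truncated packet or an out-of-range string index raises `ValueError` instead of reading past the buffer.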
-
Contributor
I'm surprised you guys can even get on Elysium, it's perpetually down for me (DDoS I guess?)
-
Contributor
Are there any private servers that actually make use of the Lua string check in the 79c0768d657977d697e10bad956cced1 module?
Elysium seems to leave FrameScript::GetText unchanged from the Warden implementation on tom_rus's GitHub here ( 0x00819D40 ).
The other functions are as expected:
Code:
006477A0 SFile::Open
006487F0 SFile::GetFileSize
00648460 SFile::Read
00648730 SFile::Close
00819D40 FrameScript::GetText // offset from different binary
0042C010 OsGetAsyncTimeMs
-
Member
Originally Posted by
danwins
Are there any private servers that actually make use of the Lua string check in the 79c0768d657977d697e10bad956cced1 module?
Elysium seems to leave FrameScript::GetText unchanged from the Warden implementation on tom_rus's GitHub here ( 0x00819D40 ).
The other functions are as expected:
Code:
006477A0 SFile::Open
006487F0 SFile::GetFileSize
00648460 SFile::Read
00648730 SFile::Close
00819D40 FrameScript::GetText // offset from different binary
0042C010 OsGetAsyncTimeMs
Does the Warden module use SFile::Open to open MPQs?
Did I understand correctly?
Via the WARDEN_SMSG_MODULE_INITIALIZE packet the server initializes the Warden module's functions that it uses to check MPQ files, Lua strings, time checks and so on.
And the offsets of those functions depend on the client version, right?
Last edited by alexsfx; 12-28-2016 at 06:46 AM.
-
Contributor
That is what it looks like to me.
Here's my Warden struct so far ( pointed to by s_moduleInterface ):
Code:
struct Warden
{
int field_0;
int field_4;
int field_8;
int field_C;
int field_10;
int field_14;
WardenLib* m_WardenLib; // pointer to s_interface
void* m_ModuleSomething; // something to do with downloading the warden module from the server
KeyStates m_KeyStates; // struct with the warden rc4 send/recv key states
unk_vmt* unkPointer1; // points to the vmt at 0x8238
char m_packetBuffer[516];
int m_packetBufferSize;
int field_434[226];
unk1 fnFuncImports; // array of function pointers inside the wow binary
};
struct unk1
{
int field_0;
int field_4;
int field_8;
int field_C;
int SFile_Open; // points to SFile::Open in the wow binary
int SFile_GetFileSize; // points to SFile::GetFileSize in the wow binary
int SFile_Read; // points to SFile::Read in the wow binary
int SFile_Close; // points to SFile::Close in the wow binary
int field_20;
int field_24;
int field_28;
int FrameScript_GetText; // should point to FrameScript_GetText but doesnt?
int OsGetAsyncTimeMs; // points to OsGetAsyncTimeMs in the wow binary
};
struct KeyStates
{
rc4_state m_RC4SendKey; // RC4 send key state
rc4_state m_RC4RecvKey; // RC4 recv key state
int m_index; // some index counter
};
struct rc4_state
{
char perm[256];
char index1;
char index2;
};
example of mpq check:
1. Warden_ScanCase ( 0x2CFD ):
Code:
...
if ( checkType == MPQ_CHECK )
{
Warden_PacketGetInt8(v6, &pck);
if ( *(v6 + 8) <= *(v6 + 4) )
{
if ( !Warden_PacketGetString(warden, index, &string) )
return 4;
a3a = &off_815C;
sha1_init(&context);
if ( !Warden_CheckMPQFile(&warden->fnFuncImports, &string, &a3a, warden != 0 ? &warden->field_14 : 0) )
goto LABEL_67;
sha1_finish(&context, &digest);
v31 = v44;
Warden_PacketPutInt8(*(v44 + 12), 0);
v32 = *(v31 + 12);
qmemcpy(&v39, &digest, 0x14u);
Warden_PacketPutBytes(v32, 0x14u, &v39);
return 0;
}
return 3;
}
...
2. inside the Warden_CheckMPQFile function:
Code:
char __userpurge Warden_CheckMPQFile@<al>(unk1 *fnFuncList@<edi>, int string, void (__stdcall ***a3)(_DWORD, _DWORD), int a4)
{
int v4; // esi@1
int v5; // eax@1
char v6; // bl@1
bool v7; // zf@1
int v8; // eax@2
int v9; // eax@3
int v10; // eax@5
signed int v12; // esi@16
bool v13; // al@21
int v14; // ecx@21
__int64 v15; // [sp+8h] [bp-18h]@13
int v16; // [sp+14h] [bp-Ch]@22
int v17; // [sp+18h] [bp-8h]@5
int v18; // [sp+1Ch] [bp-4h]@1
v4 = a4;
v5 = (**a4)(a4, 0x4000);
v6 = 0;
v7 = LOBYTE(fnFuncList->field_24) == 0;
v18 = v5;
if ( v7 )
goto LABEL_10;
v8 = fnFuncList->field_20;
if ( !v8 )
goto LABEL_10;
v9 = v8 - 1;
if ( v9 )
{
if ( v9 != 1 )
{
LABEL_10:
(*(*v4 + 4))(v4, v18);
return 0;
}
v10 = (fnFuncList->SFile_Open)(string, &v17);
}
else
{
v10 = (fnFuncList->field_0)(string, &v17);
}
if ( !v10 )
goto LABEL_10;
if ( !sub_5C57(v17) )
{
(*(*a4 + 4))(v18);
sub_7947(v17);
return 0;
}
if ( HIDWORD(v15) > 0 )
goto LABEL_17;
LABEL_14:
if ( v15 <= 0 )
{
v6 = 1;
}
else
{
while ( 1 )
{
if ( HIDWORD(v15) <= 0 && (v12 = v15, v15 <= 0x4000) )
{
if ( v15 > 0xFFFFFFFF )
break;
}
else
{
LABEL_17:
v12 = 0x4000;
}
if ( fnFuncList->field_20 == 1 )
{
v13 = (fnFuncList->field_8)(v17, v18, v12, &v16, 0) != 0;
v14 = v13 != 0 ? v16 : 0;
}
else
{
if ( fnFuncList->field_20 != 2 )
break;
v13 = (fnFuncList->SFile_Read)(v17, v18, v12, &string, 0, 0) != 0;
v14 = v13 != 0 ? string : 0;
}
if ( !v13 || v12 != v14 )
break;
(**a3)(v18, v12);
v15 -= v12;
if ( !HIDWORD(v15) )
goto LABEL_14;
}
}
(*(*a4 + 4))(v18);
sub_7947(v17);
return v6;
}
Last edited by danwins; 12-28-2016 at 12:06 PM.
Reason: more
-
Member
Originally Posted by
danwins
That is what it looks like to me.
heres my warden struct so far ( pointed to by s_moduleInterface ):
Code:
struct Warden
{
int field_0;
int field_4;
int field_8;
int field_C;
int field_10;
int field_14;
WardenLib* m_WardenLib; // pointer to s_interface
void* m_ModuleSomething; // something to do with downloading the warden module from the server
KeyStates m_KeyStates; // struct with the warden rc4 send/recv key states
unk_vmt* unkPointer1; // points to the vmt at 0x8238
char pad[1424];
unk1 fnFuncImports; // array of function pointers inside the wow binary
};
struct unk1
{
int field_0;
int field_4;
int field_8;
int field_C;
int SFile_Open; // points to SFile::Open in the wow binary
int SFile_GetFileSize; // points to SFile::GetFileSize in the wow binary
int SFile_Read; // points to SFile::Read in the wow binary
int SFile_Close; // points to SFile::Close in the wow binary
int field_20;
int field_24;
int field_28;
int FrameScript_GetText; // should point to FrameScript_GetText but doesnt?
int OsGetAsyncTimeMs; // points to OsGetAsyncTimeMs in the wow binary
};
struct KeyStates
{
rc4_state m_RC4SendKey; // RC4 send key state
rc4_state m_RC4RecvKey; // RC4 recv key state
int m_index; // some index counter
};
struct rc4_state
{
char perm[256];
char index1;
char index2;
};
example of mpq check:
1. Warden_ScanCase ( 0x2CFD ):
Code:
...
if ( checkType == MPQ_CHECK )
{
Warden_PacketGetInt8(v6, &pck);
if ( *(v6 + 8) <= *(v6 + 4) )
{
if ( !Warden_PacketGetString(warden, pck, &string) )
return 4;
a3a = &off_815C;
sha1_init(&context);
if ( !Warden_CheckMPQFile(&warden->fnFuncImports, &string, &a3a, warden != 0 ? &warden->field_14 : 0) )
goto LABEL_67;
sha1_finish(&context, &digest);
v31 = v44;
Warden_PacketPutInt8(*(v44 + 12), 0);
v32 = *(v31 + 12);
qmemcpy(&v39, &digest, 0x14u);
Warden_PacketPutBytes(v32, 0x14u, &v39);
return 0;
}
return 3;
}
...
2. inside the Warden_CheckMPQFile function:
Code:
char __userpurge Warden_CheckMPQFile@<al>(unk1 *fnFuncList@<edi>, int string, void (__stdcall ***a3)(_DWORD, _DWORD), int a4)
{
int v4; // esi@1
int v5; // eax@1
char v6; // bl@1
bool v7; // zf@1
int v8; // eax@2
int v9; // eax@3
int v10; // eax@5
signed int v12; // esi@16
bool v13; // al@21
int v14; // ecx@21
__int64 v15; // [sp+8h] [bp-18h]@13
int v16; // [sp+14h] [bp-Ch]@22
int v17; // [sp+18h] [bp-8h]@5
int v18; // [sp+1Ch] [bp-4h]@1
v4 = a4;
v5 = (**a4)(a4, 0x4000);
v6 = 0;
v7 = LOBYTE(fnFuncList->field_24) == 0;
v18 = v5;
if ( v7 )
goto LABEL_10;
v8 = fnFuncList->field_20;
if ( !v8 )
goto LABEL_10;
v9 = v8 - 1;
if ( v9 )
{
if ( v9 != 1 )
{
LABEL_10:
(*(*v4 + 4))(v4, v18);
return 0;
}
v10 = (fnFuncList->SFile_Open)(string, &v17);
}
else
{
v10 = (fnFuncList->field_0)(string, &v17);
}
if ( !v10 )
goto LABEL_10;
if ( !sub_5C57(v17) )
{
(*(*a4 + 4))(v18);
sub_7947(v17);
return 0;
}
if ( HIDWORD(v15) > 0 )
goto LABEL_17;
LABEL_14:
if ( v15 <= 0 )
{
v6 = 1;
}
else
{
while ( 1 )
{
if ( HIDWORD(v15) <= 0 && (v12 = v15, v15 <= 0x4000) )
{
if ( v15 > 0xFFFFFFFF )
break;
}
else
{
LABEL_17:
v12 = 0x4000;
}
if ( fnFuncList->field_20 == 1 )
{
v13 = (fnFuncList->field_8)(v17, v18, v12, &v16, 0) != 0;
v14 = v13 != 0 ? v16 : 0;
}
else
{
if ( fnFuncList->field_20 != 2 )
break;
v13 = (fnFuncList->SFile_Read)(v17, v18, v12, &string, 0, 0) != 0;
v14 = v13 != 0 ? string : 0;
}
if ( !v13 || v12 != v14 )
break;
(**a3)(v18, v12);
v15 -= v12;
if ( !HIDWORD(v15) )
goto LABEL_14;
}
}
(*(*a4 + 4))(v18);
sub_7947(v17);
return v6;
}
Thank you man, a lot, for your research
-
Member
I think here:
Originally Posted by
danwins
Code:
...
if ( checkType == MPQ_CHECK )
{
Warden_PacketGetInt8(v6, &pck);
if ( *(v6 + 8) <= *(v6 + 4) )
{
if ( !Warden_PacketGetString(warden, pck, &string) )
return 4;
...
return 0;
}
return 3;
}
...
should be:
Code:
...
if ( checkType == MPQ_CHECK )
{
Warden_PacketGetInt8(v6, &index);
if ( *(v6 + 8) <= *(v6 + 4) )
{
if ( !Warden_PacketGetString(warden, index, &string) )
return 4;
...
return 0;
}
return 3;
}
...
according to this:
Code:
...
void WardenWin::RequestData()
{
...
for (uint16 i = 0; i < sWorld.getConfig(CONFIG_UINT32_WARDEN_NUM_OTHER_CHECKS); ++i)
{
switch (wd->Type)
{
case MPQ_CHECK:
case LUA_STR_CHECK:
case DRIVER_CHECK:
buff << uint8(wd->Str.size());
buff.append(wd->Str.c_str(), wd->Str.size());
break;
default:
break;
}
}
...
for (std::list<uint16>::iterator itr = _currentChecks.begin(); itr != _currentChecks.end(); ++itr)
{
wd = sWardenCheckMgr->GetWardenDataById(build, *itr);
type = wd->Type;
buff << uint8(type ^ xorByte);
if (wd)
{
....
switch (wd->Type)
{
....
case MPQ_CHECK:
case LUA_STR_CHECK:
{
buff << uint8(index++);
break;
}
...
default:
break;
}
}
}
...
}
..
Last edited by alexsfx; 12-28-2016 at 11:04 AM.
-
Contributor
This is correct; mine is just broken due to horrible calling conventions and laziness.
-
Legendary
I see you guys are digging into something I already did back in 2010; maybe you can make some use of this stuff: warden.zip.
-
Contributor
@tom_rus what date/build did you dump the 79c0768d657977d697e10bad956cced1 module from?
Last edited by danwins; 12-28-2016 at 10:58 PM.
-
Legendary
Originally Posted by
danwins
@tom_rus what date/build did you dump the 79c0768d657977d697e10bad956cced1 module from?
I don't remember the exact date/build, but that was around the 3.3.x time frame.