  1. #1
    -Ryuk-

    Warden confusion?

    Hey guys,

    I'm a bit confused.

    Warden is now watching 0x4D22C1 and 9 bytes

    On my laptop the bytes read

    Code:
    8B EC 83 3D 34 83 C2 01 00
    On my friend's PC the bytes read

    Code:
    8B EC 83 3D 34 83 76 01 00
    This has really confused me... So I asked DrakeFish to check his bytes and he gets

    Code:
    8B EC 83 3D 34 83 D3 00 00
    Any ideas why this is?
  2. #2
    sitnspinlock
    833d is cmp double word ds:

    it's a different 4 bytes each time because of base relocation da derp.

  3. #3
    -Ryuk-
    Originally Posted by everdox
    833d is cmp double word ds:

    it's a different 4 bytes each time because of base relocation da derp.

    Yes, but isn't this sent back to warden server? and cause false positives?

  4. #4
    sitnspinlock
    yes they cannot possibly be that brainless. i'm sure they just sub it against the current imagebase to make sure it points to its proper place.

    either that or someone is going to be flippin their shit when 8 million ban notifications roll in

  5. #5
    SwInY
    hahaha, they hired someone straight out of tafe

  6. #6
    -Ryuk-
    Looks like it's time to update some of my warden protection then... Currently I dump the bytes that should be valid, and test them against my current bytes; which in this case will cause false positives on my side :/

  7. #7
    _Mike
    Code:
    .text:004D22C1 8B EC                                   mov     ebp, esp
    .text:004D22C3 83 3D 34 83 93 00 00                    cmp     lua_tainted, 0
    Are people really that obvious when patching lua? That's the first place I'd check if I were Blizzard and I'm kinda surprised they haven't done so until now.
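
    The base-relocation effect described in posts #2 and #4, worked through on the dumps from post #1 as an added example (not code from any poster or from Warden): a byte-for-byte comparison flags all three dumps, while subtracting the load delta from the relocated operand makes them identical to the listing above. The preferred base of 0x400000 and the image bases inferred from the operands are assumptions; the thread states neither.

```python
import struct

PREFERRED_BASE = 0x400000  # assumption: the listing in post #7 is at the default base
REFERENCE = bytes.fromhex("8BEC833D3483930000")  # 9 bytes at .text:004D22C1 (post #7)
RELOC_OFFSETS = (4,)       # disp32 of `cmp dword ptr [addr], 0` starts at byte 4
GRANULARITY = 0x10000      # Windows maps images on 64 KiB boundaries

# The three dumps quoted in post #1.
DUMPS = {
    "laptop":    bytes.fromhex("8BEC833D3483C20100"),
    "friend":    bytes.fromhex("8BEC833D3483760100"),
    "DrakeFish": bytes.fromhex("8BEC833D3483D30000"),
}

def implied_base(window):
    """Image base implied by the relocated operand, or None if not 64 KiB aligned.
    Only used here because the thread does not give the bases; a real check
    takes the base from the loader's module list, never from the bytes checked."""
    seen = struct.unpack_from("<I", window, RELOC_OFFSETS[0])[0]
    ref = struct.unpack_from("<I", REFERENCE, RELOC_OFFSETS[0])[0]
    base = (PREFERRED_BASE + seen - ref) & 0xFFFFFFFF
    return base if base % GRANULARITY == 0 else None

def rebase(window, image_base):
    """Undo base relocation: subtract the load delta from every relocated dword."""
    delta = image_base - PREFERRED_BASE
    out = bytearray(window)
    for off in RELOC_OFFSETS:
        value = struct.unpack_from("<I", out, off)[0]
        struct.pack_into("<I", out, off, (value - delta) & 0xFFFFFFFF)
    return bytes(out)

def verify(window, image_base):
    """True when the window equals the reference once relocation is undone."""
    if image_base is None:
        return False
    return rebase(window, image_base) == REFERENCE

def report():
    """Per dump: (naive byte match, inferred image base, relocation-aware match)."""
    return {name: (w == REFERENCE, implied_base(w), verify(w, implied_base(w)))
            for name, w in DUMPS.items()}

if __name__ == "__main__":
    for name, (naive, base, ok) in report().items():
        print(f"{name:10} naive={naive} base={base:#x} rebased={ok}")
```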

  8. #8
    Cypher
    Originally Posted by _Mike
    Code:
    .text:004D22C1 8B EC                                   mov     ebp, esp
    .text:004D22C3 83 3D 34 83 93 00 00                    cmp     lua_tainted, 0
    Are people really that obvious when patching lua? That's the first place I'd check if I were Blizzard and I'm kinda surprised they haven't done so until now.
    Patching any of that crap is silly imo.

    Register a Lua callback using the address of an int3 or similar instruction that will both cause an exception and pass the function pointer bounds check imposed when registering an ingame callback, then have your Lua callback execute the code (which will cause it to execute without protection), get the return values, etc.

    Obviously still detectable, but a step up from hooking the client, and if your code is private it's much less likely to get detected if you're using a technique like that as opposed to client hooking (where there's a good chance you'll be 'caught in the crossfire').

  9. #9
    _Mike
    My method was a tiny "debugger" with a write BP on lua_tainted and in the BP handler flip it back to 0.
    They can obviously detect that they're being debugged and then see the DR address I'm watching as I didn't bother faking the thread context. But it felt like overkill considering I don't think that many public hacks do it that way.
    Only problem was that it totally killed the frame rate for some people; although personally I never had any issues and that's all I care about.

    But now that I look back, a better way would have been to BP just after that cmp instruction and flip the flags instead.
    Last edited by _Mike; 01-26-2012 at 10:54 AM.

  10. #10
    -Ryuk-
    Quite a few people seem to be getting banned, and then getting the ban lifted...

    Maybe they don't check it against the image base xD