I've dumped the Warden client only one time. Maybe the client itself is changing?
md5sum of the dumped client: 0f784da4dbd7757f37dd834afa7687a8 (40960 bytes, the whole mapped area)
I am going to dump the Warden client again later; let's see if it changes.
I was busy the whole day trying to understand which functions Warden wants to protect.
I've compared the Windows version disassembly with the Mac OS X disassembly, which has the symbol names, to get the real function names and the parameters for better understanding and later use.
What I got so far are these functions and two values inside .rdata.
Code:
FrameScript_ExecuteBuffer(char const*,ulong,char const*,CStatus *,char const*)
NetClient::HandleData(ulong,void *,int)
NetClient::Send2(CDataStore *,CONNECTION_ID)
CGPlayer_C::CGPlayer_C(ulong,JamCliObjCreate const&)
CMovement_C::ExecuteMovement(ulong,ulong)
MovementIdleMoveUnits(void const*, void *)
CGUnit_C::UpdateSwimmingStatus(ulong,int)
CMovement_C::GetFacetQueryFlags(void)
World::IsValidPosition(C3Vector const&,float)
CMovement_C::TraceSurface(ulong,uint,float,C2Vector const&)
CGGameUI::UpdatePlayerAFK(ulong,CGPlayer_C *)
CGGameUI::CanPerformAction(UIACTIONTYPE)
CGGameUI::Initialize(void)
CGChat::AddChatMessage(char const*,SLASH_COMMAND_ID,ChatMessageParams *)
Script_SendChatMessage(lua)
World::QueryObjectLiquid(CMapBaseObj *,uint &,float &,int &)
CMovementShared::Jump(int)
CMovementShared::StopSwim(void)
Grunt::ClientLink::PackLogon(CDataStore &,Grunt::ClientLink::Logon const&)
.rdata used in CMovementShared::Jump(int)
.data used in CGlueMgr::DisplayLoginStatus(void)
Functions I couldn't identify are
Code:
sub_46FCF0
sub_4705A0
sub_487910 something camera related?
sub_4EB320
sub_B14E40
sub_B630B0
sub_CB5BB0 CMovement_C::something
933DB0 .rdata
937B7C .rdata
I am wondering which kinds of hacks they want to protect against. The obvious ones are waterwalk, flyhack, network packet functions, and AFK hack.
But I don't know why they are protecting the chat-related stuff.
And I extended my filter to collect everything from 0x0 to the end of .data and didn't get any false positives. Still the same 47 results.
@Jadd: Suspending on detection, stopping the hack, restoring the original bytes and letting it scan? This sounds like a laggy or buggy hack; Warden scans many times a minute. Do you think this is practicable? My original idea was not letting it scan the address itself. Since we can control memcpy, we can do something like "if (addr_to_scan == myaddr) cpy(destination, orgbytes)". I am not sure how and if they are controlling this function, but according to Master's post, he got banned doing something like this.
Update:
Changed .rdata used in CGlueMgr::DisplayLoginStatus(void) to .data
Thx to Jadd for pointing this out.