InvalidPtrCheck is now being scanned by Warden!

[demonguy]

as the titile says...I tried to hook sub_561470 which InvalidPtrCheck calls but failed, What are you doing about this?

[TOM_RUS]

Put trampoline to your callback somewhere in code segment?

[demonguy]

That seems to be the last way to handle it.... i'm now working on it and try to master the basis...
However, i'm now really upset because my account is banned....due to the lack of knowledge of Warden..
I'm now curious about it , is there any thread telling people how to know the address which warden is scanning?

[-Ryuk-]

Im sure InvalidPtrCheck(at least the start of it) has been scanned for ages.

You only need to edit a single byte, somewhere in the function(I won't tell you where) to get the exact same result.

[Master674]

I won't tell you where

Has this raised your EPEEN?

[l0l1dk]

Im sure InvalidPtrCheck(at least the start of it) has been scanned for ages.

You only need to edit a single byte, somewhere in the function(I won't tell you where) to get the exact same result.

They started scanning it to detect OHack. It wasn't scanned until then.

as the titile says...I tried to hook sub_561470 which InvalidPtrCheck calls but failed, What are you doing about this?

I'm still writing to it, since I prevent Warden from reading the real bytes from WoW.

[demonguy]

They started scanning it to detect OHack. It wasn't scanned until then.



I'm still writing to it, since I prevent Warden from reading the real bytes from WoW.

I know which byte should i edit, it's quite easy stuff by finding it in the IDA
but i'm afraid being detected again some time later....Could teach me how to "prevent Warden from reading the real bytes from WoW." it's a quite cool stuff

[Cypher]

Im sure InvalidPtrCheck(at least the start of it) has been scanned for ages.

You only need to edit a single byte, somewhere in the function(I won't tell you where) to get the exact same result.

You don't need to edit anything. TOM_RUS had the best solution (put a callback somewhere in the .text segment of WoW.exe), however you can use VEH to create a trampoline without modifying anything in .text (register a callback to an instruction or set of instructions that will generate an exception, then use VEH to transfer control to your hook).

[hb123220]

They started scanning it to detect OHack. It wasn't scanned until then.



I'm still writing to it, since I prevent Warden from reading the real bytes from WoW.

I greatly appreciate your OHACK~,,any chance on how to prevent Warden from reading bytes from WOW?

[l0l1dk]

I greatly appreciate your OHACK~,,any chance on how to prevent Warden from reading bytes from WOW?

I'm not going to post how I do it, but something similar has been posted before IIRC.

[-Ryuk-]

Has this raised your EPEEN?

Not at all. I'm just encouraging them to look in the function.

However if you don't want to use the other methods described here, you can do this:

Code:

Memory.Write<byte>(Offsets.LuaInterface.InvalidPtrCheck, 0xEB);

Offsets.LuaInterface.InvalidPtrCheck = 0x161972(Rebased)

It's not the best way... but it works.

[demonguy]

Not at all. I'm just encouraging them to look in the function.

However if you don't want to use the other methods described here, you can do this:

Code:

Memory.Write<byte>(Offsets.LuaInterface.InvalidPtrCheck, 0xEB);

Offsets.LuaInterface.InvalidPtrCheck = 0x161972(Rebased)

It's not the best way... but it works.

Yeah, i know it ... but just as i said above... i'm afraid that it will be scanned as soon as the warden updates next time

[-Ryuk-]

Yeah, i know it ... but just as i said above... i'm afraid that it will be scanned as soon as the warden updates next time

I used this method for months...

[rik.chong]

I know which byte should i edit, it's quite easy stuff by finding it in the IDA
but i'm afraid being detected again some time later....Could teach me how to "prevent Warden from reading the real bytes from WoW." it's a quite cool stuff

Hook warden scan function, detour it, put the original bytes to the buffer. (using ASM code like REPE MOVSD/MOVSB)
@DarkLinux's EverScan (EverScan - An Open Source Warden Scanner) will help you get an easy start.