Hook Warden Scan
  1. #1
    demonguy (Member)

    Hook Warden Scan

    I successfully found where Warden is by scanning for the pattern {0x74, 0x02, 0xF3, 0xA5, 0xB1, 0x03, 0x23, 0xCA}.
    But I can't write 0xE9 to it for the sake of detouring it, even if I call "VirtualProtect((LPVOID)WardenAddress,sizeof(DWORD),0x40,&OldProtection)" before writing it.
    And an error occurs: "This application has requested the RunTime to terminate it in an unusual way"
    How could I handle it?

  2. #2
    DrakeFish (Lazy Leecher)
    Originally Posted by demonguy
    I successfully found where Warden is by scanning for the pattern {0x74, 0x02, 0xF3, 0xA5, 0xB1, 0x03, 0x23, 0xCA}.
    But I can't write 0xE9 to it for the sake of detouring it, even if I call "VirtualProtect((LPVOID)WardenAddress,sizeof(DWORD),0x40,&OldProtection)" before writing it.
    And an error occurs: "This application has requested the RunTime to terminate it in an unusual way"
    How could I handle it?
    We are missing a lot of information here. Assuming you are using VirtualProtect(), I suppose you are attempting to do this from an injected DLL. You should check if VirtualProtect() is returning TRUE. If it's not, then you should call GetLastError() and see what's up. You should also do the same if you are using WriteProcessMemory(). Now is your detour executed but crashing, or are you failing to overwrite the instructions? Are you sure that you are calculating your relative JMP properly? Is your detour messing with registers or the stack without restoring them? Are you executing the instructions that your detour is overwriting and jumping back to the next untouched instruction?

  3. #3
    DarkLinux (Former Staff)

  4. #4
    demonguy (Member)
    Yeah, I just saw your project and started to try mine.
    I will take a deep look.

  5. #5
    demonguy (Member)
    Code:
    	
    if(VirtualProtect((LPVOID)WardenAddress,sizeof(DWORD),0x40,&OldProtection) == 0)
    {
        MessageBoxA(NULL,"0","0",0);
    }

    MessageBoxA(NULL,"1","1",0);
    Memory::Write<byte>(CHack::WoWBase + WardenAddress , 0xE9);
    MessageBoxA(NULL,"2","2",0);
    Memory::Write<int>(CHack::WoWBase + WardenAddress  + 1, reinterpret_cast<unsigned int>(WardenScan) - (CHack::WoWBase + WardenAddress  + 4 + 1));
    MessageBoxA(NULL,"3","3",0);
    Here is my code...
    No, only msgBox 1 showed; before 2 shows, it encounters a fatal exception, and I still don't get it.

    And my Memory::Write function will check if the write is successful; if not, it will throw a different error than what I encountered.
    Last edited by demonguy; 02-27-2013 at 12:02 AM.

  6. #6
    Empted (Contributor)
    I'm not so sure (as DrakeFish was) you are doing it from the entire WoW process. If so, just use VirtualProtectEx to work with another process.

  7. #7
    demonguy (Member)
    I injected my DLL into the WOW process.
    Oh, now I see: WardenAddress isn't rebased, so I don't need to add WowBase.

  8. #8
    demonguy (Member)
    Besides... will Warden scan itself?

  9. #9
    -Ryuk- (Elite User)
    Originally Posted by demonguy
    Besides... will Warden scan itself?
    It can... but currently (at least with the scan you wish to hook) it doesn't.

    It should be noted that if you hook the start of the "scan function" you may experience a crash, because on some (not all) clients they do check this (but the result is not sent back to the server).

    I know that the FireHack Developer experienced this type of check too.
    |Leacher:11/2009|Donor:02/2010|Established Member:09/2010|Contributor:09/2010|Elite:08/2013|
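
As an added illustration of the kind of prologue check -Ryuk- mentions, seen from the integrity-checking side (this is not code from the thread or from Warden; the function names, addresses and byte values are constructed for the example): the first bytes of a function are compared with a known-good copy and, if they were replaced by a 0xE9 relative jump, the destination is decoded and tested against the module's own image range.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    int      modified;    /* any byte differs from the known-good copy */
    int      is_rel_jmp;  /* first byte is now 0xE9 (JMP rel32)        */
    uint32_t jmp_target;  /* decoded destination when is_rel_jmp is 1  */
} prologue_report;

/* Compare len live bytes of a function at address va with its baseline.
 * For a 5-byte JMP rel32 the destination is va + 5 + rel32, where rel32
 * is little-endian and signed (unsigned wrap-around gives the same sum). */
prologue_report check_prologue(const uint8_t *live, const uint8_t *baseline,
                               size_t len, uint32_t va)
{
    prologue_report r = {0, 0, 0};
    r.modified = memcmp(live, baseline, len) != 0;
    if (r.modified && len >= 5 && live[0] == 0xE9) {
        uint32_t rel = (uint32_t)live[1] | ((uint32_t)live[2] << 8) |
                       ((uint32_t)live[3] << 16) | ((uint32_t)live[4] << 24);
        r.is_rel_jmp = 1;
        r.jmp_target = va + 5u + rel;
    }
    return r;
}

/* 1 when target is outside the module image [base, base + size). */
int target_outside_module(uint32_t target, uint32_t base, uint32_t size)
{
    return (uint32_t)(target - base) >= size;
}

/* Constructed sample: a typical x86 prologue and the same bytes after a
 * detour to 0x10002000 was written at 0x00401000. */
static const uint8_t BASELINE[8] = {0x55,0x8B,0xEC,0x83,0xEC,0x10,0x53,0x56};
static const uint8_t PATCHED[8]  = {0xE9,0xFB,0x0F,0xC0,0x0F,0x10,0x53,0x56};

int main(void)
{
    prologue_report r = check_prologue(PATCHED, BASELINE, 8, 0x00401000u);
    printf("modified=%d jmp=%d target=0x%08X outside=%d\n", r.modified,
           r.is_rel_jmp, (unsigned)r.jmp_target,
           target_outside_module(r.jmp_target, 0x00400000u, 0x00200000u));
    return 0;
}
```

A check like this only covers the bytes it compares, which is why the baseline has to come from a trusted copy of the module rather than from the memory being checked.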

  10. #10
    JuJuBoSc (Banned for scamming)
    This function is the Warden's memcpy, so yeah, it's not used only for scan.

  11. #11
    demonguy (Member)
    Originally Posted by DarkLinux
    DWORD PatternScan(Byte *Signature, char *Mask, DWORD length)
    {
        DWORD currentAddr = (DWORD)GetModuleHandle(NULL);
        DWORD Max;
        int i = 0;
        DWORD old;
        MEMORY_BASIC_INFORMATION mbi;

        do{
            VirtualQuery((LPVOID)currentAddr,&mbi,sizeof(mbi));

            if((mbi.RegionSize <= 0x9000) && (mbi.State == 4096) && (mbi.Type == 131072))
            {
                VirtualProtect((LPVOID)currentAddr,mbi.RegionSize,0x40,&old);

                if(currentAddr < Max) {
                    return false;
                }else
                    Max = currentAddr;

                for(int x=currentAddr; x < (currentAddr+mbi.RegionSize); x++)
                {
                    if((*(BYTE*)x == Signature[i]) || Mask[i] == '?')
                        i++;
                    else
                        i = 0;

                    if(i >= length){
                        return (x - length + 1);
                    }
                }
            }
            currentAddr+=mbi.RegionSize;

        }while(true);
    }
    In your project, what does the uninitialized variable "Max" do? It's not initialized.

  12. #12
    demonguy (Member)
    I see. Thanks.

    Another weird thing I found is that, if I call PatternScan again after I hook Warden, WOW will be unresponsive briefly when I click the left mouse button.
    Does anyone have the same problem?
    Last edited by demonguy; 02-27-2013 at 12:21 PM.

  13. #13
    Frosttall (Active Member)
    Originally Posted by demonguy
    I see. Thanks.

    Another weird thing I found is that, if I call PatternScan again after I hook Warden, WOW will be unresponsive briefly when I click the left mouse button.
    Does anyone have the same problem?
    Are you calling it from the main thread?

  14. #14
    demonguy (Member)
    Originally Posted by Frosttall
    Are you calling it from the main thread?
    Maybe, I call it through in-game Lua. Why will that cause this?

  15. #15
    DarkLinux (Former Staff)
    I call that 4am code... who knows what 1/2 that stuff does lols... I looked over it the other day and almost killed myself laughing..

    Also all that mbi stuff is so it can find Warden a lot faster.. It does not scan over all of wow.. Makes it a little faster I guess...
    Last edited by DarkLinux; 02-27-2013 at 10:56 PM.
