[Howto]Bypassing Warden [theory with partial code]

[rik.chong]

After a long study on Warden stuff, I finally added an anti-warden feature on my own bot.
This is how I implement:

1) Hook LoadWardenModule (using VirtualAlloc within this function)

PHP Code:

.text:00BF7CF5                 push    4               ; flProtect
.text:00BF7CF7                 push    1000h           ; flAllocationType
.text:00BF7CFC                 push    eax             ; dwSize
.text:00BF7CFD                 push    0               ; lpAddress
.text:00BF7CFF                 call    ds:VirtualAlloc 


We care about two values:
A) dwSize (eax)
B) the new allocated base address, after calling VirtualAlloc, read from eax.

2) Find WardenScan
Search it from WardenBase(B), size (A), using pattern (74 02 F3 A5 B1 03 23 CA), you can simply find WardenScan, like this (only available after LoadWardenModule):

PHP Code:

0677784F - 56                    - push esi
06777850 - 57                    - push edi
06777851 - FC                    - cld 
06777852 - 8B 54 24 14           - mov edx,[esp+14]
06777856 - 8B 74 24 10           - mov esi,[esp+10]
0677785A - 8B 44 24 0C           - mov eax,[esp+0C]
0677785E - 8B CA                 - mov ecx,edx
06777860 - 8B F8                 - mov edi,eax
06777862 - C1 E9 02              - shr ecx,02
06777865 - 74 02                 - je 06777869 >>> we care only this part
06777867 - F3 A5                 - repe movsd   
06777869 - B1 03                 - mov cl,03
0677786B - 23 CA                 - and ecx,edx
0677786D - 74 02                 - je 06777871
0677786F - F3 A4                 - repe movsb 
06777871 - 5F                    - pop edi
06777872 - 5E                    - pop esi
06777873 - C3                    - ret 


Place an inline hook after (shr ecx, 02):

PHP Code:

    __asm
    {
        // Save params
        mov dwScanAddress, esi        // bytes source
        mov dwScanLength, edx        // scan length
        mov dwDest, edi                // original dest

        // We will copy the bytes to our own buffer
        lea edi, pByteTmp

        // continued from (shr ecx, 02)
        je JeSingle1                
        repe movsd

JeSingle1:                            
        mov cl, 03
        and ecx, edx

        je JeDetour                    
        repe movsb

JeDetour:
        push dwScanLength
        push dwScanAddress
        call WardenGetRealBytes          // replace real bytes (you must save them before modifying / hooking) 
        add esp, 0x8

        cld

        // ok, fool Warden using our own buffer
        lea esi, pByteTmp            // set source
        mov edi, dwDest                // restore dest 
        mov edx, dwScanLength        // length
        mov ecx, edx                
        shr ecx, 02

        je JeSingle2
        repe movsd

JeSingle2:
        mov cl,03
        and ecx, edx

        je JeExit
        repe movsb 

JeExit:
        pop edi
        pop esi
        jmp dword ptr dwGetBack;    //Jump back...
    }; 


3) done, just log those bytes/length, and verify with WardenMon

Hmm, I'm new to bot programming, If something is wrong, please correct me, thanks in advanced.

[aeo]

Very nice. I had implemented a scanner myself but no actual buffer replacment. This is great info. Thanks.

[Jadd]

What use does this have in a bot?

[rik.chong]

Many hacks are scanned by Warden, like anti-afk, lua hook, etc.
before modifying memory data, I saved the original bytes.
By hijacking WardenScan, I can replace them with the original bytes,
so blz won't know my hooking stuff by Warden. is this make sense?

[Jadd]

Many hacks are scanned by Warden, like anti-afk, lua hook, etc.
before modifying memory data, I saved the original bytes.
By hijacking WardenScan, I can replace them with the original bytes,
so blz won't know my hooking stuff by Warden. is this make sense?

I can see why it's useful for hacks but I don't know why a bot would ever need to modify any functions. Anti-AFK can be done without any modification of static memory. Lua hooks (?) shouldn't be needed in any case. I can't see any hooks being necessary for a bot so I'm curious as to what you're using it for.

[rik.chong]

I can see why it's useful for hacks but I don't know why a bot would ever need to modify any functions. Anti-AFK can be done without any modification of static memory. Lua hooks (?) shouldn't be needed in any case. I can't see any hooks being necessary for a bot so I'm curious as to what you're using it for.

As I said I am new to bot programming, and still doing some hacks by inline hooking. (Learning and learning
And I am not sure if I have missed something that will flag me as banned, so I am thinking making all this will keep my bot safer.
Thanks Jadd!

[Wildbreath]

my protection works same like a 5 months or more, still alive -_-

[aeo]

my protection works same like a 5 months or more, still alive -_-

you do a similar thing by removing hooks/detours calling the original saving and after you reapply your hooks and return the clean result. Warden doesn't check for a detour on the start of its scan function so your method is safe. However if they were to check for that you'd be caught, the above would make it by. Just some insight.

Code:

snip

[Wildbreath]

yay, you get code funny
but now i change something, check a last offspring ptr build

[yellow82]

Hi, thanks for the guide. I have tried in the wow.exe the Signature to find "74 02 03 23 F3 A5 B1 CA", but unfortunately I can not find them. Is the Signature still correct? Aso my mask was thus 8x "x". I hope that was correct!

greeting

[rik.chong]

Hi, thanks for the guide. I have tried in the wow.exe the Signature to find "74 02 03 23 F3 A5 B1 CA", but unfortunately I can not find them. Is the Signature still correct? Aso my mask was thus 8x "x". I hope that was correct!

greeting

yes, still working with the same signature(all masks 'x').
But Warden was dynamically loaded after LoadWardenModule(). You can check that with CE/ollydbg.

[Torpedoes]

Many hacks are scanned by Warden, like anti-afk, lua hook, etc.
before modifying memory data, I saved the original bytes.
By hijacking WardenScan, I can replace them with the original bytes,
so blz won't know my hooking stuff by Warden. is this make sense?

Thanks for the guide but I should mention that just because you have a Warden scanner doesn't mean "Blz won't know". If you're modifying any code, injecting code, hooking functions, detouring, you're eventually going to get banned. Whether warden detects it or not if Blizzard is after you they will get you. The safest method is external hacking, but even that doesn't protect you against being an obvious bot. But don't take my word for it, let the Glider God himself explain it. I suspect this is what happened with PQR when the ban wave hit.