Parsing SMSG_WARDEN_DATA

  1. #1
    -Ryuk-

    Parsing SMSG_WARDEN_DATA

    Hi everyone,

    For the past few days I have been working on reading the incoming warden packets on the 64-bit client.

    I can read the decrypted data, which contains all 17 memory checks, and the various page scans; my problem is at the end of every packet there are 8 bytes that I can't figure out what they are intended for.

    Below are a few examples:
    Code:
    1E 00 00 00 00 00 00 00 
    1E DA 27 B8 1A 44 5B 43 
    1E C4 A4 39 54 45 BD B6 
    1E 01 00 00 00 00 00 00 
    1E 8C 2F CF F4 EF 9A 73 
    1E 00 00 00 00 00 00 0A
    I know that 1E is the CheckType for the following 7 bytes.
    I also know that I do get some duplicate data if I let the hook keep running.
    It should also be noted that the CheckTypes change depending on the warden module you have loaded into the game.

    According to all the warden info I have found by searching (here/google/and the wikis) none of the scans need 7 bytes of data.

    So far I have seen MEM_CHECK, PAGE_CHECK_A or B, DRIVER_CHECK (only on x32).


    Does anyone have any ideas?
  2. #2
    namreeb
    The warden packet structure changed in cata, or whenever it was that ASLR was introduced. I don't remember all of the changes off-hand, but here are a few I can recall:

    - WARDEN_SMSG_MODULE_USE module id changed from 16 bytes to 32.
    - 32 bit integer for packet length prepended to all packet data
    - MD5 hashes replaced with SHA256 hashes
    - WARDEN_SMSG_MODULE_INITIALIZE client function address offsets are now relative to the base wow.exe address (maybe they always were, I don't remember)

    Have you found in this module the function which calls handlers based on the 'check type'?
    Last edited by namreeb; 02-29-2016 at 01:13 AM.

  3. #3
    -Ryuk-
    Thanks for the info, I haven't yet found that function; but honestly I haven't really looked. I will look at this today.

    Regarding module dumping: I am reading the bytes from the start of the "module" to the end and saving them to a file. While this does work and I can look at it in IDA, there is ALWAYS a change in the bytes, which is usually like this: qword_40+984h

    If I relog and dump a fresh one, it's only that same place that changes. Is this what people talk about when they say there are lots of modules, or is this something that is caused after allocating the space?

    I suppose I could read the module from the incoming packets (which is probably a better idea).

  4. #4
    namreeb
    The way that I have done it is to do a bin dump from OllyDBG, dumping the different memory pages individually, and then loading them into IDA at the same address they were at at the time. Then auto-analysis in IDA works, for the most part.

  5. #5
    -Ryuk-
    As it turns out, 0x1E was the last byte; I had miscalculated the length to read.

    Namreeb, do you have Skype? You would be a good contact to have for warden related questions.
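An added example, not code from this thread: a Python reader that honours the 32-bit length prefix namreeb lists in post #2 and so cannot over-read, set beside the kind of miscalculated read -Ryuk- describes in post #5, where bytes sitting after the real last byte (0x1E) get reported as part of the packet. The packet body, its contents and the trailing bytes are constructed for illustration; the real check record layout is not shown here.

```python
import struct

# Constructed sample data (not real Warden traffic): a body whose last byte is
# 0x1E, preceded by the 32-bit little-endian length prefix described in post #2,
# and followed by 7 unrelated bytes that happen to sit after it in the same buffer.
PACKET_BODY = bytes([0x02, 0x00, 0x41, 0x42, 0x43, 0x1E])
TRAILING_JUNK = bytes([0xDA, 0x27, 0xB8, 0x1A, 0x44, 0x5B, 0x43])
BUFFER = struct.pack("<I", len(PACKET_BODY)) + PACKET_BODY + TRAILING_JUNK


def read_packet(buf: bytes) -> bytes:
    """Return exactly the bytes the length prefix claims, refusing to over-read."""
    if len(buf) < 4:
        raise ValueError("buffer too short for a length prefix")
    (length,) = struct.unpack_from("<I", buf, 0)
    available = len(buf) - 4
    if length > available:
        raise ValueError(f"length prefix {length} exceeds {available} available bytes")
    return buf[4:4 + length]


def read_packet_overread(buf: bytes, extra: int = 7) -> bytes:
    """The bug from the thread: a miscalculated length reads past the packet end."""
    (length,) = struct.unpack_from("<I", buf, 0)
    return buf[4:4 + length + extra]


def stray_tail(buf: bytes, extra: int = 7) -> bytes:
    """Bytes the over-reading parser reports that are not part of the packet."""
    good = read_packet(buf)
    bad = read_packet_overread(buf, extra)
    return bad[len(good):]


def split_packets(stream: bytes) -> list:
    """Split back-to-back length-prefixed packets, each bounded by its own prefix."""
    bodies, pos = [], 0
    while pos < len(stream):
        body = read_packet(stream[pos:])
        bodies.append(body)
        pos += 4 + len(body)
    return bodies


if __name__ == "__main__":
    print("bounded read ends with:", hex(read_packet(BUFFER)[-1]))
    print("over-read picks up:", stray_tail(BUFFER).hex(" "))
```

With the bounded reader the packet ends at 0x1E; the over-reading variant appends the seven unrelated bytes, which is exactly the "1E plus 7 bytes" pattern from the first post.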

  6. #6
    namreeb
    Yes. I sent you a private message with the name.
