[1.12.1] Issues bypassing warden for distributed software menu

  1. #1
    prospectingemu's Avatar Member
    Reputation
    15
    Join Date
    Mar 2014
    Posts
    49
    Thanks G/R
    0/1
    Trade Feedback
    0 (0%)
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    [1.12.1] Issues bypassing warden for distributed software

    Hey guys,

    I've been looking into warden on the 1.12.1 client. I get that for a private hack/bot you are pretty much safe as long as you don't hook something they are scanning for (e.g. wallclimb), but if you plan on distributing the bot/hack, which the devs can get their hands on, I don't see how you can ever be safe if you're modifying code outside of the EndScene (or anywhere the bytes are often modified / different for legitimate reasons).

    - MEM_CHECK
    Easy enough to patch this: check if your hooks were scanned and replace the bytes if necessary.

    - MPQ_CHECK, DRIVER_CHECK, PROC_CHECK, TIMING_CHECK, MODULE_CHECK
    As far as I can see these are irrelevant for the most part as I'm not currently injecting a DLL / playing with drivers / MPQ etc.

    - PAGE_CHECK A/B
    This is where I run into problems. Without knowing what hash they are looking for I won't know which bytes to restore. One option is to restore all bytes when these are being done, but the page checks can take too long and bot functionality would be frozen until they are finished.

    If they try to get a hash of the warden module I can allocate an unmodified warden module (_CodeMonkey's idea from the 1.12.1 dump thread).

    BUT this is where I'm stuck: what happens when they scan for a hash containing my modifications to the warden module? Is there a solution to this which I'm missing?

    If I can't be sure that it's safe I figure I should just hook the EndScene, add some 'noise' around my hook and deal with not having a Lua unlock etc. Any ideas / solutions would be greatly appreciated.

  2. #2 lolp1 (Site Donator, CoreCoins Purchaser)
    I suggest going through this thread; all of these topics are discussed there and the information is pretty much the same today as it was nearly a decade ago.

    Blizzhackers • View topic - Warden discussion and FAQ

  3. #3 prospectingemu (Member)
    Originally Posted by lolp1:
    I suggest going through this thread; all of these topics are discussed there and the information is pretty much the same today as it was nearly a decade ago.

    Blizzhackers • View topic - Warden discussion and FAQ
    Thanks, I went through the thread but didn't find anything relating to the page scan issue. The 'clean client' idea might be worth looking into though.

  4. #4 namreeb (Legendary)
    I'm not sure how you are doing this since you're not injected, so I'm going to just casually ignore that fact and hope it doesn't matter. =D

    The page check can be defeated with essentially the same logic as the memory check. Hook the function which performs it, determine whether the affected area overlaps with your code (be it a patch or an injected module), and if so, modify the reply accordingly.

  5. #5 tutrakan (Contributor)
    Take a look at the instruction at 0x3099
    Last edited by tutrakan; 11-14-2016 at 05:36 AM.

  6. #6 prospectingemu (Member)
    Originally Posted by namreeb:
    I'm not sure how you are doing this since you're not injected, so I'm going to just casually ignore that fact and hope it doesn't matter. =D

    The page check can be defeated with essentially the same logic as the memory check. Hook the function which performs it, determine whether the affected area overlaps with your code (be it a patch or an injected module), and if so, modify the reply accordingly.
    Thanks, will do this

    Originally Posted by tutrakan:
    Take a look at the instruction at 0x3099
    Aaaand that just saved me looking for it - awesome ty!

  7. #7 tutrakan (Contributor)
    Check the one at 0x33D0 as well

  8. #8 prospectingemu (Member)
    Originally Posted by tutrakan:
    Check the one at 0x33D0 as well
    I thought for the page scans I should be doing the check at 0x299C? Still going through it, but I was pretty sure this was what I'm after.

  9. #9 tutrakan (Contributor)
    I think it is this one: sub_2CFD

  10. #10 prospectingemu (Member)
    0x299C seems to be where the query takes place - does anyone know how to generate the hashes for the mangos warden? Really need to generate some to fully test my patch

  11. #11 tutrakan (Contributor)
    The offset you posted sends me into the middle of nowhere; are we talking about the same warden_module.zip?

  12. #12 namreeb (Legendary)
    Originally Posted by prospectingemu:
    0x299C seems to be where the query takes place - does anyone know how to generate the hashes for the mangos warden? Really need to generate some to fully test my patch
    What do you mean by 'the hashes'? Hashes of what? For which check, etc.?

  13. #13 prospectingemu (Member)
    Originally Posted by tutrakan:
    The offset you posted sends me into the middle of nowhere; are we talking about the same warden_module.zip?

    That's my bad, it's 0x399C from the base of the allocated memory at runtime; it should be a call to VirtualQuery.

    Code:
    13353992    57              PUSH EDI
    13353993    6A 1C           PUSH 1C                                  ; dwLength = 0x1C = sizeof(MEMORY_BASIC_INFORMATION) on x86
    13353995    8D7E 40         LEA EDI,DWORD PTR DS:[ESI+40]            ; lpBuffer = ESI+0x40 (the MEMORY_BASIC_INFORMATION to fill)
    13353998    57              PUSH EDI
    13353999    8BC2            MOV EAX,EDX
    1335399B    50              PUSH EAX                                 ; lpAddress = the address being scanned
    1335399C    FF15 30803513   CALL DWORD PTR DS:[13358030]             ; KERNEL32.VirtualQuery
    133539A2    83F8 1C         CMP EAX,1C                               ; VirtualQuery returns the bytes written; < 0x1C means the query failed
    133539A5    73 17           JNB SHORT 133539BE                       ; full structure returned -> continue with the check
    133539A7    33C0            XOR EAX,EAX                              ; otherwise return 0

    Originally Posted by namreeb:
    What do you mean by 'the hashes'? Hashes of what? For which check, etc.?
    From warden - Mangos Zero - getMaNGOS | The home of MaNGOS it explains that the data field in the DB is "uint Seed + byte[20] SHA1 + uint Addr + byte Len". When I try to add my own hashes they aren't being found, so I'm obviously doing something wrong.

    So yeah, my wording was incorrect, I'm not after hashes.

  14. #14 namreeb (Legendary)
    Originally Posted by prospectingemu:
    explains that the data field in the DB is "uint Seed + byte[20] SHA1 + uint Addr + byte Len"
    That is describing the packet structure for the page scan opcodes. Do you mean that you're using Mangos Zero with Warden to try and detect yourself, and you aren't detecting yourself? If so, that is most likely because their Warden is not implemented properly. Not sure though.
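The reply logic namreeb describes in #4 (hook the scan, check whether the requested range overlaps your patch, and answer from the clean bytes if it does) and the page-scan record layout quoted in #13 and identified in #14 as the packet format, as one added model in Python. This is illustration written for this page, not code from the thread, from Warden or from MaNGOS. Things the page does not state and that are assumed here: little-endian fields, the page hash being SHA-1 over the 4-byte seed followed by the scanned bytes, and a single pass/fail byte as the client's reply. The 64-byte "image" and the 5-byte hook are constructed sample data.

```python
"""Model of a Warden page scan / memory scan and of the hook-side reply.

Added illustration only. Assumed (not stated on the page): little-endian
fields, page hash = SHA-1(seed_le32 || bytes), reply byte 0 = match, 1 = mismatch.
"""
import hashlib
import struct

# Record layout quoted in post #13: uint Seed + byte[20] SHA1 + uint Addr + byte Len
PAGE_CHECK_FMT = "<I20sIB"
PAGE_CHECK_SIZE = struct.calcsize(PAGE_CHECK_FMT)  # 29 bytes


def page_hash(seed: int, data: bytes) -> bytes:
    """Assumed construction: SHA-1 over the 4-byte seed followed by the bytes."""
    return hashlib.sha1(struct.pack("<I", seed) + data).digest()


def build_page_check(clean: bytes, base: int, addr: int, length: int, seed: int) -> bytes:
    """Server side: build the 29-byte record for a region of the *clean* image."""
    off = addr - base
    assert 0 <= off and off + length <= len(clean) and 0 < length < 256
    return struct.pack(PAGE_CHECK_FMT, seed, page_hash(seed, clean[off:off + length]), addr, length)


def parse_page_check(record: bytes):
    """Returns (seed, digest, addr, length) from a 29-byte record."""
    return struct.unpack(PAGE_CHECK_FMT, record)


class Image:
    """A loaded code region: live bytes (possibly patched) plus a pristine shadow copy."""

    def __init__(self, base: int, code: bytes):
        self.base = base
        self.live = bytearray(code)
        self.clean = bytes(code)
        self.patches = []  # [start, end) in absolute addresses

    def patch(self, addr: int, new: bytes):
        off = addr - self.base
        self.live[off:off + len(new)] = new
        self.patches.append((addr, addr + len(new)))

    def overlaps_patch(self, addr: int, length: int) -> bool:
        return any(s < addr + length and addr < e for s, e in self.patches)

    def read(self, addr: int, length: int, hide: bool) -> bytes:
        # When hiding, serve the whole range from the shadow copy: outside the
        # patch the shadow copy equals live memory, so the result is identical
        # to splicing only the patched bytes back in.
        off = addr - self.base
        src = self.clean if (hide and self.overlaps_patch(addr, length)) else self.live
        return bytes(src[off:off + length])


def answer_mem_check(img: Image, addr: int, length: int, hide: bool = True) -> bytes:
    """MEM_CHECK reply: the bytes Warden would send back for [addr, addr+length)."""
    return img.read(addr, length, hide)


def answer_page_check(img: Image, record: bytes, hide: bool = True) -> int:
    """PAGE_CHECK reply: 0 if the local hash matches the record, 1 otherwise (assumed)."""
    seed, digest, addr, length = parse_page_check(record)
    return 0 if page_hash(seed, img.read(addr, length, hide)) == digest else 1


# Constructed sample: 64 bytes of "code" at an arbitrary base, hooked with a 5-byte jmp.
BASE = 0x00401000
ORIGINAL = bytes(range(64))
HOOK_ADDR = BASE + 0x10
HOOK_BYTES = b"\xE9\x00\x10\x00\x00"  # E9 rel32 jmp; the target is illustrative


def demo() -> dict:
    img = Image(BASE, ORIGINAL)
    img.patch(HOOK_ADDR, HOOK_BYTES)
    # The server picks seed, address and length; the hook only sees each request.
    over_hook = build_page_check(ORIGINAL, BASE, BASE + 0x08, 0x20, seed=0xDEADBEEF)
    elsewhere = build_page_check(ORIGINAL, BASE, BASE + 0x20, 0x10, seed=0x12345678)
    return {
        "page_over_hook_unhooked": answer_page_check(img, over_hook, hide=False),  # 1: caught
        "page_over_hook_hooked": answer_page_check(img, over_hook, hide=True),     # 0: passes
        "page_elsewhere": answer_page_check(img, elsewhere, hide=False),           # 0: no overlap
        "mem_unhooked": answer_mem_check(img, HOOK_ADDR, 5, hide=False),           # the jmp bytes
        "mem_hooked": answer_mem_check(img, HOOK_ADDR, 5, hide=True),              # original bytes
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The point of the model is the one namreeb makes: the hook never needs to know the expected hash, only the requested range, because the server-chosen seed, address and length arrive in the request and the client computes the hash locally. Answering from a shadow copy of the clean bytes is also what the "allocate an unmodified warden module" idea from #1 amounts to, applied per request rather than by restoring everything up front.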

  15. #15 tutrakan (Contributor)
    Originally Posted by prospectingemu:
    That's my bad, it's 0x399C from the base of the allocated memory at runtime; it should be a call to VirtualQuery.
    You made me dig deeper in this famous module, so thank you for the challenge.

    Maybe I'm repeating myself, but from sub_2CFD both page checks are referring to sub_11E4. So, probably, there is the key of the magic kingdom.
    Last edited by tutrakan; 11-23-2016 at 10:46 PM.
