Are my assumptions of tools and skills required to reverse engineer correct?

  1. #1 Powerstroke 6.0, Member
    Are my assumptions of tools and skills required to reverse engineer correct?

    I only just started to look into all of this last week, but with a background of software engineering in industrial manufacturing automation with 9 programming languages I don't feel nearly as intimidated as I once did. I'm assuming I'll realize how asinine these questions are in a few weeks, but until then please humor me. So far I've only learned what offsets are (can't believe I was intimidated by the term for so long) and am trying to memorize registers and assembly functions.

    I've been around since the Glider days. My most recent project was a crude C# pixel-based bot using pixels set by Lua addons, with the entire profiles being in Lua. I was doing mouseover scanning for tooltips to check if there was something I needed to loot or interact with if the quest was in the tooltip. I've since realized I can only take that so far, since I found in 7.1 they removed the ability to get coordinates and facing directions within dungeons and instances.

    I want to get away from the unreliability of both third party bots and reliance on leeching. I've already ordered roughly $350 in reverse engineering, assembly and C books including the IDA Pro book but haven't got them yet.

    Are there any topics I would not naturally discover through those categories that would be required to reverse engineer the WoW client to discover detection methods and find any and all offsets including object manager and local player?

    From my understanding, Warden is nothing more than a crude antivirus doing blacklist scans on what I assume are some kind of hash signatures, and the module known as Warden is very little of their overall security measures. I remember Warden used to be its own DLL in the root folder, but I assume its functionality is baked into the client itself now?

    I believe I saw some resemblance of a class system from reversed examples, such as movement methods belonging to one C class and spell casting/checks in a different class. Am I imagining that, or is it possible to have some organization of methods upon disassembling? Would detection methods/Warden belong to a specific class if so?

    I've also read that simply reading memory is no safer than writing. That kind of boggles my mind, that reading can be detected. I've repurposed HBRelog for my own pixel bot with websockets to create characters and do other gluescreen interaction. GreyMagic is a common module, and reading various gluescreen offsets would make me assume that if they could detect memory reading and have the open source, then why do they not ban anyone using HBRelog? Does their scanning not start until you are in the game world? I know people got banned a while back from ARelog and I believe also HBRelog, but "mistakes were made" was the only answer I remember.

    Also, is IDA Pro the most efficient tool to wholly learn for getting offsets and reverse engineering or does Cheat Engine play some role in the process?

    Finally, is there any reason I would need to do any packet analysis with Wireshark or equivalent, assuming I only want to read basic coordinate/object details and potentially trigger interacts or CTM? Like as part of understanding/reversing part of the client?

  2. Thanks Corthezz (1 members gave Thanks to Powerstroke 6.0 for this useful post)
  3. #2
    zys924's Avatar Active Member
    Reputation
    20
    Join Date
    Nov 2009
    Posts
    113
    Thanks G/R
    0/7
    Trade Feedback
    0 (0%)
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Retail WoW nowadays adopts a sophisticated Anti-Cheating mechanism which goes far beyond the classic Warden.

    Such technologies include, for example,
    1. static code obfuscation (which applies primarily to their static Anti-Cheat code)
    2. anti-debugging (3-4 intermixed approaches)
    3. TLS callback based memory protection and heuristic cheat detection
    4. RET based function call detection
    5. Encrypted states used by Anti-Cheat system
    6. A more advanced Warden scan over the entire .text section

    This list is still not complete, just because of point 1. I suspect nobody knows the entire one, but these are just a few I have found. So it is not wise if you start working on reverse engineering of WoW from today, since you can hardly debug the process nor can you happily statically reverse the EXE without great knowledge of Windows internals.

    My suggestion: pick up a non-obfuscated game, maybe PUBG? to start your happy trip of reverse engineering.

  4. Thanks Romath, tutrakan (2 members gave Thanks to zys924 for this useful post)
  5. #3
    lolp1's Avatar Site Donator CoreCoins Purchaser
    Reputation
    190
    Join Date
    Feb 2013
    Posts
    210
    Thanks G/R
    43/77
    Trade Feedback
    3 (100%)
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    I am going to have to somewhat disagree with some points here, but I'll do my best to be helpful.
    Originally Posted by zys924 View Post
    Retail WoW nowadays adopts a sophisticated Anti-Cheating mechanism which goes far beyond the classic Warden.
    Yes and no. They've invested much more effort in actually being clever, and clearly a background in malware will be useful to deal with changes. The general concept of 'the warden' remains the same as it has for nearly a decade -- manually map space in for their mod files to execute code based on what the server tells it to do. It has always been completely dynamic and the protocol has always been able to be changed at any moment. You've never been able to ignore updates to mod files (or you would disconnect), and they have been able to push updates via other means without client patches needed. This pretty much remains the same -- but harder to investigate, harder to anticipate, harder to track, etc.


    Originally Posted by zys924 View Post
    static code obfuscation (which applies primarily to their static Anti-Cheat code)
    Not the end of the world, annoying though.
    Originally Posted by zys924 View Post
    anti-debugging (3-4 intermixed approaches)
    Very well thought out anti-debug code and it has many layers and they are adding more as time goes on and hiding them well. Math magic and cleverness goes a long way.
    Originally Posted by zys924 View Post
    TLS callback based memory protection and heuristic cheat detection
    Existed since Overwatch AFAIK, and I see no evidence of a major increase in heuristic based detection, short of perhaps sending a lot more hashed data in their packets and, rumor has it, banning people via a range of unique identifiers.
    Originally Posted by zys924 View Post
    Encrypted states used by Anti-Cheat system
    Any review will reveal lots of calls that are encrypted/decrypted at runtime. Standard ways exist to deal with this.

    Originally Posted by zys924 View Post
    A more advanced Warden scan over the entire .text section
    More advanced than their previous memcpy only check? Sure. I'd hardly call it ground breaking though.

    Originally Posted by zys924 View Post
    This list is still not complete, just because of point 1. I suspect nobody knows the entire one, but these are just a few I have found. So it is not wise if you start working on reverse engineering of WoW from today, since you can hardly debug the process nor can you happily statically reverse the EXE without great knowledge of Windows internals.

    My suggestion: pick up a non-obfuscated game, maybe PUBG? to start your happy trip of reverse engineering.
    You can pretty much debug any process given enough time spent tracking down the systems preventing you from doing so. In all honesty, while it is much harder than before to reverse the game -- anyone willing to research standard/modern malware and anti-malware practices, plus some good old-fashioned elbow grease, should be just fine.

    Summary

    Are you looking for an easy time and have no interest in the finer details of reverse engineering and surrounding knowledge? Sure, stay away from WoW -- but for those who are interested, it is not some hopeless adventure. You will learn a lot in the process.

  6. Thanks Nephilim2016, Midi12 (2 members gave Thanks to lolp1 for this useful post)
  7. #4
    Midi12's Avatar Contributor
    Reputation
    90
    Join Date
    Sep 2012
    Posts
    182
    Thanks G/R
    6/13
    Trade Feedback
    0 (0%)
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Originally Posted by lolp1 View Post
    Math magic
    If you are referring to constant obfuscation, this was (when I reversed beta Overwatch, so it might have changed of course) basic (yes, basic) constant unfolding that can be reversed at static analysis time.
    If you are referring to the big (did I mean gigantic?) xor table index computing, it is integer overflow based computation.

    I would not call that math magic (no sorcery in math, you can't disagree) but I would call it a neat application of low level code tricks. Nothing too fancy.

    Did I name opaque predicates, junk code insertion and dead code insertion? Looks like the devs bought a copy of Practical Reverse Engineering and read Chapter 5 after all (and it is a very good resource).

    Overwatch (and WoW, as it seems to be the same packer) is a good and safe resource to get experience on unpacking.
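To illustrate Midi12's point that constant unfolding is undone at static analysis time, here is an added example written for this edit (not code posted in the thread, and not taken from any game client or packer). It is a small constant-folding pass over a Python expression AST that evaluates every all-constant subexpression with 32-bit wrap-around, mirroring the integer-overflow-based arithmetic described above. The expression strings, and the names `fold`, `fold_value` and `ConstantFolder`, are constructed for this example. The same pass also shows why this class of obfuscation adds little protection on its own: an optimizing compiler performs exactly this folding, so anyone evaluating a protection scheme should expect the constants to fall out of any decent static-analysis tool.

```python
import ast
import operator

MASK32 = 0xFFFFFFFF  # every result wraps to 32 bits, like the native code being discussed

# Binary operators the folding pass understands.
_BINOPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.BitXor: operator.xor,
    ast.BitAnd: operator.and_,
    ast.BitOr: operator.or_,
    ast.LShift: operator.lshift,
    ast.RShift: operator.rshift,
}


def _is_int(node):
    """True for an integer literal node (bool is excluded on purpose)."""
    return (isinstance(node, ast.Constant)
            and isinstance(node.value, int)
            and not isinstance(node.value, bool))


class ConstantFolder(ast.NodeTransformer):
    """Fold constant subexpressions bottom-up, keeping 32-bit wrap-around semantics."""

    def visit_BinOp(self, node):
        self.generic_visit(node)  # fold the children first
        op = _BINOPS.get(type(node.op))
        if op and _is_int(node.left) and _is_int(node.right):
            value = op(node.left.value, node.right.value) & MASK32
            return ast.copy_location(ast.Constant(value), node)
        return node  # at least one side depends on a runtime value; leave it

    def visit_UnaryOp(self, node):
        self.generic_visit(node)
        if _is_int(node.operand):
            v = node.operand.value
            if isinstance(node.op, ast.Invert):
                return ast.copy_location(ast.Constant(~v & MASK32), node)
            if isinstance(node.op, ast.USub):
                return ast.copy_location(ast.Constant(-v & MASK32), node)
        return node


def fold(src):
    """Return the expression with all constant subexpressions folded, as source text."""
    tree = ast.parse(src, mode="eval")
    tree = ConstantFolder().visit(tree)
    ast.fix_missing_locations(tree)
    return ast.unparse(tree)


def fold_value(src):
    """Return the integer an all-constant expression folds to, or raise if it cannot."""
    tree = ConstantFolder().visit(ast.parse(src, mode="eval"))
    if not _is_int(tree.body):
        raise ValueError("expression still depends on a non-constant input")
    return tree.body.value


# Constructed sample: an "unfolded" way of writing the constant 0x1234 that relies on
# a 32-bit overflow (0xFFFFFFFF + 0x1235) and on self-cancelling xor/shift terms.
UNFOLDED_CONSTANT = (
    "((0xDEADBEEF ^ 0xDEADBEEF) + (0xFFFFFFFF + 0x1235)) "
    "^ ((0x12340000 >> 16) ^ 0x1234)"
)

# Constructed sample: the same trick mixed with a runtime value; only the constant part folds.
PARTIAL = "x ^ (0xFFFFFFFF + 0x1235)"

if __name__ == "__main__":
    for src in (UNFOLDED_CONSTANT, PARTIAL):
        print(src, "->", fold(src))
```

The pass deliberately stops at any subexpression that references a runtime value, which is the line between constant unfolding (recoverable statically) and the table-index computations that actually depend on data only present at run time.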

  8. #5
    lolp1's Avatar Site Donator CoreCoins Purchaser
    Reputation
    190
    Join Date
    Feb 2013
    Posts
    210
    Thanks G/R
    43/77
    Trade Feedback
    3 (100%)
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Originally Posted by Midi12 View Post
    If you are referring to constant obfuscation, this was (when I reversed beta Overwatch, so it might have changed of course) basic (yes, basic) constant unfolding that can be reversed at static analysis time.
    If you are referring to the big (did I mean gigantic?) xor table index computing, it is integer overflow based computation.

    I would not call that math magic (no sorcery in math, you can't disagree) but I would call it a neat application of low level code tricks. Nothing too fancy.

    Did I name opaque predicates, junk code insertion and dead code insertion? Looks like the devs bought a copy of Practical Reverse Engineering and read Chapter 5 after all (and it is a very good resource).

    Overwatch (and WoW, as it seems to be the same packer) is a good and safe resource to get experience on unpacking.
    It is an incorrect wording for referring to the fact they use clever code flow and jumps to avoid references, making calls harder to find relevant to your needs. Yes, you are 100% correct that 90% of this 'new' stuff is standard modern (ironically, malware) practices, well documented and researched.
