[Live] About the integrity check in live

[youyanruyu]

Trying to update my hack to work with live. Find that any modify on wow .text section will cause the client to crash after a random time.
Is there anyone that has successfully bypassed this integrity check? I'm eager to get help, and any hint/code/theory is appreciated.
Thanks in advance.

[MrNoble]

I believe there was someone that was successful in doing this for a Diablo II: Resurrected

May I ask why you want to write to the .text section? IIRC they have additional checks for integrity, better not to modify .text unless you know what you are doing!

[aeo]

There are multiple things you have to pass, first its mapped SEC_NO_CHANGE so you cant even write to it without fixing that first. Second that have CRC checks for the text section that run every x cpu cycles. There was at one point a great article and repo by Ferib on how to bypass this but it may have got taken down by blizzard. I would start by looking around github.

GitHub - hollerith/Wow-Remap-Tool: Remaps Wow & bypass CRC checks

[ChrisIsMe]

aaaaaaaaaaaaaaaaaaaa

[_chase]

There are multiple things you have to pass, first its mapped SEC_NO_CHANGE so you cant even write to it without fixing that first. Second that have CRC checks for the text section that run every x cpu cycles. There was at one point a great article and repo by Ferib on how to bypass this but it may have got taken down by blizzard. I would start by looking around github.

GitHub - hollerith/Wow-Remap-Tool: Remaps Wow & bypass CRC checks

You can find a cached version of Ferib's article about the crc32 checks here
Ferib: Bypassing World of Warcraft's read-only code protection (crc32)

[oiramario]

Code:

Bypassed CRC at 7FF781D97640
Bypassed CRC at 7FF781D99A10
Bypassed CRC at 7FF781EF1AF0
Bypassed CRC at 7FF7821C94E0
Bypassed CRC at 7FF7821C99E0
Bypassed CRC at 7FF7821D6A20
Bypassed CRC at 7FF7821D7110
Bypassed CRC at 7FF7821E2620
Bypassed CRC at 7FF78224CB00
Bypassed CRC at 7FF78248AEB0
Bypassed CRC at 7FF7825DB5A0
Bypassed CRC at 7FF78263BF50
Bypassed CRC at 7FF782FB94D0
Bypassed CRC at 7FF7831B3F00
Bypassed CRC at 7FF7831DE7F0
Bypassed CRC at 7FF7838E7290

@_chase @aeo
After bypassing the read-only code protection and integrity CRC checks, "F3 A4 5F 5E C3" will no longer be called.
What about the warden? Remember that it scans more than 100 addresses. Do we still need to care about it?

[aeo]

they do check if you have remapped the game by trying to change protection

[MrNoble]

they do check if you have remapped the game by trying to change protection

Which is why you have to map back after making your changes

Oh and don't get caught while suspending the process!

[doityourself]

Which is why you have to map back after making your changes

Oh and don't get caught while suspending the process!

You remap with SEC_NO_CHANGE too and just open a readonly and writable view. close the writable view after you are done and gg.
Alone the remap itself without changing anything in the text section will trigger other checks that can make your client crash (but won't do in all cases).
They actually detected remap and bypassing crashes in legion/bfa. That's where all my users got banned (unbanned later of course) because they wanted to target bots etc but not my users. Since then no bans related to doing these things happened

[MrNoble]

You remap with SEC_NO_CHANGE too and just open a readonly and writable view. close the writable view after you are done and gg.
Alone the remap itself without changing anything in the text section will trigger other checks that can make your client crash (but won't do in all cases).
They actually detected remap and bypassing crashes in legion/bfa. That's where all my users got banned (unbanned later of course) because they wanted to target bots etc but not my users. Since then no bans related to doing these things happened

Yeah they weird, I see they scan for many things but only bother to ban when big cheats are using them.

[oiramario]

Thanks guys.
I have done remap and CRC detection, which makes detour work normally, and the client does not crash.what am i missing?
dump from warden's memcpy, 20m file were generated in about 10 seconds:

Code:

dst: 0x25b50069e00, src: 0x25b25da6388, len:1952
dst: 0x25b38dab980, src: 0x25b38dac6c8, len:0
dst: 0x25b38901d50, src: 0x25b38901d70, len:0
dst: 0x25b3863fa20, src: 0x25b3863fa64, len:0
dst: 0x25b3638d6a0, src: 0x25b3638d6c0, len:0
dst: 0x25b3638dac0, src: 0x25b3638db04, len:0
dst: 0x25b21bc31b0, src: 0x25b21bc3ef8, len:0
dst: 0xe7196fb540, src: 0x25b38dd4c30, len:2416
dst: 0xe7196fb540, src: 0x25b38dd4c30, len:2416
dst: 0xe7196fb540, src: 0x25b38dd4c30, len:2416
dst: 0x25b5006b800, src: 0xe7196fbb84, len:352
dst: 0x25b5006cc00, src: 0xe7196fbb84, len:352
dst: 0x25b5006d700, src: 0xe7196fbb84, len:352
dst: 0x25b5006e000, src: 0xe7196fbb84, len:352
dst: 0x25b5006ef00, src: 0xe7196fbb84, len:352
dst: 0x25b5006fe00, src: 0xe7196fbb84, len:352
dst: 0x25b50071200, src: 0xe7196fbb84, len:352
dst: 0x25b50072100, src: 0xe7196fbb84, len:352
dst: 0xe7196fb350, src: 0x25b38dd4c30, len:2416
dst: 0xe7196fb200, src: 0x25b38dd4c30, len:2416
dst: 0xe7196fb320, src: 0x25b38dd4c30, len:2416
dst: 0xe7196fb320, src: 0x25b38dd4c30, len:2416
dst: 0x25b21d5b4d0, src: 0x25b3b21e768, len:1920
dst: 0x25b50072d00, src: 0xe7196fb964, len:352
dst: 0x25b50073600, src: 0xe7196fb964, len:352
dst: 0x25b50073760, src: 0x25b9237f090, len:2560
dst: 0x25b50074160, src: 0x25b9237fa90, len:1792
...
......

It seems that these things are everywhere. I found about 7000 references in IDA. How to deal with this information? Do you have any good suggestions? thank you!
In order to avoid being detected by them, do you mean I must remap section back to readonly after things done?