How to Work Around Anti-Debugging

  1. #16
    Azarchius
    Originally Posted by king48488
    Some info about remapping:
    - It WILL crash your Wow unless you hook some functions or patch out these crashes.
    - IT IS detected (especially together with patched out crashes) on retail. DO NOT use it there for any of your tools in the future.
    - You can remap whenever you want. Doesn't have to be with a suspended startup. Also no need to check region sizes etc. Just remap at the base address.
    - After remapping you will face the CRC checks that WILL crash your client too :P

    I should stress to any readers that:

    1. Like I said, this was done on 7.3.5.26972, so if you're planning it there, remapping will not crash your wow, the instructions I gave and the relevant code I presented work perfectly for 26972.
    3. My code shouldn't be taken as the only way to do things--launcher with suspended startup is just the easy way. Like my instructions say, you must suspend WoW during the remapping, or it will crash.
    4. There are no CRC checks on 7.3.5.26972, so if you're planning on conducting your operations on that version, you shouldn't worry. When I eventually move to the final BFA patch, though that'll probably be in at least a year, I'll investigate and post what I find. I'm hoping that it's as simple as finding a place where WoW is trying to read memory, as in 26972 it has no ReadProcessMemory or similar Windows operations.
    Last edited by Azarchius; 08-06-2019 at 11:25 AM.

  2. #17
    doityourself
    7.3.5.26972 got both: CRC checks and remapping checks. They are just not triggered that often. There is a huge amount of people without crashes and others will get crashes.
    Also of course you won't see such things as RPM for crc checks etc (lol)
    Last edited by doityourself; 08-06-2019 at 11:59 AM.

  3. #18
    Azarchius
    I've unlocked lua after I'd done this and had a script run most functions. It sounds like nonsense that some people get it and some people don't--a CRC check isn't random, it's triggered by something that would affect all equally when triggered, unless we're talking about different distributions (mac users vs windows). The only dynamic way a crash would happen is during the remap. To assure that that is not a dynamic situation, I perform it on startup.

    Developers have been running the remapped binary for a week now as we test our 8.2 downport. I don't know what kind of CRC checks 26972 may or may not have (I bid you to point them out as I'd hate surprises myself), but we have been testing most things a player on our server could do and no one has crashed, and if WoW doesn't read its own memory in any way to check the integrity of specific locations, all the better, as it would mean any test would be against a hash of the entire module (but how, when the module itself contains runtime offsets?). I don't change the base address obviously, so there is nothing in MBI that can alert WoW a change has occurred other than the page protection. Perhaps a different way entirely--my experience in this field is lacking.

    Right now to me, it seems more like any crashes would be because of a shoddy remap. WoW is susceptible to crashes during the remap, for the same reasons it's susceptible to crashes after sometimes using breakpoints. WoW should be in suspended state during the remap, and in my implementation (remapping on launch), no one has run into any kind of crashes. Attempting to modify regions without suspending the threads from time to time may cause memory could not be executed crashes (this occurs within half a second to two seconds after the operation). Are you sure you're applying your region modifications while WoW is suspended? I don't know if Arctium performed region remaps once, but if you remapped memory on change and then remapped it back, while the game is running, it seems clear to me that crashes can happen. Of course, maybe that was required to avoid Warden, or these crashes really are the CRC check--and if they are, my instructions to launch in suspended state and perform the remap there stand.

    All I know is that no one on my team has run into any CRC checks. I have only run into memory execution errors on region remaps by Cheat Engine (breakpoints), and when I performed region remaps live without stopping threads. This is why I perform them on program startup, in suspended state. This assures that the remap always occurs under the same conditions, with the exception of addresses.
    Last edited by Azarchius; 08-06-2019 at 02:34 PM.

  4. #19
    doityourself
    You can't remap without suspending; that is why it's crashing when remapping and not because wow detects it.... In addition to that, the CRC checks are running on the text section, not on the data section or rdata.
    For the text section it doesn't matter when you apply your modifications. They are detected by the client. Don't try to fight against these facts :P

  5. #20
    baby110
    unlock lua: wow.exe+117CB29
    If I change it, wow.exe will shut down incorrectly later.

  6. #21
    ynyzyfy
    Wow is using crc32 instructions to do the CRC check (because it has hardware acceleration). Also, in wow, it uses RegisterEvent to register callbacks to do some checks.
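
How a per-chunk CRC self-check over a code section flags a modified byte no matter when the change was made, as an added example that is not part of the thread and not the game client's code. The buffer standing in for a `.text` section, the chunk size and all function names are assumptions; CRC32C is the polynomial computed by the SSE4.2 `crc32` instruction, implemented bitwise here so it runs on any CPU.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define CHUNK 64        /* assumed chunk size in bytes */
#define MAX_CHUNKS 16   /* enough for the constructed sample below */

/* Bitwise CRC32C (Castagnoli, reflected polynomial 0x82F63B78). */
uint32_t crc32c(const uint8_t *p, size_t n) {
    uint32_t crc = 0xFFFFFFFFu;
    while (n--) {
        crc ^= *p++;
        for (int k = 0; k < 8; k++)
            crc = (crc >> 1) ^ (0x82F63B78u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Record one checksum per chunk of the region; returns the chunk count. */
size_t make_baseline(const uint8_t *region, size_t len, uint32_t *out) {
    size_t n = 0;
    for (size_t off = 0; off < len && n < MAX_CHUNKS; off += CHUNK, n++)
        out[n] = crc32c(region + off, len - off < CHUNK ? len - off : CHUNK);
    return n;
}

/* Returns the index of the first chunk that no longer matches, or -1. */
int verify(const uint8_t *region, size_t len, const uint32_t *base, size_t n) {
    uint32_t now[MAX_CHUNKS];
    if (make_baseline(region, len, now) != n) return (int)n;
    for (size_t i = 0; i < n; i++)
        if (now[i] != base[i]) return (int)i;
    return -1;
}

/* Constructed demo: 200 bytes standing in for a code section. */
int demo_patched_chunk(void) {
    uint8_t text[200];
    uint32_t base[MAX_CHUNKS];
    for (size_t i = 0; i < sizeof text; i++) text[i] = (uint8_t)(i * 7 + 3);
    size_t n = make_baseline(text, sizeof text, base);
    if (verify(text, sizeof text, base, n) != -1) return -2; /* clean pass */
    text[130] ^= 0x01;  /* single-bit change inside chunk 2 */
    return verify(text, sizeof text, base, n);
}
int main(void) {
    printf("first modified chunk: %d\n", demo_patched_chunk());
    return 0;
}
```

The baseline is compared on every run of `verify`, so the result depends only on the bytes present at check time, not on when they were changed.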

  7. #22
    vegoo
    If your main concern is checking functions' input parameters then this may help you:

    https://www.ownedcore.com/forums/wor...st4052709.html (Simple WoW Debugger / Registers Checker)