Does wow classic still have warden monitoring?

[sanyle]

Hello, guys
I changed the .text content from kernel mode to make calling framescriptexecutebuffer normal.
At the same time try to fix the CRC check, but still intermittent game crash.
I found that the game intermittently uses VirtualAlloc to allocate a piece of memory to perform something.
Is this the warden module?
I also read the forum after a large number of threads guess.
I haven't figured out what caused the crash yet. I hope experienced friends can help me. thanks.
If it's not convenient for public discussion, I hope the private letter can get your advice.

[namreeb]

My understanding is that it is not running in China, but it is everywhere else.

[sanyle]

My understanding is that it is not running in China, but it is everywhere else.

Thanks for the guidance, I will continue to analyze it. Now it seems that several methods of executing Lua all have byte detection. Headache

[Jadd]

Warden is running in China but for the longest time they were not acting on any detection data. I think they are now, though.

[Scumstation]

Warden is running in China but for the longest time they were not acting on any detection data. I think they are now, though.

How did you find this out?

[zys924]

At the same time try to fix the CRC check, but still intermittent game crash.

This is not because of Warden, but the client obfuscation instead. You should never tamper with .text section's CRC.

I found that the game intermittently uses VirtualAlloc to allocate a piece of memory to perform something.
Is this the warden module?

Yes, it is. Warden always gets downloaded and executed from each BLZ server once you login to the game, in terms of shell code. There is no difference between Retail and Classic. In general, the following is how Warden works at the moment.

1. A warden launcher shell code will be loaded after 2-5 minutes of login, and will stay in memory in long term. It is responsible for loading actual warden modules later across the current login session.
2. The warden launcher will start loading different detection modules from server in about 10 minutes, once every 1-2 minutes. This is why Warden can get updated at any minute without restarting the game client.
3. Each detection Warden module runs on a different thread for a few seconds, uploads its scan result data to the server, and then gets released by launcher. This is how your account gets "flagged". But whether you will get banned because of this is still subject to BLZ server's discretion.

To counteract Warden, EWT's tripwire system can intercept these modules, recognize them by some kind approach and disconnect you if an unknown one is found. It is hard since you need to collect all of them and sig them well, but effective. Other commercial products may have other approaches that I don't know. Anyway, nothing is easy.

[charles420]

was banned by warden in us dicking around on a throwaway trialing so def running us

[sanyle]

This is not because of Warden, but the client obfuscation instead. You should never tamper with .text section's CRC.


Yes, it is. Warden always gets downloaded and executed from each BLZ server once you login to the game, in terms of shell code. There is no difference between Retail and Classic. In general, the following is how Warden works at the moment.

1. A warden launcher shell code will be loaded after 2-5 minutes of login, and will stay in memory in long term. It is responsible for loading actual warden modules later across the current login session.
2. The warden launcher will start loading different detection modules from server in about 10 minutes, once every 1-2 minutes. This is why Warden can get updated at any minute without restarting the game client.
3. Each detection Warden module runs on a different thread for a few seconds, uploads its scan result data to the server, and then gets released by launcher. This is how your account gets "flagged". But whether you will get banned because of this is still subject to BLZ server's discretion.

To counteract Warden, EWT's tripwire system can intercept these modules, recognize them by some kind approach and disconnect you if an unknown one is found. It is hard since you need to collect all of them and sig them well, but effective. Other commercial products may have other approaches that I don't know. Anyway, nothing is easy.

Thank you for your detailed answers. It seems that a lot of work is needed. Let me try to learn slowly.