Originally Posted by zys924
This is not because of Warden, but the client obfuscation instead. You should never tamper with the .text section's CRC.
Yes, it is. Warden always gets downloaded and executed from each BLZ server once you log in to the game, in terms of shellcode. There is no difference between Retail and Classic. In general, the following is how Warden works at the moment.
1. A Warden launcher shellcode will be loaded after 2-5 minutes of login, and will stay in memory in the long term. It is responsible for loading actual Warden modules later across the current login session.
2. The Warden launcher will start loading different detection modules from the server in about 10 minutes, once every 1-2 minutes. This is why Warden can get updated at any minute without restarting the game client.
3. Each Warden detection module runs on a different thread for a few seconds, uploads its scan result data to the server, and then gets released by the launcher. This is how your account gets "flagged". But whether you will get banned because of this is still subject to the BLZ server's discretion.
To counteract Warden, EWT's tripwire system can intercept these modules, recognize them by some kind of approach and disconnect you if an unknown one is found. It is hard since you need to collect all of them and sig them well, but effective. Other commercial products may have other approaches that I don't know. Anyway, nothing is easy.