MMOwned - World of Warcraft Exploits, Hacks, Bots and Guides  

Unpacked The Warden <
(#1) zhPaul - 08-28-2006

Hey all,

Well, I was tinkering around with Warden and its scanning functions, and I managed to unpack it and learn what APIs it uses. Here are the enumerated DLLs which it uses functions from. I will highlight in RED what some if not all of the important functions are for how Warden detects your cheating. (Might be a lot of text, but you can skim to the red color.)

I'll be coding a little app/DLL that will load with WoW when the game is launched that will turn off Warden's functions completely. I'm contemplating releasing it here to the public, but then Blizz will just patch my method way too fast. I'll discuss it with the admins of this board before I release anything.

(Code included; if you don't know what these functions do, don't ask.)
KERNEL32.dll
------------

Code:
function ReadProcessMemory(hProcess: THandle; const lpBaseAddress: Pointer;
      lpBuffer: Pointer; nSize: DWORD; var lpNumberOfBytesRead: DWORD): BOOL;
      stdcall; external 'kernel32.dll' name 'ReadProcessMemory' index 577; 

function OpenProcess(dwDesiredAccess: DWORD; bInheritHandle: BOOL;
      dwProcessId: DWORD): THandle; stdcall;
      external 'kernel32.dll' name 'OpenProcess' index 530; 

function GetVersionEx(var lpVersionInformation: TOSVersionInfo): BOOL;
      stdcall; external 'kernel32.dll' name 'GetVersionExA' index 400; 

function CreateToolhelp32Snapshot(dwFlags, th32ProcessID: DWORD): THandle;
      stdcall;
      external 'kernel32.dll' name 'CreateToolhelp32Snapshot' index 81; 

function LCMapStringW(Locale: LCID; dwMapFlags: DWORD; lpSrcStr: PWideChar;
      cchSrc: Integer; lpDestStr: PWideChar; cchDest: Integer): Integer;
      stdcall; external 'kernel32.dll' name 'LCMapStringW' index 478; 

function Process32First(hSnapshot: THandle; var lppe: TProcessEntry32): BOOL;
      stdcall; external 'kernel32.dll' name 'Process32First' index 546; 

function Process32Next(hSnapshot: THandle; var lppe: TProcessEntry32): BOOL;
      stdcall; external 'kernel32.dll' name 'Process32Next' index 548; 

function GetCurrentProcess: THandle; stdcall;
      external 'kernel32.dll' name 'GetCurrentProcess' index 266; 

function GetLastError: DWORD; stdcall;
      external 'kernel32.dll' name 'GetLastError' index 302; 

function CloseHandle(hObject: THandle): BOOL; stdcall;
      external 'kernel32.dll' name 'CloseHandle' index 31; 

function GetCurrentThreadId: DWORD; stdcall;
      external 'kernel32.dll' name 'GetCurrentThreadId' index 269; 

function GetCommandLine: PAnsiChar; stdcall;
      external 'kernel32.dll' name 'GetCommandLineA' index 219; 

function HeapFree(hHeap: THandle; dwFlags: DWORD; lpMem: Pointer): BOOL;
      stdcall; external 'kernel32.dll' name 'HeapFree' index 443; 

function HeapAlloc(hHeap: THandle; dwFlags, dwBytes: DWORD): Pointer; stdcall;
      external 'kernel32.dll' name 'HeapAlloc' index 437; 

function GetProcessHeap: THandle; stdcall;
      external 'kernel32.dll' name 'GetProcessHeap' index 342; 

function TerminateProcess(hProcess: THandle; uExitCode: UINT): BOOL; stdcall;
      external 'kernel32.dll' name 'TerminateProcess' index 716; 

function UnhandledExceptionFilter(const ExceptionInfo: TExceptionPointers):
      Longint; stdcall;
      external 'kernel32.dll' name 'UnhandledExceptionFilter' index 732; 

function SetUnhandledExceptionFilter(lpTopLevelExceptionFilter:
      TFNTopLevelExceptionFilter): TFNTopLevelExceptionFilter; stdcall;
      external 'kernel32.dll' name 'SetUnhandledExceptionFilter' index 697; 

IsDebuggerPresent()

function GetProcAddress(hModule: HMODULE; lpProcName: LPCSTR): FARPROC;
      stdcall; external 'kernel32.dll' name 'GetProcAddress' index 340; 

function GetModuleHandle(lpModuleName: PAnsiChar): HMODULE; stdcall;
      external 'kernel32.dll' name 'GetModuleHandleA' index 315; 

procedure ExitProcess(uExitCode: UINT); stdcall;
      external 'kernel32.dll' name 'ExitProcess' index 141; 

function TlsGetValue(dwTlsIndex: DWORD): Pointer; stdcall;
      external 'kernel32.dll' name 'TlsGetValue' index 723; 

function TlsAlloc: DWORD; stdcall;
      external 'kernel32.dll' name 'TlsAlloc' index 721; 

function TlsSetValue(dwTlsIndex: DWORD; lpTlsValue: Pointer): BOOL; stdcall;
      external 'kernel32.dll' name 'TlsSetValue' index 724; 

function TlsFree(dwTlsIndex: DWORD): BOOL; stdcall;
      external 'kernel32.dll' name 'TlsFree' index 722; 

function InterlockedIncrement(var Addend: Integer): Integer; stdcall;
      external 'kernel32.dll' name 'InterlockedIncrement' index 460; 

procedure SetLastError(dwErrCode: DWORD); stdcall;
      external 'kernel32.dll' name 'SetLastError' index 669; 

function InterlockedDecrement(var Addend: Integer): Integer; stdcall;
      external 'kernel32.dll' name 'InterlockedDecrement' index 457; 

procedure Sleep(dwMilliseconds: DWORD); stdcall;
      external 'kernel32.dll' name 'Sleep' index 708; 

function SetHandleCount(uNumber: UINT): UINT; stdcall;
      external 'kernel32.dll' name 'SetHandleCount' index 665; 

function GetStdHandle(nStdHandle: DWORD): THandle; stdcall;
      external 'kernel32.dll' name 'GetStdHandle' index 361; 

function GetFileType(hFile: THandle): DWORD; stdcall;
      external 'kernel32.dll' name 'GetFileType' index 297; 

procedure GetStartupInfo(var lpStartupInfo: TStartupInfo); stdcall;
      external 'kernel32.dll' name 'GetStartupInfoA' index 359; 

procedure DeleteCriticalSection(var lpCriticalSection: TRTLCriticalSection);
      stdcall; external 'kernel32.dll' name 'DeleteCriticalSection' index 91; 

function GetModuleFileName(hModule: HINST; lpFilename: PAnsiChar;
      nSize: DWORD): DWORD; stdcall;
      external 'kernel32.dll' name 'GetModuleFileNameA' index 313; 

function FreeEnvironmentStrings(p1: PAnsiChar): BOOL; stdcall;
      external 'kernel32.dll' name 'FreeEnvironmentStringsA' index 194; 

GetEnvironmentStrings()

function FreeEnvironmentStringsW(p1: PWideChar): BOOL; stdcall;
      external 'kernel32.dll' name 'FreeEnvironmentStringsW' index 195; 

function WideCharToMultiByte(CodePage: UINT; dwFlags: DWORD;
      lpWideCharStr: LPWSTR; cchWideChar: Integer; lpMultiByteStr: LPSTR;
      cchMultiByte: Integer; lpDefaultChar: LPCSTR;
      lpUsedDefaultChar: PBOOL): Integer; stdcall;
      external 'kernel32.dll' name 'WideCharToMultiByte' index 770; 

function GetEnvironmentStringsW: PWideChar; stdcall;
      external 'kernel32.dll' name 'GetEnvironmentStringsW' index 284; 

function HeapDestroy(hHeap: THandle): BOOL; stdcall;
      external 'kernel32.dll' name 'HeapDestroy' index 441; 

function HeapCreate(flOptions, dwInitialSize, dwMaximumSize: DWORD): THandle;
      stdcall; external 'kernel32.dll' name 'HeapCreate' index 439; 

function VirtualFree(lpAddress: Pointer; dwSize, dwFreeType: DWORD): BOOL;
      stdcall; external 'kernel32.dll' name 'VirtualFree' index 754; 

function QueryPerformanceCounter(var lpPerformanceCount: TLargeInteger): BOOL;
      stdcall;
      external 'kernel32.dll' name 'QueryPerformanceCounter' index 556; 

function GetTickCount: DWORD; stdcall;
      external 'kernel32.dll' name 'GetTickCount' index 391; 

function GetCurrentProcessId: DWORD; stdcall;
      external 'kernel32.dll' name 'GetCurrentProcessId' index 267; 

procedure GetSystemTimeAsFileTime(var lpSystemTimeAsFileTime: TFileTime);
      stdcall;
      external 'kernel32.dll' name 'GetSystemTimeAsFileTime' index 375; 

procedure LeaveCriticalSection(var lpCriticalSection: TRTLCriticalSection);
      stdcall; external 'kernel32.dll' name 'LeaveCriticalSection' index 479; 

procedure EnterCriticalSection(var lpCriticalSection: TRTLCriticalSection);
      stdcall; external 'kernel32.dll' name 'EnterCriticalSection' index 112; 

function VirtualAlloc(lpvAddress: Pointer; dwSize, flAllocationType,
      flProtect: DWORD): Pointer; stdcall;
      external 'kernel32.dll' name 'VirtualAlloc' index 751; 

function HeapReAlloc(hHeap: THandle; dwFlags: DWORD; lpMem: Pointer;
      dwBytes: DWORD): Pointer; stdcall;
      external 'kernel32.dll' name 'HeapReAlloc' index 446; 

function HeapSize(hHeap: THandle; dwFlags: DWORD; lpMem: Pointer): DWORD;
      stdcall; external 'kernel32.dll' name 'HeapSize' index 447; 

function WriteFile(hFile: THandle; const Buffer; nNumberOfBytesToWrite: DWORD;
      var lpNumberOfBytesWritten: DWORD; lpOverlapped: POverlapped): BOOL;
      stdcall; external 'kernel32.dll' name 'WriteFile' index 783; 

function LoadLibrary(lpLibFileName: PAnsiChar): HMODULE; stdcall;
      external 'kernel32.dll' name 'LoadLibraryA' index 480; 

procedure InitializeCriticalSection(var lpCriticalSection:
      TRTLCriticalSection); stdcall;
      external 'kernel32.dll' name 'InitializeCriticalSection' index 454; 

function GetCPInfo(CodePage: UINT; var lpCPInfo: TCPInfo): BOOL; stdcall;
      external 'kernel32.dll' name 'GetCPInfo' index 208; 

function GetACP: UINT; stdcall;
      external 'kernel32.dll' name 'GetACP' index 202; 

function GetOEMCP: UINT; stdcall;
      external 'kernel32.dll' name 'GetOEMCP' index 327;

ADVAPI32.dll // few things here, but not important <

USER32.dll
----------

Code:
function GetWindowTextW(hWnd: HWND; lpString: PWideChar;
      nMaxCount: Integer): Integer; stdcall;
      external 'user32.dll' name 'GetWindowTextW' index 358; 

function GetWindowText(hWnd: HWND; lpString: PAnsiChar;
      nMaxCount: Integer): Integer; stdcall;
      external 'user32.dll' name 'GetWindowTextA' index 355; 

function EnumWindows(lpEnumFunc: TFNWndEnumProc; lParam: LPARAM): BOOL;
      stdcall; external 'user32.dll' name 'EnumWindows' index 211; 

(#2) afiwarlord - 08-28-2006

holy **** dude. /bow /praise

(#3) LightWave - 08-28-2006

Great post, man. +rep for you.

(#4) Relz - 08-28-2006

Awesome, I am REALLY looking forward to the "warden killer" app =P Anyways, +rep


(#5) zhPaul - 08-28-2006

I need some people to help me with some testing; feel free to add my MSN. [Only registered and activated users can see links. ] To help me with testing you must be a contributor or above.

(#6) LightWave - 08-28-2006

As in testing, what do you mean? Cuz I'm not going to put my account up for ban lmao, so ya, if there is any way to test besides that, I'm down to test.

(#7) Lyvan - 08-28-2006

I'm not into hacks, but there is something called trial accounts for your... needs.

(#8) Relz - 08-28-2006

I'll help if it's not a 50+% chance of being banned. I'm starting school soon so I won't be playing WoW much, but I'd still like to have an account for the weekends/breaks.
PS: hacks ftw


(#9) zhPaul - 08-28-2006

Quote:
Originally Posted by Lyvan
I'm not into hacks, but there is something called trial accounts for your... needs.

Lol yea, I was looking around for my guest pass key, but I can't seem to find it.. Anybody have one to donate to "science"?

(#10) LightWave - 08-28-2006

lol well he needs testers to see if it works, cuz I have used process hide hacks before and ya but

Here is the catcher with trials: if you use one internet connection you share the IP with your other WoW, and WoW can track IPs (for people that didn't know that), so they can trace it back to your other account and look at the activity on that account from that IP.

And don't say "what if you're at a cyber cafe" or anything, cuz cyber cafes don't allow downloading anything. I know, I used to work at one.

And "what if I was at a friend's house"? Well, you just ****ed your friend over: his account has been flagged for IP searching to see if he cheats.

(#11) zhPaul - 08-28-2006

Quote:
Originally Posted by LightWave
lol well he needs testers to see if it works, cuz I have used process hide hacks before and ya but

Here is the catcher with trials: if you use one internet connection you share the IP with your other WoW, and WoW can track IPs (for people that didn't know that), so they can trace it back to your other account and look at the activity on that account from that IP.

And don't say "what if you're at a cyber cafe" or anything, cuz cyber cafes don't allow downloading anything. I know, I used to work at one.

And "what if I was at a friend's house"? Well, you just ****ed your friend over: his account has been flagged for IP searching to see if he cheats.

Well, I actually have my WoW on a thumb drive for portability, so I could just go to any decent computer and "plug & play". Also I use a program which spoofs my MAC so WoW never has my real IP.

(#12) Relz - 08-28-2006

I'd be glad to test, if you got me a trial account that is. I don't care if my IP gets flagged, I'll just be a little more careful =P Just don't want my account banned.


(#13) zhPaul - 08-28-2006

Quote:
Originally Posted by relz
I'd be glad to test, if you got me a trial account that is. I don't care if my IP gets flagged, I'll just be a little more careful =P Just don't want my account banned.

I have a DLL for you to test; you don't even need to log in to see if it's working... This is going to be hard to facilitate if you don't have an IM service.

(#14) Relz - 08-28-2006

I have AOL; I believe it's in my profile (my screen name, that is). Of course we could use PMs if you don't like AIM.


(#15) Lyvan - 08-28-2006

[Only registered and activated users can see links. ]

That's the Europe address (doh!)

And in case you need the US version, I got that one too.

[Only registered and activated users can see links. ]

I won't support you with any testing or anything else related to hacks, since I don't think it's fair playing.

However, if you intend to block Warden from checking my modelchanged files, I will/can support you.

Send me a PM and i will give you contact details.