WoW Memory Editing
05-14-2009
Quote:
Originally Posted by Cypher
YOU can't. But others can. It's called reverse engineering...

++ that. Right now, I'm too lazy/ignorant to find and steal and use the code that examines the Warden modules on the fly (wasn't that Shynd's work?). But once I get that working it's just a simple bit of disassembly to understand exactly what it's doing, and the fear level will go way, way down.
Don't ascribe magic powers to Warden; it's still running in user mode on YOUR box, which means that given enough time and patience and knowledge, it WILL ultimately obey your will. Hell, if you want, you can just yank your net cable (although that might seriously detract from your gaming experience). This isn't the Matrix, folks.
Hmm, wonder if I could use shimeng to... hmm.
05-15-2009
Quote:
Originally Posted by Cypher
Quote:
Originally Posted by DaemonOnFire
Right.
We can not proof what blizz is putting into warden and wow, maybe they just have fun seeing us trying to cloak our hacks.....
I do not think that a company which earns millions over millions makes a game that can be hacked that easily without any notice of the owners.

YOU can't. But others can. It's called reverse engineering...

False. Reverse engineering can only tell you what has been put into released warden and wow. It can't tell you what blizz is putting into warden and wow.
05-15-2009
Quote:
Originally Posted by luthien23
False. Reverse engineering can only tell you what has been put into released warden and wow. It can't tell you what blizz is putting into warden and wow.

Oh boy. Can't wait for this
05-15-2009
Quote:
Originally Posted by ramey
Oh boy. Can't wait for this

*grabs some popcorn and waits for the action to start*
05-15-2009
Quote:
Originally Posted by luthien23
False. Reverse engineering can only tell you what has been put into released warden and wow. It can't tell you what blizz is putting into warden and wow.

Are you retarded? If it's never pushed to the public why does it even matter what they put in it?
Also, you're referring to an impossibility. If no one ever has a copy of the software to inspect, then NO ONE can see what it does through ANY MEANS.
Sigh, I'm much too tired to deal with this shit right now. Suffice to say, you're a ****ing moron.
05-15-2009
Quote:
Originally Posted by luthien23
False. Reverse engineering can only tell you what has been put into released warden and wow. It can't tell you what blizz is putting into warden and wow.

Your poor English is obscuring his point. You haven't worded your posts correctly and it's leading to confusion.
What he said was, we can see what is currently in the module. Obviously we can't see what doesn't exist. For that would require the ability to bend the space time continuum. I'm not going to expose my methods for time bending, as I don't want to get nerfed!
05-15-2009
Quote:
Originally Posted by Cypher
Are you retarded? If it's never pushed to the public why does it even matter what they put in it?

Who said anything about never being pushed to the public?
I just pointed out that your statement was wrong because DaemonOnFire said "We can not proof what blizz is putting into warden and wow". "Is putting" is present continuous, which expresses something that is happening now, at this very moment. Whatever blizz is putting into warden at this very moment you can't know, so his phrase, orthography aside, is true.

Quote:
Originally Posted by Cypher
Also, you're referring to an impossibility. If no one ever has a copy of the software to inspect, then NO ONE can see what it does through ANY MEANS.

Yes, exactly, it's impossible, no one can see what it does.
That is why DaemonOnFire is right when he says "We can not proof what blizz is putting into warden and wow" and why you were wrong when you said others can.
05-15-2009
Quote:
Originally Posted by luthien23
Who said anything about never being pushed to the public?
I just pointed out that your statement was wrong because DaemonOnFire said "We can not proof what blizz is putting into warden and wow". "Is putting" is present continuous, which expresses something that is happening now, at this very moment. Whatever blizz is putting into warden at this very moment you can't know, so his phrase, orthography aside, is true.
Yes, exactly, it's impossible, no one can see what it does.
That is why DaemonOnFire is right when he says "We can not proof what blizz is putting into warden and wow" and why you were wrong when you said others can.

Sigh. You do realize that with a little bit of work you can detect when new versions of Warden are pushed. Right?
Tripwire and WardenNET are two examples of such projects.
05-15-2009
I do realize such a thing is true.
DaemonOnFire's statement keeps being true though.
05-16-2009
Quote:
Originally Posted by luthien23
I do realize such a thing is true.
DaemonOnFire's statement keeps being true though.

Only because you're adhering to it in such a strict sense. And in that sense, it's a retarded ****ing statement to make in the first place.
It's impossible to see into the future given our current knowledge and technology. <-- HURRRR. LUK GUIZE! IM RITE!
06-04-2009
In the topic of warden..., will SEH through the DR0-7 registers work to hook warden's checksums? I was thinking about trying it out, but I don't want to risk my account since I don't think that trials are treated like real accounts. My main thoughts would be setting a read BP on the LuaProtection check and on QueryPerformanceCounter(). WoW/warden doesn't use GetThreadContext to check these BPs, does it? If so, I would hate to waste a BP on hooking that =/
06-04-2009
Quote:
Originally Posted by lanman92
In the topic of warden..., will SEH through the DR0-7 registers work to hook warden's checksums? I was thinking about trying it out, but I don't want to risk my account since I don't think that trials are treated like real accounts. My main thoughts would be setting a read BP on the LuaProtection check and on QueryPerformanceCounter(). WoW/warden doesn't use GetThreadContext to check these BPs, does it? If so, I would hate to waste a BP on hooking that =/

1. You typically don't catch HW BPs with SEH, you catch them with VEH.
2. You typically only use DR0->DR3 (which hold the actual addresses) and DR7 (which holds the mask of which out of DR0->DR3 are enabled).
3. HW BP hooking is nothing new, and is very easy to detect. Warden only needs to do a GetThreadContext and you're gone. There are also several other methods they can use. If you want to protect yourself you're going to need to hook NtGetContextThread, NtContinue, NtRaiseException, RtlAddVectoredExceptionHandler, etc. The number of APIs you need to hook to protect HW BPs is greater than the number of available HW BPs themselves. And that's ignoring the fact they could attempt to use HW BPs as part of Warden's logic and if the registers are unavailable then obviously someone is using them so at that point you could get kicked from the server.
4. A HW BP on QueryPerformanceCounter isn't going to help you in terms of the speedhack check. It's not based on looking for a hook on that API, so you're wasting your time.
5. Sure it would get around a "checksum" based check that looks purely for modified bytes, but it's not gonna save you if they actually start looking for HW BPs (which is a trivial task).
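Added example, not part of the original thread or any poster's code: a portable C decoder for the DR0-DR3/DR7 layout described in the post above, showing how a detection check interprets the debug registers once it has read a thread's context. The struct, function names and sample register values are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the debug-register part of a thread context.
   On Windows these values come from a CONTEXT filled by GetThreadContext
   with ContextFlags = CONTEXT_DEBUG_REGISTERS. */
struct dbg_regs { uint64_t dr[4]; uint64_t dr7; };

struct hwbp { int slot; uint64_t addr; unsigned rw; unsigned len; };

/* DR7 layout (x86): bits 2i / 2i+1 are the local/global enable for slot i,
   bits 16+4i..17+4i the access type, bits 18+4i..19+4i the length. */
int find_hw_breakpoints(const struct dbg_regs *r, struct hwbp out[4])
{
    static const unsigned len_bytes[4] = { 1, 2, 8, 4 };
    int n = 0;
    for (int i = 0; i < 4; i++) {
        if (((r->dr7 >> (2 * i)) & 0x3) == 0)
            continue;                 /* slot disabled: DRi is not armed */
        out[n].slot = i;
        out[n].addr = r->dr[i];
        out[n].rw   = (unsigned)((r->dr7 >> (16 + 4 * i)) & 0x3);
        out[n].len  = len_bytes[(r->dr7 >> (18 + 4 * i)) & 0x3];
        n++;
    }
    return n;
}

const char *rw_name(unsigned rw)
{
    static const char *names[4] = { "execute", "write", "io", "read/write" };
    return names[rw & 0x3];
}

/* Constructed sample: slot 0 armed on execute, slot 1 holds a stale address
   but is not enabled, slot 2 armed on 4-byte read/write. */
const struct dbg_regs SAMPLE = {
    { 0x401000, 0x402000, 0x7ffe0000, 0 }, 0x0F000011
};
struct hwbp found[4];

int main(void)
{
    int n = find_hw_breakpoints(&SAMPLE, found);
    for (int i = 0; i < n; i++)
        printf("DR%d armed: addr=0x%llx type=%s len=%u\n", found[i].slot,
               (unsigned long long)found[i].addr, rw_name(found[i].rw),
               found[i].len);
    return n ? 1 : 0;
}
```
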
06-04-2009
Well then. Screw that plan. How does warden actually detect speedhacks now? I figured they just checked for API hooks. Do they send data to do movement prediction to the client and have it send back a result?
06-04-2009
Quote:
Originally Posted by lanman92
Well then. Screw that plan. How does warden actually detect speedhacks now? I figured they just checked for API hooks. Do they send data to do movement prediction to the client and have it send back a result?

They harness the power of sunspots to produce cognitive radiation. Warden is actually skynet. Don't hook it or it will become self-aware and take over the world.
06-04-2009
.............................Okay?
I know where the load function is for warden, but it's going to suck hooking it. Gonna say good-bye to return value hi-jacking...
Last edited by lanman92; 06-04-2009 at 01:24 AM.