
TOM_RUS

  1. http://www.ownedcore.com/forums/world-of-warcraft/world-of-warcraft-bots-programs/wow-memory-editing/285075-collection-wow-binaries-release-ptr-5.html#post2067796
  2. Those are actually structs generated by my IDA script from the leaked internal Cataclysm alpha build WoW [Release Assertions Enabled] Build 11792 (Apr 1 2010) (as you can see, it was built even before 3.3.5). There are small differences between structs in 11792 and 12340, but mostly they are the same.
  3. Have you modified the 0x03 warden packet for 2.4.3? It's a required step...
  4. Blizzard doesn't have to run the whole module on the server, they only need a single function to generate RC4 encryption seeds and they can compile this function for any platform they want...
  5. It is client locale dependent:
     for enUS/esMX(?) clients use: http://launcher.worldofwarcraft.com/alert
     and for European clients (notice the additional folder for locale):
       enGB: http://status.wow-europe.com/en/alert
       deDE: http://status.wow-europe.com/de/alert
       frFR: http://status.wow-europe.com/fr/alert
       esES: http://status.wow-europe.com/es/alert
       ruRU: http://status.wow-europe.com/ru/alert
  6. That's weird, because header looks correct... http://paste2.org/p/1478703
  7. Yeah, I've re-uploaded the 20110427 file and it should be available using the old link.
  8. I've added some test code for Mac, but:
     - Warden on Mac doesn't support any scanning.
     - I can't test anything, because I don't have a Mac.
     - Mac related code is not activated.
  9. It scans the whole virtual memory, not just exe and dll's. This way you can detect some third party code caves allocated in the game process, for example. There's also a difference between PAGE_CHECK_A and PAGE_CHECK_B: type A scans all memory pages, while B only scans pages that start with MZ+PE headers (dll's).

     Server:
       PAGE_CHECK
       Hashing bytes: 00B00000355B000000A0
       Sending packet 02, size 33:
       Data:
         02                                        opcode
         00                                        strings
         B2                                        PAGE_CHECK_A
         19E8E264                                  seed
         7DAE3A9E2EFC509E0086F32C8F19CDC4FB2DC3BF  hash
         00000000                                  offset
         0A                                        size
         00                                        xor

     Client:
       Handled: 33
       VirtualQuery(0x00010000) = 0x0000001C
       VirtualQuery(0x00020000) = 0x0000001C
       VirtualQuery(0x00030000) = 0x0000001C
       VirtualQuery(0x00040000) = 0x0000001C
       VirtualQuery(0x00050000) = 0x0000001C
       VirtualQuery(0x00060000) = 0x0000001C
       VirtualQuery(0x00070000) = 0x0000001C
       VirtualQuery(0x00080000) = 0x0000001C
       VirtualQuery(0x00090000) = 0x0000001C
       VirtualQuery(0x00100000) = 0x0000001C
       VirtualQuery(0x00110000) = 0x0000001C
       VirtualQuery(0x00120000) = 0x0000001C
       VirtualQuery(0x00130000) = 0x0000001C
       VirtualQuery(0x00140000) = 0x0000001C
       VirtualQuery(0x00170000) = 0x0000001C
       VirtualQuery(0x00180000) = 0x0000001C
       VirtualQuery(0x00190000) = 0x0000001C
       VirtualQuery(0x001A0000) = 0x0000001C
       VirtualQuery(0x001B0000) = 0x0000001C
       VirtualQuery(0x001C0000) = 0x0000001C
       VirtualQuery(0x001D0000) = 0x0000001C
       VirtualQuery(0x001E0000) = 0x0000001C
       VirtualQuery(0x001F0000) = 0x0000001C
       VirtualQuery(0x00227000) = 0x0000001C
       VirtualQuery(0x00229000) = 0x0000001C
       VirtualQuery(0x00230000) = 0x0000001C
       VirtualQuery(0x00269000) = 0x0000001C
       VirtualQuery(0x0026C000) = 0x0000001C
       VirtualQuery(0x00270000) = 0x0000001C
       VirtualQuery(0x00280000) = 0x0000001C
       VirtualQuery(0x00290000) = 0x0000001C
       VirtualQuery(0x002A0000) = 0x0000001C
       VirtualQuery(0x002D0000) = 0x0000001C
       VirtualQuery(0x002E0000) = 0x0000001C
       VirtualQuery(0x002E1000) = 0x0000001C
       VirtualQuery(0x003D6000) = 0x0000001C
       VirtualQuery(0x003D8000) = 0x0000001C
       VirtualQuery(0x003E0000) = 0x0000001C
       VirtualQuery(0x003F0000) = 0x0000001C
       VirtualQuery(0x00400000) = 0x0000001C
       VirtualQuery(0x00410000) = 0x0000001C
       VirtualQuery(0x00449000) = 0x0000001C
       VirtualQuery(0x0044C000) = 0x0000001C
       VirtualQuery(0x00450000) = 0x0000001C
       VirtualQuery(0x00460000) = 0x0000001C
       VirtualQuery(0x00470000) = 0x0000001C
       VirtualQuery(0x00480000) = 0x0000001C
       VirtualQuery(0x00490000) = 0x0000001C
       VirtualQuery(0x004C9000) = 0x0000001C
       VirtualQuery(0x004CC000) = 0x0000001C
       VirtualQuery(0x004D0000) = 0x0000001C
       VirtualQuery(0x004E0000) = 0x0000001C
       VirtualQuery(0x004F0000) = 0x0000001C
       Data(0x008EE1CC, 0x00000008) =
         02        opcode
         0100      size
         D6097373  checksum
         4A        result = cheat found
  10. Dear TOM_RUS if you're interested, please tell where you can send the cheats that do not catch warden. To pm on here you do not answer

      I'm not interested in cheats analysis. It may take a lot of time. I have different things to do... Detection of memory writes to dynamic player structures is possible, but it's not implemented.
  11. You can create new signatures, but you need to analyze how that cheat works (writing memory at some address, injecting dll etc) first...
  12. That explains a lot of things. If I put timeout kicks under effect of kick config, can it result any error? One more short notice, logging is a bit too detailed, I should have to buy a new hdd after a week of usage

      I've fixed the bug with timeout kicks ignoring config. You can comment out some of the logging if you don't need it... It's there mostly for debugging purposes.
  13. Even if there are any disconnection issues, it's not caused by Windows firewall... I never had any random disconnects. Also, the kick option is ignored at client response timeout, so it may disconnect a client that has not sent a warden response in the given time (1.5 minutes).
  14. (403, 243, '', '', 4609675, 5, '5E5DC20800', NULL),
      this address is in the code section and can't be modified without third-party programs

        .text:0046568B 5E                pop     esi
        .text:0046568C 5D                pop     ebp
        .text:0046568D C2 08 00          retn    8

      (438, 243, '', '', 11287980, 8, '04000000903C9F00', NULL)
      this address is in the data section and has the default value: FFFFFFFF903C9F00

        .data:00AC3DAC FF FF FF FF       dword_AC3DAC dd 0FFFFFFFFh ; DATA XREF: sub_4D80C0+5r
        .data:00AC3DB0 90 3C 9F 00       dd offset aCharacterattac ; "CharacterAttachment"

      There are 2 legit memory writes in the client that may change the first 4 bytes (FFFFFFFF) at this address. So it indeed may fail on the server side.

        .text:004D80E2 A3 AC 3D AC 00    mov     dword_AC3DAC, eax // eax value may vary based on login state (0...17)
        .text:004D8AA5 89 0D AC 3D AC+   mov     dword_AC3DAC, ecx // ecx = -1

      Mac clients are not supported, and probably never will be, because I need physical access to a MacBook, which I don't have.