Hi,
I've been digging into Warden behaviour on 3.3.5a recently while working on some tooling, and ended up writing a small external scanner to watch what the anti-cheat is doing.
The tool doesn't inject or hook anything inside the client. It just opens the process and monitors memory/state to see how Warden behaves during runtime.
In passive mode it tracks things like RWX pages, hidden modules, Warden state, handler integrity, etc. It also reads the session key from the connection structure and derives the RC4 keys used for Warden traffic.
There's also an optional HWBP mode (requires admin) that attaches as a debugger and sets hardware breakpoints on a few Warden functions. That lets you catch module loads, ARC4 init, handler registration and raw scan batches, which the tool can then decode (MemCheck, ModuleCheck, LuaStrCheck, etc).
UI is just a small WPF dashboard with logs and decoded scan info. Nothing fancy but it does the job.
I mainly built this while researching Warden behaviour on private servers, but maybe it can be useful to others doing similar work.
Source:
GitHub - Likon69/WardenScanner
Credits:
--DarkLinux
--Makkah (Warden-Export)
--OwnedCore community
--Warden RC4 key derivation seeds: TrinityCore WardenWin.cpp