private static void DisableWarden(IntPtr parWardenPtr1) { //var second = Memory.Reader.Read<IntPtr>(parWardenPtr1); var wardenModuleStart = parWardenPtr1.ReadAs <IntPtr>(); var memScanPtr = IntPtr.Add(wardenModuleStart, (int)Ptr.Warden.WardenMemScanStart); var pageScanPtr = IntPtr.Add(wardenModuleStart, (int)Ptr.Warden.WardenPageScan); Console.WriteLine(pageScanPtr.ToString("X")); if (pageScanPtr != WardensPageScanFuncPtr) { var CurrentBytes = Memory.Reader.ReadBytes(pageScanPtr, 5); //var CurrrentBytes = (tmpPtr).ReadAs<Byte>(); //How do I read 5 bytes? var isEqual = CurrentBytes.SequenceEqual(PageScanOriginalBytes); if (!isEqual) { return; } if (AddrToWardenPageScan == IntPtr.Zero) { _wardenPageScanDelegate = WardenPageScanHook; AddrToWardenPageScan = Marshal.GetFunctionPointerForDelegate(_wardenPageScanDelegate); if (WardenPageScanDetourPtr == IntPtr.Zero) { // IntPtr readBase, int readOffset, IntPtr writeTo string[] asmCode = { SendOvers.WardenPageScanDetour[0], SendOvers.WardenPageScanDetour[1], SendOvers.WardenPageScanDetour[2], SendOvers.WardenPageScanDetour[3], SendOvers.WardenPageScanDetour[4], SendOvers.WardenPageScanDetour[5], SendOvers.WardenPageScanDetour[6], SendOvers.WardenPageScanDetour[7], SendOvers.WardenPageScanDetour[8], SendOvers.WardenPageScanDetour[9].Replace("[|addr|]", ((uint)AddrToWardenPageScan).ToString()), SendOvers.WardenPageScanDetour[10], SendOvers.WardenPageScanDetour[11], SendOvers.WardenPageScanDetour[12], SendOvers.WardenPageScanDetour[13].Replace("[|addr|]",((uint)wardenModuleStart + 0x2B2C).ToString()) }; WardenPageScanDetourPtr = Memory.InjectAsm(asmCode, "WardenPageScanDetour"); } } Memory.InjectAsm((uint)pageScanPtr, "jmp 0x" + WardenPageScanDetourPtr.ToString("X"), "WardenPageScanJmp"); WardensPageScanFuncPtr = pageScanPtr; } if (memScanPtr != WardensMemScanFuncPtr) { var CurrentBytes = Memory.Reader.ReadBytes(memScanPtr, 5); //var CurrrentBytes = (tmpPtr).ReadAs<Byte>(); //How do I read 5 bytes? var isEqual = CurrentBytes.SequenceEqual(MemScanOriginalBytes); if (!isEqual) { return; } if (AddrToWardenMemCpy == IntPtr.Zero) { _wardenMemCpyDelegate = WardenMemCpyHook; AddrToWardenMemCpy = Marshal.GetFunctionPointerForDelegate(_wardenMemCpyDelegate); if (WardenMemCpyDetourPtr == IntPtr.Zero) { string[] asmCodeOnline = { SendOvers.WardenMemCpyDetour[0], SendOvers.WardenMemCpyDetour[1], SendOvers.WardenMemCpyDetour[2], SendOvers.WardenMemCpyDetour[3], SendOvers.WardenMemCpyDetour[4], SendOvers.WardenMemCpyDetour[5], SendOvers.WardenMemCpyDetour[6], SendOvers.WardenMemCpyDetour[7], SendOvers.WardenMemCpyDetour[8], SendOvers.WardenMemCpyDetour[9], SendOvers.WardenMemCpyDetour[10], SendOvers.WardenMemCpyDetour[11], SendOvers.WardenMemCpyDetour[12], SendOvers.WardenMemCpyDetour[13].Replace("[|addr|]","0x" + ((uint)AddrToWardenMemCpy).ToString("X")), SendOvers.WardenMemCpyDetour[14], SendOvers.WardenMemCpyDetour[15], SendOvers.WardenMemCpyDetour[16], SendOvers.WardenMemCpyDetour[17], SendOvers.WardenMemCpyDetour[18].Replace("[|addr|]","0x" + ((uint)(memScanPtr + 0x24)).ToString("X")) }; WardenMemCpyDetourPtr = Memory.InjectAsm(asmCodeOnline, "WardenMemCpyDetour"); } } Memory.InjectAsm((uint)memScanPtr, "jmp 0x" + WardenMemCpyDetourPtr.ToString("X"), "WardenMemCpyJmp"); WardensMemScanFuncPtr = memScanPtr; } }
private static void DisableWarden(IntPtr parWardenPtr1) { //var second = Memory.Reader.Read<IntPtr>(parWardenPtr1); var wardenModuleStart = parWardenPtr1.ReadAs <IntPtr>(); var memScanPtr = IntPtr.Add(wardenModuleStart, (int)Ptr.Warden.WardenMemScanStart); var pageScanPtr = IntPtr.Add(wardenModuleStart, (int)Ptr.Warden.WardenPageScan); Console.WriteLine(pageScanPtr.ToString("X")); if (pageScanPtr != WardensPageScanFuncPtr) { var CurrentBytes = Memory.Reader.ReadBytes(pageScanPtr, 5); //var CurrrentBytes = (tmpPtr).ReadAs<Byte>(); //How do I read 5 bytes? var isEqual = CurrentBytes.SequenceEqual(PageScanOriginalBytes); if (!isEqual) { return; } if (AddrToWardenPageScan == IntPtr.Zero) { _wardenPageScanDelegate = WardenPageScanHook; AddrToWardenPageScan = Marshal.GetFunctionPointerForDelegate(_wardenPageScanDelegate); if (WardenPageScanDetourPtr == IntPtr.Zero) { // IntPtr readBase, int readOffset, IntPtr writeTo string[] asmCode = { "mov eax, [ebp+8]", "pushfd", "pushad", "mov ecx, esi", "add ecx, edi", "add ecx, 0x1C", "push ecx", "push edi", "push eax", "call " + (uint)AddrToWardenPageScan, "popad", "popfd", "inc edi", "jmp " + ((uint)wardenModuleStart + 0x2B2C) }; WardenPageScanDetourPtr = Memory.InjectAsm(asmCode, "WardenPageScanDetour"); } } Memory.InjectAsm((uint)pageScanPtr, "jmp 0x" + WardenPageScanDetourPtr.ToString("X"), "WardenPageScanJmp"); WardensPageScanFuncPtr = pageScanPtr; } if (memScanPtr != WardensMemScanFuncPtr) { var CurrentBytes = Memory.Reader.ReadBytes(memScanPtr, 5); //var CurrrentBytes = (tmpPtr).ReadAs<Byte>(); //How do I read 5 bytes? var isEqual = CurrentBytes.SequenceEqual(MemScanOriginalBytes); if (!isEqual) { return; } if (AddrToWardenMemCpy == IntPtr.Zero) { _wardenMemCpyDelegate = WardenMemCpyHook; AddrToWardenMemCpy = Marshal.GetFunctionPointerForDelegate(_wardenMemCpyDelegate); if (WardenMemCpyDetourPtr == IntPtr.Zero) { string[] asmCodeOnline = { "PUSH ESI", "PUSH EDI", "CLD", "MOV EDX, [ESP+20]", "MOV ESI, [ESP+16]", "MOV EAX, [ESP+12]", "MOV ECX, EDX", "MOV EDI, EAX", "pushfd", "pushad", "PUSH EDI", "PUSH ECX", "PUSH ESI", "call " + "0x" + ((uint)AddrToWardenMemCpy).ToString("X"), "popad", "popfd", "POP EDI", "POP ESI", "jmp " + "0x" + ((uint)(memScanPtr + 0x24)).ToString("X") }; WardenMemCpyDetourPtr = Memory.InjectAsm(asmCodeOnline, "WardenMemCpyDetour"); } } Memory.InjectAsm((uint)memScanPtr, "jmp 0x" + WardenMemCpyDetourPtr.ToString("X"), "WardenMemCpyJmp"); WardensMemScanFuncPtr = memScanPtr; } }