
Warden


Replies: 125

This has to be one of the most interesting pieces of code I've seen in a while. If I had the C++ experience, I'd help, but my knowledge is limited. I hope someone picks this up, because this is the ideal solution compared to all the other anti-cheats out there.

Yeah, in my opinion if this is truly almost Warden that can stop exploiters, it should be finished and implemented someday.


  • 3 weeks later...

This does look promising. As for knowing what the 0x02 scan is supposed to return, is the purpose of this not to look for modifications to specific addresses that cheat engines hook (in which case you just need a list of the hacks you want to look for, the memory they edit, and what you expect to find at that address), rather than picking random locations and comparing them to your 'duplicate of the entirety of WoW's memory'?


This does look promising. As for knowing what the 0x02 scan is supposed to return, is the purpose of this not to look for modifications to specific addresses that cheat engines hook (in which case you just need a list of the hacks you want to look for, the memory they edit, and what you expect to find at that address), rather than picking random locations and comparing them to your 'duplicate of the entirety of WoW's memory'?
Seriously, nobody else has even touched this?

I have an updated version which is more efficient, but the bulk of everything is still the same.

Anyways, there's a bit of a battle that goes on here: we have cheats, and a way to detect them, but the cheaters also know that detection method, so the thing we need to do is just make life difficult for the cheaters to deal with. I've done this quite well by allowing non-signed modules to be run. Well, I updated it last month to only allow MY signed modules to be run <3

Anyways, someone do some research into where WoW stores its Mediv module, and it should be a cinch to replace it with your own.

I've got no plans to publicly dev this anymore, but I urge others to work on it, seriously, the hard parts are already done!


Today I finally managed to make my sniffer decrypt warden packets properly. There are 3 sessions logged (only warden packets):

http://paste2.org/p/454231

http://paste2.org/p/454237

http://paste2.org/p/454240

Very nice. It's been confirmed, as I always suspected: the initial field in 0x02 is not libraries, it's just strings.

So you got a C# version of module prepping/loading/running done?

That's rather interesting. I haven't dealt much with C#, but others that I know that have are always bitching how difficult it is to run non-managed code from it.

I'd be interested in seeing how you've done it.

Also, do you know ASM? I still want to have someone figure out the other opcodes (and preferably a more reliable way to determine them u.u)


  • 2 weeks later...
Very nice. It's been confirmed, as I always suspected: the initial field in 0x02 is not libraries, it's just strings.

So you got a C# version of module prepping/loading/running done?

That's rather interesting. I haven't dealt much with C#, but others that I know that have are always bitching how difficult it is to run non-managed code from it.

I'd be interested in seeing how you've done it.

Also, do you know ASM? I still want to have someone figure out the other opcodes (and preferably a more reliable way to determine them u.u)

It's not fully in C#. I wrote a C++ DLL that deals with warden modules and then I just get pointers to the RC4 keys and read them (pinvoke)...

Edit: I have ported my C++ code to C# completely.

Small research on warden packets: http://paste2.org/p/471651

And whole session with this module: http://paste2.org/p/471660

And some parsed output: http://paste2.org/p/472958


Small research on warden packets: http://paste2.org/p/471651

And whole session with this module: http://paste2.org/p/471660

And some parsed output: http://paste2.org/p/472958

Is your Packet Logger Open source?

I'd like to see it, see what you've done.

I am really interested in seeing how you split up the requests and extract the proper check IDs.

====== UNK2_CHECK START ======

checkType 5D (A6)

Unk bytes: 0x69EC659067021B7FAF4541F6329B809950252859DFF590B6

Unk string: Afd32uu

====== UNK2_CHECK END ======

Also, could that not be a SHA1 hash and Seed?

Could it not SHA1 that file and compare it to the SHA1 hash? To test this you would need to find the cheat that modifies that file, and a copy of that file, do some SHA1ing to it and see how things go :P

It would make sense because it has the same response as a PAGE_CHECK. BTW, 0xE9 is the current 'No' response, i.e. "No, it was not found" or "No, it was not a match".

====== UNK_CHECK result ======

UNK_CHECK result: 0x01

UNK_CHECK value: 0x1BF697FE

====== UNK_CHECK result END ======

This looks something like:

Did it work? Yes/No

Result: DWORD

Possibly CRC32?

Have you tried scanning WoW's memory for FE 97 F6 1B? It may be a constant that Warden is looking for.

254.151.246.27 or 27.246.151.254, do those IPs look familiar?

Sadly I am missing a lot of Warden modules. If you'd be so kind as to save/upload them to my site I would <3 you.

Anyways, I like the fact that you have been working on this, I'd like to work with you more.


Is your Packet Logger Open source?

I'd like to see it, see what you've done.

I am really interested in seeing how you split up the requests and extract the proper check IDs.

No, it's not open source.

To parse checks I manually find them first, add them to the parser and then parse the log.

P.S. Two more parsed sniffs: http://paste2.org/p/474078, http://paste2.org/p/474089

The parser is here: http://code.google.com/p/mywowtools/source/browse/trunk/WoWPacketViewer/WoWPacketViewer/Parsers/WardenParser.cs?spec=svn137&r=137#, nothing interesting really.


No, it's not open source.

To parse checks I manually find them first, add them to the parser and then parse the log.

P.S. Two more parsed sniffs: http://paste2.org/p/474078, http://paste2.org/p/474089

The parser is here: http://code.google.com/p/mywowtools/source/browse/trunk/WoWPacketViewer/WoWPacketViewer/Parsers/WardenParser.cs?spec=svn137&r=137#, nothing interesting really.

Oh, you're manually parsing check IDs. Ouch. But it looks sexy.

Just a suggestion, I'd say do ID checks vs. the post-XORed value. Just in case they ever bother to change it during a single connection.

So that you can parse multiple connections using the same module, because they choose a seemingly random XOR byte during each connection.

But this is cool, how exactly are you determining what each check does? Just guessing, watching the module run, or do you have the modules loaded up in IDA?

Any way I could get you to upload the binary packet logs? At least the Warden packets. I'd like to do some work with the modules you are working with. (yes I *could* parse your text logs but... :*( )


Oh, you're manually parsing check IDs. Ouch. But it looks sexy.

I just added interactive debugging to the warden parser, so you don't have to recompile it anymore.

Just a suggestion, I'd say do ID checks vs. the post-XORed value. Just in case they ever bother to change it during a single connection. So that you can parse multiple connections using the same module, because they choose a seemingly random XOR byte during each connection.

I just realized that the XOR byte changes each session. Let's see what I can do...

But this is cool, how exactly are you determining what each check does? Just guessing, watching the module run, or do you have the modules loaded up in IDA?

Ralek did some reversing using IDA.

Any way I could get you to upload the binary packet logs? At least the Warden packets. I'd like to do some work with the modules you are working with. (yes I *could* parse your text logs but... :*( )

Can't separate warden packets from the rest of the packets right now (because I'm lazy).


I just realized that the XOR byte changes each session. Let's see what I can do...
Fairly easy, just change your hard-coded values :P
Ralek did some reversing using IDA.
Any way I can get a hold of him? I'd like to see if we can find a way of programmatically extracting the Check IDs. I'm fairly sure it'd be simple; I haven't looked at a module in IDA for a while, but if they use a switch() then it's just a jump table.

Anyways, I'd also like to figure out exactly what opcode 0x03 does.

As for the MPQ checks, that's a simple SHA1() of the file.

GetTickCount is kinda interesting, not sure why they would care about that... except it's used as a seed in a few of their encryptions, but beyond that it's not important.

I'd also be really interested in seeing if we could programmatically extract the Yes/No values used in the response (0xE9).


Fairly easy, just change your hard-coded values :P

As I said, there are no more hard-coded values, I added interactive debugging.

I'm fairly sure it'd be simple; I haven't looked at a module in IDA for a while, but if they use a switch() then it's just a jump table.

In some modules it's a switch, and in some it's not.

Anyways, I'd also like to figure out exactly what opcode 0x03 does.

Initializes file reading functions (open/getsize/read/close). May be something more... http://paste2.org/p/473332


As I said, there are no more hard-coded values, I added interactive debugging.
Oh ya, duh, overlooked that. Sounds good.
In some modules it's a switch, and in some it's not.
Oh ya, I remember that, probably what skunked me out last time I had them open. I haven't actually opened Warden in IDA in months. If I remember correctly, they did like they did with Lockdown: compiled 2 versions (in Warden's case I think it was 8 versions) that did exactly the same thing in different ways, e.g. some used switch(), some used if()..else if(), others used pass-through functions, etc. It's rather annoying.
Initializes file reading functions (open/getsize/read/close). May be something more... http://paste2.org/p/473332
Interesting. Never bothered to check out what this did (as it's not used on Bnet); pretty cool that it actually allows for multiple commands per packet. Though your notes appear to be wrong.

What are these Library Index/String Lib? I don't see it passing any strings around. Does the module store a static array of strings like that? Or are those PStrings like in 0x02? (byte) len (void) str

But ya, it has no response, so from a necessity point of view it's not important, but it's rather interesting.

Have you taken a look at what is at the last 2 addresses?

May simply be overwriting the function pointers.

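As an added example (not code from the thread or from the WardenParser linked above), here is a small Python walk-through of the formats the last few posts discuss: the leading PString table ((byte) len + str), the per-session XOR byte applied to the check type IDs, and the little-endian DWORD in the UNK_CHECK result (0x1BF697FE on the wire as FE 97 F6 1B). The string contents, the zero-length table terminator and the end-of-list marker are assumptions; only the 0x5D check layout visible in the parsed output (24 unknown bytes followed by a PString) is modelled.

```python
import struct

# Constructed sample values (not captured traffic). The XOR byte follows from
# the thread's parsed output "checkType 5D (A6)": raw 0xA6 ^ 0xFB == 0x5D.
XOR_BYTE = 0x5D ^ 0xA6  # == 0xFB, differs per session

def parse_pstring_table(buf, pos=0):
    """Read the leading table of (byte len)(bytes) strings.
    Assumption: the table ends with a zero length byte."""
    strings = []
    while buf[pos] != 0:
        n = buf[pos]
        strings.append(buf[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return strings, pos + 1

def parse_request(buf, xor_byte):
    """String table, then checks whose type byte is XORed with xor_byte.
    Only the 0x5D layout shown in the thread (24 unknown bytes + a pstring)
    is modelled; assumption: the list ends when the decoded type is 0x00."""
    strings, pos = parse_pstring_table(buf)
    checks = []
    while pos < len(buf):
        ctype = buf[pos] ^ xor_byte
        pos += 1
        if ctype == 0:
            break
        if ctype != 0x5D:
            raise ValueError(f"unknown check type 0x{ctype:02X} at {pos - 1}")
        unk = buf[pos:pos + 24]
        n = buf[pos + 24]
        text = buf[pos + 25:pos + 25 + n].decode("ascii")
        pos += 25 + n
        checks.append((ctype, unk.hex().upper(), text))
    return strings, checks

def parse_unk_result(buf):
    """Result byte followed by a little-endian DWORD (UNK_CHECK in the thread)."""
    return struct.unpack_from("<BI", buf, 0)

# Constructed request: two strings, one 0x5D check, then the terminator.
UNK = bytes.fromhex("69EC659067021B7FAF4541F6329B809950252859DFF590B6")
REQUEST = (b"\x0ckernel32.dll" + b"\x0cGetTickCount" + b"\x00"
           + bytes([0x5D ^ XOR_BYTE]) + UNK + b"\x07Afd32uu"
           + bytes([XOR_BYTE]))
# Constructed response: result 0x01, then 0x1BF697FE on the wire as FE 97 F6 1B.
RESPONSE = bytes.fromhex("01FE97F61B")
```

Comparing check IDs after the XOR, as suggested above, is what lets the same table of known types work across sessions that use different XOR bytes.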

The last few days I was trying to implant this warden code into mangos. I had a hard time clearing out the compilation errors; the hardest error to clear was the linking error, and it took me a lot of time to find out that I should remove #define ZLIB_DLL from module.h :D The other errors were easier to remove. I may have implanted it incorrectly and that causes the errors. So I finally start the server, but it crashes instantly as someone tries to log in :) I attached the debugger and it looks like it crashes somewhere around:

   instance->module          = memalloc(ctx->modules->size);

Guess because ctx->modules->size is not initialized but used? Prints size: 0 every time. It's really the last time I try to implant someone else's code into mangos. Has anyone else tried to do it?


I got a question...

What exactly is sent in SMSG_WARDEN_DATA 0x00? I send the client 0x00, MD5, Seed but they don't seem to reply back.

The last few days I was trying to implant this warden code into mangos. I had a hard time clearing out the compilation errors; the hardest error to clear was the linking error, and it took me a lot of time to find out that I should remove #define ZLIB_DLL from module.h :D The other errors were easier to remove. I may have implanted it incorrectly and that causes the errors. So I finally start the server, but it crashes instantly as someone tries to log in :) I attached the debugger and it looks like it crashes somewhere around:

   instance->module          = memalloc(ctx->modules->size);

Guess because ctx->modules->size is not initialized but used? Prints size: 0 every time. It's really the last time I try to implant someone else's code into mangos. Has anyone else tried to do it?

I tried


I got a question...

What exactly is sent in SMSG_WARDEN_DATA 0x00? I send the client 0x00, MD5, Seed but they don't seem to reply back.

I tried

I think it's the opcode. For example, you send SMSG_CONTACT_LIST, and the client responds with CMSG_CONTACT_LIST, but when you send SMSG_WARDEN_DATA it doesn't respond because the client doesn't have the module?


I think it's the opcode. For example, you send SMSG_CONTACT_LIST, and the client responds with CMSG_CONTACT_LIST, but when you send SMSG_WARDEN_DATA it doesn't respond because the client doesn't have the module?

But if it does not have the module it would return a CMSG_WARDEN_DATA with a 0 ... But I don't get it at all.


Have you figured out a way to calculate the new keys after the 0x05 packet instead of loading the module and letting it do the dirty job?

I do know that every module has a different MD5 function, but still, there has to be a pattern between them all. I've tried reversing the MD5 function of a module, but haven't gotten it to calculate either the new keys or the return hash correctly.

Afaik the module first hashes the "seed" with its own MD5 function, and then creates a new hash from that one with the same MD5 function. Then it SHA1-hashes the first one and that one is supposed to be the return hash. And it then takes the two MD5 hashes generated in the beginning into RC4_Init and generates the new keys. Is this correct? :P


This topic is now closed to further replies.