Warden - The definitive anti-cheat system

[Auntie Mangos]

hi cant patch please help me. i'm noob

Read the source code management section. It contains guides for patching, merging, etc. freghar has collected and written quite a few very good ones.

[Auntie Mangos]

I've created a branch on github, which contains very simple warden implementation for mangos (unrelated to Neo2003 implementation) developed by zhenya and me in March, 2010. It uses only one module and can run on any platform.

[Auntie Mangos]

Hehe, I thought that someone make integration with the server immediately

warden with server integration imho is better solution than daemon with connect and network problems

Well, if TOM_RUS officially posted this work, I can discover that was explored me) i can explain work of any cheat and detect memory address and actions which used by cheat

I make warden 8 month ago with this theme - http://getmangos.eu/community/topic/8866/warden/ - this is partly manual warden work + very good sniffs

PROC_CHECK not implemented though (i'm not even sure that it useful for something)

I see one check in your sniffs

====== PROC_CHECK START ======
CheckType 8A (54)
Seed: 0xB8E64FC2
SHA1: 0x0E2E61748604BB170347570DBA9CF0332667C8E2
Module: user32.dll
Proc: GetCursorPos
Address: 0x00046BB0
Bytes to read: 60
====== PROC_CHECK END ======

I think that blizz not used this check currently

[Auntie Mangos]

Xfurry: http://getmangos.eu/community/post/134520/#p134520

[Auntie Mangos]

@lillecarl: I replied to you time ago in this topic when you asked for linux warden, but it took you several days to reply again and probably you didn't see my answer.

http://getmangos.eu/community/post/136559/#p136559

[Auntie Mangos]

@lillecarl: I replied to you time ago in this topic when you asked for linux warden, but it took you several days to reply again and probably you didn't see my answer.

http://getmangos.eu/community/post/136559/#p136559

I saw now, so there are more then one warden branch? I personally think it would be better to have warden in the mangosd but who knows

- LilleCarl

[Neo2003]

Hello,

Here is a patch to have warden managed by MaNGOS rev 11289.

About the patch

In game project I added WardenMgr.cpp and WardenMgr.h. This Warden Manager is doing everything for client<->mangosd communication, including encrypting/decrypting packets.

I store the two 2048bits rc4 keys in the WorldSession + a shortTimer to manage the timings between cheat checks and to be able to timeout a not responding client and kick it.

That is mostly what this manager does for client, it does not manage any module nor have any storage requirement. however, it has a communication part to exchange information with a Warden Daemon.

Warden Daemon is a Win32 VC project only because it will load modules that are Win32 code.

This Daemon waits for mangosd connection and then is using his own protocol to discuss with mangosd.

This daemon loads the modules and checks information from the realm DB; it loads modules code, generates the keys, build cheat checks and validate them.

This Daemon is loading each module only for about 1 second in order to have the keys and seed then unload it. I did set it arbitrary to handle a maximum of 20 modules at the same time, meaning client connection rate at 20 clients/second. if 20 modules are already loaded and if it gets a new request, it will simply delay it by 5 seconds.

Warden

Each client is assigned a module randomly (from the 71 I have), then it will keep the same module for the full day. If the client is disconnecting and come back the same day, the same module is reused. If he come back another day, he will get a new one. A module is never changed during a session, whatever the length of the session is. Each time the same user connect the same day, keys will change each time.

For the cheat checks, the daemon build the list based on what is in the DB.

All checks are working: timing, page, drivers, memory, mpq and lua. Checks are done a the rate 6 to 9 checks every 30sec-1minute approximately. A new cheat check set is sent 15 to 25 seconds after the last reply from client, and the client can take up to 1 minute to reply.

Timing are not validated because I don't know how to compute the client tick count from the server. I simply accept any value.

Memory check are not validated too (so I accept anything) because what the client returns seams to differ from what I got in past.

Client is kicked if it did not load the module after the module has been sent.

The client is banned for 24H if it failed a cheat check (I only kick it for the moment).

Installation:

This patch is very light on mangos, so it will apply properly on any rev. But only 3.x ones since 2.x and 1.x warden system was different.

- Apply the patch and compile mangos as always, I tested Win32, Winx64 and Linux 32.

- Compile wardend with your favorite VC, I added the 3 solutions in /win for the 3 VCs.

- Configure wardend.conf to have DB information and path to the folder containing the warden folder present in the archive.

- Apply the update sql (sql/update/99999_*.sql) on realm db and apply the content sql which is in the archive

- Start wardend on a windows machine and after that start mangos anywhere, you will have to update mangosd.conf to activate this code and to setup the IP address and port information for wardend. See the end of mangosd.conf.

Warning:

Don't let this warden daemon be accessible from outside, make it listen on the loopback interface if you run it on a windows box connected to internet along with mangosd.

File: 20110326: http://filebeam.com/97478ef0a0133a493ad164fe05f76e43

- Initial published version

File: 20110327 http://filebeam.com/6bf78f32b0beb3dced13cb8be2cdf82d

- fixed memory check code, there was a bug in it

- added proper content for memory check and activated it by default

File: 20110327c http://filebeam.com/16eb3e969b151b74cda28581ad9f8531

- Added OS detection, so you will have to apply 99999_01_realmd_account.sql again due to a new column

As a result, MAC client will not be checked since I don't have any macho module to test

- Fixed wardend crash in case mangosd is stopped and reconnect

- Timing between checks is fixed, checks were sent too often (twice speed)

- Content sql now includes WEH and others, thanks to zhenya``

File: 20110328 http://filebeam.com/4ff191aca8c8405612b6f922b19d7648

- Wardend doesn't crash anymore when you close it when it is still connected to mangosd

- Mangosd can reconnect to wardend if you close it or if it crashes, just wait that mangosd display the deconnection before you start wardend again

In this case, some clients can be kicked because of some problems to synchronize between mangosd and wardend

File 20110331 http://filebeam.com/26a8fff342b2b7d77a6194d4dd646a0e

- Moved most code around.

Wardend is just a process that requires no DB connection and no files except itself and 2 dll. It accepts only 1 command and does not store anything in its memory. It just get a module+seed+sessionKey and return transformed seed+server key+client key

Mangosd now do all the work about negociation and cheat-checks

I added a new option in mangosd.conf: Wardend.ban = 0|1. This sets the Warden Manager to ban account for 24H instead of just kicking at failed check when set to 1. Timeout in replies are still only kicking clients

I removed DB and file path information in wardend.conf

- Wardend is not limited to 1 mangosd connection, it can host many mangosd if needed

- Reconnection code redone to work lot better and even at start if mangosd was started before wardend

- All warden_* tables moved from realm DB to world DB

- warden folder containing modules must be next to dbc/maps/vmaps/mmaps folders

File 20110402 http://filebeam.com/fe266bbfeae7f7b2799a7fab4767e47b

- Prevent crash if warden is disabled in configuration

- Make the core properly connect to wardend if started after

- Added a small delay in main loop to try to get packets fully from wardend

File 20110403 http://filebeam.com/fddc1f2246bc16bc443d6b4ed82c4c05

- Fixed the incomplete packet problem

- Fixed sending several time the same request after wardend reconnection which caused clients kicks

Note: I did forget to update VC80 and VC90 wardend projects. Remove the used BufferedSocket.cpp and .h from the wardend project and re-add the ones in /src/wardend. I will fix in next version where I plan to add some better content.

File 20110404 http://filebeam.com/a6816547bc270668bec43cb9704b3d24

- Fixed memory leak in wardend

- Another Reactor used on Linux, let's hope it's the proper one

- Fixed sql data files

File 20110406 http://filebeam.com/f7e5f956f718991dd371a6007b2c0359

- Timer for wardend communication and timers for the state machine in each session are now all updated with the same source from World::Update()

- Ping timer is now 10 seconds instead of fluctuating between 1 second and 5 seconds

- Warden system base tick interval is now 1 second instead of 500ms

- WardenMgr class is now a friend of WorldSession class, most access methods I did add are now removed

- Warden System automatically disables itself if any table is empty or if no module can be used

- Fixed a possible wrong error message about a memory check when a cheat is detected in other checks

- Don't mark anymore all remaining checks failed once one is failed

- Wardend will timeout any connection where no data has been received for 15 seconds and close it

File 20110427 http://filebeam.com/97dd974c4da5d17513c54ab9a8946f68

- Added an option in mangosd.conf to configure the ban length

- Fixed kick at log-off problem thanks to Vlad852

- Trash any unknown packet from Wardend to prevent freeze like behavior

- Changed the default communication port to 6555

- Adjusted some timers to get less false kicks

Neo2003

[Thyros]

Cool neo, great work!

[darkstalker]

this means server can send and execute arbitrary code on client?

[TOM_RUS]

this means server can send and execute arbitrary code on client?

No. Client won't run random crap. All modules are RSA signed and validated by client.

[zhenya``]

*pkt << uint8(mWardenModuleChecks[md5][WARD_CHECK_TIMING] ^ m_seed1);

its for 3.3.3 ? in 3.3.5a there is no TIMING_CHECK and MPQ.

[iforgotmypassword]

WEH working like without warden

[Neo2003]

*pkt << uint8(mWardenModuleChecks[md5][WARD_CHECK_TIMING] ^ m_seed1);

its for 3.3.3 ? in 3.3.5a there is no TIMING_CHECK and MPQ.

Yes, I know that in 3.3.5 there WERE no time_check, it has been reactivated See src/game/WardenMgr.cpp line 275

It just works fine with 3.3.5 too.

WEH working like without warden

Probably yes, I just provided sample data to put in the DB, and memory check is disabled since the data I gave seams to be wrong.

So I think it's a matter of knowing the memory address that is hook by this tool and, put the unmodified content in warden_check_memory table and activate it in src/wardend/WardenDaemon.cpp line 944 by returning false when the test fails.

[zhenya``]

try 0x71B810 - 10 - 8B81CC07000025000000 in memcheck actual data.

p.s. you did forget about mac users. they have own warden modules this modules were crash macos client.

p.s.s check pm.

[iforgotmypassword]

is it possible to allow worldserver restore connection if connection to wardend was interrupted?

[Neo2003]

Hello, New version posted.

There was a bug in memory check validation code, bad index used. It's now working then I fixed the content sql to have proper data and activated it, so bad memory check by client will make it be kicked.

See first post and get file 20110327.

is it possible to allow worldserver restore connection if connection to wardend was interrupted?

Not yet. for the moment you have to restart mangos. Anyway if wardend crashs, this should not kick clients, this just disables the system.

[iforgotmypassword]

had a crash:

http://paste2.org/p/1327653

can't start wardend if in debug build, sorry

this happens when mangos lost connection to wardend, but client still connected

[iforgotmypassword]

okay, got it:

http://paste2.org/p/1327723

Crash at:

uint8 m_seed1 = mWardenClientSeed[accountId];

--> DEBUG_LOG("Seed byte: 0x%02X, end byte: 0x%02X", m_seed1, mWardenModuleChecks[md5][WARD_CHECK_END]);

to reproduce:

- start wardend

- start mangosd

- enter world

- shutdown mangosd

- start mangosd

[Neo2003]

New file: 20110327c

This crash fixed + more, see first post.

[tyrael]

so let me understand...

no more speed hack, climb hack, fly hack, teleport hack, dupe item hack, etc?

[iforgotmypassword]

Neo2003, we need an ability to setup chances for each check defined in database

because with current count of memory checks warden needs about 30 minutes to detect weh (weh is mostly used cheating tool)

currently we have a curious situation: the more we have checks, the less we get chances to detect cheats.

[Neo2003]

Hello,

On top of WardenDeamon.h in src/wardend/ you have the chance of the checks.

// Definition of ratio of check types (based on a long session of 1162 checks)
// They are cumulative, meaning that I add the %age to the previous one
#define WCHECK_PAGE1_RATIO  36.5f   // 36.5
#define WCHECK_PAGE2_RATIO  73.0f   // 36.5
#define WCHECK_MEMORY_RATIO 94.0f   // 21.0
#define WCHECK_DRIVER_RATIO 97.4f   // 03.4
#define WCHECK_FILE_RATIO   98.7f   // 01.3
#define WCHECK_LUA_RATIO   100.0f   // 01.3

For example put PAGE1 and PAGE2 to 15% each so MEMORY will be 64% instead of 21%:

#define WCHECK_PAGE1_RATIO  15.0f   // 15.0%
#define WCHECK_PAGE2_RATIO  30.0f   // 15.0%
#define WCHECK_MEMORY_RATIO 94.0f   // 64.0%
#define WCHECK_DRIVER_RATIO 97.4f   // 03.4%
#define WCHECK_FILE_RATIO   98.7f   // 01.3%
#define WCHECK_LUA_RATIO   100.0f   // 01.3

Have fun

[iforgotmypassword]

no, I mean that entries in database must have different chances to execute

[thekliver]

Only left fix and port to Linux.

Its great!

[TOM_RUS]

port to Linux.

Will never happen.