Warden - The definitive anti-cheat system


I spent 2 days checking everything. I will leave this ACE problem to an ACE expert; I cannot debug this ____ myself.

I think the best reactor to use on Linux is the default one: ACE_Select_Reactor; then we don't even need any #ifdef. On Windows there is no problem, the "WFMO" one works fine on Windows, while the "Select" one on Linux fails in run_reactor_event_loop().

I tried to instantiate a reactor outside of the ACE_Reactor::instance() singleton; this changes nothing.

I rewrote the WardenSvcHandler class so that its methods match the base ACE_Svc_Handler class 100%; this changes nothing.

I am out of ideas. I don't understand why ACE works so badly on Linux.

Link to comment
Share on other sites

where did the *.key file come from?

The *.bin file, I think, is downloaded from the official server.

It seems that the *.bin file is a dll file. Can I write my check mod by myself?

I think these files are signed and we can't reproduce them.

Link to comment
Share on other sites

The *.key files are generated from packet sniffs.

The .bin files are also obtained by sniffing, but can be taken from wowcache.wdb. Anyway, a module is useless without the RC4 key to decode it (.key file).

You can create your own module but the client will never load it. The last 2048 bits of the .bin are its RSA signature. As for the redirect packet, it's not possible at this point in time to break such an encryption, and it's a good thing, or anyone could send harmful code to the client.

Link to comment
Share on other sites

So any way to produce those .bins from 2.4.3 clients?

The bin files, probably; the key files are probably another thing, since they have to be sniffed from something using Warden already (but this is just what I think, and someone might have old packet logs from 2.4.3, so it might be possible).

OBS: I'm no expert but that's how I think it is

Link to comment
Share on other sites

For 2.4.3, you only need to change the void WardenMgr::SendWardenData(WorldSession* const session) method in WardenMgr.cpp, lines 882-929. The modules are unchanged and the keys are the same since they are associated with the module.

This method sends the client the offsets of the functions in the Warden client (in wow.exe). I did comment them: the first group are the MPQ access functions, then the LUA functions and finally the PerformanceCounter for the timing check, which did not exist by default in 3.3.5 sniffs.

I will dig through my hard disk next week, I probably have the packet somewhere for 2.4.3.

The patch can work for 2.4.3, but it won't work for 1.12 since the module format was different in Vanilla, and the keys were different too.

Link to comment
Share on other sites

Neo2003 and others, thanks for your work, Warden works fine.

Please tell me how to translate the Warden checks into human language. How do I explain to banned players what they were banned for?

Check your server log for "Kicking account [hacker's account ID] for failed" for the real reason (this should probably be logged as the ban reason in the db table)

It won't tell you which program they use, just which memory address or file was modified or driver detected.

Link to comment
Share on other sites

Dear Neo2003

Many players are kicked from the game due to "Warden Manager: no Cheat-check reply received, kicking account 165162. " Maybe this is due to the poor quality of the players' Internet connections. Maybe Warden should resend the check, and we should kick only in cases of repeated non-response?

Link to comment
Share on other sites
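
An added example, not part of any post in this thread and not the project's code: a C++ triage pass over a server log that separates the two kick messages quoted above, so accounts kicked only for not replying can be reviewed apart from failed checks. The sample log is constructed; account 1001 and the text after "for failed" are made up.

```cpp
#include <cstdio>
#include <cstdlib>
#include <map>
#include <sstream>
#include <string>

struct Tally { unsigned failedCheck = 0, noReply = 0; };
using Report = std::map<unsigned long, Tally>;  // keyed by account id

// Decimal account id starting at offset `pos` of `line`.
static unsigned long idAt(const std::string& line, std::size_t pos) {
    return std::strtoul(line.c_str() + pos, nullptr, 10);
}

// Count one log line into `out`; returns false when the line is not a kick.
bool classify(const std::string& line, Report& out) {
    static const std::string noReply = "no Cheat-check reply received, kicking account ";
    static const std::string kicking = "Kicking account ";
    std::size_t p = line.find(noReply);
    if (p != std::string::npos) {
        ++out[idAt(line, p + noReply.size())].noReply;
        return true;
    }
    p = line.find(kicking);
    if (p == std::string::npos || line.find(" for failed", p) == std::string::npos)
        return false;
    ++out[idAt(line, p + kicking.size())].failedCheck;
    return true;
}

// Tally a whole log so timeouts can be reviewed apart from failed checks.
Report triage(const std::string& log) {
    Report out;
    std::istringstream in(log);
    for (std::string line; std::getline(in, line);) classify(line, out);
    return out;
}

// Constructed sample: account 1001 and the text after "for failed" are made up.
const char* const SAMPLE_LOG =
    "Warden Manager: no Cheat-check reply received, kicking account 165162.\n"
    "Kicking account 1001 for failed check (constructed detail)\n"
    "Connection to Warden Daemon established\n"
    "Warden Manager: no Cheat-check reply received, kicking account 165162.\n";

int main() {
    for (const auto& kv : triage(SAMPLE_LOG))
        std::printf("account %lu: failed=%u no-reply=%u\n",
                    kv.first, kv.second.failedCheck, kv.second.noReply);
}
```
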

for some reason, I have to use VS2003 to compile the project.

In the source there is some code that uses the keyword '__thiscall', which is illegal in VC7.1.

How to deal with it?

btw: If I use '__stdcall' instead I got an error : Run-Time Check Failure #0 - The value of ESP was not properly saved across a function call. This is usually a result of calling a function declared with one calling convention with a function pointer declared with a different calling convention.

Link to comment
Share on other sites

VS2003 not supported.

Link to comment
Share on other sites

Hi! I have a problem:

ERROR: Connection to Warden Daemon lost, trying to reconnect in the background
Connection to Warden Daemon established
ERROR: Connection to Warden Daemon lost, trying to reconnect in the background
Connection to Warden Daemon established

This problem arises every minute.

Link to comment
Share on other sites

Any news about compatibility with Unix systems (under wine) Neo2003?

Warden works fine on Debian x64 with Wine. 2 realms, 1500 online in total.

Installing Warden on a server with Debian x64.

1. Install the needed packages (http://wiki.winehq.org/Recommended_Packages):

# apt-get build-dep wine

or install the packages manually.

2. Install the x32 libraries (http://wiki.winehq.org/WineOn64bit):

# apt-get install ia32-libs libc6-dev-i386 lib32z1-dev ia32-libs-dev lib32ncurses5-dev

If you compiled wardend.exe with VS2010, you need to install winbind (it will be needed for installing the libraries):

# apt-get install winbind

3. Download Wine: http://sourceforge.net/projects/wine/files/Source/

At present this is version 1.3.13.

4. Extract Wine and run the configure script:

I used these options:

./configure --without-freetype --without-opengl --without-opencl --without-ldap --without-openal --without-mpg123 \
--without-gstreamer --without-gsm --without-v4l --without-alsa --without-hal --without-jack --without-oss --without-esd \
--without-gettextpo --without-capi --without-cms --without-fontconfig --without-gphoto --without-cups --without-coreaudio \
--without-xcomposite --without-xcursor --without-xinerama --without-xinput --without-xrandr --without-xrender --without-xslt \
--without-glu --without-jpeg --without-sane --without-tiff --without-xshape --without-xxf86vm

5. Compile Wine:

# make

and install Wine:

# make install

7. Install a dummy X server to fool Wine, since we only have a bare console:

# apt-get install xvfb

8. Prepare to install the MS Visual Studio libraries:

- download the winetricks script (http://wiki.winehq.org/winetricks):

# wget http://winetricks.org/winetricks

- run the dummy X server:

# Xvfb :1 &

# export DISPLAY=:1

9. Install the MS Visual Studio libraries:

# sh winetricks vcrun2005

or

# sh winetricks vcrun2008

or

# sh winetricks vcrun2010

10. Run wardend.exe

# Xvfb :1 &

# export DISPLAY=:1

# wine wardend.exe

Voila.

Link to comment
Share on other sites

SignFinder, and you don't have any of these connection errors? I mean ERROR: Unexpected packet loop ... and the connection losses?

Yep, this is the problem I was referring to. I have Warden running in Ubuntu x64. See posts #143 and the following.

Link to comment
Share on other sites

Hey!

First of all, awesome job! This warden support is really great stuff!

I'm looking at the source code here and there's a few questions that arise in my head, there's a fair chance that I misunderstand the way that warden works and/or missing some obvious code that in fact does what I'm talking about, but I'll give it a shot anyway ;) So here goes:

1. When the client sends a warden cheat response, is that cheat anyhow validated with the module or is the list of "answers" somewhat predefined? I mean, I would imagine this works like this:

- Server chooses the module, for instance, memory check and chooses which page / part / address / whatever else of memory to ask for

- Server sends the cheat check request to the client

- Client processes the request and sends the result back

- Server processes the response and cross checks the result with output that the warden module gives server-side

In case the responses are predefined, the warden check communication can be spoofed more easily by the client, because the possible man-in-the-middle attack would only require the cheater to know the predefined values, right?

2. This question implies that the responses are predefined. If so, why do we need to load the modules into the memory and basically operate in Win32 code? My understanding then is that we just need to read the module and send it to the client (more or less) at the beginning of the session, and then just send the requests, get replies and compare them with predefined values. So maybe this can be coded without using native Win32 calls?

Thanks in advance for your reply :)

Link to comment
Share on other sites

Each module implements exactly the same check types as all other modules. The only difference between modules is the encryption function. The output of that function is used as the seed for initializing RC4 encryption for all Warden packets.

Why we have to load the module on the server side: simply to get the encryption keys, so the client can understand us (we can also validate some initial packets by feeding them to the module).

Each Warden S->C packet is encrypted; C->S packets are also encrypted, but in addition each packet also has its checksum.

It can be spoofed, but you have to deal with stream encryption and checksum checks. You will have to process all packets etc...

Link to comment
Share on other sites
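
The C->S validation described in the reply above, as an added example that is not from the thread or the project: both ends key RC4 from the same seed, and the server decrypts each packet and recomputes its checksum. Using the seed bytes directly as the RC4 key, the FNV-1a checksum and the 4-byte checksum prefix are assumptions made for this example, as are the names `seal` and `unseal`.

```cpp
#include <cstdint>
#include <utility>
#include <vector>
using Bytes = std::vector<uint8_t>;

// Standard RC4. State persists across packets, so both ends must stay in step.
class RC4 {
    uint8_t s[256], i = 0, j = 0;
public:
    explicit RC4(const Bytes& key) {
        for (int k = 0; k < 256; ++k) s[k] = uint8_t(k);
        for (int k = 0, t = 0; k < 256; ++k) {
            t = (t + s[k] + key[k % key.size()]) & 0xFF;
            std::swap(s[k], s[t]);
        }
    }
    void apply(Bytes& d) {
        for (auto& b : d) {
            i = uint8_t(i + 1); j = uint8_t(j + s[i]);
            std::swap(s[i], s[j]);
            b ^= s[uint8_t(s[i] + s[j])];
        }
    }
};
// Stand-in checksum (32-bit FNV-1a); the real one is not named on the page.
uint32_t checksum(const Bytes& d, std::size_t from) {
    uint32_t h = 2166136261u;
    for (std::size_t k = from; k < d.size(); ++k) { h ^= d[k]; h *= 16777619u; }
    return h;
}
// Client: prepend the checksum (little endian), then encrypt the whole packet.
Bytes seal(RC4& tx, const Bytes& payload) {
    uint32_t c = checksum(payload, 0);
    Bytes pkt = { uint8_t(c), uint8_t(c >> 8), uint8_t(c >> 16), uint8_t(c >> 24) };
    pkt.insert(pkt.end(), payload.begin(), payload.end());
    tx.apply(pkt);
    return pkt;
}
// Server: decrypt, recompute the checksum over the payload, reject a mismatch.
bool unseal(RC4& rx, Bytes pkt) {
    rx.apply(pkt);
    if (pkt.size() < 4) return false;
    uint32_t c = pkt[0] | pkt[1] << 8 | pkt[2] << 16 | uint32_t(pkt[3]) << 24;
    return c == checksum(pkt, 4);
}
int main() {  // constructed seed and payload; the seed is assumed to be the key
    RC4 tx(Bytes{1, 2, 3, 4}), rx(Bytes{1, 2, 3, 4});
    return unseal(rx, seal(tx, {0x02, 0xAA})) ? 0 : 1;
}
```

Because the RC4 state advances with every byte, an altered packet fails the checksum, and a packet the server never processes leaves the two keystreams out of step, so the next one fails as well.
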

Thank you very much for your descriptive response! I thought the concept was to pass some variable (or a vector of variables) to the module, so that the result would be a function of that input data and thus generating different responses for different input. I guess not :)

Cheers!

Link to comment
Share on other sites
