Warden - The definitive anti-cheat system

[zhenya``]

tobmaps, send me all cheats, which undetected by warden;)

by TOM_RUS

MODULE_CHECK is HMACSHA1(random_seed).ComputeHash(GetBytes(UPPER_C ASE("some.dll"))), but can rename dll and warden will not detect you.

PROC_CHECK http://paste2.org/p/1328034

DRIVER_CHECK http://paste2.org/p/1327840

PAGE_CHECK: HMACSHA1(random_seed).ComputeHash(baseAddress + address, length) can be used for dll checks..

[Tanatos]

WpeSpy.dll, for example, needed for execute cheat. Cheaters - noobz much more, than proff-cheaters, who can use disassembler or debugger This check is good with a complex of other checks. But page_check or mem_check are the best if you know how to properly make)

[Neo2003]

Hello all,

A redone version is available, see 1st post.

Basically, in wardend there is now only module load and execute it, the rest is in mangosd. So only 1 exchange only for each account it done.

Also, it can ban people if you configure it to do this.

Neo2003

[voidx]

when we can use this in linux?

[ankso]

Hi guys,

I'm trying to make this work with wine on ubuntu 10.04. I have do the following:

- Installed wine and winetricks

- Installed the vcrun2010s dlls with winetricks (to get msvcp100.dll)

- Compile and copy the binaries and dlls from windows to ubuntu.

But when I try to run wardend.exe from terminal it gives me some errors:

[email]user@user-desktop:~/.wine[/email]/dosdevices/c:/Program Files/wardend$ wine wardend.exe
Trying to load PE image for unsupported architecture (AMD-64)
err:module:import_dll Loading library MSVCP100.dll (which is needed by L"C:\\\\Program Files\\\\wardend\\\\ACE.dll") failed (error c000007b).
err:module:import_dll Library ACE.dll (which is needed by L"C:\\\\Program Files\\\\wardend\\\\wardend.exe") not found
Trying to load PE image for unsupported architecture (AMD-64)
err:module:import_dll Loading library MSVCP100.dll (which is needed by L"C:\\\\Program Files\\\\wardend\\\\wardend.exe") failed (error c000007b).
err:module:LdrInitializeThunk Main exe initialization for L"C:\\\\Program Files\\\\wardend\\\\wardend.exe" failed, status c0000135

So, the "Trying to load PE image for unsupported architecture (AMD-64)" is because I have compiled for win32 and my ubuntu is x64, isn't it?

But, anyone knows what's happening with MSVCP100.dll and ACE.dll? I have ACE.dll in the same folder with wardend.exe and I have copied it in System32 to be sure. Anyone was able to get this working on Linux? Any tips, advices? I'm not used to wine

Of course, thanks for the patch. It looks very well ^^

[TOM_RUS]

when we can use this in linux?

You can try run it in Wine, may be it work. It will never work on unix natively.

[TOM_RUS]

Hi guys,

I'm trying to make this work with wine on ubuntu 10.04. I have do the following:

- Installed wine and winetricks

- Installed the vcrun2010s dlls with winetricks (to get msvcp100.dll)

- Compile and copy the binaries and dlls from windows to ubuntu.

But when I try to run wardend.exe from terminal it gives me some errors:

[email]user@user-desktop:~/.wine[/email]/dosdevices/c:/Program Files/wardend$ wine wardend.exe
Trying to load PE image for unsupported architecture (AMD-64)
err:module:import_dll Loading library MSVCP100.dll (which is needed by L"C:\\\\Program Files\\\\wardend\\\\ACE.dll") failed (error c000007b).
err:module:import_dll Library ACE.dll (which is needed by L"C:\\\\Program Files\\\\wardend\\\\wardend.exe") not found
Trying to load PE image for unsupported architecture (AMD-64)
err:module:import_dll Loading library MSVCP100.dll (which is needed by L"C:\\\\Program Files\\\\wardend\\\\wardend.exe") failed (error c000007b).
err:module:LdrInitializeThunk Main exe initialization for L"C:\\\\Program Files\\\\wardend\\\\wardend.exe" failed, status c0000135

So, the "Trying to load PE image for unsupported architecture (AMD-64)" is because I have compiled for win32 and my ubuntu is x64, isn't it?

But, anyone knows what's happening with MSVCP100.dll and ACE.dll? I have ACE.dll in the same folder with wardend.exe and I have copied it in System32 to be sure. Anyone was able to get this working on Linux? Any tips, advices? I'm not used to wine

Of course, thanks for the patch. It looks very well ^^

Are you sure your windows binaries compiled as x86? Because it looks like they aren't. I guess it's better to look for similar errors on unix/wine forums.

[darkstalker]

you need to compile wine with win64 support

[Neo2003]

you need to compile wine with win64 support

No.

Wardend CAN BE ONLY Win32. If you compile it for Winx64 or any other OS (Linux, Mac...). It won't work.

I recall you that Warden modules ARE 32bit PE DLL, so as for all 32bits DLL, you can only load it from a Windows Process which is 32 bits.

I did remove the Linux support on purpose in code because it can only be Win32.

Compile it with VC2005, VC2008 or VC2010, then copy wardend.exe, ACE.dll, tbbmalloc.dll and wardend.conf to a Win32 capable environment (Any Windows or a 32 bits wine or anything that knows how to run a 32bits Windows PE executable.

[Vlad852]

Hi, Neo.

I tested last patch. Seems not working (.

Somehow one time ok, but than nothing helps like: deleteting from DB session key, last module, day module, restart both daemons, restart my PC, nothing..i got only these logs:

http://paste2.org/p/1339988

BTW, it is ok that daemons all time are reconnecting?

[Neo2003]

Oh, I saw the problem too, but I don't have it always.

I send the module from mangosd to wardend and sometimes the BufferedSocket code does not get the packet which is around 20KB in one shot, I get a 34xx size packet then the rest. I don't know how to fix, I will probably have to drop this BufferedSocket code from wardend and use a simpler one.

Edit: Seams that the Socket is still getting data while we already parse the packet. The only difference with previous code is the removal of the DB ping code which added some delay, so I tested a small hack which seams to fix this:

Open src/wardend/main.cpp and go line 238

Replace:

   while (!stopEvent)
   {
       // dont move this outside the loop, the reactor will modify it
       ACE_Time_Value interval(0, 100000);

       if (ACE_Reactor::instance()->run_reactor_event_loop(interval) == -1)
           break;

       if (m_ServiceStatus == 0) stopEvent = true;
       while (m_ServiceStatus == 2) Sleep(1000);
   }

By:

   while (!stopEvent)
   {
       // dont move this outside the loop, the reactor will modify it
       ACE_Time_Value interval(0, 100000);

       if (ACE_Reactor::instance()->run_reactor_event_loop(interval) == -1)
           break;
       // Let time for the socket to get all data
       Sleep(500);
       if (m_ServiceStatus == 0) stopEvent = true;
       while (m_ServiceStatus == 2) Sleep(1000);
   }

Tell me is you face the problem again after adding this small delay.

Neo2003

[Vlad852]

Not helped =\\

EDIT:

Interesting experiment I done: I run wardend on remote host under WINE, and successful rate encrease up 5-7 times per 10 connections.But still not 100% =\\

P.S. It is ok that 2-6 connections between mangosd and wardend simultaneously? Maybe it is real problem?

And yes, wardend is working on WINE =)

[Neo2003]

Vlad852, try to get latest version I just posted. I made lot of mistakes with my booleans in previous one.

[iforgotmypassword]

same issue with last version

[Neo2003]

Hello,

This time I found a way to fix this incomplete packet problem + fixed another problem at wardend reconnection due to lost flag set.

Please use the last version I just posted (see 1st post) and report if anything else is broken.

Neo2003

[iforgotmypassword]

WardenSocket::_HandleLoadModule, received 4096

Got 4096 bytes of data, 18160 bytes needed, waiting for next tick

Command handler failed for cmd 3 recv length 4096

Terminating connection from '127.0.0.1'

[Neo2003]

Oh, I did forget to update VC80 and VC100 projects.

wardend must use the BufferedSocket.cpp/.h which is in /src/wardend, not the realmd one

Since you probably use VC100, remove BufferedSocket.cpp and BufferedSocket.h from wardend project and re-add the ones in /src/wardend

This error is because realm version of these file is limited to 4k packets only.

[iforgotmypassword]

core crash in WardenMgr: SendCheatCheck at checkList->clear();

locals:

+        this    0x0000000043f57018 {m_WardenProcessStream=0x00000000323f72b0 m_WardenProcessConnection=0xcdcdcdcdcdcdcdcd m_Enabled=true ...}    WardenMgr * const
+        session    0x00000000025acbc0 {m_muteTime=1279703127 m_timeOutTime=895093 m_nameQueryCallbacks={...} ...}    WorldSession * const
+        data    {m_opcode=52428 }    WorldPacket
+        md5    "841EF47866310AE3D26A3D8546A4CD0D"    std::basic_string<char,std::char_traits<char>,std::allocator<char> >
-        checkList    0xcdcdcdcdcdcdcdcd [...]()    std::vector<WardenMgr::GenericCheck,std::allocator<WardenMgr::GenericCheck> > *
       [size]    CXX0030: Error: expression cannot be evaluated    
       [capacity]    CXX0030: Error: expression cannot be evaluated    
       nbChecks    204 'М'    unsigned char
       m_seed1    204 'М'    unsigned char
       m_strIndex    204 'М'    unsigned char

[iforgotmypassword]

solved by adding m_WardenClientChecks(NULL) to worldsession constructor

[Vlad852]

Good job! Now all working. Thx you Neo for your work =)

[ankso]

In WardenData.sql:

-- More checks and WEH detection
INSERT IGNORE INTO `warden_check_memory` (`String`, `Offset`, `Length`, `Result`, `Comment`) VALUES
('', 7452688, 10, '8B 81 CC 07 00 00 25 00 00 00','0x0071B810: WEH'),
('', 5296823, 7, '75166824020000',''),
('', 5283280, 12, '558BECB8084E0000E8731DF0',''),
('', 5417948, 5, '7734FF2485',''),
('', 11287980, 8, '04000000903C9F00',''),
('', 5345746, 7, '746583F9177760',''),
('', 7860712, 5, '742DF6407C',''),
('', 10714892, 8, 'BB8D243FD4D0313E',''),
('', 4623652, 7, '578B7D08578BF1',''),
('', 5090917, 8, 'E886EE1D0083C40C',''),
('', 4609675, 5, '5E5DC20800,'''), <------------ Missed comma here
('', 7517484, 7, '7518683B010000',''),
('', 10694516, 8, '2F549A416F12033B',''),
('', 4609669, 5, '8986100F00',''),
('', 10010636, 12, '8166443FFF1FFFD9565CD95E,'''), <-- And here
('', 5265823, 5, '72118B5518',''),
('', 5124558, 5, '8BF08D4608',''),
('', 5296496, 12, '558BEC81ECE80D00006A0AE8',''),
('', 5081862, 8, '6840AAB600C60200',''),
('', 8491566, 5, '8B4D10890D',''),
('', 5284488, 9, '7507C7451400000000',''),
('', 11154396, 8, 'D893FEC0488C11C1',''),
('', 4618113, 10, 'FF1554F79D003B470C89',''),
('', 9990741, 9, '8B878000000089463C',''),
('', 7246064, 6, '8950108B450C','');

Nothing important but easy to fix.

[Vlad852]

OK, seems is working. But some problems exist: memory leak in warden demon, after connecting about 300 testers, wardend allocate 150Mb. Also still sometime:

2011-04-03 21:36:31 WardenSocket::_HandleLoadModule, received 15264

2011-04-03 21:36:31 Got 15264 bytes of data, 18976 bytes needed, waiting for next tick

2011-04-03 21:36:31 Command handler failed for cmd 3 recv length 15264

2011-04-03 21:36:31 WardenSocket::_HandleLoadModule, received 19620

2011-04-03 21:36:31 Wardend::LoadModule()

2011-04-03 21:36:31 ERROR:Warden module seams damaged, cannot find signature data.

2011-04-03 21:36:31 There was a problem in running the sent module

[hatnaa]

hi cant patch please help me. i'm noob

[ankso]

I have a problem runing this with wine, the warden daemon is working, the connection is established with the mangosd server, but the connection is lost each 10-20 seconds (and reconects instantly). Someone has the same issue runing it with wine? (in windows is working without problems). Also, warden daemon don't close the connection when it is lost, so it opens a new connection each time. Don't know if I need to configure something, I haven't much experience with unix

[Neo2003]

I have a problem runing this with wine, the warden daemon is working, the connection is established with the mangosd server, but the connection is lost each 10-20 seconds (and reconects instantly). Someone has the same issue runing it with wine?

Hello,

I saw the quite same problem personally when having mangosd on Linux and Wardend on a different Windows Box. This was because a firewall was preventing anything to go back to mangosd. Since I use a ping between the too and mangosd don't see the pong message from wardend, it thinks wardend is no more here and closes the connection, then retry to open a new one.

I have to put some code in wardend to also close the connection after a timeout and will take a look at wardend memory allocation.