Warden - The definitive anti-cheat system


OK, it seems to be working. But some problems exist: a memory leak in the warden daemon; after connecting about 300 testers, wardend allocates 150Mb. Also, still sometimes:

2011-04-03 21:36:31 WardenSocket::_HandleLoadModule, received 15264

2011-04-03 21:36:31 Got 15264 bytes of data, 18976 bytes needed, waiting for next tick

2011-04-03 21:36:31 Command handler failed for cmd 3 recv length 15264

2011-04-03 21:36:31 WardenSocket::_HandleLoadModule, received 19620

2011-04-03 21:36:31 Wardend::LoadModule()

2011-04-03 21:36:31 ERROR:Warden module seams damaged, cannot find signature data.

2011-04-03 21:36:31 There was a problem in running the sent module

I think the two problems are related.

"Got 15264 bytes of data, 18976 bytes needed, waiting for next tick": not much of a problem. The ACE::reactor called the packet parser before the full packet had been received. I need to remove this old message "Command handler failed for cmd 3 recv length 15264".

"WardenSocket::_HandleLoadModule, received 19620": this is a problem. We need 18976 bytes and we got 19620 bytes; there is a memory problem somewhere, probably related to "wardend allocate 150Mb".
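The partial-read versus over-read distinction in the two log lines above, as an added C++ illustration that is not the thread's or wardend's code: the ModuleAssembler class is hypothetical, and the 18976-byte expected length and the chunk sizes are taken from the log, with the payload bytes constructed.

```cpp
#include <cstddef>
#include <cstdint>
#include <utility>
#include <vector>

// Result of feeding one chunk of socket data to the assembler.
enum class FrameStatus { NeedMore, Complete };

// Hypothetical helper (not wardend code): collects a module payload of known
// length from chunks that may arrive split across reactor ticks (partial
// read) or glued to the start of the next message (over-read).
class ModuleAssembler {
public:
    explicit ModuleAssembler(std::size_t needed) : needed_(needed) {}

    // Append at most the bytes still missing; anything beyond that is kept
    // in leftover() for the next packet instead of being counted as part of
    // this module, so "received" can never exceed "needed".
    FrameStatus feed(const std::vector<std::uint8_t>& chunk) {
        std::size_t room = needed_ - buf_.size();
        std::size_t take = chunk.size() < room ? chunk.size() : room;
        buf_.insert(buf_.end(), chunk.begin(), chunk.begin() + take);
        leftover_.assign(chunk.begin() + take, chunk.end());
        return buf_.size() == needed_ ? FrameStatus::Complete : FrameStatus::NeedMore;
    }

    std::size_t received() const { return buf_.size(); }
    const std::vector<std::uint8_t>& module() const { return buf_; }
    const std::vector<std::uint8_t>& leftover() const { return leftover_; }

    // Reuse the same buffers for the next module; clearing rather than
    // allocating a fresh buffer per packet keeps the process size flat.
    void reset(std::size_t needed) { needed_ = needed; buf_.clear(); leftover_.clear(); }

private:
    std::size_t needed_;
    std::vector<std::uint8_t> buf_;
    std::vector<std::uint8_t> leftover_;
};

// Replays the sizes from the log: 15264 bytes on the first tick, then a
// chunk that brings the running total to 19620 (constructed payload bytes).
// Returns {bytes accepted into the module, bytes left over for the next packet}.
std::pair<std::size_t, std::size_t> replay_from_log() {
    ModuleAssembler a(18976);
    a.feed(std::vector<std::uint8_t>(15264, 0xAA));          // NeedMore: 15264 < 18976
    a.feed(std::vector<std::uint8_t>(19620 - 15264, 0xBB));  // Complete: 644 bytes spill over
    return {a.received(), a.leftover().size()};
}
```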

Also, I didn't get any cheat detection with 1 hour of uptime on Linux.

Me too, but I think it is related to the connection lost issue. And my testers have problems with login after some time online; they are kicked (with ~50 testers). On Windows it works well; I have tested with WoWEmuHacker and after 20 seconds of use I was banned automatically. This is a very promising feature ^^.

I found and fixed the wardend memory problem. I sent 25000 packets asking for a module load/key generation/module unload. The test took 21 seconds on my test PC and the process did not grow in memory. Also not a single module load error, although this stress was more on ACE and BufferedSocket than on the module load/unload code, which is fast anyway.

I will check if I can find what causes the connection problem on Linux and upload a new version this evening.

Edit: I fixed the Linux problem. The ACE::reactor was not the proper type for Linux in WardenMgr ;)

For "most" of the existing hacks, it's a matter of putting the proper data in the DB to detect them with MEM_CHECK, LUA_CHECK or PAGE[AB]_CHECK. Currently there is only sample data in the DB and a single version of WPE detection; I plan to add more checks but I am not familiar with them and the way they work, so I mostly rely on you to help me on this :D If you know a way to detect a hack, PM me with the data to scan; then I will encrypt it to fill the DB in a format warden directly understands and also to protect this sensitive information a bit.

Unfortunately I don't have the CheckId for MODULE_CHECK for any module, so even if I implement this check, we cannot run it. It would be useful for some hacks too; I even have data for it.

Now it works great, without memory leaks. But sometimes mangosd says "connection to wardend lost", while I see the connection is still there and established, so mangosd makes a new connection, and repeats this after some time without killing the existing connection (which is really working). I increased the ping time x10, and now mangosd and wardend have kept their first and only connection up for 10 hours so far.

P.S. Does there exist any "not hack" program in this sample data? ) I got banned myself when running spell_work, or skype... or something else. xD

Some data for pages that should detect a hack, if I made it properly:

INSERT IGNORE INTO `warden_check_page` VALUES 
(2538611263, '1529EB2FBA39B306B018DAD4A6046DF4F877F49A', 0x63D801B0, 24),
(4289895411, 'AE4C7A22758087A10D0DE5BD2A79669DE553F6B2', 0x63D801B0, 24),
(1683631648, '6D4B77EA21B47111544505A8D7DB34031BD42C5D', 0x63D801B0, 24),
(0812875479, '0DF67B88FE74BD837B39E293246AC834AF247E96', 0x63D801B0, 24),
(0767954206, 'F5E39AF674FD53890C199C522BF36413281972D0', 0x63D801B0, 24);

Hm, to me Neo explained that DBCs are actually signed and checked by the client itself, and it will refuse to load a modified DBC. So you would have to modify the client executable, which in turn would be detected by warden, from what I understand ^^

But that's just what I understood from various conversations...

Nope, the client can load a modified Spell.dbc and there are many guides on how to modify some stuff like global cooldowns, etc.

Hello iforgotmypassword

Feel free to PM me a link explaining this. Since client 2.something, I was never able to make the client load a modified dbc anymore; it always says something like "the file blabla.dbc is failing signature check". If I can make it load a custom dbc, then I can consider making this implementation.

By the way, for the moment I made wardend cut the connection after a timeout; it was not easy.

Write the check which you fail

It was:

2011-04-04 22:46:19 Kicking account 5 for failed check, MEM Offset 0xAC3DAC length 8 has content '02000000903C9F00' instead of '04000000903C9F00'

It is not WEH, so what was it? Is there any solution to find which program it was? )

If you're trying to detect WPE client-side, you're doing it wrong.

Even if you could detect it, you've still forgotten the first rule of client-server security: the client is in the hands of the enemy. Nothing can be done client-side to 100% prevent all hacking as long as the hacker has access to the client and the machine running it. Only through good server-side checks and protections can you be completely secure.

TL;DR: If you spend all your time chasing WPE signatures and drivers instead of fixing the hacks in mangos, you're wasting your time.

Write the check which you fail

It was:

2011-04-04 22:46:19 Kicking account 5 for failed check, MEM Offset 0xAC3DAC length 8 has content '02000000903C9F00' instead of '04000000903C9F00'

It is not WEH, so what was it? Is there any solution to find which program it was? )

Remove this check. It's connected with UAC maybe... this is not a cheat.
