Warden - The definitive anti-cheat system

[darkstalker]

If you're trying to detect WPE client-side, you're doing it wrong.

Even if you could detect it, you've still forgotten the first rule of client-server security: the client is in the hands of the enemy. Nothing can be done client-side to 100% prevent all hacking as long as the hacker has access to the client and the machine running it. Only through good server-side checks and protections can you be completely secure.

TL;DR: If you spend all your time chasing WPE signatures and drivers instead of fixing the hacks in mangos, you're wasting your time.

That's true for server side bugs, but not everything is implemented there. Things like player movement are implemented client-side, so there is where checks should be done.

[Patman128]

That's true for server side bugs, but not everything is implemented there. Things like player movement are implemented client-side, so there is where checks should be done.

Hm, maybe I was not clear. I don't mean memory hacks or similar hacks, as these are easily detectable and detection is hard / impossible to avoid. What I mean is WPE and similar packet hacking. Hard to detect given the limitations of Warden and can be run on a non-local machine.

My point is that Warden is not the complete and final solution to all hacking problems on WoW, and too many people without knowledge of it might get this impression that because they are using it, they are immune to hacking and it will be able to find any hackers, when this is not the case. Mangos still needs server-side security to defend against packet hacks and similar.

[iforgotmypassword]

I am not sure about another check, 0x987255.

Maybe it is wrong check too, maybe not =\\

[idostyle]

2011-04-06 16:06:26 Kicking account XXX for failed check, MEM Offset 0x7EDA0C length 12 has content '8990900000008B9194000000' instead of '8990900000008B9194000000'

8990900000008B9194000000

8990900000008B9194000000

Some checks are strange

Anyway good work over there neo

[Neo2003]

You probably have another check failed just before this one. This message is a false positive one when another check fails. I fixed this case and will upload a new patch this evening with others changes.

[iforgotmypassword]

2011-04-06 19:44:46 Warden Manager: no Cheat-check reply received, kicking account 1568

it happens very often for different accounts, when player tries to log out to character select screen

[Neo2003]

Can you please check if the client did stop to reply to cheat-check? I let the client 2 minutes, which is long enough I think.

Btw, there is a new version, see 1st post.

- Time source changed to be from World always

- Wardend can timeout

and much more

I recommend you try the new data, less duplicate page checks and new pages/lua checks.

[hatnaa]

1>------ Build started: Project: shared, Configuration: Release Win32 ------
1>Extract revision
1>Build log was saved at "file://c:\\mangos\\win\\VC90\\shared__Win32_Release\\BuildLog.htm"
1>shared - 0 error(s), 0 warning(s)
2>------ Build started: Project: wardend, Configuration: Release Win32 ------
2>Compiling...
2>WheatyExceptionReport.cpp
2>WardenSocket.cpp
2>WardenDaemon.cpp
2>Main.cpp
2>BufferedSocket.cpp
2>Compiling resources...
2>Microsoft (R) Windows (R) Resource Compiler Version 6.1.6723.1
2>Copyright (C) Microsoft Corporation.  All rights reserved.
2>..\\..\\src\\wardend\\wardend.rc(19) : error RC2135 : file not found: wardend.ico
2>Build log was saved at "file://c:\\mangos\\win\\VC90\\wardend__Win32_Release\\BuildLog.htm"
2>wardend - 1 error(s), 0 warning(s)
========== Build: 1 succeeded, 1 failed, 6 up-to-date, 0 skipped ==========

Please help....

[hatnaa]

wardend.ico problem kekekek

[Neo2003]

Wardend.ico is in the .diff (saved with --binary option). I don't know why some of you miss this file after you apply this git diff.

Anyway just copy /src/mangosd/mangosd.ico to /src/wardend/ and rename it wardend.ico.

[iforgotmypassword]

Can you please check if the client did stop to reply to cheat-check? I let the client 2 minutes, which is long enough I think.

I recommend you try the new data, less duplicate page checks and new pages/lua checks.

same in new version

how to check client cheat-checks reply?

[Neo2003]

You can't really without adding some log output

Btw, go around line 157 of src/game/WardenMgr.cpp

1st replace "session->m_WardenTimer.Reset();" line 158 by "session->m_WardenTimer.SetCurrent(0);"

If this does not help, keep this modification and also increase the time to 3 minutes line 157.

Let's see if this strange .Reset() which does not really reset anything has something to do with this problem, or if the time is too short.

[yad02]

Hi Neo,

In your latest (20110406) version, some references on realmd are specified.

l3888 : +# Realmd daemon PID file

l3904 : +# Default: "Realmd.log"

In any case thank you

[iforgotmypassword]

1st replace "session->m_WardenTimer.Reset();" line 158 by "session->m_WardenTimer.SetCurrent(0);"

didn't help, I will try to increase timer

[iforgotmypassword]

1st replace "session->m_WardenTimer.Reset();" line 158 by "session->m_WardenTimer.SetCurrent(0);"

didn't help, I will try to increase timer

did not help too

[Vlad852]

Can you please check if the client did stop to reply to cheat-check? I let the client 2 minutes, which is long enough I think.

Easy to reproduce:

After server send Wardend::BuildCheatCheck press logout->you will be kicked like timer passed.

Warden Manager: no Cheat-check reply received, kicking account

EDIT: OK, I found. HandleWardenRegister(); called for already registered session.

Fix:

void WorldSession::HandleWardenRegister()
{
   if (sWardenMgr.IsEnabled() && m_wardenStatus == WARD_STATE_UNREGISTERED)
       sWardenMgr.Register(this);
}

[Neo2003]

Yes, register reset the counter then the client has no chance to reply in the 2 seconds delay.

Nice catch.

[PablukY]

The system is only valid for 71 players? or even if you have 71 keys has nothing to do?

Where I have to copy the keys? or what is its use?

Warden can be installed as a service? (if it is closed)

Greetings

P.D: Sorry for my bad English, I'm Spanish

[Sephiroth1983]

The system is only valid for 71 players? or even if you have 71 keys has nothing to do?

Where I have to copy the keys? or what is its use?

Warden can be installed as a service? (if it is closed)

Greetings

P.D: Sorry for my bad English, I'm Spanish

As I know each module is an anti-cheat definition, it's obviously not related to the number of players checked.

[zhenya``]

yes.. 1 module can be used for all players..

[lillecarl]

Is it possible to make warden get the mac adresses of the client computers? It would give server administrators that do want to ban multiboxing really simple and correct.

[Skirnir]

@lillecarl if I got it right Neo2003 implemented a way to run a warden instance with mangos. It should work like original warden does and I doubt he will change that. Other than that google will tell you how to fake a mac address, it's just as effective as ip bans.

Other than that I still don't know why your friends cheat on your non public servers.

Regards

Skirnir

[lillecarl]

Doesn't warden run on the clients as a application also? otherwise how would it be possible to do memchecks

Edit: Sorry if im asking wierd questions, im not home atm

[caeruleaus]

warden is built into the WoW.exe file.

[Patman128]

Warden isn't built into the WoW.exe file, but the part that downloads and runs Warden is, and it will only run properly encrypted modules, meaning you can't make your own Warden modules. The modules don't contain any code for getting MAC addresses, so no, you can't ban their MAC address.

In any case, as he said, MAC addresses are simple to change, so it wouldn't really offer any more protection than banning the account.