Posted
Any news about compatibility with Unix systems (under wine), Neo2003?

Warden works fine on Debian x64 with wine. 2 realms, 1500 total online.

Installing Warden on a server with Debian x64.

1. Install the needed packages (http://wiki.winehq.org/Recommended_Packages):

# apt-get build-dep wine

or install the packages manually.

2. Install the 32-bit libraries (http://wiki.winehq.org/WineOn64bit):

# apt-get install ia32-libs libc6-dev-i386 lib32z1-dev ia32-libs-dev lib32ncurses5-dev

If you compiled wardend.exe with Visual Studio 2010, you need to install the winbind package; it is needed for installing the libraries:

# apt-get install winbind

3. Download wine: http://sourceforge.net/projects/wine/files/Source/ (currently version 1.3.13).

4. Extract wine and run the configure script. I used these options:

./configure --without-freetype --without-opengl --without-opencl --without-ldap --without-openal --without-mpg123 \
    --without-gstreamer --without-gsm --without-v4l --without-alsa --without-hal --without-jack --without-oss --without-esd \
    --without-gettextpo --without-capi --without-cms --without-fontconfig --without-gphoto --without-cups --without-coreaudio \
    --without-xcomposite --without-xcursor --without-xinerama --without-xinput --without-xrandr --without-xrender --without-xslt \
    --without-glu --without-jpeg --without-sane --without-tiff --without-xshape --without-xxf86vm

5. Compile wine:

# make

and install wine:

# make install

7. Install a dummy X server (to fool wine, since we only have a bare console):

# apt-get install xvfb

8. Prepare to install the MS Visual Studio libraries:

- download the winetricks script (http://wiki.winehq.org/winetricks):

# wget http://winetricks.org/winetricks

- run the dummy X server:

# Xvfb :1 &

# export DISPLAY=:1

9. Install the MS Visual Studio libraries:

# sh winetricks vcrun2005

or

# sh winetricks vcrun2008

or

# sh winetricks vcrun2010

10. Run wardend.exe

# Xvfb :1 &

# export DISPLAY=:1

# wine wardend.exe

Voila.

Either do all that or build the daemon statically: Project properties -> Configuration properties -> C/C++ -> Code Generation, and set Runtime Library to an option without DLL. Should work :)

Cheers!


Posted

I was wondering what those checks that have been recently added are checking? I mean, the last 5 page checks and memory checks past the WEH detection? Any specific cheat tools?

Cheers

Posted

Thank you TOM_RUS!

Could you give us a little manual or description of this implementation? Can this single module detect different types of cheating programs? Are there any known false positive results?

I am looking forward to seeing a new version of Neo2003's work :)

Posted

Could you give us a little manual or description of this implementation?

What kind of manual or description?

Can this single module detect different types of cheating programs? Are there any known false positive results?

It has all the detection types that Neo2003's implementation has and even an additional one (MODULE_CHECK). PROC_CHECK is not implemented though (I'm not even sure it is useful for anything). No idea about false positives; better ask zhenya about that, as he has been using this for more than a year now.

Posted

After 2 hours of testing I got a lot of fails on these two memory tests:

(403, 243, '', '', 4609675, 5, '5E5DC20800', NULL),

(438, 243, '', '', 11287980, 8, '04000000903C9F00', NULL) this one is the same as the UAC false positive on page 4

I have no idea if the other one is also a false positive or not.

And I have a question: this implementation does not cause client freezes for Mac users, does it?

Posted
After 2 hours of testing I got a lot of fails on these two memory tests:

(403, 243, '', '', 4609675, 5, '5E5DC20800', NULL),

(438, 243, '', '', 11287980, 8, '04000000903C9F00', NULL) this one is the same as the UAC false positive on page 4

I have no idea if the other one is also a false positive or not.

And I have a question: this implementation does not cause client freezes for Mac users, does it?

(403, 243, '', '', 4609675, 5, '5E5DC20800', NULL),

This address is in the code section and can't be modified without third-party programs:

.text:0046568B 5E                             pop     esi
.text:0046568C 5D                             pop     ebp
.text:0046568D C2 08 00                       retn    8

(438, 243, '', '', 11287980, 8, '04000000903C9F00', NULL)

This address is in the data section and has the default value FFFFFFFF903C9F00:

.data:00AC3DAC FF FF FF FF    dword_AC3DAC    dd 0FFFFFFFFh           ; DATA XREF: sub_4D80C0+5r
.data:00AC3DB0 90 3C 9F 00                    dd offset aCharacterattac ; "CharacterAttachment"

There are 2 legit memory writes in the client that may change the first 4 bytes (FFFFFFFF) at this address. So it indeed may fail on the server side.

.text:004D80E2 A3 AC 3D AC 00                 mov     dword_AC3DAC, eax // eax value may vary based on login state (0...17)

.text:004D8AA5 89 0D AC 3D AC+                mov     dword_AC3DAC, ecx // ecx = -1

Mac clients are not supported, and probably never will be, because I would need physical access to a MacBook, which I don't have.
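The false positive on the second memory check above comes from comparing all 8 bytes against one stored value, while the post shows the first dword legitimately takes 0..17 or -1. The following server-side validator is an added example (not code from the thread or from any Warden implementation); the only facts it relies on are the address, the default value and the two legitimate writes quoted above, and it assumes the eax range 0..17 is inclusive.

```python
import struct

# Facts taken from the post: 8 bytes read at 0xAC3DAC (decimal 11287980),
# default content FFFFFFFF903C9F00 (little-endian dwords).
MEM_CHECK_ADDR = 11287980
STRING_PTR = 0x009F3C90          # "offset aCharacterattac", never written legitimately
DEFAULT_STATE = 0xFFFFFFFF       # restored by the "mov dword_AC3DAC, ecx" write (ecx = -1)
# The "mov dword_AC3DAC, eax" write stores the login state; assumption: 0..17 inclusive.
LEGIT_STATES = set(range(0, 18)) | {DEFAULT_STATE}

# Expected value as stored in the check table from the thread (the naive comparison).
STORED_EXPECTED = "04000000903C9F00"


def naive_mem_check(response_hex: str) -> bool:
    """Byte-for-byte comparison, as the check table implies. Fails on legit states."""
    return response_hex.upper() == STORED_EXPECTED


def state_aware_mem_check(response_hex: str) -> bool:
    """Accept any legitimate login state in the first dword, but require the
    second dword (the string pointer) to be untouched."""
    raw = bytes.fromhex(response_hex)
    if len(raw) != 8:
        raise ValueError("MEM_CHECK reply for this address must be 8 bytes")
    state, ptr = struct.unpack("<II", raw)
    return ptr == STRING_PTR and state in LEGIT_STATES


# Constructed sample replies: default value, a mid-login state, and a patched pointer.
SAMPLES = {
    "default": "FFFFFFFF903C9F00",
    "state_17": "11000000903C9F00",
    "patched": "04000000DEADBEEF",
}
```

The naive comparison rejects the default value even though no third-party code touched the memory; the state-aware version only flags a changed pointer or an out-of-range state.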

Posted

So you don't know if it causes a client crash on Mac or not?

By the way, a config option for turning off Warden would be good, or a way to specify an account list to exclude them from Warden checks.

Posted

You didn't have any issues concerning Windows Firewall users? Some of them got randomly disconnected during loading or directly after login, while kick wasn't even enabled.

Posted
You didn't have any issues concerning Windows Firewall users? Some of them got randomly disconnected during loading or directly after login, while kick wasn't even enabled.

Even if there are any disconnection issues, they're not caused by Windows Firewall... I never had any random disconnects. Also, the kick option is ignored at client response timeout, so it may disconnect a client that did not send a Warden response in the given time (1.5 minutes).

Posted
Even if there are any disconnection issues, they're not caused by Windows Firewall... I never had any random disconnects. Also, the kick option is ignored at client response timeout, so it may disconnect a client that did not send a Warden response in the given time (1.5 minutes).

That explains a lot of things :) If I put timeout kicks under the effect of the kick config, can it result in any error?

One more short note: logging is a bit too detailed, I would have to buy a new HDD after a week of usage :D

Posted
Even if there are any disconnection issues, they're not caused by Windows Firewall... I never had any random disconnects. Also, the kick option is ignored at client response timeout, so it may disconnect a client that did not send a Warden response in the given time (1.5 minutes).

That explains a lot of things :) If I put timeout kicks under the effect of the kick config, can it result in any error?

One more short note: logging is a bit too detailed, I would have to buy a new HDD after a week of usage :D

I've fixed the bug with timeout kicks ignoring the config.

You can comment out some of the logging if you don't need it... It's there mostly for debugging purposes.

Posted

I think you can't create new signatures, but (correct me if I am wrong) maybe there are still unknown signatures that could be useful.

Posted
You can create new signatures, but you need to analyze how that cheat works (writing memory at some address, injecting a DLL, etc.) first...

Dear TOM_RUS, if you're interested, please tell us where one can send the cheats that Warden does not catch. You do not answer PMs on here.

Posted

Some cheats directly use the dynamic memory of the player client structure; this is undetected by Warden.

In some cases, with these cheats, analysis is pointless.

I found a method, but it is very hard: it needs to calculate the pointer structure through Warden mem scans of player pointer addresses in base memory.

Posted
You can create new signatures, but you need to analyze how that cheat works (writing memory at some address, injecting a DLL, etc.) first...

Dear TOM_RUS, if you're interested, please tell us where one can send the cheats that Warden does not catch. You do not answer PMs on here.

I'm not interested in cheat analysis. It may take a lot of time. I have different things to do...

Detection of memory writes to dynamic player structures is possible, but it's not implemented.

Posted

No. Maybe it can be detected if the bot is intercepting the API; theoretically Blizz uses PROC_CHECK, but this check is ineffective. Also you can use MEM_CHECK or PAGE_CHECK for some important DLLs: user32.dll, ws2_32.dll (winsock), etc.

But function addresses differ between versions: Win 7, Win XP, etc.

MEM_CHECK - returns the raw data of a memory block to the server

PAGE_CHECK - checks a memory page, uses addresses relative to modules (base - wow.exe or some DLLs), calculates a hash of the memory block and compares it with the hash from the packet. Returns the result of the hash comparison to the server

Posted

PAGE_CHECK - checks a memory page, uses addresses relative to modules (base - wow.exe or some DLLs), calculates a hash of the memory block and compares it with the hash from the packet. Returns the result of the hash comparison to the server

It scans the whole virtual memory, not just the exe and DLLs. This way you can detect some third-party code caves allocated in the game process, for example.

There's also a difference between PAGE_CHECK_A and PAGE_CHECK_B:

type A scans all memory pages, while B only scans pages that start with MZ+PE headers (DLLs).

Server:
PAGE_CHECK
Hashing bytes: 00B00000355B000000A0
Sending packet 02, size 33:
Data:
02 opcode
00 strings
B2 PAGE_CHECK_A
19E8E264 seed
7DAE3A9E2EFC509E0086F32C8F19CDC4FB2DC3BF hash
00000000 offset
0A size
00 xor

Client:
Handled: 33
       VirtualQuery(0x00010000) = 0x0000001C
       VirtualQuery(0x00020000) = 0x0000001C
       VirtualQuery(0x00030000) = 0x0000001C
       VirtualQuery(0x00040000) = 0x0000001C
       VirtualQuery(0x00050000) = 0x0000001C
       VirtualQuery(0x00060000) = 0x0000001C
       VirtualQuery(0x00070000) = 0x0000001C
       VirtualQuery(0x00080000) = 0x0000001C
       VirtualQuery(0x00090000) = 0x0000001C
       VirtualQuery(0x00100000) = 0x0000001C
       VirtualQuery(0x00110000) = 0x0000001C
       VirtualQuery(0x00120000) = 0x0000001C
       VirtualQuery(0x00130000) = 0x0000001C
       VirtualQuery(0x00140000) = 0x0000001C
       VirtualQuery(0x00170000) = 0x0000001C
       VirtualQuery(0x00180000) = 0x0000001C
       VirtualQuery(0x00190000) = 0x0000001C
       VirtualQuery(0x001A0000) = 0x0000001C
       VirtualQuery(0x001B0000) = 0x0000001C
       VirtualQuery(0x001C0000) = 0x0000001C
       VirtualQuery(0x001D0000) = 0x0000001C
       VirtualQuery(0x001E0000) = 0x0000001C
       VirtualQuery(0x001F0000) = 0x0000001C
       VirtualQuery(0x00227000) = 0x0000001C
       VirtualQuery(0x00229000) = 0x0000001C
       VirtualQuery(0x00230000) = 0x0000001C
       VirtualQuery(0x00269000) = 0x0000001C
       VirtualQuery(0x0026C000) = 0x0000001C
       VirtualQuery(0x00270000) = 0x0000001C
       VirtualQuery(0x00280000) = 0x0000001C
       VirtualQuery(0x00290000) = 0x0000001C
       VirtualQuery(0x002A0000) = 0x0000001C
       VirtualQuery(0x002D0000) = 0x0000001C
       VirtualQuery(0x002E0000) = 0x0000001C
       VirtualQuery(0x002E1000) = 0x0000001C
       VirtualQuery(0x003D6000) = 0x0000001C
       VirtualQuery(0x003D8000) = 0x0000001C
       VirtualQuery(0x003E0000) = 0x0000001C
       VirtualQuery(0x003F0000) = 0x0000001C
       VirtualQuery(0x00400000) = 0x0000001C
       VirtualQuery(0x00410000) = 0x0000001C
       VirtualQuery(0x00449000) = 0x0000001C
       VirtualQuery(0x0044C000) = 0x0000001C
       VirtualQuery(0x00450000) = 0x0000001C
       VirtualQuery(0x00460000) = 0x0000001C
       VirtualQuery(0x00470000) = 0x0000001C
       VirtualQuery(0x00480000) = 0x0000001C
       VirtualQuery(0x00490000) = 0x0000001C
       VirtualQuery(0x004C9000) = 0x0000001C
       VirtualQuery(0x004CC000) = 0x0000001C
       VirtualQuery(0x004D0000) = 0x0000001C
       VirtualQuery(0x004E0000) = 0x0000001C
       VirtualQuery(0x004F0000) = 0x0000001C

       Data(0x008EE1CC, 0x00000008) =
02 opcode
0100 size
D6097373 checksum
4A result = cheat found
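The request and reply dumped above have a fixed layout (opcode, string count, check type, 4-byte seed, 20-byte hash, offset, size, xor byte, 33 bytes in all; reply opcode, 2-byte size, 4-byte checksum, one result byte per check). The serializer and parser below are an added example, not code from the thread or from any Warden implementation; they assume seed and hash go on the wire in the byte order the dump prints, that offset is little-endian, and they do not compute the hash or the reply checksum, whose algorithms the post does not state.

```python
import struct

# Constants taken from the dump in the post above.
OPCODE_CHECK = 0x02
PAGE_CHECK_A = 0xB2           # scans every page; PAGE_CHECK_B's type byte is not on the page
RESULT_CHEAT_FOUND = 0x4A     # reply byte the post labels "cheat found"


def build_page_check(seed: bytes, page_hash: bytes, offset: int, size: int,
                     xor_key: int, check_type: int = PAGE_CHECK_A) -> bytes:
    """Serialize one PAGE_CHECK request. Assumption: seed/hash are raw bytes in
    dump order and offset is little-endian; the post shows offset 0 only."""
    if len(seed) != 4 or len(page_hash) != 20:
        raise ValueError("seed must be 4 bytes and hash 20 bytes")
    if not 0 <= size <= 0xFF or not 0 <= xor_key <= 0xFF:
        raise ValueError("size and xor are single bytes")
    return (bytes([OPCODE_CHECK, 0x00, check_type]) + seed + page_hash
            + struct.pack("<I", offset) + bytes([size, xor_key]))


def parse_check_reply(packet: bytes) -> dict:
    """Decode the client reply: opcode, little-endian 2-byte payload size,
    4-byte checksum (carried through uncomputed), then `size` result bytes."""
    if len(packet) < 7 or packet[0] != OPCODE_CHECK:
        raise ValueError("not a check reply")
    size = struct.unpack_from("<H", packet, 1)[0]
    checksum = packet[3:7]
    results = packet[7:7 + size]
    if len(results) != size:
        raise ValueError("truncated reply")
    return {"checksum": checksum.hex().upper(), "results": results,
            "cheat_found": [r == RESULT_CHEAT_FOUND for r in results]}


# The exchange from the post, reconstructed byte for byte from the dump.
REQUEST = build_page_check(bytes.fromhex("19E8E264"),
                           bytes.fromhex("7DAE3A9E2EFC509E0086F32C8F19CDC4FB2DC3BF"),
                           0, 0x0A, 0x00)
REPLY = parse_check_reply(bytes.fromhex("020100D60973734A"))
```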

Posted

I've added some test code for Mac, but:

- Warden on Mac doesn't support any scanning.

- I can't test anything, because I don't have a Mac.

- The Mac-related code is not activated.
