Posted

Simple fix for creating needed warden (Windows/Mac), written for TC2, but with small modifications should work for mangos

I always thought that the people in the TC are kind people ... This is not a fix, this is a very bad hack. I would be ashamed to publish this.

We do not insult other projects or what they do. It's a matter of being kind.

Posted

Why would you call it 'hack'?

  • Client sends OS data only to authserver, so the operating system detection can't be handled in worldserver
  • The value must be stored in database, because all data from authserver to worldserver is sent this way
  • Storing plain string instead of comparing it to known operating systems and storing some ID of the OS is better, because there could be more possible values other than "Win" and "OSX"

The 'if (ch->os[n]) operatingSystem.push_back(ch->os[n]);' part could be done without IFs or in a loop, but really, checking if a byte is zero is faster than pushing 0 at the end of the string.

Posted

After I installed this I keep getting errors that the 0004331.map file is not compilable with the rev that the Warden is. Can somebody help me with this or teamview me so we can fix this? I'll really appreciate this :D

Posted

Any news on OS X support?

I tried your implementation TOM_RUS and currently it crashes the client after loading the module (Module_0DBBF209A27B1E279A9FEC5C168A15F7_Data).

**edit

Client crashes with

Improper header received: [ CE FA ED FE 07 00 00 00 03 00 00 00 08 00 00 00 0A 00 00 00 48 07 00 00 85 20 01 00 01 00 00 00 ]

Posted
Any news on OS X support?

I tried your implementation TOM_RUS and currently it crashes the client after loading the module (Module_0DBBF209A27B1E279A9FEC5C168A15F7_Data).

**edit

Client crashes with

Improper header received: [ CE FA ED FE 07 00 00 00 03 00 00 00 08 00 00 00 0A 00 00 00 48 07 00 00 85 20 01 00 01 00 00 00 ]

That's weird, because header looks correct... http://paste2.org/p/1478703
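The 32 bytes from the crash message can be decoded field by field to check them against the Mach-O header layout. This is an added example, not part of the original posts or of the project's code; the constant names come from Apple's `<mach-o/loader.h>`, and `parse_mach_header` is a hypothetical helper name.

```python
import struct

# Bytes copied from the "Improper header received" message in the post above.
HEADER_HEX = ("CE FA ED FE 07 00 00 00 03 00 00 00 08 00 00 00 "
              "0A 00 00 00 48 07 00 00 85 20 01 00 01 00 00 00")

# Constants from Apple's <mach-o/loader.h> and <mach/machine.h> (subset).
# Key: magic as read little-endian -> (struct byte order, word size).
MAGICS = {0xFEEDFACE: ("<", 32), 0xCEFAEDFE: (">", 32),
          0xFEEDFACF: ("<", 64), 0xCFFAEDFE: (">", 64)}
CPU_TYPES = {7: "i386", 0x01000007: "x86_64", 18: "ppc"}
FILE_TYPES = {1: "MH_OBJECT", 2: "MH_EXECUTE", 6: "MH_DYLIB", 8: "MH_BUNDLE"}
FLAGS = {0x1: "MH_NOUNDEFS", 0x4: "MH_DYLDLINK", 0x80: "MH_TWOLEVEL",
         0x2000: "MH_SUBSECTIONS_VIA_SYMBOLS", 0x10000: "MH_BINDS_TO_WEAK"}

def parse_mach_header(raw: bytes) -> dict:
    """Decode a mach_header(_64) and, if present, the first load command id."""
    if len(raw) < 28:
        raise ValueError("a mach_header is at least 28 bytes")
    (magic,) = struct.unpack_from("<I", raw, 0)
    if magic not in MAGICS:
        raise ValueError(f"not a Mach-O magic: {magic:#010x}")
    order, bits = MAGICS[magic]
    cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags = \
        struct.unpack_from(order + "6I", raw, 4)
    header_size = 28 if bits == 32 else 32  # 64-bit header adds a reserved word
    info = {
        "bits": bits,
        "byte_order": "little" if order == "<" else "big",
        "cputype": CPU_TYPES.get(cputype, hex(cputype)),
        "cpusubtype": cpusubtype,
        "filetype": FILE_TYPES.get(filetype, hex(filetype)),
        "ncmds": ncmds,
        "sizeofcmds": sizeofcmds,
        "flags": sorted(name for bit, name in FLAGS.items() if flags & bit),
        "unknown_flags": flags & ~sum(FLAGS),  # bits not in the subset above
    }
    if len(raw) >= header_size + 4:  # trailing bytes start the first load command
        info["first_load_cmd"] = struct.unpack_from(order + "I", raw, header_size)[0]
    return info

if __name__ == "__main__":
    for key, value in parse_mach_header(bytes.fromhex(HEADER_HEX)).items():
        print(f"{key:15} {value}")
```

The bytes decode as a little-endian 32-bit i386 `MH_BUNDLE` with 10 load commands, and the trailing `01 00 00 00` is the id of the first load command (`LC_SEGMENT`).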

Posted

I'm a Mac owner and can offer any required help regarding development and testing of Warden on Mac OS X. Unfortunately I have no skills in reverse-engineering and similar tasks (and do not expect that anybody will spend his time training me to do it, though it would be nice), but Macbook Pro itself and my decent C++ skills are always ready to help.

By the way, I'd like to note that I have tested current implementation made by TOM_RUS and it works "fine" on Mac OS X (client does not crash). But I know that it does not do any real work now.

Posted

Hi TOM_RUS, firstly BIG thanks for amazing work.

I am testing on local, and I have questions: my GM account continues to be banned by Warden without any third program...

Here are examples of these bans

2011-06-29 06:09:31 RESULT PAGE_CHECK fail, CheckId 800 account Id 5

2011-06-29 06:36:40 RESULT PAGE_CHECK fail, CheckId 261 account Id 7

2011-06-29 06:36:40 RESULT PAGE_CHECK fail, CheckId 88 account Id 7

2011-06-29 06:36:42 RESULT PAGE_CHECK fail, CheckId 261 account Id 5

2011-06-29 15:45:56 RESULT PAGE_CHECK fail, CheckId 799 account Id 5

2011-06-29 15:56:00 RESULT PAGE_CHECK fail, CheckId 799 account Id 5

2011-06-29 16:17:59 RESULT PAGE_CHECK fail, CheckId 261 account Id 5

2011-06-29 18:53:57 RESULT PAGE_CHECK fail, CheckId 88 account Id 5

2011-06-30 00:48:43 RESULT PAGE_CHECK fail, CheckId 261 account Id 5

2011-06-30 03:19:02 RESULT PAGE_CHECK fail, CheckId 799 account Id 5

2011-06-30 03:53:15 RESULT PAGE_CHECK fail, CheckId 134 account Id 5

2011-06-30 04:36:18 RESULT PAGE_CHECK fail, CheckId 261 account Id 11

2011-06-30 17:12:57 RESULT PAGE_CHECK fail, CheckId 782 account Id 11

2011-06-30 17:58:36 RESULT PAGE_CHECK fail, CheckId 88 account Id 11

Thanks for any reply man
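One way to triage a log like the one above is to group failures by CheckId and see which checks fail on several distinct accounts, since those are candidates for reviewing the check data before treating the results as evidence of cheating. This is an added example, not part of the original post or of the project's code; the function names, the regular expression and the two-account threshold are assumptions.

```python
import re
from collections import defaultdict

# Log lines copied from the post above.
LOG = """\
2011-06-29 06:09:31 RESULT PAGE_CHECK fail, CheckId 800 account Id 5
2011-06-29 06:36:40 RESULT PAGE_CHECK fail, CheckId 261 account Id 7
2011-06-29 06:36:40 RESULT PAGE_CHECK fail, CheckId 88 account Id 7
2011-06-29 06:36:42 RESULT PAGE_CHECK fail, CheckId 261 account Id 5
2011-06-29 15:45:56 RESULT PAGE_CHECK fail, CheckId 799 account Id 5
2011-06-29 15:56:00 RESULT PAGE_CHECK fail, CheckId 799 account Id 5
2011-06-29 16:17:59 RESULT PAGE_CHECK fail, CheckId 261 account Id 5
2011-06-29 18:53:57 RESULT PAGE_CHECK fail, CheckId 88 account Id 5
2011-06-30 00:48:43 RESULT PAGE_CHECK fail, CheckId 261 account Id 5
2011-06-30 03:19:02 RESULT PAGE_CHECK fail, CheckId 799 account Id 5
2011-06-30 03:53:15 RESULT PAGE_CHECK fail, CheckId 134 account Id 5
2011-06-30 04:36:18 RESULT PAGE_CHECK fail, CheckId 261 account Id 11
2011-06-30 17:12:57 RESULT PAGE_CHECK fail, CheckId 782 account Id 11
2011-06-30 17:58:36 RESULT PAGE_CHECK fail, CheckId 88 account Id 11
"""

# Assumed line format, inferred from the lines above.
LINE_RE = re.compile(
    r"^\S+ \S+ RESULT (\w+) fail, CheckId (\d+) account Id (\d+)$")

def failures_by_check(log_text):
    """Map CheckId -> {"count": failures, "accounts": distinct account ids}."""
    stats = defaultdict(lambda: {"count": 0, "accounts": set()})
    for line in log_text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # skip blank or unrelated lines
        check_id, account = int(match.group(2)), int(match.group(3))
        stats[check_id]["count"] += 1
        stats[check_id]["accounts"].add(account)
    return dict(stats)

def suspect_checks(log_text, min_accounts=2):
    """CheckIds that failed on at least min_accounts distinct accounts."""
    stats = failures_by_check(log_text)
    hits = [cid for cid, s in stats.items() if len(s["accounts"]) >= min_accounts]
    # Most widespread first, then most frequent, then lowest id.
    return sorted(hits, key=lambda c: (-len(stats[c]["accounts"]),
                                       -stats[c]["count"], c))

if __name__ == "__main__":
    print(suspect_checks(LOG))
```

On the lines from the post, checks 261 and 88 each fail on accounts 5, 7 and 11, while 799, 800, 134 and 782 each fail on a single account.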

Posted

Can someone explain what the "checks" check for?

If I understand it correctly (which I may not), these check types

PROC_CHECK = 0x7E, // uint Seed + byte[20] SHA1 + byte moduleNameIndex + byte procNameIndex + uint Offset + byte Len (check to ensure proc isn't detoured)

MEM_CHECK = 0xF3, // byte moduleNameIndex + uint Offset + byte Len (check to ensure memory isn't modified)

MPQ_CHECK = 0x98, // byte fileNameIndex (check to ensure MPQ file isn't modified)

LUA_STR_CHECK = 0x8B, // byte luaNameIndex (check to ensure LUA string isn't used)

TIMING_CHECK = 0x57, // empty (check to ensure GetTickCount() isn't detoured)

check for modification of the client itself and these

DRIVER_CHECK = 0x71, // uint Seed + byte[20] SHA1 + byte driverNameIndex (check to ensure driver isn't loaded)

PAGE_CHECK_A = 0xB2, // uint Seed + byte[20] SHA1 + uint Addr + byte Len (scans all pages for specified hash)

PAGE_CHECK_B = 0xBF, // uint Seed + byte[20] SHA1 + uint Addr + byte Len (scans only pages starts with MZ+PE headers for specified hash)

MODULE_CHECK = 0xD9, // uint Seed + byte[20] SHA1 (check to ensure module isn't injected)

look for malicious programs/drivers, ok?

And let's say I have the source code of some well-known cheat program, like WoWEmuhacker (I don't, but _someone_ does). And I rename it, do some really minor modifications in the code and recompile it, so its checksums are different. Now it can't be detected by any of the last four checks and probably neither can it be by the rest, because it does not modify the client, only its data in memory (like movement speed). Is this correct?

Posted
Now it can't be detected by any of the last four checks and probably neither can it be by the rest, because it does not modify the client, only its data in memory (like movement speed).

And what do you think MEM_CHECK is for? I'm not sure what your definition of "modify the client" is, but if it's screwing with WoW's data I would most certainly call that modifying the client.

Posted

At this moment Warden can't detect cheats which use dynamic memory. But you can write reading of dynamic offset ;) add some value to it and read data from dynamic struct.
