TOM_RUS

Sorry for offtopic: could anyone upload WoW [Release Assertions Enabled] Build 11792 (Apr 1 2010) binary mentioned by TOM_RUS? I wasn't able to find it anywhere on the net.

http://www.ownedcore.com/forums/world-of-warcraft/world-of-warcraft-bots-programs/wow-memory-editing/285075-collection-wow-binaries-release-ptr-5.html#post2067796

Btw, a guy who posted this http://paste2.org/p/1388089 told he got it with some "script"

That's actually structs generated by my IDA script from leaked internal cataclysm alpha build WoW [Release Assertions Enabled] Build 11792 (Apr 1 2010) (as you can see it was build even before 3.3.5 ). There's small differences between structs in 11792 and 12340, but mostly they are same.

checks are not problem.... the problem is 132 error.....

Have you modified 0x03 warden packet for 2.4.3? It's required step...

Blizzard don't have to run whole module on server, they only need single function to generate RC4 encryption seed's and they can compile this function for any platform they want...

Is is client locale dependent:

for enUS/esMX(?) clients use: http://launcher.worldofwarcraft.com/alert

and for european clients (notice additional folder for locale):

enGB: http://status.wow-europe.com/en/alert

deDE: http://status.wow-europe.com/de/alert

frFR: http://status.wow-europe.com/fr/alert

esES: http://status.wow-europe.com/es/alert

ruRU: http://status.wow-europe.com/ru/alert

Any new on OS X support?

I tried your implementation TOM_RUS and currently it crashes the client after loading the module (Module_0DBBF209A27B1E279A9FEC5C168A15F7_Data).

**edit

Client crashes with

Improper header received: [ CE FA ED FE 07 00 00 00 03 00 00 00 08 00 00 00 0A 00 00 00 48 07 00 00 85 20 01 00 01 00 00 00 ]

That's weird, because header looks correct... http://paste2.org/p/1478703

The link looks to have been replaced now.

Yeah, i've re-uploaded 20110427 file and it should be available using old link.

Hi Neo2003, File 20110427 link broken? =(

Yeah, someone deleted all uploaded files.

I've add some test code for Mac, but:

- Warden on Mac doesn't support any scanning.

- I can't test anything, because I don't have mac.

- Mac related code not activated.

PAGE_CHECK - check memory page, use relative addresses of modules(base - wow.exe or some dll's), calclulate hash of memory block and compare with hash from packet. Return on server result of compare hashes

It scans whole virtual memory, not just exe and dll's. This way you can detect some third party code caves allocated in game process for example.

There's also difference between PAGE_CHECK_A and PAGE_CHECK_B:

type A scans all memory pages, while B only scans pages that starts with MZ+PE headers (dll's).

Server:
PAGE_CHECK
Hashing bytes: 00B00000355B000000A0
Sending packet 02, size 33:
Data:
02 opcode
00 strings
B2 PAGE_CHECK_A
19E8E264 seed
7DAE3A9E2EFC509E0086F32C8F19CDC4FB2DC3BF hash
00000000 offset
0A size
00 xor

Client:
Handled: 33
       VirtualQuery(0x00010000) = 0x0000001C
       VirtualQuery(0x00020000) = 0x0000001C
       VirtualQuery(0x00030000) = 0x0000001C
       VirtualQuery(0x00040000) = 0x0000001C
       VirtualQuery(0x00050000) = 0x0000001C
       VirtualQuery(0x00060000) = 0x0000001C
       VirtualQuery(0x00070000) = 0x0000001C
       VirtualQuery(0x00080000) = 0x0000001C
       VirtualQuery(0x00090000) = 0x0000001C
       VirtualQuery(0x00100000) = 0x0000001C
       VirtualQuery(0x00110000) = 0x0000001C
       VirtualQuery(0x00120000) = 0x0000001C
       VirtualQuery(0x00130000) = 0x0000001C
       VirtualQuery(0x00140000) = 0x0000001C
       VirtualQuery(0x00170000) = 0x0000001C
       VirtualQuery(0x00180000) = 0x0000001C
       VirtualQuery(0x00190000) = 0x0000001C
       VirtualQuery(0x001A0000) = 0x0000001C
       VirtualQuery(0x001B0000) = 0x0000001C
       VirtualQuery(0x001C0000) = 0x0000001C
       VirtualQuery(0x001D0000) = 0x0000001C
       VirtualQuery(0x001E0000) = 0x0000001C
       VirtualQuery(0x001F0000) = 0x0000001C
       VirtualQuery(0x00227000) = 0x0000001C
       VirtualQuery(0x00229000) = 0x0000001C
       VirtualQuery(0x00230000) = 0x0000001C
       VirtualQuery(0x00269000) = 0x0000001C
       VirtualQuery(0x0026C000) = 0x0000001C
       VirtualQuery(0x00270000) = 0x0000001C
       VirtualQuery(0x00280000) = 0x0000001C
       VirtualQuery(0x00290000) = 0x0000001C
       VirtualQuery(0x002A0000) = 0x0000001C
       VirtualQuery(0x002D0000) = 0x0000001C
       VirtualQuery(0x002E0000) = 0x0000001C
       VirtualQuery(0x002E1000) = 0x0000001C
       VirtualQuery(0x003D6000) = 0x0000001C
       VirtualQuery(0x003D8000) = 0x0000001C
       VirtualQuery(0x003E0000) = 0x0000001C
       VirtualQuery(0x003F0000) = 0x0000001C
       VirtualQuery(0x00400000) = 0x0000001C
       VirtualQuery(0x00410000) = 0x0000001C
       VirtualQuery(0x00449000) = 0x0000001C
       VirtualQuery(0x0044C000) = 0x0000001C
       VirtualQuery(0x00450000) = 0x0000001C
       VirtualQuery(0x00460000) = 0x0000001C
       VirtualQuery(0x00470000) = 0x0000001C
       VirtualQuery(0x00480000) = 0x0000001C
       VirtualQuery(0x00490000) = 0x0000001C
       VirtualQuery(0x004C9000) = 0x0000001C
       VirtualQuery(0x004CC000) = 0x0000001C
       VirtualQuery(0x004D0000) = 0x0000001C
       VirtualQuery(0x004E0000) = 0x0000001C
       VirtualQuery(0x004F0000) = 0x0000001C

       Data(0x008EE1CC, 0x00000008) =
02 opcode
0100 size
D6097373 checksum
4A result = cheat found

You can create new signatures, but you need to analyze how that cheat work (writing memory at some address, injecting dll etc) first...

Dear TOM_RUS if you're interested, please tell where you can send the cheats that do not catch warden. To pm on here you do not answer

I'm not interested in cheats analysis. It's may take a lot of time. I have different things to do...

Detection of memory writes to dynamic player structures is possible, but it's not implemented.

You can create new signatures, but you need to analyze how that cheat work (writing memory at some address, injecting dll etc) first...

Even if there's any disconnection issues, it's not caused by windows firewall... I never had any random disconnects. Also, kick option is ignored at client response timeout, so it may disconnect client that not sent warden response in given time (1.5 minutes).

That explains a lot of things If I put timeout kicks under effect of kick config, can it result any error?

One more short notice, logging is a bit too detailed, I should have to buy a new hdd after a week of usage

I've fixed bug with timeout kicks ignoring config.

You can comment out some of logging if you don't need it... It's there mostly for debugging purposes.

you didnt have any issues concerning windows firewall users? some of them got randomly disconnected during loading or directly after login while kick wasnt even enabled.

Even if there's any disconnection issues, it's not caused by windows firewall... I never had any random disconnects. Also, kick option is ignored at client response timeout, so it may disconnect client that not sent warden response in given time (1.5 minutes).

After 2 hours of testing I got a lot of fails on these two memory tests:

(403, 243, '', '', 4609675, 5, '5E5DC20800', NULL),

(438, 243, '', '', 11287980, 8, '04000000903C9F00', NULL) this one is same as uac false positives on page 4

I have no idea if the other is also a false positive or not.

And i have a question, this implementation does not cause client freezes to mac users?

(403, 243, '', '', 4609675, 5, '5E5DC20800', NULL),

this address is in code section and can't be modified without third-party programs

.text:0046568B 5E                             pop     esi
.text:0046568C 5D                             pop     ebp
.text:0046568D C2 08 00                       retn    8

(438, 243, '', '', 11287980, 8, '04000000903C9F00', NULL)

this address is in data section and has default value: FFFFFFFF903C9F00

.data:00AC3DAC FF FF FF FF    dword_AC3DAC    dd 0FFFFFFFFh           ; DATA XREF: sub_4D80C0+5r
.data:00AC3DB0 90 3C 9F 00                    dd offset aCharacterattac ; "CharacterAttachment"

There's a 2 legit memory writes in client, that may change first 4 bytes (FFFFFFFF) at this address. So it indeed may fail on server side.

.text:004D80E2 A3 AC 3D AC 00                 mov     dword_AC3DAC, eax // eax value may vary based on login state (0...17)

.text:004D8AA5 89 0D AC 3D AC+                mov     dword_AC3DAC, ecx // ecx = -1

Mac clients not supported, and probably never will, because I need physical access to mac book, which I don't have.

Could you give us a little manual or description about this implementation?

What kind of manual or description?

Using this only one module it can detect different type of cheating programs? Are there any known false positive results?

It has all detection types that Neo2003's implementation has and even additional one (MODULE_CHECK). PROC_CHECK not implemented though (i'm not even sure that it useful for something). No idea about false positives, better ask zhenya about that as he is using this for more than year now.

The problem is that it is not work on Win7.

Got pointer: 0X10
couldn't read sessionkey, read 0 bytes instead of 40
reading sessionkey failed - will try again in 2 second

It does work, you need to use it properly.

Do you realize that each character in the string is 1 byte, but it represents only half of real value (string FF - 2 bytes, but byte FF is 1 byte). So 64-character string become 32 bytes BigNumber....

Code is detailed enough to figure out how it works and what it does. You probably should read about SRP first.

I think proper way to implement this aura will be Spell Effect/State Immune implementation...

Those spells apply following auras:

Apply Aura: Aura of Despair (1)

Apply Aura: Mod Melee Attack Speed - %

Apply Aura: Effect Immunity (30) - SPELL_EFFECT_ENERGIZE

Apply Aura: Effect Immunity (137) - SPELL_EFFECT_ENERGIZE_PCT

Apply Aura: State Immunity (24) - SPELL_AURA_PERIODIC_ENERGIZE

Apply Aura: State Immunity (21) - SPELL_AURA_OBS_MOD_MANA

We have somewhere in Unit.cpp:

bool Unit::IsImmuneToSpell(SpellEntry const* spellInfo)
{
   if (!spellInfo)
       return false;

   //TODO add spellEffect immunity checks!, player with flag in bg is immune to immunity buffs from other friendly players!
   //SpellImmuneList const& dispelList = m_spellImmune[iMMUNITY_EFFECT];

hm i dont think so, i actually can login , after that the message appears.

Also i edited the realmlist.wtf

Blizzard servers don't require correct login information to apply client patches.

You are probably connecting to blizzard's server...

Hey!

First of all, awesome job! This warden support is really great stuff!

I'm looking at the source code here and there's a few questions that arise in my head, there's a fair chance that I misunderstand the way that warden works and/or missing some obvious code that in fact does what I'm talking about, but I'll give it a shot anyway So here goes:

1. When the client sends a warden cheat response, is that cheat anyhow validated with the module or is the list of "answers" somewhat predefined? I mean, I would imagine this works like this:

- Server chooses the module, for instance, memory check and chooses which page / part / address / whatever else of memory to ask for

- Server sends the cheat check request to the client

- Client processes the request and sends the result back

- Server processes the response and cross checks the result with output that the warden module gives server-side

In case the responses are predefined, the warden check communication can be spoofed more easily by the client, cause the possible man-in-the middle attack would only require the cheater to know the predefined values, right?

2. This question implies that the responses are predefined. If so, why do we need to load the modules into the memory and basically operate in Win32 code? My understanding then is that we just need to read the module and send it to the client (more or less) at the beginning of the session, and then just send the requests, get replies and compare them with predefined values. So maybe this can be coded without using native Win32 calls?

Thanks in advance for your reply

Each module implements exactly same checks types like all other modules. The only difference between modules is encryption function. Output of that function is used as seed for initializing RC4 encryption for all warden packets.

Why me have to load module on server side: simply to get encryption keys, so client can understand us (we also can validate some initial packets by feeding them to the module).

Each warden S>C packet is encrypted, C->S packets also encrypted, but in addition each packet also has it's checksum.

It can be spoofed, but you have to deal with stream encryption and checksum checks. You will have to process all packets etc...

for some reason, I have to use VS2003 to compile the project.

In the source there is some code used keword '__thiscall' which is illegal in VC7.1.

How to deal with it?

btw: If I use '__stdcall' instead I got an error : Run-Time Check Failure #0 - The value of ESP was not properly saved across a function call. This is usually a result of calling a function declared with one calling convention with a function pointer declared with a different calling convention.

VS2003 not supported.

You lacking warden modules? Isn't I sent you all mine? Like 200+ of them...