Neo2003

Hello all,

A redone version is available, see 1st post.

Basically, in wardend there is now only module load and execute it, the rest is in mangosd. So only 1 exchange only for each account it done.

Also, it can ban people if you configure it to do this.

Neo2003

Hello all,

For the moment, I focus only on the patch, not on the db content.

The next version of the patch will be different: warden tables in world db, no db connection needed for wardend, nor any warden module folder. Only mangosd will need these data, then wardend is used only to run the modules, that's it. Moreover the wardend will be able to support more than one mangosd at the same time. Also reconnection will be better working. Let me finish and test the patch, then I will release it (before the end of the week I think).

Then after, I will focus on the content data. Given content is just a sample data to show what it needs and how it works. When we will start to put real detections, we will most probably truncate the tables and drop the current sample data which more or less is random test without any real detection in mind.

Neo2003

The easiest way to fix this problem will be move all cheat checking code from wardend to mangosd, and use wardend only to get encryption keys... It will also reduce useless network traffic between wardend<>mangosd and make it faster overall.

will eliminate desync problem.

While I don't see any reason for wardend to crash with current code, so this case of reconnection would be rare, I agree on this. The more I code, the more I see it would be simpler to move near all code to mangosd and let only the keys/seed generation in wardend.

Give me a couple of days to make this. Btw I don't think we can say it's a big traffic, no packet reach the 1KB size currently.

New version, mangosd can now reconnect to wardend automatically, see 1st post.

It has been made as a separate daemon just because it can only be win32 code in order to load the win32 modules which are dll without header.

Now we know that these modules runs on Wine, and these modules detect that they run on Wine. This should not affect the way they compute the keys, so this warden daemon most probably works fine in Wine.

Hello,

On top of WardenDeamon.h in src/wardend/ you have the chance of the checks.

// Definition of ratio of check types (based on a long session of 1162 checks)
// They are cumulative, meaning that I add the %age to the previous one
#define WCHECK_PAGE1_RATIO  36.5f   // 36.5
#define WCHECK_PAGE2_RATIO  73.0f   // 36.5
#define WCHECK_MEMORY_RATIO 94.0f   // 21.0
#define WCHECK_DRIVER_RATIO 97.4f   // 03.4
#define WCHECK_FILE_RATIO   98.7f   // 01.3
#define WCHECK_LUA_RATIO   100.0f   // 01.3

For example put PAGE1 and PAGE2 to 15% each so MEMORY will be 64% instead of 21%:

#define WCHECK_PAGE1_RATIO  15.0f   // 15.0%
#define WCHECK_PAGE2_RATIO  30.0f   // 15.0%
#define WCHECK_MEMORY_RATIO 94.0f   // 64.0%
#define WCHECK_DRIVER_RATIO 97.4f   // 03.4%
#define WCHECK_FILE_RATIO   98.7f   // 01.3%
#define WCHECK_LUA_RATIO   100.0f   // 01.3

Have fun

New file: 20110327c

This crash fixed + more, see first post.

Hello, New version posted.

There was a bug in memory check validation code, bad index used. It's now working then I fixed the content sql to have proper data and activated it, so bad memory check by client will make it be kicked.

See first post and get file 20110327.

is it possible to allow worldserver restore connection if connection to wardend was interrupted?

Not yet. for the moment you have to restart mangos. Anyway if wardend crashs, this should not kick clients, this just disables the system.

*pkt << uint8(mWardenModuleChecks[md5][WARD_CHECK_TIMING] ^ m_seed1);

its for 3.3.3 ? in 3.3.5a there is no TIMING_CHECK and MPQ.

Yes, I know that in 3.3.5 there WERE no time_check, it has been reactivated See src/game/WardenMgr.cpp line 275

It just works fine with 3.3.5 too.

WEH working like without warden

Probably yes, I just provided sample data to put in the DB, and memory check is disabled since the data I gave seams to be wrong.

So I think it's a matter of knowing the memory address that is hook by this tool and, put the unmodified content in warden_check_memory table and activate it in src/wardend/WardenDaemon.cpp line 944 by returning false when the test fails.

Hello,

Here is a patch to have warden managed by MaNGOS rev 11289.

About the patch

In game project I added WardenMgr.cpp and WardenMgr.h. This Warden Manager is doing everything for client<->mangosd communication, including encrypting/decrypting packets.

I store the two 2048bits rc4 keys in the WorldSession + a shortTimer to manage the timings between cheat checks and to be able to timeout a not responding client and kick it.

That is mostly what this manager does for client, it does not manage any module nor have any storage requirement. however, it has a communication part to exchange information with a Warden Daemon.

Warden Daemon is a Win32 VC project only because it will load modules that are Win32 code.

This Daemon waits for mangosd connection and then is using his own protocol to discuss with mangosd.

This daemon loads the modules and checks information from the realm DB; it loads modules code, generates the keys, build cheat checks and validate them.

This Daemon is loading each module only for about 1 second in order to have the keys and seed then unload it. I did set it arbitrary to handle a maximum of 20 modules at the same time, meaning client connection rate at 20 clients/second. if 20 modules are already loaded and if it gets a new request, it will simply delay it by 5 seconds.

Warden

Each client is assigned a module randomly (from the 71 I have), then it will keep the same module for the full day. If the client is disconnecting and come back the same day, the same module is reused. If he come back another day, he will get a new one. A module is never changed during a session, whatever the length of the session is. Each time the same user connect the same day, keys will change each time.

For the cheat checks, the daemon build the list based on what is in the DB.

All checks are working: timing, page, drivers, memory, mpq and lua. Checks are done a the rate 6 to 9 checks every 30sec-1minute approximately. A new cheat check set is sent 15 to 25 seconds after the last reply from client, and the client can take up to 1 minute to reply.

Timing are not validated because I don't know how to compute the client tick count from the server. I simply accept any value.

Memory check are not validated too (so I accept anything) because what the client returns seams to differ from what I got in past.

Client is kicked if it did not load the module after the module has been sent.

The client is banned for 24H if it failed a cheat check (I only kick it for the moment).

Installation:

This patch is very light on mangos, so it will apply properly on any rev. But only 3.x ones since 2.x and 1.x warden system was different.

- Apply the patch and compile mangos as always, I tested Win32, Winx64 and Linux 32.

- Compile wardend with your favorite VC, I added the 3 solutions in /win for the 3 VCs.

- Configure wardend.conf to have DB information and path to the folder containing the warden folder present in the archive.

- Apply the update sql (sql/update/99999_*.sql) on realm db and apply the content sql which is in the archive

- Start wardend on a windows machine and after that start mangos anywhere, you will have to update mangosd.conf to activate this code and to setup the IP address and port information for wardend. See the end of mangosd.conf.

Warning:

Don't let this warden daemon be accessible from outside, make it listen on the loopback interface if you run it on a windows box connected to internet along with mangosd.

File: 20110326: http://filebeam.com/97478ef0a0133a493ad164fe05f76e43

- Initial published version

File: 20110327 http://filebeam.com/6bf78f32b0beb3dced13cb8be2cdf82d

- fixed memory check code, there was a bug in it

- added proper content for memory check and activated it by default

File: 20110327c http://filebeam.com/16eb3e969b151b74cda28581ad9f8531

- Added OS detection, so you will have to apply 99999_01_realmd_account.sql again due to a new column

As a result, MAC client will not be checked since I don't have any macho module to test

- Fixed wardend crash in case mangosd is stopped and reconnect

- Timing between checks is fixed, checks were sent too often (twice speed)

- Content sql now includes WEH and others, thanks to zhenya``

File: 20110328 http://filebeam.com/4ff191aca8c8405612b6f922b19d7648

- Wardend doesn't crash anymore when you close it when it is still connected to mangosd

- Mangosd can reconnect to wardend if you close it or if it crashes, just wait that mangosd display the deconnection before you start wardend again

In this case, some clients can be kicked because of some problems to synchronize between mangosd and wardend

File 20110331 http://filebeam.com/26a8fff342b2b7d77a6194d4dd646a0e

- Moved most code around.

Wardend is just a process that requires no DB connection and no files except itself and 2 dll. It accepts only 1 command and does not store anything in its memory. It just get a module+seed+sessionKey and return transformed seed+server key+client key

Mangosd now do all the work about negociation and cheat-checks

I added a new option in mangosd.conf: Wardend.ban = 0|1. This sets the Warden Manager to ban account for 24H instead of just kicking at failed check when set to 1. Timeout in replies are still only kicking clients

I removed DB and file path information in wardend.conf

- Wardend is not limited to 1 mangosd connection, it can host many mangosd if needed

- Reconnection code redone to work lot better and even at start if mangosd was started before wardend

- All warden_* tables moved from realm DB to world DB

- warden folder containing modules must be next to dbc/maps/vmaps/mmaps folders

File 20110402 http://filebeam.com/fe266bbfeae7f7b2799a7fab4767e47b

- Prevent crash if warden is disabled in configuration

- Make the core properly connect to wardend if started after

- Added a small delay in main loop to try to get packets fully from wardend

File 20110403 http://filebeam.com/fddc1f2246bc16bc443d6b4ed82c4c05

- Fixed the incomplete packet problem

- Fixed sending several time the same request after wardend reconnection which caused clients kicks

Note: I did forget to update VC80 and VC90 wardend projects. Remove the used BufferedSocket.cpp and .h from the wardend project and re-add the ones in /src/wardend. I will fix in next version where I plan to add some better content.

File 20110404 http://filebeam.com/a6816547bc270668bec43cb9704b3d24

- Fixed memory leak in wardend

- Another Reactor used on Linux, let's hope it's the proper one

- Fixed sql data files

File 20110406 http://filebeam.com/f7e5f956f718991dd371a6007b2c0359

- Timer for wardend communication and timers for the state machine in each session are now all updated with the same source from World::Update()

- Ping timer is now 10 seconds instead of fluctuating between 1 second and 5 seconds

- Warden system base tick interval is now 1 second instead of 500ms

- WardenMgr class is now a friend of WorldSession class, most access methods I did add are now removed

- Warden System automatically disables itself if any table is empty or if no module can be used

- Fixed a possible wrong error message about a memory check when a cheat is detected in other checks

- Don't mark anymore all remaining checks failed once one is failed

- Wardend will timeout any connection where no data has been received for 15 seconds and close it

File 20110427 http://filebeam.com/97dd974c4da5d17513c54ab9a8946f68

- Added an option in mangosd.conf to configure the ban length

- Fixed kick at log-off problem thanks to Vlad852

- Trash any unknown packet from Wardend to prevent freeze like behavior

- Changed the default communication port to 6555

- Adjusted some timers to get less false kicks

Neo2003

Last version of the diff: http://trunk.dyndns.org/Warden110326b.diff

Changes:

- Proper structure in MEM_CHECK and FILE_CHECK is case memory not read or file not found

- If wardend crashes, the client are not disconnected and an error message is displayed in mangos console

- Use PAGE1 and PAGE2 checks instead of just PAGE1

Since I will post on public part, I uploaded the files to filebeam.

In case of problem, here is the delete link, don't use it if not required

http://filebeam.com/97478ef0a0133a493ad164fe05f76e43&del=910477
[url]http://filebeam.com/6bf78f32b0beb3dced13cb8be2cdf82d&del=185390[/url]
[url]http://filebeam.com/16eb3e969b151b74cda28581ad9f8531&del=913252[/url]
[url]http://filebeam.com/4ff191aca8c8405612b6f922b19d7648&del=442842[/url]
[url]http://filebeam.com/26a8fff342b2b7d77a6194d4dd646a0e&del=876343[/url]
[url]http://filebeam.com/fe266bbfeae7f7b2799a7fab4767e47b&del=868927[/url]
[url]http://filebeam.com/fddc1f2246bc16bc443d6b4ed82c4c05&del=615408[/url]
one missed
[url]http://filebeam.com/f7e5f956f718991dd371a6007b2c0359&del=764441[/url]
[url]http://filebeam.com/97dd974c4da5d17513c54ab9a8946f68&del=448608[/url]

Hello,

This is last version.

- Better variable initialization in constructors

- Some English changes

- Added a column in warden_check_file table to store the MPQ checks resulting SHA1

- Checking this SHA1 on mpq cheat-check result

http://trunk.dyndns.org/Warden110325_11282.zip

Simple, replace the RSA public certificate in client by a one for which we have the private part.

Raison: The redirect packet (sent by realm containing the world server address) is RSA signed and the client does not accept the packet if the signing is not done with Offy private certificate.

Last words: RSA is not breakable at this point of time.

Cheaters can change whole game world, not just textures. It's not that hard to put SHA1 of the files in DB in addition to file names. This can be useful for someone.

Ah ok, I thought only .adt and .m2 files were checked. Btw, It's coded (SHA1 added to the DB and used) already.

I will do an English pass and also try to homogenize the variable names. Then I will post a new version the evening.

About MPQ file check, how to check it fully?

I don't want to extract the MPQ to check all the files and this check is only for people that change the textures, do we care?

But hes I will test the result, not the SHA1, or I can put some SHA1 of files in the DB but I doubt it is useful.

Do you have other idea for the SHA1?

For grammar, I will check. When I am tired, my English is horrible

Do you happen to have the connection/session key offsets for current (4.0.6) ?

I just don't know how to get them myself

New version (just the patch, the rest does not change): http://trunk.dyndns.org/Warden110319b.diff

Lua reply parsed properly and written clearly on wardend console

Added message BASIC_LOG on wardend console for all reasons of kicking

All other messages are DEBUG_LOG now, loading/unloading module messages are DEBUG_DETAIL

Really change the module every day, last_login was already updated by realmd, so I cannot use it, I added a mediumit containing the year_day to be able to track day change.

New Version : http://trunk.dyndns.org/Warden110318_11263.zip

WardenMgr::SendWardenData() changed to use BuildChecksum() and opcode and added content description

Coded transformed seed sent back by client is now checked for validity

The order of things done with timer was not proper and we were lucky that client was fast enough or we would have a problem of packet order. Fixed

I also share the flow of the functions so that you can trace what the code is doing easier:

http://trunk.dyndns.org/Flow.txt

Qsa or faramir118,

Can you please add the MaNGOS copyright in the python file I gave you to generate mmaps (contrib/mmap/mmap_extract.py)? I did forgot to add it.

Thanks,

Neo2003

Here is the patch with all needed to test it:

http://trunk.dyndns.org/Warden110317_11260.zip

You can't. Moreover this forum is not about hacking an online game.

I close this subject.

If you talk about official as I suspect: You can't.

The server will kick any client no responding in time (~2 minute timer). Repetitive non answering will probably end up in being banned.

Hello,

I post here for a simple raison: I would like that we all discuss what to do.

I have a working patch.

About the patch

In game project I added WardenMgr.cpp and WardenMgr.h. This Warden Manager is doing everything for client<->mangosd communication, including encrypting/decrypting packets.

I store the two 2048bits rc4 keys in the WorldSession + a shortTimer to manage the timings between cheat checks and to be able to timeout a not responding client and kick it.

That is mostly what this manager does for client, it does not manage any module nor have any storage requirement. however, it has a communication part to exchange information with a Warden Daemon.

Warden Daemon is a Win32 VC project only because it will load modules that are Win32 code.

This Daemon waits for mangosd connection and then is using his own protocol to discuss with mangosd.

This daemon loads the modules and checks information from the realm DB; it loads modules code, generates the keys, build cheat checks and validate them.

This Daemon is loading each module only for about 1 second in order to have the keys and seed then unload it. I did set it arbitrary to handle a maximum of 20 modules at the same time, meaning client connection rate at 20 clients/second. if 20 modules are already loaded and if it gets a new request, it will simply delay it by 5 seconds.

Warden

Each client is assigned a module randomly (from the 71 I have), then it will keep the same module for the full day. If the client is disconnecting and come back the same day, the same module is reused. If he come back another day, he will get a new one. A module is never changed during a session, whatever the length of the session is. Each time the same user connect the same day, keys will change each time.

For the cheat checks, the daemon build the list based on what I did put in the DB and this is sniffed data I know nothing about.

All checks are working: timing, page, drivers, memory, mpq and lua. Checks are done a the rate 6 to 9 checks every 1 minutes approximately. A new cheat check set is sent 12 to 15 seconds after the last reply from client, and the client can take up to 1 minute to reply.

Timing are not validated because I don't know how to compute the client tick count from the server. I simply accept any value.

Memory check are not validated too (so I accept anything) because I don't know what the client returns.

We need to get the offset in wow.exe memory for the values we want to check. For example ask the client for the memory chunk that is containing player speed, and then we could check the results. I did not code anything around this yet.

Client is kicked if it did not load the module after the module has been sent.

The client is banned for 24H if it failed a cheat check (I only kick it for the moment).

Now let's raise the problems:

- Do we apply such a patch on git? It adds a unique anti-cheat system MaNGOS miss a lot, but what about Blizz?

My feeling: Noone will care. Blizz is not chasing after emulator for a long time

- Can I post such a patch in the public section of the forum?

My feeling: same

- How can I share the modules with their keys and their cheat check table?

My feeling: For this I will have to use IRC I think, it's a bit dangerous to post modules here .

- If this patch is added, do you think someone will use the code to build a cheating proxy on official and then expose mangos to problems?

My Feeling: One wanting to do it would have done it without the patch, many information are present on Internet

Since I am at work I cannot post the patch. I will post it this evening. I will give you the patch for [11260], 71 modules with their full Check table and a set of cheat check I did capture from Official.

To make it work you have to:

- Apply the patch and compile mangos as always, I tested Win32, Winx64 and Linux 32.

- Compile wardend with your favorite VC, I added the 3 solutions in /win for the 3 VCs.

- Configure wardend.conf to have DB information and path to the folder containing the warden folder I put in the archive.

- Apply the update sql on realm db and apply the content sql

- Start wardend on a windows machine and mangos anywhere, you will have to update mangosd.conf and to setup the IP address and port information for wardend.

Neo2003

Good news. I did not know since it was not the case when I worked on bit on this long ago.

First of all, don't alter creature table structure. You just need a column in transport table, that's it.

Let's says you have some npc on boat 176231.

In transport table, add a 'map' column to associate the boat id and the moving map id.

Here 176231 is map 584.

Then in creature table, you don't have to alter anything, just spawn the npcs based on map 584 coords, then it's "just" a matter of sending to the client the proper information with transport guid, local and global coords (related to the moving map 584 and the upper map).