LexManos
  1. Well, from what I've seen 'Warden 2.0' (aside from being a gimmicky name some noobs made up) is simply Warden for Mac. Cuz IIRC Warden was just a stub with minimal functionality for Mac. I am still interested in seeing a current module. Also, why the HELL couldn't I find this thread when I was looking for it? Seriously, my profile -> Find Threads Started By -> Nothing...
  2. Hey guys, figured I'd drop my head back in here. It appears my old Warden thread has disappeared. No worries. Just curious if anyone has a dump of any of the 'new' 'Warden 2.0' modules they would be willing to give me. Figured I'd take a crack at seeing what they did. I got a hold of one of the Mac modules, and honestly... nothing much significant there, they just implemented stuff that was already in Windows. I have some time on my hands, I couldn't find any details about what has changed, and I'm bored. So I figured I'd ask.
  3. There is no way, that's what they are saying. Just tell your GMs not to level over 80. You can lower everyone's level who's over 80, but they can simply just set their level again.
  4. Whelp, first time trying to install Mangos on a Linux box. (The others have been Windows.) I get this error during the configure step.

     Configuration of MaNGOS 0.16.0 is now complete.
     === configuring in dep/ACE_wrappers (/home/lex/mangos/objdir/dep/ACE_wrappers)
     configure.new: running /bin/sh ../../../dep/ACE_wrappers/configure '--prefix=/mangos' '--sysconfdir=/mangos/etc' '--enable-cli' '--enable-ra' '--datadir=/mangos/data' --cache-file=/dev/null --srcdir=../../../dep/ACE_wrappers
     checking build system type... i686-pc-linux-gnu
     checking host system type... i686-pc-linux-gnu
     checking target system type... i686-pc-linux-gnu
     checking for a BSD-compatible install... /usr/bin/ginstall -c
     checking whether build environment is sane... yes
     checking for gawk... gawk
     checking whether make sets $(MAKE)... yes
     checking for grep that handles long lines and -e... /usr/bin/grep
     checking for egrep... /usr/bin/grep -E
     checking whether #! works in shell scripts... yes
     checking for g++... g++
     checking for C++ compiler default output file name... configure: error: C++ compiler cannot create executables
     See `config.log' for more details.
     configure.new: error: ../../../dep/ACE_wrappers/configure failed for dep/ACE_wrappers

     I compile C++ on this box all the time. Ideas?

     Oh, tracked down the error more: it's caused by the ACE_wrappers configuration script not properly removing the line endings from the version, therefore causing a fucked-up confdefs.h header, causing compilations to fail.

     dnl particularly with M4, do not modify this macro definition.
     define([ACE_VERSION], patsubst(esyscmd(grep ACE_VERSION ace/Version.h | sed 's/.*\\" *\\(.*\\)\\".*/\\1/'), [ ]))dnl remove newline ending every `esyscmd' answer

     That's from the latest pull. *Should* be working fine. I don't know why it isn't, but it results in '5.6.6\\r\\n' so it's not doing its job properly.
  5. Seriously guys? Do any of you actually know anything about C++/C#? Tom_Rus has done a great job expanding on what I posted. And I doubt he will ever post a patch for mangos to add Warden support natively. I'm kinda curious why the main dev team hasn't given an official yea/nay on this. But I'm kinda disappointed that nothing has come out of this. I have it in my to-do to re-write my Warden library, and I may post more information and cleaner code after that, because in my few re-writes of my code I've found a lot better ways to do a lot of the stuff. Anyways, PowerPC versions of WoW and other games DO support Warden, but yes, IIRC they use a different set of modules because they are different architectures. But basically, functionality-wise, they are the exact same. Anyways, if anyone actually gives a crap about Warden, and wants to actually work on it and not just ask for code, feel free to PM me if you have any questions; it sends me an email and I keep forgetting to check this place.
  6. Last time I checked the functions were actually the same, just compiled/coded in different manners with SLIGHTLY different functionality. And last I checked there were 32 different versions of it. But yes, the best way to deal with Warden is to load the module up and only handle 0x02 yourself. Honestly, get your hands on a copy of mediv.mod (the original module) and load it up. Let it handle all the loading, unloading, etc. of new modules, and you're golden! That's how I do it for Battle.net and I haven't had any issues in the last 4 functionality changes. The only problem is determining exactly what to do with the 0x02 packet; currently there are 5 versions: Mediv, which just returns a SHA1/MD5 of the data sent in 0x02 (hence why I call it the test module); one that only supports memory grabs, which is just an array of (DWORD Address, BYTE Length) places to check; one that added support for file MD5s, so it was now (BYTE) ID [1 for MD5, 0 for Address], and if it was MD5 it was a CString file name; then there's the version just previous to this one with all the functionality of the current 0x02, but which didn't support 0x04/0x05; and then there's what we have today, with the ability to make new RC4 keys. I am collecting modules so that I can 1) track what's being used and when, 2) hopefully derive an algorithm that will determine what version and what Check IDs there are. So if you would be a dear and add the function into your packet logger to dump the modules/keys, that would be awesome! The .mod file is the fully compressed, encrypted module. The .key file is the 16 byte RC4 seed you get in 0x01. They are named with the MD5 of the module.
  7. Oh ya, duh, overlooked that. Sounds good. Oh ya, I remember that, probably what skunked me out last time I had them open. I haven't actually opened Warden in IDA in months. If I remember correctly, they did like they did with Lockdown: compiled 2 versions (in Warden's case I think it was 8 versions) that did exactly the same thing in different methods, e.g. some used switch(), some used if()..else if(), others used pass-through functions, etc., but it's rather annoying. Interesting; never bothered to check out what this did (as it's not used on Bnet). Pretty cool that it actually allows for multiple commands per packet. Though your notes appear to be wrong. What are these Library Index/String Lib? I don't see it passing any strings around. Does the module store a static array of strings like that? Or are those PStrings like in 0x02? (byte) len (void) str. But ya, it has no response, so from a necessity point of view it's not important, but it's rather interesting. Have you taken a look at what is at the last 2 addresses? May simply be overwriting the function pointers.
  8. Fairly easy, just change your hard coded values. Any ways I can get a hold of him? I'd like to see if we can find a way of programmatically extracting out the Check IDs. I'm fairly sure it'd be simple; haven't looked at a module in IDA for a while, but if they use a switch() then it's just a jump table. Anyways, I'd also like to figure out exactly what opcode 0x03 does. As for the MPQ checks, that's a simple SHA1() of the file. GetTickCount is kinda interesting, not sure why they would care about that... except it's used as a seed in a few of their encryptions, but beyond that it's not important. I'd also be really interested in seeing if we could programmatically extract the Yes/No values used in the response (0xE9).
  9. Oh, you're manually parsing check IDs. Ouch. But it looks sexy. Just a suggestion, I'd say do ID checks vs the post-XORed value, just in case they ever bother to change it during a single connection, so that you can parse multiple connections using the same module, because they choose a seemingly random XOR byte during each connection. But this is cool; how exactly are you determining what each check does? Just guessing, watching the module run, or do you have the modules loaded up in IDA? Any way I could get you to upload the binary packet logs? At least the Warden packets. I'd like to do some work with the modules you are working with. (Yes, I *could* parse your text logs but... :*( )
  10. Is your Packet Logger open source? I'd like to see it, see what you've done. I am really interested in seeing how you split up the requests and extract the proper check IDs.

      ====== UNK2_CHECK START ======
      checkType 5D (A6)
      Unk bytes: 0x69EC659067021B7FAF4541F6329B809950252859DFF590B6
      Unk string: Afd32uu
      ====== UNK2_CHECK END ======

      Also, could that not be a SHA1 hash and seed? Could it not SHA1 that file and compare it to the SHA1 hash? To test this you would need to find the cheat that modifies that file, and a copy of that file, do some SHA1ing to it and see how things go. It would make sense because it has the same response as a PAGE_CHECK. BTW 0xE9 is the current 'No' response, AE: No it was not found, or No it was not a match.

      ====== UNK_CHECK result ======
      UNK_CHECK result: 0x01
      UNK_CHECK value: 0x1BF697FE
      ====== UNK_CHECK result END ======

      This looks something like: Did it work? Yes/No. Result: DWORD, possibly CRC32? Have you tried scanning WoW's memory for FE 97 F6 1B? It may be a constant that Warden is looking for. 254.151.246.27 or 27.246.151.254, those IPs look familiar? Sadly I am missing a lot of Warden modules. If you'd be so kind as to save/upload them to my site I would <3 you. Anyways, I like the fact that you have been working on this; I'd like to work with you more.
  11. Very nice, it's been confirmed, as I always suspected: the initial field in 0x02 is not libraries, it's just strings. So you got a C# version of module prepping/loading/running done? That's rather interesting; I haven't dealt much with C# but others that I know that have are always bitching how difficult it is to run non-managed code from it. I'd be interested in seeing how you've done it. Also, do you know ASM? I still want to have someone figure out the other opcodes (and preferably a more reliable way to determine them u.u).
  12. Seriously, nobody else has even touched this? I have an updated version which is more efficient, but the bulk of everything is still the same. Anyways, there's a bit of a battle that goes on here: we have cheats, and a way to detect them, but the cheaters also know that detection method, so the thing we need to do is just make life difficult for the cheaters to deal with. I've done this quite well by allowing non-signed modules to be run. Well, I updated it last month to only allow MY signed modules to be run <3 Anyways, someone do some research into where WoW stores its Mediv module, and it should be a cinch to replace it with your own. I've got no plans to publicly dev this anymore, but I urge others to work on it; seriously, the hard parts are already done!
  13. Indeed, that's as far as we went and then dropped it. We run the modules for 0x05, and handle 0x00-0x02 ourselves. IF you were to FULLY run the module, letting it handle everything, then yes, you would need to duplicate the entirety of WoW to be sure it grabs the correct values in 0x02. Hence why I'm shifting it off to you nice fellow <3 I know, and I'm not going to do them! This research was solely done because it started to affect chat bots on Battle.net. Since they do not employ any other scans or opcodes at the channel level, this was all that was needed to keep our chat bots online, so I really don't care about the other stuff. (Though I would like a better pragmatic way to obtain the sub-commands for the scan opcode; any tips?) <3 Ugh, spoke too soon, Warden was just reactivated on Battle.net with a new sub-command enabled u.u It's in channel so people are bitching at me to fix it -.-
  14. Considering the fact that a lot of the inner workings of Warden have been public all along, and most people who make real cheats can simply look at the code and see what's going on, I don't see anything new here that would drastically reduce the already vulnerable security of Warden. The thing that makes Warden work is not HOW it does something, it's how much it does something. Basically you've got to make something so fucking ridiculous that it's a bitch and a half for cheat makers to work around (having to completely duplicate the entirety of WoW's memory and screen buffers, for example). If you can do something like that, not many people will make cheats. What I would like to see is it being the norm that servers can create and run their own modules. Yes, you would need severe trust in the server operators because they will have the ability to run arbitrary code. But, too fucking bad! If a server is run that distributes malicious modules, then you shouldn't be using the server! I don't know about most of you guys but I'm a rather trusting and trustworthy individual. (I am entrusted with over 50,000 cdkeys that run through my JBLS server every hour.) Never once have I logged or used any. It's all a matter of trust. Considering the fact that you would have to modify your client yourself to not verify the RSA signature, you should be fully aware what that would do.
  15. So reading is good, right? Some of the functionality of some packets I do not fully understand, but come on, I can't hold your hand. And I'm bad with ASM so someone's gonna have to get elbow deep and help if you want more documentation than that. But for now, we know how to create modules, we know how to transfer them, we know how to load them, we know how to encrypt/decrypt them, we know how to communicate with them! *Looks for someone open to pass the football to...* BTW, just a side note: due to the nature of Warden, all this shit could change in a heartbeat. EXCEPT the fact that the initial module works like this. But once it's downloaded/loaded a new module, the formats for each packet can be completely different.