Warden

Ban-wave summary

Posted in Warden, world of warcraft on January 15th, 2010 by kynox – 14 Comments

Now that the dust has settled, there doesn’t seem to be any point in delaying this any longer.

December 19th, WardenGuy sends instructions to Warden detailing how to detect LuaNinja and WoWGremlin. At an undisclosed time, the ‘client’ activates its special routine, which effectively disables the anti-detection in both tools (vague, I know. Don’t want to give out too many secrets, right?).

What follows is what seems to be the new direction in most anti-cheat software.

Warden, like a number of other anti-cheats, uses delayed banning: by quietly recording every offending user first and acting later, they maximize the casualties of a wave by giving people a false sense of security in the meantime.

To summarize, anyone who blames Cypher for their account being terminated is a self-centered moron. You knew the risks of using software that infringes on the contract you signed, and you even agreed to have your account terminated if found doing so.

AIO Bot – Detected

Posted in Warden, mimic, world of warcraft on December 18th, 2009 by kynox – 9 Comments

First and foremost, sorry for any grammatical errors in this. It’s a little rushed.


So, another day in the WoW botting community has come by, and just like every other day, someone has released some two-bit bot. Except this isn’t just someone; it is the same people Cypher and I destroyed a few months back.

The mimic team are back in all their fury with another terribly written, hilariously advertised bot that, as per usual, is sold on a number of false claims.

“I can assure you, its NOT injection” was one of the claims spouted, yet, as you can expect, a stupidly named DLL was found containing all of the bot’s interoperability between WoW and itself. In addition to this, three API hooks are present: LoadLibraryA, GetCursorPos and GetPhysicalCursorPos.

The first, LoadLibraryA, was to protect it from.. GameGuard. Yes, they are hiding their module from an anti-cheat from another game. Why would they do this, you might ask? Who fucking knows what goes through the minds of the mimic devs.

The second and third are used to send mouse movements to the game while it doesn’t have focus.

In summary, do not use this bot, and if you have.. see me in a week or so :).

2031f09253e0dbc911a8813616cdf9b1486b52fc (SHA1 hash of the trailing block of text, for verification purposes)

Time-zone is NZST.

15:43 – 19/12/09

So, if you’re reading this and wondering why your account has been banned.. I’m truly sorry. We’ve gotta let the WardenDev show his glory somehow, right!?

So 5 1/2 hours ago (from the date noted above), a new memory scan was pushed into Warden targeting AIOBot. If you were caught up in this, then shame on you for buying into such a shitty and detectable piece of software.

Seeing as the auth servers are now (presumably; hard to tell with the DDoS) closed, now seems like an opportune moment to unmask this.

Warden’s at it again

Posted in General, Warden, world of warcraft on November 12th, 2009 by kynox – 5 Comments

Anyone using the tool “UltimateChat” by Jadd of MMOwned: this is now being detected, as of a few minutes ago.

Have fun!

Warden changes

Posted in Warden, world of warcraft on November 3rd, 2009 by kynox – 24 Comments

Hey everyone.

Just a quick update on the status of Warden. For the entire weekend the Warden server was actually offline, which I found rather odd, but I guess even WardenGuy doesn’t work weekends.

Now, onto the 11 changes. Regarding DLL detection, two new DLLs have been added to the hit list, and based on the scan size it’s safe to assume they’re the same module, just different variants.

That leaves us with 9 memory scans, specifically targeting allocated memory (I’m looking at you, “passive” botters who find yourselves injecting large code stubs). These all seem to be different offenders, based on the diversity in the offsets and sizes.

Don’t say I didn’t warn you!

Clarification

It seems a lot of people haven’t understood what I was trying to convey. (Fair enough. It was late, and I was tired.)

This update isn’t looking for memory changes in WoW’s .text/.data sections. These scans target injected DLLs and the memory those DLLs allocate (or memory a third-party process allocates inside WoW with VirtualAllocEx).
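As an added illustration (not kynox’s tool and not Warden’s own code), the Python below models the distinction the clarification draws: a scan entry is an (offset, size, hash) triple that is only applied to executable regions no mapped image accounts for, i.e. what VirtualAlloc/VirtualAllocEx hands out, and never to the game’s own .text/.data. The region snapshots, the bot stub bytes and the use of SHA-1 are all constructed assumptions; the page says nothing about which hash Warden actually uses.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Tuple

# Memory type / protection constants as VirtualQuery reports them (winnt.h values).
MEM_PRIVATE = 0x20000            # VirtualAlloc'd (or VirtualAllocEx'd) memory
MEM_IMAGE = 0x1000000            # backed by a mapped PE image (wow.exe, system DLLs)
PAGE_READWRITE = 0x04
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
EXECUTE_MASK = 0xF0              # every PAGE_EXECUTE* protection sets a bit in this nibble


@dataclass
class Region:
    base: int
    kind: int       # MEM_PRIVATE or MEM_IMAGE
    protect: int
    data: bytes     # snapshot of the region's contents (constructed for this example)


@dataclass
class ScanEntry:
    offset: int     # offset into the candidate region
    size: int       # number of bytes to hash
    digest: str     # expected SHA-1 of those bytes (assumed hash; Warden's is not shown on the page)


def is_allocated_code(region: Region) -> bool:
    """Executable memory that no image section accounts for: a manually mapped DLL,
    or a code stub written into VirtualAllocEx'd pages by another process."""
    return region.kind == MEM_PRIVATE and (region.protect & EXECUTE_MASK) != 0


def scan_allocations(regions: List[Region], entries: List[ScanEntry]) -> List[Tuple[int, int, int]]:
    """Apply every (offset, size, hash) entry to every allocated code region.
    Image-backed regions are skipped on purpose: this is not a .text/.data integrity check."""
    hits = []
    for r in regions:
        if not is_allocated_code(r):
            continue
        for e in entries:
            if e.offset + e.size > len(r.data):
                continue
            chunk = r.data[e.offset:e.offset + e.size]
            if hashlib.sha1(chunk).hexdigest() == e.digest:
                hits.append((r.base, e.offset, e.size))
    return hits


# --- constructed sample data -------------------------------------------------
# A made-up "injected stub": push ebp / mov ebp,esp / call rel32 / leave / ret.
BOT_STUB = bytes.fromhex("55 8B EC E8 00 00 00 00 C9 C3")

SAMPLE_REGIONS = [
    # wow.exe .text: image-backed. Even though the same bytes appear here, it is not scanned.
    Region(0x00401000, MEM_IMAGE, PAGE_EXECUTE_READ, b"\x90" * 0x40 + BOT_STUB + b"\xCC" * 0x40),
    # Plain RW heap page: not executable, not scanned.
    Region(0x00A00000, MEM_PRIVATE, PAGE_READWRITE, BOT_STUB * 4),
    # RWX private allocation with the stub at +0x40: this is what the new scans look for.
    Region(0x002A0000, MEM_PRIVATE, PAGE_EXECUTE_READWRITE, b"\x00" * 0x40 + BOT_STUB + b"\x00" * 0x20),
]

SAMPLE_ENTRIES = [
    # One entry per offender, each with its own offset and size.
    ScanEntry(0x40, len(BOT_STUB), hashlib.sha1(BOT_STUB).hexdigest()),
    ScanEntry(0x10, 8, hashlib.sha1(b"LuaFoo!!").hexdigest()),   # an offender that is not present here
]


def run_sample() -> List[Tuple[int, int, int]]:
    return scan_allocations(SAMPLE_REGIONS, SAMPLE_ENTRIES)


if __name__ == "__main__":
    for base, off, size in run_sample():
        print(f"hit: region {base:#010x} +{off:#x} ({size} bytes)")
```

Note what does not fire: the identical stub bytes sitting inside the image-backed .text region, and the copies on a read/write heap page. Only the executable private allocation is a candidate, which is exactly why the scans described above hit injected DLLs and code caves while leaving patched game code alone.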

Update #2

Well, that was quick. Hawker asked me if there were any worrying updates to Warden, so I gave him the following picture from my tool. Hawker posted it on his forum before asking me, but promptly removed it when asked. Someone snagged it before it was taken down, so I guess it’s public domain now.

[image: new_warden_scans_3.11.09 (screenshot of the new Warden scans from kynox’s tool)]

Gatherbuddy Detection

Posted in General, Warden on September 5th, 2009 by kynox – 17 Comments

Well, seems there’s a wave flying through and GB was in its path.

Something worth noting about this is that GB wasn’t the target. GB wrote to some memory that LuaFoo did too. Once LuaFoo got detected, sadly, GB was hit as a side-effect of the new memory scan (dating from before they installed their tripwire).

So to summarize, direct all hate to Apoc (:D!).

Warden’s existence on the Mac

Posted in General, Warden on August 10th, 2009 by kynox – 10 Comments

A friend asked me recently whether the Mac WoW client actively ran a copy of the Warden module we see on Windows.

Yes, Macs do have a Warden, and yes, Blizzard are streaming modules to your Mac. However, the modules they stream are just shells, which I assume is to prevent clientless bots (although it would be stupidly easy to emulate). I have omitted the exact details of what happens; however, reversers shall bear witness to the comical side of the Warden dev, with constants like 0x1337F00D and 0xDEADBEEF instead of a tedious polymorphic crypto function.

Warden on a Mac is a “Mach-O” (http://en.wikipedia.org/wiki/Mach-O) file type. I’m not from a Mac background, so I’ll just assume it’s the safe way of loading up assembly and executing it.

__text:001F0301                 mov     ecx, offset s_WardenDecryptKey
__text:001F0306                 mov     edx, 1A96h
__text:001F030B                 mov     eax, offset s_WardenModule
__text:001F0310                 call    WardenModule__Load

__data:00B9A420 s_WardenDecryptKey db 9Eh, 0BBh, 81h, 0Fh, 34h, 0E9h, 0DFh, 8Ah, 0B8h, 0BAh
__data:00B9A420                                         ; DATA XREF: sub_1F02EA+17o
__data:00B9A420                 db 13h, 0D9h, 3Dh, 0CAh, 0Dh, 50h

__data:00B9A440 s_WardenModule  db 4Eh, 5, 50h, 0A4h, 0D2h, 0CBh, 1Ah, 0D6h, 6, 25h, 0FEh [..omitted]

#include <cstdint>
#include <cstdio>
#include <iostream>
#include <vector>
#include <windows.h>
#include <zlib.h>
#include "RC4.h"   // the author's RC4 helper class (Init/Apply); not shown on the page

int main()
{
	// Key and blob size are the constants from the disassembly above.
	BYTE RC4Key[] = { 0x9E, 0xBB, 0x81, 0x0F, 0x34, 0xE9, 0xDF, 0x8A, 0xB8, 0xBA, 0x13, 0xD9, 0x3D, 0xCA, 0x0D, 0x50 };
	BYTE Module[ 0x1A96 ] = {0};

	FILE* fp = fopen( "Warden.bin", "rb" );
	if ( !fp || fread( Module, sizeof( Module ), 1, fp ) != 1 )
	{
		std::cout << "Error reading Warden.bin" << std::endl;
		return 1;
	}
	fclose( fp );

	// RC4 is symmetric: applying the keystream again decrypts in place.
	RC4 rc4;
	rc4.Init( RC4Key, 16 );
	rc4.Apply( Module, sizeof( Module ) );

	// First DWORD is the uncompressed size; the zlib stream starts at offset 4.
	// Read it as exactly 32 bits (DWORD_PTR is 8 bytes on x64 and would swallow
	// the start of the stream), and keep it in the uLongf that uncompress() wants.
	uLongf Size = *reinterpret_cast<uint32_t*>( Module );
	std::vector<BYTE> Uncompressed( Size );

	int iResult = uncompress( &Uncompressed[0], &Size, &Module[4], sizeof( Module ) - 4 );
	if ( iResult != Z_OK )
	{
		std::cout << "Error uncompressing: " << iResult << std::endl;
		return 1;
	}

	fp = fopen( "WardenOut.bin", "wb" );
	fwrite( &Uncompressed[0], Size, 1, fp );
	fclose( fp );
}

Yeah. The code isn’t pretty, but I don’t care, as it’s not something I intend to spend any more time on.
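A Python port of the same unwrapping, added here as an example (it is neither the page’s C++ nor Blizzard’s loader), with RC4 written out so nothing depends on a helper the page doesn’t show: RC4-decrypt with the 16-byte key from the disassembly, read the little-endian size DWORD, zlib-decompress the remainder and check the length against the header. wrap_module is the inverse and is constructed only so the roundtrip can be exercised on made-up payload bytes; nothing about the real Warden.bin beyond what the C++ above reads is assumed.

```python
import struct
import sys
import zlib

# s_WardenDecryptKey from the disassembly above.
RC4_KEY = bytes([0x9E, 0xBB, 0x81, 0x0F, 0x34, 0xE9, 0xDF, 0x8A,
                 0xB8, 0xBA, 0x13, 0xD9, 0x3D, 0xCA, 0x0D, 0x50])
MODULE_SIZE = 0x1A96              # edx in the call to WardenModule__Load
MAX_UNPACKED = 16 * 1024 * 1024   # sanity bound on the size header (an assumption, not from the page)


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encrypting and decrypting are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def unwrap_module(blob: bytes, key: bytes = RC4_KEY) -> bytes:
    """Mirror of the C++ above: RC4 -> u32 size -> zlib stream -> length check."""
    plain = rc4(key, blob)
    if len(plain) < 4:
        raise ValueError("blob too short for a size header")
    size = struct.unpack_from("<I", plain, 0)[0]
    if size == 0 or size > MAX_UNPACKED:
        raise ValueError(f"implausible size header {size:#x}: wrong key?")
    unpacked = zlib.decompress(plain[4:])     # zlib.error on a wrong key or a truncated blob
    if len(unpacked) != size:
        raise ValueError(f"header says {size} bytes, stream produced {len(unpacked)}")
    return unpacked


def wrap_module(payload: bytes, key: bytes = RC4_KEY) -> bytes:
    """Inverse of unwrap_module; constructed here only to build test input."""
    return rc4(key, struct.pack("<I", len(payload)) + zlib.compress(payload))


def unwrap_file(path: str, out_path: str) -> int:
    """Same job as the C++: Warden.bin in, WardenOut.bin out. Returns the unpacked size."""
    with open(path, "rb") as fp:
        blob = fp.read(MODULE_SIZE)
    unpacked = unwrap_module(blob)
    with open(out_path, "wb") as fp:
        fp.write(unpacked)
    return len(unpacked)


if __name__ == "__main__":
    src = sys.argv[1] if len(sys.argv) > 1 else "Warden.bin"
    print(f"wrote {unwrap_file(src, 'WardenOut.bin')} bytes to WardenOut.bin")
```

The size bound and the length check are the two things the C++ doesn’t do: with the wrong key the decrypted header is garbage, and without the bound you would try to allocate whatever 32-bit number falls out before zlib gets a chance to reject the stream.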

The possibility for Blizzard to start scanning is very real.

Mimic .51

Posted in Warden, mimic on June 19th, 2009 by kynox – 5 Comments

Mimic have pushed out revision .51 of shitbox Mimic. As per their usual attempt to circumvent Warden, they have introduced another flaw. It’s currently undetected, until WardenDev feels like throwin’ another wave into the mix.

When will these guys learn?

Warden Update

Posted in Warden on June 17th, 2009 by kynox – 2 Comments

So.. the wave is still coming in. I guess it should rather be defined as a tsunami if you actually account for physics.

WardenDev, welcome back. Thought we lost you for a while there!

Warden Follow-up

Posted in Warden on June 4th, 2009 by kynox – 5 Comments

With the release of Mimic .48, it’s apparent they have figured out why they were being detected, so I’ll detail the recent Warden update.

Shortly after 3.1.3 went live, Warden came online, and with it came some new scan data for an already existing scan. This scan simply follows the inline JMP hook on the requested module and API to its destination and hashes an RVA derived from that destination.

The timing for this, however, was excruciatingly terrible. Not only did it barely affect anyone, but it’s only detecting pre-.48 versions of Mimic, as they have since removed their hook on GetCursorPos.
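An added example of the scan described above (it is not Warden’s code and not Mimic’s), covering both the GetCursorPos/GetPhysicalCursorPos/LoadLibraryA hooks listed in the AIO Bot post and the GetCursorPos hook that got pre-.48 Mimic caught here: read the first bytes of an exported API, follow an E9 rel32 JMP to where it lands, find which loaded module contains that address, and hash the destination’s RVA. The module table, the addresses and the use of SHA-1 are constructed assumptions. What it shows is why this works as a fingerprint: the RVA inside the bot’s DLL is the same whatever base the DLL gets loaded at, so the hash stays stable until the hook itself is removed, which is exactly what .48 did.

```python
import hashlib
import struct
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Module:
    name: str
    base: int
    size: int


def module_for(addr: int, modules: List[Module]) -> Optional[Module]:
    """Which loaded module (if any) contains addr."""
    for m in modules:
        if m.base <= addr < m.base + m.size:
            return m
    return None


def jmp_target(api_addr: int, code: bytes) -> Optional[int]:
    """If the function starts with an inline E9 rel32 JMP, return where it lands."""
    if len(code) < 5 or code[0] != 0xE9:
        return None
    rel = struct.unpack_from("<i", code, 1)[0]          # signed 32-bit displacement
    return (api_addr + 5 + rel) & 0xFFFFFFFF             # relative to the next instruction


def hook_rva_hash(api_addr: int, code: bytes, modules: List[Module]) -> Optional[str]:
    """Warden-style check: hash the hook destination's RVA, not its absolute address.
    (SHA-1 is an assumption for illustration; the real hash is not shown on the page.)"""
    target = jmp_target(api_addr, code)
    if target is None:
        return None                                       # no hook: nothing to report
    owner = module_for(target, modules)
    if owner is None:
        return None                                       # lands in anonymous memory: a different scan's job
    rva = target - owner.base
    return hashlib.sha1(struct.pack("<I", rva)).hexdigest()


def make_jmp_hook(from_addr: int, to_addr: int) -> bytes:
    """What a bot writes over the API prologue: JMP rel32 to its own handler."""
    return b"\xE9" + struct.pack("<i", to_addr - (from_addr + 5))


# --- constructed sample: user32 at a fixed base, a bot DLL loaded at two different bases ---
USER32 = Module("user32.dll", 0x7E410000, 0x90000)
GET_CURSOR_POS = USER32.base + 0x1B3A                      # made-up export address
HANDLER_RVA = 0x5678                                      # offset of the bot's handler inside its DLL
CLEAN_PROLOGUE = bytes.fromhex("8B FF 55 8B EC")          # mov edi,edi / push ebp / mov ebp,esp


def hash_with_bot_at(bot_base: int) -> Optional[str]:
    """Hash seen when the bot DLL sits at bot_base and hooks GetCursorPos."""
    modules = [USER32, Module("bot.dll", bot_base, 0x20000)]
    code = make_jmp_hook(GET_CURSOR_POS, bot_base + HANDLER_RVA)
    return hook_rva_hash(GET_CURSOR_POS, code, modules)


def hash_unhooked() -> Optional[str]:
    """Post-.48 situation: the prologue is intact, so the scan has nothing to hash."""
    return hook_rva_hash(GET_CURSOR_POS, CLEAN_PROLOGUE, [USER32])


if __name__ == "__main__":
    print("bot.dll @ 0x10000000:", hash_with_bot_at(0x10000000))
    print("bot.dll @ 0x00A40000:", hash_with_bot_at(0x00A40000))   # same hash: the RVA is base-independent
    print("hook removed:        ", hash_unhooked())                # None: nothing to match
```

The same scan entry would also catch a JMP hook on LoadLibraryA or GetPhysicalCursorPos; only the API the scan is told to look at changes. Note the second early return: a hook whose destination is not inside any module (a code cave in VirtualAlloc’d memory) yields no RVA at all, which is the gap the allocated-memory scans from the November post close.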

In summary, Blizzard, give us back the old Warden developer who isn’t a bimbo.

Warden Update

Posted in Warden on June 3rd, 2009 by kynox – 5 Comments

So this isn’t the CLR hosting post i promised, but it’s coming. I promise!

Anyway, Warden has been updated and has activated a dormant scan (yay!) which is detecting Mimic. I’ll do an analysis in a couple of days so Mimic isn’t handed shit on a platter again.

As the saying goes, “Use Mimic, get your account banned for being a fucking dumbass”.