Ban-wave summary

Posted in Warden, world of warcraft on January 15th, 2010 by kynox – 15 Comments

Now that the dust has settled, there doesn’t seem to be any point in delaying this any longer.

December 19th, WardenGuy sends instructions to Warden, detailing how to detect LuaNinja and WoWGremlin. At an undisclosed time, the ‘client’ activates its special routine which effectively disables the anti-detection in both tools (Vague, I know. Don’t want to give out too many secrets, right?).

What follows is what seems to be the new direction in most anti-cheat software.

Warden, among other anti-cheats, employs the method of delayed banning: by recording all of the offending users before acting, they maximize casualties by giving people a false sense of security.

To summarize, anyone who blames Cypher for their account being terminated is a self-centered moron. You knew the risks of using software that infringes on the contract you signed, and even agreed to have your account terminated if found doing so.

Banwave in effect

Posted in world of warcraft on January 11th, 2010 by kynox – 55 Comments

So, unless you live under a rock, you’ve noticed there is a rather widespread banwave in effect right now. Finding the proper sources is proving difficult due to the overwhelming amount of cross-contamination from the many sources reporting bans.

If any of you have been banned, please write a list of the Bots/Hacks you have used in the past 4 weeks, preferably in chronological order.

Clarification (Updated):

Well, after searching around for a while with Harko, he found the culprit. He, being on Windows XP, ran his logger over LuaNinja.dll and found that it was in fact reporting back detection flags. However, when I ran my logger over LuaNinja, it returned clean flags.

I run Windows 7, as does Cypher; which would appear to be how he missed the Windows XP incompatibility.

Long story short? LuaNinja’s protection only worked on certain operating systems and Warden has been detecting LuaNinja since December 19th.

Update #02:

It’s got to be something in the client – too many reports contradicting earlier theories.
42e3d28a01319e58661ca4c201e7dc376ee1e7fa

Blizzard Authenticator Emulator

Posted in General, world of warcraft on January 7th, 2010 by kynox – 26 Comments

Recently, a friend asked if I knew how to run the authenticator on a Windows Mobile; puzzled that Blizzard hadn’t supported that platform yet, I decided to take a look for myself.
Attached is the result of my findings. A complete authenticator emulator library, with included basic demonstration.

* Notes *

  1. This does not allow you to gain unauthorized access to people’s authenticators.
  2. This is limited to mobile-authenticator keys, as I don’t have the know-how to disassemble the physical hardware authenticators.
  3. To use this tool with a pre-existing authenticator, you must have access to your phone’s file-system in order to extract the Serial and Token from its configuration file.

Caveat: The library itself is closed source until further notice, and must retain the included license files if used in projects other than the included test project.

Serial refers to the "US-XXXX-XXXX-XXXX" code and Token refers to a shared-public key used in the generation of the one-time keys.

* Releases *
v20090108

Clarification

Posted in aiobot, world of warcraft on December 25th, 2009 by kynox – 22 Comments

Lately I’ve had a couple of people tell me ProBotters (AIOBot) are claiming I’m their “Warden Guy”. I just want to clarify that I have no intention of helping this group of people.

This is the second time they have publicly lied to their community; I seriously do not recommend this bot.

PS: The ‘kynox’ user on their forum is not me.

AIO Bot – Detected

Posted in mimic, Warden, world of warcraft on December 18th, 2009 by kynox – 13 Comments

First and foremost, sorry for any grammatical errors in this. It’s a little rushed.

 

So, another day in the WoW botting community has come by, and just like every other day, someone has released some two-bit bot. Except, this isn’t just someone, for it is the same people Cypher and I destroyed a few months back.

The mimic team are back in all their fury, with another terribly written, hilariously advertised bot, that as per usual, is advertised with a number of false claims.

“I can assure you, its NOT injection” was one of the claims spouted, yet as you can expect, a stupidly named DLL was found, containing all of the bot’s interoperability between WoW and itself. In addition to this, three API hooks are present: LoadLibraryA, GetCursorPos and GetPhysicalCursorPos.

The first, LoadLibraryA, was to protect it from.. GameGuard. Yes, they are hiding their module from an anti-cheat from another game. Why would they do this you might ask? Who fucking knows what goes through the minds of the mimic-devs.

The second and third are used to send mouse movements to the game while it doesn’t have focus.

In summary, do not use this bot, and if you have.. see me in a week or so :).

2031f09253e0dbc911a8813616cdf9b1486b52fc (SHA1 hash of the trailing block of text, for verification purposes)

Time-zone is NZST.

15:43 – 19/12/09

So, if you’re reading this and wondering why your account has been banned.. I’m truly sorry. We’ve gotta let the WardenDev show his glory somehow, right!?

So 5 1/2 hours ago (from the date noted above), a new memory scan was pushed into Warden, which targeted AIOBot. If you were caught up in this, then shame on you for buying into such a shitty and detectable piece of software.

Seeing as the auth servers are now (presumably. hard to tell with the ddos) closed, now seems like an opportune moment to unmask this.
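The hash-then-reveal pattern used in this post, as an added example that is not part of the original post: a checker for a published SHA-1 commitment against text revealed later. Because the hash covers exact bytes, it tries the byte forms a reader copying from a web page cannot tell apart; the sample text, the function names and the list of candidate forms are constructed assumptions, not the post's real data.

```python
import hashlib

def candidate_forms(text):
    """Yield (description, bytes) for plausible byte-level forms of the same visible text."""
    lines = text.replace("\r\n", "\n").replace("\r", "\n").strip("\n").split("\n")
    seen = set()
    for eol_name, eol in (("LF", "\n"), ("CRLF", "\r\n")):
        for strip_name, body in (("as-is", lines), ("rstrip", [l.rstrip() for l in lines])):
            for tail_name, tail in (("no-final-eol", ""), ("final-eol", eol)):
                for enc in ("utf-8", "cp1252"):
                    try:
                        data = (eol.join(body) + tail).encode(enc)
                    except UnicodeEncodeError:
                        continue  # text not representable in this encoding
                    if data not in seen:
                        seen.add(data)
                        yield (eol_name, strip_name, tail_name, enc), data

def verify_commitment(committed_sha1_hex, revealed_text):
    """Return the form whose SHA-1 matches the commitment, or None if none does."""
    want = committed_sha1_hex.strip().lower()
    for form, data in candidate_forms(revealed_text):
        if hashlib.sha1(data).hexdigest() == want:
            return form
    return None

# Constructed sample: the author hashes a CRLF, cp1252 text file and publishes the digest.
ORIGINAL_BYTES = "So, if you\u2019re reading this\r\nit is detected.\r\n".encode("cp1252")
COMMITMENT = hashlib.sha1(ORIGINAL_BYTES).hexdigest()

# Constructed sample: what a reader copies from the rendered page later
# (LF line endings, stray trailing spaces, an extra blank line at the end).
REVEALED = "So, if you\u2019re reading this  \nit is detected.\n\n"

if __name__ == "__main__":
    print("matching form:", verify_commitment(COMMITMENT, REVEALED))
    print("tampered text:", verify_commitment(COMMITMENT, REVEALED.replace("detected", "undetected")))
```

A match shows the revealed text existed when the hash was published. SHA-1 collisions are now practical and a bare hash of guessable text can be brute-forced, so a commitment made today would use SHA-256 over the text plus a random nonce that is revealed with it.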

3D Rendering Library

Posted in General, world of warcraft on December 3rd, 2009 by kynox – 14 Comments

Hey, as some of you are aware, I’m writing a small rendering library for injected C# tools. While I’m writing features, are there any features you guys might want added? So far I’ve added:

// Fields
internal static Device Device
internal static TextDrawer TextRenderer
internal static Matrix Projection
internal static Matrix View

// Rendering functions
internal static void DrawOutlinedBox(Vector3 position, float length, float width, float height, Color color)
internal static void DrawBox(Vector3 position, float length, float width, float height, Color color)
internal static void DrawLine(Vector3 vecStartPos, Vector3 vecEndPos, float width, Color color)
internal static bool WorldToScreen(Vector3 position, out Vector3 screen)
internal static bool ScreenToWorld(Vector2 screen, out Vector3 world)

In addition to these functions, you can subscribe to an OnFrame callback.

 

Let me know what you guys want.

New home

Posted in Uncategorized on November 29th, 2009 by kynox – 5 Comments

Welcome to the new home!!1111!ONE

Warden’s at it again

Posted in General, Warden, world of warcraft on November 12th, 2009 by kynox – 5 Comments

Anyone using the tool “UltimateChat” by Jadd of MMOwned, this is now being detected as of a few minutes ago.

Have fun!

Warden changes

Posted in Warden, world of warcraft on November 3rd, 2009 by kynox – 24 Comments

Hey everyone.

Just a quick update on the status of Warden: for the entire weekend, the Warden server was actually offline, which I found rather odd, but I guess even WardenGuy doesn’t work on the weekends.

Now, onto the 11 changes. Regarding DLL detection, two new DLLs have been added to the hit list and based on the scan size, it’s safe to assume they’re the same module, just different variants.

That leaves us with 9 memory scans, specifically targeting allocated memory (I’m looking at you, “passive” botters who find yourselves injecting large code stubs). These all seem to be different offenders, based on the diversity in the offsets and sizes.

Don’t say I didn’t warn you!

Clarification

It seems a lot of people haven’t understood what I was trying to convey. (Fair enough. It was late, and I was tired)

This update isn’t looking for memory changes in WoW’s .text/.data sections. It targets injected DLL files and the memory those DLLs (or VirtualAllocEx’d memory from a third-party process) allocate.

Update #2

Well, that was quick. Hawker asked me if there were any worrying updates to Warden, so I gave him the following picture from my tool. Hawker posted it on his forum before asking me, but promptly removed it when asked. Someone snagged it before it was taken down, so I guess it’s public domain now.

[Image: new_warden_scans_3.11.09]

Cypher’s Blog!

Posted in General on October 25th, 2009 by kynox –

So, it’s been a while since I posted here (protip: leave comments and request shit!) so I may as well use this time to publicly laugh at Cypher being DDoS’d right now. Nothing more to say than “lol, skiddies”.