Statement on Warden

[Dark_Mage-]

Well, this is the new anti-hacking detection system Blizzard has implemented into Diablo II and WoW.
I've known about it for a while now, but haven't really said anything about it.
All discussion of it (for Diablo II) will go in this thread please.

It is constantly updated server-side and will put a hurting on hackers of Diablo II.
It searches for DLLs loaded in memory used by common hacks.

So, they can pretty much update when new hacks come out and detect/ban hackers uber fast now (over night)...
This is what happened to Netter's Maphack..

Anyone interested in researching it, open up D2Client.dll ...

Text strings referenced in D2Client:.text, item 627
 Address=6FB0261E
 Disassembly=PUSH D2Client.6FB86160
 Text string=ASCII "..\Source\D2Client\WARDEN\WardenClient.cpp"

It's not like ub3rhard to find or anything... :\

Some info:

I think the server sends 0xAE with a list of DLLs to look for in memory and then the client returns 0x66 which declares wether they were found or not and flags you for bannage.

I think it also sends 0xB0 and drops you from the game if you don't return 0x66 (I think this is why people with 2 d2s were getting dropped)...

I'm not confirming this though.

Actually, I think I'm just going to stop researching this as I probably will never play D2 again.
So, if anyone out there wants to research this, please do.

I currently have Netter looking into it.

 

[_CM]

sounds interesting... but I'm not the guy who could actually use that information
Thx tho!

 

[Andrewp30]

well when mousepads comes out, if i get banned. i am just going to quite the game/

 

[Forged]

To get around the detection methods, I have created a program called WoWInmate. This program will first of all hide all processes and windows that start with WoW! . It will also add protection to other detection methods that Blizzard has implemented. We will keep a close eye on the new detection routine and if it gets updated / changed / etc, we will update WoWInmate right away.

How to get around warden in wow, I assume it can be done the same way on d2.

 

[_Ace]

It doesn't seem really hard as long as you can somehow filter the packets that your Warden client sends and modify them slightly. Still, there may have some kind of encryption / double check which may be hard to get over. However, I don't give a flying **** about this game anymore... Maybe after I finish my ololol degree I'll go and hack it lmfao.

 

[dremis]

It sound like your're saying Battle.net is scanning our memory to see what else we may have running. ??

Don't know about anywhere else but in the USA that's called Invasion of Privacy and is VERY Illegal.

 

[Pretendo]

yes but i geuss when you agree or w/e u give up some writes so i guess for example steam will scan you css dirctory for hacks or something liekthat

 

[chocofilez]

Is this anti-hack program used with WoW? If so there should be some new hacks soon ^^. But ill think ill wait another few weeks even after mousepads comes out because, well, im gonna be carefull after the last incident.

 

[Forged]

It doesn't seem really hard as long as you can somehow filter the packets that your Warden client sends and modify them slightly. Still, there may have some kind of encryption / double check which may be hard to get over. However, I don't give a flying **** about this game anymore... Maybe after I finish my ololol degree I'll go and hack it lmfao.

You would have to figure out the proper response, I doubt it is the same thing every time, and a wrong response would disconnect you and mark you as a cheater.

 

[vampire-blade]

It sound like your're saying Battle.net is scanning our memory to see what else we may have running. ??

Don't know about anywhere else but in the USA that's called Invasion of Privacy and is VERY Illegal.

Dude, have you ever heard of George W. Bush, and the USA patriot act? Blizzard, and hundreds (if not thousands) of other private, government, and public orginizations scan yours, (and my computer) every day. We have no real privacy on the internet anymore, and I'm very sure Blizzard does scan us to see if we're running hacks, etc. There's been so many people bitching that "this hack stole my acct!" or, "this hack has a backdoor, I lost everything" bla bla bla. The simple fact is that when you're logged on to blizzard's battle.net you've agreed to their Terms of Use agreement, therefor you are they're property. If you dont play by blizz rules thats fine But sooner or later blizzard will find out whats going on and take action, as they've stated many of times. I personally dont use hacks, but some people cant live without them. I dont think its wrong to hack but the point is when u use battle.net they are watching what you're dooing and hopefully you're not hacking when they're paying attention But hey, I have confidence in you crazy cats, and eventually you'll work arround blizzards anti-hacker detection software, it just takes time and paitence

 

[_Ace]

Actually anyone has ever had the right to scan dll modules loaded into his own program because they are considered "his" modules.

 

[Dark_Mage-]

I forgot to mention that you should also watch for the server sending 0x8F and the client returning 0x6D (the new ping packets) because there is also something with those that checks memory.

 

[TheRealMalakai]

So if we could block those packets being sent, in theory, blizzard's Warden would be unable to scan the computer in question?

Would it be possible to make it think its scanning the computer? but it would actually be scanning a fake file which produces all of the "Legal" processes?

 

[Forged]

If you block the packet or do not send a proper response you are disconnected.

 

[TheRealMalakai]

Er I edited, you responded to quick. Check again.

 

[Nameless77]

I've read on other forums (the new Blizzhackers forums to be exact.. and I don't trust them now that they don't have any of the old mods or admins) that blizzard is scanning for dlls (obviously with the map hack bannings) but that they are also scanning for d2loader and that people are/have gotten banned simply from using d2loader and nothing else. I was wondering if there was any fact behind this. I like many was banned. I was running d2loader as well as easymap. However, due to a lucky draw, I have been able to aquire a new cd-key from a friend of mine who quit the game a while ago. As would be expected, I am trying to be more cautious this time around.


I posted this in the d2loader discussion thread yesterday, thought it might get a quicker/more accurate responce here.

 

[Forged]

So if we could block those packets being sent, in theory, blizzard's Warden would be unable to scan the computer in question?

Would it be possible to make it think its scanning the computer? but it would actually be scanning a fake file which produces all of the "Legal" processes?

Hmmm to answer that I have no idea I don't think so. It would probablly be easier to make a file that hides all of the proccess Diablo 2 considers illegal. As they did with wowsharp in the quote I posted near the top of the thread.

 

[w00t3r]

Has anyone thought of making more hacks in txt/dhack form? It seems that they only check for dlls, and if they checked ALL of the other files it uses, it would lag too much. So what if we changed form?

 

[fattyxp]

w00t3r: They also check for modified dlls in memory, something that HAS to be done to make most types of hacks. txt can only go so far because most things are run from files gotten from the server and not off your computer.
So basically, no matter what kind of hack you are getting d2 processes need to be modified to make it work and blizz detects that. The old AntiDetection module would protect the memory locations that would be scanned and maphack makers also had thier own anti-detections that would unload the hack if you were being scanned. Since everyone was "OMFG GIMME MH OMFG OMFG LOL OMFG !!!11 OMFG PLZZZZZZ1111!!!!17" netter came out with his without even thinking of even 1.10 detection methods. (I assume that beating mousepad to the chase also made his release premature so he could have bragging rights)
Now he has released v3.0 and claims it to be undetectable (using the cloakdll.cpp) I personally think this to be complete bullshit. It's there in memory waiting to be scanned. Even though it "wipes" the dll from memory the program dllshow still showed it for a few people saying that it's still scanable in some way or another.

also blizzard can basically do whatever in the hell they want because you clicked "I agree" I've talked about this sort of detection system with my friends and family for years regarding d2 and I'm happy to finally see it implemented (proving every single person wrong and collecting a few dollars in the process =-D)
P.S always be on the lookout for "may change without notice" when you agree to things. a situation that is fine now may change later without you knowing.