Finding WoWMimic
Hey, called this little snippet “WardenMimic” because it’s just mimicking what Warden would have to do to detect the fail bot known as WoWMimic. Very simple example, but afaik similar to how Glider was detected (i.e. via window names and contents). A more sophisticated attack would use hashing of the remote process’s memory, but that’s totally unnecessary because WoWMimic doesn’t bother to obfuscate or hide anything.
Keep in mind, this was written in literally 5 minutes, a much more solid and reliable method would not be much extra work (maybe just another 5?). The code is designed to be in a DLL that is loaded by (or injected into) WoW.exe so that it is in the same context and has the same privilege level as Warden would. I made sure to load WoW via WoWMimic to ensure anything they would be doing against Warden would happen against me also, though they let you attach on the fly so I don’t think security is one of their major concerns.
Please note that I don’t have a WoWMimic sub so I just downloaded it off their site and am assuming nothing special happens if you actually run the bot that activates any window hiding or obfuscation. Let me know if this is the case and I’ll get a sub and release a new finder.
// Windows API
#include <Windows.h>
#include <io.h>
#include <fcntl.h>
#include <tchar.h>

// C++ Standard Library
#include <iostream>
#include <cstdio>
#include <string>
#include <vector>

// StealthLib
#include "Conditional.h"
#include "Cloaker.h"
#include "Injector.h"

// TCHAR-aware string type (std::tstring is not part of the standard library)
typedef std::basic_string<TCHAR> tstring;

// Holds windows from EnumWindows
std::vector<HWND> Windows;

// Top level window enumeration callback
BOOL CALLBACK MyEnumWindowsProc(HWND hwnd, LPARAM /*lParam*/)
{
    Windows.push_back(hwnd);
    return TRUE;
}

// Child level window enumeration callback
BOOL CALLBACK MyEnumChildWindowsProc(HWND hwnd, LPARAM /*lParam*/)
{
    // Read the child window's text once, then compare it against the known labels
    std::vector<TCHAR> Buffer(MAX_PATH);
    if (!GetWindowText(hwnd, &Buffer[0], MAX_PATH))
        return TRUE;
    tstring Text(&Buffer[0]);
    if (Text == TEXT("http://www.mimicusa.com"))
        std::cout << "Found WoWMimic URL label!" << std::endl;
    if (Text == TEXT("Us Ver 3.0.0.42"))
        std::cout << "Found WoWMimic version label!" << std::endl;
    return TRUE;
}

// DLL entry point
BOOL WINAPI DllMain(HINSTANCE hinstDLL,
                    DWORD fdwReason,
                    LPVOID /*lpvReserved*/)
{
    // Stop unreferenced param warning when __STEALTH is undefined
    UNREFERENCED_PARAMETER(hinstDLL);

#ifdef __CONSOLE
    // Whether to free the process's console upon detach
    static bool NeedFree = false;
#endif

    // Reason for calling DllMain
    switch (fdwReason)
    {
    case DLL_PROCESS_ATTACH:
    {
#ifdef __CONSOLE
        // Set up debug console
        NeedFree = (AllocConsole() ? true : false);
        FILE* fpOld = NULL;
        freopen_s(&fpOld, "CONOUT$", "w", stdout);
#endif
        // Enumerate every top level window, then every child of each one
        EnumWindows(MyEnumWindowsProc, NULL);
        for (std::vector<HWND>::const_iterator It = Windows.begin(); It != Windows.end(); ++It)
        {
            EnumChildWindows(*It, MyEnumChildWindowsProc, NULL);
        }
#ifdef __STEALTH
        // Cloaker
        Cloaker::Get()->AddModule(hinstDLL, true);
#endif
        break;
    }
    case DLL_PROCESS_DETACH:
    {
#ifdef __CONSOLE
        // Don't free the console if it already existed upon injection
        if (NeedFree)
            FreeConsole();
#endif
        break;
    }
    }

    // Success
    return TRUE;
}
Sorry for the messy code. The base was taken from one of my other projects because I was too lazy to whip up the skeleton by hand. Then I just slapped in the detection stuff. There’s lots of unnecessary crap there, but you get the point.
Obviously if WoW was started as guest you could defeat remote hashing attacks or those similar, but guess what… That’s how they detected Glider! They checked whether the given access token was restricted (i.e. started with reduced privileges).
Protip: Don’t use WoWMimic. Not only is it an awful bot, it’s a 30 second job (literally) to write a detection routine.
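As an added illustration (not the post’s code, and not Warden’s actual implementation), here is the hash-list style check the post attributes to the Glider detection, written in portable C++ over a constructed window tree: the server sends only digests of the strings it wants found, the client hashes every top-level and child window text, and a single boolean goes back. The FakeWindow struct, the FNV-1a digest and the sample titles are assumptions made for the example.

```cpp
#include <cstdint>
#include <string>
#include <vector>

// Constructed stand-in for a window: its text plus its child windows.
struct FakeWindow {
    std::string text;
    std::vector<FakeWindow> children;
};

// FNV-1a 64-bit, used here only as a stand-in one-way digest; the page does
// not say which hash Warden used. Only digests cross the wire, never titles.
inline std::uint64_t fnv1a64(const std::string& s) {
    std::uint64_t h = 1469598103934665603ULL;
    for (unsigned char c : s) {
        h ^= c;
        h *= 1099511628211ULL;
    }
    return h;
}

// Server side: a list of digests of the strings it wants the client to look for.
inline std::vector<std::uint64_t> makeHashList(const std::vector<std::string>& wanted) {
    std::vector<std::uint64_t> out;
    for (const auto& w : wanted) out.push_back(fnv1a64(w));
    return out;
}

// Mirrors the post's EnumWindows + EnumChildWindows walk: collect the text
// of every top-level window and, optionally, of every descendant.
inline void collectTexts(const FakeWindow& w, bool includeChildren,
                         std::vector<std::string>& out) {
    out.push_back(w.text);
    if (!includeChildren) return;
    for (const auto& c : w.children) collectTexts(c, true, out);
}

// Client side: hash each window text, compare against the list, answer with
// a single yes/no. The titles themselves never leave the machine.
inline bool scanMatchesAny(const std::vector<FakeWindow>& desktop,
                           const std::vector<std::uint64_t>& hashList,
                           bool includeChildren) {
    std::vector<std::string> texts;
    for (const auto& top : desktop) collectTexts(top, includeChildren, texts);
    for (const auto& t : texts) {
        std::uint64_t h = fnv1a64(t);
        for (std::uint64_t wanted : hashList)
            if (h == wanted) return true;
    }
    return false;
}

// Constructed desktop shaped like the post's observation: the bot's top-level
// title is blank, but the URL and version labels sit in child windows.
inline std::vector<FakeWindow> sampleDesktop() {
    return {
        { "", { { "http://www.mimicusa.com", {} }, { "Us Ver 3.0.0.42", {} } } },
        { "World of Warcraft", {} },
    };
}
```

A top-level-only scan misses the blank-titled bot window, which is the difference between top level and child windows the post’s code relies on.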
That’s incredible. Maybe Blizzard would be better at detecting bots if they had more than a single part time employee on their anti-hacks team.
Couldn’t Mimic fix this by just randomizing the window title (and by the looks of it, tell their users not to browse the Mimic website while botting). If they were to do that, how long would it take you to detect that?
WoWMimic doesn’t suck at all. It works great and runs multiple bots 24/7.
Mimic makers say that there is protection, but they are not telling people what kind of protection (to keep it on the DL from blizz).
Professional Chinese Coders > Some Script Kiddy Blogger.
Probably another 5 minutes.
Actually I’m quite a well respected member of the WoW hacking community. You on the other hand? Not so much. The WoWMimic team? Not so much.
Also, PROFESSIONAL? LOL! Have you ever actually looked in detail at their so-called bot? It’s written just awfully. I find it amusing how many constant patches they have to push because they’ve never heard of QA and every time they push a patch to fix something they end up breaking something else.
Why does it matter whether the mimic idiots say there is protection? Take a look for yourself, you can see there’s no active protection. Oh right, you can’t reverse engineer software, you’re just a tool with WoWMimics dick so far down your throat its obscuring your vision and you can’t see that its a pile of crap. Also, if my module can see mimic, Warden can see mimic, its pretty much that simple.
Anyway, I wish the warden guy wasn’t so lazy, hopefully WoWMimic will be gone soon.
You should do more research on how Warden works in its current incarnation. A “respected member of the WoW hacking community” shouldn’t come off sounding like an idiot. You are right about one thing, Mimic has no real protection; it’s up to Blizzard what happens at this point.
You appear to just be iterating through available window handles and comparing text, yet every copy of Mimic I’ve downloaded for the last 2 months has had unset Windows title bars. (Actually, now that I look, I have 3.0.0.41. Perhaps they fucked up with 3.0.0.42? Can’t tell, because their site is down.)
If this does actually work, a) you downloaded a weird copy or 3.0.0.42 is specifically screwed up and b) it’s a cute Windows privilege escalation exploit, since you shouldn’t be able to interrogate other windows from a different context. (Run WoW as an unprivileged user, inject this as the same unprivileged user, it should not have access to a privileged user’s windows.) Patch that, Microsoft!
Either way, Mimic (assuming it isn’t flawed as you describe) is no more or less hidden from Warden and WoW’s processes than almost every other bot out there, including the ones that use morphing title bars. You’re fooling yourself if you think that’s protection and that there aren’t other privilege escalation bugs that could be used to detect any bot out there. The question is whether WoW dev has the bandwidth to do this — all indications say ‘no’.
Not saying it’s a good bot… just that your 2-minute code snippet to detect it doesn’t prove much of anything.
Thanks for posting, Cypher, this is something I have long suspected but didn’t have the know-how to confirm for myself. Suggestion 1: get a 200 hour key (or whatever is the cheapest) and try it with the bot running, as they may implement something different on the fly, you never know. Suggestion 2: rip out the political crap and just make this post about how WoWmimic can be detected; I think it can be far more effective that way in its mission as a PSA. Thanks again, mate.
@PGore
Did It ever occur to you that the protection is a “Secret” because there is none?
And claiming the Chinky coders as god’s yet no one has ever spoken to them other than a resellers who of course has your best interest at heart and not making as much money as possible before Mimic goes down?
lol.
Nice Blog btw.
@Lax
Sssh. You’re ruining the trolling fun.
I’m perfectly aware its not scanning windows, processes, etc. but it’s irrelevant, they could easily re-enable those scans or add new scans like was done for Glider. The point is that there’s nothing there, at all, to protect it.
@Happy Day
You’re confusing top level windows with child windows. Yes the top level windows are unset, the child windows are not. It’s not an exploit, Mimic just runs in the same account as WoW does by default. Even if you did bother to run as an unprivileged account you’d still get caught out just like Glider did. WoWMimic is NOT more or less hidden from Warden, at all. You’re fooling yourself if you think there is any Warden protection there, there is not, and it’s trivial to detect.
so what bot can be used now if mimic is not safe?
Safely? None unless you write your own.
I’m not a dev, where can I start to learn coding a bot?
@nothing
Learn to program first. Lol.
@Cypherjb
“You’re fooling yourself if you think there is any warden protection there, there is not, and its trivial to detect.”
I’m pretty sure that’s exactly what I said… all bots, should Blizzard have enough development cycles to spin (and we aren’t talking many), could be easily detected in their current incarnations. I think this has to do with the fact that bots are for lazy people… and lazy people don’t know how to properly protect themselves.
I can confirm that this (with modification to not hardcode 3.0.0.42 as version number) will detect Mimic if you run it ‘out of the box’. Run WoW as guest and Mimic as a privileged user, though, and it fails. I assumed this was standard operating procedure when botting, even though it provides (at best) a minimal layer of additional protection from the WoW process.
Same statement as before: this is no more or less detectable than any of the other bots out there right now. It may be a shitty bot, but don’t scare people away because this has a ‘one of a kind flaw’. People should get banned and learn from mistakes.
@Happy Day
Doesn’t have a “one of a kind flaw”. If you run as guest, you can still detect their injected DLL quite trivially. No amount of API restriction can stop that, because it’s injected into WoW’s process space, something which it HAS to have full control of.
So, its still trivial to detect, even in guest mode. Sorry.
@Cypher Yes of course but what language for start?
And do u know if NoD-0 Bot affiliate at Mimic is too crap ?
@nothing
Yes it is, the guy who wrote it is a total tool and basically stole 90% of the code. I doubt he’ll be able to maintain it (that is, if it even works properly).
Obviously there is zero warden protection on that too.
As for the language? I personally like C++, but C# is probably a better starter language.
Ty Cypher u are very nice, I am surprised to receive an answer with your level (god) :p
Remain as you are, good guy
quit hang gliding off of his nuts.. if mimic is easy to detect then the ban wave would have already come. where is it? do you think blizzard is waiting on x number of people to pay for mimic before they really write detection rules for it? Blizzard has stopped almost all of the public bots with their lawyers’ voice after what happened to glider in court. The reason they went down that road is because the only way to truly detect a bot is to check what people are running on their personal computer. Blizzard doesn’t have the right to do that as said in the computer privacy laws. It’s called spyware and is illegal. Let blizzard detect what website I am visiting or what other programs I am running due to the fact that they check the title of it or check memory. There will be a lot bigger law suit against blizzard than what they did to glider and I’ll LOL all the way to the bank!!
@Untouchable
1. I have nothing to do with Glider, I was not a Glider user, nor a Glider ‘fan’.
2. Warden is typically very slowly updated. It takes months for the lazy guy in charge to actually get off his ass and detect new hacks. Why? Nobody knows. But it is definitely detectable, I challenge you to ask anyone (Kynox, Harko, Hamut, Lax, etc etc).
3. Blizzard DO have the right to do the scans they were doing. The server sent down a hash, they hashed all the windows, did a compare, and sent back a yes/no response. No private data was ever transferred so no privacy violation exists. Please do your research.
4. You agree to their ToS, you agree to their EULA, as much as you may not like it, Warden, even in its aggressive state, is perfectly legal.
5. I have no idea what you’re rambling about in the rest of your post so I’ll just take it that you’re another idiot who doesn’t really understand what exactly is going on behind the scenes with all these bots springing up after Glider’s demise.
@Cypherjb
Your simple ‘detection’ method won’t work if people take very basic steps to protect themselves. Since Mimic uses injection, it’s pretty much a given it could be detected by the WoW process that way, but that’s not what your original post was about.
Once again, I’ll repeat: “this is no more or less detectable than any of the other bots out there right now”. Stop fear mongering because you don’t like this particular bot. All bots are risky, all bots are detectable: why single Mimic out? Given an hour of time, you could detect Glider’s shadow driver from an unprivileged context. The question is whether or not Blizzard has the inclination to do so.
And to clarify… banning piecemeal (more on player reports than on systematic processes) rather than via banwaves is in Blizzard’s best interest from a revenue perspective. So long as the game economy isn’t being skewed negatively too much by botting, they don’t have a huge inclination to target specific bots.
Cypherjb, go cypher a dick for starters! If it detects what you are running then it is spyware even if it sends a “yes or no”, “1 or 0″, “on or off” because it is checking against a string and if (string == wowmimic) { return true; } even though it doesn’t return string(”WoWMimic”); it is still returning a representation of said string. It’s like telling the president, “I’ll kill you” in Spanish. You are going to get jumped on and dog piled by some big ass dudes! Blizzard has the right, by law, to check their own game’s memory… nothing else.
quote from Cypherjb, “2. Warden is typically very slowly updated. It takes months for the lazy guy in charge to actually get off his ass and detect new hacks. Why? Nobody knows. But it is definitely detectable, I challenge you to ask anyone (Kynox, Harko, Hamut, Lax, etc etc).”
You crack me up! I assume you now work for blizzard because of the millions they receive per month you assume that they can afford to pay a guy to do a specific job but he just takes 4 hour lunches, comes in late and leaves early? I’m sure their management has a tighter grip on their employees than the US Military, but that’s me making an assumption. That’s what this thread is about right? “Ramblings++”
So my main assumption, well not really, is blizzard doesn’t have the right by law.
Cypher: Why don’t you write a post about how Glider was detected, and how Warden works in general?
Untouchable: There hasn’t been a banwave because:
1. Blizzard doesn’t want to ban thousands of people, because then they’ll be losing money. They want to take out the providers of those bots.
2. If Blizzard did decide to ban bot-users, they’d wait a long time (cite: Diablo 2), and do a massive banwave so they can say “We have banned 200,000 botters across US servers.” That makes a larger impact on people than individual bans every day.
@Happy Day
‘Once again, I’ll repeat: “this is no more or less detectable than any of the other bots out there right now”.’
I never stated otherwise. You’re just enforcing my point that this is VERY easy to detect.
And yes, it is using injection, and they’re doing that wrong too. So I don’t know what your point is, but it doesn’t change the fact that its easy to detect in both forms.
@Untouchable
You’re wrong again. Warden sent a list, compared the titles to what’s on the list, and sent back a boolean. Even if they sent back the hashes, there is still no way to recover the original title.
Do you even know how hashing works? It’s called a ‘one-way’ process for a reason.
If you think that the Warden guy is hard working then why don’t YOU explain why he takes so long to detect stuff that is trivial to detect?
WoWInifinity? Changes bytes in read-only memory. Very easy to look for.
Most of the injection based fish-bots? Do a stack trace in FrameScript_Execute.
WoWMimic? Do a simple check for the injected DLL and a memory hash. Do a simple check for the presence of the window or process.
It’s amusing to watch people like you come out of the woodworks and defend a bot you know nothing about in a game with an anti-cheat system you know nothing about.
@Untouchable
First of all, it never sent strings. It sent one way hashes of titles to compare hashes of the running windows with.
Secondly, Mimic is detectable and like I stated on the Glider forums; we have no idea why the Warden dev is being so lazy.
Cypher, you say you are part of the WoW hacking community so why do you even care enough to want WoWMimic gone? If you are so knowledgeable about it and clearly you speak perfect English why don’t you write a bot that towers over the rest, move to China and start up a bot server while you are really accessing the server to update it from your living room in Florida.
@Untouchable
Because I dislike irresponsible botting, and most public botters are irresponsible botters. They ruin markets, overfarm quest areas, and generally make the game shittier for others.
Also, I already have access to bots that ‘tower over the rest’, making that stuff public though is just silly, its much easier to make money botting in private with a good bot, than it is selling a bot publicly.
Also, I’m an Australian.
EDIT: I also dislike idiots who claim they are somehow super-programmers who have written a public bot which is immune to Warden, when in fact the only things they have on their side are the fact that the Warden guy is lazy, and plain old luck. If you reverse WoWMimic (thanks Kynox!) you will see how terribly it’s written, and trust me, it’s bad, REALLY bad.
I love a good flame war in the morning.
Untouchable I have no idea how you found your way here but I feel like you’re out of your depth.
Keep the entries coming cypher, they are good and informative to read.
@dekz
I love it too.
Thanks.
Information is minimal here and its more opinions and badgering. Cypher wrote, “Yes it is, the guy who wrote it is a total tool and basically stole 90% of the code. I doubt he’ll be able to maintain it (that is, if it even works properly).” about NoD-0 but the coder just recoded the entire thing to make it run more smoothly but I guess the code that he stole just happened to get redone by someone else so he can use it to make his product better. Cypher doesn’t know shit but what he thinks and you guys that hang glide off of his nut sack are obviously tools. To hell with being a busy body, gossip column writing, uninformed hater.
@Untouchable
I have to laugh at idiots who think they know what they’re talking about when actually they’re missing half the information. You are one of those idiots.
Until you’re actually privy to the inside information surrounding Krypton/Jay I suggest you just stop posting, because you look more and more stupid every time you hit submit.
But hey, why would anyone listen to me, Kynox, Mads/Unknowned/Malu05, Apoc, etc. when they’ve got YOU to get information from. Someone who no one has ever heard of and who evidently has zero presence in the underground WoW scene. Yep, sounds like you sure know where you’re coming from. *cough*
@Cypherjb
I know you run your information off of assumptions and it is clear in your posts. Anyone who uses NoD-0 can see that clearly. I claim this, I claim that bla bla fucking bla.. Actions speak louder than words and all you do is talk.
@Untouchable
I’m sure you know more about the WoW hacking scene and the Krypton ’situation’ than myself, Kynox, Malue, Apoc, etc.
Lol @ you. Ignorance must be bliss.
Interesting post and interesting discussion.
For the record (@Untouchable) I can’t see anything wrong (or even closely illegal) with what Cypher’s suggesting at all. I’ve not had a chance to ‘use’ Mimic thus far, but I looked over the code that was released over at mmowned and, well, it made me chuckle a bit (not too much, I’m not claiming to be a hardcore script kiddie… but I understood enough).
I can’t for the life of me understand people who say ‘THEY HAVE detection methods, they just don’t want to say what they are’ - that’s like the fucking Mormons ‘We have a Gold plate from God, but no you can’t see it… believe me!!!!’. Idiots.
Keep it up, keep it clean, wipe it down.
-bb
I agree, those gook codemonkeys can’t program for shit. I also looked over the Mimic code, I seriously lol’d. It’s no wonder 5 things break when they push out 1 bugfix in their new patch.
Why poke around Mimic that much? Do you have a better bot!
If yes link it please.
Same with Ebot why did/do you do all that!!?
Ahh and a question: if Mimic is so easily detected why did the ban us not long ago??
@Rimsy
All of those questions are already answered.
“Why poke around Mimic that much? Do you have a better bot!
If yes link it please.”
The only decent bots are private, which isn’t going to link because it’s private. (Redundancy check, anyone?)
“Ahh and a question: if Mimic is so easily detected why did the ban us not long ago??”
The guy that writes Warden is incredibly lazy, or something along those lines.
Hi, good post. I have been wondering about this issue, so thanks for posting.
Great post! Just wanted to let you know you have a new subscriber- me!
How soon will you update your blog? I’m interested in reading some more information on this issue.