
Finding WoWMimic

Hey, I called this little snippet “WardenMimic” because it’s just mimicking what Warden would have to do to detect the fail bot known as WoWMimic. Very simple example, but afaik similar to how Glider was detected (i.e. via window names and contents). A more sophisticated attack would use hashing of the remote process’s memory, but that’s totally unnecessary because WoWMimic doesn’t bother to obfuscate or hide anything.

Keep in mind, this was written in literally 5 minutes; a much more solid and reliable method would not be much extra work (maybe just another 5?). The code is designed to be in a DLL that is loaded by (or injected into) WoW.exe so that it is in the same context and has the same privilege level as Warden would. I made sure to load WoW via WoWMimic to ensure anything they would be doing against Warden would happen against me also, though they let you attach on the fly so I don’t think security is one of their major concerns.

Please note that I don’t have a WoWMimic sub so I just downloaded it off their site and am assuming nothing special happens if you actually run the bot that activates any window hiding or obfuscation. Let me know if this is the case and I’ll get a sub and release a new finder.

// Windows API
#include <Windows.h>
#include <io.h>
#include <fcntl.h>
#include <tchar.h>

// C++ Standard Library
#include <iostream>
#include <cstdio>
#include <string>
#include <vector>

// StealthLib
#include "Conditional.h"
#include "Cloaker.h"
#include "Injector.h"

// String type matching TCHAR (narrow or wide depending on the build);
// std::tstring is not part of the standard library, so define our own
typedef std::basic_string<TCHAR> tstring;

// Holds top-level windows collected by EnumWindows
std::vector<HWND> Windows;

// Top level window enumeration callback
BOOL CALLBACK MyEnumWindowsProc(HWND hwnd, LPARAM /*lParam*/)
{
    Windows.push_back(hwnd);
    return TRUE;
}

// Child level window enumeration callback: reads the child's text once and
// compares it against the two labels WoWMimic's UI shows
BOOL CALLBACK MyEnumChildWindowsProc(HWND hwnd, LPARAM /*lParam*/)
{
    std::vector<TCHAR> Buffer(MAX_PATH);
    if (GetWindowText(hwnd, &Buffer[0], MAX_PATH))
    {
        tstring Text(&Buffer[0]);
        if (Text == TEXT("http://www.mimicusa.com"))
            std::cout << "Found WoWMimic URL label!" << std::endl;
        if (Text == TEXT("Us Ver 3.0.0.42"))
            std::cout << "Found WoWMimic version label!" << std::endl;
    }
    return TRUE;
}

// DLL entry point
BOOL WINAPI DllMain(HINSTANCE hinstDLL,
                    DWORD fdwReason,
                    LPVOID /*lpvReserved*/)
{
    // Stop unreferenced param warning when __STEALTH is undefined
    UNREFERENCED_PARAMETER(hinstDLL);

#ifdef __CONSOLE
    // Whether to free the process's console upon detach
    static bool NeedFree = false;
#endif

    // Reason for calling DllMain
    switch (fdwReason)
    {
    case DLL_PROCESS_ATTACH:
    {
#ifdef __CONSOLE
        // Set up debug console
        NeedFree = (AllocConsole() ? true : false);
        FILE* fpOld = NULL;
        freopen_s(&fpOld, "CONOUT$", "w", stdout);
#endif

        // Walk every top-level window, then every child window of each one
        EnumWindows(MyEnumWindowsProc, NULL);
        for (std::vector<HWND>::const_iterator It = Windows.begin();
             It != Windows.end(); ++It)
        {
            EnumChildWindows(*It, MyEnumChildWindowsProc, NULL);
        }

#ifdef __STEALTH
        // Cloaker
        Cloaker::Get()->AddModule(hinstDLL, true);
#endif

        break;
    }
    case DLL_PROCESS_DETACH:
    {
#ifdef __CONSOLE
        // Don't free the console if it already existed upon injection
        if (NeedFree)
            FreeConsole();
#endif

        break;
    }
    }

    // Success
    return TRUE;
}

Sorry for the messy code. The base was taken from one of my other projects because I was too lazy to whip up the skeleton by hand. Then I just slapped in the detection stuff. There’s lots of unnecessary crap there, but you get the point.

Obviously if WoW was started as guest you could defeat remote hashing attacks or those similar, but guess what… That’s how they detected Glider! They checked whether the given access token was restricted (i.e. started with reduced privileges).

Protip: Don’t use WoWMimic. Not only is it an awful bot, it’s a 30 second job (literally) to write a detection routine.

  1. Sym
    May 7th, 2009 at 08:55 | #1

    That’s incredible. Maybe Blizzard would be better at detecting bots if they had more than a single part time employee on their anti-hacks team.

    Couldn’t Mimic fix this by just randomizing the window title (and by the looks of it, tell their users not to browse the Mimic website while botting). If they were to do that, how long would it take you to detect that?

  2. PGore
    May 7th, 2009 at 10:38 | #2

    WoWMimic doesnt not suck at all. It works great and runs multiple bots 24/7.
    Mimic makers say that there is protection, but they are not telling people what kind of protection (to keep it on the DL from blizz).

    Professional Chinese Coders > Some Script Kiddy Blogger.

  3. Cypherjb
    May 7th, 2009 at 11:40 | #3

    Probably another 5 minutes.

  4. Cypherjb
    May 7th, 2009 at 11:45 | #4

    Actually I’m quite a well respected member of the WoW hacking community. You on the other hand? Not so much. The WoWMimic team? Not so much.

    Also, PROFESSIONAL? LOL! Have you ever actually looked in detail at their so-called bot? It’s written just awfully. I find it amusing how many constant patches they have to push because they’ve never heard of QA and every time they push a patch to fix something they end up breaking something else.

    Why does it matter whether the mimic idiots say there is protection? Take a look for yourself, you can see there’s no active protection. Oh right, you can’t reverse engineer software, you’re just a tool with WoWMimic’s dick so far down your throat it’s obscuring your vision and you can’t see that it’s a pile of crap. Also, if my module can see mimic, Warden can see mimic, it’s pretty much that simple.

    Anyway, I wish the warden guy wasn’t so lazy, hopefully WoWMimic will be gone soon.

  5. Lax
    May 7th, 2009 at 12:16 | #5

    You should do more research on how warden works in its current incarnation. A “respected member of the wow hacking community” shouldn’t come off sounding like an idiot. You are right about one thing, mimic has no real protection; it’s up to Blizzard what happens at this point.

  6. Happy Day
    May 7th, 2009 at 14:43 | #6

    You appear to just be iterating through available window handles and comparing text, yet every copy of Mimic I’ve downloaded for the last 2 months has had unset Windows title bars. (Actually, now that I look, I have 3.0.0.41. Perhaps they fucked up with 3.0.0.42? Can’t tell, because their site is down.)

    If this does actually work, a) you downloaded a weird copy or 3.0.0.42 is specifically screwed up and b) it’s a cute Windows privilege escalation exploit, since you shouldn’t be able to interrogate other windows from a different context. (Run WoW as an unprivileged user, inject this as the same unprivileged user, it should not have access to a privileged user’s windows.) Patch that, Microsoft!

    Either way, Mimic (assuming it isn’t flawed as you describe) is no more or less hidden from Warden and WoW’s processes than almost every other bot out there, including the ones that use morphing title bars. You’re fooling yourself if you think that’s protection and that there aren’t other privilege escalation bugs that could be used to detect any bot out there. The question is whether WoW dev has the bandwidth to do this — all indications say ‘no’.

    Not saying it’s a good bot… just that your 2-minute code snippet to detect it doesn’t prove much of anything.

  7. Jola
    May 7th, 2009 at 16:07 | #7

    Thanks for posting, Cypher, this is something I have long suspected but didn’t have the know-how to confirm for myself. Suggestion 1: get a 200 hour key (or whatever is the cheapest) and try it with the bot running, as they may implement something different on the fly, you never know. Suggestion 2: rip out the political crap and just make this post about how WoWmimic can be detected; I think it can be far more effective that way in its mission as a PSA. Thanks again, mate.

  8. lolmimic
    May 7th, 2009 at 17:56 | #8

    @PGore

    Did It ever occur to you that the protection is a “Secret” because there is none?

    And claiming the Chinky coders as god’s yet no one has ever spoken to them other than a resellers who of course has your best interest at heart and not making as much money as possible before Mimic goes down?

    lol.

    Nice Blog btw.

  9. Cypherjb
    May 7th, 2009 at 18:22 | #9

    @Lax
    Sssh. You’re ruining the trolling fun.

    I’m perfectly aware it’s not scanning windows, processes, etc. but it’s irrelevant, they could easily re-enable those scans or add new scans like was done for Glider. The point is that there’s nothing there, at all, to protect it.

  10. Cypherjb
    May 7th, 2009 at 18:25 | #10

    @Happy Day
    You’re confusing top level windows with child windows. Yes the top level windows are unset, the child windows are not. It’s not an exploit, mimic just runs in the same account as WoW does by default. Even if you did bother to run as an unprivileged account you’d still get caught out just like Glider did. WoWMimic is NOT more or less hidden from Warden, at all. You’re fooling yourself if you think there is any warden protection there, there is not, and it’s trivial to detect.

  11. nothing
    May 7th, 2009 at 21:04 | #11

    so what bot can be used now if mimic is not safe?

  12. Cypherjb
    May 7th, 2009 at 21:06 | #12

    Safely? None unless you write your own.

  13. nothing
    May 7th, 2009 at 22:31 | #13

    I’m not a dev, where can I start to learn coding a bot?

  14. Cypherjb
    May 7th, 2009 at 23:13 | #14

    @nothing
    Learn to program first. Lol.

  15. Happy Day
    May 7th, 2009 at 23:43 | #15

    @Cypherjb

    “You’re fooling yourself if you think there is any warden protection there, there is not, and its trivial to detect.”

    I’m pretty sure that’s exactly what I said… all bots, should Blizzard have enough development cycles to spin (and we aren’t talking many), could be easily detected in their current incarnations. I think this has to do with the fact that bots are for lazy people… and lazy people don’t know how to properly protect themselves.

    I can confirm that this (with modification to not hardcode 3.0.0.42 as version number) will detect Mimic if you run it ‘out of the box’. Run WoW as guest and Mimic as a privileged user, though, and it fails. I assumed this was standard operating procedure when botting, even though it provides (at best) a minimal layer of additional protection from the WoW process.

    Same statement as before: this is no more or less detectable than any of the other bots out there right now. It may be a shitty bot, but don’t scare people away because this has a ‘one of a kind flaw’. People should get banned and learn from mistakes.

  16. Cypherjb
    May 7th, 2009 at 23:54 | #16

    @Happy Day
    Doesn’t have a “one of a kind flaw”. If you run as guest, you can still detect their injected DLL quite trivially. No amount of API restriction can stop that, because it’s injected into WoW’s process space, something which it HAS to have full control of.

    So, it’s still trivial to detect, even in guest mode. Sorry.

  17. nothing
    May 8th, 2009 at 00:37 | #17

    @Cypher Yes of course but what language for start ?
    And do u know if NoD-0 Bot affiliate at Mimic is too crap ?

  18. Cypherjb
    May 8th, 2009 at 01:21 | #18

    @nothing
    Yes it is, the guy who wrote it is a total tool and basically stole 90% of the code. I doubt he’ll be able to maintain it (that is, if it even works properly).

    Obviously there is zero warden protection on that too.

    As for the language? I personally like C++, but C# is probably a better starter language.

  19. nothing
    May 8th, 2009 at 01:29 | #19

    Ty Cypher u are very nice, i am surprised to receive an answer with your level (god) :p
    Remain as you are, good guy

  20. Untouchable
    May 8th, 2009 at 01:50 | #20

    quit hang gliding off of his nuts.. if mimic is easy to detect then the ban wave would have already come. where is it? do you think blizzard is waiting on x number of people to pay for mimic before they really write detection rules for it? Blizzard has stopped almost all of the public bots with their lawyers’ voice after what happened to glider in court. The reason they went down that road is because the only way to truly detect a bot is to check what people are running on their personal computer. Blizzard doesn’t have the right to do that as said in the computer privacy laws. It’s called spyware and is illegal. Let blizzard detect what website i am visiting or what other programs i am running due to the fact that they check the title of it or check memory. There will be a lot bigger lawsuit against blizzard than what they did to glider and i’ll LOL all the way to the bank!!

  21. Cypherjb
    May 8th, 2009 at 02:06 | #21

    @Untouchable
    1. I have nothing to do with Glider, I was not a Glider user, nor a Glider ‘fan’.
    2. Warden is typically very slowly updated. It takes months for the lazy guy in charge to actually get off his ass and detect new hacks. Why? Nobody knows. But it is definitely detectable, I challenge you to ask anyone (Kynox, Harko, Hamut, Lax, etc etc).
    3. Blizzard DO have the right to do the scans they were doing. The server sent down a hash, they hashed all the windows, did a compare, and sent back a yes/no response. No private data was ever transferred so no privacy violation exists. Please do your research.
    4. You agree to their ToS, you agree to their EULA, as much as you may not like it, Warden, even in its aggressive state, is perfectly legal.
    5. I have no idea what you’re rambling about in the rest of your post so I’ll just take it that you’re another idiot who doesn’t really understand what exactly is going on behind the scenes with all these bots springing up after Glider’s demise.

  22. Happy Day
    May 8th, 2009 at 02:50 | #22

    @Cypherjb

    Your simple ‘detection’ method won’t work if people take very basic steps to protect themselves. Since Mimic uses injection, it’s pretty much a given it could be detected by the WoW process that way, but that’s not what your original post was about.

    Once again, I’ll repeat: “this is no more or less detectable than any of the other bots out there right now”. Stop fear mongering because you don’t like this particular bot. All bots are risky, all bots are detectable: why single Mimic out? Given an hour of time, you could detect Glider’s shadow driver from an unprivileged context. The question is whether or not Blizzard has the inclination to do so.

  23. Happy Day
    May 8th, 2009 at 02:56 | #23

    And to clarify… banning piecemeal (more on player reports than on systematic processes) rather than via banwaves is in Blizzard’s best interest from a revenue perspective. So long as the game economy isn’t being skewed negatively too much by botting, they don’t have a huge inclination to target specific bots.

  24. Untouchable
    May 8th, 2009 at 05:10 | #24

    Cypherjb, go cypher a dick for starters! If it detects what you are running then it is spyware even if it sends a “yes or no”, “1 or 0″, “on or off” because it is checking against a string and if (string == wowmimic) { return true; } even though it doesn’t return string(”WoWMimic”); it is still returning a representation of said string. It’s like telling the president, “I’ll kill you” in Spanish. You are going to get jumped on and dog piled by some big ass dudes! Blizzard has the right, by law, to check their own game’s memory… nothing else.

    quote from Cypherjb, “2. Warden is typically very slowly updated. It takes months for the lazy guy in charge to actually get off his ass and detect new hacks. Why? Nobody knows. But it is definitely detectable, I challenge you to ask anyone (Kynox, Harko, Hamut, Lax, etc etc).”

    You crack me up! I assume you now work for blizzard because of the millions they receive per month you assume that they can afford to pay a guy to do a specific job but he just takes 4 hour lunches, comes in late and leaves early? I’m sure their management has a tighter grip on their employees than the US Military, but that’s me making an assumption. That’s what this thread is about right? “Ramblings++”

    So my main assumption, well not really, is blizzard doesn’t have the right by law.

  25. Eradicator
    May 8th, 2009 at 09:22 | #25

    Cypher: Why don’t you write a post about how Glider was detected, and how Warden works in general?

    Untouchable: There hasn’t been a banwave because:

    1. Blizzard doesn’t want to ban thousands of people, because then they’ll be losing money. They want to take out the providers of those bots.

    2. If Blizzard did decide to ban bot-users, they’d wait a long time (cite: Diablo 2), and do a massive banwave so they can say “We have banned 200,000 botters across US servers.” That makes a larger impact on people than individual bans every day.

  26. Cypherjb
    May 8th, 2009 at 16:20 | #26

    @Happy Day
    ‘Once again, I’ll repeat: “this is no more or less detectable than any of the other bots out there right now”.’

    I never stated otherwise. You’re just enforcing my point that this is VERY easy to detect.

    And yes, it is using injection, and they’re doing that wrong too. So I don’t know what your point is, but it doesn’t change the fact that it’s easy to detect in both forms.

  27. Cypherjb
    May 8th, 2009 at 16:23 | #27

    @Untouchable
    You’re wrong again. Warden sent a list, compared the titles to what’s on the list, and sent back a boolean. Even if they sent back the hashes, there is still no way to recover the original title.

    Do you even know how hashing works? It’s called a ‘one-way’ process for a reason.

    If you think that the Warden guy is hard working then why don’t YOU explain why he takes so long to detect stuff that is trivial to detect?

    WoWInifinity? Changes bytes in read-only memory. Very easy to look for.
    Most of the injection based fish-bots? Do a stack trace in FrameScript_Execute.
    WoWMimic? Do a simple check for the injected DLL and a memory hash. Do a simple check for the presence of the window or process.

    It’s amusing to watch people like you come out of the woodworks and defend a bot you know nothing about in a game with an anti-cheat system you know nothing about.

  28. kynox
    May 8th, 2009 at 21:34 | #28

    @Untouchable

    First of all, it never sent strings. It sent one way hashes of titles to compare hashes of the running windows with.

    Secondly, Mimic is detectable and like I stated on the glider forums; we have no idea why the Warden dev is being so lazy.
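The comparison that comments #21, #27 and #28 describe, where the client only holds hashes of the titles it is looking for, hashes whatever it sees, and reports nothing but a boolean, as an added example; this is not code from the post, from StealthLib or from Warden. FNV-1a stands in for whatever one-way function Warden actually used (the page does not say), and the hash list and window titles are constructed sample data in place of what EnumWindows/GetWindowText would return, so the file builds without the Windows API.

```c
/*
 * Added example (not from the original post or from Warden): hashed title
 * matching as described in the comment thread. FNV-1a is an assumption
 * standing in for Warden's real one-way function; the list and titles are
 * constructed sample data replacing an EnumWindows/GetWindowText walk.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define FNV64_OFFSET 0xcbf29ce484222325ULL
#define FNV64_PRIME  0x100000001b3ULL

/* 64-bit FNV-1a over a NUL-terminated string. */
uint64_t fnv1a64(const char *s)
{
    uint64_t h = FNV64_OFFSET;
    for (const unsigned char *p = (const unsigned char *)s; *p; ++p) {
        h ^= *p;
        h *= FNV64_PRIME;
    }
    return h;
}

/* Does this title hash to any value on the server-supplied list?
 * The client never needs the plaintext titles it is looking for. */
int title_on_list(const char *title, const uint64_t *list, size_t nlist)
{
    uint64_t h = fnv1a64(title);
    for (size_t i = 0; i < nlist; ++i)
        if (list[i] == h)
            return 1;
    return 0;
}

/* The whole check over every visible title: 1 if at least one matches,
 * else 0. In the design the comments describe, this boolean is the only
 * thing that goes back to the server; no title (or even its hash) leaves
 * the client. */
int scan_titles(const char *const *titles, size_t ntitles,
                const uint64_t *list, size_t nlist)
{
    for (size_t i = 0; i < ntitles; ++i)
        if (title_on_list(titles[i], list, nlist))
            return 1;
    return 0;
}

int main(void)
{
    /* Constructed sample: what the server would send down, already hashed.
     * The two titles are hypothetical, not real bot UI strings. */
    const uint64_t list[] = {
        fnv1a64("Example Bot Control Panel"),
        fnv1a64("http://bot.example"),
    };
    /* Constructed sample: titles as a child-window walk might return them. */
    const char *const titles[] = {
        "World of Warcraft", "Notepad", "http://bot.example"
    };
    int hit = scan_titles(titles, 3, list, 2);
    printf("report to server: %d\n", hit);
    return 0;
}
```

Compared with the plaintext `==` in the post's MyEnumChildWindowsProc, the list of what is being looked for cannot be read back out of the client as strings, and the report is a single bit rather than any title text. The caveat from comment #1 still applies: hashing the whole title means a single changed character no longer matches, so a list like this has to be refreshed whenever the thing it targets renames itself.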

  29. Untouchable
    May 9th, 2009 at 03:28 | #29

    Cypher, you say you are part of the wow hacking community so why do you even care enough to want wowmimic gone? If you are so knowledgeable about it and clearly you speak perfect English why don’t you write a bot that towers over the rest, move to china and start up a bot server while you are really accessing the server to update it from your living room in Florida.

  30. May 9th, 2009 at 04:50 | #30

    @Untouchable
    Because I dislike irresponsible botting, and most public botters are irresponsible botters. They ruin markets, overfarm quest areas, and generally make the game shittier for others.

    Also, I already have access to bots that ‘tower over the rest’, making that stuff public though is just silly, it’s much easier to make money botting in private with a good bot, than it is selling a bot publicly.

    Also, I’m an Australian.

    EDIT: I also dislike idiots who claim they are somehow super-programmers who have written a public bot which is immune to warden, when in fact the only things they have on their side are the fact that the Warden guy is lazy, and plain old luck. If you reverse WoWMimic (thanks Kynox!) you will see how terribly it’s written, and trust me, it’s bad, REALLY bad.

  31. dekz
    May 9th, 2009 at 23:37 | #31

    I love a good flame war in the morning.

    Untouchable I have no idea how you found your way here but I feel like you’re out of your depth.

    Keep the entries coming cypher, they are good and informative to read.

  32. May 10th, 2009 at 14:15 | #32

    @dekz
    I love it too.

    Thanks.

  33. Untouchable
    May 11th, 2009 at 10:26 | #33

    Information is minimal here and it’s more opinions and badgering. Cypher wrote, “Yes it is, the guy who wrote it is a total tool and basically stole 90% of the code. I doubt he’ll be able to maintain it (that is, if it even works properly).” about NoD-0 but the coder just recoded the entire thing to make it run more smoothly but I guess the code that he stole just happened to get redone by someone else so he can use it to make his product better. Cypher doesn’t know shit but what he thinks and you guys that hang glide off of his nut sack are obviously tools. To hell with being a busy body, gossip column writing, uninformed hater.

  34. May 11th, 2009 at 17:25 | #34

    @Untouchable
    I have to laugh at idiots who think they know what they’re talking about when actually they’re missing half the information. You are one of those idiots.

    Until you’re actually privy to the inside information surrounding Krypton/Jay I suggest you just stop posting, because you look more and more stupid every time you hit submit.

    But hey, why would anyone listen to me, Kynox, Mads/Unknowned/Malu05, Apoc, etc. when they’ve got YOU to get information from. Someone who no one has ever heard of and who evidently has zero presence in the underground WoW scene. Yep, sounds like you sure know where you’re coming from. *cough*

  35. Untouchable
    May 13th, 2009 at 02:28 | #35

    @Cypherjb
    I know you run your information off of assumptions and it is clear in your posts. Anyone who uses NoD-0 can see that clearly. I claim this, I claim that bla bla fucking bla.. Actions speak louder than words and all you do is talk.

  36. May 13th, 2009 at 07:20 | #36

    @Untouchable
    I’m sure you know more about the WoW hacking scene and the Krypton ’situation’ than myself, Kynox, Malue, Apoc, etc.

    Lol @ you. Ignorance must be bliss.

  37. Blackbook
    May 13th, 2009 at 12:04 | #37

    Interesting post and interesting discussion.

    For the record (@Untouchable) I can’t see anything wrong (or even closely illegal) with what Cypher’s suggesting at all. I’ve not had a chance to ‘use’ mimic thus far, but I looked over the code that was released over at mmowned and, well, it made me chuckle a bit (not too much, I’m not claiming to be a hardcore script kiddie…but I understood enough).

    I can’t for the life of me understand people who say ‘THEY HAVE detection methods, they just don’t want to say what they are’ - that’s like the fucking Mormons ‘We have a Gold plate from God, but no you can’t see it….believe me!!!!’. Idiots.

    Keep it up, keep it clean, wipe it down.

    -bb

  38. ayrab
    May 13th, 2009 at 12:58 | #38

    I agree, those gook codemonkeys cant program for shit. I also looked over the mimic code, i seriously lol’d. It’s no wonder 5 things break when they push out 1 bugfix in their new patch.

  39. Rimsy
    May 15th, 2009 at 15:28 | #39

    Why poke around mimic that much? Do you have a better Bot!
    If Yes link it please.

    Same with Ebot why did/do you do all that!!?

  40. Rimsy
    May 15th, 2009 at 15:29 | #40

    Ahh and a Question if Mimic is so easily detected why did the ban us not long ago??

  41. Eradicator
    May 16th, 2009 at 02:29 | #41

    @Rimsy

    All of those questions are already answered.

    “Why poke around mimic that much? Do you have a better Bot!
    If Yes link it please.”

    The only decent bots are private, which isn’t going to link because it’s private. (Redundancy check, anyone?)

    “Ahh and a Question if Mimic is so easily detected why did the ban us not long ago??”

    The guy that writes Warden is incredibly lazy, or something along those lines.

  42. June 3rd, 2009 at 01:00 | #42

    Hi, good post. I have been wondering about this issue, so thanks for posting.

  43. AndrewBoldman
    June 5th, 2009 at 00:13 | #43

    Great post! Just wanted to let you know you have a new subscriber- me!

  44. GarykPatton
    June 16th, 2009 at 13:12 | #44

    How soon will you update your blog? I’m interested in reading some more information on this issue.
