Ramblings++

Home > Games, Programming, Windows > In-process WoWMimic Detection

In-process WoWMimic Detection

May 14th, 2009

The following is code that will detect if WoWMimic is running using fully in-process checks. That means that you can lock it down with guest mode, hide the window, etc all you want, this will still work, because we’re operating entirely inside WoW.exe’s address space.

Before we begin, huge thanks to Kynox for unpacking Melete (WoWMimic’s injected DLL).

WoWMimic needs a way for its DLL to communicate with its application component, it does this through shared memory. Here is the disassembled function responsible for setting this up. I have commented the virtualized API calls to make it apparent what is going on:

___:1002F630 ; =============== S U B R O U T I N E =======================================

___:1002F630

___:1002F630 ; Attributes: bp-based frame

___:1002F630

___:1002F630 sub_1002F630 proc near ; CODE XREF: DllMain(x,x,x)+45p

___:1002F630

___:1002F630 var_24 = dword ptr -24h

___:1002F630 var_20 = dword ptr -20h

___:1002F630 var_1C = dword ptr -1Ch

___:1002F630 var_10 = dword ptr -10h

___:1002F630 var_8 = dword ptr -8

___:1002F630 var_4 = dword ptr -4

___:1002F630

___:1002F630 push ebp

___:1002F631 mov ebp, esp

___:1002F633 push 0FFFFFFFEh

___:1002F635 push offset dword_10070488

___:1002F63A push offset __except_handler4

___:1002F63F mov eax, large fs:0

___:1002F645 push eax

___:1002F646 sub esp, 14h

___:1002F649 push ebx

___:1002F64A push esi

___:1002F64B push edi

___:1002F64C mov eax, dword_10072054

___:1002F651 xor [ebp+var_8], eax

___:1002F654 xor eax, ebp

___:1002F656 push eax

___:1002F657 lea eax, [ebp+var_10]

___:1002F65A mov large fs:0, eax

___:1002F660 xor ebx, ebx

___:1002F662 mov [ebp+var_24], ebx

___:1002F665 mov [ebp+var_1C], ebx

___:1002F668 xor esi, esi

___:1002F66A mov [ebp+var_20], esi

___:1002F66D mov [ebp+var_4], ebx

___:1002F670 push offset a0xa0c82e ; “0xA0C82E”

___:1002F675 push ebx

___:1002F676 push 2

___:1002F678 call near ptr 3E0000h ; OpenFileMappingW

___:1002F67D nop

___:1002F67E mov edi, eax

___:1002F680 mov [ebp+var_1C], edi

___:1002F683 cmp edi, ebx

___:1002F685 jz short loc_1002F6D8

___:1002F687 push 0Ch

___:1002F689 push ebx

___:1002F68A push ebx

___:1002F68B push 2

___:1002F68D push edi

___:1002F68E call near ptr 3E0370h ; MapViewOfFile

___:1002F693 nop

___:1002F694 mov esi, eax

___:1002F696 mov [ebp+var_20], esi

___:1002F699 cmp esi, ebx

___:1002F69B jz short loc_1002F6D8

___:1002F69D push ebx

___:1002F69E push ebx

___:1002F69F mov eax, [esi]

___:1002F6A1 push eax

___:1002F6A2 push offset loc_1002F570

___:1002F6A7 push ebx

___:1002F6A8 push ebx

___:1002F6A9 call near ptr 21092Eh ; CreateThread

___:1002F6AE nop

___:1002F6AF mov dword_100730C0, eax

___:1002F6B4 cmp eax, ebx

___:1002F6B6 jz short loc_1002F6D8

___:1002F6B8 mov ecx, [esi+10h]

___:1002F6BB mov dword_100730C4, ecx

___:1002F6C1 mov edx, [esi+20h]

___:1002F6C4 mov dword_100730C8, edx

___:1002F6CA mov [ebp+var_24], 1

___:1002F6D1 mov [esi], ebx

___:1002F6D3 call sub_10058CD0

___:1002F6D8

___:1002F6D8 loc_1002F6D8: ; CODE XREF: sub_1002F630+55j

___:1002F6D8 ; sub_1002F630+6Bj …

___:1002F6D8 mov [ebp+var_4], 0FFFFFFFEh

___:1002F6DF call sub_1002F701

___:1002F6E4 mov eax, [ebp+var_24]

___:1002F6E7 mov ecx, [ebp+var_10]

___:1002F6EA mov large fs:0, ecx

___:1002F6F1 pop ecx

___:1002F6F2 pop edi

___:1002F6F3 pop esi

___:1002F6F4 pop ebx

___:1002F6F5 mov esp, ebp

___:1002F6F7 pop ebp

___:1002F6F8 retn

___:1002F6F8 sub_1002F630 endp

The file name they have is hardcoded and doesn’t change (even across mimic versions), so it’s obvious what we can do to abuse this fact:

bool IsMimicInjected()

{

HANDLE MimicIPC = OpenFileMapping(FILE_MAP_READ,FALSE,”0xA0C82E”);

if (!MimicIPC)

return false;

// You could do even more to check here by inspecting the memory

// mapped file but that is unnecessary.

CloseHandle(MimicIPC);

return true;

}

There you have it. WoWMimic detected yet again. This time though the bar has been raised heavily, as you can no longer hide just by restricing WoW’s security descriptors.

Your move, WoWMimic.

Author: Cypherjb Categories: Games, Programming, Windows Tags: c++, Programming, pwned, wardenmimic, Windows, wowmimic

Comments (4) Trackbacks (2) Leave a comment Trackback

Verbist Robbin

May 15th, 2009 at 00:12 | #1

Reply | Quote

Awesome copypasta for wardenguy
amadmonk

May 15th, 2009 at 04:14 | #2

Reply | Quote

I think it was Terry Pratchett who said that, when running from a dragon, you don’t have to be the fastest runner. Just be faster than the slowest one.

In other words, I’m happy if Cypher feeds blizz shit like this; it keeps them from doing more insidious shit.
big dragon

May 17th, 2009 at 02:57 | #3

Reply | Quote

dude why not just work for mimic youd make a shit load more money than you would helping the warden bell ends detecting it
iphonesman

May 21st, 2009 at 07:46 | #4

Reply | Quote

If you can’t beat ‘em, join ‘em. You should just go work for Mimic. LOL. I’m sure they would pay you a lot more then your current job…if you have one since this obviously took a lot of your free time? I doubt you’re getting paid for any of this, so that’s what I would do. You should always be paid for your work. Good luck on the next move.