WoWMimic API Hook List
May 15th, 2009
Here is a list of functions WoWMimic hooks.
Version .44
VirtualQuery
GetCursorPos
SetCursorPos
FindWindowW
FindWindowA
FindWindowExW
FindWindowExA
EnumWindows
EnumChildWindows
Version .43
VirtualQuery
GetCursorPos
SetCursorPos
It's obvious that I'm the cause of the .44 update, but what they don't seem to realize is twofold:
- Warden can follow their hooked code path and hash their function. Obviously it's going to have a unique signature. If you find the WoWMimic hook, just ban for it.
- Warden can also bypass all their hooks entirely by just doing manual syscall code for each major OS version. That is a very easy thing to do, and no amount of usermode hooking will be able to stop it. (Kernel mode is the only option.)
Not only that, but they're missing half the functions they need to hook. All Warden needs to do is call VirtualQueryEx and they've bypassed the hook. It astounds me how stupid the WoWMimic team is. Lastly, as far as I know it's possible to manually walk the VAD tree (I have never attempted it but have seen code that can do it). No amount of API hooking can protect you from that either.
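A defender-side sketch of the first point above, added here as an example (not code from this post, from Warden or from WoWMimic): given a small byte buffer standing in for a process's code pages, decode a JMP planted at an API entry, hash the bytes it lands on, and compare against a signature captured from a known hook. The buffer layout, offsets and hook bytes are constructed for the example.

```c
#include <stdint.h>
#include <string.h>
/* Constructed toy "process image" standing in for the code pages an
 * integrity checker would read; offsets and bytes below are assumptions. */
#define IMG_SIZE      64
#define API_ENTRY     0x10   /* first byte of the (possibly hooked) API */
#define HOOK_BODY     0x30   /* where the hook's own handler code lives */
#define HOOK_BODY_LEN 8
static uint8_t image[IMG_SIZE];
/* FNV-1a over a byte range: the "hash their function" step. */
uint32_t fnv1a(const uint8_t *p, size_t n) {
    uint32_t h = 0x811c9dc5u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 0x01000193u; }
    return h;
}
/* Decode a 5-byte JMP rel32 (E9 xx xx xx xx) at `entry`; return its landing offset, or -1. */
long follow_jmp(const uint8_t *img, size_t entry) {
    if (entry + 5 > IMG_SIZE || img[entry] != 0xE9) return -1;
    const uint8_t *r = img + entry + 1;             /* little-endian rel32 */
    int32_t rel = (int32_t)((uint32_t)r[0] | (uint32_t)r[1] << 8 |
                            (uint32_t)r[2] << 16 | (uint32_t)r[3] << 24);
    long target = (long)entry + 5 + rel;            /* relative to next insn */
    return (target < 0 || target >= IMG_SIZE) ? -1 : target;
}

/* Lay out the scenario: a clean Win32-style prologue (mov edi,edi; push ebp;
 * mov ebp,esp) at API_ENTRY, a fixed hook body at HOOK_BODY and, if hooked,
 * a JMP patched over the prologue. Returns the first byte at API_ENTRY. */
uint8_t build_image(int hooked) {
    static const uint8_t prologue[] = {0x8B, 0xFF, 0x55, 0x8B, 0xEC};
    static const uint8_t body[HOOK_BODY_LEN] = {0x50, 0xB8, 0xEF, 0xBE, 0xAD, 0xDE, 0x58, 0xC3};
    memset(image, 0x90, IMG_SIZE);                  /* NOP filler */
    memcpy(image + API_ENTRY, prologue, sizeof prologue);
    memcpy(image + HOOK_BODY, body, sizeof body);
    if (hooked) {
        int32_t rel = HOOK_BODY - (API_ENTRY + 5);
        image[API_ENTRY] = 0xE9;
        for (int i = 0; i < 4; i++) image[API_ENTRY + 1 + i] = (uint8_t)(rel >> (8 * i));
    }
    return image[API_ENTRY];
}

/* Detection: the entry is redirected by a JMP and the code it lands on hashes
 * to a signature captured earlier from a known hook. 1 on match, else 0. */
int detect_known_hook(uint32_t known_sig) {
    long t = follow_jmp(image, API_ENTRY);
    if (t < 0 || (size_t)t + HOOK_BODY_LEN > IMG_SIZE) return 0;
    return fnv1a(image + t, HOOK_BODY_LEN) == known_sig;
}
```

In a real checker the prologue bytes would be compared against the module's on-disk copy as well, so an unknown hook is still flagged even when its body has no stored signature.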
To the WoWMimic devs:
Tip: Unless you decide to elevate to the kernel (which still won't protect you from stack traces) or actively attack Warden (which is a LOT of work and still impossible to get 100% right, even if you're an expert), you're screwed. It's that simple. At the very least, if you're going to do usermode protection, do a decent job; your current half-assed attempt is just plain sad.
Cypherjb
Categories: Games, Programming, Windows, anti-cheat, botting, Programming, Reversing, warden, wow, wowmimic
Ha…still quite funny - but you should stop now. There are a lot of ex-gliders using mimic now, so for the sake of the community you should stop.
Cypher just did it again!
@Blackbook
We are not part of the community.
I’ll second what 1814 said. I hope Untouchable comes back to try to argue against this.
“Cypher just did it again!”
The only truly safe options are:
1) Go kernel and obfuscate the hell out of any injected stacks, and/or
2) Don’t use public bots. Period.
Everything else carries risk; it’s just a matter of degree. Honestly, I’m banking on the Warden devs being lazy and unwilling to mass ban innocent people who just happen to be running the “wrong” antivirus software, or whatever.
@amadmonk
Actually it's very easy to eliminate all the false positives, but like you said, it all rests on how lazy the Warden guy is.
Why? Wouldn't the community want a safer bot to begin with? The more someone nitpicks it, the more things "should" get fixed/improved.
It seems so far their track record isn't that great.
Interact(Object_Base_Adress, Handle_Windows_WoW)
How do I use it?
Mail me the answer, thanks.
@pandyer
Fuck off moron.