WoWMimic v53
Took a look at the latest build of WoWMimic yesterday. Yet again they claim to have made improvements to their “anti-detection methods”, and yet again I see little to no evidence of that. There really is only one word to describe the current state of WoWMimic and their attempts to fix their anti-warden stuff, and that is “failure”.
They have added another layer of obfuscation since the last build I looked at, but like all their obfuscation attempts their efforts are ultimately futile and it’s a 5-minute job at most to pull away all the crap and find the relevant code. What they did was simply add another level of indirection.
Simple explanation:
They place an INT3 (breakpoint) on the return address of the function they wish to hook and handle the resulting exception in their vectored exception handler. Previously the handler went straight to their hook sub; now it goes to a block of code which raises a second interrupt, and it is the handler for that second interrupt which finally transfers control to the hook sub. In short, all they’ve done is add another layer of indirection, which is defeated simply by following the flow from the exception address of the second layer rather than the first. A very basic trick, and obviously an amateur attempt.
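An added example (not from the post, and not code WoWMimic or Warden ships): the integrity check a defender would run to catch exactly this kind of hook, diffing a module's live code bytes against a pristine copy and classifying each patch. The sample bytes are constructed; offset 8 is the instruction after the CALL, i.e. the return address on which the post says the INT3 is planted.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum patch_kind { PATCH_INT3, PATCH_JMP_REL32, PATCH_JMP_INDIRECT, PATCH_OTHER };
struct patch_hit { size_t offset; enum patch_kind kind; };
/* Classify a patch by its first modified byte. */
static enum patch_kind classify_patch(const uint8_t *live, size_t len, size_t off) {
    if (live[off] == 0xCC) return PATCH_INT3;                        /* int3      */
    if (live[off] == 0xE9 && off + 5 <= len) return PATCH_JMP_REL32; /* jmp rel32 */
    if (live[off] == 0xFF && off + 2 <= len && live[off + 1] == 0x25)
        return PATCH_JMP_INDIRECT;                                   /* jmp [mem] */
    return PATCH_OTHER;
}

/* Diff live code against a pristine copy (e.g. the section re-read from the on-disk
   image and relocated). Each contiguous run of changed bytes is one hit; the return
   value is the total number of runs even when more than max_out were recorded. */
size_t find_code_patches(const uint8_t *clean, const uint8_t *live, size_t len,
                         struct patch_hit *out, size_t max_out) {
    size_t hits = 0;
    for (size_t i = 0; i < len; i++) {
        if (clean[i] == live[i]) continue;
        if (hits < max_out) {
            out[hits].offset = i;
            out[hits].kind = classify_patch(live, len, i);
        }
        hits++;
        while (i + 1 < len && clean[i + 1] != live[i + 1]) i++; /* swallow the run */
    }
    return hits;
}

/* Constructed sample (not real game code): a tiny x86 function as it sits on
   disk. Offset 8 is the instruction after the CALL, i.e. its return address. */
static const uint8_t clean_code[] = {
    0x55, 0x8B, 0xEC,             /* push ebp; mov ebp, esp */
    0xE8, 0x10, 0x00, 0x00, 0x00, /* call rel32             */
    0x85, 0xC0,                   /* test eax, eax  <- return address */
    0x5D, 0xC3                    /* pop ebp; ret           */
};

/* Simulate the hook described above: plant an INT3 on the return address, then
   scan. Returns the number of patches found (1 for this sample). */
size_t demo_scan(struct patch_hit *hits, size_t max_hits) {
    uint8_t live[sizeof clean_code];
    memcpy(live, clean_code, sizeof live);
    live[8] = 0xCC;
    return find_code_patches(clean_code, live, sizeof live, hits, max_hits);
}
```

Comparing against the on-disk image rather than scanning for 0xCC alone matters: compilers emit INT3 as inter-function padding, so a raw 0xCC scan would be noisy.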
Their hook on NtQueryVirtualMemory is STILL INSECURE. That’s right, after all this time they still can’t get it right. Sure, they fixed the hole that they got burned by in the last wave, but there are still at least 5 holes that I can see in that hook function alone, and 3 elsewhere. Plus, that’s only with a quick look! With an in-depth check I’m positive more could be uncovered.
Obviously I’m not going to tell them what all the holes are though, that would ruin the fun. But if I have some spare time this week I will write a new WardenMimic build, and we might just play a little game…
If anyone is interested, here is their latest code:
http://cypherjb.privatepaste.com/07090Hlmku
Thanks to Kynox for disassembling some misaligned bytes for me because I didn’t have a VM up and running at the time.
So, in summary:
WoWMimic is going in circles. It’s still just as detectable as it has been since day one. Every time they attempt to ‘fix’ one hole they end up opening up several more. It’s obvious their dev team have no idea what they’re doing. You’re free to waste your money on it, but imo you’re stupid for doing so, because at the end of the day you’re simply playing Russian roulette with your accounts, and hey, you don’t need to throw money away to do that, there are plenty of free hacks you can use to get banned.
Update:
Oh, I have some advice for the Mimic team.
Rather than wasting all your time attempting (and failing) to obfuscate your code, why don’t you spend some time on actually implementing your anti-warden properly? Security by obscurity is stupid, because it only takes 5-10 minutes to undo what seems to take you guys days. The people you are up against (Blizzard) are not like you, they’re not amateurs. The Warden guy may be lazy, but he’s not stupid, so the only person’s time you’re wasting is your own.