Posts Tagged ‘anti-cheat’

Update on Mimic

June 19th, 2009

Hey, as most of the people interested in the Mimic saga already know, a new version is out.  A bunch of people have contacted me to ask if I would be posting about it, so I figured I’d post an explanation as to why I may or may not be. Kynox has done a minor coverage of the update available here.

I may or may not do a full and in-depth coverage for three reasons:

  1. I think it has been proven beyond doubt now that Mimic is indeed full of shit when it comes to their anti-anti-cheat code.
  2. I think they have been given enough handouts for now.
  3. Working on my new project is simply much more fun.

That being said, if I get bored I might take a look at the changes, but all I will be doing is documenting them, and pointing out whether it as a whole is still detectable. I will no longer be handing them free anti-warden ideas, they’re on their own now.

WoWMimic PvPAdvance v15

June 5th, 2009

More epic fail from the WoWMimic team with the release of PvPAdvance v15.

They have made ZERO improvements to their anti-detection since v14. That means that it can still be detected using  a  warden scan that’s already implemented. No new functionality is required, only a new hash.

The only thing they are currently doing to protect themselves is unlink their module from the linked list, but Warden doesn’t even use that list!*

Sigh. It seems like they’re never going to learn. Hopefully Blizzard will teach them the hard way, but given how lazy the Warden guy is, I can’t exatly say you should count on it.


*Whilst there is a scan in place that does in fact use that list through the use of Module32First/Module32Next, it is not currently activated. Thank you Kynox for catching and confirming that.

Presenting: WardenMimic

May 21st, 2009

Releasing the initial version of my latest project, dubbed WardenMimic. Its purpose is to basically ‘mimic’ Warden and try and detect WoWMimic. It will be fully in-process so it works within the constraints of Warden itself. Releasing it as a binary so the devs have to work for it this time, they’ve had enough charity handouts.

Simply run the loader, point it to WoW, and the module will spawn a console and let you know whether its detected WoWMimic or not. Go back to the loader, hit enter again, and the module will be unloaded for your convenience.

I will continually update this for any new WoWMimic builds until I get bored or they really pick up their game and make it too much trouble for me to bother (keeping in mind I’m a very lazy person).

Download here.

P.S. Has recieved limited testing. If it crashes please post your system specs (os, architecture, etc etc) plus a crash dump.


Huge credits to both Harko and Kynox for their help/input/etc.

WoWMimic API Hook List

May 15th, 2009

Here is a list of functions WoWMimic hooks.

Version .44










Version .43
Its obvious that I’m the cause of the .44 update, but what they don’t seem to realize is twofold:
  1. Warden can follow their hooked code path and hash their function. Obviously its going to have a unique signature. If you find the WoWMimic hook then just ban for it.
  2. Warden can also bypass all their hooks entirely by just doing manual syscall code for each major OS version. That is a very easy thing to do, and no amount of usermode hooking will be able to stop it. (Kernelmode is the only option)

Not only that, but they’re missing half the funcitons they need to hook. All warden needs to do is call VirtualQueryEx and they’ve bypassed the hook. It astounds me how stupid the WoWMimic team is. Lastly, afaik it’s possible to manually walk the VAD tree (I have never attempted it but have seen code that can do it). No amount of API hooking can protect you from that either.

To the WoWMimic devs:
Tip: Unless you decide to elevate to the kernel (which still won’t protect you from stack traces) or actively attack warden (which is a LOT of work and still impossible to get 100% right, even if you’re an expert), you’re screwed. It’s that simple. At the very least, if you’re going to do usermode protection, at least do a decent job, your current half-assed attempt is just plain sad.