Posts Tagged ‘hook’

WardenMimic v20090723a

July 23rd, 2009

New build of WardenMimic. I held on to it because I got word of a new build in the near future, and I wanted to give them a chance to maybe fix some of their shit. The changelog says they’ve improved their anti-detection, but my checks say otherwise. This is confirmed working on v54, but should work on previous builds too (shit, I think pretty much all of their builds are vulnerable to this particular hole).

There are still plenty more holes left though so don’t worry, I’m not taking all the fun away from Blizzard, just a bit of it.

WardenMimic v20090723a

Let the drama begin!

Hades. Now with x64 support!

June 20th, 2009

I just managed to get Hades working in native x64 mode, which is a huge step forward. Not even InnerSpace can do that at the moment. Currently I only have one game to test it on because I can’t find half my fucking game discs >.<. I’ll be getting my hands on some more x64 games soon though, so that should be good.

The game I currently have and am testing is Half-Life 2. Below is a screenshot of the first working build. Please disregard the profanity, Kynox was trying to troll me on IRC about not being able to get it working, and pretty much just as he said that I did in fact get it working.

I had some very minor issues porting the code over, but luckily (and surprisingly) I didn’t fuck up much at all so it nearly worked “out of the box”. Only took about 30 minutes to track down and fix the issues I was having.

Pretty much the only one that was an actual issue, and not just caused by a typo, wrong datatype, etc., was with hooking the window subclassing APIs. Don’t forget that SetWindowLongPtrA/W resolves to SetWindowLongA/W via a #define under x86, yet is an actual exported API of that name under x64. If you don’t explicitly handle that then you’ll be hooking the wrong API and you won’t be able to get subclass detection and rehooking working correctly (if at all).
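The name mismatch above is the kind of thing a hook engine should resolve explicitly rather than assume. The following is an added example, not Hades code: it maps the name a caller writes in source to the export that actually exists for the target architecture, using a constructed, abbreviated list of user32 export names (only the Get/SetWindowLong family is modelled), and fails rather than silently hooking a different routine.

```c
#include <stddef.h>
#include <string.h>

/* Constructed approximation of the relevant user32.dll exports.
 * On x86 the *Ptr names are winuser.h macros, not exports;
 * on x64 they are real exports alongside the non-Ptr ones. */
static const char *const USER32_X86[] = {
    "SetWindowLongA", "SetWindowLongW", "GetWindowLongA", "GetWindowLongW",
};
static const char *const USER32_X64[] = {
    "SetWindowLongA", "SetWindowLongW", "SetWindowLongPtrA", "SetWindowLongPtrW",
    "GetWindowLongA", "GetWindowLongW", "GetWindowLongPtrA", "GetWindowLongPtrW",
};

static int has_export(const char *const *exports, size_t n, const char *name) {
    for (size_t i = 0; i < n; i++)
        if (strcmp(exports[i], name) == 0) return 1;
    return 0;
}

/* Resolve the source-level name (e.g. "SetWindowLongPtrW") to the export
 * present on the given architecture. Writes the export name into out.
 * Returns 0 on success, -1 if no matching export exists. */
int resolve_subclass_export(const char *requested, int is_x64,
                            char *out, size_t outlen) {
    const char *const *exports = is_x64 ? USER32_X64 : USER32_X86;
    size_t n = is_x64 ? sizeof USER32_X64 / sizeof *USER32_X64
                      : sizeof USER32_X86 / sizeof *USER32_X86;
    char candidate[64];
    if (strlen(requested) >= sizeof candidate) return -1;
    strcpy(candidate, requested);
    if (!has_export(exports, n, candidate)) {
        /* Not a real export here (x86 case): drop "Ptr" exactly as the
         * winuser.h #define does, then check the non-Ptr name exists. */
        const char *ptr = strstr(candidate, "Ptr");
        if (!ptr) return -1;
        size_t pre = (size_t)(ptr - candidate);
        memmove(candidate + pre, ptr + 3, strlen(ptr + 3) + 1);
        if (!has_export(exports, n, candidate)) return -1;
    }
    if (strlen(candidate) >= outlen) return -1;
    strcpy(out, candidate);
    return 0;
}
```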

Honestly I’m amazed at how easy it was to get working. Makes me wonder why the rest of the tools out there are lagging so far behind.

Anyway, I guess I’ll test this for a bit longer, fix any bugs I find, then move on to getting D3D10 working and stable.

WoWMimic v49

June 5th, 2009

WoWMimic v49 is out, a very quick bugfix release.

Nothing has changed in terms of anti-detection (so WardenMimic still works), but amusingly, they introduced a bug into their (recently removed) GetCursorPos and SetCursorPos hook subs for VEH.

They have removed a line from both that compares an internal flag to 1/0. What’s amusing about it is, they left in a conditional jump that relied on that line. That conditional jump will now fire based off the line above (a SUB instruction, which like CMP sets the ZF), and the jump will never be taken. Why is this amusing? Because it’s proof that the devs wrote the code using inline assembly. I was moderately sure of this before (due to the use of PUSHAD, POPAD, etc.), but now we have confirmation. Not only is it totally unneeded to do all that crap in inline ASM, but it also explains that they did in fact implement the obfuscation code manually (mentioned in a previous post), obviously thinking it posed some kind of barrier.

Sorry guys, but it probably took me less time to undo it than it took you to figure it out and write it. REALLY obvious job. The call/pop trick is one of the oldest in the book, literally. C’mon. Raise the bar and give us something fun and challenging to play with. (Yeah I know, I’m asking for the world from these guys)

P.S. Still can’t figure out how to stop detection by WardenMimic?

Windows 7 RC1 Binaries

April 25th, 2009

As everyone probably already knows, the Windows 7 release candidate was leaked to the interwebs (build 7100). Because I’m an Australian and our technology infrastructure is 5 years behind the rest of the western world I can’t grab the builds straight away due to caps on internet usage and whatnot.

Thanks to maclone though I don’t have to. He was kind enough to rip the binaries I was interested in from the x64 build and send them to me. I figured they might be of use to other people too (there’s quite a few changes you’ll need to be aware of if you’re doing heavy API hooking like I am) so I’ve mirrored them to a public link. All credits to maclone for actually pulling these out for me.


Included are both the x86 and x64 versions of Kernel32.dll, Ntdll.dll, User32.dll, and KernelBase.dll (new in Windows 7, along with a handful of other Kernel32 sub-binaries which I did not request).

Anyway, this is just a quick post so people can avoid downloading the entire OS unnecessarily if they’re like me and just need a handful of DLLs.

A more interesting post should be incoming today or tomorrow where I’ll be posting usermode rootkit code.