Hey Blizz! /applaud

[Pococurante]

They've apparently found a mechanism to stop the more popular bots.

Today is a big day in the history of WoWSharp, most of it bad, some of it good.
(..)
After much deliberation with the other WoWSharp team members, we have come to the conclusion that we can no longer provide the layer of safety requested by, and required for, our users. As its no longer a question ‘if you get caught’ but it’s become ‘when you get caught’.

With this in mind, and looking at the future, we have decided to discontinue development on WoWSharp and the Alpha technology. Since this would completely halt WoWSharp's development, we have also decided to release the sources of the WoWSharp DLL and the pre-alpha WoWHider DLL. We believe that there are several people in the WoWSharp community that poses the skill to continue development and hope that they will step up to create a world of clones.

The real question in my mind is can Blizz combat the professional gold farmers that develop their own utilities for internal use only.

[HaemishM]

Awww, I feel so bad for the little munchkin-raping cocksniffers. Boo-hoo for the fucking hackers.

[Jobu]

I went to their website to try to figure out what the program was (had never heard of it before), but it was all neutered since they've stopped working on it. So what did it do?

[Pococurante]

At its simplest it exposed mobs across the zone and completely automated fishing to the point you could tune which loot to discard and even fend off most attempts to talk to your toon while it was unattended.

At its worst you could set your machine up and come back three days later to a rogue or priest completely leveled from 1 to 60.  They were just about to make it a mandatory subscription product when Blizz cocked them up good.

This was just one of several bots out there.

[SurfD]

you know, i would think that one of the easiest ways to spot a bot in action woud be just monitoring its level progression.

I dont know a lot about the sophistication of the wow bots, but if a character goes from level 1 to level 60 on very little to no quest exp and under a certain amount of consecutive "Time Played", chances are its a bot.

Or are these things sophisticated enough to actually hit up quest givers and automate quest experience also?

[Soln]

never understood these.  I know from AutoIt and related mouse recorders and macro generators you can send commands that enable certain actions, and move the toon as well (wether by mouse coord or other).   In SWG when grinding craft professions, it was possible, since the toon didn't move and only interacted with a single UI.  But the idea of completely afk macroing to level in WoW -- I don't get it. Doesn't seem possible.  Yes, you could get the /loc of a every mob, but then you need to navigate the toon through all the geometry, and then you would have to take into account whether the mobs were social and would train.  Or even actual distance between them for aggro.  No, I don't get it -- some translate to Engrish and explain?

[Bunk]

I was in the Ogre cave in the SW badlands recently, looking for ore. There was a warrior in the back of the cave killing ogres, so I was a nice guy and asked him if he was mining. No response.

I went about my business, killed a few ogres, and mined a few veins. Came back and watched him for a minute. An ogre would spawn - he would immediately charge it and beat it down, and then slowly walk back to the back of the cave. The fact that he wasn't even checking corpses was prety much the tipoff.

In afterthought, I really should have just trained the whole cave on to him.

[Pococurante]

Wow!Sharp is now open source if you want to look into it.  I haven't bothered.

It could be as simple as just running around and going into attack mode when the aggro gets the first hit in.  When I scripted RunUO it was trivial to list local entities and id them.

[Merusk]

I think I ran across one in east plagues a few weeks back running a hunter.  I'd noticed the odd way of targeting.  After a kill she'd rotate in minor increments until facing a monster, then run to it and proceed in a pattern of moves. The exact same moves each time at about the same period of time until the mob was dead, then ran over and looted. 

So I started following her around, not saying anything just walking beside and standing there.  Did that for about 10 mins with no response or acknowledgement of my exsistence. So I decided the next fight I'd charge right after the hunter's mark > send pet sequence.  She shot it a moment or two.. then called the pet off and started the same target reaquisition on the mob a few feet away.  No cursing, no yelling, nothing, just repetative kill after kill after kill.   If it wasn't a bot it was one hell of a methodical and overly-calm player.

Now the odd part is that if it WAS a bot, they're also programmed to answer frequently-asked questions in /general to throw off people who suspect them.  Nothing too fancy, just your normal "where's x" or "who is y" stuff.

[Phred]

From the discussion on the bot board that was posted here earlier it sounds like it was fairly sophisticated, with proramable responses to tells, says etc as well as a programmable waypoint path to follow and actions to take. It also sounded like they were trading scripts from people capable of understanding how to program it out to all the paying customers.

I know after 5 years of eq some of the cheat programs became very sophisticated so I guess it's not surprising that something like this would show up so quickly for WoW, but what does impress me is how quickly Blizzard seems to have got on top of it and made the developers of it throw in the hat. The only thing that really annoys me is how much programmer time that must have cost Blizz and how much better used those resources could have been put to fixing bugs.

[Pococurante]

The only thing that really annoys me is how much programmer time that must have cost Blizz and how much better used those resources could have been put to fixing bugs.

Agreed but they brought this upon themselves.  The game doesn't penalize farming and tries to limit profession advancement by restricting materials availability in a game mostly aimed at casuals.  This combination alone guaranteed the professional farmers would fully exploit the unprotected client.

That said it does seem once Blizz was educated on the problem they seem to have dealt with it more effectively than their competitors.

For the record I approve of gold selling... ;)  I just don't approve of farmers being given free rein.

[Ironwood]

For the record I approve of gold selling... ;)  I just don't approve of farmers being given free rein.

I'd be interested in your views to stop them being mutual.

[Pococurante]

Not something easily thumbnailed.  And something I partially already covered.

Gold farming, camping, griefing adventurers to "hold" an area - these are all customer support issues.  Blizz, the company that gave us non-safed clients.  For over a decade.  Any company unwilling to invest in CS deserves CS issues.  Implicit: anti-casual design mechanics combined with casual marketing leads to contempt for the EULA.

If you want details submit your RFQ and I'll return with my bid.

[Ironwood]

I don't even know what an RFQ is, mate, so I think I'm on to plums.

But I'll think over your points.

[Dren]

I don't even know what an RFQ is, mate, so I think I'm on to plums.

But I'll think over your points.

Request for quote.

[Ironwood]

My thanks.  Too many Goddamned Acronyms these days.  It's NVG.

[Pococurante]

Just being a smartass. ;)  The complaint about farming I most agree with is that farmers can lock other players out of content, usually through harrassment.  That's a CS issue.  All the other complaints (nflation etc) I don't think really impact players and anyway are best dealt with by adding non-coercive goldsinks.

[Shockeye]

A little breakdown on what Warden does for anyone that cares...

When we all lost accounts during our alpha test, I suspected we had missed something stupid in the warden. So, yesturday I spent a few hours reverse engineering the warden which was sent down to my client. I know that hindsight can be 20/20 - and that da_teach has made the decision to open source, but I still think the warden/banning needs some closure.

The warden that is sent to my machine is not detecting the alpha. I can't explain what happened, even after several hours in the debugger. I can, however, tell you what I know.

The warden dumps all the DLL's using a ToolHelp API call. This is a common way to do this, and da_teach's wow!hider code subverts this by removing the wowhider DLL from the list of modules. This cannot be the source of detection.

The warden then uses the GetWindowTextA function to read the window text in the titlebar of every window. These are windows that are not in the WoW process, but any program running on your computer. I watched the warden sniff down the email addresses of people I was communicating with on MSN, the URL of several websites that I had open at the time, and the names of all my running programs, including those that were minimized or in the toolbar. Once these strings are obtained, they are passed through a hashing function and compared against a list of 'banning hashes' - if you match something in their list, I suspect you will get banned. For example, if you have a window titled 'WoW!Inmate' - regardless of what that window really does, it could result in a ban. If you can't believe it, make a dummy window that doesn't do anything and name it this, then start WoW. It certainly will result in warden reporting you as a cheater. I really believe that reading these window titles violates privacy, considering window titles contain alot of personal data. But, we already know Blizzard is like the Gestapo. Da_teach's wowhider program evades this check by returning an empty string whenever the window title belongs to WoW!xxx anything. But, I am not totally convinced it wasn't this check that caught us. For example, if you have a window open that is titled "C:/mystuff_4_wow!sharp/bin" - this window title is read by warden, and is not protected by WoW!Hider currently. This could, in theory, explain why only some users were caught, based on which windows were open at the time you were testing.

Next, warden opens every process running on your computer. The alpha version subverted the method used by warden which was GetProcessNext. Thus, during the process queries, the wowbot and wowinmate programs should have been skipped. Although it seems this isn't how warden detected us, I would like to tell you everything I found. When each program is opened, warden then calls ReadProcessMemory and reads a series of addresses - usually in the 0x0040xxxx or 0x0041xxxx range - this is the range that most executable programs on windows will place their code. Warden reads about 10-20 bytes for each test, and again hashes this and compares against a list of banning hashes. These tests are clearly designed to detect known 3rd party programs, such as wowglider and friends. Every process is read from in this way. I watched warden open my email program, and even my PGP key manager. Again, I feel this is a fairly severe violation of privacy, but what can you do?

Next, warden opens the memory in WoW.EXE itself. It checks several locations for code patches. These checks are clearly to detect patches for 'no fall dmg' and the like. Our alpha 1 version did not use detours on WoW.exe itself. So, these checks on WoW.EXE should not have detected us. However, I didn't explore this loop long enough to determine if it was also checking the integrity of kernel32.dll, or NTDLL.DLL, where several remaining detour hooks had been placed by WoW!Hider. These detours were placed on VirtualQuery, GetWindowTextA, NtQuerySystemInformation, and others. Any of these detours could, in theory, have been detected by the current warden because WoW!Hider was still using traditional detours on these locations. Although a detour on a common function does not automatically mean your using WoW!Hider, we have seen that Blizzard has a no-tolerance policy about this kind of stuff, and perhaps warden reported us as cheating based on the fact a common function had been modified.

Finally, the warden performs a virtual query in a loop over the entire memory range of WoW.EXE and checks each memory page to see if the bytes 'MZ' are present in the first two bytes. If they are, the entire memory page is scanned for strings. Every single string, when found, is then hashed. You guessed it, the hashes are then compared against the ban hashes. So, in other words, any injected or loaded DLL, regardless of why it's there, has every readable text string hashed. Da_teach's WoWHider code patched VirtualQuery so that the wowhider DLL would not be found using this scanning loop. Assuming that the virtual query hook was working properly, this scan should not have detected us.

In conclusion, I did not find a single and obvious oversight on our part. But clearly, such an oversight is there. Or, the version of warden being sent to my client is not the same as the one that was sent to some of you. There are some small details that were overlooked, and maybe some of these resulted in the banning. If I made the assumption that the warden is the same for everyone, then I posit it must be the additional, unprotected detour hooks that tipped our hand - or, our virtual query protection was not working reliably.

Even after da_teach open sources the system, you will need to understand the warden in order to keep using the bot. But, it is very clear that Blizzard has designed warden to find specific hooks, specific strings, specific series of opcodes, specific window title, etc etc. Given all these specifics, I would venture to say that if you recompile your own special versions of wowhider, and NEVER EVER release them in the public, then Blizzard is going to have a hell of a bad time trying to catch you. At this time, the only generic tests being performed by warden are the detection of detour hooks on WoW.EXE specific functions. Everything else relies on a banning-hash. And, for a banning-hash to be present, Blizzard devleopers have to have a copy of your bot. In retrospect, releasing the sourcecode to WoW!Sharp is a stroke of genius! I think it will represent an appropriate 'fuck you very much' to Blizzard.

Now once teach posts the source you have the source and all warden information you need to patch the system for the new decection. Keep in mind that if you decide to try to maintain this you will be constantly on the defense against a totally dynamic enemy. While the dynamic portion of Warden remains simple there are characteristics which makes it very hard to defend against.

Warden is random
For one the sequence within the dynamic portion of Warden is random even within the same version. So checksums are very hard to get right and verifying Warden is a real pain in the ass. Verifying or altering outgoing packets is not a viable solution.

Warden can be updated at any time
This together with the first issue is probably the most important aspect of why keeping users safe is so hard to achieve. Currently we've only seen updates during rolling server restarts but Blizzard still has the ability to update at any time. This forces you to not just guard against current but also against future versions of Warden. Remember that they are allowed any number of misstakes, we are allowed none.

These were the major issues we were looking at and until a very secure verification method has been developed it's very hard to guarantee user security.

Extra information (from Da_Teach)

The old WoW!Hider used to detour the ProcessMessage call within WoW, every time a Warden check message (ID: 0x2E8 ) was send, it would remove all the detoured functions from WoW and then call the Warden and let it do its job. This worked perfectly until the last 2 Warden's in 1.6.1, after that the Warden checked the stack. Since I called the Warden (instead of WoW), it was able to see this in the stack. To fix this, I had patched the function which looked in the stack. This worked until the Warden started to randomize itself for each user. After that I patched the outgoing message to Blizzard, this worked until 1.7.0 after which that message was 'randomized'.

The first function (within the warden) is the encrypt and decrypt function, its some type of RC4 (or so I've been told). The result packet that is send is now 'randomized', but not completely. It basicly always contains the same parts, but those parts are just re-arranged in order.

So in theory the send-packet patch could still work, if you had all possible variations and how to patch those variations...

I would expect all other games to follow a similar approach as Blizzard as long as there are no successful lawsuits against Blizzard for the invasiveness of their Warden client.

[Righ]

So, you can exploit people by naming pages on your web site after banbot names and have people who browse your site while running WoW locked out? A little bit of tinyurl hiding and a post on your realm forums could be quite the nasty.

[Pococurante]

I suspect Process Guard would actually be the best protection for "light" botting, e.g. anything not attempting to invade the wow space.  I think Blizz has been amazingly resourceful - unprecedented for the industry.  Nevertheless I do think Blizz should be smacked for such an invasive process.  This kind of behavior is what keeps Microsoft in the courts.

[TheWalrus]

 Just so I'm straight on this...this guy is pissed because Blizzard banned accounts that were running cheats/bots, and using software to get around the bullshit these guys think up? Ok, just makin sure.

[Threash]

Just so I'm straight on this...this guy is pissed because Blizzard banned accounts that were running cheats/bots, and using software to get around the bullshit these guys think up? Ok, just makin sure.

To me it sounded like he was pissed that he couldnt figure out how to stop it more than anything else.

[Shockeye]

Just so I'm straight on this...this guy is pissed because Blizzard banned accounts that were running cheats/bots, and using software to get around the bullshit these guys think up? Ok, just makin sure.

To me it sounded like he was pissed that he couldnt figure out how to stop it more than anything else.

I guess the fact he was developing a cheating bot program for WoW was purely incidental.

[Merusk]

Software wants to be free, man!  How dare you boushie capitalist mo fos tell me how to use my software on your game! Fight the power, brothers!

Fuck 'em.

[Paelos]

Fighting the power gets you electrocuted.

[Dren]

Fighting the power gets you electrocuted.

No that's grasping the power....lines.

[Merusk]

Fighting the power gets you electrocuted.

Oh if only that were true..

[Train Wreck]

I guess the fact he was developing a cheating bot program for WoW was purely incidental.

Probably, but then again, some people just really hate to be outsmarted, especially when they were previously "winning."