Warden, and what is means for us
What is Warden?
Warden is Blizzards anti-cheat system that is used in World of Warcraft & Starcraft 2.
It has also been used in other blizzard games, and will no doubt be used in Diablo 3!
How do we know it’s called Warden?
This is a two part answer really, when blizzard update their games they have been known to leave debug strings in the applications(most recently it was a mac build), from these builds we can see “official” function names. Blizzard have publicly confirmed that their anti-cheat is called Warden, as they used it as part of their case against MMOGlider.
So what does Warden do?
As far as I can see there are 3 different scans that Warden runs to check if you are cheating or not.
1) Memory scanning:
This is their most used method of detecting cheaters. They basically read a set amount of bytes from a certain address, and hash the bytes and send the value back to the server. If the value isn’t what it should be they you have modified the game client and you are classed as a cheater!
2) Module hash scan(Type 1):
This method has been used in the past to detect injected ASM code, and is what started the eBot banwave before it got closed down. For this method they parse the module list for the game process, and then hash a set area and if they value isn’t what it should be you have modified the game client, and therefore get flagged!
3) Module hash acan(Type 2)
This method only activates after a new module has been created after initial checks… For example if you inject a dll(it doesn’t have to be a cheat; I believe fraps injects a dll) this kicks off this scan, again this scans an address in the dll so just like we do for cheating they do modulebase + address and check the value, this is a very handy method for detecting known bots and hacks but they also have to be extremely cautious when adding one as other legitimate dlls might have the same value in this spot.
How often is Warden updated?
The warden module it’s self isn’t updated that much, the last “Major” change was when Warden 2.0 was released. However little things do change, like in the past two weeks Warden is now capable of scanning relative bytes.
Warden scans do get updated a little more frequently than the module it’s self. Usually warden goes “idle” for a while before new memory scans are pushed out. The module scans haven’t been updated in some time and it seems that blizzard no longer use this method(it still checks for previously know bots & hacks though).
Why is Warden so relaxed?
This we will never know, there are many hacks & bots publicly available and Warden could detected most of them in one swoop, however appart from the recent memory scan update(which hit most of the free hacks and a few well known paid ones) blizzard seems to have moved onto “Server side fixes”. These fixes that they implement are not Warden, and currently we don’t get banded if we trigger them, just disconnected.
So what does Warden mean for us?
Warden could change at anytime without a patch and therefore we have to be careful, most good Bots & Hacks have “Live Warden Protection” which trips a killswitch and therefore no one else can get banned.
Some bots & hacks have Live Warden Protection but the killswitch is manual and therefore a lot more people get banned before the developers get around to dissabling the software.
It’s good pratice to make warden hang until, you have checked the scans to make sure if they are new or not.
For this example I will use HeliosBots:
When warden scans HeliosBots pauses the game client and checks if the wardens scan is known.
If the warden scan is known and the area of the scan is not modified it resumes the client and let’s warden do its thing. If however the scan area is modified we disconnect the user and send them to a warning page and close the client broker we resume the game. If a new scan is found we send this information back to our server, who once again checks if the scan is known or not; if the scan is indeed new our killswitch is automatically engaged to prevent any possible bans.
So to clarify Warden is bad for anyone who uses bots & hacks and there is always a chance you will get banned with any cheating software.
Nothing is “Undetectable”, but many remain “undetected”.
You always use cheating software at your own risk!
Myths
The below statements are not true.
Warden checks your open windows,
Warden checks your message logs,
Warden scans your hard drive,
Warden scans the process list for know application names,
Warden is a virus,
There are more but you get my point…
I hope this post was informative and helpful, if(and I probably have) got anything wrong please feel free to correct me in the comments below!
-Ryuk-'s Blog 