Trinitycore: [Core/warden] : Not checked The Hitchhiker's Hack (35$ bounty)

Created on 4 Sep 2012 · 55 Comments · Source: TrinityCore/TrinityCore

revision : a47ad2f5e1

db version : TDB 335.11.48

Hitchhiker's Hack Download link : (removed to protect the innocent)

(I'm not sure) MD5 Hash: 0F84359C5BA5A737EF25E836729F7870

Edited by Nay

There is a $5 open bounty on this issue. Add to the bounty at Bountysource.

Comp-Core Sub-Exploit Sub-Miscellaneous bounty


All 55 comments

Confirmed

It checks certain hacks within it, I believe.

Confirmed

im checked and not checked this hack plz fix it

its important :)

Confirmed on 19cec23f396c0ab8cb6a574eea5665c73e5ce5a2

How can I know which character is using hacks?

Confirm.

Any solution?

Confirm

Rev: TrinityCore/TrinityCore@27f0918

TDB: TDB 335.49+

confirm 1c1405c

Confirm

Any working solutions to detect this hack?

It gets really annoying now.

I would love to, thing is I'm not too familiar with hacking and memory addresses and all that jazz.

any news ?!

Confirm and very critical!

Confirm

I had a look at the tool's source, it cannot be detected because it does not inject anything into the game (like emuhacker for example does), it just edits some parts of memory and does nothing automatically. Just having it open is impossible to detect and to my knowledge, most of the things this hack features are not possible to be checked server-side (such as speed, fly etc as they are just some dynamic variables that can be changed by anything). I have this warden module disabled on my server because it caused way too many false-positives. The most common one was 437, which in database matched to "login state" and it happened to me too even if I didn't have anything but wow opened. For the memory address that corresponds to login state ingame you don't just have a static value, thus, it's completely mishandled in TC. There are more false-positives than that, if I were to enable that for a day with logging-only mode, I bet I would see more false-positives detected that I can definitely confirm to be those.

I have an idea though. Why not allow us to choose which ones to take an action for when detected in the config rather than in source code? It would make me use it again.

That's why you have warden_action, to allow to choose the action.

I'll take another look then, I don't want some of these things to even be logged, I'll play around with it and maybe change the code of it a little to disable certain parts of it being logged.
On Jan 26, 2013 3:49 PM, "Aokromes" [email protected] wrote:

That's why you have warden_action, to allow to choose the action.


Confirm

Works 2013-07-15_21:08:22 WARN [WARDEN] [Player: Anorexia (Guid: 100117559, Account: 36071)] failed Warden check 785. Action: None

Note: the player was telling others how to set up the hack in question.

The Hitchhiker's Hack, The warden did not see, which may be done??

confirm

As I said earlier, I have the source code of this "hack" (it's freely available) and there is no way to reliably detect if it is opened or not. The reason is that this hack does not make a single change in the wow's executable that is running in the user's computer. What it does is that when you check one of these hacks, it does it all by editing the game's memory and most of the regions it edits are too dynamic to check with a static value. The server never gets some of the values of these addresses, thus, it is not possible to detect every single thing it does. Since we are dealing with a piece of open-source, checking window names or process names and such will not help - the user can change those with ease. Any questions? Anything I did not explain why and how? Feel free to reply.

Confirm. Anticheat does not work for the Hitchhiker's hack.

+1 on this.

Trinity Revision: 69a616e55d8e+ Database Version: TDB 335.52
confirmed

Any workaround for this so far?

You cannot simply detect all of its functionality because
1) it does absolutely nothing to the game when it is opened, it only lists the wow.exe instances just like any task manager would. That means that you cannot detect whether it's opened or not - people can rename the process, so process name check would never help.
2) it changes some very dynamic addresses that are not static and change quite randomly, making it impossible to accurately detect who's using the flyhack and who got a false-positive. You would be banning every single player eventually if you tried to detect it.
3) since you don't know if it's opened (on the server), you cannot make assumptions on what changed your coordinates. I tried making it so that if you just move left/right without any other possible movement, it detects, but I was able to trigger that without the hack way too easily. There are measures to detect the teleport and speedhack, but they are not reliable at all to ban/kick by them.
4) even if you would somehow look past all that, it would still not prevent anyone making an essentially the same thing and continuance - it's an open-source hack.
On Oct 31, 2013 4:46 PM, "3v3rh11t" [email protected] wrote:

any news?


Confirm and very critical!

Confirm still have this problem :) need some solution Thanks!

This can't be checked by the warden - the only way to check this is to have an active anticheat running on the server that checks player position every x ms and tries to understand if the new position is valid compared to the last one, given any teleport and auras on the player. There is a massive amount of false positives that need to be handled....

Isn't this a won't fix issue?

Good point. If this specific hack is too difficult for Blizzard to solve, why should TrinityCore keep the issue open for 10 years to see if it gets solved?

Just to note it's still an issue i guess? :dancer:

Sure, I get that. I just don't see any solution for this in the next year or so.

@tkrokli Similar to #13660 which is stated as won't fix

Thanks for the tip. I leave it up to the owners/main TC devs to decide if that will be the case here.

I implemented it years ago on a 434 Trinitycore.. or was it 335? I dunno anymore.. but it's 100% possible to detect hitchhiker with Anticheat.. you just need to implement a logic which is able to validate the movement of the player.. you can start by the speedhack.. you need to check if the distance the user just traveled is possible by the current speed of the player... the same goes for teleport hack.. it's basically the same

ofc after this you need to handle things like charge spells or jump effects.. but for this you have the motionmaster...

Portal teleports or map changes can be checked by a certain flag which the server sends when someone is teleported

@Seyden could you share your code so at least we get something to work on?

That kind of detection is called a passive anti-cheat which is in fact able to detect any speedhack e.g.
But it has various negative effects which are maybe the reason why such a feature was never implemented. The two main reasons which I would think of are:

  1. It isn't that easy to calculate the correct speed and in fact it will take extra resources (cpu e.g.)
  2. It may detect players with a high-ping/lags as cheaters so there are various cases where false-detection could happen and therefore a GM must check every player.
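Added example, not part of the thread and not TrinityCore code: a minimal sketch of the server-side movement validation the comments above describe (distance travelled against allowed speed, a rebase when the server itself teleports the player, and a strike counter so one lag burst does not flag anyone). All type names, thresholds and the speed value are assumptions made for illustration.

```cpp
#include <cmath>
#include <cstdint>
#include <cstdio>

// Hypothetical types for illustration; these are not TrinityCore classes.
struct MoveSample { float x, y; uint32_t timeMs; };  // position + server receive time
enum class Verdict { Ok, Tolerated, Flagged, Rebased };

class MovementValidator {
public:
    MovementValidator(float tolerance, uint32_t slackMs, int strikesToFlag)
        : tolerance_(tolerance), slackMs_(slackMs), strikesToFlag_(strikesToFlag) {}

    // Call whenever the server itself relocates the player (portal, map change, charge).
    void NotifyServerRelocation() { rebase_ = true; }

    // speedYps: speed the server currently allows, in yards/second, auras applied.
    Verdict OnMove(const MoveSample& now, float speedYps) {
        if (rebase_) {                       // first sample, or a server-side relocation
            last_ = now; rebase_ = false;
            return Verdict::Rebased;
        }
        float dist = std::hypot(now.x - last_.x, now.y - last_.y);
        uint32_t dtMs = now.timeMs - last_.timeMs;
        // Slack absorbs packets bunched up by latency; tolerance absorbs rounding.
        float allowed = speedYps * tolerance_ * (dtMs + slackMs_) / 1000.0f;
        last_ = now;
        if (dist <= allowed) {
            if (strikes_ > 0) --strikes_;    // good samples decay old strikes
            return Verdict::Ok;
        }
        ++strikes_;                          // a single bad sample is only tolerated
        return strikes_ >= strikesToFlag_ ? Verdict::Flagged : Verdict::Tolerated;
    }

private:
    float tolerance_; uint32_t slackMs_; int strikesToFlag_;
    MoveSample last_{}; bool rebase_ = true; int strikes_ = 0;
};

int main() {
    MovementValidator v(1.2f, 200, 3);       // constructed thresholds
    const float run = 7.0f;                  // constructed speed value
    MoveSample trace[] = {{0,0,0}, {3.5f,0,500}, {23.5f,0,1000}, {43.5f,0,1500}, {63.5f,0,2000}};
    for (const MoveSample& s : trace)        // constructed trace: one normal step, then 20 yd per 500 ms
        std::printf("t=%u verdict=%d\n", (unsigned)s.timeMs, (int)v.OnMove(s, run));
}
```

A `Flagged` verdict is best treated as a log entry for GM review rather than an automatic ban, for the false-positive reasons given in the comment above.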

@Killyana There was already a pull request: https://github.com/TrinityCore/TrinityCore/pull/16774

@Killyana i can look if i always have the code for it.

@FireEmerald i can't remember.. but i think i thought about point 2 when i did the anti cheat.. but have to look..

try this https://github.com/WoWSource/WoWSource434/tree/dcb2fec245b3b2ab4a8f6f4f8cd77a51c80bfb68/src/server/game/Anticheat i remember there was no hacks to work in that core, all was detected right away and auto banned all attempts and options can be modify from worldserver.conf, i'm sure its required a few adjustments to fit with actually tc

News?

news is this will continue to be the same.
https://github.com/TrinityCore/TrinityCore/issues/7639#issuecomment-224385035
(use passive anticheat and check warnings because it has too many false positives)

This is the source code of this cheat. Maybe someone will figure out how to deal with it.
https://github.com/wodim/hitchhiker

the answer will be the same whatever you write, use passive anticheat. even on retail some cheats aren't detected and you can fly around and they use player reports.

Maybe anyone can find in this source and add something in warden, maybe offsets, I don't know

@Aokromes Are you talking about the anti-cheat that is on the forum? You have to be a sadomasochist to use it. Cheats of this type will never work on the official server, because every player there is processed by the server. Most cheats now use a clumsy implementation of the system of movements. So there is no need for a passive anti-cheat, you need to improve the server-side code.

i have seen myself tc members fly hacking on retail. so don't tell me they don't work.

@Aokromes Well, try to hack the official server through the transport and substitution of MOVEMENTFLAG_ON_TRANSPORT. In Trinity and MaNGOS this is possible.

In case anyone wants to check, there are some warden checks here, I can't confirm if any works, but most of them, for sure, do not.
http://www.ac-web.org/forums/showthread.php?227605-Warden-Checks-WoTLK

@sirikfoll I checked it. A lot of false positives. Warden will never recognize The Hitchhiker's Hack or Admin Panel WoW, they do not affect WoW.exe and are aimed at poor synchronization of the server with the client.

There are also advanced hacks to Cast Spells while moving and some more epic things

@tje3d This can be done because move interrupt is only checked on Spell Update and on cancel cast packet. You can send specific MSG_MOVE opcodes after your last movement (like turn). This can be stopped by checking spell casting in movement opcode handler or by tracking the movement flags until next spell update.
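Added example, not part of the thread and not TrinityCore code: a small model of the second mitigation named above, where the movement handler latches "moved during cast" so the next spell update cannot miss it, shown beside a tick that reads only the current flags. The struct names and flag values are hypothetical.

```cpp
#include <cstdint>
#include <cstdio>

// Hypothetical model; names and flag values are constructed, not TrinityCore's.
constexpr uint32_t FLAG_MOVING_MASK = 0x0F;  // forward/backward/strafe bits
constexpr uint32_t FLAG_TURNING     = 0x10;  // turning in place

struct MovePacket { float x, y; uint32_t flags; };
struct Caster {
    float x = 0, y = 0;
    uint32_t moveFlags = 0;
    bool casting = false;          // casting a spell that movement must interrupt
    bool movedDuringCast = false;  // latch written by the movement handler
    void StartCast() { casting = true; movedDuringCast = false; }

    // Movement opcode handler: note displacement when the packet arrives.
    void HandleMovement(const MovePacket& p) {
        bool displaced = p.x != x || p.y != y;
        if (casting && (displaced || (p.flags & FLAG_MOVING_MASK)))
            movedDuringCast = true;
        x = p.x; y = p.y; moveFlags = p.flags;
    }

    // Before: the spell update looks only at the flags current at tick time.
    bool UpdateFlagsOnly() {
        if (casting && (moveFlags & FLAG_MOVING_MASK)) casting = false;
        return casting;            // true = cast still running
    }

    // After: the spell update also consumes the latch.
    bool UpdateWithLatch() {
        if (casting && (movedDuringCast || (moveFlags & FLAG_MOVING_MASK))) casting = false;
        movedDuringCast = false;
        return casting;
    }
};

// Replays one constructed packet sequence between two spell updates.
bool CastSurvives(bool useLatch, const MovePacket* pkts, int n) {
    Caster c; c.StartCast();
    for (int i = 0; i < n; ++i) c.HandleMovement(pkts[i]);
    return useLatch ? c.UpdateWithLatch() : c.UpdateFlagsOnly();
}

int main() {
    MovePacket moveThenTurn[] = {{1.0f, 0.0f, 0x01}, {1.0f, 0.0f, FLAG_TURNING}};
    std::printf("flags-only: %d, latch: %d\n", CastSurvives(false, moveThenTurn, 2), CastSurvives(true, moveThenTurn, 2));
}
```

Turning in place without displacement does not set the latch, so legitimate casts that allow turning are not interrupted.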
