How does Overwatch's Warden (anticheat) work, and what can be done to bypass it?

[FiTTeRBoy91]

Do any experienced users know how overwatch detects cheat programs? Like what do they scan for, are there any precautions that could be took or any ways of bypassing the sending if information to blizzard's anti-cheat program?

Please civil discussion, as I'm trying to learn.

[DvASystems]

Did you create this thread because you bragged about buying the chinese memory aimbot that just got banned?

I'm pretty sure that you are paranoid right now and expect that account ban to happen any second now.

[Fire007]

I dont knw how, but its there on unknowncheats - hope its helps u - 守望先锋反外挂技术测评 - 外挂分析游戏安全实验室

[Fire007]

I dont knw how, but its there on unknowncheats - hope it helps u - 守望先锋反外挂技术测评 - 外挂分析游戏安全实验室

[FiTTeRBoy91]

Did you create this thread because you bragged about buying the chinese memory aimbot that just got banned?

I'm pretty sure that you are paranoid right now and expect that account ban to happen any second now.

Honestly I don't care about ban or being banned. If I get banned it isn't the end of the world bud, It isn't hard to get another OW Acc, I'm just interesting in learning about potential ways to bypass the detection system.
I like AHK hacks, but they just don't compare to what a memory hack can do for you, even though it is intrusive.

[FiTTeRBoy91]

I dont knw how, but its there on unknowncheats - hope it helps u - 守望先锋反外挂技术测评 - 外挂分析游戏安全实验室

Can you or anyone else translate this? I can't read chinese.

[glidarn]

Can you or anyone else translate this? I can't read chinese.

Google Translate

[FiTTeRBoy91]

Google Translate

Tried that.. pretty rough translation.

Back to topic, does ANYONE know how OW's detection system works?

[brucemalis]

Here's is more info.

I can read chinese, but honeslty don't have the time to translate that right now. I will start working on it tonight after work, but it may take me a little bit to get through it all.

[FiTTeRBoy91]

Here's is more info.

I can read chinese, but honeslty don't have the time to translate that right now. I will start working on it tonight after work, but it may take me a little bit to get through it all.

Thanks man

[FiTTeRBoy91]

Thanks man

bump? 1

[atmos]

If you go over the paper even with google translate, you'll see 1 significant part and that's the almost complete lack of real-time security suggested in the 2nd 'part' of the paper.

[paladog312]

Google Translate

前言
守望先锋作为目前最为火爆的游戏，赢得了广大玩家的青睐。在天梯赛开放过后，其反外挂机制受到了玩家的挑战。本文本着学习态度，通过“黑盒测试”的方式逐步分析其反外挂机 制，最后再结合目前市面上的一款外挂验证其反外挂机制的有效性。

First of All,
it just bullsheeting how overwatch popular is & blah blah blah, and now they using a "black box test" method to analyse and perform anti hack. Finally, they combine with an anti hacking system to make their anti hack system more rigid.

反外挂之文件结构
首先从守望先锋的文件入手，找到其反外挂机制的载体。守望先锋的文件结构树如图1所示。

Anti Hacking File Config
First, we start with Overwatch Files, find the anti hacking system carrier. Overwatch Anti Hack System File Configuration is shown as Figure 1.

[img] http://gslab.qq.com/data/attachment/...tts7x78o7r.png [/img]
Figure 1 : Anti Hack System File Config.

文件结构很清晰明了，可执行的文件包括：( The File Config is CLEAR enough, the file it works with included: )
1. OverWatch.exe，该文件即为守望先锋的主程序；( Overwatch.exe , this file is Overwatch Main client)
2. OverWatch_Launcher.exe，该文件即为守望先锋的登录程序；(Overwatch_Launcher,exe, this file is Overwatch Login Client)
3. Bink2w64.dll，该文件为图像处理模块；( Bink2w64.dll , this file is Image Process Module)
4. Vivoxsdk_x64.dll，该文件为声音处理模块；(Vivoxsdk_x64.dll, this file is Sound Process Module)
5. Ortp_x64.dll，该文件为网络传输模块。(Ortp_x64.dll , this file is Network Transmission Module)

it also include these Indexes , Cache，data，ErrorReporting Index。According their name，size to predict，Cache keeps Players Caches，including the Skins and ETC，data keeps the models resources，ErrorReporting keeps Error reporting lols.

文件结构按照功能分类存放，因此可以推断，反外挂机制就存在与主程序OverWatch.exe里面。
File config. is keeping in this manners > depends on their Functions. Anti Hack is inside the Main client , Overwatch.exe

OverWatch.exe是一个纯64位的程序，因此32位的系统是不能运行守望先锋的。在安装过程中，战网也会提示仅支持64位系统，如图2所示。
Overwatch is a pure 64bit program, so that 32bit system cant run Overwatch. During game installation, Blizzard did mentioned that it only support 64bit systems, As shown as Figure 2

[img] http://gslab.qq.com/data/attachment/...hr9cj72189.png [/img]
Figure 2

而根据OverWatch.exe的Section表来看，并没有发现市面上常见的PE保护方式，如图3所示。

According to Overwatch.exe Section Table, it doesnt found the common PE protection method. As shown as Figure 3.

[img] http://gslab.qq.com/data/attachment/...v6h68h5xqg.png [/img]
Figure 3

[spoiler] 1st column :Name, 2nd column :Ram Offset 3rd column Ram Size , 4thcolumn File Offset, 5th column File Size, 6th is Remark/ Marking [/spoiler]

各个Section的名称很规范，给人感觉就是很干净。但实际上并非如此，IDA直接导入文件后发现，里面的内容并不友好，如图4所示。

The name of every section is so good , standard, looks clear. Actually not at all, after IDA directed inside the file, actually their details are not friendly at all. As shown Figure 4.

[img] http://gslab.qq.com/data/attachment/...th1gv8ttf1.png [/img]
Figure 4 : Dissembled Overwatch.exe

Thats all for today im tired for translating this