Сообщения

[Autofire does not press the mouse button for you. It bypasses the normal input layer and triggers the firing function directly inside the game code.To achieve this, the module hooks (injects into / replaces pointers of) the internal function that handles firing. Same at the autoaim. The risk might be lower if you only use the predicted point and try to hit it like a human would, firing your own weapon.]

Even the simplest mod for displaying player statistics above a ship requires a call to the game server, but even when playing with Warpack, the game sees your client dialing a third-party server. The only thing left to do is look at the addresses of the servers that are connected to your client.

No, bro – from what I can see, it seems to work the other way around.

I'm not a developer, just a user analyzing my logs, so I can only describe what I actually observed.

Based on the logs I checked, the WoWS client itself does not appear to connect to any WarPack server. The WarPack connection seems to be handled by the loader as a completely separate process, outside the WoWS network stack.

There's no download into the mod folder; the loader retrieves the modules, packages them and injects them before the game even starts. That's why no WarPack URL shows up anywhere – the download happens before injection and outside the client.

In all logs I reviewed, WorldOfWarships64.exe only communicates with the official WG/Lesta endpoints. I didn't see any additional outbound connections or foreign servers in crash logs or telemetry.

Of course, I can't see what WG does on deeper internal layers; I can only speak about what the logs show on the user side.

But from everything visible to me as a player, detection seems to rely on memory changes, injected code, and CAT monitor failures, not on simple network traffic.

or may be - second account not chosen by ban randomizer

I'm not criticizing the system. I'm only sharing what the logs show on a technical level. Nothing more, nothing less.
All logs I'm referring to here including python.log, preferences, crash dumps and monitor reports — do not prove WarPack usage in any way.
These files contain generic diagnostic information that appears on completely clean installations as well.
Crashes, warnings, and Python errors happen on unmodded clients every day, and the log format is identical whether you use mods or not.

I want to share exact technical findings directly from my client logs (python.log, monitor_*.log, crash dumps).
The account these logs came from will be banned sooner or later, so this is posted purely for transparency.

This is not theory, this is what the game client actually recorded and uploaded.

The Anti-Tamper System ("CAT Monitor") is active and reporting

In the monitor logs you see entries like:

Код Выделить Развернуть

Monitor started
Config updated from the server
Statistic event="client_connected" sent
Statistic event="monitor_online" sent

This confirms:

Anti-Tamper is running
It connects to WG/Lesta servers
It reports status immediately
Server endpoint:

Код Выделить Развернуть

http://cat.wargaming.net

The logs contain:

Код Выделить Развернуть

Incoming event: Crash has occurred
Event subtype: unhandled_exception
callstack hash: 9531df639286b8679c3c0034bf1b960aff3b2bbf

Meaning:
The exception is fingerprinted
The call stack hash uniquely identifies the code path
This can be compared across thousands of clients
Injection-related crashes stand out immediately

The Artifact Collector gathers a full forensic package

The monitor log explicitly lists:

Код Выделить Развернуть

requested artifacts = ["cef logs", "crash_info", "dump", "python_log", "monitors_logs"]

This includes:
python.log (contains CAT monitor failures and initialization errors)
Crash dumps (.dmp)
Monitor internal logs
DXDiag hardware profile
Preferences and user settings

Everything is attached to your account ID. Nothing is anonymized.

The report was uploaded and accepted by the server

The log shows:

Код Выделить Развернуть

Procedure: upload report(...) status="uploaded"
archive path="...\6560_25-11-07-15_19_33_240.zip"
Report ... successfully registered.

This proves:
The ZIP was created
It was transferred to the WG/Lesta server
The server confirmed successful reception
The server explicitly requested the artifacts

This does not mean a ban is immediate, only that the diagnostics are stored for the next review wave.

Код Выделить Развернуть

1 files (label="python_log") were copied
1 files (label="monitors_logs") were copied
Anti-Tamper repeatedly failed

From python.log:

Код Выделить Развернуть

ERROR: [CAT monitor] Unable to run an out of process handling.
ERROR: [CAT] Monitor process initialization failed!

Common reasons:
Foreign DLL injected before CAT
Hooked functions
Modified memory regions
Corrupted EXE integrity
Blocked monitor initialization
The client constantly sends telemetry

The logs show connections to:

Код Выделить Развернуть

https://phobos-api.worldofwarships.eu
https://ares.worldofwarships.eu
https://stats.worldofwarships.eu
https://ws.worldofwarships.eu/ws

These endpoints handle:

Client errors
Telemetry
Anti-cheat events
Crash metadata
Hardware identifiers

Even without a crash, data is constantly transmitted.

After fully reinstalling the client, deleting all logs and running the game without Wp, the results are very clear

Код Выделить Развернуть

• python.log contains no CAT monitor errors
• no crash is generated
• no "unhandled_exception" event appears
• no report package is created
• no archive (ZIP) is generated
• nothing is uploaded to cat.wargaming.net
• monitor logs only show "client_connected" and "monitor_online"

A clean client session produces no crash dumps, no exception reports and no uploads of any kind.

When running the game normally, the Anti-Tamper monitor works as intended and stays silent.
Only the basic status events ("monitor_online") are sent, which is standard for every player.

A note on log file protection. Setting python.log (or any other WoWS log file) to read-only instantly caused a crash on startup in my case. The client still tries to write to the file, fails, and the monitor detects the access-denied state, logs it, and reports it immediately. A write-protection blocks writing, but it does not prevent the file from being read or copied into crash-reports.

Autofire does not press the mouse button for you. 
It bypasses the normal input layer and triggers the firing function directly inside the game code.
To achieve this, the module hooks (injects into / replaces pointers of) the internal function that handles firing. Same at the autoaim. The risk might be lower if you only use the predicted point and try to hit it like a human would, firing your own weapon.

I hope these observations help with analysis and development.
My subscription expired, so I can't provide further comparisons for now.

[one]

or may be - second account not chosen by ban randomizer

🙂 Hello smokescreen,

For context: I've used WarPack for months with multiple keys — not just a single test.
The mod works as advertised on both carriers and surface ships; its functions are stable and effective.
That's not the issue I want to discuss.

The core problem is detection. Ban waves make it clear that detection now relies on memory/process checks and behavioral telemetry, not just screenshots or public exposure.
Injection, hooking, crash dumps, and telemetry can be analyzed even when nothing remains in the mod folder.
That means even careful long-term users can be flagged later in ban waves.

Feel free to follow the discussion and answer this:
If WarPack doesn't download anything into the game folder, what exactly does the client "repair"?

After using WarPack, performing a Check & Repair via the Game Center always results in the message: "Game is being repaired."

Running a second check immediately afterward shows no issues found. This strongly indicates that WarPack modifies at least one core game file on disk, not only in memory.
If it were a purely in-memory injection, no repair would be needed.

Wargaming collects data silently and releases warnings in waves.
That means using WarPack once and then staying away for months doesn't prevent a later warning.
Treat affected accounts as "tagged but not yet processed."

Premium ships, progress, and paid content disappear far faster than any short-term benefit from a mod.
And please don't misunderstand me I've bought keys for months and tested different setups.
I also received my second strike.

But honestly, we don't want to create dozens of throwaway accounts just to grind bots; many of us were close to moving up to the Gold League.
I'm not trying to provoke anyone I genuinely hope this helps improve understanding and transparency on both sides.

After all, I've paid multiple times, and I want it to work — and yes, we're all aware of the risk. 😉

Ранее разработчик писал что они могут банить по разным причинам и их очень много, что если они найдут то как они видят варпак то они придумают новый способ как вычислять варпак, думаю это дело эксперементов, и они могут не дать результатов, если вам интересно то можете задать вопрос администратору в этом чате и он вам ответит на тот вопрос который вы ему поставите)

I'd like to add some more details:

On a second account, I launched WoWS with WarPack active and only entered the port. I did not start a battle and then closed the game. WarPack loaded as usual.

On the other account, I played battles with WarPack, as I mentioned earlier.

The account where I only stayed in port with WarPack was not affected by the wave.

Additionally, this might be useful for development or further detection analysis. Speculatively, this could give some insight into how the detection works — it might really be linked to the auto-fire feature.

Also, thank you for the friendly and constructive exchange so far. 

просто создайте новый аккаунт и продолжайте играть дальше)

Yeah, bro, I get that. But that can't be the solution. The launcher or Warpack downloads something that the client detects and can fix. That might be a good hint for the developers to maybe fix it. Just starting over again and again is all well and good, it's a lot of fun playing against level 1 bots. But maybe we can solve it and survive the next ban wave.

If game files can be repaired, but the mod data comes from the server, what exactly is being repaired? If it's not being downloaded into the folder. Bro, I'm just trying to understand. 

Я надеюсь что вы получили ответ на свой вопрос)

Partly, partly. I think neither of us really knows how we're being recognized. I just find it strange that the client can "repair" the game after I've used WP. Something must be stored there, then.

Дорогой друг я тоже сейчас на евро сервере получил блокировку за нарушение, Это наша общая проблема так как это называется волной банов в которой много игроков которые получают предупреждение, создай новый аккаунт и продолжай играть дальше), это мой тебе совет), а если в общем то сегодня прошла очередная волна банов на евро сервере, я играл 3 часа назад все было хорошо, вышел с игры и вот ща зашел а там предупреждение)

Hello my friend. Thank you for your message.

Something I'd like to add, and something I've noticed: After using Warpack and performing a Check & Repair via the client, the game finds something and repairs it. I understand that the mods are loaded from the server into the game and not stored in the directory?

How is it possible that the client finds something to repair during the check?

If you then perform a second check, nothing is found. Of course, it's always a risk, I understand that. But I'd like to know, based on your experience, how I was detected.

If I won ranked battles solo against everyone with 600k damage and simply gave everyone 30 citadel hits, that would be okay. But only in PvE?

Anti-Cheat Policy Enforcement – 2nd strike
Dear Player,

We've discovered that some prohibited software has been used on this account. This software makes changes to the system libraries and intrudes into the system processes of the game, or helps players aim at targets using methods that aren't allowed in the game.
Due to this violation, the given account will be suspended for 7 days.

Only used in version 14.9. Not used at all in version 14.10. Only PvE game mode. Used on all ships, also played with auto-fire a little, but not much. Any idea how they found me? Never overdid it, never even in PvE battles, never in the top 3. The first strike was years ago.