So, VesperCore, based on ur opinion, is PQR safe to use atm?
I have been in-game for quite some time now and farmed herbs manually, but it seems like I won't get the trigger opcode for enabling the detection.
I used page exceptions to track modifications to the function but so far nothing came up. (Also double-checked with Cheat Engine.)
Another question:
For now it seems like lua_loadbuffer is the only function that's being affected by the check.
But nothing prevents them from adding that check to other functions (like execute buffer) too.
So wouldn't it make more sense to actually counter their detection somehow (un-hooking / stack-spoofing / calling from codecaves / ...)
instead of just using another function?
Ah, and will warden (I'll just call it warden because it's easier) unhook the function again after one call?
Or does the function remain hooked indefinitely after the trigger?
Can anyone confirm if Framescript_LoadBuffer is currently (17055) at 0xD6BF0 (rebased)?
Since we don't (publicly) have an IDA database that's anywhere near what we had before 5.3, it makes more sense to tell others the function address.
So is PQR "safe"?
Epic fail from Blizzard. Not putting HONORBUDDY in the packet name might be a good start.
VesperCore, thank you for the info.
Last edited by ginuwine12; 06-14-2013 at 12:34 PM.
Reports are coming in on the HB forum about Tripwire being Activated with some users.
Seems something is going on....
Reference URLs:
Tripwire activated. Shutting down Honorbuddy
[17:50:06.536 N] Tripwire activated. Shutting down Honorbuddy
Flattery makes friends,
Truth makes enemies!
I have been leveling two characters from 1-90 and PvPing to get full Malevolent gear within 2 weeks only by botting, about 20 hours a day, mostly non-stop, and I haven't received any warning or seen anything suspicious.
VesperCore, you said the check is "range n+1". I think you mean that the hook checks the complete call stack, right?
If that isn't what you meant then please explain the phrase "n+1".
Next thing you said that using lua_load / FrameScript_loadbuffer(4D6BF0) isn't safe since the hook is placed inside "lua_load" (D61F0).
But then you said it would be ok to use "FrameScript_ExecuteBuffer = 0x55347; // good to execute lua".
But execute buffer also uses lua_load (indirectly) to load the supplied code. So why exactly do you say that this function should be safe?
They're checking the complete stack anyway or not?
@HunterHero: I think you're in the wrong section of this forum.
I love Blizzard's tactics.
They are all wrong, it's as if they wanted to infiltrate a drug cartel having written "POLICE" on their jackets.
Super discreet.
LOL
@VesperCore:
Ah now I get it. Thanks for the explanation!
Flame them all you want. But their idea is good.
Who knows how long that hook would have remained unknown to us if it weren't for that named network-opcode.
Imagine them adding another (or even the same) kind of protection at a different address, but this time without telling everyone.
Then it stops being funny...
ontopic:
I really want to analyze the hook and the code behind it in detail.
But for me the hook-placement just doesn't trigger even though I'm running both of my wow accounts parallel.
Would be really cool if someone could post a dump of the hooked FrameScript_load and the target it jumps to?
Last edited by dadude123; 06-14-2013 at 08:40 PM.
I'm with Vesper. I appreciate his frustrations. People join and then read 2 posts of a thread and think they are contributing to discussion by offering up baseless nonsense. It just makes the poster look stupider than before.
The people on here who develop and code are smart people who have little tolerance for pretenders and people who try to come off like they know more than they do.
He's only saying what the rest are thinking.
Bravo, Vesper.