Warden upgrade! Be careful!!!

[rocambole]

So, VesperCore, based on ur opinion, is PQR safe to use atm?

[dadude123]

I was ingame for quite some time now and farmed herbs manually, but it seems like I won't get the trigger-opcode for enabling the detection.
I used page exceptions to track modifications to the function but so far nothing came up. (Also doublechecked with cheatengine)

Another question:
For now it seems like lua_loadbuffer is the only function that's being affected by the check.
But nothing prevents them from adding that check to other functions (like execute buffer) too.
So wouldn't it make more sense to actually counter their detection somehow (un-hooking / stack-spoofing / calling from codecaves / ...)
instead of just using another function?

Ah, and will warden (I'll just call it warden because it's easier) unhook the function again after one call?
Or does the function remain hooked indefinitely after the trigger?

[-Ryuk-]

Can anyone confirm if Framescript_LoadBuffer is currently (17055) at 0xD6BF0 (rebased)?

Since we don't (publicly ) have an ida database that's anywhere near what we had before 5.3, it makes more sense to tell others the function address.

[culino2]

Have you been sniffing ? Right ? Anything else is useless. If you have debugged into LoadBuffer, even with the opcode active, you wont see any modification. It's "Load".

Note: The check is not in LoadBuffer, it's in Lua_Load, and if you see xref, you will see that function is CALLED ONCE in the whole code, so it's MUCH MUCH MUCH more easy for blizzard to have a check in a function like this, with one possible location of calling rather than in LoadBuffer or ExecuteBuffer that are called from thousands of location. Think about the economy of perf, if they wasn't taking care of that, they would have kept warden + this opcode ALWAYS active.

If you read my first post -again-, you will realize I don't say the check is inside LoadBuffer, but inside "FrameScript_Load".

I bet they have the tools to auto dump all refs.

[healzzz]

so is pqr "safe"?

[vitalic]

Epic fail from Blizzard. Not putting HONORBUDDY in the packet name might be a good start

[ginuwine12]

VesperCore thank you for the infos

[LiquidAtoR]

Reports are coming in on the HB forum about Tripwire being Activated with some users.
Seems something is going on....

Reference URL's:

Tripwire activated. Shutting down Honorbuddy
[17:50:06.536 N] Tripwire activated. Shutting down Honorbuddy

[HunterHero]

I have been leveling two characters from 1-90 and pvping to get full malevolent gear within 2 weeks only by botting, about 20 hours a day mostly non stop and i haven't recieved any warning or seen anything suspicious.

[dadude123]

VesperCore, you said the check is "range n+1", I think you mean that the hook checks the complete callstack right?
If that isn't what you meant then please explain the pharse "n+1.

Next thing you said that using lua_load / FrameScript_loadbuffer(4D6BF0) isn't safe since the hook is placed inside "lua_load" (D61F0).

But then you said it would be ok to use "FrameScript_ExecuteBuffer = 0x55347; // good to execute lua".

But execute buffer also uses lua_load (indirectly) to load the supplied code. So why exactly do you say that this function should be safe?
They're checking the complete stack anyway or not?

@HunterHero: I think you're in the wrong section of this forum.

[Neyia]

I love tactics blizzard.
They are all wrong, it's as if they wanted to infiltrate a drug cartel having written "POLICE" on their jackets.
Super discreet.
LOL

[dadude123]

@VesperCore:
Ah now I get it. Thanks for the explanation!

I love tactics blizzard.
They are all wrong, it's as if they wanted to infiltrate a drug cartel having written "POLICE" on their jackets.
Super discreet.
LOL

Flame them all you want. But their idea is good.
Who knows how long that hook would have remained unknown to us if it weren't for that named network-opcode.
Imagine them adding another (or even the same) kind of protection at a different address, but this time without telling everyone.
Then it stops being funny...


ontopic:
I really want to analyze the hook and the code behind it in detail.
But for me the hook-placement just doesn't trigger even though I'm running both of my wow accounts parallel.
Would be really cool if someone could post a dump of the hooked FrameScript_load and the target it jumps to?

[Baelzebub]

To avoid a detection, you can either have a good anti-warden and keep using it (as the paquet received are really rare... maybe it's done by "if you are online more than 10hours, you receive it", I don't know when they send it exactly, but for sure, not everytime).

.

Please, get the hell out of here, your post is totally USELESS regarding the thread, I suppose, you did not read any shit of.

This post is about the recent change inside WoW Client, and have NOTHING to do with how many hour you can bot.

While i appreciate your knowledge and info your kinda out of line there

[generalsquid]

While i appreciate your knowledge and info your kinda out of line there

I'm with vesper. I appreciate his frustrations. People join and then read 2 posts of a thread and think they are contributing to discussion by offering up baseless nonsense. It just makes the poster looks stupider than before.

The people on here who develop and code are smart people who have little tolerance for pretenders and people who they to come off like they know more than they do.
He's only saying what the rest are thinking.

Bravo vesper

[RBGBOOSTY]

Flame them all you want. But their idea is good.
Who knows how long that hook would have remained unknown to us if it weren't for that named network-opcode.
Imagine them adding another (or even the same) kind of protection at a different address, but this time without telling everyone.
Then it stops being funny...

That is what i exactly tought.They named the Opcode.Maybe they were distracting us? I mean really it cant be that obvious.There is something going on.