Warden upgrade! Be careful!!!

[Recoiled]

Tripwire activated. Shutting down Honorbuddy - Page 15

Please run the newest HB and tell me what happens.

I wonder what Bossland has changed. Maybe it was false positives for the tripwire?
For someone who is a programming noob (Java/PHP I get, this I don't). If you continue to use the hook into Framescript how would the tripwire work to protect you?
If the server sends the packet and the client doesn't respond would that be suspicious?
Does Honorbuddy effectively overwrite that function or just simply close the client down hoping the client didn't respond to the packet in time?

[VesperCore]

Tripwire activated. Shutting down Honorbuddy - Page 15



I wonder what Bossland has changed. Maybe it was false positives for the tripwire?
For someone who is a programming noob (Java/PHP I get, this I don't). If you continue to use the hook into Framescript how would the tripwire work to protect you?
If the server sends the packet and the client doesn't respond would that be suspicious?
Does Honorbuddy effectively overwrite that function or just simply close the client down hoping the client didn't respond to the packet in time?

Its not relative to this -at all-, its a new feature they(hb) added, not a false positive for the purpose it serve though.

[Recoiled]

Its not relative to this -at all-, its a new feature they added, not a false positive for the purpose it serve though.

Yeah, I get that blizzard added a check on the function that lets honorbuddy run lua code (which other people could use if they wanted). I'm just wondering how you would counter the check (without mapping to another function or n+2 as you described)

Edit: Just re-read some stuff, you said they don't scan that opcode anymore. >_> then I wonder what their tripwire was doing :S

[VesperCore]

Yeah, I get that blizzard added a check on the function that lets honorbuddy run lua code (which other people could use if they wanted). I'm just wondering how you would counter the check (without mapping to another function or n+2 as you described)

Edit: Just re-read some stuff, you said they don't scan that opcode anymore. >_> then I wonder what their tripwire was doing :S

This tripwire alert is not related to anything in this thread, and is not even related to the game.

[Lottolols]

ty for info

[Sednogmah]

Is lua_load the same thing as lua_pcall?
My personal half-baked bot is using the standard Lua API.
lua_pcall, lua_pop, lua_push*, lua_gettop, ...
No patching of any kind.
Am I going to be OK?

[rens]

Is lua_load the same thing as lua_pcall?
My personal half-baked bot is using the standard Lua API.
lua_pcall, lua_pop, lua_push*, lua_gettop, ...
No patching of any kind.
Am I going to be OK?

You will be fine, its lua_load, framscript_loadbuffer.

EDIT: I assume you are using a call back to get return values?

[Sednogmah]

You will be fine, its lua_load, framscript_loadbuffer.

EDIT: I assume you are using a call back to get return values?

No. My Lua calls go like this:
- lua_getglobal (pushes the desired function name on the stack)
- lua_pushnumber / lua_pushstring / .... (parameters)
- lua_pcall (execute function call, blocking)
- loop over stack, retrieve return values with: lua_tonumber / lua_tostring / ....

Pretty much like it's done in the official Lua C API documentation: Programming in Lua : 24.2.2

I don't register my own functions.

Edit: Thank you very much for your help by the way
Edit 2: Decided to switch to GetText() anyway because it's one function instead of like 15

[daCoder]

Commercial message from HB, that's all.
An opcode named SMSG_EnableHonorbuddyDetection have been added into the WoW client since the early 5.3.0 PTR patches, if the server send it, the WoW Client receive it and will add a "jmp" into FrameScript_Load to hook the calls to that function. The check range is recursivly n + 1, so FrameScript_LoadBuffer must be not safe, but I'm not sure about this part.

Can you share the binary with the annotations, pls? I am interested in this kind of meta informations.

Thanks,
daCoder

[Randy44]

thanks for the info

[redcatH]

Great information though thanks VesperCore

Commercial message from HB, that's all.

An opcode named SMSG_EnableHonorbuddyDetection have been added into the WoW client since the early 5.3.0 PTR patches, if the server send it, the WoW Client receive it and will add a "jmp" into FrameScript_Load to hook the calls to that function. The check range is recursivly n + 1, so FrameScript_LoadBuffer must be not safe, but I'm not sure about this part.

if the function is call from somewhere else than the .text of FrameScript_LoadBuffer, it will send back data to Blizzard servers and flag you "using Honorbuddy" for a banwave mostly.

This paquet has been started to be active since yesterday, on 17055 build. It was off all the rest of the time.

To avoid a detection, you can either have a good anti-warden and keep using it (as the paquet received are really rare... maybe it's done by "if you are online more than 10hours, you receive it", I don't know when they send it exactly, but for sure, not everytime).

Or you can simply stop to use both of that functions FrameScript_LoadBuffer and FrameScript_Load.

HB used to use this function FS_Load for direct access to LUA return of values.

example
var myVar = FS_Load("return UnitHealth()");

rather than :
FrameScript_ExecuteBuffer("HP = UnitHealth()");
var myVar = FrameScript_GetLocalizedText("HP");

The HB text is a part lie, because not so much bot or hacks used to have Fs_Load or Fs_LoadBuffer, my project TheNoobBot don't use it at all for instance.
And the goal of that detection was trully for Honorbuddy as blizzard named the opcode as is. (EnableHonorbuddyDetection)

You know all now.


Rebased offsets as of WoW 5.3.0.17055 :

Code:

// the detection code is located here 0x83BEAC

// the detection affect
FrameScript_Load = 0xD61F0;
FrameScript_LoadBuffer = 0x4D6BF0;

//others, not affected
FrameScript_ExecuteBuffer = 0x55347; // good to execute lua
FrameScript_GetText = 0x563AB;
FrameScript_GetLocalizedText = 0x3DD8F9, // good to retrieve data

Note: the last improvements in the warden are not since Glider, it's slighly improved everytime, and they detect every hacks/bots that don't have a D3D hooks somehow fast, when I started TheNoobBot, i haven't used it, and they updated the warden check list 3 times for us within 1 week as we were changing variable when our anti-warden detected these, they even added the support for WINAPI (see kernel32.dll GetThreadPriority in WardenMon) for us, as this was targetting TheNoobBot.

You can see WardenMon, the tool of JuJuBosc, it actually monitore the warden checks for all the latest version of WoW, usually updated within a day after a patch, sometimes automaticly updated by pattern...
WardenMon



It's somehow part of the warden, the function FrameScript_Load haven't changed -at all-, it's dynamicly hooked when receiving the opcode.



Don't stress yourself just because Honorbuddy say something, most of the bot don't even use these. What they mean by "alot of stuff added" is "ONE" check. no big deals

As of 14th june, it seems the detection is no longer active (I mean they don't send packet to that opcode anymore).

[Genocyber]

They are losing Subs because of Botting epidemic especially in BGs

They lose subs because the game became boring.