Odd code in 24015 IsSpellKnown() menu

  1. #1 air999 (Contributor)

    Odd code in 24015 IsSpellKnown()

    Hello!

    I was digging for the InputControl structure and found some strange code in client 24015, both x32 and x64.

    I found it in the function IsSpellKnown, which is called from:

    Code:
    Script_IsAutoRepeatSpell
    Script_IsUsableSpell
    Script_IsSpellKnown
    Script_IsSpellKnownOrOverridesKnown
    Script_GetSpellCharges
    Script_GetSpellInfo
    Script_GetSpellPowerCost
    Script_GetSpellAutocast
    Script_ToggleSpellAutocast
    Script_EnableSpellAutocast
    Script_DisableSpellAutocast
    GetSpellIDFromLua
    sub_8C2787
    This is the strange code:
    Code:
     off_10F3CE0 = (char *)xmemcpy + (((char *)off_10F3CE0 - (char *)xmemcpy) | 0x640000
        * (*(_DWORD *)(g_theGxDevicePtr + 0xE60) != *(_DWORD *)(g_theGxDevicePtr + 0xE64)));

    [g_theGxDevicePtr + 0xE60] is in fact a mouse action incremental counter.
    [g_theGxDevicePtr + 0xE64] must be the previous value; I didn't actually check.

    This code calculates some value when the mouse action counter doesn't equal the previous one.

    I found a reference to off_10F3CE0 in NetClient::ClientConnectionAuthChallengeHandler().


    x32 0x8C3C28 not rebased
    Code:
    bool __cdecl IsSpellKnown(int a1, int a2)
    {
      bool result; // al@3
    
      // the odd line: rewrites off_10F3CE0 relative to xmemcpy, OR-ing in 0x640000 when the two counters differ
      off_10F3CE0 = (char *)xmemcpy + (((char *)off_10F3CE0 - (char *)xmemcpy) | 0x640000
          * (*(_DWORD *)(g_theGxDevicePtr + 0xE60) != *(_DWORD *)(g_theGxDevicePtr + 0xE64)));
    
      if ( (CGSpellBook__FindSlotBySpellID(a1, a2) & 0x80000000) == 0 )
      {
        result = 1;
      }
      else if ( a2 )
      {
        result = CGPetInfo__FindSpellByID(a1) != 0;
      }
      else
      {
        result = sub_8C389E(a1);
      }
      return result;
    }
    x64 14078C030 not rebased
    Code:
    char __fastcall IsSpellKnown(unsigned int a1, int a2)
    {
      unsigned int v2; // ebx@1
      int v3; // esi@1
      __int64 v4; // rax@3
      char result; // al@3
    
      v2 = a1;
      v3 = a2;
      // same construction as the x32 build, with the counters addressed as DWORD indices
      off_141560CA8 = (char *)xmemcpy + (((char *)off_141560CA8 - (char *)xmemcpy) | 0x640000
                    * (*((_DWORD *)g_theGxDevicePtr + 0xE64) != *((_DWORD *)g_theGxDevicePtr + 0xE68)));
    
      if ( sub_140787230(a1) >= 0 )
      {
        result = 1;
      }
      else if ( v3 )
      {
        LODWORD(v4) = sub_1408B1450(v2);
        result = v4 != 0;
      }
      else if ( v2 != 2641 || (unsigned int)dword_141922370 <= 0xA51 )
      {
        result = 0;
      }
      else
      {
        result = (*(_DWORD *)(qword_141922380 + 328) >> 17) & 1;
      }
      return result;
    }
    In current build 24461 there is no such code.

    So, my question is: is it a detection vector or just my paranoia?

  3. #2
    Jadd's Avatar 🐸 Premium Seller
    Reputation
    1511
    Join Date
    May 2008
    Posts
    2,432
    Thanks G/R
    81/333
    Trade Feedback
    1 (100%)
    Mentioned
    2 Post(s)
    Tagged
    0 Thread(s)
    Yes, it is detection related and it has existed since some time after 7.1. Essentially the way it works is by comparing the previous graphics refcount to the current refcount. The only time this is ever unequal is *during* a render, meaning it will set a flag in your client if the code is executed from rendering functions - most notably EndScene.

    As you're aware, the detection flag is only read within the auth challenge response, so you are only susceptible to a ban if you relog on the same client after being flagged.

    Before any wild speculation occurs, most bot developers I know (including the HB team) have been aware of it since it was introduced.

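Added illustration, written for this page and not taken from the client or from either post: a small C model of the mechanism air999's decompiled line shows and Jadd explains. It keeps the 0x640000 constant and the shape of the expression `off = base + ((off - base) | 0x640000 * (cur != prev))`; the base address, the struct field names, the function names and the counter values in the scenario are constructed stand-ins. It demonstrates why the flag is set only when the probe runs while the two counters differ, and why it stays set afterwards so that a later reader (the auth challenge handler in the thread) still sees it.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the check discussed in the thread. RENDER_FLAG is the
   0x640000 constant from the decompiled line; everything else is a stand-in. */
#define RENDER_FLAG 0x640000u

/* Models the two counters at g_theGxDevicePtr+0xE60/+0xE64 (x32 build). Per
   Jadd's explanation they are a graphics refcount and its previous value,
   unequal only while a render is in progress. Field names are assumptions. */
typedef struct {
    uint32_t refcount_current;
    uint32_t refcount_previous;
} GxDeviceModel;

/* Stand-in for the address of xmemcpy, the base the stored pointer is measured
   from. An integer is used instead of a real function pointer so the
   arithmetic stays well defined in portable C. */
static const uintptr_t kBase = 0x00400000u;

/* Stand-in for off_10F3CE0: stored as kBase + delta, where a bit of delta
   doubles as a sticky "probe ran during a render" flag. */
static uintptr_t g_tagged_ptr = 0x00400000u;

void reset_model(void) { g_tagged_ptr = kBase; }

/* The probe IsSpellKnown runs before its real work. Mirrors
   off = base + ((off - base) | 0x640000 * (cur != prev)):
   '*' binds tighter than '|', so the flag is OR-ed in only when the counters
   differ, and OR never clears a bit that is already set. */
uintptr_t is_spell_known_probe(const GxDeviceModel *dev) {
    uint32_t during_render = (dev->refcount_current != dev->refcount_previous);
    uintptr_t delta = g_tagged_ptr - kBase;
    g_tagged_ptr = kBase + (delta | (RENDER_FLAG * during_render));
    return g_tagged_ptr;
}

/* The read side: what a later handler (the auth challenge handler in the
   thread) can test, long after the render-time call that set the bit. */
bool auth_handler_sees_flag(void) {
    return ((g_tagged_ptr - kBase) & RENDER_FLAG) != 0;
}

/* Three probe calls: outside a render, during a render, outside a render
   again. Returns a bitmask of the flag state after each call (bit N = call N). */
unsigned run_scenario(void) {
    GxDeviceModel idle   = { .refcount_current = 7, .refcount_previous = 7 };
    GxDeviceModel render = { .refcount_current = 8, .refcount_previous = 7 };
    unsigned states = 0;

    reset_model();
    is_spell_known_probe(&idle);
    states |= auth_handler_sees_flag() ? 1u << 0 : 0;   /* clean */
    is_spell_known_probe(&render);
    states |= auth_handler_sees_flag() ? 1u << 1 : 0;   /* flagged */
    is_spell_known_probe(&idle);
    states |= auth_handler_sees_flag() ? 1u << 2 : 0;   /* still flagged: sticky */
    return states;
}

int main(void) {
    unsigned s = run_scenario();
    printf("flag after calls 1..3: %u %u %u\n", s & 1u, (s >> 1) & 1u, (s >> 2) & 1u);
    return 0;
}
```

The point the model makes explicit is the one-way nature of the encoding: because the flag lives in the pointer's offset from a fixed base and is only ever OR-ed in, no later call with equal counters can undo it, which is why the thread's observation that the value is consumed in the auth challenge handler matters more than the probe itself.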