Warden doing its job?

[Prooz]

I'm not too knowledgeable about all this but it seemed interesting to me. Was posted over at blizzhackers and shared over on the DB forums so though I'd share it here.

Code:

0x00996210 0007 - [MAPHACK]     GetMinimapMarker
0x00943cd0 0009 - [HACK_CMD]    ConsoleInput
---------------------------------------------------------------------------
0x00748800 0014 - [HIDE CRASH]  ExecErrorReport
0x00717ed0 0014 - [HIDE CRASH]  UnhandledExceptionFilter
0x004a4730 0007 - [???]         MenuCallBack
0x00458100 0010 - [PKT SNIFFER] ParseServerMessage
0x003cbe61 0008 - [PKT_SNIFFER] SendMessage
0x00351bb0 0010 - [???]         GetEntityName
0x0032d286 0014 - [MAPHACK]
0x0032d22f 0015 - [MAPHACK]
0x003299d0 0015 - [MAPHACK]     IsMinimapMarkerVisible
0x002d8761 0009 - [MAPHACK?]    Target check crap
0x00263f30 0008 - [HACK_CMD?]   ChatMsg
0x0020dea0 0012 - [PKT_SNIFFER] SendClientAction
0x0020999d 0011 - [PKT_SNIFFER] Intercepting client action
0x0017f860 0017 - [BOT]         RenderGameFrame
0x0017cdc0 0010 - [BOT]         Intercept action on entity
0x00150a00 0008 - [???]         Window stuff
0x000c7700 0009 - [???]         GetEntityAttrib

Also the *Buddy bots are detectable by Warden... You see there is a scan function in Warden that goes over every DLL and makes a signature of it. That means, if you forcefully load 'any' DLL into Diablo III Warden can see it. It doesn't matter if you promise not to change the process, you actually have to physically hide to truly be undetectable to this anti-cheat. (for example: a ReadProcessMemory hook)

If Autoit injects any helper libraries into the target process that too could be causing bans.

Original Post:

Blizzhackers • View topic - Diablo III 1.0.3b Warden Client Module

[dfk]

so does it mean it reads IB dlls when you run it?

[CuT]

so does it mean it reads IB dlls when you run it?

edit: Apoc posted.

"Good thing we don't load any modules in the process, and warden can't see our allocs!"

edit2: APOC

"Just posting this to avoid confusion in the future.

1) No buddy product injects any library (or even loads one in the target process), so that part of the "*Buddy is detected" line is pointless.

2) None of our memory allocations are detectable by Warden, unless they drastically change how Warden works. (If they ever do, we can easily get around that as well, at the cost of a slight performance loss overall)"

Sooo it appears DB is safe (I trust a Coder of the bot). IB who knows.

Edit3: Apoc posted on blizzhackers

"So, firstly, GJ on the reversing of Warden (and posting its info). However, please don't throw out things like "they're detected" when it's not the case.

I'm not sure who spread the rumor that we inject libraries (or even load them) in the games, but the fact is, we don't. (We tried this for Rift, and it backfired)

Also, if you've done this much reversing on Warden, you'd know how, and when, it actually does its work. None of our allocations are detectable by Warden (we make sure to clean up as soon as they're done being used). Plus, if they were to scan for allocated memory in the first place, they'd hit a lot of false positives. Many in-game HUDs [steam/xfire/etc]) allocate memory in the game process, so they'd be hitting those anyway. Especially programs that are "external" viewers (such as some streaming applications)

Again, nice job on the info. (You're missing a few other scans in there btw. Probably going to be more once more than 1 module is actually sent to the clients)"

[fredaman]

that means all autoit script with included/call some dll file with image detect function will be detected? I saw all highend script with included call dll function it request you put some dll file to windows/system32.

[TMichael]

that means all autoit script with included/call some dll file with image detect function will be detected? I saw all highend script with included call dll function it request you put some dll file to windows/system32.

AutoIt uses DLLs to add functionality, as do many other programs. These DLLs are not injected into Diablo III memory space. Injection, if I understand the term correctly, means that the program is reading or trying to access memory space used specifically by the game.

[Prooz]

There was a few more back and forth in the thread but ultimately it seems Demonbuddy is on top of it and Warden can't detect the bot itself. That doesn't mean they can't detect bot like actions server side which is indeed the reason for bans then.

What does this mean for people looking to make money botting? Well, imo it doesn't seem worth it at the rate blizz is banning. You can go get demonbuddy and only run it sporadically to try and go unnoticed but will that make any decent income? I'm not so sure. I'm personally hoping blizz just slows down on the bans and eventually does every other week or longer instead of every single week. If you could get in 24/7 botting for a solid 2 weeks it might be worth it for some extra cash, 1 week or less.. not so much.