Memory patch is up, RIP D3


Page 11 of 13 (results 151 to 165 of 194)
#151 notnairda (Member)
    Originally Posted by maper:
    I think the confusion here is that you are assuming it will be decrypted in-place, which it is not. The decryption takes place in a temporary stack variable, so you either have to hook the point in the game code (therefore making memory modifications) where the decrypted value will be used in order to reliably use that stack variable, or you have to decrypt the value yourself when you read it.
    "so you either have to hook the point in the game code".
    THud is an external "cheat". No .exe detouring. Pretty sure it isn't internal because it works only in windowed/fullscreen-windowed mode, so I assumed it's using just some direct3d hook or something, instead of injecting directly to the game. Otherwise I don't see a reason why it would only work in windowed modes.
    Can't tell for granted, because the code is not open source (sic!). Pure guess.

    "or you have to decrypt the value yourself when you read it."
    It's decrypted by the game itself at some point. Hence you're able to grab a string. If it never got decrypted by the game, the game would crash. There MUST be at least 1 tick where it's decrypted and you're able to grab it. Otherwise it's a crash. I've seen a similar approach (if not the same) in NFS Payback.
    Last edited by notnairda; 03-09-2018 at 06:53 AM.

#152 Rlyeh (Member)
    Originally Posted by notnairda:
    "so you either have to hook the point in the game code".
    THud is an external "cheat". No .exe detouring. Pretty sure it isn't internal because it works only in windowed/fullscreen-windowed mode, so I assumed it's using just some direct3d hook or something, instead of injecting directly to the game. Otherwise I don't see a reason why it would only work in windowed modes.
    Can't tell for granted, because the code is not open source (sic!). Pure guess.

    "or you have to decrypt the value yourself when you read it."
    It's decrypted by the game itself at some point. Hence you're able to grab a string. If it never got decrypted by the game, the game would crash. There MUST be at least 1 tick where it's decrypted and you're able to grab it. Otherwise it's a crash. I've seen a similar approach (if not the same) in NFS Payback.
    Windowed/full screen windowed mode is necessary for THUD to be able to draw the overlay. It's impossible to do it in full screen mode.

#153 notnairda (Member)
    Originally Posted by Rlyeh:
    Windowed/full screen windowed mode is necessary for THUD to be able to draw the overlay. It's impossible to do it in full screen mode.
    Yeah. Exactly what I said. It would have to be an internal cheat to draw it fullscreen :-)
    Last edited by notnairda; 03-09-2018 at 08:34 AM.

#154 maper (Elite User)
    Originally Posted by notnairda:
    "or you have to decrypt the value yourself when you read it."
    It's decrypted by the game itself at some point. Hence you're able to grab a string. If it never got decrypted by the game, the game would crash. There MUST be at least 1 tick where it's decrypted and you're able to grab it. Otherwise it's a crash. I've seen a similar approach (if not the same) in NFS Payback.
    I know it seems like I am nagging at this point but I promise I am not trying to be argumentative. I totally understand where your head is at with your assumption. You're saying that the value will be decrypted at some point, even for a fraction of a second, and you'll be able to read it.

    You would be right except for the fact that that's not how they have implemented it. They do not decrypt the value in-place and then read it, even for just one tick. What happens is when the value is going to be decrypted, a local copy of the value is made on the stack, and the decryption is performed on that copy. The original value is never decrypted. Only copies are decrypted. Because of the ephemeral nature of data on the stack of any given thread, it is infeasible to know exactly where and when the decrypted value will appear.

    The only reasonable solutions to this are to either hook the function(s) that will use the decrypted value, which as you mentioned is not an option for an external cheat, or to reverse engineer and understand the encryption algorithm enough that you understand how to decrypt the value yourself when you read it.

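Added example (C), not code from this thread or from THud, ROS-Bot or the game: it models the pattern maper describes above. The stored field only ever holds ciphertext, the game decrypts into a stack local at the point of use, and an observer has exactly the two options he lists: hook the consumer inside the process, or copy the bytes out and run the reverse-engineered decryption on the copy. The cipher (XOR with a per-object key, then a rotate), the object layout and the callback dispatch are assumptions for illustration and are not Diablo 3's actual scheme.

```c
/* Added example, not code from the thread: models "decrypt into a stack copy,
 * never in place" and the two ways to observe the plaintext.
 * ASSUMPTIONS: the cipher (XOR with a per-object key, then rotate), the object
 * layout and the callback dispatch are illustrative, not Diablo 3's scheme. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    uint32_t key;        /* assumed: per-object key stored beside the field */
    uint32_t enc_health; /* only ever holds ciphertext */
} GameObject;

static uint32_t rotl32(uint32_t v, unsigned n) { n &= 31; return n ? (v << n) | (v >> (32 - n)) : v; }
static uint32_t rotr32(uint32_t v, unsigned n) { n &= 31; return n ? (v >> n) | (v << (32 - n)) : v; }

/* Assumed scheme: enc = rotl(plain ^ key, key & 31). */
static uint32_t encrypt_field(uint32_t plain, uint32_t key) { return rotl32(plain ^ key, key & 31); }
static uint32_t decrypt_field(uint32_t enc, uint32_t key)   { return rotr32(enc, key & 31) ^ key; }

void game_set_health(GameObject *o, uint32_t health) {
    o->enc_health = encrypt_field(health, o->key);
}

/* Game-side consumer: decrypt into a local, use it, return. The object is
 * never written back, so there is no tick in which o->enc_health is plaintext. */
int game_is_low_health(const GameObject *o) {
    uint32_t tmp = decrypt_field(o->enc_health, o->key); /* stack copy */
    return tmp < 100;
}

/* A second consumer that hands the decrypted copy to a callback; stands in for
 * "the point in the game code where the decrypted value will be used". */
typedef void (*health_consumer_fn)(uint32_t health);
static void default_consumer(uint32_t health) { (void)health; }
static health_consumer_fn g_consumer = default_consumer;

void game_tick(const GameObject *o) {
    uint32_t tmp = decrypt_field(o->enc_health, o->key);
    g_consumer(tmp);
}

/* Option 1 (internal cheat): hook the consumer and record what it receives. */
static uint32_t g_hooked_value;
static void hook_consumer(uint32_t health) { g_hooked_value = health; }
void install_hook(void) { g_consumer = hook_consumer; }
uint32_t hooked_value(void) { return g_hooked_value; }

/* Option 2 (external cheat): copy the object's bytes out (memcpy stands in for
 * a cross-process read) and run the reverse-engineered decryption on the copy. */
uint32_t external_read_health(const void *remote_obj) {
    GameObject copy;
    memcpy(&copy, remote_obj, sizeof copy);
    return decrypt_field(copy.enc_health, copy.key);
}

/* What does NOT work: scanning the object's bytes for the plaintext value. */
int naive_scan_finds_plaintext(const GameObject *o, uint32_t wanted) {
    const unsigned char *p = (const unsigned char *)o;
    for (size_t i = 0; i + sizeof(uint32_t) <= sizeof *o; i++) {
        uint32_t v;
        memcpy(&v, p + i, sizeof v);
        if (v == wanted) return 1;
    }
    return 0;
}

int main(void) {
    GameObject o = { 0xA5C3F00Du, 0 };
    game_set_health(&o, 1234);
    printf("stored field:  0x%08x\n", o.enc_health);
    printf("naive scan:    %d\n", naive_scan_finds_plaintext(&o, 1234));
    printf("decrypt copy:  %u\n", external_read_health(&o));
    install_hook();
    game_tick(&o);
    printf("hooked value:  %u\n", hooked_value());
    return 0;
}
```

The naive scan never matches, which is the whole point: the plaintext exists only in a callee's frame. The external path also depends on being able to read the key material (here, assumed to sit beside the field); if the key lives elsewhere or is derived per call, the copy-and-decrypt approach has to recover that too.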
#155 notnairda (Member)
    Originally Posted by maper:
    I know it seems like I am nagging at this point but I promise I am not trying to be argumentative. I totally understand where your head is at with your assumption. You're saying that the value will be decrypted at some point, even for a fraction of a second, and you'll be able to read it.

    You would be right except for the fact that that's not how they have implemented it. They do not decrypt the value in-place and then read it, even for just one tick. What happens is when the value is going to be decrypted, a local copy of the value is made on the stack, and the decryption is performed on that copy. The original value is never decrypted. Only copies are decrypted. Because of the ephemeral nature of data on the stack of any given thread, it is infeasible to know exactly where and when the decrypted value will appear.

    The only reasonable solutions to this are to either hook the function(s) that will use the decrypted value, which as you mentioned is not an option for an external cheat, or to reverse engineer and understand the encryption algorithm enough that you understand how to decrypt the value yourself when you read it.
    Now, that's a quality post and no sarcasm here. Thanks a lot. I'll keep that all in mind. Kinda looks the way it worked in NFS Payback. Will get back at ya once we finally lay our hands on it :>

#156 Gator T (Member)
    I don't know anything about coding or encryption really, but I'm really confused and hoping someone can help explain something to me. Enigma was already able to decrypt whatever protection Blizzard put into the minimap. Realistically, that minimap information is by far the biggest advantage any overlay can provide. Why would they bother encrypting other information to prevent that information from being read?

    I mean, do they really care about an overlay telling me how many crafting materials I have on my inventory tab? Do they really care about letting me see my total health/resource without scrolling my mouse over the orb? Do they really care about me seeing what level augment is on my gear without scrolling over it? If the map information can be so easily decrypted, why bother encrypting other information that really is just more quality of life than an actual advantage?

#157 enigma32 (Legendary)
    Originally Posted by Gator T:
    Enigma was already able to decrypt whatever protection Blizzard put into the minimap.
    Wrong. I'm not decrypting anything. The only reason I'm able to find things is because I know what they're supposed to look like in memory, the "shape" of it, and I know how to find (almost) all allocated chunks of memory. So I go through these and find the best match, and hope that it works. It doesn't always, and honestly I think this method will be broken in a few patches.

    If this was a new game, I would not attempt to reverse engineer it. Blizzard won. I believe this is a tech demo, rather than trying to target a specific hack or bot. As a tech demo, it is a success!

    However, if they were targeting a specific hack, well, then hacks are hacks. An overlay hack is not very different from a bot. They use the same information, but one has a pathing algorithm and mouse/keyboard interaction added. More information = more optimized, but the core is the same.

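Added example (C), not enigma32's code, of a shape-based scan of the kind he describes above: nothing is decrypted; every aligned offset in a memory region is scored against field constraints the sought structure should satisfy, and the best-scoring candidate wins. The MapChunk layout, the plausibility ranges and the region contents (pseudo-random noise, one decoy, one real record) are all constructed here for illustration; a real scan would iterate over the target's allocated heap chunks rather than one buffer, and, as the post says, a best-match heuristic can pick the wrong candidate when the layout shifts.

```c
/* Added example, not enigma32's code: a "shape" scan that scores each aligned
 * offset of a memory region against constraints the sought structure should
 * satisfy, and returns the best match. No decryption is involved.
 * ASSUMPTIONS: the MapChunk layout, the plausibility ranges and the region
 * contents are constructed for illustration. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    uint64_t self_ptr; /* expected to point somewhere inside the scanned region */
    float    x, y;     /* world coordinates, assumed within [-4096, 4096] */
    uint32_t count;    /* element count, assumed within [1, 4096] */
    uint32_t pad;      /* padding, assumed zero */
} MapChunk;            /* 24 bytes, 8-byte aligned */

#define REGION_SIZE 4096
#define REGION_BASE 0x10000000ULL /* pretend address of g_region in the target */
unsigned char g_region[REGION_SIZE];

static int in_region(uint64_t p) { return p >= REGION_BASE && p < REGION_BASE + REGION_SIZE; }
static int plausible_coord(float v) { return v >= -4096.0f && v <= 4096.0f; } /* NaN fails both */

/* Score 0..8 for how MapChunk-like the bytes at 'off' are. Weights favour the
 * constraints that random bytes are least likely to satisfy by accident. */
int score_candidate(const unsigned char *region, size_t off) {
    MapChunk c;
    memcpy(&c, region + off, sizeof c);
    int score = 0;
    if (in_region(c.self_ptr))           score += 3;
    if (plausible_coord(c.x))            score += 1;
    if (plausible_coord(c.y))            score += 1;
    if (c.count >= 1 && c.count <= 4096) score += 2;
    if (c.pad == 0)                      score += 1;
    return score;
}

/* Walk the region at 8-byte alignment; return the best-scoring offset, or -1
 * if nothing reaches min_score. best_score_out (may be NULL) gets the top score. */
long shape_scan(const unsigned char *region, size_t len, int min_score, int *best_score_out) {
    long best_off = -1;
    int best_score = -1;
    for (size_t off = 0; off + sizeof(MapChunk) <= len; off += 8) {
        int s = score_candidate(region, off);
        if (s > best_score) { best_score = s; best_off = (long)off; }
    }
    if (best_score_out) *best_score_out = best_score;
    return best_score >= min_score ? best_off : -1;
}

/* Constructed region: pseudo-random noise, a decoy whose pointer field is
 * garbage (scores 5), and the real record at offset 2048 (scores 8). */
void build_sample_region(void) {
    srand(7);
    for (size_t i = 0; i < REGION_SIZE; i++) g_region[i] = (unsigned char)rand();
    MapChunk decoy = { 0xDEADBEEFCAFEULL, 12.5f, -3.0f, 77u, 0u };
    memcpy(g_region + 512, &decoy, sizeof decoy);
    MapChunk real = { REGION_BASE + 2048, 1500.25f, -820.0f, 333u, 0u };
    memcpy(g_region + 2048, &real, sizeof real);
}

int main(void) {
    build_sample_region();
    int score = 0;
    long off = shape_scan(g_region, REGION_SIZE, 6, &score);
    printf("best candidate at offset %ld (score %d)\n", off, score);
    return 0;
}
```

The threshold matters as much as the scoring: with min_score set just above what noise and near-miss records can reach, the scan returns -1 rather than a confident wrong answer when the real structure is absent or its layout has changed.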
#158 Razzko (Active Member)
    Originally Posted by Gator T:
    I don't know anything about coding or encryption really, but I'm really confused and hoping someone can help explain something to me. Enigma was already able to decrypt whatever protection Blizzard put into the minimap. Realistically, that minimap information is by far the biggest advantage any overlay can provide. Why would they bother encrypting other information to prevent that information from being read?

    I mean, do they really care about an overlay telling me how many crafting materials I have on my inventory tab? Do they really care about letting me see my total health/resource without scrolling my mouse over the orb? Do they really care about me seeing what level augment is on my gear without scrolling over it? If the map information can be so easily decrypted, why bother encrypting other information that really is just more quality of life than an actual advantage?
    Because they just have an 'anti cheat technology' that they are implementing for all their games (see Overwatch and World of Warcraft, others will probably follow too). There's no reason for them to be selective about it, they're enabling it for entire games.

    Or, in other words, they'd have "to bother" to make it selective (i.e. only for the map in D3, for example), rather than just put a whole game onto that new tech. They'd have to do something very "out of their way" to NOT break THud.

    They didn't sit there and decide "yeah, we should totally encrypt stats". It was more like, "yeah, let's enable the anticheat in d3", and that hits everything at once.
    Last edited by Razzko; 03-13-2018 at 05:40 PM.

#159 Megouski (Member)
    Do you believe ROS-Bot is currently decrypting? I'd like to hear what your thoughts on it are. Do you believe they realistically have a beta running, with what you know the limitations are?

#160 odaru7788 (Member)
    rosbot says: Still running some beta rounds to finalize a release. It's getting closer

#161 xblade2k7 (Active Member)
    Now, using RosBot, you are banned, 100% guaranted. They show and prove nothing, no memory patch for checks, etc. All false and unsafe; RosBot is history.

#162 R3peat (Site Donator)
    Originally Posted by enigma32:
    Wrong. I'm not decrypting anything. The only reason I'm able to find things is because I know what they're supposed to look like in memory, the "shape" of it, and I know how to find (almost) all allocated chunks of memory. So I go through these and find the best match, and hope that it works. It doesn't always, and honestly I think this method will be broken in a few patches.

    If this was a new game, I would not attempt to reverse engineer it. Blizzard won. I believe this is a tech demo, rather than trying to target a specific hack or bot. As a tech demo, it is a success!

    However, if they were targeting a specific hack, well, then hacks are hacks. An overlay hack is not very different from a bot. They use the same information, but one has a pathing algorithm and mouse/keyboard interaction added. More information = more optimized, but the core is the same.
    Makes sense. Amen

#163 Megouski (Member)
    Originally Posted by xblade2k7:
    Now, using RosBot, you are banned, 100% guaranted. They show and prove nothing, no memory patch for checks, etc. All false and unsafe; RosBot is history.
    No one is using ROSBot except those in closed beta. None of that team has been banned. Please try not to spew bullshit based on self-admitted zero information, sit down, and shut the fuck up. You're not helping the scene. Thanks.

    PS: It's spelled guaranteed.

#164 Ramon125 (Member)
    Do you truly think that blizz will ban ROS beta testers?? lol

    I believe that blizz has prepared some hooks/traps to catch bot users in a more reliable way.

    The RoSbot dev knows about it, but they are still trying to figure out how to bypass them.

#165 kanilol (Member)
    God I hope Rosbot is never back, this is one of the best seasons ever.
