Banned? Wipe those tears. Let's discuss security

  1. #1
    seldane (Member)

    Banned? Wipe those tears. Let's discuss security

    Remember what your mom told you, there's no use crying over spilled milk. What can we learn from the ban?

    There were a lot of security issues raised throughout the thread, and it was implied that a program running in Robot-JS was untouchable. Clearly it's not. We need to figure out why.

    Let's ask the important questions:
    1) How did Blizzard detect the hack? Did they use signature scanning to detect the code? Did they actually block
    2) Is Robot-JS itself still safe?
    3) Was mouse button entry from Robot-JS detected? or keyboard entry?

    To answer this question, it would be helpful to talk about exactly who was banned.
    - Was every person banned who used the code from Riceking's thread Page 1?
    - Was every person banned who used alternative versions of the code?
    - There was an initial version Riceking had out which all of a sudden stopped working, and Riceking updated the code to rebind the primary fire key to "N"? That's because Overwatch made a change to the way they detected input into the game. Was anyone banned who ONLY used the newer version?

    Please discuss

  2. #2
    comic-1337 (Banned)
    1) They can't use signature scanning unless you are telling me that Blizzard is scanning your PC for files then signature to detect is possible but then again it's stupid because if people just change the algorithm, they can't detect it anymore.
    2) Not sure
    3) Does it matter? Shouldn't it be "Virtual input detected? Should we program our own driver to simulate those inputs?"

    I might be wrong but I am guessing
    - they are looking at virtual inputs sent (but once again there have been complaints that players couldn't use controllers because virtual inputs were blocked?)
    - they are looking at your mouse movement to detect snapping (I am not sure if riceking's one has snapping)
    - they have research on how a normal mouse movement will be like and they can detect if it's abnormal movement, e.g. if normal mouse can only move x pixels per direction/acceleration but you are moving more than that x pixels.
    Last edited by comic-1337; 07-31-2016 at 10:19 AM.

  3. #3
    Bombawomba (Member)
    Talked to some coder and let me quote him ... : "It looks like they monitor virtual inputs so I'd have to write something to interface with a legitimate application and then actually getting the aimbot to work would be a bitch with all these colors."

    "If I can verify that I can get direct frames from the GPU then I don't really need to use it until production. I could just test the algorithm off YouTube videos."
    "If I can get the frame buffer data from the hardware I know I can do it" ... "if they detect virtual inputs I'd have to write my own kernel :/"

    That's what he told me after he was taking some quick looks at the Anti Cheat.

  4. #4
    Sychotix (Moderator)
    Originally Posted by Bombawomba
    Talked to some coder and let me quote him ... : "It looks like they monitor virtual inputs so I'd have to write something to interface with a legitimate application and then actually getting the aimbot to work would be a bitch with all these colors."

    "If I can verify that I can get direct frames from the GPU then I don't really need to use it until production. I could just test the algorithm off YouTube videos."
    "If I can get the frame buffer data from the hardware I know I can do it" ... "if they detect virtual inputs I'd have to write my own kernel :/"

    That's what he told me after he was taking some quick looks at the Anti Cheat.
    One does not simply "take a quick look at the anti cheat."

    Also, we already know a driver is the best solution. I pointed out a while back that virtual inputs could be detected and that it was a security flaw. Mouse movements being so direct is also another issue that should probably be solved... which could possibly be handled in the driver as well.

  6. #5
    Bombawomba (Member)
    Originally Posted by Sychotix
    One does not simply "take a quick look at the anti cheat."

    Also, we already know a driver is the best solution. I pointed out a while back that virtual inputs could be detected and that it was a security flaw. Mouse movements being so direct is also another issue that should probably be solved... which could possibly be handled in the driver as well.
    Chose the wrong words. He guessed.

  7. #6
    seldane (Member)
    Originally Posted by comic-1337
    1) They can't use signature scanning unless you are telling me that Blizzard is scanning your PC for files then signature to detect is possible but then again it's stupid because if people just change the algorithm, they can't detect it anymore.
    2) Not sure
    3) Does it matter? Shouldn't it be "Virtual input detected? Should we program our own driver to simulate those inputs?"

    I might be wrong but I am guessing
    - they are looking at virtual inputs sent (but once again there have been complaints that players couldn't use controllers because virtual inputs were blocked?)
    - they are looking at your mouse movement to detect snapping (I am not sure if riceking's one has snapping)
    - they have research on how a normal mouse movement will be like and they can detect if it's abnormal movement, e.g. if normal mouse can only move x pixels per direction/acceleration but you are moving more than that x pixels.
    Signature scanning can be done on physical memory. This is a screencap from another hacking website, just google the words to read the full post if interested in learning more about sig scanning and Valve Anti-Cheat. Warden's methods are unknown, but it is well within their EULA/TOS to do something similar. Imgur: The most awesome images on the Internet

  8. #7
    comic-1337 (Banned)
    You can just buy a cheap Arduino and simulate those inputs, that's what I did

  9. #8
    seldane (Member)
    Originally Posted by Sychotix
    One does not simply "take a quick look at the anti cheat."

    Also, we already know a driver is the best solution. I pointed out a while back that virtual inputs could be detected and that it was a security flaw. Mouse movements being so direct is also another issue that should probably be solved... which could possibly be handled in the driver as well.
    By direct movement, do you mean the mouse moving in straight lines? Unfortunately Aimbots moving the mouse in straight lines is definitely a ubiquitous issue among aimbots in general, and certainly is a way to get caught individually. My strong suspicion is that any current bans Blizzard is handing out right now are automated based on detection of irregular behavior, such as virtual input or a combination of Robot JS process in memory AND virtual input.

  10. #9
    comic-1337 (Banned)
    Originally Posted by seldane
    Signature scanning can be done on physical memory. This is a screencap from another hacking website, just google the words to read the full post if interested in learning more about sig scanning and Valve Anti-Cheat. Warden's methods are unknown, but it is well within their EULA/TOS to do something similar. Imgur: The most awesome images on the Internet
    It can be done? I thought the memory will be very dynamic

  11. #10
    Sychotix (Moderator)
    Originally Posted by seldane
    By direct movement, do you mean the mouse moving in straight lines? Unfortunately Aimbots moving the mouse in straight lines is definitely a ubiquitous issue among aimbots in general, and certainly is a way to get caught individually. My strong suspicion is that any current bans Blizzard is handing out right now are automated based on detection of irregular behavior, such as virtual input or a combination of Robot JS process in memory AND virtual input.
    I more-so meant that movement typically goes from (100, 100) directly to (500, 500) with little to no points in between.

    Also, interesting about the pattern scanning in memory.

  12. #11
    seldane (Member)
    Originally Posted by Sychotix
    I more-so meant that movement typically goes from (100, 100) directly to (500, 500) with little to no points in between.

    Also, interesting about the pattern scanning in memory.
    oh yeah you're absolutely right. I'm certain that "pixel skipping/jumping" could easily be automatically detected on Blizzard's end. Not to mention anyone who watches their death cams.
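
Added example, not part of any post in this thread: a defender-side check for the automated detection posts #10 and #11 describe, where a cursor trace goes from (100, 100) to (500, 500) with no points in between. The `{t, x, y}` trace format, the function names and every threshold are assumptions, and both sample traces are constructed.

```javascript
// Added example: defender-side check for cursor "jumps" in input telemetry.
// Trace format {t: ms, x: px, y: px} and all thresholds are assumptions.
const DEFAULTS = {
  maxStepPx: 150, // assumed largest plausible move between two samples
  maxDtMs: 20,    // only judge samples that are close together in time
  minJumps: 2,    // tolerate one isolated jump to limit false positives
};

// Return every segment that covers more than maxStepPx within maxDtMs.
function findJumps(trace, opts = {}) {
  const { maxStepPx, maxDtMs } = { ...DEFAULTS, ...opts };
  const jumps = [];
  for (let i = 1; i < trace.length; i++) {
    const a = trace[i - 1];
    const b = trace[i];
    const dt = b.t - a.t;
    if (dt <= 0) continue; // duplicate or out-of-order sample, skip
    const dist = Math.hypot(b.x - a.x, b.y - a.y);
    if (dist > maxStepPx && dt <= maxDtMs) {
      jumps.push({ index: i, dist: Math.round(dist), dt });
    }
  }
  return jumps;
}

// Summarise one trace; "flagged" means it should go to review, not a verdict.
function scoreTrace(trace, opts = {}) {
  const { minJumps } = { ...DEFAULTS, ...opts };
  const jumps = findJumps(trace, opts);
  return { samples: trace.length, jumps, flagged: jumps.length >= minJumps };
}

// Constructed trace: (100,100) to (500,500) in 40 small steps, 8 ms apart.
const handTrace = Array.from({ length: 41 }, (_, i) => ({
  t: i * 8, x: 100 + i * 10, y: 100 + i * 10,
}));

// Constructed trace: the same distance covered in a single sample, twice.
const snapTrace = [
  { t: 0, x: 100, y: 100 },
  { t: 8, x: 500, y: 500 },   // 566 px in 8 ms
  { t: 16, x: 500, y: 500 },
  { t: 400, x: 120, y: 300 }, // far away but 384 ms later: not a jump
  { t: 408, x: 640, y: 310 }, // 520 px in 8 ms
];

console.log(scoreTrace(handTrace).flagged, scoreTrace(snapTrace));
```

A flagged trace is a candidate for review alongside other signals; a single heuristic like this one also fires on legitimate cursor warps, which is why one isolated jump is tolerated.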

  13. #12
    comic-1337 (Banned)
    You can always use a simple limiting method,
    if (MouseMovePIX > x)
        MouseMovePIX = x;
    Do the same for negative values.
    Where x is the safe value for moving, I am not sure if Blizzard actually logged down legit player's mouse move to analyse how should legit mouse movement be like, e.g. how many pixels per move per acceleration.
    Or you can create your own transfer function. I used to do robotics programming a lot and used these methods to limit jerking movements.
    There's a cheap simple way to bypass the virtual input but it comes with money. Just get an Arduino, pretty small and you can get it anywhere here in Toronto. You can interface it with anything, C++, Java etc.

    I bought a cheap one to write for a game that blocked virtual inputs

    And yeah, memory checking? I'm thinking CRC bypass can bypass that :/
    Last edited by comic-1337; 07-31-2016 at 06:13 PM.

  14. #13
    seldane (Member)
    Originally Posted by comic-1337
    You can always use a simple limiting method,
    if (MouseMovePIX > x)
        MouseMovePIX = x;
    Do the same for negative values.
    Where x is the safe value for moving, I am not sure if Blizzard actually logged down legit player's mouse move to analyse how should legit mouse movement be like, e.g. how many pixels per move per acceleration.
    Or you can create your own transfer function. I used to do robotics programming a lot and used these methods to limit jerking movements.
    There's a cheap simple way to bypass the virtual input but it comes with money. Just get an Arduino, pretty small and you can get it anywhere here in Toronto. You can interface it with anything, C++, Java etc.

    I bought a cheap one to write for a game that blocked virtual inputs

    And yeah, memory checking? I'm thinking CRC bypass can bypass that :/
    That is very interesting about the Arduino! I googled it and that's definitely a unique solution to the virtual input problem.

    In regards to memory checking bypass, take a look at these programs. I'm not sure how Warden interacts with them
    1) Enigma
    2) VMProtect
    3) Themida

  15. #14
    browneye (Member)
    Warden isn't used with Overwatch. Read the first post here: https://www.thebuddyforum.com/watcho...er-tyrant.html

  17. #15
    spoofjack (Active Member)
    Originally Posted by seldane
    That is very interesting about the Arduino! I googled it and that's definitely a unique solution to the virtual input problem.

    In regards to memory checking bypass, take a look at these programs. I'm not sure how Warden interacts with them
    1) Enigma
    2) VMProtect
    3) Themida
    What is Enigma? I have heard of it but am having trouble finding this program you speak of.

    Found it
    enigmaprotector
    Last edited by spoofjack; 08-01-2016 at 09:47 AM.
