[Release] -AIO Bot- for the US *lvl 1-80 FULL questing*

[feymon]

Why did my account get ownd?!!

[Demonshade]

AIO. id like to talk to you. Is there any way u can pm me and clear room in your inbox for a reply from me? Or just pm me your msn or something.

[AIO Bot]

Why did my account get ownd?!!

I see you just came into the chat. They should help you out with that

[AIO Bot]

AIO. id like to talk to you. Is there any way u can pm me and clear room in your inbox for a reply from me? Or just pm me your msn or something.

or i can clear room, just PM me quickly

[MooChan]

AIO. id like to talk to you. Is there any way u can pm me and clear room in your inbox for a reply from me? Or just pm me your msn or something.

Review when you get a chance pl0x?

[kallell]

We have a temp fix for chat set up right now. You can visit this link to chat with us ---> http://probotters.com/forum/ezirc.php

[Chudz]

Hey would love a trial, willing to pay monthly if this works. What is your IRC channel?

[kynox]

If this bot is as clean as you say it is.. no injection, etc.. then why is it that you're hooking LoadLibraryA, GetCursorPos and SetPhysicalCursorPos?

[Cypher]

As Kynox has said, this bot injects a DLL and hooks 3 APIs.

What's most hilarious though is that their hooks are implemented with simple inline jump hooks. Warden can follow and hash these hooks in its current form. Meaning that the bot can be banned by Warden without even an update, all they need to do is push new scan parameters.

Plus, they don't hook any of the memory querying APIs, which means that not only are their hooks detectable by Warden in its current form, their module is too.

Don't trust these guys, they're lying to you, and don't deserve your money. I mean, really, they were stupid enough to think we wouldn't notice that they're injecting a DLL and hooking shit. They must think we're as ****ing dumb as they are.

(Sorry Kynox, I ninja edited my post before I saw your reply)

Proof of their module being injected:


Proof of their hooks:

Code:

Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.

*** wait with pending attach
Symbol search path is: srv*
Executable search path is: 
ModLoad: 00400000 011cd000   C:\Users\Public\Games\World of Warcraft\WoW.exe
ModLoad: 77280000 77400000   C:\Windows\SysWOW64\ntdll.dll
ModLoad: 76d80000 76e80000   C:\Windows\syswow64\kernel32.dll
ModLoad: 75690000 756d6000   C:\Windows\syswow64\KERNELBASE.dll
ModLoad: 6b790000 6b858000   C:\Windows\system32\OPENGL32.dll
ModLoad: 75130000 751dc000   C:\Windows\syswow64\msvcrt.dll
ModLoad: 74f90000 75030000   C:\Windows\syswow64\ADVAPI32.dll
ModLoad: 769d0000 769e9000   C:\Windows\SysWOW64\sechost.dll
ModLoad: 76b90000 76c80000   C:\Windows\syswow64\RPCRT4.dll
ModLoad: 74df0000 74e50000   C:\Windows\syswow64\SspiCli.dll
ModLoad: 74de0000 74dec000   C:\Windows\syswow64\CRYPTBASE.dll
ModLoad: 75cd0000 75d60000   C:\Windows\syswow64\GDI32.dll
ModLoad: 754c0000 755c0000   C:\Windows\syswow64\USER32.dll
ModLoad: 75bd0000 75bda000   C:\Windows\syswow64\LPK.dll
ModLoad: 75b30000 75bcd000   C:\Windows\syswow64\USP10.dll
ModLoad: 6cfb0000 6cfd2000   C:\Windows\system32\GLU32.dll
ModLoad: 73830000 73917000   C:\Windows\system32\DDRAW.dll
ModLoad: 74150000 74156000   C:\Windows\system32\DCIMAN32.dll
ModLoad: 769f0000 76b8d000   C:\Windows\syswow64\SETUPAPI.dll
ModLoad: 75400000 75427000   C:\Windows\syswow64\CFGMGR32.dll
ModLoad: 75430000 754bf000   C:\Windows\syswow64\OLEAUT32.dll
ModLoad: 751e0000 7533c000   C:\Windows\syswow64\ole32.dll
ModLoad: 75d60000 75d72000   C:\Windows\syswow64\DEVOBJ.dll
ModLoad: 71d60000 71d73000   C:\Windows\system32\dwmapi.dll
ModLoad: 725d0000 725d9000   C:\Windows\system32\VERSION.dll
ModLoad: 75c70000 75cd0000   C:\Windows\syswow64\IMM32.dll
ModLoad: 755c0000 7568c000   C:\Windows\syswow64\MSCTF.dll
ModLoad: 76c80000 76d74000   C:\Windows\syswow64\WININET.dll
ModLoad: 750c0000 75117000   C:\Windows\syswow64\SHLWAPI.dll
ModLoad: 75120000 75123000   C:\Windows\syswow64\Normaliz.dll
ModLoad: 74e50000 74f85000   C:\Windows\syswow64\urlmon.dll
ModLoad: 75a10000 75b2c000   C:\Windows\syswow64\CRYPT32.dll
ModLoad: 77250000 7725c000   C:\Windows\syswow64\MSASN1.dll
ModLoad: 756e0000 758d9000   C:\Windows\syswow64\iertutil.dll
ModLoad: 75940000 75975000   C:\Windows\syswow64\WS2_32.dll
ModLoad: 75980000 75986000   C:\Windows\syswow64\NSI.dll
ModLoad: 6d100000 6d130000   C:\Windows\system32\DINPUT8.dll
ModLoad: 75d80000 769c9000   C:\Windows\syswow64\SHELL32.dll
ModLoad: 10000000 10069000   C:\Users\Public\Games\World of Warcraft\DivxDecoder.dll
ModLoad: 72ed0000 72f02000   C:\Windows\system32\WINMM.dll
ModLoad: 74900000 74914000   C:\Windows\system32\MSACM32.dll
ModLoad: 73c90000 73c99000   C:\Windows\system32\HID.DLL
ModLoad: 720b0000 720fb000   C:\Windows\system32\apphelp.dll
ModLoad: 6d080000 6d0fb000   C:\Windows\AppPatch\AcSpecfc.DLL
ModLoad: 75030000 750b4000   C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7600.16385_none_ebf82fc36c758ad5\COMCTL32.dll
ModLoad: 73c00000 73c79000   C:\Windows\system32\mscms.dll
ModLoad: 72f10000 72f27000   C:\Windows\system32\USERENV.dll
ModLoad: 74b10000 74b1b000   C:\Windows\system32\profapi.dll
ModLoad: 72410000 72422000   C:\Windows\system32\MPR.dll
ModLoad: 75990000 75a0b000   C:\Windows\syswow64\COMDLG32.dll
ModLoad: 59f60000 5a1a0000   C:\Windows\system32\msi.dll
ModLoad: 72020000 720ac000   C:\Windows\AppPatch\AcLayers.DLL
ModLoad: 72530000 72581000   C:\Windows\system32\WINSPOOL.DRV
ModLoad: 72d90000 72db1000   C:\Windows\system32\ntmarta.dll
ModLoad: 758f0000 75935000   C:\Windows\syswow64\WLDAP32.dll
ModLoad: 71fa0000 72020000   C:\Windows\system32\uxtheme.dll
ModLoad: 655f0000 657b3000   C:\Windows\system32\d3d9.dll
ModLoad: 73be0000 73be6000   C:\Windows\system32\d3d8thk.dll
ModLoad: 6f0d0000 6f9c5000   C:\Windows\system32\nvd3dum.dll
ModLoad: 002f0000 002fc000   C:\Program Files (x86)\Ad Muncher\AM31318.dll
ModLoad: 041f0000 0432b000   C:\Windows\system32\nvapi.dll
ModLoad: 01260000 01288000   C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvStereoApiI.dll
ModLoad: 03100000 03153000   C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPI.dll
ModLoad: 75340000 7536d000   C:\Windows\syswow64\WINTRUST.dll
ModLoad: 74840000 74865000   C:\Windows\system32\powrprof.dll
ModLoad: 75be0000 75c63000   C:\Windows\syswow64\CLBCatQ.DLL
ModLoad: 74b80000 74bb9000   C:\Windows\System32\MMDevApi.dll
ModLoad: 74990000 74a85000   C:\Windows\System32\PROPSYS.dll
ModLoad: 74930000 74966000   C:\Windows\system32\AUDIOSES.DLL
ModLoad: 74b50000 74b80000   C:\Windows\system32\wdmaud.drv
ModLoad: 74980000 74984000   C:\Windows\system32\ksuser.dll
ModLoad: 74970000 74977000   C:\Windows\system32\AVRT.dll
ModLoad: 74920000 74928000   C:\Windows\system32\msacm32.drv
ModLoad: 748f0000 748f7000   C:\Windows\system32\midimap.dll
ModLoad: 71e00000 71f9e000   C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc\comctl32.dll
ModLoad: 724a0000 724e4000   C:\Windows\system32\dnsapi.DLL
ModLoad: 72500000 7251c000   C:\Windows\system32\iphlpapi.DLL
ModLoad: 724f0000 724f7000   C:\Windows\system32\WINNSI.DLL
ModLoad: 73d70000 73d95000   C:\Windows\system32\peerdist.dll
ModLoad: 72cf0000 72d0b000   C:\Windows\system32\AUTHZ.dll
ModLoad: 0e780000 0e7c2000   C:\Windows\system32\nvLsp.dll
ModLoad: 758e0000 758e5000   C:\Windows\syswow64\PSAPI.DLL
ModLoad: 72600000 7263c000   C:\Windows\system32\mswsock.dll
ModLoad: 725e0000 725e5000   C:\Windows\System32\wshtcpip.dll
ModLoad: 74510000 74562000   C:\Windows\system32\RASAPI32.dll
ModLoad: 744f0000 74505000   C:\Windows\system32\rasman.dll
ModLoad: 744e0000 744ed000   C:\Windows\system32\rtutils.dll
ModLoad: 72790000 72796000   C:\Windows\system32\sensapi.dll
ModLoad: 71cd0000 71ce0000   C:\Windows\system32\NLAapi.dll
ModLoad: 71c50000 71c56000   C:\Windows\system32\rasadhlp.dll
ModLoad: 725f0000 725f6000   C:\Windows\System32\wship6.dll
ModLoad: 71c60000 71c84000   C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL
ModLoad: 71bf0000 71c28000   C:\Windows\System32\fwpuclnt.dll
eax=7eef8000 ebx=00000000 ecx=00000000 edx=7731f50a esi=00000000 edi=00000000
eip=7729000c esp=1592ff5c ebp=1592ff88 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
ntdll!DbgBreakPoint:
7729000c cc              int     3
0:034> .reload
Reloading current modules
................................................................
.............................
0:034> u kernel32!LoadLibraryA
kernel32!LoadLibraryA:
76d94bc6 e9552d3f9b      jmp     12187920
76d94bcb 837d0800        cmp     dword ptr [ebp+8],0
76d94bcf 53              push    ebx
76d94bd0 56              push    esi
76d94bd1 57              push    edi
76d94bd2 7417            je      kernel32!LoadLibraryA+0xae (76d94beb)
76d94bd4 68004cd976      push    offset kernel32!`string' (76d94c00)
76d94bd9 ff7508          push    dword ptr [ebp+8]
0:034> u user32!GetCursorPos
USER32!GetCursorPos:
754e0e0d e98e69ca9c      jmp     121877a0
754e0e12 6a69            push    69h
754e0e14 6a01            push    1
754e0e16 ff7508          push    dword ptr [ebp+8]
754e0e19 e8a65cffff      call    USER32!NtUserCallTwoParam (754d6ac4)
754e0e1e 5d              pop     ebp
754e0e1f c20400          ret     4
754e0e22 33c0            xor     eax,eax
0:034> u user32!SetPhysicalCursorPos
USER32!SetPhysicalCursorPos:
75519f13 e958d9c69c      jmp     12187870
75519f18 6a75            push    75h
75519f1a ff750c          push    dword ptr [ebp+0Ch]
75519f1d ff7508          push    dword ptr [ebp+8]
75519f20 e89fcbfbff      call    USER32!NtUserCallTwoParam (754d6ac4)
75519f25 5d              pop     ebp
75519f26 c20800          ret     8
75519f29 90              nop

[kynox]

In addition to what cypher said, this can be detected by two of wardens other scans. I sincerely hope the developers were joking when they said they were hiding from Warden.

*Edit*: Why do you have a gameguard bypass in a WoW hack? This whole thing seems to be some giant troll.

Code:

.text:10007920 sub_10007920    proc near               ; DATA XREF: DllMain(x,x,x)+382o
.text:10007920
.text:10007920 lpLibFileName   = dword ptr  4
.text:10007920
.text:10007920                 push    esi
.text:10007921                 mov     esi, [esp+4+lpLibFileName]
.text:10007925                 push    offset aNpggnt_des ; "npggNT.des"
.text:1000792A                 push    esi             ; char *
.text:1000792B                 call    _strstr
.text:10007930                 add     esp, 8
.text:10007933                 test    eax, eax
.text:10007935                 jz      short loc_10007946
.text:10007937                 pop     esi
.text:10007938                 mov     [esp+lpLibFileName], offset aKernel32_dll_0 ; "Kernel32.dll"
.text:10007940                 jmp     ds:GetModuleHandleA
.text:10007946 ; ---------------------------------------------------------------------------
.text:10007946
.text:10007946 loc_10007946:                           ; CODE XREF: sub_10007920+15j
.text:10007946                 push    0               ; dwFlags
.text:10007948                 push    0               ; hFile
.text:1000794A                 push    esi             ; lpLibFileName
.text:1000794B                 call    ds:LoadLibraryExA
.text:10007951                 pop     esi
.text:10007952                 retn    4
.text:10007952 sub_10007920    endp

The above returns kernel32's imagebase, instead of loading "npggNT.des" which is a GameGuard DLL.

[Cypher]

Didn't you hear? Warden is out an GG is in. You're obviously not an awesome chinese hacker so you didn't notice.

[Tierman]

Thanks. Glad I didn't waste my money on it, or even attempt to try it.

[DragonWaxter]

I heard these guys where Japanese yo...

[kynox]

Didn't you hear? Warden is out an GG is in. You're obviously not an awesome chinese hacker so you didn't notice.

Yeah. I lack the Mimic-touch (No, seriously. This is written by the same people who wrote mimic. The code is exactly the same).

[TehHuntorz]

*Grabs popcorn*