So this will ban carb and moretreats and addons like that or am I missing the point?
In lieu of Blizzard's new addon policy I did some digging into the client and noticed a file added in 3.0.x called 'Baddons.wcf'.
The client does not use the file at all on 3.0.9 or earlier. The file is located in the "World of Warcraft\WDB" folder (yes, the same one that existed in 1.x.x).
I did some digging into the 3.1 PTR client and found the following that was not present in the 3.0.9 client.
Note: I'm not on the latest PTR client yet, it's currently updating. The following function is from "WoW [Release Assertions Enabled] Build 9684 (Mar 11 2009)". Updated dump coming once the patches are installed.
Code:
.text:0069A3A0 ; =============== S U B R O U T I N E =======================================
.text:0069A3A0
.text:0069A3A0 ; Attributes: bp-based frame
.text:0069A3A0
.text:0069A3A0 sub_69A3A0      proc near               ; CODE XREF: sub_69A5D0+5j
.text:0069A3A0
.text:0069A3A0 var_120         = byte ptr -120h
.text:0069A3A0 var_1C          = dword ptr -1Ch
.text:0069A3A0 var_18          = dword ptr -18h
.text:0069A3A0 var_14          = dword ptr -14h
.text:0069A3A0 var_10          = dword ptr -10h
.text:0069A3A0 var_C           = dword ptr -0Ch
.text:0069A3A0 var_8           = dword ptr -8
.text:0069A3A0 var_4           = dword ptr -4
.text:0069A3A0
.text:0069A3A0                 push    ebp
.text:0069A3A1                 mov     ebp, esp
.text:0069A3A3                 sub     esp, 120h
.text:0069A3A9                 push    ebx
.text:0069A3AA                 push    104h
.text:0069A3AF                 push    offset off_9D6A84
.text:0069A3B4                 lea     eax, [ebp+var_120]
.text:0069A3BA                 push    eax
.text:0069A3BB                 call    sub_550D90
.text:0069A3C0                 push    104h
.text:0069A3C5                 push    offset SubBlock  ; "\\"
.text:0069A3CA                 lea     ecx, [ebp+var_120]
.text:0069A3D0                 push    ecx
.text:0069A3D1
.text:0069A3D1 loc_69A3D1:                             ; DATA XREF: .rdata:00A18870o
.text:0069A3D1                 call    sub_551020
.text:0069A3D6                 push    104h
.text:0069A3DB                 push    offset aBaddons_wcf  ; "baddons.wcf"
.text:0069A3E0                 lea     edx, [ebp+var_120]
.text:0069A3E6                 push    edx
.text:0069A3E7                 call    sub_551020
.text:0069A3EC                 push    3F3F3F3Fh
.text:0069A3F1                 push    80h
.text:0069A3F6                 push    3
.text:0069A3F8                 xor     ebx, ebx
.text:0069A3FA                 push    ebx
.text:0069A3FB                 lea     eax, [ebp+var_120]
.text:0069A401                 push    80000000h
.text:0069A406                 push    eax
.text:0069A407                 call    sub_45FE90
.text:0069A40C                 add     esp, 18h
.text:0069A40F                 cmp     eax, 0FFFFFFFFh
.text:0069A412                 mov     [ebp+var_4], eax
.text:0069A415                 jnz     short loc_69A41E
.text:0069A417                 xor     eax, eax
.text:0069A419                 pop     ebx
.text:0069A41A                 mov     esp, ebp
.text:0069A41C                 pop     ebp
.text:0069A41D                 retn
.text:0069A41E ; ---------------------------------------------------------------------------
.text:0069A41E
.text:0069A41E loc_69A41E:                             ; CODE XREF: sub_69A3A0+75j
.text:0069A41E                 lea     ecx, [ebp+var_C]
.text:0069A421                 mov     edx, ecx
.text:0069A423                 or      edx, 1
.text:0069A426                 push    esi
.text:0069A427                 mov     [ebp+var_10], ebx
.text:0069A42A                 mov     [ebp+var_C], ecx
.text:0069A42D                 mov     [ebp+var_8], edx
.text:0069A430                 push    edi
.text:0069A431
.text:0069A431 loc_69A431:                             ; CODE XREF: sub_69A3A0+154j
.text:0069A431                 push    8
.text:0069A433                 push    0FFFFFFFEh
.text:0069A435                 push    offset a_?au_banneda_0  ; ".?AU_BANNEDADDONLOADNODE@@"
.text:0069A43A                 push    34h
.text:0069A43C                 call    sub_54E530
.text:0069A441                 cmp     eax, ebx
.text:0069A443                 jz      short loc_69A49C
.text:0069A445                 mov     [eax], ebx
.text:0069A447                 mov     [eax+4], ebx
.text:0069A44A                 mov     [eax+8], ebx
.text:0069A44D                 mov     [eax+2Ch], ebx
.text:0069A450                 mov     ecx, ds:dword_9DA94C
.text:0069A456                 mov     [eax+0Ch], ecx
.text:0069A459                 mov     edx, ds:dword_9DA950
.text:0069A45F                 mov     [eax+10h], edx
.text:0069A462                 mov     ecx, ds:dword_9DA954
.text:0069A468                 mov     [eax+14h], ecx
.text:0069A46B                 mov     edx, ds:dword_9DA958
.text:0069A471                 mov     [eax+18h], edx
.text:0069A474                 mov     ecx, ds:dword_9DA94C
.text:0069A47A                 mov     [eax+1Ch], ecx
.text:0069A47D                 mov     edx, ds:dword_9DA950
.text:0069A483                 mov     [eax+20h], edx
.text:0069A486                 mov     ecx, ds:dword_9DA954
.text:0069A48C                 mov     [eax+24h], ecx
.text:0069A48F                 mov     edx, ds:dword_9DA958
.text:0069A495                 mov     [eax+28h], edx
.text:0069A498                 mov     esi, eax
.text:0069A49A                 jmp     short loc_69A4A1
.text:0069A49C ; ---------------------------------------------------------------------------
.text:0069A49C
.text:0069A49C loc_69A49C:                             ; CODE XREF: sub_69A3A0+A3j
.text:0069A49C                 xor     esi, esi
.text:0069A49E                 lea     eax, [ebp+var_C]
.text:0069A4A1
.text:0069A4A1 loc_69A4A1:                             ; CODE XREF: sub_69A3A0+FAj
.text:0069A4A1                 mov     edi, [eax]
.text:0069A4A3                 cmp     edi, ebx
.text:0069A4A5                 jz      short loc_69A4CE
.text:0069A4A7                 mov     ecx, [eax+4]
.text:0069A4AA                 test    cl, 1
.text:0069A4AD                 jnz     short loc_69A4B3
.text:0069A4AF                 cmp     ecx, ebx
.text:0069A4B1                 jnz     short loc_69A4B8
.text:0069A4B3
.text:0069A4B3 loc_69A4B3:                             ; CODE XREF: sub_69A3A0+10Dj
.text:0069A4B3                 and     ecx, 0FFFFFFFEh
.text:0069A4B6                 jmp     short loc_69A4BF
.text:0069A4B8 ; ---------------------------------------------------------------------------
.text:0069A4B8
.text:0069A4B8 loc_69A4B8:                             ; CODE XREF: sub_69A3A0+111j
.text:0069A4B8                 mov     edx, eax
.text:0069A4BA                 sub     edx, [edi+4]
.text:0069A4BD                 add     ecx, edx
.text:0069A4BF
.text:0069A4BF loc_69A4BF:                             ; CODE XREF: sub_69A3A0+116j
.text:0069A4BF                 mov     [ecx], edi
.text:0069A4C1                 mov     ecx, [eax]
.text:0069A4C3                 mov     edx, [eax+4]
.text:0069A4C6                 mov     [ecx+4], edx
.text:0069A4C9                 mov     [eax], ebx
.text:0069A4CB                 mov     [eax+4], ebx
.text:0069A4CE
.text:0069A4CE loc_69A4CE:                             ; CODE XREF: sub_69A3A0+105j
.text:0069A4CE                 mov     ecx, [ebp+var_C]
.text:0069A4D1                 mov     [eax], ecx
.text:0069A4D3                 mov     edx, [ecx+4]
.text:0069A4D6                 mov     [eax+4], edx
.text:0069A4D9                 mov     [ecx+4], esi
.text:0069A4DC                 mov     [ebp+var_C], eax
.text:0069A4DF                 lea     eax, [esi+8]
.text:0069A4E2                 mov     esi, [ebp+var_4]
.text:0069A4E5                 lea     edi, [ebp+var_18]
.text:0069A4E8                 call    sub_6999F0
.text:0069A4ED                 test    eax, eax
.text:0069A4EF                 jz      short loc_69A517
.text:0069A4F1                 cmp     [ebp+var_18], ebx
.text:0069A4F4                 ja      loc_69A431
.text:0069A4FA                 mov     ecx, esi
.text:0069A4FC                 push    ecx
.text:0069A4FD                 call    sub_45F900
.text:0069A502                 mov     eax, [ebp+var_8]
.text:0069A505                 add     esp, 4
.text:0069A508                 test    al, 1
.text:0069A50A                 jnz     short loc_69A510
.text:0069A50C                 cmp     eax, ebx
.text:0069A50E                 jnz     short loc_69A53B
.text:0069A510
.text:0069A510 loc_69A510:                             ; CODE XREF: sub_69A3A0+16Aj
.text:0069A510                 xor     eax, eax
.text:0069A512                 mov     [ebp+var_4], eax
.text:0069A515                 jmp     short loc_69A541
.text:0069A517 ; ---------------------------------------------------------------------------
.text:0069A517
.text:0069A517 loc_69A517:                             ; CODE XREF: sub_69A3A0+14Fj
.text:0069A517                 lea     ecx, [ebp+var_10]
.text:0069A51A                 call    sub_699F70
.text:0069A51F                 mov     eax, esi
.text:0069A521                 push    eax
.text:0069A522                 call    sub_45F900
.text:0069A527                 add     esp, 4
.text:0069A52A                 lea     ecx, [ebp+var_10]
.text:0069A52D                 call    sub_699B20
.text:0069A532                 pop     edi
.text:0069A533                 pop     esi
.text:0069A534                 xor     eax, eax
.text:0069A536                 pop     ebx
.text:0069A537                 mov     esp, ebp
.text:0069A539                 pop     ebp
.text:0069A53A                 retn
.text:0069A53B ; ---------------------------------------------------------------------------
.text:0069A53B
.text:0069A53B loc_69A53B:                             ; CODE XREF: sub_69A3A0+16Ej
.text:0069A53B                 mov     [ebp+var_4], eax
.text:0069A53E
.text:0069A53E loc_69A53E:                             ; CODE XREF: sub_69A3A0+1E5j
.text:0069A53E                 mov     eax, [ebp+var_4]
.text:0069A541
.text:0069A541 loc_69A541:                             ; CODE XREF: sub_69A3A0+175j
.text:0069A541                 test    al, 1
.text:0069A543                 jnz     short loc_69A587
.text:0069A545                 cmp     eax, ebx
.text:0069A547                 jz      short loc_69A587
.text:0069A549                 mov     esi, [eax+8]
.text:0069A54C                 lea     ecx, [eax+8]
.text:0069A54F                 lea     ebx, [eax+2Ch]
.text:0069A552                 lea     edi, [ebp+var_14]
.text:0069A555                 mov     [ebp+var_1C], ecx
.text:0069A558                 call    sub_69A250
.text:0069A55D                 test    eax, eax
.text:0069A55F                 jz      short loc_69A57A
.text:0069A561                 cmp     [ebp+var_14], 0
.text:0069A565                 jz      short loc_69A57A
.text:0069A567                 mov     edx, [ebp+var_1C]
.text:0069A56A                 push    edx
.text:0069A56B                 lea     ecx, [eax+18h]
.text:0069A56E                 mov     dword ptr [eax+44h], 0
.text:0069A575                 call    sub_699830
.text:0069A57A
.text:0069A57A loc_69A57A:                             ; CODE XREF: sub_69A3A0+1BFj
.text:0069A57A                                         ; sub_69A3A0+1C5j
.text:0069A57A                 mov     eax, [ebp+var_4]
.text:0069A57D                 mov     ecx, [eax+4]
.text:0069A580                 mov     [ebp+var_4], ecx
.text:0069A583                 xor     ebx, ebx
.text:0069A585                 jmp     short loc_69A53E
.text:0069A587 ; ---------------------------------------------------------------------------
.text:0069A587
.text:0069A587 loc_69A587:                             ; CODE XREF: sub_69A3A0+1A3j
.text:0069A587                                         ; sub_69A3A0+1A7j
.text:0069A587                 lea     ecx, [ebp+var_10]
.text:0069A58A                 call    sub_699F70
.text:0069A58F                 lea     ecx, [ebp+var_10]
.text:0069A592                 call    sub_464DD0
.text:0069A597                 mov     edx, [ebp+var_C]
.text:0069A59A                 cmp     edx, ebx
.text:0069A59C                 jz      short loc_69A5C1
.text:0069A59E                 mov     eax, [ebp+var_8]
.text:0069A5A1                 test    al, 1
.text:0069A5A3                 jnz     short loc_69A5A9
.text:0069A5A5                 cmp     eax, ebx
.text:0069A5A7                 jnz     short loc_69A5AE
.text:0069A5A9
.text:0069A5A9 loc_69A5A9:                             ; CODE XREF: sub_69A3A0+203j
.text:0069A5A9                 and     eax, 0FFFFFFFEh
.text:0069A5AC                 jmp     short loc_69A5B6
.text:0069A5AE ; ---------------------------------------------------------------------------
.text:0069A5AE
.text:0069A5AE loc_69A5AE:                             ; CODE XREF: sub_69A3A0+207j
.text:0069A5AE                 lea     ecx, [ebp+var_C]
.text:0069A5B1                 sub     ecx, [edx+4]
.text:0069A5B4                 add     eax, ecx
.text:0069A5B6
.text:0069A5B6 loc_69A5B6:                             ; CODE XREF: sub_69A3A0+20Cj
.text:0069A5B6                 mov     [eax], edx
.text:0069A5B8                 mov     edx, [ebp+var_8]
.text:0069A5BB                 mov     eax, [ebp+var_C]
.text:0069A5BE                 mov     [eax+4], edx
.text:0069A5C1
.text:0069A5C1 loc_69A5C1:                             ; CODE XREF: sub_69A3A0+1FCj
.text:0069A5C1                 pop     edi
.text:0069A5C2                 pop     esi
.text:0069A5C3                 mov     eax, 1
.text:0069A5C8                 pop     ebx
.text:0069A5C9                 mov     esp, ebp
.text:0069A5CB                 pop     ebp
.text:0069A5CC                 retn
.text:0069A5CC sub_69A3A0      endp
I haven't reversed the function yet (I'll start once I have some data to work with, currently baddons.wcf is just 'empty'). But what you can see at a glance pretty much confirms all suspicions ("?AU_BANNEDADDONLOADNODE@@").
Feel free to post your thoughts on this new change and any reversing you do on the new functionality. If I don't get lazy and it's not too much of a pita I intend to write a bypass-hack. Not because I use Carbonite or any of that shit, but just for lulz.
Function for latest 3.1.0 PTR patch.
Improved dump because I ran function string associate over it too:
Code:
.text:00699E30 ; =============== S U B R O U T I N E =======================================
.text:00699E30
.text:00699E30 ; <".?AU_BANNEDADDONLOADNODE@@", "baddons.wcf">
.text:00699E30 ; Attributes: bp-based frame
.text:00699E30
.text:00699E30 sub_699E30      proc near               ; CODE XREF: sub_69A060+5j
.text:00699E30
.text:00699E30 var_120         = byte ptr -120h
.text:00699E30 var_1C          = dword ptr -1Ch
.text:00699E30 var_18          = dword ptr -18h
.text:00699E30 var_14          = dword ptr -14h
.text:00699E30 var_10          = dword ptr -10h
.text:00699E30 var_C           = dword ptr -0Ch
.text:00699E30 var_8           = dword ptr -8
.text:00699E30 var_4           = dword ptr -4
.text:00699E30
.text:00699E30                 push    ebp
.text:00699E31                 mov     ebp, esp
.text:00699E33                 sub     esp, 120h
.text:00699E39                 push    ebx
.text:00699E3A                 push    104h
.text:00699E3F                 push    offset off_9EB9BC
.text:00699E44                 lea     eax, [ebp+var_120]
.text:00699E4A                 push    eax
.text:00699E4B                 call    sub_5507D0  ; <".\SStr.cpp", "((ptrdiff_t)((d)-(dest))) <= 0x7FFFFFF", "(d) >= (dest)", "source", "dest">
.text:00699E50                 push    104h
.text:00699E55                 push    offset SubBlock  ; "\\"
.text:00699E5A                 lea     ecx, [ebp+var_120]
.text:00699E60                 push    ecx
.text:00699E61                 call    sub_550A60  ; <".\SStr.cpp", "((ptrdiff_t)((d)-(dest))) <= 0x7FFFFFF", "(d) >= (dest)", "source", "dest">
.text:00699E66                 push    104h
.text:00699E6B                 push    offset aBaddons_wcf  ; "baddons.wcf"
.text:00699E70                 lea     edx, [ebp+var_120]
.text:00699E76                 push    edx
.text:00699E77                 call    sub_550A60  ; <".\SStr.cpp", "((ptrdiff_t)((d)-(dest))) <= 0x7FFFFFF", "(d) >= (dest)", "source", "dest">
.text:00699E7C                 push    3F3F3F3Fh
.text:00699E81                 push    80h
.text:00699E86                 push    3
.text:00699E88                 xor     ebx, ebx
.text:00699E8A                 push    ebx
.text:00699E8B                 lea     eax, [ebp+var_120]
.text:00699E91                 push    80000000h
.text:00699E96                 push    eax
.text:00699E97                 call    sub_45EF50  ; <".\OsFile-Core.cpp", "!"invalid create disposition"", "!"invalid desired access"", "!"invalid filename"">
.text:00699E9C                 add     esp, 18h
.text:00699E9F                 cmp     eax, 0FFFFFFFFh
.text:00699EA2                 mov     [ebp+var_4], eax
.text:00699EA5                 jnz     short loc_699EAE
.text:00699EA7                 xor     eax, eax
.text:00699EA9                 pop     ebx
.text:00699EAA                 mov     esp, ebp
.text:00699EAC                 pop     ebp
.text:00699EAD                 retn
.text:00699EAE ; ---------------------------------------------------------------------------
.text:00699EAE
.text:00699EAE loc_699EAE:                             ; CODE XREF: sub_699E30+75j
.text:00699EAE                 lea     ecx, [ebp+var_C]
.text:00699EB1                 mov     edx, ecx
.text:00699EB3                 or      edx, 1
.text:00699EB6                 push    esi
.text:00699EB7                 mov     [ebp+var_10], ebx
.text:00699EBA                 mov     [ebp+var_C], ecx
.text:00699EBD                 mov     [ebp+var_8], edx
.text:00699EC0                 push    edi
.text:00699EC1
.text:00699EC1 loc_699EC1:                             ; CODE XREF: sub_699E30+154j
.text:00699EC1                 push    8
.text:00699EC3                 push    0FFFFFFFEh
.text:00699EC5                 push    offset a_?au_banneda_0  ; ".?AU_BANNEDADDONLOADNODE@@"
.text:00699ECA                 push    34h
.text:00699ECC                 call    sub_54DF10
.text:00699ED1                 cmp     eax, ebx
.text:00699ED3                 jz      short loc_699F2C
.text:00699ED5                 mov     [eax], ebx
.text:00699ED7                 mov     [eax+4], ebx
.text:00699EDA                 mov     [eax+8], ebx
.text:00699EDD                 mov     [eax+2Ch], ebx
.text:00699EE0                 mov     ecx, ds:dword_9EF8AC
.text:00699EE6                 mov     [eax+0Ch], ecx
.text:00699EE9                 mov     edx, ds:dword_9EF8B0
.text:00699EEF                 mov     [eax+10h], edx
.text:00699EF2                 mov     ecx, ds:dword_9EF8B4
.text:00699EF8                 mov     [eax+14h], ecx
.text:00699EFB                 mov     edx, ds:dword_9EF8B8
.text:00699F01                 mov     [eax+18h], edx
.text:00699F04                 mov     ecx, ds:dword_9EF8AC
.text:00699F0A                 mov     [eax+1Ch], ecx
.text:00699F0D                 mov     edx, ds:dword_9EF8B0
.text:00699F13                 mov     [eax+20h], edx
.text:00699F16                 mov     ecx, ds:dword_9EF8B4
.text:00699F1C                 mov     [eax+24h], ecx
.text:00699F1F                 mov     edx, ds:dword_9EF8B8
.text:00699F25                 mov     [eax+28h], edx
.text:00699F28                 mov     esi, eax
.text:00699F2A                 jmp     short loc_699F31
.text:00699F2C ; ---------------------------------------------------------------------------
.text:00699F2C
.text:00699F2C loc_699F2C:                             ; CODE XREF: sub_699E30+A3j
.text:00699F2C                 xor     esi, esi
.text:00699F2E                 lea     eax, [ebp+var_C]
.text:00699F31
.text:00699F31 loc_699F31:                             ; CODE XREF: sub_699E30+FAj
.text:00699F31                 mov     edi, [eax]
.text:00699F33                 cmp     edi, ebx
.text:00699F35                 jz      short loc_699F5E
.text:00699F37                 mov     ecx, [eax+4]
.text:00699F3A                 test    cl, 1
.text:00699F3D                 jnz     short loc_699F43
.text:00699F3F                 cmp     ecx, ebx
.text:00699F41                 jnz     short loc_699F48
.text:00699F43
.text:00699F43 loc_699F43:                             ; CODE XREF: sub_699E30+10Dj
.text:00699F43                 and     ecx, 0FFFFFFFEh
.text:00699F46                 jmp     short loc_699F4F
.text:00699F48 ; ---------------------------------------------------------------------------
.text:00699F48
.text:00699F48 loc_699F48:                             ; CODE XREF: sub_699E30+111j
.text:00699F48                 mov     edx, eax
.text:00699F4A                 sub     edx, [edi+4]
.text:00699F4D                 add     ecx, edx
.text:00699F4F
.text:00699F4F loc_699F4F:                             ; CODE XREF: sub_699E30+116j
.text:00699F4F                 mov     [ecx], edi
.text:00699F51                 mov     ecx, [eax]
.text:00699F53                 mov     edx, [eax+4]
.text:00699F56                 mov     [ecx+4], edx
.text:00699F59                 mov     [eax], ebx
.text:00699F5B                 mov     [eax+4], ebx
.text:00699F5E
.text:00699F5E loc_699F5E:                             ; CODE XREF: sub_699E30+105j
.text:00699F5E                 mov     ecx, [ebp+var_C]
.text:00699F61                 mov     [eax], ecx
.text:00699F63                 mov     edx, [ecx+4]
.text:00699F66                 mov     [eax+4], edx
.text:00699F69                 mov     [ecx+4], esi
.text:00699F6C                 mov     [ebp+var_C], eax
.text:00699F6F                 lea     eax, [esi+8]
.text:00699F72                 mov     esi, [ebp+var_4]
.text:00699F75                 lea     edi, [ebp+var_18]
.text:00699F78                 call    sub_699430  ; <".\BannedAddOns.cpp", "file != HOSFILE_INVALID">
.text:00699F7D                 test    eax, eax
.text:00699F7F                 jz      short loc_699FA7
.text:00699F81                 cmp     [ebp+var_18], ebx
.text:00699F84                 ja      loc_699EC1
.text:00699F8A                 mov     ecx, esi
.text:00699F8C                 push    ecx
.text:00699F8D                 call    sub_45E9C0
.text:00699F92                 mov     eax, [ebp+var_8]
.text:00699F95                 add     esp, 4
.text:00699F98                 test    al, 1
.text:00699F9A                 jnz     short loc_699FA0
.text:00699F9C                 cmp     eax, ebx
.text:00699F9E                 jnz     short loc_699FCB
.text:00699FA0
.text:00699FA0 loc_699FA0:                             ; CODE XREF: sub_699E30+16Aj
.text:00699FA0                 xor     eax, eax
.text:00699FA2                 mov     [ebp+var_4], eax
.text:00699FA5                 jmp     short loc_699FD1
.text:00699FA7 ; ---------------------------------------------------------------------------
.text:00699FA7
.text:00699FA7 loc_699FA7:                             ; CODE XREF: sub_699E30+14Fj
.text:00699FA7                 lea     ecx, [ebp+var_10]
.text:00699FAA                 call    sub_699A00  ; <".?AU_BANNEDADDONLOADNODE@@">
.text:00699FAF                 mov     eax, esi
.text:00699FB1                 push    eax
.text:00699FB2                 call    sub_45E9C0
.text:00699FB7                 add     esp, 4
.text:00699FBA                 lea     ecx, [ebp+var_10]
.text:00699FBD                 call    sub_6995B0
.text:00699FC2                 pop     edi
.text:00699FC3                 pop     esi
.text:00699FC4                 xor     eax, eax
.text:00699FC6                 pop     ebx
.text:00699FC7                 mov     esp, ebp
.text:00699FC9                 pop     ebp
.text:00699FCA                 retn
.text:00699FCB ; ---------------------------------------------------------------------------
.text:00699FCB
.text:00699FCB loc_699FCB:                             ; CODE XREF: sub_699E30+16Ej
.text:00699FCB                 mov     [ebp+var_4], eax
.text:00699FCE
.text:00699FCE loc_699FCE:                             ; CODE XREF: sub_699E30+1E5j
.text:00699FCE                 mov     eax, [ebp+var_4]
.text:00699FD1
.text:00699FD1 loc_699FD1:                             ; CODE XREF: sub_699E30+175j
.text:00699FD1                 test    al, 1
.text:00699FD3                 jnz     short loc_69A017
.text:00699FD5                 cmp     eax, ebx
.text:00699FD7                 jz      short loc_69A017
.text:00699FD9                 mov     esi, [eax+8]
.text:00699FDC                 lea     ecx, [eax+8]
.text:00699FDF                 lea     ebx, [eax+2Ch]
.text:00699FE2                 lea     edi, [ebp+var_14]
.text:00699FE5                 mov     [ebp+var_1C], ecx
.text:00699FE8                 call    sub_699CE0
.text:00699FED                 test    eax, eax
.text:00699FEF                 jz      short loc_69A00A
.text:00699FF1                 cmp     [ebp+var_14], 0
.text:00699FF5                 jz      short loc_69A00A
.text:00699FF7                 mov     edx, [ebp+var_1C]
.text:00699FFA                 push    edx
.text:00699FFB                 lea     ecx, [eax+18h]
.text:00699FFE                 mov     dword ptr [eax+44h], 0
.text:0069A005                 call    sub_699270
.text:0069A00A
.text:0069A00A loc_69A00A:                             ; CODE XREF: sub_699E30+1BFj
.text:0069A00A                                         ; sub_699E30+1C5j
.text:0069A00A                 mov     eax, [ebp+var_4]
.text:0069A00D                 mov     ecx, [eax+4]
.text:0069A010                 mov     [ebp+var_4], ecx
.text:0069A013                 xor     ebx, ebx
.text:0069A015                 jmp     short loc_699FCE
.text:0069A017 ; ---------------------------------------------------------------------------
.text:0069A017
.text:0069A017 loc_69A017:                             ; CODE XREF: sub_699E30+1A3j
.text:0069A017                                         ; sub_699E30+1A7j
.text:0069A017                 lea     ecx, [ebp+var_10]
.text:0069A01A                 call    sub_699A00  ; <".?AU_BANNEDADDONLOADNODE@@">
.text:0069A01F                 lea     ecx, [ebp+var_10]
.text:0069A022                 call    sub_699560
.text:0069A027                 mov     edx, [ebp+var_C]
.text:0069A02A                 cmp     edx, ebx
.text:0069A02C                 jz      short loc_69A051
.text:0069A02E                 mov     eax, [ebp+var_8]
.text:0069A031                 test    al, 1
.text:0069A033                 jnz     short loc_69A039
.text:0069A035                 cmp     eax, ebx
.text:0069A037                 jnz     short loc_69A03E
.text:0069A039
.text:0069A039 loc_69A039:                             ; CODE XREF: sub_699E30+203j
.text:0069A039                 and     eax, 0FFFFFFFEh
.text:0069A03C                 jmp     short loc_69A046
.text:0069A03E ; ---------------------------------------------------------------------------
.text:0069A03E
.text:0069A03E loc_69A03E:                             ; CODE XREF: sub_699E30+207j
.text:0069A03E                 lea     ecx, [ebp+var_C]
.text:0069A041                 sub     ecx, [edx+4]
.text:0069A044                 add     eax, ecx
.text:0069A046
.text:0069A046 loc_69A046:                             ; CODE XREF: sub_699E30+20Cj
.text:0069A046                 mov     [eax], edx
.text:0069A048                 mov     edx, [ebp+var_8]
.text:0069A04B                 mov     eax, [ebp+var_C]
.text:0069A04E                 mov     [eax+4], edx
.text:0069A051
.text:0069A051 loc_69A051:                             ; CODE XREF: sub_699E30+1FCj
.text:0069A051                 pop     edi
.text:0069A052                 pop     esi
.text:0069A053                 mov     eax, 1
.text:0069A058                 pop     ebx
.text:0069A059                 mov     esp, ebp
.text:0069A05B                 pop     ebp
.text:0069A05C                 retn
.text:0069A05C sub_699E30      endp
.text:0069A05C
.text:0069A05C ; ---------------------------------------------------------------------------
More:
Code:
.rdata:009EF8BC a_Bannedaddons_ db '.\BannedAddOns.cpp',0  ; DATA XREF: sub_699430+16o
.rdata:009EF8BC                                         ; sub_6994C0+16o
.rdata:009EF8CF                 align 10h
.rdata:009EF8D0 aFileHosfile_in db 'file != HOSFILE_INVALID',0  ; DATA XREF: sub_699430+Co
.rdata:009EF8D0                                         ; sub_6994C0+Co ...
.rdata:009EF8E8 off_9EF8E8      dd offset sub_699550    ; DATA XREF: sub_699A70+Do
.rdata:009EF8E8                                         ; sub_699B10+2Co
.rdata:009EF8EC                 dd offset sub_55D620
.rdata:009EF8F0 aBaddons_wcf    db 'baddons.wcf',0      ; DATA XREF: sub_699600+Do
.rdata:009EF8F0                                         ; sub_699600+86o ...
.rdata:009EF8FC off_9EF8FC      dd offset sub_699B80    ; DATA XREF: sub_699B10+3o
.rdata:009EF8FC                                         ; sub_699C20+5o
.rdata:009EF8FC                                         ; <".?AU_BANNEDADDON@@">
.rdata:009EF900                 dd offset sub_699BB0    ; <".?AU_BANNEDADDON@@">
.rdata:009EF904                 dd offset sub_699CB0    ; <"delete">
.rdata:009EF908                 dd offset sub_699C80
Preliminary findings (rough, educated guesses):
Implemented using a linked list. (TSExplicitList, similar to their other list types, TSObjectArray, TSGrowableArray, etc etc.)
Seems to be a list of a known size, accessed via index. Possibly data received from server then cached on the client side.
Sorry though, unless they send down a file with some actual data to work with I'm not gonna attempt to forge my own from scratch or bother reversing the function purely on the code side just to get some vague info.
Last edited by Cypher; 03-21-2009 at 04:00 AM.
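As an added example (not part of the original post and not Blizzard's code), here is a simplified C model of the node setup, tail insert and list walk visible in the sub_699E30 listing above. All struct, field and function names are hypothetical, the 0xAA fill bytes are constructed placeholders, and the offsets in the comments only match on a 32-bit build.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical names; offsets in comments are those of the 32-bit listing. */
typedef struct Link {
    struct Link *prev;      /* +00h */
    uintptr_t    next;      /* +04h: next node, or (address | 1) at list end */
} Link;

typedef struct Node {
    Link     link;          /* +00h, +04h: zeroed after allocation */
    uint32_t field_8;       /* +08h: zeroed; its address goes to the file reader */
    uint8_t  block_c[16];   /* +0Ch..+1Bh: four constant dwords */
    uint8_t  block_1c[16];  /* +1Ch..+2Bh: the same four dwords again */
    uint32_t field_2c;      /* +2Ch: zeroed */
} Node;                     /* 34h bytes in the 32-bit client */

typedef struct List {
    uintptr_t field_0;      /* var_10: set to 0 */
    Link      term;         /* var_C (prev) and var_8 (next) */
} List;

static void list_init(List *l) {
    l->field_0 = 0;                             /* mov [ebp+var_10], ebx */
    l->term.prev = &l->term;                    /* mov [ebp+var_C], ecx  */
    l->term.next = (uintptr_t)&l->term | 1u;    /* or edx, 1             */
}

/* End of list: low bit set or null (test al, 1 / cmp eax, ebx). */
static int at_end(uintptr_t p) { return p == 0 || (p & 1u) != 0; }

static Node *node_new(uint32_t value) {
    Node *n = calloc(1, sizeof *n);
    if (n == NULL) return NULL;
    /* Constructed placeholder bytes: the page does not show the constants. */
    memset(n->block_c, 0xAA, sizeof n->block_c);
    memset(n->block_1c, 0xAA, sizeof n->block_1c);
    n->field_8 = value;     /* stands in for data read from the file */
    return n;
}

/* Tail insert, as at loc_699F5E. */
static void list_append(List *l, Node *n) {
    Link *tail = l->term.prev;      /* mov ecx, [ebp+var_C] */
    n->link.prev = tail;            /* mov [eax], ecx       */
    n->link.next = tail->next;      /* inherits the tagged terminator */
    tail->next = (uintptr_t)n;      /* mov [ecx+4], esi     */
    l->term.prev = &n->link;        /* mov [ebp+var_C], eax */
}

static void list_free(List *l) {
    for (uintptr_t p = l->term.next; !at_end(p); ) {
        Node *n = (Node *)p;
        p = n->link.next;
        free(n);
    }
}

/* Build nodes holding 1..count; return node `index`'s value, or 0 past the end. */
uint32_t demo_value_at(uint32_t count, uint32_t index) {
    List l;
    uint32_t i = 0, found = 0;
    list_init(&l);
    for (uint32_t v = 1; v <= count; v++) {
        Node *n = node_new(v);
        if (n != NULL) list_append(&l, n);
    }
    for (uintptr_t p = l.term.next; !at_end(p); p = ((Node *)p)->link.next, i++)
        if (i == index) { found = ((Node *)p)->field_8; break; }
    list_free(&l);
    return found;
}

int main(void) {
    printf("node 2 of 3 holds %u\n", (unsigned)demo_value_at(3, 2));
    return 0;
}
```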
It should be easy to get WoW to ignore the list anyway. (Just like the great signatures. My current version uses just a "return 1;" to replace the function.)
The only problem may be that they might check it server-side. (At least that is what I would do.) But well, that's just another function to hook / modify.
If they are stupid, they will ban by name. I hope so.
// May you upload the binary from the PTR for me, Cypher? I don't want to get that whole patch.
Sure, I'll post a link soon. Also, gotta be careful what you modify; given they've started to get more proactive in terms of cheat-detection, one of the next most obvious changes would be to CRC all read-only memory.
Currently I'm not using any code hooks and the only thing I want that I can't replicate currently is a fly hack and minimap track hack.
Anyway, as far as stuff like this goes, it's pretty much impossible to enforce. Addons are pretty much 100% clientside so there's nothing stopping you from just removing an entry from the list.
It will meet their goal though of killing off the addons, because most players aren't gonna risk using a hack just for an addon.
EDIT:
Link: http://dl.getdropbox.com/u/74751/PTR-Latest.7z
Still uploading. Refresh till it works.
Addons now have more states. Such as the "invalid version", they now also have:
"LOADABLE"
"MISSING"
"DISABLED"
"BANNED"
"CORRUPT"
"INSECURE"
"DEMAND_LOADED"
"INTERFACE_VERSION"
"INCOMPATIBLE"
"SECURE"
"INSECURE"
"BANNED"
(Yes, some are duplicate. It's not my fault. They are in arrays being accessed by functions like
Code:
char *__cdecl GetSecure_Insecure_or_Banned(int a1)
{
  return Sec_Insec_Banned[a1];
}
which are called when loading the addons and on "GetAddonInfo()" (lua).)
The information, if it's banned or secure, is returned by the function at .text:0069C020.
Conclusion: It may be enough to just hook .text:0069C020 and always return AddonStates_SECURE.
(And do this for the other list too.)
I'm pretty sure that this is one of Blizzard's "transparent" attempts to keep the masses away like they do with the scan.dll features and the MC disabler.
But I sure would love to see some more challenging efforts from Bli<<ard to try and reduce hacking to a minimum.
Nice. I wish my patterns worked on the PTR builds. I'm too lazy to do anything until the live patch hits or someone updates the addresses I'm using.
If someone less lazy updates those I'll fire up my framework and start testing some addons (including spoofed ones). I think those are the only ones I need for my LUA API. (Being able to execute LUA and get back data at any time including the login/charselect/etc screens is so useful, lol. I love blizzard, more games need LUA APIs)
Code:
// LUA
#define __LuaExecute 0x0077E460
#define __LuaGetTop 0x007ADAD0
#define __LuaRegister 0x0077D290
#define __LuaToString 0x007ADFE0
EDIT:
And oh, Schlumpf, there are duplicates because there's two arrays.
Last edited by Cypher; 03-21-2009 at 06:57 AM.
You don't work with patterns? Oo Is that against your "no hooking etc."-policy too? Oo
A bit more aggressive checks would be nice. But again useless code to do extra. And I am a lazy one.
Lua is the best that could ever happen to WoW.
And: "They are in arrays being accessed by" - I know. This is why I wrote that sentence. :P
Actually, there are no new states, the same ones are in 2.4.3 (before the baddons stuff was added in 3.0.x).
2.4.3:
Code:
.data:00B9E7B4 off_B9E7B4      dd offset aLoadable     ; DATA XREF: sub_52E520+11r
.data:00B9E7B4                                         ; sub_52E520+28r
.data:00B9E7B4                                         ; "LOADABLE"
.data:00B9E7B8                 dd offset aMissing_0    ; "MISSING"
.data:00B9E7BC                 dd offset aDisabled_0   ; "DISABLED"
.data:00B9E7C0                 dd offset aBanned       ; "BANNED"
.data:00B9E7C4                 dd offset aCorrupt      ; "CORRUPT"
.data:00B9E7C8                 dd offset aInsecure     ; "INSECURE"
.data:00B9E7CC                 dd offset aNot_demand_loa  ; "NOT_DEMAND_LOADED"
.data:00B9E7D0                 dd offset aInterface_vers  ; "INTERFACE_VERSION"
.data:00B9E7D4                 dd offset aIncompatible ; "INCOMPATIBLE"
.data:00B9E7D8 off_B9E7D8      dd offset aSecure_0     ; DATA XREF: sub_52E570+6r
.data:00B9E7D8                                         ; "SECURE"
.data:00B9E7DC                 dd offset aInsecure     ; "INSECURE"
.data:00B9E7E0                 dd offset aBanned       ; "BANNED"
3.1.0
Code:
.data:00A86464 off_A86464      dd offset aLoadable     ; DATA XREF: sub_69A3D0+11r
.data:00A86464                                         ; sub_69A3D0+28r
.data:00A86464                                         ; "LOADABLE"
.data:00A86468                 dd offset aMissing_0    ; "MISSING"
.data:00A8646C                 dd offset aDisabled     ; "DISABLED"
.data:00A86470                 dd offset aBanned       ; "BANNED"
.data:00A86474                 dd offset aCorrupt      ; "CORRUPT"
.data:00A86478                 dd offset aInsecure     ; "INSECURE"
.data:00A8647C                 dd offset aDemand_loaded  ; "DEMAND_LOADED"
.data:00A86480                 dd offset aInterface_vers  ; "INTERFACE_VERSION"
.data:00A86484                 dd offset aIncompatible ; "INCOMPATIBLE"
.data:00A86488 off_A86488      dd offset aSecure_0     ; DATA XREF: sub_69A420+6r
.data:00A86488                                         ; "SECURE"
.data:00A8648C                 dd offset aInsecure     ; "INSECURE"
.data:00A86490                 dd offset aBanned       ; "BANNED"
From memory it's the same stuff that's been there since they banned addons in classic (the cross-realm communication ones).
Ah k. Never cared for addons. Well, then it's the same fix. How are the c-r-c addons banned? Hardcoded?
Nono. I do use patterns, but it generates a header file because I need them at compile time not runtime (for pre-processing voodoo magic).
And the pattern file isn't built for PTR builds so most stuff fails. It's built only to generate reliable results on Release builds, not Release Assertions. That's why I was saying I wished they worked on the PTR build. Not because I don't use a pattern scanner (I do), but because they don't work on 'debug' builds.
Also, pattern scanners are non-invasive so no they don't violate that rule.
EDIT: Sorry for all the double posts but I'm on Minefield and it's being a whore. Gotta track down the bug and post a report.