detection of engine function calls

[mnbvc]

everybody here knows that warden currently won't ban you if you are injecting a private dll and don't hook certain functions or write to certain memory addresses

but i'm asking myself why warden doesn't detect more things

for example using the famous dostring aka framescript_execute
to scan if an injected dll has a typedef (however it looks in asm) for dostring shouldn't be really difficult, right? and there is no legal purpose to have this typedef in this dll

another one would be the ctm struct. they are already checking for memory writes at other points, why don't they check this one?

is it just blizzards duplicity, to ban some bots so that the casuals think blizz does something against bots, and on the other hand they don't want to lose all the money from the bot accounts? what do you think is the reason for what warden does or does not?

what are vac or punkbunster doing with engine calls from injected dlls? do they ban for them?

[-Ryuk-]

everybody here knows that warden currently won't ban you if you are injecting a private dll and don't hook certain functions or write to certain memory addresses

but i'm asking myself why warden doesn't detect more things

for example using the famous dostring aka framescript_execute
to scan if an injected dll has a typedef (however it looks in asm) for dostring shouldn't be really difficult, right? and there is no legal purpose to have this typedef in this dll

another one would be the ctm struct. they are already checking for memory writes at other points, why don't they check this one?

is it just blizzards duplicity, to ban some bots so that the casuals think blizz does something against bots, and on the other hand they don't want to lose all the money from the bot accounts? what do you think is the reason for what warden does or does not?

what are vac or punkbunster doing with engine calls from injected dlls? do they ban for them?

Eventually they ban all of your current methods, and people just find more. Look at LuaFoo for example, it was banned, and in a few days another one popped up. Blizzard will never stop us, they can only ban some of us in the process.

However if they ban us they expect us to buy another account. If they banned every cheater/hacker they would lose alot of members.

There are alot of things they could ban if they wanted, however there lazy/want our money.

[wraithZX]

to scan if an injected dll has a typedef (however it looks in asm) for dostring shouldn't be really difficult, right? and there is no legal purpose to have this typedef in this dll

If you find out what a typedef looks like in assembly, let me know.
I've always been curious how a pointer can look different in machine code depending on what it was defined to be.

No, really.

Perhaps looking at assembly listings of your own stuff is a good place to start?

If they were so inclined, walking the stack at runtime would be all they need to do to detect calls that were made outside of wow.exe's code segment.

[lanman92]

You could still get around this by context swapping(Get/SetThreadContext).

[mnbvc]

If you find out what a typedef looks like in assembly, let me know.
I've always been curious how a pointer can look different in machine code depending on what it was defined to be.

:confused:
ofc it's not the typedef alone, but the following function call
i mean example dostring would look something like this in asm (maybe push the variables in the opposite order, i have nearly no clue of asm :P)
push "print('lol')"
push "lol.lua"
push 0
call 0x1337

it would really be no problem scanning a dll for this :P

[flo8464]

But what about

push "print('lol')"
push "lol.lua"
push 0
call eax

? Pwnd.

[mnbvc]

well, you could certainly try to hide it, but i guess there are only really few people who are doing this
normally it looks just like this:
typedef void (__cdecl * tDoString)(const char* sCommand1, const char* sCommand2, void* pState);
tDoString oDoString = (tDoString)0x1337;

void bla()
{
oDoString("lol", "rofl", 0);
}

which results in:
sub_10001020 proc near
push ebp
mov ebp, esp
push 0
push offset aRofl ; "rofl"
push offset aLol ; "lol"
call dword_10004000
add esp, 0Ch
pop ebp
retn
sub_10001020 endp

where warden could easily scan for push/push/push/call, grab the content of the variable behind the call and if it's dostring offset = ban

[kynox]

well, you could certainly try to hide it, but i guess there are only really few people who are doing this
normally it looks just like this:
typedef void (__cdecl * tDoString)(const char* sCommand1, const char* sCommand2, void* pState);
tDoString oDoString = (tDoString)0x1337;

void bla()
{
oDoString("lol", "rofl", 0);
}

which results in:
sub_10001020 proc near
push ebp
mov ebp, esp
push 0
push offset aRofl ; "rofl"
push offset aLol ; "lol"
call dword_10004000
add esp, 0Ch
pop ebp
retn
sub_10001020 endp

where warden could easily scan for push/push/push/call, grab the content of the variable behind the call and if it's dostring offset = ban

You forget two things.

1) Warden already implements a lua scan
2) Polymorphism would deny your idea

Warden isn't something that detects cheats on a global scale, it specifically targets individual cheats (with the exception of speedhacks) and takes appropriate action.

[mnbvc]

and the purpose of the thread was: what do you guys think why warding is not scanning for this, and are other anti cheats like vac or pb doing this?

[lanman92]

Warden scans lua?

[flo8464]

and the purpose of the thread was: what do you guys think why warding is not scanning for this, and are other anti cheats like vac or pb doing this?

Because WoW is an MMO and no FPS.
There is no point in banning all the retards with crappy bots as long as they pay and they don't annoy other people too much. They pay 13€ a month, that's all Blizzard cares about.

Cheats are something different and Blizzard reacts on cheats (normally).