detection of engine function calls
  1. #1 mnbvc (Banned)

    Everybody here knows that Warden currently won't ban you if you are injecting a private DLL and don't hook certain functions or write to certain memory addresses.

    But I'm asking myself why Warden doesn't detect more things.

    For example, using the famous DoString aka FrameScript_Execute:
    to scan whether an injected DLL has a typedef (however it looks in asm) for DoString shouldn't be really difficult, right? And there is no legal purpose to have this typedef in this DLL.

    Another one would be the CTM struct. They are already checking for memory writes at other points, why don't they check this one?

    Is it just Blizzard's duplicity, to ban some bots so that the casuals think Blizz does something against bots, while on the other hand they don't want to lose all the money from the bot accounts? What do you think is the reason for what Warden does or does not do?

    What are VAC or PunkBuster doing with engine calls from injected DLLs? Do they ban for them?

  2. #2 -Ryuk-
    Originally Posted by mnbvc (post #1, quoted in full)

    Eventually they ban all of your current methods, and people just find more. Look at LuaFoo for example: it was banned, and in a few days another one popped up. Blizzard will never stop us; they can only ban some of us in the process.

    However, if they ban us they expect us to buy another account. If they banned every cheater/hacker they would lose a lot of members.

    There are a lot of things they could ban if they wanted, however they're lazy/want our money.

  3. #3 wraithZX
    Originally Posted by mnbvc:
    to scan if an injected dll has a typedef (however it looks in asm) for dostring shouldn't be really difficult, right? and there is no legal purpose to have this typedef in this dll
    If you find out what a typedef looks like in assembly, let me know.
    I've always been curious how a pointer can look different in machine code depending on what it was defined to be.

    No, really.

    Perhaps looking at assembly listings of your own stuff is a good place to start?

    If they were so inclined, walking the stack at runtime would be all they need to do to detect calls that were made outside of wow.exe's code segment.

  4. #4 lanman92
    You could still get around this by context swapping (Get/SetThreadContext).

  5. #5 mnbvc (Banned)
    Originally Posted by wraithZX:
    If you find out what a typedef looks like in assembly, let me know.
    I've always been curious how a pointer can look different in machine code depending on what it was defined to be.
    Of course it's not the typedef alone, but the following function call.
    I mean, for example DoString would look something like this in asm (maybe push the variables in the opposite order, I have nearly no clue of asm :P):

        push    0                  ; pState (cdecl: last argument is pushed first)
        push    offset aFile       ; "lol.lua"
        push    offset aScript     ; "print('lol')"
        call    01337h             ; direct call to the DoString address
        add     esp, 0Ch           ; cdecl: caller removes the three arguments

    it would really be no problem scanning a dll for this :P

  6. #6 flo8464
    But what about

        push    0                  ; pState
        push    offset aFile       ; "lol.lua"
        push    offset aScript     ; "print('lol')"
        call    eax                ; indirect call: the target lives in a register, not in the bytes
        add     esp, 0Ch

    ? Pwnd.

  7. #7 mnbvc (Banned)
    Well, you could certainly try to hide it, but I guess there are only really few people who are doing this.
    Normally it looks just like this:

        // function-pointer type matching the game's __cdecl DoString
        typedef void (__cdecl * tDoString)(const char* sCommand1, const char* sCommand2, void* pState);
        // global pointer holding the (placeholder) address of DoString
        tDoString oDoString = (tDoString)0x1337;

        void bla()
        {
            oDoString("lol", "rofl", 0);
        }

    which results in:

        sub_10001020 proc near
        push    ebp
        mov     ebp, esp
        push    0                      ; pState
        push    offset aRofl           ; "rofl"
        push    offset aLol            ; "lol"
        call    dword_10004000         ; call through the oDoString global, which holds 0x1337
        add     esp, 0Ch               ; cdecl: caller cleans up the three arguments
        pop     ebp
        retn
        sub_10001020 endp

    where Warden could easily scan for push/push/push/call, grab the content of the variable behind the call, and if it's the DoString offset = ban.

  8. #8 kynox
    Originally Posted by mnbvc (post #7, quoted in full)
    You forget two things.

    1) Warden already implements a Lua scan
    2) Polymorphism would deny your idea

    Warden isn't something that detects cheats on a global scale, it specifically targets individual cheats (with the exception of speedhacks) and takes appropriate action.
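Posts #5 to #8 argue about whether a push/push/push/call signature, plus a look at the pointer behind the call, would catch a DoString caller, and whether `call eax` or polymorphism escapes it. The Python below is an added example written for this page, not code from the thread, from Warden or from any bot: it decodes a tiny x86-32 subset over hand-constructed bytes for the two functions posted above and applies exactly the proposed check. The 0x1337 DoString address and the 0x1000xxxx DLL addresses are placeholders taken from the listing in post #7 (the string addresses are invented), and the "process memory" is a dict built inline, so nothing here touches a real client.

```python
"""Toy signature scan for the push/push/push/call [ptr] DoString pattern from the thread.

Added example, not code from the thread or from Warden. Every address below is a
placeholder taken from post #7's listing or invented here; the byte strings are
constructed by hand, so the whole thing runs offline.
"""
import struct
from typing import Dict, Iterator, List, Optional, Tuple

DOSTRING = 0x00001337    # placeholder DoString/FrameScript_Execute address (post #7)
DLL_CODE = 0x10001020    # placeholder address of the injected DLL's sub_10001020
DLL_DATA = 0x10004000    # placeholder address of the oDoString global (dword_10004000)
STR_LOL = 0x10003000     # invented addresses of the two string literals
STR_ROFL = 0x10003004


def u32(v: int) -> bytes:
    return struct.pack("<I", v & 0xFFFFFFFF)


def decode(code: bytes, base: int) -> Iterator[Tuple[int, str, Optional[int]]]:
    """Yield (address, mnemonic, operand) for the small x86-32 subset the scan needs.
    Unknown bytes are emitted as 'db' so the scan keeps going instead of failing."""
    i, n = 0, len(code)
    while i < n:
        b = code[i]
        nxt = code[i + 1] if i + 1 < n else None
        if b == 0x55:                                   # push ebp
            yield base + i, "push ebp", None
            i += 1
        elif b == 0x8B and nxt == 0xEC:                 # mov ebp, esp
            yield base + i, "mov ebp, esp", None
            i += 2
        elif b == 0x6A and i + 2 <= n:                  # push imm8
            yield base + i, "push", code[i + 1]
            i += 2
        elif b == 0x68 and i + 5 <= n:                  # push imm32
            yield base + i, "push", struct.unpack_from("<I", code, i + 1)[0]
            i += 5
        elif b == 0xB8 and i + 5 <= n:                  # mov eax, imm32
            yield base + i, "mov eax", struct.unpack_from("<I", code, i + 1)[0]
            i += 5
        elif b == 0xFF and nxt == 0x15 and i + 6 <= n:  # call dword ptr [abs32]
            yield base + i, "call [mem]", struct.unpack_from("<I", code, i + 2)[0]
            i += 6
        elif b == 0xFF and nxt == 0xD0:                 # call eax
            yield base + i, "call eax", None
            i += 2
        elif b == 0x83 and nxt == 0xC4 and i + 3 <= n:  # add esp, imm8
            yield base + i, "add esp", code[i + 2]
            i += 3
        elif b == 0x5D:                                 # pop ebp
            yield base + i, "pop ebp", None
            i += 1
        elif b == 0xC3:                                 # retn
            yield base + i, "retn", None
            i += 1
        else:
            yield base + i, "db", b
            i += 1


def read_dword(memory: Dict[int, bytes], addr: int) -> Optional[int]:
    """Read a little-endian dword from the constructed memory map (None if unmapped)."""
    for region_base, blob in memory.items():
        if region_base <= addr and addr + 4 <= region_base + len(blob):
            return struct.unpack_from("<I", blob, addr - region_base)[0]
    return None


def scan(memory: Dict[int, bytes], code_base: int, code: bytes,
         dostring: int = DOSTRING) -> List[Tuple[str, int]]:
    """Apply post #7's proposed signature: three pushes followed by an absolute
    indirect call whose pointer currently holds the DoString address.
    Register calls (post #6) are reported separately because the signature
    cannot resolve their target without executing the code."""
    findings: List[Tuple[str, int]] = []
    recent: List[str] = []
    for addr, mnem, op in decode(code, code_base):
        if mnem == "call [mem]":
            if recent[-3:] == ["push", "push", "push"] and read_dword(memory, op) == dostring:
                findings.append(("dostring-call", addr))
        elif mnem == "call eax":
            findings.append(("register-call", addr))
        recent.append(mnem)
    return findings


def build_direct() -> bytes:
    """Constructed bytes for post #7's sub_10001020 (call through the oDoString global)."""
    return b"".join([
        b"\x55\x8B\xEC",             # push ebp / mov ebp, esp
        b"\x6A\x00",                 # push 0
        b"\x68", u32(STR_ROFL),      # push offset aRofl
        b"\x68", u32(STR_LOL),       # push offset aLol
        b"\xFF\x15", u32(DLL_DATA),  # call dword ptr [dword_10004000]
        b"\x83\xC4\x0C\x5D\xC3",     # add esp, 0Ch / pop ebp / retn
    ])


def build_register() -> bytes:
    """Constructed bytes for post #6's variant: the target goes through eax."""
    return b"".join([
        b"\x55\x8B\xEC",
        b"\x6A\x00",
        b"\x68", u32(STR_ROFL),
        b"\x68", u32(STR_LOL),
        b"\xB8", u32(DOSTRING),      # mov eax, 1337h
        b"\xFF\xD0",                 # call eax
        b"\x83\xC4\x0C\x5D\xC3",
    ])


# Constructed "process memory": the DLL's .data holds oDoString = 0x1337, plus the strings.
MEMORY: Dict[int, bytes] = {DLL_DATA: u32(DOSTRING), STR_LOL: b"lol\0", STR_ROFL: b"rofl\0"}

if __name__ == "__main__":
    for name, code in (("direct call", build_direct()), ("call eax", build_register())):
        print(name, [(kind, hex(a)) for kind, a in scan(MEMORY, DLL_CODE, code)])
```

The direct variant is caught only because the scanner dereferences the pointer at scan time and finds 0x1337 in it; the `call eax` variant carries no pointer the signature can resolve, and the same bytes re-encoded any other way (kynox's polymorphism point) no longer match the push/push/push/call [mem] shape at all.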

  9. #9 mnbvc (Banned)
    And the purpose of the thread was: why do you guys think Warden is not scanning for this, and are other anti-cheats like VAC or PB doing this?

  10. #10 lanman92
    Warden scans Lua?

  11. #11 flo8464
    Originally Posted by mnbvc:
    And the purpose of the thread was: why do you guys think Warden is not scanning for this, and are other anti-cheats like VAC or PB doing this?
    Because WoW is an MMO and not an FPS.
    There is no point in banning all the retards with crappy bots as long as they pay and they don't annoy other people too much. They pay 13€ a month, that's all Blizzard cares about.

    Cheats are something different and Blizzard reacts to cheats (normally).
