Regarding the PQR ban

Results 16 to 30 of 74
  1. #16
    Xelper ★ Elder ★
    @ImogenOC: Just to avoid any confusion, no, PQR didn't have to stay up to run. It ran all of the code at once and then left the WoW process alone and unaltered. The only time it would touch WoW was when a rotation was started or stopped.

    @DarkLinux:
    My primary memory editing class:
    [C#] using System; using System.Collections.Generic; using System.Text; using Magi - Pastebin.com
    Not the prettiest code in the world, but it worked for my needs. Keep in mind this code was written 2.5+ years ago, so some of the terminology I may have used back then may not have been proper. Memory editing was a new world to me, and much of what I did back then was an amalgamation of things I learned on this forum and elsewhere. :P

    I don't know the exact address that was used in the current build (I used a pattern), so if interested:
    public static string DetourMask = "xxxxxxxxxxxxxxxx";
    public static byte[] DetourOverWritten = { 0x55, 0x8b, 0xec, 0x81, 0xec, 0x94, 0, 0, 0 };
    public static byte[] DetourPattern = { 0x55, 0x8B, 0xEC, 0x81, 0xEC, 0x94, 00, 00, 00, 0x83, 0x7D, 0x14, 00, 0x56, 0x8B, 0x75 };
    Code:
    clsMemory.Memory.DetourAddress = clsMemory.Memory.BlackMagic.FindPattern(clsMemory.DetourPattern, clsMemory.DetourMask) - (uint)clsMemory.Memory.BlackMagic.MainModule.BaseAddress;
    Just called ApplyDetour -> Lua_GetReturnValue -> RestoreDetour.
    Lua_GetReturnValue was called with the following Lua code:
    http://pastebin.com/qaPEMqeW and an array (formatted in lua) of each rotation that was defined in the outside application, in the following format.

    PQR[i].priorityTable = {}
    PQR[i].priorityTable.index = {}
    PQR[i].priorityTable.ability = {}
    PQR[i].priorityTable.spellid = {}
    PQR[i].priorityTable.target = {}
    PQR[i].priorityTable.actions = {}
    PQR[i].priorityTable.lua = {}
    PQR[i].priorityTable.recast = {}
    PQR[i].priorityTable.delay = {}
    PQR[i].priorityTable.cancelChannel = {}
    PQR[i].priorityTable.skipUnknown = {}
    PQR[i].priorityTable.requireCombat = true

    Nothing too fancy.
    Last edited by Xelper; 01-23-2014 at 01:06 PM.

  2. #17
    Thomja Almost Legendary User
    I just love the BlackMagic code you got in there

    I also wanted to say that this is one of the most interesting threads I have seen on this forum when it comes to programming. Although I may understand 0 of the code that is not Lua, I still find it enjoyable to read!
    I really don't have anything interesting to put here anymore.

  3. #18
    Jadd 🐸 Premium Seller
    Originally Posted by ImogenOC View Post
    PE Admin here.
    We have such a minimalistic change that there is no need for warden protection. Additionally, we use a patch, not an injection method. We don't sit in the program like PQR does. We're in and out, and the Lua unlocker can be closed after it is run. PQR must stay up to be run.
    A .text patch (especially when the address of memory which the patch modifies is public) is a dumb idea when you don't have Warden protection. Simple as that.

    Anyone with half of a brain could see the PE banwave coming.
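
Added example, not from any poster in this thread: the kind of integrity check that makes a patch at a known .text address easy to spot, sketched in C. It treats the nine DetourOverWritten bytes from post #16 as the unmodified function entry; the addresses, sample buffers and function names are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PROLOGUE_LEN 9

/* Known-good function entry: the nine DetourOverWritten bytes from post #16
 * (assumed here to be the unmodified prologue). */
static const uint8_t EXPECTED[PROLOGUE_LEN] =
    {0x55, 0x8B, 0xEC, 0x81, 0xEC, 0x94, 0x00, 0x00, 0x00};

/* Constructed samples: an untouched entry, and one overwritten with
 * JMP rel32 (E9) to 0x10000000 followed by NOP padding. */
static const uint8_t SAMPLE_CLEAN[PROLOGUE_LEN] =
    {0x55, 0x8B, 0xEC, 0x81, 0xEC, 0x94, 0x00, 0x00, 0x00};
static const uint8_t SAMPLE_PATCHED[PROLOGUE_LEN] =
    {0xE9, 0xFB, 0xEF, 0xBF, 0x0F, 0x90, 0x90, 0x90, 0x90};

enum verdict { CLEAN, PATCHED_JMP, PATCHED_OTHER };

struct finding {
    enum verdict verdict;
    uint32_t target;       /* decoded jump destination (PATCHED_JMP only) */
    int target_in_image;   /* 1 if the destination lies inside the module image */
};

/* Compare the live entry bytes with the known-good copy. On a mismatch that
 * starts with E9, decode the little-endian rel32 and resolve the destination
 * relative to the end of the 5-byte instruction at func_va. */
struct finding check_prologue(const uint8_t *live, uint32_t func_va,
                              uint32_t image_base, uint32_t image_size)
{
    struct finding f = { CLEAN, 0, 0 };
    if (memcmp(live, EXPECTED, PROLOGUE_LEN) == 0)
        return f;
    if (live[0] != 0xE9) {
        f.verdict = PATCHED_OTHER;
        return f;
    }
    uint32_t rel = (uint32_t)live[1] | (uint32_t)live[2] << 8 |
                   (uint32_t)live[3] << 16 | (uint32_t)live[4] << 24;
    f.verdict = PATCHED_JMP;
    f.target = func_va + 5u + rel;   /* wraps mod 2^32, as on 32-bit x86 */
    f.target_in_image = (f.target - image_base) < image_size;
    return f;
}

int main(void)
{
    /* Hypothetical layout: image at 0x00400000, 1 MiB, function at 0x00401000. */
    struct finding f = check_prologue(SAMPLE_PATCHED, 0x00401000u,
                                      0x00400000u, 0x00100000u);
    printf("verdict=%d target=0x%08X in_image=%d\n",
           f.verdict, (unsigned)f.target, f.target_in_image);
    return 0;
}
```

A jump whose destination falls outside the module image is the stronger signal, since it points at memory the original binary never mapped.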

  4. #19
    Geekingitout Member
    Originally Posted by Xelper View Post
    @ImogenOC: Just to avoid any confusion, no PQR didn't have to stay up to run. It ran all of the code at once and then left the WoW process alone and unaltered. The only time it would touch WoW was when a rotation was started or stopped.

    I beg to differ on this comment. If you closed the PQR application, the rotation was not able to be run. Therefore, it was required to be open to use it.

  5. #20
    Xelper ★ Elder ★
    I wrote code to stop any running rotations when the application closed so that someone wouldn't close out of the application and go, "Gee, I'm now attacking and I have no way to stop it." Starting and stopping the rotation was the only time the application was interacting with the WoW process. This post was created for analyzing the potential detection methods being used by Blizzard, and the point of the post you quoted was to clarify that PQR was not constantly altering anything in the WoW Process.

    You could have killed the PQR process via task manager and your rotation would have continued just fine. Feel free to login and give it a shot if you don't believe me.
    Last edited by Xelper; 01-24-2014 at 11:38 AM.

  6. #21
    Geekingitout Member
    Which is the whole reason for the hot keys to start and stop the rotation. However, if you closed the PQR application itself (yes even in task manager - I have done so) the rotation is unloaded and unable to run without the PQRotation running. I have tried this long before to see if it would work and it ... simply doesn't.

  7. #22
    Xelper ★ Elder ★
    There is a difference between killing a process (taskkill /IM:PQR.exe /F) and ending one ("End Task"). Killing a process immediately terminates it. Ending one sends it a signal to close, allowing it to close itself gracefully.

  8. #23
    lhar4679 Sergeant
    I will miss PQR :'(

  9. #24
    Senketsu Moderator
    Jadd, you seem to wanna talk to PE with smite, when they did nothing but offer a bot for free, same as PQR, with no protection on either. The creators felt it was safe enough the way they wrote them not to add it. So in that, before you start this half a brain bs maybe you should one. People make mistakes; omg it's so wrong not to be perfect. I mean we all take a chance when using bots of any kind no matter what. So in short it's the user's fault to a point, not just all the creators'. Think about these things, not just attack people and their work.

  10. #25
    Jadd 🐸 Premium Seller
    Originally Posted by scrappyballz View Post
    Jadd, you seem to wanna talk to PE with smite, when they did nothing but offer a bot for free, same as PQR, with no protection on either. The creators felt it was safe enough the way they wrote them not to add it. So in that, before you start this half a brain bs maybe you should one. People make mistakes; omg it's so wrong not to be perfect. I mean we all take a chance when using bots of any kind no matter what. So in short it's the user's fault to a point, not just all the creators'. Think about these things, not just attack people and their work.
    I think 'I told you so' is quite apt in this case, so say what you will.

  11. #26
    wowmacro Member
    Originally Posted by Xelper View Post
    There is a difference between killing a process (taskkill /IM:PQR.exe /F) and ending one ("End Task"). Killing a process immediately terminates it. Ending one sends it a signal to close, allowing it to close itself gracefully.
    @Xelper

    I am trying to get new offsets for the 5.4.7 PTR,
    but I don't know how to get the rest of the info.

    <ClntObjMgrGetActivePlayerObjAddress>0x4E3B</ClntObjMgrGetActivePlayerObjAddress>
    <LocalGUID>0xE8</LocalGUID>
    <FirstObject>0xCC</FirstObject>
    <NextObject>0x34</NextObject>
    <Descriptors>0x4</Descriptors>
    <Obj_TypeOffset>0xC</Obj_TypeOffset>
    <Obj_X>0x838</Obj_X>
    <Obj_TargetGUID>0x16</Obj_TargetGUID>
    <ClickTerrain>0</ClickTerrain>

    Could you give me some help and show me the way of finding them? PLZ

  12. #27
    Senketsu Moderator
    told me so I was not banned for PE or PQR lol so feel how you want mate.

  13. #28
    hqvrrsc4 Contributor
    My account was also caught in this banwave although I only used my own private bot which was made by myself (with EndScene hook, GetLocalizedText, Dostring and Ingame lua interface, all I learned from this forum),
    so I can confirm that the detection is not based on specific addon name/ lua code/ program name/ or addon message sent.
    I know little about hooks or asm codes. However, thanks to the section I managed to make a rotation bot better than some public ones.
    Since my rotation bot is highly private (only I myself use it), the only suspect is either the hook or the ASM in implementing GetLocalizedText or Dostring. (I simply grab the ASMs in early posts)
    I guess the ASMs injected can be hashed and reported. Since I didn't do sufficient obfuscation in the ASMs injected, is that why I got caught?
    One piece of evidence is that one of my accounts is banned even though I logged out just after the bot is loaded but not started running.
    I'm also curious about the way PQR does. Does PQR use EndScene hook? Does PQR obfuscate its ASMs?
    To find an answer, I looked into PQR with reflector after the banwave and found its GetLocalizedText ASMs are quite similar to the public implementation on the forum and seem not obfuscated.
    Is it the reason why they could detect us?

    By the way, anyone knows whether one will be instantly kicked and banned after PQR is loaded on US servers?

  14. #29
    Jadd 🐸 Premium Seller
    Originally Posted by scrappyballz View Post
    told me so I was not banned for PE or PQR lol so feel how you want mate.
    You? I've never spoken to you before. I'm talking about the PE dev - I told him directly that it was only a matter of time before this happens and he didn't believe it or simply wasn't concerned. I feel like any statements I've made about PE are quite justified.

    Originally Posted by hqvrrsc4 View Post
    My account was also caught in this banwave although I only used my own private bot which was made by myself (with EndScene hook, GetLocalizedText, Dostring and Ingame lua interface, all I learned from this forum),
    so I can confirm that the detection is not based on specific addon name/ lua code/ program name/ or addon message sent.
    I know little about hooks or asm codes. However, thanks to the section I managed to make a rotation bot better than some public ones.
    Since my rotation bot is highly private (only I myself use it), the only suspect is either the hook or the ASM in implementing GetLocalizedText or Dostring. (I simply grab the ASMs in early posts)
    I guess the ASMs injected can be hashed and reported. Since I didn't do sufficient obfuscation in the ASMs injected, is that why I got caught?
    One piece of evidence is that one of my accounts is banned even though I logged out just after the bot is loaded but not started running.
    I'm also curious about the way PQR does. Does PQR use EndScene hook? Does PQR obfuscate its ASMs?
    To find an answer, I looked into PQR with reflector after the banwave and found its GetLocalizedText ASMs are quite similar to the public implementation on the forum and seem not obfuscated.
    Is it the reason why they could detect us?

    By the way, anyone knows whether one will be instantly kicked and banned after PQR is loaded on US servers?
    They probably do some stack trace on FrameScript::ExecuteBuffer and FrameScript::GetText or whatever the "GetLocalizedText" function is called now. Either that, or they're catching anyone using copy-pasta'd assembly. (The first one is more likely IMO.)
    Last edited by Jadd; 01-25-2014 at 02:12 PM.

  15. #30
    Xelper ★ Elder ★

    Originally Posted by hqvrrsc4 View Post
    I'm also curious about the way PQR does. Does PQR use EndScene hook? Does PQR obfuscate its ASMs?
    To find an answer, I looked into PQR with reflector after the banwave and found its GetLocalizedText ASMs are quite similar to the public implementation on the forum and seem not obfuscated.
    I posted the relevant code earlier in this thread, should answer your questions. The ASM is run through a randomizer function that inserts a bunch of instructions that accomplish nothing.



    Last edited by Xelper; 01-25-2014 at 03:53 PM.
