Regarding the PQR ban

  1. #1 Torpedoes


    As a fellow developer I'm always interested in understanding the specifics of a ban. As you all know, PQR was recently detected, which resulted in the ban of a few thousand accounts. As somebody who has seen a lot of talk about PQR but never actually used it, could somebody please shed some light on how it worked and how it was detected? I found that "It uses both simple memory reading as well as a memory detour to execute Lua code"; does this mean it injected a hack to bypass Lua protection? I also found that it used an in-game addon which had a feature to notify the user about potential updates, another red flag in my book.

    In essence, was PQR fully external, or did it inject something into the game? If it was external, what would be some of the things that allowed it to become detected? If it was internal/injected I guess it was only a matter of time, but what aspect made it most detectable?

    Thanks and, as always, I'm interested in what you guys have to say regarding detectability mitigation.

  2. #2 cukiemunster
    A very good possibility is the use of PQI, which is an in-game addon that communicates with the chat window. Xelper (creator of PQR) had this to say about the matter:

    Originally Posted by Xelper
    My huge concern is that many profiles used PQI, and PQI used CHAT_MSG_ADDON as a version check...

    Code:
    -- Fires for every addon message the server relays to this client.
    -- "VC" is PQI's version-check prefix: other PQI users broadcast their
    -- version number, and any client on an older version prints a notice.
    function ADDON:CHAT_MSG_ADDON( event, prefix, message, channel, sender)
        --if sender == E.myname then return end
        if prefix == "VC" and not ADDON.recievedOutOfDateMessage then
            if ADDON.version ~= 'BETA' and tonumber(message) ~= nil and tonumber(message) > tonumber(ADDON.version) then
                ADDON:Print("Your version of "..AddOnName.." is out of date. You can download the latest version from http://pqrotation.wikia.com/wiki/PQInterface")
                ADDON.recievedOutOfDateMessage = true
            end
        end
    end
    Which means addon messages were communicated to the server, and sent to any listening clients on that addon channel. This is a HUGELY BAD IDEA, as it is essentially advertising to the WoW servers "I AM RUNNING THIS ADDON!" Blizzard logs everything they receive, and it is just a matter of them searching the logs for people advertising their version number on the channel.

    This is why I want to know if anyone was banned without ever having PQI installed.
    http://www.ownedcore.com/forums/worl...ml#post2958510 (PQR - Rotation Bot)
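To make cukiemunster's point concrete, here is an added example (not from the thread, PQI or Blizzard) of what a server-side detector could do with those relayed addon messages: it parses constructed log lines in an assumed format and flags accounts whose "VC" prefix messages carry a version-shaped payload, mirroring the `tonumber(message)` check in the addon. The log format, the account ids and the `addon_msg` field name are all assumptions.

```python
"""Server-side detection of addon version-check beacons (added example)."""
import re
from collections import defaultdict

# Assumed log format, constructed for this example (not Blizzard's):
#   <date> <time> account=<id> addon_msg prefix=<prefix> channel=<chan> msg=<text>
LOG_RE = re.compile(
    r'^(?P<ts>\S+ \S+) account=(?P<acct>\d+) addon_msg '
    r'prefix=(?P<prefix>\S+) channel=(?P<chan>\S+) msg=(?P<msg>.*)$'
)

# "VC" is the prefix quoted in the thread. The payload must look like a
# version number, because PQI only acted on tonumber(message) ~= nil.
WATCHED_PREFIXES = {"VC"}
VERSION_RE = re.compile(r'^\d+(\.\d+)*$')

# Constructed sample log: two PQI-style beacons (1001, 1004), one unrelated
# addon (1002), one non-version payload on the same prefix (1003), one junk line.
SAMPLE_LOG = """\
2014-01-22 18:04:11 account=1001 addon_msg prefix=VC channel=RAID msg=1.13
2014-01-22 18:04:11 account=1002 addon_msg prefix=DBMv4 channel=RAID msg=V 5.4.2
2014-01-22 18:04:12 account=1003 addon_msg prefix=VC channel=PARTY msg=hello
2014-01-22 18:05:40 account=1001 addon_msg prefix=VC channel=GUILD msg=1.13
2014-01-22 18:06:02 account=1004 addon_msg prefix=VC channel=RAID msg=1.12
garbage line that should be skipped
"""

def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def flag_version_beacons(log_text):
    """Return {account: set(versions)} for accounts that sent a watched prefix
    with a version-shaped payload. Non-version payloads on the same prefix
    are ignored so a coincidental prefix clash alone does not flag anyone."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["prefix"] in WATCHED_PREFIXES and VERSION_RE.match(rec["msg"]):
            hits[rec["acct"]].add(rec["msg"])
    return dict(hits)

if __name__ == "__main__":
    for acct, versions in sorted(flag_version_beacons(SAMPLE_LOG).items()):
        print(acct, sorted(versions))
```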

  3. #3 RivaLfr
    Hello,

    It is really easy for Blizzard to detect PQR: all the Lua code is written into WoW memory (and kept there) (you can use Cheat Engine and search for the text "PQR"), there is no random text, the same variable names are used all the time, so Blizzard can use a search pattern to detect PQR or just check the targeted variable (and PQR spams the spells...).

    And using a WoW addon makes detection even easier (if the addon name and code are not random).

    PS: I looked at it a long time ago; it is possible that it has changed since and improved its security.
    Last edited by RivaLfr; 01-23-2014 at 06:02 AM.

  4. #4 MaiN
    There's also a list of used addons sent to Blizzard's server when you login IIRC, so if this wasn't patched, PQI was easily detected server side. Same goes for ProbablyEngine.

  5. #5 AngelicDevil
    Well I guess I'm glad I'm not the only one.
    How come it was only my main account and not any of the other accounts under the same btag? I think the other account I keep active under that btag got a 72hr ban. I don't get why it wasn't a perma ban on all the accounts under that btag.

  6. #6 aeo
    From what I can tell there were no added or changed warden scans so this must have been detected using another means.

  7. #7 Xelper
    I haven't had much time to look into things yet, however RivaLfr is most likely correct.

    PQR was not a lua unlocker. It was essentially an addon (though not registered as one) in the way that it just called FrameScript__ExecuteBuffer with a ton of lua code (that would obviously execute as protected code, capable of calling the protected functions.) It didn't implement obfuscation/encryption of the Lua code (like HB does), so it is plausible that Blizzard added some checks to detect variables that were commonly used by PQR. If this is the case, they may be experimenting with ways of detecting lua being executed untainted, and just saw these variables as an easy testing ground.

    The function that was overwritten for executing the lua was immediately changed back to its original state after execution of the code (which took less than 2ms.) The offset isn't even being monitored, and a Warden detection of this memory change is unlikely given the extent of the banwave ... They would have had to perform a scan of that memory location at the very millisecond I was executing the Lua code.

    Another option, like I mentioned before, is that Blizzard can see which addons are running. I am not familiar enough with Blizzard's capabilities to be sure. PQI (not written by me) was also doing a version check via the CHAT_MSG_ADDON event. It is possible that might have been used, though I don't think it was. When I was doing some initial research I stumbled on that and was just like, "Why would anyone think this is a good idea?"

    Shrug... It lasted over 2.5 years (release date 7-7-2011), it had a good run.
    Last edited by Xelper; 01-23-2014 at 09:58 AM.
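RivaLfr's post (#3) and Xelper's post above make the same point: unobfuscated Lua kept in the game's memory with fixed identifiers is a static-string signature. The following added example (not from the thread, and not PQR's or Blizzard's code) scans a constructed memory image for such strings and only flags when several distinct ones co-occur; the `PQR_*` identifier names and the memory image are illustrative, not PQR's real ones.

```python
"""Static-string signature scan over a process-memory image (added example)."""
import re

# Constructed signatures: fixed identifiers an unobfuscated Lua payload would
# carry verbatim for every user. A real rule would be built from strings
# observed in the actual payload; these names are illustrative only.
SIGNATURES = [b"PQR_", b"PQR_RotationName", b"PQR_ActiveRotation"]

def build_memory_image():
    """Constructed stand-in for a dump of the game's heap: filler bytes, a
    legitimate addon fragment, and an injected unobfuscated Lua fragment."""
    legit = b"DBM_Core\0local frame = CreateFrame('Frame')\0"
    payload = (b"local PQR_RotationName = 'Boomkin'\0"
               b"PQR_ActiveRotation = true\0"
               b"function PQR_Execute() CastSpellByName(PQR_Spell) end\0")
    noise = bytes(range(256)) * 4
    return noise + legit + noise + payload + noise

def scan(image, signatures):
    """Return {signature: [offsets]} for every signature present in image."""
    hits = {}
    for sig in signatures:
        offs = [m.start() for m in re.finditer(re.escape(sig), image)]
        if offs:
            hits[sig] = offs
    return hits

def score(hits, threshold=2):
    """Return (distinct_signatures_seen, flagged). Requiring several
    independent strings keeps a single coincidental match (a user naming
    their own macro 'PQR_', say) from tripping the detection on its own."""
    distinct = len(hits)
    return distinct, distinct >= threshold

if __name__ == "__main__":
    found = scan(build_memory_image(), SIGNATURES)
    for sig, offs in found.items():
        print(sig.decode(), offs)
    print("flagged:", score(found))
```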

  8. #8 Thomja
    Originally Posted by Xelper
    I haven't had much time to look into things yet, however RivaLfr is most likely correct.

    PQR was not a lua unlocker. It was essentially an addon (though not registered as one) in the way that it just called FrameScript__ExecuteBuffer with a ton of lua code (that would obviously execute as protected code, capable of calling the protected functions.) It didn't implement obfuscation/encryption of the Lua code (like HB does), so it is plausible that Blizzard added some checks to detect variables that were commonly used by PQR. If this is the case, they may be experimenting with ways of detecting lua being executed untainted, and just saw these variables as an easy testing ground.

    The function that was overwritten for executing the lua was immediately changed back to its original state after execution of the code (which took less than 2ms.) The offset isn't even being monitored, and a Warden detection of this memory change is unlikely given the extent of the banwave ... They would have had to perform a scan of that memory location at the very millisecond I was executing the Lua code.

    Another option, like I mentioned before, is that Blizzard can see which addons are running. I am not familiar enough with Blizzard's capabilities to be sure. PQI (not written by me) was also doing a version check via the CHAT_MSG_ADDON event. It is possible that might have been used, though I don't think it was. When I was doing some initial research I stumbled on that and was just like, "Why would anyone think this is a good idea?"

    Shrug... It lasted over 2.5 years (release date 7-7-2011), it had a good run.
    Will you try to patch it?

  9. #9 Xelper
    Honestly, I haven't played WoW in a long time (over 6 months). I just login to a trial account to update offsets for my friends that do. I don't have the desire to rewrite it in a way that would be safe enough for me to consider releasing publicly. When I originally wrote it HB didn't have the rotation bot option, so PQR was my solution. I highly recommend people just rewrite their rotations in C# for HonorBuddy, it will be far safer that way.

  10. #10 Jadd
    Originally Posted by MaiN
    There's also a list of used addons sent to Blizzard's server when you login IIRC, so if this wasn't patched, PQI was easily detected server side. Same goes for ProbablyEngine.
    ProbablyEngine also wrote to .text with no warden protection whatsoever. The addresses he was writing to were also available to find, as it is also open-source. I specifically remember telling the developer that with this information Blizzard could detect PE within minutes. He didn't seem to care.

    I'm not at all surprised that these programs were detected so easily. Frankly, I would've expected it sooner.

  11. #11 Torpedoes
    Originally Posted by Xelper
    I haven't had much time to look into things yet, however RivaLfr is most likely correct.

    PQR was not a lua unlocker. It was essentially an addon (though not registered as one) in the way that it just called FrameScript__ExecuteBuffer with a ton of lua code (that would obviously execute as protected code, capable of calling the protected functions.) It didn't implement obfuscation/encryption of the Lua code (like HB does), so it is plausible that Blizzard added some checks to detect variables that were commonly used by PQR. If this is the case, they may be experimenting with ways of detecting lua being executed untainted, and just saw these variables as an easy testing ground.

    The function that was overwritten for executing the lua was immediately changed back to its original state after execution of the code (which took less than 2ms.) The offset isn't even being monitored, and a Warden detection of this memory change is unlikely given the extent of the banwave ... They would have had to perform a scan of that memory location at the very millisecond I was executing the Lua code.

    Another option, like I mentioned before, is that Blizzard can see which addons are running. I am not familiar enough with Blizzard's capabilities to be sure. PQI (not written by me) was also doing a version check via the CHAT_MSG_ADDON event. It is possible that might have been used, though I don't think it was. When I was doing some initial research I stumbled on that and was just like, "Why would anyone think this is a good idea?"
    Thank you for this explanation, it makes things a lot clearer for me. I do have a request though, for personal interest purposes. Did you log the usage of PQR and, if so, would you mind sharing some usage statistics so we can better understand the depth of the ban?

    Originally Posted by Xelper
    Honestly, I haven't played WoW in a long time (over 6 months). I just login to a trial account to update offsets for my friends that do. I don't have the desire to rewrite it in a way that would be safe enough for me to consider releasing publicly. When I originally wrote it HB didn't have the rotation bot option, so PQR was my solution. I highly recommend people just rewrite their rotations in C# for HonorBuddy, it will be far safer that way.
    Since you don't plan on releasing the source (for understandable reasons), is there a chance you could release certain aspects of it, particularly those that are innovative or interesting. I ask because I imagine you put a lot of effort into this and the community would benefit greatly from the progress you made. Any source snippets, offsets or technical literature would be appreciated by developers and researchers all around.

    Thanks again, and good luck in your future developments!

  12. #12 Konctantin
    Hi, I wrote a bot similar to PQR. The Lua core is written differently. And anyway, I was banned for 72 hours.
    I believe that calls to the function CastSpellByName are checked.
    Or they verify the contents of the loaded addons in memory and the presence of protected functions in them.

    For example the following code:

    Code:
    -- The posted fragment, wrapped in a function (the name castAbility is
    -- assumed) so it can be loaded as a unit. `ability` and `spellInfo` come
    -- from the caller; SpellStopCasting, CastSpellByName and the
    -- CameraOrSelectOrMove* calls are WoW API functions that only exist in-game.
    local function castAbility(ability, spellInfo)
        if ability.CencelCasting or ability.DropChanel then
            SpellStopCasting();
        end
        if ability.Target == "mouselocation" then
            CastSpellByName(spellInfo);
            CameraOrSelectOrMoveStart();
            CameraOrSelectOrMoveStop();
        elseif ability.Target == "none" then
            CastSpellByName(spellInfo);
        else
            CastSpellByName(spellInfo, ability.Target);
        end
    end
    PS. Sorry for my bad English.
    Last edited by Konctantin; 01-23-2014 at 11:00 AM.

  13. #13 ImogenOC (ProbablyEngine Community Manager)
    Originally Posted by Jadd
    ProbablyEngine also wrote to .text with no warden protection whatsoever. The addresses he was writing to were also available to find, as it is also open-source. I specifically remember telling the developer that with this information Blizzard could detect PE within minutes. He didn't seem to care.

    I'm not at all surprised that these programs were detected so easily. Frankly, I would've expected it sooner.
    PE Admin here.
    We have such a minimalistic change that there is no need for warden protection. Additionally, we use a patch, not an injection method. We don't sit in the program like PQR does. We're in and out, and the Lua unlocker can be closed after it is run. PQR must stay up to be run.

  14. #14 DarkLinux
    @Xelper
    So were you just creating a stub in WoW and calling ExecuteBuffer?

  15. #15 aeo
    Originally Posted by ImogenOC
    PE Admin here.
    We have such a minimalistic change that there is no need for warden protection. Additionally, we use a patch, not an injection method. We don't sit in the program like PQR does. We're in and out, and the Lua unlocker can be closed after it is run. PQR must stay up to be run.
    Was PQR not the same? It only altered WoW while it was running the Lua script. After that the codecave was removed and the detour removed until the next execution.

    Originally Posted by Konctantin
    Hi, I wrote a bot similar to PQR. The Lua core is written differently. And anyway, I was banned for 72 hours.
    I believe that calls to the function CastSpellByName are checked.
    Or they verify the contents of the loaded addons in memory and the presence of protected functions in them.

    For example the following code:

    Code:
    -- The posted fragment, wrapped in a function (the name castAbility is
    -- assumed) so it can be loaded as a unit. `ability` and `spellInfo` come
    -- from the caller; SpellStopCasting, CastSpellByName and the
    -- CameraOrSelectOrMove* calls are WoW API functions that only exist in-game.
    local function castAbility(ability, spellInfo)
        if ability.CencelCasting or ability.DropChanel then
            SpellStopCasting();
        end
        if ability.Target == "mouselocation" then
            CastSpellByName(spellInfo);
            CameraOrSelectOrMoveStart();
            CameraOrSelectOrMoveStop();
        elseif ability.Target == "none" then
            CastSpellByName(spellInfo);
        else
            CastSpellByName(spellInfo, ability.Target);
        end
    end
    PS. Sorry for my bad English.
    Also, I don't believe this is the case. Did you ever install or run PQR? I have my own application that works in a similar fashion to PQR but with a different way of dealing with the Lua. I am not banned (yet) and use CastSpellByName.
    Last edited by aeo; 01-23-2014 at 12:34 PM.
