New 32-bit Detection Method Added

[realslimshady]

Is this relevant in any way? I wasn't sure what info is safe to post so I blurred a couple of unique items, but this occured when I launched my 32-bit client for the first time after today's patch.

[reliasn]

Just adding 6.1.2.19802 offsets:

Code:

_lua_load 0xB22BF
HBDetectionPacketHandler 0x8DDC83
HBDetectionLuaLoadHook 0x9351D1

[jivk03]

I made little diagram for you, that will always work, so save it to your PC and use every time when you want ask this question

"sarcasm" no rep for your : F

[Saridormi]

"sarcasm" no rep for your : F

You asked a stupid question. Why do you expect a serious answer? (although that diagram is fairly accurate, whether you want to believe it or not)

[TheMer]

You asked a stupid question. Why do you expect a serious answer? (although that diagram is fairly accurate, whether you want to believe it or not)

Looks like the diagram wasn't accurate. /sigh

[VesperCore]

They fixed their code for this patch at that time, it's something else.

[jossa90]

You asked a stupid question. Why do you expect a serious answer? (although that diagram is fairly accurate, whether you want to believe it or not)

I'm afraid that it's not that accurate.
HB working != safe.

[Trixiap]

It is accurate, but safe doesn´t mean 100% safe, only safe as usual. Botting is always about dogging bullet and this time we were not fast enough.

[hatawong]

Possible Anti-Way Here:
----------------------------------------------------
Original Seq:
1、WoW.exe Startup
2、Account Loggined
3、Recieve HBDetectionPacket
4、Call HBDetectionPacketHandler
5、Call HBDetectionLuaLoadHook
6、_lua_load Hooked
7、Any Bot Call _lua_load outside WoW.exe, Hook _lua_load dectected
8、Report to blizz.

Anti Seq:
1、WoW.exe Startup - [Anti Step1] Hook HBDetectionPacketHandler
2、Account Loggined
3、Recieve HBDetectionPacket
4、Call HBDetectionPacketHandler - [Anti Step2] Call HBDetectionPacketHandler_Hooked, then call HBDetectionPacketHandler_Original
5、Call HBDetectionLuaLoadHook
6、_lua_load Hooked - [Anti Step3] Anter call HBDetectionPacketHandler_Original, unhook _lua_load
7、Any Bot Call _lua_load outside WoW.exe - [Anti Step4] Detection Failed
8、Report to blizz - [Anti Step5] It should never happend

Warden scan these offsets now:

address data
0x00002D4E E8 D7 CE 1B 00 E8
0x0001D7BA 59 59 85 C0 74 F0 83
0x000250FE 8B 4D 10
0x00025101 89 0D C8 F7
0x0008588D 55 8B EC 8B 0D 60 67
0x00085896 FF 75 08 8B 01 FF 50 78
0x000B77BB 55 8B EC 83 EC 48 8B 45 08
0x000B794D 55 8B EC 83 EC 64 56 8B 75 08
0x000B7F99 55 8B EC 8B 45 0C 83 78 08 06
0x000EB99F 55 8B EC A1
0x00202BF6 55 8B EC 53 56 8B F1 8B 4D
0x002884F5 75 1F 8B CB
0x0028CADE 55 8B EC 83 EC 20 53 57 FF
0x00294972 55 8B EC 56 8B F1 F7 46 40 00 00 00 40
0x00297F94 55 8B EC A1 C0
0x0029A4F3 55 8B EC 83 EC 4C 53 56 57 8B
0x0029A6A9 0F 87 3F 0C 00 00 FF 24 85
0x0029B4CB 55 8B EC 83 EC 0C 8B 45 0C 83
0x0029C18C E8 6C 14 E5 FF 8B F0
0x002A80C5 75 0B F7 46 40 00 00 10 01 75 02 5E C3
0x002E617F 8B 81 B8 0A 00 00 25 00 00 80
0x002F6C11 74 24 F3 0F
0x002F9C96 55 8B EC 83 EC 24 53 56 57 6A
0x00304A1B 75 10 68 5B 01 00 00
0x00309093 55 8B EC 83 EC 24 56 8B F1
0x00309181 85 C0 74 1F
0x00309185 8B 06 8D 4D
0x0036380F 0F 2F 44 06 08 72 05
0x003663AB A9 00 00 00 04 74 24
0x003663B0 74 24 A9 00 00 10 00
0x00381469 F7 C2 00 00 10 01 75 0C 81 66 04 FF FF EF FF
0x0038AA39 7F 27 6A 20
0x0038AA60 7E 0B 8B CF
0x003D0CCB 55 8B EC 83 EC 20 53 56 57
0x003D10C6 55 8B EC 81 EC B0 00 00 00
0x0051CCAE 74 25 F6 40 2C
0x00520B61 55 8B EC FF 75 10 FF
0x00532C94 0F 85 D5 01 00 00 8D 45 D4 50 8D 45 C4
0x0056351F 55 8B EC 83 EC 2C 53 8B 5D 08
0x00563541 F7 45 1C 00 00 F0 00 74
0x00563570 F7 45 1C F0 00 03 00 74
0x00563577 74 1F FF 75 1C
0x00563588 FF 75 10 FF 75 0C 50 E8
0x005635C2 FF 75 1C 8D 83 E0 00
0x00563670 F7 45 1C 00 01 00 00 74
0x00563677 74 11 FF 75 18
0x0059D6C1 55 8B EC 81 EC F4 00 00 00
0x008FEFA9 55 8B EC 83 EC 20 8D 45 F8 53 8B
0x008FEFF6 74 7B F3 0F 10
0x008FF82F A9 00 00 10 01 75 04 33 C0 EB 3F
0x008FF884 A9 00 00 10 01 75 04 33 C0 5E C3
0x008FF95D A9 00 00 10 01 74 0A 57 8B CE E8
0x009001CA A9 00 00 00 10 74 04
0x009001FA 75 30 F6 46 44
0x009009C8 81 66 40 FF FF 9F FF 8B 46 40 8B CA
0x00900A85 75 48 D9 86 88 00 00 00
0x0093D4CA 55 8B EC 8B 45 08
0x0093D4DE 78 4A 05 C0
0x0093D629 6A 01 68 C6 BA
0x0093F29A 8B EC 83
0x0093F2B5 FF 24 85 21 F3
0x0094D01D 53 57 E8 A6 04 FF FF
0x00956FF3 55 8B EC B8 68 38 00 00 E8 C0 DF D0
0x009574FC 7D 25 83 FE 0C 7C 54 83 FE
0x0095765A 74 17 83 F8 10
0x0095A022 55 8B EC 81 EC 68 0E 00 00 6A 0A E8
0x0095A3DC 74 46 83 FE 07
0x009E3050 2F 54 9A 41 43 4D 69 73
0x009E8B10 BB 8D 24 3F
0x00BDB94C D8 93 FE C0 48 8C 11 C1
0x00C470A0 00 00 00 00
0x00C470A4 04 00 00 00 B4 02

So maybe this way is safe...

[JamesHook]

hatawong it wasn't a warden detection. The detection was done inside the Wow.exe.

[CurbStomping]

hatawong it wasn't a warden detection. The detection was done inside the Wow.exe.

Source of this information?

[Trixiap]

Source of this information?

HB forum and many wannabe RE there

[Frosttall]

HB forum and many wannabe RE there

They clearly stated it to be speculations but no confirmed information.

[counted]

I just got back from a 9 month assignment and was updating my bot to start playing wow again. Fortunately I happened upon this post before I fired it up!!!

I check the address in question and blizzard is still hooking this address. I traced it around and the hook routine traces back up the stack to check the return address two calls prior to this routine and checks to see if the address is between TEXT Begin and TEXT End segment addresses. Basically the _luaL_loadbuffer call from FrameScript_LoadVariables, FrameScript_ExecuteBuffer, FrameScript_CompileFunction, _luaB_loadstring, Script

My bot is CPP based off of the WOWX framework and this detection would have caught it.

I can think of several ways to defeat this "check" but the fact that Blizzard has resorted to checking the stack is making me consider returning to OOP which is where i started.

I felt (probably incorrectly) pretty "safe" because i do not share my bot code with anyone so i thought it would be unlikely that I would get detected.

Now I am thinking that I would need to keep track of the other public bots, reverse them and see what internal routines they are calling and make sure i do not use those routines. There is no way i am going to do this.

I could right a IDA script to dump all sub routine addresses and the first 6 bytes and then after every patch scan the loaded and running wow executable and verify which routines blizzard is hooking and avoid them.

This feels like a departure on blizzards part from past practices.

What do the other in-process coders think?

-counted

[Jadd]

What do the other in-process coders think?

-counted

If you don't understand enough about anti-cheats to stay protected, I would simply recommend staying away from the use of Lua (and other conventional botting functions for that matter - ie. click to move.) It's not really needed if you're bothered to put in some extra work and seems to always be Blizzard's target when banning people.