New 32-bit Detection Method Added

[l0l1dk]

A few days ago, Blizzard activated a new detection method in the 32-bit client.

luaD_protectedparser (Wow.exe + 0x0B2580) is hooked with the function at Wow.exe + 0x9322E8. It appears to check the call stack for calls coming from outside of Wow.exe, similar to the method that Blizzard tried a couple of years ago to detect Honorbuddy IIRC. The hook is applied by the function at Wow.exe + 0x8DA9FE. It appears to be called in response to a packet send during or immediately after login.

64-bit appears to be still be safe. I haven't seen any Wow-64.exe functions being hooked.

EDIT: After further reversing of the hook function, it doesn't appear to check the call stack very far back, so most tools should still be safe.

[thehiddenshop]

omg ++++++ rep

[Shameless]

omg ++++++ rep

Do you even know what this means?

Good contrib. +Rep.

[Trixiap]

You... you are our hero!

[l0l1dk]

Fixed some incorrect details. The function being hooked is luaD_protectedparser, not luaD_pcall. luaD_pcall is called by luaD_protectedparser, so I must've copied the wrong name. I'll continue reversing it to find more details.

EDIT: I reversed the hook function more. It doesn't appear to be checking far back enough in the call stack to detect FrameScript_ExecuteBuffer or FrameScript_Execute. Most tools should still be safe.

[frammis4242]

-------------------------------
+rap

[Ales Kolman Bagari]

I am not rly familiar with those thingys but those *hooks* are sending data to blizzard so they see if bots/hacks etc are attached to client or just checking what is runing in our processes. If so is there any way to protect our accounts?

[miceiken]

I am not rly familiar with those thingys but those *hooks* are sending data to blizzard so they see if bots/hacks etc are attached to client or just checking what is runing in our processes. If so is there any way to protect our accounts?

Don't bot or hack.

[l0l1dk]

I am not rly familiar with those thingys but those *hooks* are sending data to blizzard so they see if bots/hacks etc are attached to client or just checking what is runing in our processes. If so is there any way to protect our accounts?

Basically they'll send data to Blizzard if you use a bot or hack tries to use the hooked function or anything that uses it. As long as they don't, nothing is sent to Blizzard.

[jimmyamd]

honorbuddy is still safe to use since they updated it

[DarkLinux]

How often do they do this? Hate to spend time if its rare. Are they using RPM / WPM or directly accessing memory? Guess you could just hook VirtualProtect for that memory page. Should be fun Also code caves for the win, unless they really check the caller address.

[l0l1dk]

5.4.7.18019
0x0D75CE : _lua_load
0x8673BC : HBDetectionPacketHandler
0x8BD916 : HBDetectionLuaLoadHook

6.1.0.19702
0x0B2580 : _lua_load
0x8DA9FE : HBDetectionPacketHandler
0x9322E8 : HBDetectionLuaLoadHook

compare the stuff you are reversing with the code in the 5.4.7.18019 exe : )

Interesting. This might be the same thing Blizzard used to try to detect HB a couple of years ago. I haven't ever seen it do anything until a couple of days ago though. +5 for the info.

[jivk03]

A few days ago, Blizzard activated a new detection method in the 32-bit client.

luaD_protectedparser (Wow.exe + 0x0B2580) is hooked with the function at Wow.exe + 0x9322E8. It appears to check the call stack for calls coming from outside of Wow.exe, similar to the method that Blizzard tried a couple of years ago to detect Honorbuddy IIRC. The hook is applied by the function at Wow.exe + 0x8DA9FE. It appears to be called in response to a packet send during or immediately after login.

64-bit appears to be still be safe. I haven't seen any Wow-64.exe functions being hooked.

EDIT: After further reversing of the hook function, it doesn't appear to check the call stack very far back, so most tools should still be safe.

Okay i cant understand is Honorbuddy still safe or not?

[Trixiap]

Okay i cant understand is Honorbuddy still safe or not?

I made little diagram for you, that will always work, so save it to your PC and use every time when you want ask this question

[Torpedoes]

In situations like this I like to post THIS video. Also this pretty much puts all those Lua unlockers in greater jeopardy.