New 32-bit Detection Method Added menu

User Tag List

Page 1 of 3 123 LastLast
Results 1 to 15 of 39
  1. #1
    l0l1dk's Avatar Elite User

    Reputation
    499
    Join Date
    Sep 2010
    Posts
    342
    Thanks G/R
    1/6
    Trade Feedback
    0 (0%)
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    New 32-bit Detection Method Added

    A few days ago, Blizzard activated a new detection method in the 32-bit client.

    luaD_protectedparser (Wow.exe + 0x0B2580) is hooked with the function at Wow.exe + 0x9322E8. It appears to check the call stack for calls coming from outside of Wow.exe, similar to the method that Blizzard tried a couple of years ago to detect Honorbuddy IIRC. The hook is applied by the function at Wow.exe + 0x8DA9FE. It appears to be called in response to a packet send during or immediately after login.

    64-bit appears to be still be safe. I haven't seen any Wow-64.exe functions being hooked.

    EDIT: After further reversing of the hook function, it doesn't appear to check the call stack very far back, so most tools should still be safe.
    Last edited by l0l1dk; 03-21-2015 at 09:09 PM. Reason: Rebased the offset of the function that applies the hook incorrectly. Fixed it.

    New 32-bit Detection Method Added
  2. #2
    thehiddenshop's Avatar Banned
    Reputation
    147
    Join Date
    Aug 2011
    Posts
    2,489
    Thanks G/R
    0/2
    Trade Feedback
    3 (100%)
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    omg ++++++ rep

  3. #3
    Shameless's Avatar Elite User JD's Master CoreCoins Purchaser
    Reputation
    473
    Join Date
    Jul 2009
    Posts
    720
    Thanks G/R
    4/3
    Trade Feedback
    36 (100%)
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Originally Posted by ************* View Post
    omg ++++++ rep
    Do you even know what this means?

    Good contrib. +Rep.

  4. #4
    Trixiap's Avatar Contributor
    Reputation
    218
    Join Date
    Nov 2010
    Posts
    349
    Thanks G/R
    22/18
    Trade Feedback
    1 (100%)
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    You... you are our hero!

  5. #5
    l0l1dk's Avatar Elite User

    Reputation
    499
    Join Date
    Sep 2010
    Posts
    342
    Thanks G/R
    1/6
    Trade Feedback
    0 (0%)
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Fixed some incorrect details. The function being hooked is luaD_protectedparser, not luaD_pcall. luaD_pcall is called by luaD_protectedparser, so I must've copied the wrong name. I'll continue reversing it to find more details.

    EDIT: I reversed the hook function more. It doesn't appear to be checking far back enough in the call stack to detect FrameScript_ExecuteBuffer or FrameScript_Execute. Most tools should still be safe.
    Last edited by l0l1dk; 03-21-2015 at 05:36 PM.

  6. #6
    frammis4242's Avatar Member
    Reputation
    2
    Join Date
    May 2011
    Posts
    57
    Thanks G/R
    0/0
    Trade Feedback
    0 (0%)
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    -------------------------------
    +rap

  7. #7
    Ales Kolman Bagari's Avatar Member CoreCoins Purchaser
    Reputation
    8
    Join Date
    Jul 2014
    Posts
    76
    Thanks G/R
    2/2
    Trade Feedback
    4 (100%)
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    I am not rly familiar with those thingys but those *hooks* are sending data to blizzard so they see if bots/hacks etc are attached to client or just checking what is runing in our processes. If so is there any way to protect our accounts?

  8. #8
    miceiken's Avatar Contributor Authenticator enabled
    Reputation
    209
    Join Date
    Dec 2007
    Posts
    401
    Thanks G/R
    7/9
    Trade Feedback
    0 (0%)
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Originally Posted by Ales Kolman Bagari View Post
    I am not rly familiar with those thingys but those *hooks* are sending data to blizzard so they see if bots/hacks etc are attached to client or just checking what is runing in our processes. If so is there any way to protect our accounts?
    Don't bot or hack.

  9. #9
    l0l1dk's Avatar Elite User

    Reputation
    499
    Join Date
    Sep 2010
    Posts
    342
    Thanks G/R
    1/6
    Trade Feedback
    0 (0%)
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Originally Posted by Ales Kolman Bagari View Post
    I am not rly familiar with those thingys but those *hooks* are sending data to blizzard so they see if bots/hacks etc are attached to client or just checking what is runing in our processes. If so is there any way to protect our accounts?
    Basically they'll send data to Blizzard if you use a bot or hack tries to use the hooked function or anything that uses it. As long as they don't, nothing is sent to Blizzard.

  10. #10
    jimmyamd's Avatar Elite User
    Reputation
    329
    Join Date
    Apr 2014
    Posts
    866
    Thanks G/R
    71/114
    Trade Feedback
    8 (100%)
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    honorbuddy is still safe to use since they updated it

  11. #11
    DarkLinux's Avatar Former Staff
    CoreCoins Purchaser Authenticator enabled
    Reputation
    1627
    Join Date
    May 2010
    Posts
    1,846
    Thanks G/R
    193/539
    Trade Feedback
    16 (100%)
    Mentioned
    7 Post(s)
    Tagged
    0 Thread(s)
    How often do they do this? Hate to spend time if its rare. Are they using RPM / WPM or directly accessing memory? Guess you could just hook VirtualProtect for that memory page. Should be fun Also code caves for the win, unless they really check the caller address.
    Last edited by DarkLinux; 03-22-2015 at 10:27 AM.

  12. #12
    l0l1dk's Avatar Elite User

    Reputation
    499
    Join Date
    Sep 2010
    Posts
    342
    Thanks G/R
    1/6
    Trade Feedback
    0 (0%)
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Originally Posted by Harko View Post
    5.4.7.18019
    0x0D75CE : _lua_load
    0x8673BC : HBDetectionPacketHandler
    0x8BD916 : HBDetectionLuaLoadHook

    6.1.0.19702
    0x0B2580 : _lua_load
    0x8DA9FE : HBDetectionPacketHandler
    0x9322E8 : HBDetectionLuaLoadHook

    compare the stuff you are reversing with the code in the 5.4.7.18019 exe : )
    Interesting. This might be the same thing Blizzard used to try to detect HB a couple of years ago. I haven't ever seen it do anything until a couple of days ago though. +5 for the info.

  13. #13
    jivk03's Avatar Active Member
    CoreCoins Purchaser
    Reputation
    16
    Join Date
    Mar 2015
    Posts
    95
    Thanks G/R
    0/12
    Trade Feedback
    1 (100%)
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Originally Posted by l0l1dk View Post
    A few days ago, Blizzard activated a new detection method in the 32-bit client.

    luaD_protectedparser (Wow.exe + 0x0B2580) is hooked with the function at Wow.exe + 0x9322E8. It appears to check the call stack for calls coming from outside of Wow.exe, similar to the method that Blizzard tried a couple of years ago to detect Honorbuddy IIRC. The hook is applied by the function at Wow.exe + 0x8DA9FE. It appears to be called in response to a packet send during or immediately after login.

    64-bit appears to be still be safe. I haven't seen any Wow-64.exe functions being hooked.

    EDIT: After further reversing of the hook function, it doesn't appear to check the call stack very far back, so most tools should still be safe.
    Okay i cant understand is Honorbuddy still safe or not?

  14. #14
    Trixiap's Avatar Contributor
    Reputation
    218
    Join Date
    Nov 2010
    Posts
    349
    Thanks G/R
    22/18
    Trade Feedback
    1 (100%)
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Originally Posted by jivk03 View Post
    Okay i cant understand is Honorbuddy still safe or not?
    I made little diagram for you, that will always work, so save it to your PC and use every time when you want ask this question

    Last edited by Trixiap; 03-24-2015 at 06:08 AM.

  15. #15
    Torpedoes's Avatar ★ Elder ★ Doomsayer
    Authenticator enabled
    Reputation
    1147
    Join Date
    Sep 2013
    Posts
    956
    Thanks G/R
    148/415
    Trade Feedback
    0 (0%)
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    In situations like this I like to post THIS video. Also this pretty much puts all those Lua unlockers in greater jeopardy.

Page 1 of 3 123 LastLast

Similar Threads

  1. new detection methods ?
    By Distiny in forum Star Wars: The Old Republic
    Replies: 10
    Last Post: 04-27-2012, 02:13 AM
  2. CCP Employs New Serverside Botting Detection
    By Phygar in forum EVE Online
    Replies: 11
    Last Post: 01-24-2012, 01:11 PM
  3. New mount bugging/Giant method 4.3
    By Willaika in forum World of Warcraft Exploits
    Replies: 12
    Last Post: 12-03-2011, 08:31 PM
  4. New fly without mount method
    By Monoman in forum World of Warcraft Exploits
    Replies: 9
    Last Post: 12-29-2007, 01:17 AM
All times are GMT -5. The time now is 05:53 AM. Powered by vBulletin® Version 4.2.3
Copyright © 2025 vBulletin Solutions, Inc. All rights reserved. User Alert System provided by Advanced User Tagging (Pro) - vBulletin Mods & Addons Copyright © 2025 DragonByte Technologies Ltd.
Google Authenticator verification provided by Two-Factor Authentication (Free) - vBulletin Mods & Addons Copyright © 2025 DragonByte Technologies Ltd.
Digital Point modules: Sphinx-based search