-
Originally Posted by
Xcango013
All i used a few weeks ago was a fishbot, (3 weeks ago aproximately) and 2-3 days ago i used Tmorph. I don't know why they would make a "delayed" permanent ban? Or if Tmorph is what caused this ban for me?
Depends if Tmorph uses any LUA.
However, delayed bans are common. For all we know they did another 'glider check' where the check is sent back with a normal packet; they could have been doing this for weeks or even months.
|Leacher:11/2009|Donor:02/2010|Established Member:09/2010|Contributor:09/2010|Elite:08/2013|
-
★ Elder ★
A moderator over in ReBot is saying his trial account got banned and he was just sitting 20 minutes in a starter zone with bot hooked playing around with the settings to assist people who had questions in the official forums, and he had never once even run the bot, so zero behavior detection or combat or anything. Just 100% hooking function here got detected.
SoapBox said that since he removed his 32-bit bot last month, this banwave that seemed to hit everyone completely missed his 64-bit users, and the few people using SoapBox that got banned have reported to also being EWT/HB users. So, it'll be good to figure this out.
Last edited by Sklug; 01-14-2016 at 11:33 AM.
-
Originally Posted by
-Ryuk-
Calling Lua
No shit calling Lua. I mean why are you calling Lua? What do people use it for? In every bot I've ever written, I'm pretty sure I've been able to accomplish what I need without using it.
-
Contributor
I've been maintaining a (now ancient) framework that relies heavily on Lua (via ExecuteBuffer), still not banned.
I'm not lucky nor special, so that makes me doubt Lua being the culprit here.
@Namreeb
- to write text to chat frames
- listen to events
- provides the implementation for an abstracted wow API (Battlegrounds, Inventory, Quest, Spell...) example
Code:
public static bool IsSpellTargetting()
{
return Core.FrameScript.GetReturnValue<bool>("SpellIsTargeting()", 0);
}
Why? I think past-me was a lazy ****. Wrapping a well defined API is much easier than maintaining patterns/addresses and reversing functions/structures.
Last edited by Robske; 01-14-2016 at 01:19 PM.
"Always code as if the guy who ends up maintaining your code will be a violent psychopath who knows where you live." - Martin Golding
"I cried a little earlier when I had to poop" - Sku
-
Originally Posted by
namreeb
No shit calling Lua. I mean why are you calling Lua? What do people use it for? In every bot I've ever written, I'm pretty sure I've been able to accomplish what I need without using it.
Just through ease... We can do whatever we need in Lua without having to reverse a load more things. Like Spell Info, Quest related things etc
|Leacher:11/2009|Donor:02/2010|Established Member:09/2010|Contributor:09/2010|Elite:08/2013|
-
Originally Posted by
Robske
I've been maintaining a (now ancient) framework that relies heavily on Lua (via ExecuteBuffer), still not banned.
I'm not lucky nor special, so that makes me doubt Lua being the culprit here.
@Namreeb
- to write text to chat frames
- listen to events
- provides the implementation for an abstracted wow API (Battlegrounds, Inventory, Quest, Spell...)
Why? I think past-me was a lazy ****. Wrapping a well defined API is much easier than maintaining patterns/addresses and reversing functions/structures.
I think the question is where exactly your calling ExecuteBuffer from, and how you listen to events
|Leacher:11/2009|Donor:02/2010|Established Member:09/2010|Contributor:09/2010|Elite:08/2013|
-
Contributor
Originally Posted by
-Ryuk-
I think the question is where exactly your calling ExecuteBuffer from, and how you listen to events
From a place where any stack-traversing system would definitely catch me (so in a section far, far away... from wow's text section).
As for events, I register a Lua function with a managed function pointer. This lua function is then registered as the event handler for a frame that is configured to listen to all events. The creation and configuration of this frame is done with ExecuteBuffer.
So, nothing special going on here.
"Always code as if the guy who ends up maintaining your code will be a violent psychopath who knows where you live." - Martin Golding
"I cried a little earlier when I had to poop" - Sku
-
Elite User
Theoretically all they need to detect you when calling any of their functions is to set a global/thread-local variable before they call their own function and reset it when they're done. Something like:
Code:
WowGameLoop:
DoStuff();
callingLua = 1;
ExecuteBuffer("...");
callingLua = 0;
DoMoreStuff();
EndScene/Present();
now when you call it outside that small window when callingLua is set to 1, they can ban you. No stack traversal needed, just a simple variable.
-
Elite User
Originally Posted by
namreeb
No shit calling Lua. I mean why are you calling Lua? What do people use it for? In every bot I've ever written, I'm pretty sure I've been able to accomplish what I need without using it.
Déjà-vu o,o
-
@reliasn
Its funny they are patching code again, as its relativity easy to detect. I hope its still active tonight, would love to take a look at what function is creating the hook. Are they calling VirtualProtect?
@Master674
But something like that would be easy to notice. Unless people just blindly update, then it would work.
@namreeb
Are you calling functions directly b/c that could be Blizz next move, hook something in CastSpellByName (or any heavily used function). That covers people calling it from LUA and directly.
Last edited by DarkLinux; 01-14-2016 at 02:04 PM.
-
Elite User
Originally Posted by
DarkLinux
@reliasn
Its funny they are patching code again, as its relativity easy to detect. I hope its still active tonight, would love to take a look at what function is creating the hook. Are they calling VirtualProtect?
@Master674
But something like that would be easy to notice. Unless people just blindly update, then it would work.
Tbh. I always blindly update. Also, if they hide the variable somewhere it is not easy to spot. Like setting an additional bit somewhere or doing some math calculation differently or whatever. I'm sure I could sneak something in there that noone here would ever notice
-
Originally Posted by
DarkLinux
... Unless people just blindly update ...
Guilty as charged...
As far as things like CastSpellByName, they can be legitimately used so it would be interesting to see how they differentiate between the two.
-
Originally Posted by
DarkLinux
@reliasn
Its funny they are patching code again, as its relativity easy to detect. I hope its still active tonight, would love to take a look at what function is creating the hook. Are they calling VirtualProtect?
These are the functions:
Code:
HBDetectionLuaLoadHook = 0x982B9A, -> lua_load is hooked by this function
HBDetectionPacketHandler = 0x93055B, -> creates the JMP in lua_load, specifically the instruction at 0x930884
EWT was already patching the JMP in lua_load, but my implementation was a little silly: every time I called FrameScript_Execute (it wasn't even ExecuteBuffer), I would remove the JMP and then re-apply it after the call. So yeah, I wasn't removing the JMP completely and they could have detected EWT by checking the call stack when ExecuteBuffer is called by some other function, like I explained in my previous post. Yes, I hooked FrameScript_SignalEvent and the hook could be seen when FrameScript_ExecuteFile was getting called.
But once again, I'm not really too confident that this is the reason behind the bans.
-
Post Thanks / Like - 1 Thanks
Miksu (1 members gave Thanks to reliasn for this useful post)
-
Anyone know if the bots that got banned registered new LUA functions? I guess what does ReBot do? Other then hook and call lua function on start up.
Last edited by DarkLinux; 01-14-2016 at 04:28 PM.
-
★ Elder ★
Originally Posted by
DarkLinux
Anyone know if the bots that got banned registered new LUA functions? I guess what does ReBot do? Other then hook and call lua function on start up.
Not entirely sure, but in the C# you can execute Lua with their built in API ExecuteLua(string); So theoretically, any custom profile creator could implement Lua calls just using this API. You can return values for example like this:
Code:
int ilvl = (int)ExecuteLua<double>("local _,equipped = GetAverageItemLevel(); return equipped");
Not sure how their implementation of that is working though...