12/1/2016 bans...

[-Ryuk-]

All i used a few weeks ago was a fishbot, (3 weeks ago aproximately) and 2-3 days ago i used Tmorph. I don't know why they would make a "delayed" permanent ban? Or if Tmorph is what caused this ban for me?

Depends if Tmorph uses any LUA.

However, delayed bans are common. For all we know they did another 'glider check' where the check is sent back with a normal packet; they could have been doing this for weeks or even months.

[Sklug]

A moderator over in ReBot is saying his trial account got banned and he was just sitting 20 minutes in a starter zone with bot hooked playing around with the settings to assist people who had questions in the official forums, and he had never once even run the bot, so zero behavior detection or combat or anything. Just 100% hooking function here got detected.

SoapBox said that since he removed his 32-bit bot last month, this banwave that seemed to hit everyone completely missed his 64-bit users, and the few people using SoapBox that got banned have reported to also being EWT/HB users. So, it'll be good to figure this out.

[namreeb]

Calling Lua

No shit calling Lua. I mean why are you calling Lua? What do people use it for? In every bot I've ever written, I'm pretty sure I've been able to accomplish what I need without using it.

[Robske]

I've been maintaining a (now ancient) framework that relies heavily on Lua (via ExecuteBuffer), still not banned.
I'm not lucky nor special, so that makes me doubt Lua being the culprit here.

@Namreeb
- to write text to chat frames
- listen to events
- provides the implementation for an abstracted wow API (Battlegrounds, Inventory, Quest, Spell...) example

Code:

        public static bool IsSpellTargetting()
        {
            return Core.FrameScript.GetReturnValue<bool>("SpellIsTargeting()", 0);
        }

Why? I think past-me was a lazy ****. Wrapping a well defined API is much easier than maintaining patterns/addresses and reversing functions/structures.

[-Ryuk-]

No shit calling Lua. I mean why are you calling Lua? What do people use it for? In every bot I've ever written, I'm pretty sure I've been able to accomplish what I need without using it.

Just through ease... We can do whatever we need in Lua without having to reverse a load more things. Like Spell Info, Quest related things etc

[-Ryuk-]

I've been maintaining a (now ancient) framework that relies heavily on Lua (via ExecuteBuffer), still not banned.
I'm not lucky nor special, so that makes me doubt Lua being the culprit here.

@Namreeb
- to write text to chat frames
- listen to events
- provides the implementation for an abstracted wow API (Battlegrounds, Inventory, Quest, Spell...)
Why? I think past-me was a lazy ****. Wrapping a well defined API is much easier than maintaining patterns/addresses and reversing functions/structures.

I think the question is where exactly your calling ExecuteBuffer from, and how you listen to events

[Robske]

I think the question is where exactly your calling ExecuteBuffer from, and how you listen to events

From a place where any stack-traversing system would definitely catch me (so in a section far, far away... from wow's text section).
As for events, I register a Lua function with a managed function pointer. This lua function is then registered as the event handler for a frame that is configured to listen to all events. The creation and configuration of this frame is done with ExecuteBuffer.

So, nothing special going on here.

[Master674]

Theoretically all they need to detect you when calling any of their functions is to set a global/thread-local variable before they call their own function and reset it when they're done. Something like:

Code:

WowGameLoop:
   DoStuff();
   callingLua = 1;
   ExecuteBuffer("...");
   callingLua = 0;
   DoMoreStuff();
   EndScene/Present();

now when you call it outside that small window when callingLua is set to 1, they can ban you. No stack traversal needed, just a simple variable.

[Master674]

No shit calling Lua. I mean why are you calling Lua? What do people use it for? In every bot I've ever written, I'm pretty sure I've been able to accomplish what I need without using it.

Déjà-vu o,o

[DarkLinux]

@reliasn
Its funny they are patching code again, as its relativity easy to detect. I hope its still active tonight, would love to take a look at what function is creating the hook. Are they calling VirtualProtect?

@Master674
But something like that would be easy to notice. Unless people just blindly update, then it would work.

@namreeb
Are you calling functions directly b/c that could be Blizz next move, hook something in CastSpellByName (or any heavily used function). That covers people calling it from LUA and directly.

[Master674]

@reliasn
Its funny they are patching code again, as its relativity easy to detect. I hope its still active tonight, would love to take a look at what function is creating the hook. Are they calling VirtualProtect?

@Master674
But something like that would be easy to notice. Unless people just blindly update, then it would work.

Tbh. I always blindly update. Also, if they hide the variable somewhere it is not easy to spot. Like setting an additional bit somewhere or doing some math calculation differently or whatever. I'm sure I could sneak something in there that noone here would ever notice

[Filint]

... Unless people just blindly update ...

Guilty as charged...

As far as things like CastSpellByName, they can be legitimately used so it would be interesting to see how they differentiate between the two.

[reliasn]

@reliasn
Its funny they are patching code again, as its relativity easy to detect. I hope its still active tonight, would love to take a look at what function is creating the hook. Are they calling VirtualProtect?

These are the functions:

Code:

HBDetectionLuaLoadHook = 0x982B9A, -> lua_load is hooked by this function
HBDetectionPacketHandler = 0x93055B, -> creates the JMP in lua_load, specifically the instruction at 0x930884

EWT was already patching the JMP in lua_load, but my implementation was a little silly: every time I called FrameScript_Execute (it wasn't even ExecuteBuffer), I would remove the JMP and then re-apply it after the call. So yeah, I wasn't removing the JMP completely and they could have detected EWT by checking the call stack when ExecuteBuffer is called by some other function, like I explained in my previous post. Yes, I hooked FrameScript_SignalEvent and the hook could be seen when FrameScript_ExecuteFile was getting called.

But once again, I'm not really too confident that this is the reason behind the bans.

[DarkLinux]

Anyone know if the bots that got banned registered new LUA functions? I guess what does ReBot do? Other then hook and call lua function on start up.

[Sklug]

Anyone know if the bots that got banned registered new LUA functions? I guess what does ReBot do? Other then hook and call lua function on start up.

Not entirely sure, but in the C# you can execute Lua with their built in API ExecuteLua(string); So theoretically, any custom profile creator could implement Lua calls just using this API. You can return values for example like this:

Code:

        int ilvl  =  (int)ExecuteLua<double>("local _,equipped = GetAverageItemLevel(); return equipped");

Not sure how their implementation of that is working though...