-
The Free Lunch Is Over - Obfuscation is Coming
OVERVIEW
Thanks to a user of this forum who has notified me of this news. Unfortunately it looks like Blizzard has begun testing and deploying a new obfuscated version of the WoW binary (currently on the PTR). Perhaps ending support for Windows XP opened up some new opportunities for improved countermeasures against reverse engineering. In a way, I'm happy to see them finally making a move to reduce the amount of cheaters in this game, but how far will they go?
OBFUSCATION
Early indications show an obfuscation pattern similar to Overwatch, which was bypassed early on before being taken down. So at the very least, we might start seeing unpackers akin to StarCraft II and Heroes of the Storm. I have no reason to believe that any internal data structures would change but I would not be surprised to see some nasty tricks being implemented to protect the object manager. If not now then perhaps in the new expansion. We've seen this before with Legacy of the Void.
ANTI DEBUGGING
Next, and while I haven't tried this myself, there are reports of anti-debugging capabilities being implemented as well. This means that attaching any sort of debugger will end up crashing the client or otherwise locking it up. As a result, we might have to come up with new strategies to get around this. Perhaps we'll have to revisit the strategies used by the SC2 and HotS community.
TRAP PAGES
Until we get more information, I'd avoid performing any unprotected memory scans including any unbounded cheat engine scans. Thanks to Overwatch, we've seen trap pages being implemented which resulted in a client crash. So we know it's a technique they might be using to ban cheaters and cheat developers with. Regardless, it's always a good idea to protect your memory scans. See this thread to learn more.
NOTES: Possible Cheat Engine workaround. Thanks @karliky.
DLL INJECTION
As always, be careful with this one. Writing to memory is dangerous enough, let alone importing code and spawning threads. I never liked this technique but if you must use it then at least wait for the dust to settle before injecting anything. While I'm not sure we'll see HWID bans in WoW, they have been strictly enforced in Overwatch and you could end up losing all your accounts!! I did when I foolishly injected DLLs in Overwatch. Not even in-game, just on the login screen.
NOTES: I've heard people getting away with DLL injection by emulating OBS and other "legit" apps.
THE FUTURE
The future of cheating in WoW depends entirely on how far Blizzard is willing to take this. Despite the advanced security of Overwatch, the community has been quite resourceful in counteracting it, so I have no doubt that we'll continue seeing big-name bots continue to bypass and succeed. As for the small players such as myself, unless we're able to keep up, it might be time to find a new hobby. Regardless of what happens, I'm surprised we've held on for this long without any significant changes to client security.
Protection is live as of 7.3.0 released Aug 29, 2017
Last edited by Torpedoes; 08-29-2017 at 01:54 PM.
-
★ Elder ★
Lorekeeper of Exploration
Nice recap! I have faith in this community to always find new ways to exploit and hack. But maybe I'm dreaming...
Anyway, it would be sad to see the end of datamining.
-
Active Member
Last edited by uzzy13u; 03-24-2022 at 07:12 AM.
-
Contributor
For reading from memory, I think, this will not affect. I do not think that they will enter a white list of programs that have access to attach WoW. But they can introduce more serious accounting of attached programs to detect bot/keysenders.
-
★ Elder ★
Originally Posted by Zazazu
For reading from memory, I think, this will not affect. I do not think that they will enter a white list of programs that have access to attach WoW. But they can introduce more serious accounting of attached programs to detect bot/keysenders.
Reading memory is fine atm, also for static analysis you can still dump the process memory for now. Injecting my DLL and calling functions is working too (I guess^^), but game memory write not.
-
Originally Posted by king48488
You can still dump the process memory for now.
I've tried this before but it ended up being a mess. Is there somewhere you can point me to that explains this technique in more detail?
-
Contributor
Attaching both IDA and CE in debug mode crashed WoW.
I've dumped 24759 x32 PTR with Process-Dump (GitHub - glmcdona/Process-Dump: Windows tool for dumping malware PE files from memory back to disk for analysis) just fine.
It generates an exe file with PE headers and an IAT table (seems not complete), so I can open it with IDA and dump my offsets.
-
Contributor
this makes me happy and sad
-
Contributor
I think it is a good idea that they try to protect their content more. The sad part is that they are blind against the interest for the earliest versions of their own game.
Can I get an unlike button, just in case some bot seller promotes his crap for free?
Originally Posted by WiNiFiX
removed
Last edited by maclone; 08-07-2017 at 02:54 PM.
-
Originally Posted by WiNiFiX
removed
Good luck with that, I'm guessing you have not been keeping up with OverWatch
Last edited by maclone; 08-07-2017 at 02:55 PM.
-
★ Elder ★
Originally Posted by air999
Use scylla, it's better
-
Banned
Originally Posted by DarkLinux
Good luck with that, I'm guessing you have not been keeping up with OverWatch
Actually no, I hate FPS, but I have used AutoIt aim-bots to test out and my account is still very much alive.
Any good sources I can read up on to see how they're blocking it in OW?
-
Originally Posted by king48488
Use scylla, it's better
Can confirm, it is better and worked just fine. People have also been successfully modifying and using this project.
Originally Posted by DarkLinux
Good luck with that, I'm guessing you have not been keeping up with OverWatch
I haven't been keeping up with Overwatch so I'm curious to see what they've done. I was under the impression that pixel aimers were still a thing.
-
Member
already live on Mac version of WoW
-
★ Elder ★
Originally Posted by rail3r85
already live on Mac version of WoW
wat?! The mac version is fine