The Free Lunch Is Over - Obfuscation is Coming

  1. #1
    Torpedoes's Avatar ★ Elder ★ Doomsayer

    The Free Lunch Is Over - Obfuscation is Coming

    OVERVIEW
    Thanks to a user of this forum who has notified me of this news. Unfortunately it looks like Blizzard has begun testing and deploying a new obfuscated version of the WoW binary (currently on the PTR). Perhaps ending support for Windows XP opened up some new opportunities for improved countermeasures against reverse engineering. In a way, I'm happy to see them finally making a move to reduce the number of cheaters in this game, but how far will they go?

    OBFUSCATION
    Early indications show an obfuscation pattern similar to Overwatch, which was bypassed early on before being taken down. So at the very least, we might start seeing unpackers akin to StarCraft II and Heroes of the Storm. I have no reason to believe that any internal data structures would change but I would not be surprised to see some nasty tricks being implemented to protect the object manager. If not now then perhaps in the new expansion. We've seen this before with Legacy of the Void.

    ANTI DEBUGGING
    Next, and while I haven't tried this myself, there are reports of anti-debugging capabilities being implemented as well. This means that attaching any sort of debugger will end up crashing the client or otherwise locking it up. As a result, we might have to come up with new strategies to get around this. Perhaps we'll have to revisit the strategies used by the SC2 and HotS community.

    TRAP PAGES
    Until we get more information, I'd avoid performing any unprotected memory scans including any unbounded cheat engine scans. Thanks to Overwatch, we've seen trap pages being implemented which resulted in a client crash. So we know it's a technique they might be using to ban cheaters and cheat developers with. Regardless, it's always a good idea to protect your memory scans. See this thread to learn more.

    NOTES: Possible Cheat Engine workaround. Thanks @karliky.

    DLL INJECTION
    As always, be careful with this one. Writing to memory is dangerous enough, let alone importing code and spawning threads. I never liked this technique but if you must use it then at least wait for the dust to settle before injecting anything. While I'm not sure we'll see HWID bans in WoW, they have been strictly enforced in Overwatch and you could end up losing all your accounts!! I did when I foolishly injected DLLs in Overwatch. Not even in-game, just on the login screen.

    NOTES: I've heard people getting away with DLL injection by emulating OBS and other "legit" apps.

    THE FUTURE
    The future of cheating in WoW depends entirely on how far Blizzard is willing to take this. Despite the advanced security of Overwatch, the community has been quite resourceful in counteracting it, so I have no doubt that we'll continue seeing big-name bots continue to bypass and succeed. As for the small players such as myself, unless we're able to keep up, it might be time to find a new hobby. Regardless of what happens, I'm surprised we've held on for this long without any significant changes to client security.

    Protection is live as of 7.3.0 released Aug 29, 2017
    Last edited by Torpedoes; 08-29-2017 at 01:54 PM.

  2. #2
    Nyarly's Avatar ★ Elder ★ Lorekeeper of Exploration
    Nice recap! I have faith in this community to always find new ways to exploit and hack. But maybe I'm dreaming...
    Anyway, it would be sad to see the end of datamining.

  3. #3
    uzzy13u's Avatar Active Member
    // edit - removed
    Last edited by uzzy13u; 03-24-2022 at 07:12 AM.

  4. #4
    Zazazu's Avatar Contributor
    For reading from memory, I think, this will have no effect. I do not think that they will introduce a white list of programs that have access to attach to WoW. But they can introduce more serious accounting of attached programs to detect bots/keysenders.

  5. #5
    doityourself's Avatar ★ Elder ★
    Originally Posted by Zazazu
    For reading from memory, I think, this will have no effect. I do not think that they will introduce a white list of programs that have access to attach to WoW. But they can introduce more serious accounting of attached programs to detect bots/keysenders.
    Reading memory is fine atm, also for static analysis you can still dump the process memory for now. Injecting my DLL and calling functions is working too (I guess^^), but writing game memory is not.

  6. #6
    Torpedoes's Avatar ★ Elder ★ Doomsayer
    Originally Posted by king48488
    You can still dump the process memory for now.
    I've tried this before but it ended up being a mess. Is there somewhere you can point me to that explains this technique in more detail?

  7. #7
    air999's Avatar Contributor
    Attaching both IDA and CE in debug mode crashed WoW.

    I've dumped 24759 x32 PTR with Process-Dump (GitHub - glmcdona/Process-Dump: Windows tool for dumping malware PE files from memory back to disk for analysis) just fine.

    It generates an exe file with PE headers and IAT table (seems not complete), so I can open it with IDA and dump my offsets.

  9. #8
    natt_'s Avatar Contributor
    this makes me happy and sad

  10. #9
    tutrakan's Avatar Contributor
    I think it is a good idea that they try to protect their content more. The sad part is that they are blind to the interest in the earliest versions of their own game.

    Can I get an unlike button, just in case some bot seller promotes his crap for free?
    Originally Posted by WiNiFiX
    removed
    Last edited by maclone; 08-07-2017 at 02:54 PM.

  11. #10
    DarkLinux's Avatar Former Staff
    Originally Posted by WiNiFiX
    removed
    Good luck with that, I'm guessing you have not been keeping up with OverWatch
    Last edited by maclone; 08-07-2017 at 02:55 PM.

  12. #11
    doityourself's Avatar ★ Elder ★
    Originally Posted by air999
    Attaching both IDA and CE in debug mode crashed WoW.

    I've dumped 24759 x32 PTR with Process-Dump (GitHub - glmcdona/Process-Dump: Windows tool for dumping malware PE files from memory back to disk for analysis) just fine.

    It generates an exe file with PE headers and IAT table (seems not complete), so I can open it with IDA and dump my offsets.
    Use scylla, it's better

  13. #12
    WiNiFiX's Avatar Banned
    Originally Posted by DarkLinux
    Good luck with that, I'm guessing you have not been keeping up with OverWatch
    Actually no, I hate FPS, but I have used AutoIt aim-bots to test out and my account is still very much alive.
    Any good sources I can read up on to see how they are blocking it in OW?

  14. #13
    Torpedoes's Avatar ★ Elder ★ Doomsayer
    Originally Posted by king48488
    Use scylla, it's better
    Can confirm, it is better and worked just fine. People have also been successfully modifying and using this project.

    Originally Posted by DarkLinux
    Good luck with that, I'm guessing you have not been keeping up with OverWatch
    I haven't been keeping up with Overwatch so I'm curious to see what they've done. I was under the impression that pixel aimers were still a thing.

  15. #14
    rail3r85's Avatar Member
    already live on Mac version of WoW

  16. #15
    doityourself's Avatar ★ Elder ★
    Originally Posted by rail3r85
    already live on Mac version of WoW
    wat?! The Mac version is fine
