Questions regarding EWT being detected and general approach to a botbase in 2019

[GlittPrizes]

With EWT users reporting detection recently, is it safe to assume unlocking lua will not be practical anymore, or is that only the case if you are using public software? I know Blizz has stepped up their anti-cheat game, but I don't want to give up nor do I want to resort to a bot that is so "safe" that it's practically useless/featureless.

I have experience with game design, so making a navmesh server to coordinate with a botbase should be the familiar part, but I'm still training when it comes to the RE. I've managed to record and send clicks as a rudimentary waypoint system which is far from complete, but it was a huge personal achievement nonetheless. Instead of imitating the Lua functions for facing, targeting, etc, I hope it's still viable to make a private unlocker to extend functionality. Can anyone share a modern recipe on how to gain access to the protected client functions now that the cat is out of the bag so to speak? I've peeked at some of the related github repos, but I'm not sure what exactly I'm looking for until I understand the process a bit better. Also, my instinct is to avoid the WiniFix repo due to his reputation.

If Lua unlocking isn't practical today, then what would your ideal bot look like? For example, in/out of process, VM hosting the bot as another layer of protection, etc. In the past it seems like you can get away with quite a lot as long as you don't go public. Is this still the case now? What does a successful bot look like in 2019, or am I better off biting the bullet and focusing on another game?

[air999]

You will be pretty safe with private bot.

[GlittPrizes]

You will be pretty safe with private bot.

That's pretty much what I need to hear to keep morale high.


I stumbled upon a nice 2018 guide yesterday that is outdated somewhat, but I think I have the right idea...

It seems like there is a pretty serious drought of bots these days. You would think that this means those who are controlling sizeable groups of autonomous farmers today have a lot to gain. Anyways, thanks for the reply!

[lolp1]

With EWT users reporting detection recently, is it safe to assume unlocking lua will not be practical anymore, or is that only the case if you are using public software? I know Blizz has stepped up their anti-cheat game, but I don't want to give up nor do I want to resort to a bot that is so "safe" that it's practically useless/featureless.

EWT did not use the only way, best way, safest way, or really even close way to unlock lua. With that said it's clear he tried hard, and his job was not poor. It's really always been the case any hack for wow on a mass public scale will with enough outrage be targeted by blizzard and resources invested to detect it lua, external, pixel, memory read only etc..

I have experience with game design, so making a navmesh server to coordinate with a botbase should be the familiar part, but I'm still training when it comes to the RE. I've managed to record and send clicks as a rudimentary waypoint system which is far from complete, but it was a huge personal achievement nonetheless. Instead of imitating the Lua functions for facing, targeting, etc, I hope it's still viable to make a private unlocker to extend functionality. Can anyone share a modern recipe on how to gain access to the protected client functions now that the cat is out of the bag so to speak? I've peeked at some of the related github repos, but I'm not sure what exactly I'm looking for until I understand the process a bit better. Also, my instinct is to avoid the WiniFix repo due to his reputation.

There is dozens of tricks to unlock lua many needing no patches. For many reasons I can't share them, but it's not like a method or two only. Worth nothing there is many non lua unlocking based ways to write 3rd party software, some safer by good margins.

If Lua unlocking isn't practical today, then what would your ideal bot look like? For example, in/out of process, VM hosting the bot as another layer of protection, etc. In the past it seems like you can get away with quite a lot as long as you don't go public. Is this still the case now? What does a successful bot look like in 2019, or am I better off biting the bullet and focusing on another game?[/QUOTE]

This is still the case (private is safe). Read memory emulate input, find your own or an unbanned unlock method, or lots of ways to do it.

If your goal is to make a personal use bot and you are dedicated it is doable practical and reasonable.

[GlittPrizes]

This is still the case (private is safe). Read memory emulate input, find your own or an unbanned unlock method, or lots of ways to do it.

I'm trying to get it to just work at first, then I will look into safety regarding Warden. I've made some progress, but my test lua call was still blocked as protected lua even though it's called from within my detour of an injected dll using PolyHook_2. The detour works, but it doesn't appear to be running from the main thread, or it's more likely I'm misunderstanding where/how to call the lua.

Code:

// Present detour
NOINLINE HRESULT __fastcall hook_present(IDXGISwapChain* p_chain, UINT sync_interval, UINT flags)
{
	if (!g_bInitialised) 
	{
		std::cout << "\t[+] Present hook called for first time" << std::endl;

		if (FAILED(swapchain_get_device(p_chain, &p_device, &p_context)))
			return PLH::FnCast(hook_present_tramp, fn_present)(p_chain, sync_interval, flags);
		p_swap_chain = p_chain;
		DXGI_SWAP_CHAIN_DESC sd;
		p_chain->GetDesc(&sd);
		window = sd.OutputWindow;

		ID3D11Texture2D* p_back_buffer;

		p_chain->GetBuffer(0, __uuidof(ID3D11Texture2D), (LPVOID*)&p_back_buffer);
		p_device->CreateRenderTargetView(p_back_buffer, NULL, &mainRenderTargetView);
		p_back_buffer->Release();

		// lua call test
		fn_frame_execute("JumpOrAscendStart()", "somestring", "jump.lua");

		g_bInitialised = true;
	}

	p_context->OMSetRenderTargets(1, &mainRenderTargetView, NULL);

	return PLH::FnCast(hook_present_tramp, fn_present)(p_chain, sync_interval, flags);
}

This is what happens after the Directx11 detour fires for the first time upon injection. ("jump.lua" has been blocked from an action only available to the Blizzard UI.")
oc.png

Edit/Update:
I was able to get it working by mostly changing the lua call definition and the parameters passed. I was pretty surprised it actually worked (jumped from injected dll). I have a feeling it allows me to do these calls, but it still knows that my calling environment is not "clean". I'm not really sure how to mask what I'm doing from Warden though. I think I will focus on other things for now and come back.