[Discuss]How to reduce ban

  1. #1
    oiramario, Established Member

    [Discuss]How to reduce ban

    What we do:
    1. read/write process's memory
    2. Inject dll into process
    3. call inner function in main thread (never touch Lua)
    4. remap/bypass CRC and detour [option]

    What the bot does:
    1. farm 20h / day
    2. offline 0.5h, online 2.5h
    3. do gather/mine/cast spell, and follow path
    4. auto login, repair, mail, train, blabla

    And what do we see after? Ban ban ban!!! maybe 7/14/30 or more.

    In my experience, ways to confirm it's bot:
    1. long time fixed path
    2. online for too long, almost never offline
    3. write memory detected, call stack detected, features detected
    Most of the problems can be solved, such as avoiding writing to memory and not touching Lua, but there will still be bans.
    I think the focus should be on warden.

    With what I know about warden:
    1. active after login
    2. download and execute shellcode every seconds/minutes
    3. 100+ modules exist atm, maybe more now...

    What can we do with warden?
    1. put a breakpoint on some special address with runtime and see who access this address with anti-anti-debug tools
    2. find s_moduleInterface with IDA static analysis (is it still there?)
    3. "0xF3, 0xA4, 0x5F, 0x5E, 0xC3" is still the pattern?
    4. monitor warden's pack
    5. analyze warden module with BLL2 mark
    6. modify our operation to avoid being detected by it

    Most of the time, we only discuss how to find the offsets, and rarely discuss warden. (discussed more in 2012 and 2014, but less after that.)
    Since the closure of warden-monitor.com, there have been few relevant statistics. Don't know how far it has developed now.
    Open discussion of warden may not be appropriate, which will lead to further attack and defense. But analyzing it should be the only way to reduce the ban.
    Feel free to ask or share, any hints or suggestions are welcome.

  2. Thanks ChrisIsMe, Kovrizha (2 members gave Thanks to oiramario for this useful post)
  3. #2
    MrNoble, ezclap CoreCoins Purchaser
    > 3. 100+ modules exist atm, maybe more now...

    Negative, Warden contains multiple encrypted chunks of code that seem to be placed in different locations with different encryption keys. It looks like every time you get a warden module the keys have been changed, resulting in a different chunk of bytes. On top of that, there also seem to be multiple encryption/decryption functions (assumed to make hooking/patching harder) which may not always be located at the exact same location.

    So there is that, don't be fooled, you might have been looking at the same payload the whole time.
    Any fool can write code that a computer can understand. Good programmers write code that humans can understand.

  4. Thanks oiramario (1 members gave Thanks to MrNoble for this useful post)
  5. #3
    Kovrizha, Active Member
    I'm in the same boat
    Getting my bans constantly every ~2-3 weeks. For almost 2 years.
    What does not help:
    - Operating under vmware. Also tried qemu kvm (recompiled, with vm detection mitigation).
    - proxy/vps/vpn
    - driver for keyboard/mouse input
    - no memory write, lua unlock
    - no open process, ReadProcessMemory. Using driver for reading instead. Skipping virtual memory if it has no physical backing
    - randomize navigation, human-like interaction, working for 12h (tried even less) with random breaks

  6. Thanks oiramario (1 members gave Thanks to Kovrizha for this useful post)
  7. #4
    oiramario, Established Member
    Originally Posted by Kovrizha:
    > I'm in the same boat
    > Getting my bans constantly every ~2-3 weeks. For almost 2 years.
    > What does not help:
    > - Operating under vmware. Also tried qemu kvm (recompiled, with vm detection mitigation).
    > - proxy/vps/vpn
    > - driver for keyboard/mouse input
    > - no memory write, lua unlock
    > - no open process, ReadProcessMemory. Using driver for reading instead. Skipping virtual memory if it has no physical backing
    > - randomize navigation, human-like interaction, working for 12h (tried even less) with random breaks

    proxy does not help?
    how about hwid?

  8. #5
    oiramario, Established Member
    Originally Posted by MrNoble:
    > > 3. 100+ modules exist atm, maybe more now...
    >
    > Negative, Warden contains multiple encrypted chunks of code that seem to be placed in different locations with different encryption keys. It looks like every time you get a warden module the keys have been changed, resulting in a different chunk of bytes. On top of that, there also seem to be multiple encryption/decryption functions (assumed to make hooking/patching harder) which may not always be located at the exact same location.
    >
    > So there is that, don't be fooled, you might have been looking at the same payload the whole time.

    thanks for reply big bro.
    We all follow your footsteps.

  9. #6
    Kovrizha, Active Member
    Originally Posted by oiramario:
    > proxy does not help?
    > how about hwid?

    All qemu VMs have their own hwid. You can set up IDs via:
    libvirt: Domain XML format

  10. #7
    fofgogjoj, Member
    Originally Posted by Kovrizha:
    > I'm in the same boat
    > Getting my bans constantly every ~2-3 weeks. For almost 2 years.
    > What does not help:
    > - Operating under vmware. Also tried qemu kvm (recompiled, with vm detection mitigation).
    > - proxy/vps/vpn
    > - driver for keyboard/mouse input
    > - no memory write, lua unlock
    > - no open process, ReadProcessMemory. Using driver for reading instead. Skipping virtual memory if it has no physical backing
    > - randomize navigation, human-like interaction, working for 12h (tried even less) with random breaks

    i started having such a problem with the TBC prepatch. i used my pixel bot in classics with bans every six months, now it works without bans for only 3-4 weeks. i think it might also have something to do with where you farm. in the classic, I farmed in a deserted place, but in the TBC i had to go where there are people. so far this is only a guess.

    i had everything the same, except for this item
    - driver for keyboard/mouse input

  11. Thanks Kovrizha (1 members gave Thanks to fofgogjoj for this useful post)
  12. #8
    Kovrizha, Active Member
    You mean it might be player reports?
    Maybe, but sometimes my fresh bots (1-3 days) get their bans.

    I'm also starting to believe that blizz implemented some serious in-game behavior analysis. So they do not detect the bot program, nor the way you interact with the game, your vm/hardware/ip. They are looking at how you actually play the game. I only hope that I'm wrong.
    Last edited by Kovrizha; 12-02-2021 at 06:39 AM.

  13. #9
    Kovrizha, Active Member
    Also the question is how many people here are successfully using their bots for a long time period (>2 months)?
    Not just 1 bot for 1-2 hours per day. I mean driving their bot business.

  14. #10
    fofgogjoj, Member
    Originally Posted by Kovrizha:
    > You mean it might be player reports?
    > Maybe, but sometimes my fresh bots (1-3 days) get their bans.
    >
    > I'm also starting to believe that blizz implemented some serious in-game behavior analysis. So they do not detect the bot program, nor the way you interact with the game, your vm/hardware/ip. They are looking at how you actually play the game. I only hope that I'm wrong.

    when i bought several accounts and launched them all at once, i also got a ban. if i bought 1-2, then they were not banned. i should also note:
    -i tried different payment methods, including time cards.
    -i used a vm with preinstalled warcraft and cloned it. this is also the reason for the bans i think.
    Last edited by fofgogjoj; 12-02-2021 at 06:49 AM.

  15. #11
    Kovrizha, Active Member
    I always launch 1 bot per day (vm creating, proxy buying etc...).
    Always use keys from plati.com from different sellers.
    I never use VM cloning. Tried many ways around client installing and linking via <host-vm>.
    This is not the reason of our problem.

  16. #12
    oiramario, Established Member
    Originally Posted by Kovrizha:
    > I always launch 1 bot per day (vm creating, proxy buying etc...).
    > Always use keys from plati.com from different sellers.
    > I never use VM cloning. Tried many ways around client installing and linking via <host-vm>.
    > This is not the reason of our problem.

    maybe vm is easy to detect.
    i've tried KMD for HID that does not help.
    i guess ip and hwid are important.

  17. #13
    Kovrizha, Active Member
    Originally Posted by oiramario:
    > maybe vm is easy to detect.
    > i've tried KMD for HID that does not help.
    > i guess ip and hwid are important.

    Did you try launching the bot on a separate PC?

  18. #14
    Narache, Member
    I don't know if it helps... but my experience:

    - Using private bot with 0 memory write
    - Running on linux
    - No VM, no unique HWID per instances
    - No Proxy / VPN
    - No fuck given about warden
    - Same payment for all accounts (Paypal)
    - 10 to 15 accs 10-12hours / day / 7 / 7
    - On the same exact same profile since TBC release (all of them, yep)

    No ban since beginning of TBC (started botting 2nd week)
    Only since last week I got some bans.

    Now, tried creating accs : 10 wow accs
    Banned without even connecting in game after 48hours ~

    Tried the same thing but with clean prefix and Vpn : accounts still alive.

    Gonna need to step up my game, with dedicated VPN / HWID / Payment method per acc
    Last edited by Narache; 12-03-2021 at 08:02 AM.

  19. Thanks Kovrizha, oiramario (2 members gave Thanks to Narache for this useful post)
  20. #15
    oiramario, Established Member
    Originally Posted by Kovrizha:
    > Did you try launching the bot on a separate PC?

    private bot running on win10
    last 6 months, 20 accs 20h / day x 7 with no bans, no proxy no hwid.
    since last 2 weeks:
    no ban: 5 accs 20h / day / pc
    ban: more accs or hours

  21. Thanks Narache (1 members gave Thanks to oiramario for this useful post)