-
Established Member
[Discuss] How to reduce bans
What we have done:
1. read/write the process's memory
2. inject a DLL into the process
3. call internal functions in the main thread (never touching Lua)
4. remap/bypass CRC and detour [optional]
What the bot does:
1. farms 20h / day
2. offline 0.5h, online 2.5h
3. gathers/mines/casts spells, and follows a path
4. auto login, repair, mail, train, etc.
And what do we see afterwards? Ban ban ban!!! Maybe 7/14/30 or more.
In my experience, ways to confirm it's a bot:
1. a fixed path for a long time
2. online for too long, almost never offline
3. memory writes detected, call stack detected, features detected
Most of the problems can be solved, such as by avoiding writes to memory and not touching Lua, but there will still be bans.
I think the focus should be on Warden.
What I know about Warden:
1. active after login
2. downloads and executes shellcode every few seconds/minutes
3. 100+ modules exist atm, maybe more now...
What can we do about Warden?
1. put a breakpoint on some special address at runtime and see who accesses this address, using anti-anti-debug tools
2. find s_moduleInterface with IDA static analysis (is it still there?)
3. is "0xF3, 0xA4, 0x5F, 0x5E, 0xC3" still the pattern?
4. monitor Warden's packets
5. analyze the Warden module with the BLL2 mark
6. modify our operations to avoid being detected by it
Most of the time, we only discuss how to find the offsets, and rarely discuss Warden (it was discussed more in 2012 and 2014, but less after that).
Since the closure of warden-monitor.com, there have been few relevant statistics. I don't know how far it has developed now.
Open discussion of Warden may not be appropriate, since it will lead to further attack and defense. But analyzing it should be the only way to reduce bans.
Feel free to ask or share; any hints or suggestions are welcome.
-
Post Thanks / Like - 2 Thanks
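Item 3 of the OP's list is a byte-pattern question. As an added example (not code from the OP or from any Warden tool), here is a small signature scanner that searches a memory dump for an IDA-style pattern with `??` wildcards and reports the matching addresses. The sequence `F3 A4 5F 5E C3` is taken from the post; whether it still matches anything in a current Warden module is the OP's open question, not something confirmed here, and the dump the script scans is constructed for the demo.

```python
"""Signature (byte-pattern) scanner for a memory dump.

Added example for this thread, not code from the original post. It searches a
dump for an IDA-style pattern with '??' wildcards and reports where it matches.
The sequence F3 A4 5F 5E C3 (rep movsb; pop edi; pop esi; ret on 32-bit x86) is
the one the OP asks about; whether it still matches anything in Warden today is
the OP's open question, and the dump below is constructed for the demo.
"""
import re

# The sequence from the post, written in IDA's "XX XX ??" pattern style.
WARDEN_PATTERN = "F3 A4 5F 5E C3"


def parse_pattern(pattern):
    """Compile an IDA-style pattern string into a bytes regex.

    Each token is a two-digit hex byte; '?' or '??' matches any single byte.
    """
    parts = []
    for tok in pattern.split():
        if tok in ("?", "??"):
            parts.append(b".")
        else:
            parts.append(b"\\x%02x" % int(tok, 16))
    # DOTALL so the wildcard also matches 0x0A.
    return re.compile(b"".join(parts), re.DOTALL)


def find_pattern(dump, pattern, base=0):
    """Return every address (base + offset) at which `pattern` occurs in `dump`."""
    rx = parse_pattern(pattern)
    return [base + m.start() for m in rx.finditer(dump)]


def hexdump_at(dump, offset, length=16):
    """Show `length` bytes of `dump` starting at `offset`, for eyeballing a hit."""
    chunk = dump[offset:offset + length]
    return " ".join("%02X" % b for b in chunk)


def scan_file(path, pattern, base=0):
    """Scan a raw dump file (e.g. a module dumped from the game process)."""
    with open(path, "rb") as f:
        return find_pattern(f.read(), pattern, base)


# Constructed sample dump (not real Warden bytes): two exact hits, one near miss
# that ends in `ret imm16` (C2) instead of `ret` (C3), and some filler.
DEMO_DUMP = (
    b"\x55\x8b\xec" + b"\x90" * 13          # prologue + nop padding  (0..15)
    + b"\xf3\xa4\x5f\x5e\xc3"               # hit #1 at offset 16
    + b"\xcc" * 11                          # int3 filler              (21..31)
    + b"\xf3\xa4\x5f\x5e\xc2\x08\x00"       # near miss at offset 32 (ret 8)
    + b"\x00" * 9                           #                          (39..47)
    + b"\xf3\xa4\x5f\x5e\xc3"               # hit #2 at offset 48
)

if __name__ == "__main__":
    base = 0x00400000
    for addr in find_pattern(DEMO_DUMP, WARDEN_PATTERN, base):
        print("hit at 0x%08X: %s" % (addr, hexdump_at(DEMO_DUMP, addr - base, 8)))
    # Loosening the last byte also surfaces the C2 variant:
    print(find_pattern(DEMO_DUMP, "F3 A4 5F 5E ??"))
```

Run against a real dump with `scan_file("module.bin", WARDEN_PATTERN, base=<module base>)`; a hit only tells you the bytes are present, so check the surrounding code (the `hexdump_at` output) before assuming it is the function you are after.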
-
> 3. 100+ modules exist atm, maybe more now...
Negative. Warden contains multiple encrypted chunks of code that seem to be placed in different locations with different encryption keys. It looks like every time you get a Warden module the keys have been changed, resulting in a different chunk of bytes. On top of that, there also seem to be multiple encryption/decryption functions (assumed to make hooking/patching harder) which may not always be located at the exact same location.
So there is that; don't be fooled, you might have been looking at the same payload the whole time.
-
Post Thanks / Like - 1 Thanks
oiramario (1 members gave Thanks to MrNoble for this useful post)
-
-
Post Thanks / Like - 1 Thanks
oiramario (1 members gave Thanks to Kovrizha for this useful post)
-
Established Member
Originally Posted by
Kovrizha
I'm in the same boat.
Getting banned constantly, every ~2-3 weeks. For almost 2 years.
What does not help:
- Operating under VMware. Also tried QEMU/KVM (recompiled, with VM detection mitigation).
- proxy/VPS/VPN
- driver for keyboard/mouse input
- no memory writes, Lua unlock
- no OpenProcess/ReadProcessMemory. Using a driver for reading instead. Skipping virtual memory if it has no physical backing.
- randomized navigation, human-like interaction, working for 12h (tried even less) with random breaks
A proxy does not help?
How about HWID?
-
Established Member
Originally Posted by
MrNoble
> 3. 100+ modules exist atm, maybe more now...
Negative. Warden contains multiple encrypted chunks of code that seem to be placed in different locations with different encryption keys. It looks like every time you get a Warden module the keys have been changed, resulting in a different chunk of bytes. On top of that, there also seem to be multiple encryption/decryption functions
(assumed to make hooking/patching harder) which may not always be located at the exact same location.
So there is that; don't be fooled, you might have been looking at the same payload the whole time.
Thanks for the reply, big bro.
We all follow in your footsteps.
-
Active Member
Originally Posted by
oiramario
A proxy does not help?
How about HWID?
All QEMU VMs have their own HWID. You can set up IDs via:
libvirt: Domain XML format
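As an added example (not from the post above, and not a configuration anyone in the thread posted), this is what setting per-VM identifiers through the libvirt Domain XML format looks like: the `<smbios mode='sysinfo'/>` switch makes QEMU build the guest's SMBIOS tables from the `<sysinfo>` block, and the disk serial and NIC MAC are set per device. Every vendor string, serial, UUID and MAC below is a made-up placeholder; note that Kovrizha's post above reports that VM detection mitigation alone did not stop the bans.

```xml
<!-- Added example: libvirt domain definition with guest-visible identifiers
     overridden per VM. All values are placeholders chosen for the demo. -->
<domain type='kvm'>
  <name>guest01</name>
  <!-- libvirt requires this to equal the sysinfo <entry name='uuid'> below -->
  <uuid>d2e6f3a0-5c1b-4f2e-9a7d-3b8c1e0f4a55</uuid>
  <memory unit='GiB'>8</memory>
  <vcpu>4</vcpu>
  <os>
    <type arch='x86_64' machine='q35'>hvm</type>
    <!-- expose the <sysinfo> block below as the guest's SMBIOS tables -->
    <smbios mode='sysinfo'/>
  </os>
  <features>
    <acpi/>
    <apic/>
    <!-- hide the KVM signature from CPUID leaves the guest can query -->
    <kvm>
      <hidden state='on'/>
    </kvm>
  </features>
  <cpu mode='host-passthrough'>
    <!-- clear the CPUID "hypervisor present" bit -->
    <feature policy='disable' name='hypervisor'/>
  </cpu>
  <sysinfo type='smbios'>
    <bios>
      <entry name='vendor'>Example BIOS Vendor</entry>
      <entry name='version'>1.20</entry>
      <entry name='date'>03/15/2021</entry>
    </bios>
    <system>
      <entry name='manufacturer'>Example Systems</entry>
      <entry name='product'>Desktop-X1</entry>
      <entry name='version'>1.0</entry>
      <entry name='serial'>EX1-0001-7742</entry>
      <entry name='uuid'>d2e6f3a0-5c1b-4f2e-9a7d-3b8c1e0f4a55</entry>
      <entry name='sku'>SKU-0001</entry>
      <entry name='family'>Desktop</entry>
    </system>
    <baseBoard>
      <entry name='manufacturer'>Example Boards</entry>
      <entry name='product'>EB-Z590</entry>
      <entry name='serial'>EB-5590-000123</entry>
    </baseBoard>
  </sysinfo>
  <devices>
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2'/>
      <source file='/var/lib/libvirt/images/guest01.qcow2'/>
      <target dev='sda' bus='sata'/>
      <!-- per-VM disk serial, readable from inside the guest -->
      <serial>EXD-7A11B22C3344</serial>
    </disk>
    <interface type='network'>
      <source network='default'/>
      <!-- per-VM MAC; 52:54:00 is the QEMU/KVM OUI -->
      <mac address='52:54:00:1a:2b:3c'/>
      <model type='e1000e'/>
    </interface>
  </devices>
</domain>
```

Load it with `virsh define guest01.xml` and check the result from inside the guest (for example `dmidecode -t system` on Linux, or `wmic csproduct get uuid` on Windows); the system `uuid` entry and the domain `<uuid>` must match or libvirt rejects the definition.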
-
Member
Originally Posted by
Kovrizha
I'm in the same boat.
Getting banned constantly, every ~2-3 weeks. For almost 2 years.
What does not help:
- Operating under VMware. Also tried QEMU/KVM (recompiled, with VM detection mitigation).
- proxy/VPS/VPN
- driver for keyboard/mouse input
- no memory writes, Lua unlock
- no OpenProcess/ReadProcessMemory. Using a driver for reading instead. Skipping virtual memory if it has no physical backing.
- randomized navigation, human-like interaction, working for 12h (tried even less) with random breaks
I started having such a problem with the TBC prepatch. I used my pixel bot in Classic with bans every six months; now it works without bans for only 3-4 weeks. I think it might also have something to do with where you farm. In Classic, I farmed in a deserted place, but in TBC I had to go where there are people. So far this is only a guess.
I had everything the same, except for this item:
- driver for keyboard/mouse input
-
Post Thanks / Like - 1 Thanks
Kovrizha (1 members gave Thanks to fofgogjoj for this useful post)
-
Active Member
You mean it might be player reports?
Maybe, but sometimes my fresh bots (1-3 days) get banned.
I'm also starting to believe that Blizz implemented some serious in-game behavior analysis. So they do not detect the bot program, nor the way you interact with the game, nor your VM/hardware/IP. They are looking at how you actually play the game. I only hope that I'm wrong.
Last edited by Kovrizha; 12-02-2021 at 06:39 AM.
-
Active Member
Also, the question is how many people here are successfully using their bots for a long time period (>2 months)?
Not just 1 bot for 1-2 hours per day. I mean running their bot business.
-
Member
Originally Posted by
Kovrizha
You mean it might be player reports?
Maybe, but sometimes my fresh bots (1-3 days) get banned.
I'm also starting to believe that Blizz implemented some serious in-game behavior analysis. So they do not detect the bot program, nor the way you interact with the game, nor your VM/hardware/IP. They are looking at how you actually play the game. I only hope that I'm wrong.
When I bought several accounts and launched them all at once, I also got a ban. If I bought 1-2, then they were not banned. I should also note:
- I tried different payment methods, including time cards.
- I used a VM with Warcraft preinstalled and cloned it. This is also the reason for the bans, I think.
Last edited by fofgogjoj; 12-02-2021 at 06:49 AM.
-
Active Member
I always launch 1 bot per day (VM creation, proxy buying, etc.).
Always use keys from plati.com from different sellers.
I never use VM cloning. Tried many ways around client installation and linking via <host-vm>.
This is not the reason for our problem.
-
Established Member
Originally Posted by
Kovrizha
I always launch 1 bot per day (VM creation, proxy buying, etc.).
Always use keys from plati.com from different sellers.
I never use VM cloning. Tried many ways around client installation and linking via <host-vm>.
This is not the reason for our problem.
Maybe the VM is easy to detect.
I've tried a KMD for HID; that does not help.
I guess IP and HWID are important.
-
Active Member
Originally Posted by
oiramario
Maybe the VM is easy to detect.
I've tried a KMD for HID; that does not help.
I guess IP and HWID are important.
Did you try launching the bot on a separate PC?
-
Member
I don't know if it helps... but my experience:
- Using a private bot with 0 memory writes
- Running on Linux
- No VM, no unique HWID per instance
- No proxy / VPN
- No fucks given about Warden
- Same payment for all accounts (PayPal)
- 10 to 15 accs, 10-12 hours / day, 7 / 7
- On the exact same profile since TBC release (all of them, yep)
No bans since the beginning of TBC (started botting in the 2nd week).
Only since last week have I got some bans.
Now, tried creating accs: 10 WoW accs.
Banned without even connecting in game, after ~48 hours.
Tried the same thing but with a clean prefix and VPN: accounts still alive.
Gonna need to step up my game, with a dedicated VPN / HWID / payment method per acc.
Last edited by Narache; 12-03-2021 at 08:02 AM.
-
Post Thanks / Like - 2 Thanks
-
Established Member
Originally Posted by
Kovrizha
Did you try launching the bot on a separate PC?
Private bot running on Win10.
Last 6 months: 20 accs, 20h / day x 7, with no bans, no proxy, no HWID.
Since the last 2 weeks:
no ban: 5 accs, 20h / day / PC
ban: more accs or hours
-
Post Thanks / Like - 1 Thanks
Narache (1 members gave Thanks to oiramario for this useful post)